Kops

Hello everyone, I am having an issue where many devices (100+ in an environment of about 500) are appearing with a Client - NO status in my SCCM 2012 console where they had been YES before. When I examine the device, it has the client installed and looks to be configured OK (shows site FQDN, SiteCode, etc). See below Console showing no client Client settings I've read that there could be issues found in the ClientIDManagerStartup.log so I looked here and found an error This has now led me down a long road of troubleshooting WMI errors. Just wanted to see if there were any other suggestions if anyone has seen issues like this in the past? Or any recommended approaches to repairing/investigating WMI issues, if that is the issue?

Can't express how much of a help it has been to be able to bounce some ideas off of you guys. I'll be moving forward with the side-by-side migration and will update this thread along the way with any success/failures I've had. Thanks again! Cheers, Greg

I think the most important thing for me is as seamless of a transition as possible, while moving to new hardware and new OS/SQL.

I've reviewed all these options and I think I've settled on a plan to try the site backup/restore, as long as I can move to Win2012/SQL2012 as an end result. Can anyone point out any flaws in my final plan? - Configure new server with Win2012R2/SQL2012 using same disk/partition layout as old server (new server has more disk/storage, but will still be using C:\ and E:\ as its paths) - Copy all source files from old server to new server - Perform site backup on current server - Shutdown current server - Change new server's hostname to match hostname of old server which was just shutdown, refresh AD object (necessary? or can I use a different hostname knowing I'd have to adjust my 'source file' paths?) - Perform site restore on new server Garth, in reading the article you posted you reference 'Upgrade to SQL2012' before backing up and building a new server, is that necessary if I'm doing a site restore/backup? I've never done an 'upgrade' to a SQL installation before. If you can't tell I'm fairly new to the Systems Administration world and you guys have been an incredible help! Nickolaj, I have considered a side-by-side migration but there seems to be less information online around doing so - do you know of any resources? You mention that I would be able to migrate "almost all" of my objects from the old environment, are there any limitations to this method?

Hi again Nickolaj, thanks for having a look at my other threads on here . Can you clarify what you mean by side-by-side migration? Is this what I was talking about in posts 12 and 14? I am open to any ideas really, just trying to get a good understanding of how to do these tasks before jumping in and there seems to be some mixed recommendations out there. Garth I will have a read through those links now!

Hey Garth, Correct me if I'm wrong, but my thought on this was to bring up another site system server SCCMP2, install Config Mgr on it, and add it to the existing site hierarchy. I would then give SCCMP2 the SUP role for example, and remove SUP from the original SCCMP1 server. I would continue that until all roles had been moved off of SCCMP1 and onto SCCMP2, and I can retire SCCMP1. Does that make sense? We want to move to Win2012/SQL2012, but the process for backing up/restoring the CM database with these upgrades wasn't very clear to me. If I could configure a new server with Win2012/SQL2012 (similar drive partitions, etc) and restore the configmgr database onto that I would, but from what it sounds like I wouldn't be able to do that as a part of the restore. I appreciate you taking the time to read over my thread and lend a hand

Just following up, updates are working great now that I've deployed them to the unknown computers group, I hadn't realized that was a necessary step. I thought since I have the "Setup ConfigMgr" task earlier in the sequence that it should be picked up as a known device at that point, but I guess I was wrong! Thanks for your help Nickolaj.

Hey Nickolaj, thanks for lending a hand. I've confirmed that all Components are OK, and have just deployed our September Windows Update package to the 'Unknown Computers' collection. I'll go back to using just the single 'Install Software Updates' and test this OSD. Will report back with my findings.

Thanks for all the thoughts on this! I had another idea after doing some more reading online, where one person had success in bringing up a new server and adding it to the existing site hierarchy, then slowly migrating each of the components (SUP, DP, etc) over to the new server. It seems like this method might allow for a more seamless transition rather than an all-in-one type deal. I may try to take this approach, since I've read some people suggesting not to upgrade SQL or the OS when doing a Site Database Recovery to a new server and I'd like to move to Win2012R2 and SQL2012

Appreciate the quick replies! Thanks for linking me to that tool Peter, it looks like this could be very useful if I decide to shift our packages to our NAS in the future. For now I'm going to try to build the new server out as closely as I can to the old server and try the site backup/restore. Will update!

Hi everyone, I am having an issue where my software updates are not being applied during the OSD Task Sequence. I've created a very simple task sequence that doesn't do much other than configure the OS, join the domain, install the SCCM client, and run software updates. I read in a few different threads online that it can be beneficial to trigger a Software Update Scan Cycle prior to applying the updates in the TS, so I have attempted to do that with the command below (Scan for Updates in the TS), however updates still aren't being applied during OSD. WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE I investigated my WUHandler.log (attached) and found an error Unable to read existing resultant WUA policy. Error = 0x80070002 When researching this, some people suggest that it may have to do with a GPO that configures a Intranet Microsoft Update Service Location to http://ServerFQDN:8530 however that was advised in the Step by Step config guide I found here. I'm hoping someone can help me figure out why my updates won't install as a part of the OSD Task Sequence! WUAHandler.log

OK - point taken, SQL will be kept locally. Appreciate the suggestions. My other question/concern is around the name of server (currently SCCMP1). Right now all my applications/packages have their source files stored in \\sccmp1\sources\. I also have a GPO which points the Intranet WSUS server to http://sccmp1.domain:8530. I can easily update the GPO to point to the new server sccmp2, and the application/packages source files path with a little legwork (we have maybe 50 applications/packages), but I feel this method leaves room for human error. Are there any suggestions on a good approach to this as well? I could name the server the same, but it wouldn't be possible to have them on the domain at the same time. I'm not sure if I could take a site backup, then shutdown the server, join the new sccmp1 to the domain, and restore the site that way? Again your help is greatly appreciated!

Hey all, I just wanted to post here because when I made the original thread I accidentally submitted it when I had only written a couple lines and it didn't make much sense. Hopefully some people may have a second look now that the details are filled in

Hey guys, its been a while since I've posted here but I've gotten great help in the past and am hoping to find the same results . I currently have a Dell R710 server running our ConfigMgr 2012 R2 environment which is no longer under warranty, and we'd like to move ConfigMgr to a newer R730 server which is under warranty. Some info about our current setup - Windows Server 2008 R2 and ConfigMgr 2012 R2 - SQL Server 2008 R2 installed locally - All installation packages kept locally on the server - Server is handling all Site System Roles - Application Catalog web service point/website point - Component Server - Distribution Point - Endpoint Protection Point - Management Point - Reporting Services Point - Site Database Server - Site Server - Site System - Software Update Point - State Migration Point I have read a few different threads that advise using Backup Site Server followed by Restore Site Server on the new server, but is there anything else involved? This is my plan.. - Install Server 2012 R2 on new server (with same server name) - Install WSUS role - Install ConfigMgr R2 with the same site code - Install SQL Server (can I upgrade to SQL Server 2012 R2 at this time, or can I move the database to our SQL cluster without much impact?) - Copy all packages/sources to new server (in same directory/folder structure) - Perform Site Server Backup on old server - Perform Site Server Restore on new server Any comments or experience with this type of migration is greatly appreciated!

Thanks for the reply Garrett, interesting thoughts. What you've said might explain a few things.. We have an ADR for Critical/Security updates only that runs every day, and adds to an existing software update group (to avoid creating new groups everyday) - this is the one with the low compliance. I've now created another ADR to run every second wednesday for regular windows updates and to create a new group each time, so I'll monitor how that reports compliance and see how that goes. If I report out of Monitoring > Reports, the compliance numbers actually look great. It just seems to be in the Software Update Group area that shows them very low.

We are using 4 ADRs, but my understanding of how they are used is not great. We have 3 ADRs for Level 1, Level 2, and Level 3 updates, configured as per below, and 1 ADR for Windows Protection (differences in config shown in red below) - Add to an existing Software Update Group, Enabled the deployment after this rule is run - Create New Software Update Group, Enable the deployment after this rule is run - Automatically deploy all software updates found by this rule, and approve any license agreements - Date released = Last 6 months, Superseded = No, Update class = Critical or Security Updates - Date Released = Last 1 day, Product Forefront Security Client, or Windows Defender - Run this rule every day - Deployment (varies per level, Level 1 is available ASAP and 7 day deadline, Level 2 is 7 days and 14 day deadline, Level 3 is 14 day and 21 day deadline) - Deployment available every 2 hours, deadline ASAP - Deployment Package = Windows Critical and Security Updates - Deployment package = Windows Protection Updates I'd really like to be able to break this down into a sort of workflow... 1. Updates are sync'd from MS to SCCM every day 2. ADR Level X WSUS takes critical/security updates and applies them to Level X WSUS Software Update Group 3. etc.. But I get lost in this process fairly quickly. I was under the impression that updates were a fully automated process but with compliance being shown at 7% I'm thinking there must be a manual process that isn't being done. Can anyone help me understand the typical process that this might follow?

I checked out this area of our policy, and we do have one option Specify Intranet Microsoft updates Service Location is enabled, with a link pointing to our SCCM server. I think I have an idea as to whats going on. After looking at our Software Update Groups closer, we have groups called 2012 Updates, followed by January 2013 Updates, February 2013 Updates, March-May 2013 Updates and then no more. This is when the previous admin left. It looks to me like they were deploying updates monthly and this stopped when nobody was really responsible for the SCCM environment. I am going to do the following: Go to All Software Updates, filter by January 2015 release date, selecting those and creating a January 2015 Update Group, and deploying that to our Level 1 device collection. I think this is how it was intended to be setup. If I'm right, I'll have to try to figure out what the automatic deployment rules are really doing...

First off, I appreciate you taking some time to read through my issues and lend a hand. I'm very appreciative for the help I receive from this community I ran some compliance reports through the Monitoring tab and this does provide much better insight. I'm able to see which users/computers are compliant which will be a great breakdown going forward. However, I am still seeing very low compliance numbers. See compliance1.png I can definitely look into this - I wasn't familiar with any group policy required for SCCM? I think I would like to move to a more manual approach similar to what you are describing, where I can take all the updates that were released per month and create a group, and manually deploy these rather than relying on the auto-rules. I can see in our Software Update Groups that this might have been done in the past - there are groups named January 2013 Updates, February 2013 Updates (with veyr high compliance numbers), but there are also auto-deployment rules setup for Level 1/2/3, which was confusing. See monthlyupdates.png. Can anyone advise how an approach for moving to that sort of update system? Again, your time is much appreciated!

A couple months ago I inherited responsibility for our System Center Config Mgr environment from a previous systems admin who left the organization. There was no hand-off of the system, so I basically just picked it up, read a few things online and jumped into managing it. I tackled a few of the high priority issues for us which were getting images deployed through SCCM as well as updating the Software Library to have more relevant packages and up to date applications for our users. Now I need to get software updates in a better state, as we seem to have very low compliance numbers (7% ). In hopes of getting some help here, I have gathered as much info as I can from our current config. SUP Settings (looks OK to me) - Synchronize from Microsoft Update - All classifications (critical, definition, etc) - Products - Windows 7, 8.1 - Adobe Acrobat/Reader/Flash - Microsoft Office 2010/2013, Visual Studio 2010/2012/2013 - Sync schedule everyday at 3am - Immediately expire superseded updates Automatic Deployment Rules (might need attention) - Level 1 / Level 2 / Level 3 - Level 1 = Systems Administrators / HelpDesk (approx 25 PCs) - Level 2 = Software Developers (approx 40 PCs) - Level 3 = Rest of company (approx 450 PCs) - Deployment schedule - Level 1 available as soon as possible, deadline after 7 days - Level 2 available after 7 days, deadline after 14 days - Level 3 available after 14 days, deadline after 21 days - Add to an existing Software group (Level 1/Level 2/Level 3) - Enable deployment after rule is run - Search Criteria - Custom Severity = None - Date released/revised = Last 6 months - Superseded = No - Update Classification = Critical or Security - Evaluation sync schedule every 1 day - Deployment schedule - Level 1 available as soon as possible, deadline after 7 days - Level 2 available after 7 days, deadline after 14 days - Level 3 available after 14 days, deadline after 21 days - Deployment package Windows Critical and Security Updates However the issue is that compliance is still very low, see attached update_compliance.png. As I see things, this should be setup to automatically deploy these updates, but I might be missing some pieces. I can provide log files/any more info it will assist. I am open to completely reworking this if there is a better practice! Appreciate you taking the time to read my question

Hello everyone, I'd like to get a better understanding of a few aspects of software updates in SCCM, and was hoping that you might be able to help. I am able to go to Software Library > Software Updates > All Software Updates and sort by date to manually find which Windows updates have recently been downloaded. Is there a way to find out which updates are being downloaded for other Products, like Adobe Flash/Reader? We have included these Products in our SUP components but those updates don’t seem to appear in All Software Updates, I’d like to get a better understanding of how these get applied. Another question I have is, why are some updates being expired so quickly? There are some updates here that were released Dec 11th, and are already expired. What exactly does this mean? I also have some that expired over a month ago. Is there a need for them to remain in my All Software Updates library? Lastly, and maybe this isn’t a Software Updates question, but I see lots of unknown devices in the reporting/statistics of software updates. We have approx. 400-500 PC’s in the environment, and we are seeing somewhere between 700 devices, where 200+ are ‘unknown’. Could these be old entries for computers that have been retired or re-imaged? Is there any way I can get some more information on these/clean them up? Thanks, Greg

Thanks for the reply Jorgen, that script is something I will have to play with. I did read of a few people deploying this by WSUS, which seems like a good solution. What I have done is deployed it with the /norestart switch. This has returned much better results. The max runtime was set at 120minutes which should be plenty of time. Regardless, it looks like the /promptrestart switch was causing some issues with the reporting back to sccm.

Hi everyone, We have recently been experiencing extremely slow domain login times in our org, upwards of 30 minutes. After opening a case with Microsoft on the issue they were able to identify it as an issue with WMI, which was resolved with this HotFix http://support.microsoft.com/kb/2775511 As this HotFix is not included with standard Windows Updates (because it is for enterprise/domain related issues), we would like to push it out with Config Mgr. I have tried this two ways: 1. Placing the hotfix on the SCCM server, and creating a Package that looks in that folder, and runs the command line wusa.exe hotfixname.msu /quiet /promptrestart 2. Placing the hotfix on the SCCM server, and creating a Package that looks in that folder, and runs a batch script Slow_Login.bat - which contains the command line CMD /c wusa.exe hotfixname.msu /quiet /promptrestart. The result of both of these are the exact same - Config Mgr is reporting them as failures even though I have manually checked and all the deployed PC's received the update, and rebooted. The error we are seeing is either 10070 Program Failed (run time exceeded) or 10006 Error 2359302. Upon investigating the execmgr.log file from one of these computers (which I understand logs the details of Package deployments) I found a few things. I have attached this log. Any help on why these are showing up failed, or a better way to deploy .MSU packs, it would be greatly appreciated! execmgr.log

One of our technicians created a task sequence with a single command line entry to run a Microsoft HotFix executable and deployed this to all of our Windows 7 PCs (approx 400). The task sequence only successfully reached 80 PCs before we cancelled the deployment as the issue was found to be related to something else in our environment. My question is, now that the deployment is cancelled, I can no longer go to the Monitoring > Deployments > Hotfix Deployment to view the deployment statistics on which PCs received this update. Is there any log that I can look into that will be able to pull this kind of information?

Today I was asked to prevent IE 11 from installing on our computers through SCCM updates. Currently, we are doing updates on a tiered schedule (small test group, then 1 week delay to IT, then 1 week delay to rest of org), however, we are pushing updates for all categories (see updates1.png) At this point, IE 11 has been deployed to 136 of our 470 devices (see updates2.png). I would like to prevent any future deployments, but I can't seem to find a way to remove the IE 11 update. Can anyone advise the best practice for this?

Wow, that is sort of a weird way to calculate compliance, but I guess it sort of makes sense in that 90% of the systems are configured correctly (in your example). Thanks for clearing that up for me