The Manageability Guys

Hello,

This is my first blog post so I thought I would make it something vaguely interesting (to certain people). Powershell has been around for a while, though for most ConfigMgr people it remains a dark area. This is primarily due to the lack of samples explaining how to access the ConfigMgr WMI Provider on a Site Server. This post will walk you through the ConfigMgr SDK sample in VBScript and show a corresponding sample in Powershell.

I’ve written up the following sample to walk you through the process of converting the ‘How to Create a Static Collection’ sample in the SDK from C# or VBscript to Powershell. The sample is designed to work locally on the site server with a site code of LAB, but establishing a connection to a remote provider should not prove too difficult. We are using some of the .NET System.Management classes directly to give us direct access to WMI. This makes things easier to maps back to C#/VBScript samples in the SDK.

The first thing we need to do, is instantiate an instance of the SMS_Collection class.

$collClass = [WMIClass] “root\SMS\Site_LAB:SMS_Collection”
$collInstance = $collClass.CreateInstance()

With that done, we can populate all settings required for our collection.

$collInstance.Name = “FooCollection1”
$collInstance.OwnedByThisSite = $true

You may want to set additional properties for this collection. From there, we store our instance of the SMS_Collection class, and use the returned object to tell us the path of the new instance. We will need this later on. To properly handle the Path property we need to cast the type of object returned using [WMI].

$collPath = $collInstance.Put()
$collection = [WMI] $collPath.Path

We now follow the same instantiation process used above to create an instance of SMS_CollectToSubCollect class. The SMS_CollectToSubCollect class is required to tie our new collection to an existing collection so that is actually shows up in the console. This can be any existing collection’s ID or the special ID of COLLROOT to appear under the ‘Collections’ node. In our case, we are using COLLROOT for simplicities sake.

$subcollClass = [WMIClass] “root\SMS\Site_LAB:SMS_CollectToSubCollect”
$subcollInstance = $subcollClass.CreateInstance()

So we set our relationship class (SMS_CollectToSubCollect) parentCollectionID property to COLLROOT. Again, this could be any existing collection ID.

$subcollInstance.parentCollectionID = “COLLROOT”

We now need to link our relationship class’s subCollectionID property to our new collection’s ID. Since this is assigned by the provider based on existing collection IDs, we much reference it using the new collection’s object’s CollectionID property and store the new instance of SMS_CollectToSubCollect, as such:

$subcollInstance.subCollectionID = $collection.CollectionID
$subcollection = $subcollInstance.Put()

Now that we have a new collection linked to the ‘Collections’ root node, we ought to put something in there, so let’s create a direct membership rule for a computer called ‘Test’. We follow the same WMI connection process using the [WMIClass] cast and then instantiate SMS_CollectionRuleDirect. We also set the ResourceClassName property to “SMS_R_System” to let ConfigMgr know that we want to find System resources.

$directruleClass = [WMIClass] “root\SMS\Site_LAB:SMS_CollectionRuleDirect”
$directruleInstance = $directruleClass.CreateInstance()$directruleInstance.ResourceClassName = “SMS_R_System”

With that done, we can use the Powershell Get-WmiObject commandlet to find the ‘Test’ computer. As you may have noticed, this is the first time we are going to be using a commandlet in our PowerShell script. Anyway, we are going to assume that we only have one instance returned (meaning that there is only one computer object (System resource instance) in the database). In reality there may be multiple objects with similar names, so you will want to either filter them more or use a foreach loop (foreach-object commandlet) to walk through the collection of returned computer objects.

$computer = Get-WmiObject –class “SMS_R_System” – namespace “root\SMS\Site_LAB” –Filter “NetbiosName = ‘Test’”

All we need to do is link the ResourceID property in the found computer object with the rule object’s ResourceID property, as such:

$directruleInstance.ResourceID = $computer.ResourceId

Then, we call the AddMembershipRule method from our new collection, and tie it to the new Direct Memebership rule instance we created just now.

$collection.AddMembershipRule($directruleInstance)

Finally, we call the RequestRefresh method to ask Collection Evaluator in the site to update the collection membership for our new collection and that it!

$collection.RequestRefresh()

Assuming I haven’t bored you to death with my comments so far, this is what you should have in the end:

$collClass = [WMIClass] “root\SMS\Site_LAB:SMS_Collection”
$collInstance = $collClass.CreateInstance()
$collInstance.Name = “FooCollection1”
$collInstance.OwnedByThisSite = $true
$collPath = $collInstance.Put()
$collection = [WMI] $collPath.Path
$subcollClass = [WMIClass] “root\SMS\Site_LAB:SMS_CollectToSubCollect”
$subcollInstance = $subcollClass.CreateInstance()
$subcollInstance.parentCollectionID = “COLLROOT”
$subcollInstance.subCollectionID = $collection.CollectionID
$subcollection = $subcollInstance.Put()
$directruleClass = [WMIClass] “root\SMS\Site_LAB:SMS_CollectionRuleDirect”
$directruleInstance = $directruleClass.CreateInstance()
$directruleInstance.ResourceClassName = “SMS_R_System”
$computer = Get-WmiObject –class “SMS_R_System” – namespace “root\SMS\Site_LAB” –Filter “NetbiosName = ‘Test’”
$directruleInstance.ResourceID = $computer.ResourceId
$collection.AddMembershipRule($directruleInstance)
$collection.RequestRefresh()

Hopefully, the above sample will be useful in letting you understand how you can use PowerShell with ConfigMgr’s WMI Provider. If this has been helpful to you, please let me know by commenting below.

This post was contributed by Saud Al-Mishari, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.

The following T-SQL query will generate a report that shows the status of ConfigMgr clients. It uses various sources for this information, including:

Last Hardware Inventory timestamp
Last AD Discovery agent timestamp
ConfigMgr 2007 R2 Client Health views data, including:
- Last Heartbeat DDR
- Last HW Inventory
- Last SW Inventory
- Last Policy Poll to the MP (Very useful for finding clients that are alive but cannot send other forms of communication)
- Last Status Message
- Last Ping (Client Health tool ‘ping’ not an ICMP echo)
- Last Successful Ping
Active Directory System Discovery Additional Attributes (these have to be added to the discovery method)
- lastLogonTimestamp
  - Use this instead of lastLogon, as lastLogon is not replicated throughout a domain. This tells us when the domain member last logged on (part of computer start up)
- pwdLastSet
  - This tells us when the domain member last set its computer account object in AD
- whenChanged
  - This tells us when the computer object was last modified in Active Directory. Password changes, disabling the account, resetting the account and OU moves are among the ways this attribute is updated.

The lastLogonTimestamp and pwdLastSet atttributes are usual ways to determine stale machines accounts in AD. Unfortunately, they are returned as AD time integer by the AD System Discovery, as opposed to datetime values like whenChanged. I use the following CAST statement to convert the integers into usable datetime values (where @columnName is the column we want to work with):

CAST((@columName / 864000000000.0 - 109207) AS DATETIME)

This reports provides a large output that can then be sorted in Excel or modified to include a WHERE clause to filter it to only machines where one or more sources is out of date x number of days. Here is the sample report query and I’ve highlighted the source views used for easier viewing:

SELECT sysValid.Netbios_Name0 AS
'Computer Name'
      ,sysValid.Resource_Domain_OR_Workgr0 AS
'Domain'
      ,ConUsr.TopConsoleUser0 AS
'[AI] Top Console User'
      ,sysValid.User_Domain0 +
'\' + sysValid.User_Name0 AS
'Last Logged on User'
      ,wsStatus.LastHWScan AS
'Last HW Inventory Time'
      ,agentDisc.AgentTime AS
'Last AD System Discovery'
      ,cliSumm.LastDDR AS
'[CH] Last Heartbeat Discovery'
      ,cliSumm.LastHW AS
'[CH] Last HW Inventory'
      ,cliSumm.LastSW AS
'[CH] Last SW Inventory'
      ,cliSumm.LastPolicyRequest AS
'[CH] Last Policy Request'
      ,cliSumm.LastStatusMessage AS
'[CH] Last Status Message'
      ,cliSumm.LastPingTime AS
'[CH] Last Ping'
      ,cliSumm.LastSuccessfulPing AS
'[CH] Last Ping Success'
      ,CAST((sysAgent.lastLogonTimestamp0 / 864000000000.0 - 109207) AS DATETIME) AS '[AD] Computer Last Logon'
      ,CAST((sysAgent.pwdLastSet0 / 864000000000.0 - 109207) AS DATETIME) AS '[AD] Password Last Set'
      ,sysAgent.whenChanged0 AS '[AD] Object Last Modified'

FROM v_R_System_Valid AS sysValid

LEFT OUTER JOIN v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP AS ConUsr ON sysValid.ResourceID = ConUsr.ResourceID
LEFT OUTER JOIN v_GS_WORKSTATION_STATUS AS wsStatus ON sysValid.ResourceID = wsStatus.ResourceID
LEFT OUTER JOIN v_AgentDiscoveries AS agentDisc ON sysValid.ResourceID = agentDisc.ResourceId
LEFT OUTER JOIN v_CH_ClientSummary AS cliSumm ON sysValid.ResourceID = cliSumm.MachineID
LEFT OUTER JOIN v_R_System AS sysAgent ON sysValid.ResourceID = sysAgent.ResourceID

WHERE agentDisc.AgentName = 'SMS_AD_SYSTEM_DISCOVERY_AGENT'

ORDER BY sysValid.Netbios_Name0 DESC

Hope this helps as a starting point at looking at your client base’s health!

This post was contributed by Saud Al-Mishari, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.

Ever wonder what’s in the Asset Intelligence (AI) catalog on your site server’s database? I wrote the following query for a customer to show the value of AI and the data this is in there (and convince them to deploy AI Sync Point). It summarizes data to a list of Publishers and an sum of their products and rules for their products. When I ran this query in my test environment (newly synchronized SP2 site), it returns the following counts among other things:

Publishers: 11,806
Products: 147,923
Rules: 252,798
Examples for Windows Live Messenger:
- Products: 8 (e.g. Windows Live Messenger, Windows Live Messenger 8.0, Windows Live Messenger 14.0…)
- Rules: 84
Top 10 publisher by product counts:
1. Microsoft: 23,921
2. HP: 3,424
3. Red Hat: 2,021
4. IBM: 1,671
5. National Instruments: 1,554
6. Adobe: 1,506
7. Autodesk: 1,180
8. OSI Software: 1,042
9. Symantec: 830
10. Canon: 807

Obviously, from the example of Windows Live Messenger you can see that the number of products is slightly misleading as the product is listed multiple times. It just depends on the marketing and packaging naming format of the publisher the product counts may need to be looked at on a case by case basis. Hopefully, the below will give you a starting point for this analysis.

SELECT CommonPublisher AS 'Publisher',
COUNT(DISTINCT CommonName) AS 'Count of Products',
COUNT(*) AS 'Count of Rules'
FROM v_LU_SoftwareList
GROUP BY CommonPublisher
ORDER BY CommonPublisher ASC
COMPUTE SUM(COUNT(DISTINCT CommonName)), SUM(COUNT(*))

This post was contributed by Saud Al-Mishari, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.

UPDATE (09/03/2010): Removed test environment ConfigMgr DB name from T-SQL statement. Sorry for any confused this caused people.

These postings are provided "AS IS" with no warranties, and confer no rights.

The following information is for example purposes only. Do not rely on this information for a production deployment. These are meant to show the areas you should test for when evaluating ConfigMgr client activity impact on your network before going into production. The results are specific to the below ConfigMgr configuration and will vary from environment to environment.

UPDATE (22/04/2013): The System Center 2012 Configuration Manager version of this post can be found here: http://aka.ms/pwlunk

To perform this sort of testing you can use NetMon 3.3, and the Top Users Netmon Expert. Basically, the process is:

Start Capture (easiest in Mixed Mode)
Perform Activity
Stop Capture
Run the Top Users expert

For more information on Netmon traffic tracing see the following:

How to capture network traffic with Network Monitor: http://support.microsoft.com/kb/148942
Microsoft Network Monitor 3.3 download: http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en
NetMon Experts (including Top Users): http://nmexperts.codeplex.com/
NetMon Open Source Parsers: http://nmparsers.codeplex.com/

Activity	Type	Average Bytes	Attempts	Client to Server Bytes	Server to Client Bytes
Policy Polling Request	MP	3,499	5	2,933	566
Software Update Scan (Regular)	MP	6,881	1	3,056	3,825
Software Update Scan (Regular)	SUP	56,527	1	50,197	6,330
Software Update Scan (Fresh AU DB)	MP	22,408	1	16,088	6,320
Software Update Scan (Fresh AU DB)	SUP	5,539,666	1	574,877	4,964,789
Hardware Inventory (Delta)	MP	17,080	1	14,519	2,561
Hardware Inventory (Empty)	MP	7,023	1	6,350	673
Software Inventory (Empty)	MP	6,072	1	5,399	673
Hardware Inventory (Full)	MP	72,678	1	69,467	3,211
Software Inventory (Full)	MP	291,314	1	288,792	2,522
Software Distribution Policy Poll (Advert Download)	MP	14,452	1	6,161	8,291

Notes on Test Configuration

Software Inventory Configuration:
- Inventory Rules: *.exe
- Items Inventoried: 2128 files
Hardware Inventory Configuration:
- Standard SMS_DEF.MOF --> All AI configurations turned on
Software Updates Configuration:
- Last Synched: 13/5/2009, 12:05 AM
- Products:
  - Exchange Server 2007
  - Office 2007
  - SQL Server
  - SQL Server 2005
  - Forefront Threat Management Gateway, Definition Updates
  - Windows Server 2003
  - Windows XP
  - Windows 7 Client
  - Windows Server 2008
  - Windows Vista
  - CAPICOM
  - System Center Configuration Management 2007
  - Visual Studio 2005
  - Visual Studio 2008
- Classifications
  - Critical Updates
  - Definition Updates
  - Security Updates
  - Service Packs
  - Update Rollups
  - Updates
Client Configuration:
- Windows Server 2008, x64
- SQL Server 2005
- Programs Registered in Add/Remove Programs: 11
- Updates Registered in Add/Remove Programs: 6

Note on SUP/WSUS traffic: Below is some additional (though less comprehensive) testing performed for this information.

Clients pulling metadata from a SUP with Windows Vista and Office 2007 installed have been observed requiring 21MB worth of metadata.
Client pulling metadata from a SUP with Windows Vista, Office 2007 and FCS installed have been observed requiring 34MB worth of metadata, with 4MB of upstream (client to server) traffic.

This post was contributed by Saud Al-Mishari, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.

I received a question from colleague recently around how to find the exact name used in the AI database for previous versions of a Microsoft product. The reason for this was to replace the license MVLS statement’s product name with an older version of software that is deployed by availing a customer Downgrade Rights in their PUR. The Asset Intelligence database in Configuration Manager contains this information in v_LU_MSProd view.

The following T-SQL should do the trick:

SELECT DISTINCT [MLSFamilyName], [MLSProductName]
FROM v_LU_MSProd

This post was contributed by Saud Al-Mishari, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.

One of the things that regularly comes up when discussing ConfigMgr is one of the following:

How do I find out who did this?
How do I find out where this is installed?
Where are my assets?

These are all perfectly good reasons to use ConfigMgr, but I would argue that one of ConfigMgr best uses is actually as an enabler of proactive end user support. What do I mean by proactive end user support? A common proactive activity is when your credit card company phones you after you put in a large purchase on your credit card in foreign country to confirm that you actually performed the transaction. Or you may be familiar with “phone home” features in high-end enterprise SANs, networking equipment and even mainframes.

The idea here is to use information from the environment to allow us to support end-users or our customers before they phone the helpdesk. In fact, I would see scenarios where it is actually the help desk proactively phoning users to let them know that there may be optimizations that a technician can do either remotely or on the machine to assist them and if they would like to schedule a visit.

What are the scenarios where I can see ConfigMgr being utilized with this include (I will be working on these items throughout this series):

Users with very low (e.g. less than 15% free) disk space on their machines
Users with too many applications in their start-up list(s) in Windows
Users with too many browser helper objects in IE (especially toolbars)
Client-side application configuration with DCM

Outlook Cached Mode
Windows Desktop Performance settings (VM, Boost Priority)
LOB App Settings

Intelligent software license entitlement reviews (ok, this isn’t 100% proactive)

While this may seem like a trivial benefit to IT, think of the change in perception it creates with end-users and the business.

This post was contributed by Saud Al-Mishari, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.

So this is the first post in a series about how to be proactive with ConfigMgr. I’ve started with something that is relatively straightforward, disk space. Now, you might say that this is too simple because we already have reports in ConfigMgr that tell us this information. What I am aiming to due is get a report that can be used to contact end-users, rather than just report ConfigMgr data about machines.

Prerequisite AD Information

Before we can get started we need to know some information about our users. Where is the best information about users (hopefully)? Active Directory, so we turn to Active Directory User Discovery. For this example, I’m going to extend AD User Discovery to collect the following additional attributes:

telephoneNumber
mail
givenName
displayName
sn
distinguishedName

sn in this can is surname. You may also want distinguishedName because that is useful in linking people to their managers and linking computer objects to their owners.

Enable Asset Intelligence

Additionally, before we begin we want to enable Asset Intelligence (AI). Enabling AI gets us the primary user of the computer we are looking at. Some people have concerns about the accuracy of this data, and while I agree it’s not perfect it’s a lot better than last logged on user. So go ahead and turn on the following AI classes, if you don’t have them on:

SMS_SystemConsoleUsage
SMS_SystemConsoleUser

Views Used

We are going to use four views in this report, as follows:

v_GS_LOGICAL_DISK: This is our main view that gives us information on logical drive utilization on each machine. We will probably limit this to only fixed disks. It is linked it using the ResourceID column.
v_R_System_Valid: This views gives us the computer name we are working with. It is linked using the ResourceID column.
v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP: This views gives us the primary console user for a given computer. It is linked using the ResourceID column.
v_R_User: This view gives us the AD attributes we want for a given user. While this view does have a ResourceID column, this maps to User resource and not Computer resources like our other views. This means we will have to link it to our other views using the user’s domain\accountname format instead. The Windows_NT_Domain0 and User_Name0 columns give us this (with a \ in between of course). This can then be linked to v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP.TopConsoleUser0.

SQL Query

The following SQL query can be used to create your own reports. You may need to customize this for your own environment (perhaps changing the 0.15 to a parameter for the report or getting it to target a specific collection instead of all machines in the environment). This join format will be reused thought the remainder of this series to show to link computer, inventory and users together.

SELECT Systems.Netbios_Name0 AS 'Computer Name',
        Disks.Name0 AS 'Drive Letter',
        ROUND(Disks.FreeSpace0*1.00/Disks.Size0*1.00,2) AS '% Free',
        Disks.FreeSpace0 AS 'Free Space (MB)',
        Disks.Size0 AS 'Disk Size (MB)',
        MaxUsage.TopConsoleUser0 AS 'Primary User',
        Users.displayName0 AS 'User''s Name',
        Users.mail0 AS 'E-mail Address',
        Users.telephoneNumber0 AS 'Telephone Number',
        Users.givenName0 AS 'Given Name',
        Users.sn0 AS 'Surname'
FROM v_GS_LOGICAL_DISK AS Disks
JOIN v_R_System_Valid Systems
    ON Disks.ResourceID = Systems.ResourceID
JOIN v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP MaxUsage
    ON Disks.ResourceID = MaxUsage.ResourceID
JOIN v_R_User Users
    ON MaxUsage.TopConsoleUser0 =
        Users.Windows_NT_Domain0 + '\' + Users.User_Name0
WHERE DriveType0=3
AND FreeSpace0 IS NOT NULL
AND ROUND(Disks.FreeSpace0*1.00/Disks.Size0*1.00,2) < 0.15

Sample Output

Computer Name	Drive Letter	% Free	Free Space (MB)	Disk Size (MB)	Primary User	User’s Name	E-mail Address	Telephone #	Given Name	Surname
Client01	C:	10	100	1000	LAB\Bob	Bob Smith	bob@contoso	4567	Bob	Smith
Client02	C:	0.2	2	1000	LAB\Kate	Kate Smith	kate@contoso	5678	KAte	Smith

Conclusion

The outputted list will be easy to Word’s Mail Merge feature to draft messages to end users to let them know that their machines are running out of disk space, that this may cause performance problems and IT can help. Alternatively, use this list to call end-users to schedule a visit (perhaps 15% isn’t good for calling but under 100MB or 50MB my justify a call).

This post was contributed by Saud Al-Mishari, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.

This comes up quite often, so I thought I share a method I came up with to enumerate open ports in VBScript using netstat. Basically the script, which is available here on TechNet Script Center, runs “netstat –a –n” and parses the output into the following format:

TCPv4\0.0.0.0:135
TCPv4\0.0.0.0:445
TCPv4\0.0.0.0:990
TCPv4\192.168.1.11:139
TCPv6\[::]:135
TCPv6\[::]:445
TCPv6\[::1]:5679
UDPv4\0.0.0.0:123
UDPv4\0.0.0.0:500
UDPv4\0.0.0.0:1434
UDPv4\127.0.0.1:1900
UDPv4\192.168.1.11:9
UDPv4\192.168.1.11:137
UDPv4\192.168.1.11:138
UDPv6\[::]:123
UDPv6\[::]:500
UDPv6\[::]:1434
UDPv6\[fe80::c02:48a0:3bd:f896%14]:1900

In DCM, you would configure CI setting with this script. The validation rules for this CI would validate against the returned list. For example:

'Not Contains' to exclude certain IP & ports (e.g. 'Not Contains' on 'TCPv4\0.0.0.0:445' (without quotes when entered in the console) would return non-complaint for any machines with TCPv4 445 open on all addresses
'Contains' to make sure a IP & port is open (e.g. 'Contains' on TCPv4\0.0.0.0:445' would return non-compliant for any machine with TCPv4 445 closed on all addresses (or 0.0.0.0))
'Does not end with' to check for only a port being closed on any address (e.g. 'Does not end with' on ':445' would return non-compliant for any machine with TCPv4 open on any address)

Here is what a simple set of CIs to look for ports 445 and 139 looks like from one of my test ConfigMgr clients:

Please let me know if you found this useful or any other feedback.

This post was contributed by Saud Al-Mishari, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.

Hi Everyone,

I haven’t posted anything in ages so I thought I’d post something simple but hopefully useful. We publish a list of all custom Configuration Manager 2007 errors in TechNet (it’s up here in case you haven’t seen it http://technet.microsoft.com/en-us/library/bb632794.aspx). Now, while this list is really good when you’re trawling through Trace32 looking at logs, it’s not so useful when you’re trying to figure out why clients are failing. We have a built-in report in Configuration Manager that provides this information, but again you get hex error codes (which are better than 32-bit decimal integers, but only a little). So what I did was take the report and add a massive case statement with all the custom scan error messages.

The new query for the scan errors can be found below. You can clone the existing report, and put the below query in the new report. Note that there may be some clipping on the blog page, but the underlying code is still there so when you highlight the text you’ll get the full line.

select us.UpdateSourceName as UpdateSource, 
    us.UpdateSourceDescription as Description,
    us.UpdateSourceVersion as Version, 
    us.SourceSite as SourceSitefrom v_SoftwareUpdateSource us with (NOLOCK) where us.UpdateSource_UniqueID = @UpdateSourceID select
    uss.LastStatusMessageID&0x0000FFFF as ErrorStatusID,
    asi.MessageName as Status,
    isnull(uss.LastErrorCode,0) as ErrorCode,
    dbo.fnConvertBinaryToHexString(convert(VARBINARY(8), isnull(uss.LastErrorCode,0))) as HexErrorCode,'Error Text' =CASE dbo.fnConvertBinaryToHexString(convert(VARBINARY(8), isnull(uss.LastErrorCode,0)))WHEN'8024402C'THEN'WU_E_PT_WINHTTP_NAME_NOT_RESOLVED: Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - The proxy server or target server name cannot be resolved.'WHEN'80244016'THEN'WU_E_PT_HTTP_STATUS_BAD_REQUEST: Same as HTTP status 400 – The server could not process the request due to invalid syntax.'WHEN'80244017'THEN'WU_E_PT_HTTP_STATUS_DENIED: Same as HTTP status 401 – The requested resource requires user authentication.'WHEN'80244018'THEN'WU_E_PT_HTTP_STATUS_FORBIDDEN: Same as HTTP status 403 – Server understood the request, but declines to fulfill it.'WHEN'80244019'THEN'WU_E_PT_HTTP_STATUS_NOT_FOUND: Same as HTTP status 404 – The server cannot find the requested URI (Uniform Resource Identifier).'WHEN'8024401A'THEN'WU_E_PT_HTTP_STATUS_BAD_METHOD: Same as HTTP status 405 – The HTTP method is not allowed.'WHEN'8024401B'THEN'WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ: Same as HTTP status 407 – Proxy authentication is required.'WHEN'8024401C'THEN'WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT: Same as HTTP status 408 – The server timed out waiting for the request.'WHEN'8024401D'THEN'WU_E_PT_HTTP_STATUS_CONFLICT: Same as HTTP status 409 – The request was not completed due to a conflict with the current state of the resource.'WHEN'8024401E'THEN'WU_E_PT_HTTP_STATUS_GONE: Same as HTTP status 410 – Requested resource is no longer available at the server.'WHEN'8024401F'THEN'WU_E_PT_HTTP_STATUS_SERVER_ERROR: Same as HTTP status 500 – An error internal to the server prevented fulfilling the request.'WHEN'80244020'THEN'WU_E_PT_HTTP_STATUS_NOT_SUPPORTED: Same as HTTP status 501 – Server does not support the functionality required to fulfill the request.'WHEN'80244021'THEN'WU_E_PT_HTTP_STATUS_BAD_GATEWAY: Same as HTTP status 502 – The server, while acting as a gateway or proxy, received an invalid response from the upstream server it accessed in attempting to fulfill the request.'WHEN'80244022'THEN'WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL: Same as HTTP status 503 – The service is temporarily overloaded.'WHEN'80244023'THEN'WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT: Same as HTTP status 504 – The request was timed out waiting for a gateway.'WHEN'80244024'THEN'WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP: Same as HTTP status 505 – The server does not support the HTTP protocol version used for the request.'WHEN'8024400A'THEN'WU_E_PT_SOAPCLIENT_PARSE: WUA client needs to be updated, message from server cannot be parsed.'WHEN'8024001E'THEN'WU_E_SERVICE_STOP: Operation did not complete because the service or system was being shut down.'WHEN'8024400D'THEN'WU_E_PT_SOAP_CLIENT: SOAP client found the message was malformed.'WHEN'80240032'THEN'WU_E_INVALID_CRITERIA: The search criteria string sent to WUA from ConfigMgr was marked as invalid by WUA.'WHEN'80240012'THEN'WU_E_DUPLICATE_ITEM: Failed to add file to the FileLocationList.'WHEN'80240032'THEN'WUA Error: Failed to end search job. WUA failed searching for update with error.'WHEN'8024001D'THEN'WUA Error: An update contains invalid metadata.'WHEN'C80003F3'THEN'hrOutOfMemory: The computer is out of memory. Generally reported when WSUS try to initialize its datastore.'WHEN'C800042D'THEN'hrVersionStoreOutOfMemory: Generally reported when the WUA is unable to update %WINDIR%\SoftwareDistribution folder.'WHEN'80040692'THEN'ConfigMgr Custom Error: Group Policy conflict. Check domain GPOs applying to this machine.'WHEN'80040693'THEN'ConfigMgr Custom Error: WUA version is lower than expected. Upgrade WUA.'WHEN'80040708'THEN'ConfigMgr Custom Error: Software Updates Install not required.'WHEN'80040709'THEN'ConfigMgr Custom Error: Failed to resume the monitoring of the process.'WHEN'8004070A'THEN'ConfigMgr Custom Error: Invalid command line.'WHEN'8004070B'THEN'ConfigMgr Custom Error: Failed to create process.'WHEN'8004070C'THEN'ConfigMgr Custom Error: Software update execution timeout.'WHEN'8004070D'THEN'ConfigMgr Custom Error: Software update failed when attempted.'WHEN'8004070E'THEN'ConfigMgr Custom Error: Empty command line specified.'WHEN'8004070F'THEN'ConfigMgr Custom Error: Invalid updates installer path.'WHEN'80040710'THEN'ConfigMgr Custom Error: Failed to compare process creation time.'WHEN'80040711'THEN'ConfigMgr Custom Error: Software updates deployment not active yet; for example, start time is in the future.'WHEN'80040712'THEN'ConfigMgr Custom Error: A system restart is required to complete the installation.'WHEN'80040713'THEN'ConfigMgr Custom Error: Software updates detection results not received yet.'WHEN'80040714'THEN'ConfigMgr Custom Error: User based install not allowed as system restart is pending.'WHEN'80040715'THEN'ConfigMgr Custom Error: No applicable updates specified in user install request.'WHEN'80040154'THEN'ConfigMgr Custom Error: Class not registered. Try repairing the ConfigMgr client.'WHEN'80040668'THEN'ConfigMgr Custom Error: Software update still detected as actionable after apply.'WHEN'80040600'THEN'ConfigMgr Custom Error: Scan Tool Policy not found.'WHEN'80040602'THEN'ConfigMgr Custom Error: Out of cache space.'WHEN'80040603'THEN'ConfigMgr Custom Error: The ScanTool Policy has been removed, this prevents completion of Scan Operations. (E_SCANTOOL_NOTFOUND_INJOBQUEUE)'WHEN'80040604'THEN'ConfigMgr Custom Error: Scan Tool has been Removed. (E_FAIL_SCAN_TOOL_REMOVED)'WHEN'80040605'THEN'ConfigMgr Custom Error: Scan Tool Policy not found. (E_FAIL_OFFLINE_SCAN_HISTORY_NOT_FOUND)'WHEN'80040608'THEN'configMgr Custom Error: Out of cache space.'WHEN'80008201'THEN'ConfigMgr Custom Error: Out of cache space.'WHEN'80008202'THEN'ConfigMgr Custom Error: Cache size is smaller than requested content''s size.'WHEN'8007000E'THEN'Win32 Error: Not enough storage is available to complete this operation.'WHEN'800705B4'THEN'Win32 Error: The operation returned because the timeout period expired.'WHEN'80070050'THEN'Win32 Error: The file already exists.'WHEN'80070005'THEN'Win32 Error: Access Denied.'WHEN'8007041D'THEN'Win32 Error: The service did not respond to the start or control request in a timely fashion.'WHEN'80004002'THEN'Win32 Error: No such interface supported.'WHEN'80072EE2'THEN'ERROR_INTERNET_TIMEOUT: The request has timed out.'WHEN'80072EEC'THEN'ERROR_INTERNET_SHUTDOWN: WinINet support is being shut down or unloaded.'WHEN'80072F84'THEN'ERROR_INTERNET_SERVER_UNREACHABLE: The Web site or server indicated is unreachable.'WHEN'80072F7D'THEN'ERROR_INTERNET_SECURITY_CHANNEL_ERROR: The application experienced an internal error loading the SSL libraries.'WHEN'80072F89'THEN'ERROR_INTERNET_SEC_INVALID_CERT: SSL certificate is invalid.'WHEN'80072F8A'THEN'ERROR_INTERNET_SEC_CERT_REVOKED: SSL certificate was revoked.'WHEN'80072F19'THEN'ERROR_INTERNET_SEC_CERT_REV_FAILED: Certificate revocation check failed.'WHEN'80072F17'THEN'ERROR_INTERNET_SEC_CERT_ERRORS: The SSL certificate contains errors.'WHEN'80072F05'THEN'ERROR_INTERNET_SEC_CERT_DATE_INVALID: SSL certificate date that was received from the server is bad. The certificate is expired.'WHEN'80072F06'THEN'ERROR_INTERNET_SEC_CERT_CN_INVALID: SSL certificate common name (host name field) is incorrect—for example, if you entered www.server.com and the common name on the certificate says www.different.com.'ELSE'Unknown Error'END,count (*) as NumberOfComputers,
    @UpdateSourceID as UpdateSourceID,
    @CollID as CollectionIDfrom v_UpdateScanStatus uss with (NOLOCK) join v_ClientCollectionMembers ccm with (NOLOCK) on ccm.ResourceID=uss.ResourceID and ccm.CollectionID=@CollIDjoin v_SoftwareUpdateSource sus with (NOLOCK) on sus.UpdateSource_ID=uss.UpdateSource_IDleftjoin v_AdvertisementStatusInformation asi with (NOLOCK) on uss.LastStatusMessageID&0x0000FFFF=asi.MessageIDwhere sus.UpdateSource_UniqueID=@UpdateSourceID and uss.LastStatusMessageID <> 0groupby uss.LastStatusMessageID, isnull(uss.LastErrorCode,0), asi.MessageNameorderbycount(*) desc

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.

This post was contributed by Saud Al-Mishari, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.

A while back (2 years to be precise) Saud posted a list of resources to do with ConfigMgr. Below is a well overdue update to that list:

ConfigMgr Resources/Information:

Learning:
- TechCenter on TechNet: http://technet.microsoft.com/en-us/configmgr/default.aspx
- Features (Technical Content): http://technet.microsoft.com/library/bb680550.aspx
- Virtual Labs: http://technet.microsoft.com/en-us/configmgr/bb539977.aspx
- Webcasts: http://www.microsoft.com/events/series/technetmms.aspx?tab=webcasts&id=42364
- Audiocasts (WMA): http://technet.microsoft.com/en-us/configmgr/bb727202.aspx
- TechNet Virtual Labs, ConfigMgr: http://technet.microsoft.com/configmgr/bb539977.aspx

Download Service Pack 2 Here: http://www.microsoft.com/downloads/details.aspx?FamilyID=3318741a-c038-4ab1-852a-e9c13f8a8140&displaylang=en (Upgrade download, Full Evaluation download available here). Configuration Manager 2007 SP1 left support on January, 11^th, 2011 (http://support.microsoft.com/lifecycle/?p1=12769).
Open (public) Betas Invites & Product Feedback. Note: the Connect sites have information about both R3 and v.Next.
- Configuration Manager 2012: https://connect.microsoft.com/ConfigurationManagervnext/program4346
- Product Feedback: smswish@microsoft.com
- Documentation Feedback: smsdocs@microsoft.com
Windows Server 2008and Server 2008 R2and Configuration Manager: http://technet.microsoft.com/en-us/library/cc431377.aspx

· PFE worldwide Blogs, News and Announcements:http://www.opsvault.com/
- o System Center Configuration Manager 2007 Toolkit V2: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5a47b972-95d2-46b1-ab14-5d0cbce54eb8&displaylang=en

Blogs:
- Product Team:
  - System Center Product Team: http://blogs.technet.com/systemcenter/
  - Configuration Manager Product Team: http://blogs.technet.com/configmgrteam/
  - Configuration Manager Support Team: http://blogs.technet.com/configurationmgr/
- PFE UK Manageability: http://blogs.technet.com/b/manageabilityguys
- The Deployment Guys (TechNet): http://blogs.technet.com/deploymentguys
- Steve Rachui – PFE (MSDN): http://blogs.msdn.com/steverac/
- ConfigMgr Writers – team of writers behind production documentation (TechNet): http://blogs.technet.com/wemd_ua_-_sms_writing_team/
- Adam Meltzer – ConfigMgr Developer (MSDN): http://blogs.msdn.com/ameltzer/
ConfigMgr KB Article RSS Feed: http://support.microsoft.com/common/rss.aspx?rssid=12769&ln=en-us
Tools:
- System Center Update Publisher (tool used to publish custom updates) TechCenter: http://technet.microsoft.com/manageability/bb741049.aspx
- Acresso (formerly InstallShield) AdminStudio Configuration Manager Edition: http://technet.microsoft.com/en-us/configmgr/bb932316.aspx.

Catalogues:
- Desired Configuration Monitoring, Configuration Catalogues: http://technet.microsoft.com/en-us/configmgr/cc462788.aspx
- 3^rd Party Custom Catalogues for Updates: http://technet.microsoft.com/en-us/configmgr/bb892875.aspx
System Center Partners (3^rd Party): http://www.microsoft.com/systemcenter/en/us/alliance-members.aspx
- Dell:
  - Dell & System Center: http://www.dell.com/content/topics/global.aspx/sitelets/solutions/management/microsoft_sms
  - Dell ConfigMgr Wiki: http://www.delltechcenter.com/page/SCCM+-+System+Center+Configuration+Manager
  - OSD Extension, Dell Deployment Pack for ConfigMgr: http://www.delltechcenter.com/page/Dell+Deployment+Pack+for+Configmgr+%28Server+Deployment%29
- HP:
  - HP Management Integration Solutions for Microsoft: http://h18013.www1.hp.com/products/servers/management/integration/ms_integration.html
  - OSD Extension, HP Insight Control Suite for System Center: https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPICE-SC
- IBM:
  - Microsoft System Management Solutions for IBM Servers: http://www.ibm.com/systems/management/director/partners/microsoft/
  - OSD Extension, IBM Deployment Pack for Microsoft System Center Configuration Manager 2007: http://publib.boulder.ibm.com/infocenter/toolsctr/v1r0/topic/dpsccm/dpsccm_ic_product_page.html
ConfigMgr Community (including sites like myitforum.com that have community content): http://technet.microsoft.com/configmgr/bb625749.aspx
Product Information (Sales/Business Content): http://www.microsoft.com/systemcenter/configurationmanager/en/us/default.aspx

ConfigMgr Design Resources

Configuration Manager Planning and Deployment Overview: http://technet.microsoft.com/en-us/library/bb693806.aspx
Planning and Deploying the Server Infrastructure for Configuration Manager 2007: http://technet.microsoft.com/en-us/library/bb680397.aspx
Planning and Deploying Clients for Configuration Manager 2007: http://technet.microsoft.com/en-us/library/bb680373.aspx
Configuration Manager Supported Configurations: http://technet.microsoft.com/en-us/library/bb680717.aspx
Configuration Manager Sample Configurations and Common Performance Related Questions: http://go.microsoft.com/fwlink/?LinkID=113136.

OS Deployment

Desktop Deployment TechCenter on TechNet: http://technet.microsoft.com/en-us/desktopdeployment/default.aspx
Microsoft Desktop Deployment Toolkit: http://www.microsoft.com/downloads/details.aspx?familyid=3bd8561f-77ac-4400-a0c1-fe871c461a89&displaylang=en
- Microsoft Deployment Toolkit 2010 is the newest version of Microsoft Deployment Toolkit, a Solution Accelerator for operating system and application deployment. MDT 2010 supports deployment of Windows 7 and Windows Server 2008 R2 in addition to deployment of Windows Vista, Windows Server 2008, Windows Server 2003, and Windows XP.
Application Compatibility Guidance: http://technet.microsoft.com/en-gb/desktopdeployment/bb414773.aspx
Application Compatibility Toolkit: ACT is a collection of tools to inventory, assess and help fix applications for Windows Vista deployment projects. This update to ACT includes new tools to assess application compatibility with Internet Explorer 8 and detect potential application compatibility issues caused by Windows Vista or Windows Server 2008 security updates. http://technet.microsoft.com/library/cc507852.aspx

Out of Band Management

· Configuring Out of Band Management: http://technet.microsoft.com/en-us/library/cc161822.aspx
· Troubleshooting Out of Band Management: http://technet.microsoft.com/en-us/library/cc161834.aspx
· Intel resources:
- Infrastructure Prep Checklist for Microsoft SCCM: http://communities.intel.com/docs/DOC-2300
- SCCM / vPro Common Issues and Potential Resolutions:
  - § SP1: http://communities.intel.com/docs/DOC-1627
  - § SP2: http://communities.intel.com/docs/DOC-4153

This post was contributed by Rob York, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.

Hi Everyone,

This is our first post in a long while, we've had our heads down ramping up on System Center 2012 and helping the first wave of early adopters. As part of some of the work we've done, we found one common scenario where customers are looking to migrate their server patching from WSUS to System Center 2012 Configuration Manager. For desktop migrations, customer are usually happy to take all updates or the majority of updates and just start fresh. For servers, they want to be sure that they only thing they pull across is whatever was approved by change and release management.

To this end, I've written up a couple of sample scripts that help with this migration. The first script dumps a list of all approvals to all software update groups. The second script takes this list and create Software Update Groups (or Update Lists if you're using 2007) for each computer group with an update per approval. The reason these steps were split was to allow for manual review of the exported list. We found certain updates need clean up prior to importing into WSUS...and some simple Excel clean up does the trick (look for blank fields - these are usually software update titles that have wrapped).

The first script will output the list to console, so you'll need to pipe the script output into another file (powershell.exe script.ps1 > output.csv). The second script will show a progress bar as it imports, and uses a combination of T-SQL to get CI_IDs from the database and WMI via the provide to create the software update group and add the updates to the group.

NOTE: you may end up with more than 1000 updates in a single update group, something we don't recommended for Configuration Manager, so consider either splitting those groups into separate groups or doing some cleanup/fixup in Excel to split the authorizations being imported.

Both scripts can be found on the TechNet Script Center's Repository:

Export Script: http://gallery.technet.microsoft.com/scriptcenter/Export-WSUS-Approvals-per-59b89a53
Import Script: http://gallery.technet.microsoft.com/scriptcenter/Import-WSUS-Approvals-into-475bff65

Hopefully these scripts will make your migration to Configuration Manager a little bit easier.

Keep in mind those that these scripts are sample scripts only and should be tested thoroughly prior to use in any production environments.

Regards,

Saud

Hi All,

One more quick one for you. This script shows how to use a CSV file as a data source and map to assign software to a given user role or department using a Install Software step in ConfigMgr. The step allow you to simplify and condense your task sequences. The description on TechNet Script Center has more details on how to use the script and customize it. I basically wrote it because we often talk to customers about how to do this but it is hard to explain much less demo. Hopefully the script will achieve that goal.

Ultimately, the script is just a way for you to see what is possible and how it can be used. You could feed the data from the MDT database, a custom database, task sequence variables or even a web service if you wanted (plus, it is a sample script, so no production use without testing, etc.)

Here is the script: http://gallery.technet.microsoft.com/scriptcenter/Install-Multiple-Software-e05d2f39

Enjoy!

Regards,

Saud

A not so techie post today. J

The ConfigMgr UX team (docs team) blog here that explain how to use a feature of Bing to search their documentation (the MSDN/TechNet team's SDK blog post here about the feature). This feature lets you search just for the documentation for System Center 2012 Configuration Manager rather that all of TechNet. This is very useful when you're looking for a common term, but only in the context of ConfigMgr. This feature is also in the documentation of this feature for use with ConfigMgr here.

Here are some helpful product filters for System Center 2012 to nodes in TechNet:

 App Controller
site:technet.microsoft.com meta:search.MSCategory(hh552973)
(link to Bing results)

 Configuration Manager
site:technet.microsoft.com meta:search.MSCategory(gg682056)
(link to Bing results)

 Data Protection Manager
site:technet.microsoft.com meta:search.MSCategory(hh758347)
(link to Bing results)

 Endpoint Protection
site:technet.microsoft.com meta:search.MSCategory(hh479670)
(link to Bing results)

 Operations Manager
site:technet.microsoft.com meta:search.MSCategory(hh546788)
(link to Bing results)

 Orchestrator
site:technet.microsoft.com meta:search.MSCategory(hh237244)
(link to Bing results)

 Service Manager
site:technet.microsoft.com meta:search.MSCategory(hh546791)
(link to Bing results)

 Virtual Machine Manager
site:technet.microsoft.com meta:search.MSCategory(gg610702)
(link to Bing results)

<geeky_explanation>

This feature allows to use Bing to directly search against the meta HTML tags that sites use to tag their sites. Meta tags are sort of like headers, but in the HTML. The search.MSCategory tag is a special tag for search engines…to get it for a page, we need to use the special robot version of the page, for example the VMM documentation here can be access using the robot page here: http://technet.microsoft.com/library/gg610610(robot).aspx. Once you have that, hit View Source in IE. You'll see a bunch more meta HTML tags versus the normal page, one of which will be the search.MSCategory we are looking for. You'll see a few in of them as follows:

 bb126093 = TechNet Library

 cc138020 = System Center

 hh546793 = System Center 2012

 gg610702 = Virtual Machine Manager

How do I know the friendly name? This maps to the nodes in the site as follows:

With that, we can now plug the following string into Bing site:technet.microsoft.com meta:search.MSCategory(gg610702) to search for information about VMM. For example, to get information about WSUS relating to VMM 2012: http://www.bing.com/search?q=WSUS+site%3Atechnet.microsoft.com+meta%3Asearch.MSCategory%28gg610702%29

Now…the fun bit is this works for other meta HTML tags in the robot view, some interesting ones:

 Search.MSHAttr.DCS.appliesToProduct (for example, SCServiceManager or SCConfigurationManager)

 Search.MSHAttr.DCS.appliesToVersion (for example, 2012 or 2007 )

 Search.MSHAttr.appliesToProduct (for example, System Center 2012 Configuration Manager)

</geeky_explanation>

Happy Binging! J

Saud

We had an interesting thread internally on Untrusted Forests and hierarchies in System Center 2012 Configuration Manager. As part of that thread we discovered that Neil Peterson has a series of posts covering the various options. These are definitely worth reviewing if you're in the situation where you have to support Untrusted Forests:

Blog 1 - Simple Management of a few cross forest clients (Lookup MP / SLP type functionality) -
Blog 2– More complex management of a larger number of cross forest clients (introduce forest discovery, cross forest system discovery, and cross forest client push installation).
Blog 3 - Introducing the placement of Configuration Manager infrastructure (MP, DP) in the non-trusted forest environment.
Blog 4– Child site placement (Child Primary or Secondary) in the cross forest environment.

<soap_box>

Keep in mind that if you setup untrusted forests to achieve security segregation (remember that the forest is the security boundary in AD), you may be breaching that segregation by managing everything with Configuration Manager. Doesn't mean you should look to use a single hierarchy in your environment; however, you should be clear on your requirements, including business, IT operations and security.

</soap_box>

Saud

Hi All,

As hopefully most of you are aware we released KB article 2801987 for System Center 2012 Configuration Manager SP1. This update provides a new version of MicrosoftPolicyPlatformSetup.msi (a prerequisite for CI-related activities, in case you were wondering such as DCM, AppMgmt and so on). If you install 2801987 you won't need to install the Windows update provided in Security Advisory 2749655for Configuration Manager. I highlight this, because the Windows update addresses this generically for other products/updates rather than just Configuration Manager (or specifically MicrosoftPolicyPlatformSetup.msi).

That said, one thing that crops up is that the cert used to sign MicrosoftPolicyPlatformSetup.msi expires in March, 2013. Does this mean that you'll need a new hotfix in March this year to install the client because the cert expires then?

The answer is no, you won't have to install new hotfix in March, 2013 because of the cert expiring then.

Why? The reason for this is that the issue described in Security Advisory 2749655 and the hotfix 2801987 has to do not with the signing certificates themselves expiring but with the a missing timestamp. From 2749655:

Microsoft is aware of an issue involving specific digital certificates that were generated by Microsoft without proper timestamp attributes. These digital certificates were later used to sign some Microsoft core components and software binaries. This could cause compatibility issues between affected binaries and Microsoft Windows...

The timestamping extension to digital signatures basically allows a signature (and cert) to be marked as valid at the time of signing. That basically means that a certificate is valid until a certificate is revoked by the Certificate Authority (CA) or marked as untrusted. Timestamping allows those signatures and the binaries they sign to have an indefinite lifecycle, rather than an arbitrary limit. From Security Advisory Security Advisory 2749655:

How are timestamp Enhanced Key Usage (EKU) extensions used?
Per RFC3280, timestamp Enhanced Key Usage (EKU) extensions are used to bind the hash of an object to a time. These signed statements show that a signature existed at a particular point in time. They are used in code integrity situations when the code signing certificate has expired, to verify that the signature was made before the certificate expired. For more information about certificate timestamps, see How Certificates Work and Windows Authenticode Portable Executable Signature Format.

Hopefully this helps to clarify things for this update!

Saud.

There has been a lot of discussion recently around boundaries in Configuration Manager...do you use ranges or subnets? All ranges or all subnets? What about AD sites? The ConfigMgr product team as put out blog on this here: http://blogs.technet.com/b/configmgrteam/archive/2013/03/01/when-not-to-use-ip-address-ranges-as-boundaries-in-configuration-manager.aspx. Rod Trent has raised a few questions and highlighted community feedback over on myITForum: http://myitforum.com/myitforumwp/2013/03/02/official-microsoft-blog-on-ip-address-ranges-as-configmgr-boundaries-met-with-instant-rebuttal/.

Now - I'm not going to step foot into either camp (or even acknowledge any camps). Rather...I want to discuss how subnets and ranges are used internally by ConfigMgr.

Subnets

Subnets in a ConfigMgr are a client-side (or more accurately a network host) view of networking. We'll comeback to that in a second; however, that is one of the major reasons supernets don't exist in ConfigMgr (let alone being supported). Supernets are a network construct for a way of grouping like subnets to make their management and routing more simple. A supernet is like saying all of Japan is supernet A, composed of Tokyo office subnets 1, 2 & 3. We might want to serve that location through a single ConfigMgr server or site.

That said, let's go back to client-side. A client only knows about its IP address and subnet mask. It doesn't know anything else. It uses that to determine if an IP address is local or remote (something that needs to be routed by a gateway/router). It is the ConfigMgr client on that network host (Windows device) that determines its IP subnet by applying its subnet mask against its IP address.

Now - you might think that's simple and too basic; but it is the ConfigMgr client that drives this entire subnet process. It's a client sends content location request, along with SUP and MP list within 2012. When a client does a location request to the MP for content (e.g. packages) it does so by supplying its subnet to the MP. You can see this by turning on trace logging and looking at Location Services log files or the MP log files (if you have a few clients) - or even firing up NetMon and doing a network trace. The MP passes the subnet by calling a SQL query with that information to determine if the content/site system is available on that subnet or a remote one (Jason discusses this more in his blog, http://blogs.technet.com/b/configmgrteam/archive/2013/03/01/when-not-to-use-ip-address-ranges-as-boundaries-in-configuration-manager.aspx). This is a fairly straight forward comparison of the supplied subnet against a list of subnets. Obviously...as you get more and more subnets this gets more computationally expensive - but it still string lookup against a list of strings, not the end of the world in SQL complexity.

IP Ranges

IP ranges are conceptually simple. They aren't even really supernets, there just a range of addresses. The determination of if a client falls into a range, unlike a subnet, is done by the ConfigMgr server infrastructure. Specifically it is done by SQL Server. Again, in the location request you'll see an IP address sent up by the client. The MP passes that to the SQL Server, and the SQL Server does the determination of where that IP address falls into. Again, Jason discusses this further and discusses why this is a more complex operation than a simple lookup of a subnet we talked about above. Since the individual query is expensive, adding lots of them burns up more SQL Server resources.

Real world

Some customers I have worked with have subdivided a subnet into two different IP ranges to support different sites serving different departments or client types. For example, PCs can only talk to Global End User team's server (not my North America team's server) or Retail Banking cannot talk to Treasury servers (if they contained the same packages). That's an example of something bad, and something I'd strongly advise my customers against when working with them. Valid ways of using might include (I say might include because the below is not exhaustive):

You might use IP Ranges when you have been provided with supernets by your networking team (in my Tokyo example, I might group those three subnets into a single IP Range).
You might use them when your AD sites have been consolidated heavily and DC have been consolidated. This helps you maintain granularity needed for ConfigMgr.
You might use them you have a tremendous amount of subnets in your environment (you network team is using subnet masks like 255.255.255.128 or .192 to create very small ranges)
You might also need them when dealing with the VPN client scenario (naturally :-)

The key is - don't just start throwing IP Ranges just because they work. Have a think about it. Know the trade-off when using something more complex internally within the product and costs you more database perf resources but easier to administer. It's a trade off...

You could probably create millions of IP Ranges, if you get your boss to sign off on 512GB of RAM for SQL Server and a SSD SAN...kidding... ;)

Happy ConfigMgr'ing - Saud

P.S. If your going to MMS - catch my session on reporting in ConfigMgr 2012 SP1 here: http://www.2013mms.com/topic/details/UD-B338

Hi,

Thanks for attending or watching my session at MMS 2013 on reporting in Configuration Manager. The session video is posted here: http://channel9.msdn.com/Events/MMS/2013/UD-B338. The following are resources related to the session or you might find interesting:

T-SQL Statements along with Excel 2013 PowerPivot xlsx file http://gallery.technet.microsoft.com/scriptcenter/Count-of-EP-Definition-59c06ea2 (I have posted this here as it gives better formatting for T-SQL along with file attachment capabilities)
Getting started with Power View: http://office.microsoft.com/en-us/excel-help/power-view-explore-visualize-and-present-your-data-HA102835634.aspx
Dashboarding in SharePoint: http://office.microsoft.com/en-us/sharepoint-server-help/getting-started-with-dashboards-HA010380601.aspx

There were also quite a few other SQL & Reporting related session for Configuration Manager at MMS 2012:

What's New: Configuration Manager 2012 SP1 Infrastructure Improvements and Hierarchy Design: http://channel9.msdn.com/Events/MMS/2013/UD-B333 (This is a Product Group led session)
The Top Ten Lessons Learned in Managing SQL & Reporting: http://channel9.msdn.com/Events/MMS/2013/UD-B328 (This is a session by Microsoft IT on how they do reporting for Configuration Manager)
SQL Server 2012 for System Center Administrators: http://channel9.msdn.com/Events/MMS/2013/UD-B324 (a session by two PFEs I know)
Advanced SQL Query Techniques: Beyond the Basics: http://channel9.msdn.com/Events/MMS/2013/UD-B407 (a 400-level MVP session)

If you have any questions, ping me on @saud_ms or use the comments below.

Regards,
Saud

These postings are provided "AS IS" with no warranties, and confer no rights.

This blog is an update of my System Center Configuration Manager 2007 blog post (available here: http://blogs.technet.com/b/manageabilityguys/archive/2009/11/19/client-network-traffic-tests.aspx) to System Center 2012. This post will provide the results, the other two posts will provide how to do this manually using Excel with more context and the other post will provide an example PowerShell script that helps (let me know via the comments which of the two you'd prefer and I'll use that to prioritise things J). In a change from the 2007 blog post, I've gone to using IIS logs instead of NetMon. While this does mean that there is a small amount of traffic lost (IP headers, TCP headers) the benefit is that the data can be easily reviewed in Excel if you know what you're looking for or parsed with PowerShell (or whatever programming language you prefer).

To perform this sort of testing you need to enable a few things in IIS logging. Basically, the process is:

Change IIS log settings to include sc-bytes and cs-bytes (server to client and client to server bytes respectively)
Perform Activity using the client control panel applet, making note of the timings
- To reset the Windows Update Agent repository and force a re-download of metadata, stop the Windows Update/Automatic Update service and rename C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
- To reset the state message store, see http://msdn.microsoft.com/en-us/library/cc146437.aspx (this is a 2007 article, still works for 2012 though)
- To reset the hardware inventory history and force a re-sync, see http://msdn.microsoft.com/en-us/library/cc144592.aspx (again, a 2007 article but works for 2012)
Review the log files

Here are the results from the testing:

Activity	Type	Average Total Bytes	HTTP Requests Counted	Average Client to Server Bytes	Average Server to Client Bytes
Policy Polling Request (Note: 1 HTTP request/client poll)	MP	5,217	25	242	4,975
Software Update Scan (Regular/On-going)	MP	Varies based on WU/MU/WSUS update metadata
Software Update Scan (Regular/On-going)	SUP	Varies based on WU/MU/WSUS update metadata
Software Update Scan (Fresh AU DB) (Note: single client refresh, including re-sync of state messages)	MP	11,626	5	9,977	1,649
Software Update Scan (Fresh AU DB) (Note: single client refresh)	SUP	8,941,583	45	356,298	8,585,285
Hardware Inventory (Delta) (Note: This is heavily variable. In this example, the delta was run immediately following the re-sync.)	MP	6,274	3	2,561	672
Hardware Inventory (Re-sync)	MP	60,814	7	59,334	1480
Hardware Inventory (Full)	MP	61,007	3	60,334	673
Software Inventory (Full) (Note: Single client tested, with.dll & .exe rules, including the Windows directory)	MP	1,332,003	4	1,331,125	878
Software Inventory (Delta) (Note: heavily variable. In this example, the delta was run immediately following the re-sync)	MP	6,072	3	5,399	673
Software Distribution Policy Poll (Advert Download) (Note: not tested for 2012, for reference)	MP	14,452	1	6,161	8,291
Application Management Policy Retrieval (Note: Single Client Requesting Single Application)	MP	50,000	66	16,109	33,897
BGB (1 HTTP request/client/5 minutes) (Note: only applies when BGB TCP port is not available)	MP	1,424	570	1,105	319

Notes on Test Configuration that may impact results

Application Management test software:

App-V 5.0 install
Single DT, script/setup.exe type
No dependencies

Software Inventory Configuration:
- Inventory Rules: *.exe, *.dll (Exclude Windows directory was disabled, therefore the Windows directory was included)
Hardware Inventory Configuration:
- Standard SMS_DEF.MOF --> All AI configurations turned on
Software Updates Configuration:
- Last Synched: 22/04/2013, 00:20 (GMT/UTC+1)
- Products
  - All Developer Tools, Runtimes, and Redistributables
  - Forefront Endpoint Protection 2010 (Note: for SCEP definitions)
  - Office 2010
  - CAPICOM
  - Silverlight
  - Skype for Windows
  - Microsoft SQL Server 2012, SQL Server 2008, SQL Server 2008 R2
  - System Center 2012 products (not SP1)
  - Windows 7, Windows 8, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012,
- Classifications
  - Critical Updates
  - Definition Updates
  - Security Updates
  - Service Packs
  - Update Rollups
Client Configuration:
- Windows 8
- Office 2013 Professional (Note: that this product was not configured in SUP/WSUS at the time of testing)
- Programs Registered in Add/Remove Programs: 11
- Updates Registered in Add/Remove Programs: 6

Hopefully this post helps you get your Configuration Manager rollout moving. The other posts in this series should be coming along in the next couple of weeks (but I do have a day job and customers to keep happyJ).

Saud

This post was contributed by Saud Al-Mishari, a Premier Field Engineer with Microsoft Premier Field Engineering, UK.

Hi All,

We made some major announcements at TechEd North America 2013 around System Center 2012 R2 & Windows Server 2012 R2. Based on that, I thought I would share the following list of Windows Server 2012 R2 and System Center 2012 R2 content with you. This is basically I list I built for the team internally but I think it might be of some benefit for y'all to view.

Channel 9 Apps

 Events App (Windows 8 and Windows Phone, good for viewing schedules – plus other platforms): http://channel9.msdn.com/Blogs/TechEd/Stay-Connected-with-the-Ch9-Events-App#fbid=-Z_200XYHZt

 Windows 8 Channel 9 app (allows viewing videos on Windows 8 and RT after TechEd): http://apps.microsoft.com/windows/app/channel-9/29b1eeb0-9d70-482d-9bcb-291014cb9fb1

Windows Server 2012 R2 sessions

 Intros/What's New:

o Introduction to Windows Server 2012 R2

o Hyper-V - What's New in Windows Server 2012 R2

o What's New in Windows Server 2012 R2 Networking

o Internet Information Services: What's New in Window Server 2012 R2

o Storage Spaces: What's New in Windows Server 2012 R2

o Storage and Availability Improvements in Windows Server 2012 R2

 Depth Content and Scenarios:

o Virtualization

 Upgrading Your Private Cloud with Windows Server 2012 R2

 Enhancements with Window Server 2012 R2 Hyper-v Replica

 Building Hosted Clouds Using Windows Server 2012 R2

o Storage

 Storage Changes in Windows Server 2012 R2

 Windows Server 2012 R2: Enabling Windows Server Work Folders

 Deploying Windows Server 2012 R2 File Services for Exceptional $/IOPS

o Networking

 Deep Dive on Hyper-V Network Virtualization in Windows Server 2012 R2

 Network Automation Using Window Server 2012 R2 IPAM

 Networking for Cloud Services in Windows Server 2012 R2

o Availability

 Continuous Availability: Deploying and Managing Clusters Using Windows Server 2012 R2

 Windows Server 2012 R2 Clustering

o Desired State Configuration with Windows Server 2012 R2

System Center 2012 R2 sessions

 Introduction to System Center 2012 R2

 Configuration Manager & Intune

o Microsoft System Center 2012 SP1 - Configuration Manager Overview (Actually includes R2 content )

o What's New in Infrastructure: Microsoft System Center 2012 SP1 - Configuration Manager… (Actually includes R2 content)

o What's New with Microsoft Deployment Toolkit 2012 Update 1 (Include MDT 2013 info)

o Windows Intune Overview (Includes R2 and Intune changes)

o Deploying and Configuring Mobile Device Management Infrastructure with Microsoft System Center 2012… (Includes R2 content)

o Application Delivery with Microsoft System Center 2012 SP1 - Configuration Manager and Windows Intune (includes R2 content towards the end)

o Unified Modern Device Management with Microsoft System Center 2012 SP1 - Configuration Manager… (Includes R2 content)

 Data Protection Manager

o Automate Private Cloud Protection and Recovery with Microsoft System Center 2012 - Data Protection…

 Operations Manager

o Microsoft System Center 2012 SP1 - Operations Manager: Overview and What's New (Yes, this includes R2 content as well)

 Orchestrator

o Microsoft System Center 2012 R2 Automation

 Virtual Machine Manager:

o What's New in Microsoft System Center 2012 R2 - Virtual Machine Manager

o Building Cloud Services with Windows Server 2012 R2, Microsoft System Center 2012 R2 and the Windows…

o Everything You Need to Know about the Software Defined Networking Solution from Microsoft

Windows 8.1 sessions

 What's New in Windows 8.1 Security: Overview (repeats on 6/4 at 5 pm)

 What's New in Windows 8.1 Security: Modern Access Control Deep Dive

The ConfigMgr product team has just released an update to the Unix/Linux client. This update adds support for AIX, HP-UX, Solaris 11, CentOS, Debian, Oracle Linux and Ubuntu. It also introduces a new common Open Management Infrastructure CIM server (OMI version 1.0.6.5), along with simplified common universal agent for cross distro support in Linux and various other minor updates. The new agents can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=36212.

The Support Configuration for Configuration Manager has been updated to reflect the changes, and lists the specific versions of each distribution supported: http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigLnUClientReq

The Linux/Unix client product documentation on TechNet has also been updated to reflect the release of the update agent:

http://technet.microsoft.com/en-us/library/jj573947.aspx

http://technet.microsoft.com/en-us/library/jj573941.aspx

http://technet.microsoft.com/en-us/library/jj573937.aspx

There is also a new excellent section of documentation that explains how to extend hardware inventory: http://technet.microsoft.com/en-us/library/jj573945.aspx. (warning this is straightforward, if you're a *nix admin :-) and does require some significant knowledge of OMI but links are provided to their documentation).

At least we can now say ConfigMgr supports the same *nix distros as OpsMgr. ;)

ConfigMgr and Powershell

Client Activity Summary Report

What AI data is in your database?

Client Network Traffic tests

Obtaining a list of AI Microsoft Products

Being proactive with ConfigMgr series

Being Proactive with ConfigMgr: Users with Low Disk Space

Enumerate Open Ports Script for DCM

How to get a report with Friendly scan errors

Useful ConfigMgr Resources (Updated)

Migrating from WSUS to Configuration Manager

Install Software step: Multiple Software sample script

How to search System Center 2012 documentation on TechNet using Bing (no…not that way)

System Center 2012 Configuration Manager and Untrusted Forests

Hotfix 2801987 is out for 0x800b0101, but the cert expires in March

A subnet by any other name...

MMS 2013 UDB-338 Additional Content

System Center 2012 Configuration Manager Client Network Traffic Estimates (Series, Part 1 of 3)

System Center 2012 R2 and Windows Server 2012 R2 content from TechEd North America 2013

Unix/Linux Support in ConfigMgr 2012 Updated