~ Subbulakshmi Kumar | Support Engineer

System Center Updates Publisher (SCUP) is an independent tool that enables us to import third party software update catalogues, create and modify software update definitions, export update definitions to catalogs and publish software updates information to a configured Windows Server Update Services (WSUS) server (the update server). By importing third party updates into SCUP and publishing them to WSUS, the software updates component in System Center 2012 Configuration Manager (ConfigMgr 2012) is able to synchronize the custom updates from the WSUS server database to the site server database.

Supported Operating Systems

System Center Updates Publisher 2011 is supported on the following operating systems:

• The Windows Vista operating system
• The 64-bit editions of the Windows Vista operating system
• The 64-bit editions of the Windows 7 operating system
• The 86-bit editions of the Windows 7 operating system
• The Windows Server 2008 operating system
• The Windows Server 2008 R2 operating system
• The Windows Server 2012 operating system
• The Windows Server 2012 R2 operating system
• The 64 bit editions of the Windows 8 operating system
• The 64 bit editions of the Windows 8.1 operating system
• The 86-bit editions of the Windows 8 operating system
• The 86-bit editions of the Windows 8.1 operating system

Please note that there are some additional steps that must be performed when installing SCUP with Windows Server 2012  and Windows Server 2012 R2 Operating systems. The articles below provide more information on this.

System Center Update Publisher 2011 and Windows Server 2012: http://blogs.msdn.com/b/minfangl/archive/2012/12/01/system-center-update-publisher-2011-and-windows-server-2012.aspx

System Center Updates Publisher 2011 and Windows Server 2012 R2: http://blogs.msdn.com/b/minfangl/archive/2014/01/29/system-center-updates-publisher-2011-and-windows-server-2012-r2.aspx

Installation

Download location: http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11940

After downloading the installation file, simply run it and follow the steps in the Setup Wizard.

Importing Update Catalogs

After installing SCUP, we first need to import the update catalogs. SCUP files are hosted on a vendors public server: For example, Adobe hosts their files at http://armmf.adobe.com/arm-manifests/win/SCUP/ and we will be using that for our example. Note that there will be two types of files:

CAB files: CAB files such as Acrobat10_Catalog.cab are the actual catalog.
XML files: XML files such as Acrobat10_Catalog.xml are a hash that can be compared to the cab file to check if the catalog has changed since it was last downloaded without having to download the catalog itself. It is optionally provided by the vendor so if no XML file is there SCUP will simply download the catalog each time to see if it has changed.

Once you have located and downloaded the appropriate update catalogs, open the SCUP Import Software Updates Catalog Wizard and select the Import Type option. Specify the path to the CAB files you downloaded.

Once the path is specified, the import will progress and ask for a catalog validation which should be accepted (this is based on the signature of the cab file). After successful import, we should see Adobe Flash Player and Adobe Reader (per our example) as shown in the figure above.

When working with updates it is also useful to understand the differences between quarterly updates, out of cycle patches, and the possible file types. While SCUP catalogs provide a way to automate installs, you should understand what gets installed and why. For example, Acrobat updating always involves installing every MSP update in order. Reader updates may involve quarterly MSI files that don’t require installing previous updates. See your software vendor for more details on how their updates are intended to be deployed.

Configuring SCUP

To configure SCUP, go to Options by clicking the left corner icon, then under Options specify the Update Server (your WSUS computer). While SCUP can be used with a CA issued certificate supplied in this dialog, for our example we will configure SCUP to sign patches with the WSUS Self-Signed Certificate (WSSC).

Note that SCUP can also be used with a CA issued certificate. This requires additional configuration when used with newer operating systems. There is a WSUS registry key that may need to be enabled in order to use self-signed certs and you can find out more on this in the article below.

WSUS no longer issues self-signed certificates:http://blogs.technet.com/b/wsus/archive/2013/08/15/wsus-no-longer-issues-self-signed-certificates.aspx

Since the certificate we’ll be using is self-signed, we need to add it to the Trusted Publishers and Trusted Root Certification Authority via the certificates mmc. Note that although we’re using a self-signed certificate in our example, non-self-signed certificates will also need to be added to Trusted Publishers.

Within the Certificates MMC you can simply copy and paste the certificate from one container to another, however if you’d rather go through the process of importing and exporting the certificate as a file then the steps to do so are below.

First, open the WSUS container and right-click to export the certificate.

Save it with a .CER extension.

Next, go to Trusted Publishers and Trusted Root Certification Authorities and import the certificate.

Now that our certificate is imported and our Update Server is configured, we need to configure the ConfigMgr server. Under Options, select ConfigMgr Server, then enable integration and specify the Central site server that syncs with the WSUS computer as demonstrated below. Note that this is optional and used primarily to support the Automatic option during the publishing process.

Publishing Updates

Be aware that if no prerequisite rules are defined in an update, it will evaluate to true (or prerequisite rules passed) when scanned.  However, if no applicability rule is defined it will evaluate to false, meaning the update will never be applicable.  If an Installed Rule is not defined then the update cannot be published. While the WSUS generated MSP installable rule will be present, additional detection logic could be added by using AND/OR logic, and even a new rule could be created.

Next set up Installable Rules to check whether this device needs the update or not, then configure an Installed Rule to check whether this update is already installed.

Now to publish the updates to the WSUS server, complete the steps below.

1. Right-click on the update and select the Publish option. Here we are publishing the Reader 11.0.08 Update.

2. In our example we will select the Full Content option to deploy this through Configuration Manager. Note that here is where we find the Automatic mode mentioned earlier.  This Automatic mode requires ConfigMgr integration to work, however with the Full Content option no ConfigMgr integration or configuration is required from within SCUP tool.

3. Click Next and it will ask for content validation which should be accepted.

4. Once the wizard completes successfully, click Close.

If the wizard generates errors or fails, check the scup.log file for additional information. The scup.log is present in %Appdata\local\temp%.

Below is an example from a Scup.log during publishing of updates.

If you try to publish an update that is already published then it will skip the update and will not re-publish it again (unless it has been changed since it was last published). For example, here I re-published the Reader 11.0.01 Update:

Once published, make sure that you run a sync from the Configuration Manager console after selecting the right product and classification. You need to sync once to get the products into the SUP configuration, then you can select the 3^rd party updates in the SUP configuration and sync again to have them show up in the console.

When the sync runs, you can track the progress in Wsyncmanager.log to verify the import of the updates into ConfigMgr.

To view the updates, select Add Criteria and select the corresponding vendor. Sometimes Adobe is listed multiple times because the name does not always conform to “Adobe Systems, Inc.

When the updates have been successfully imported into WSUS, you can see the location of the updates in C:\WSUS\WSUS content\ and the dependencies will be WSUS\Update services packages.

The following SQL query gives the list of locally published updates in WSUS. This could be useful to check whether the update is correctly published into the SUSDB.

SELECT [UpdateId] , [DefaultTitle] , [ArrivalDate]
FROM [SUSDB].[PUBLIC_VIEWS].[vUpdate]
WHERE UpdateId IN (select UpdateId from tbUpdate where IsLocallyPublished = '1')

If content is missing in the WSUS Content share (Update services packages folder) for an update that is previously published, simply republishing the update is insufficient as this will not re-download the content. Instead, get the update ID of the update from the query above as shown below.

Preparing the Clients

The next task is to configure the proper certificate on the clients so that they can receive and install the updates. Since we used a WSSC (WSUS self-signed certificate) on the update server, we need to transfer the WSSC to the client’s certificate store as well. This can be done manually by importing the certificate directly on the client via the MMC, or you can distribute and install the certificate on multiple clients using a software distribution package. You may also have to include the WSSC in the Trusted Root Certificate Authorities node as well, which can be done with easy adjustments to the package if needed.  Be sure and test first to determine exactly what is needed for your environment.

Only the WSUS service needs the private key as it is the service that signs the content that will eventually be deployed to clients and the WUA must trust the signer. It would also be inadvisable for the certificate trusted by all of the clients in an organization to have the private key deployed since that could potentially allow administrative users to access the private key and sign content.

Once the clients have the proper certificates, we then only need to configure a group policy allowing the updates. To do this, open the Group Policy Object Editor MMC snap-in and select the domain or OU where you’d like the policy applied, then expand Computer Configuration–> Administrative Templates–> Windows Components and select Windows Update. In the results pane, right-click Allow signed content from intranet Microsoft update service location, click Properties, click Enabled and then click OK.

When complete, once Group Policy refreshes on the clients they will be ready to accept updates.

Deploying Updates

To deploy an update, open the ConfigMgr console and right-click on the update to download and create a deployment package, then distribute it to the required Distribution Points.

Next, specify the download location from which the contents should be downloaded.

In general, we can't choose a network location on this. When the update is imported into WSUS it has the "Internet"  download location as the local WSUS server rather than the adobe website. We do this since we sign the package and place it into the WSUS content directory. The signing of the content is done with that certificate that was created for SCUP during the configuration, hence we choose download from Internet rather than the network location.

If you run into failures while downloading, you can check the patchdownloader.log file which will be present in user profile%\AppData\Local\Temp% for more details.

In most cases this is caused by proxy or firewall settings so be sure to check the LAN settings and configure your proxy/firewall accordingly.

Example from Patchdownloader.log:

After creating the package, deploy it to your ConfigMgr collections like you would any other normal update.

Additional Resources

The resources below blogs guides better to install and configure SCUP.

How to install SCUP and configure: http://blogs.technet.com/b/sudheesn/archive/2012/05/04/3474025.aspx

How to setup SCUP and ConfigMgr 2007 to deploy custom updates: http://blogs.technet.com/b/jasonlewis/archive/2007/11/30/how-to-setup-scup-and-configmgr-2007-to-deploy-custom-updates.aspx

Getting Started with System Center Updates Publisher 2011: http://technet.microsoft.com/en-us/library/hh134747.aspx#OSandSoftware

Updates Publisher 2011: http://technet.microsoft.com/en-us/library/hh134742.aspx

About System Center Updates Publisher: http://technet.microsoft.com/en-us/library/bb632895.aspx

System Center Updates Publisher 2011: http://technet.microsoft.com/en-us/library/hh134742.aspx

The following links will help in troubleshooting issues with SCUP

Custom catalogue in SCUP: http://blogs.msdn.com/b/minfangl/archive/2012/01/18/system-center-update-publisher-2011-troubleshoot-series-1-updates-cannot-be-synced-to-configuration-manager.aspx

Installable and applicability rules in SCUP:http://blogs.msdn.com/b/minfangl/archive/2011/10/26/troubleshoot-detection-logic-issue-for-updates-created-by-system-center-update-publisher-2011.aspx

What’s the difference between Prerequisite, Applicability and Installed Rules?http://blogs.technet.com/b/jasonlewis/archive/2007/08/02/what-s-the-difference-between-prerequisite-applicability-and-installed-rules.aspx

Adobe Updates on x64: http://sms-hints-tricks.blogspot.in/2010/07/adobe-updates-on-x64.html

Deploy Adobe Acrobat Updates:http://sms-hints-tricks.blogspot.in/2009/05/deploy-adobe-acrobat-updates.html

How to Expand WSUS Updates: System Center Update Publisher (SCUP): http://www.petri.com/expand-wsus-updates-system-center-updates-publisher-scup.htm#

Subbulakshmi Kumar | Support Engineer | Microsoft GBS Management and Security Division

Get the latest news and tech tips onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

On Microsoft System Center 2012 Configuration Manager (ConfigMgr 2012) sites that have many Standard or Pull distribution points, installing or upgrading all distribution points may take longer than expected. This can occur if the Distribution Manager component cannot create additional threads for the installation or upgrade process.

Additionally, you will receive messages that resemble the following in the Distmgr.log file:

DP upgrade processing thread: No more available threads left to process any more upgrade distribution point notification. Will wait for existing distribution point upgrades.

If you receive this message repeatedly, you can reduce the overall time that is required to complete the process by increasing the number of processing threads.

For complete details please see the following:

KB3025353 - Distribution point installations or upgrades may take longer than expected in System Center 2012 Configuration Manager (http://support.microsoft.com/kb/3025353)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

~ Scott Rachui | Support Escalation Engineer

Recently I worked with a customer who was using System Center 2012 Configuration Manager (ConfigMgr 2012) and having a significant problem with queries that were running slowly and having a noticeable impact the performance of his SQL Server.  While working the issue, a Microsoft SQL Server support engineer was engaged to help identify what was causing the impact. During the course of that case I learned a lot about SQL Server locks and blocks so I thought I would take a minute and share some of that knowledge in case you find yourself in a similar situation.

When we first engaged the SQL engineer, his first action was to check for “locks and blocks” to see if this might be the source of the customer’s problem.  Because I was not entirely familiar with what this meant at the time, I did some research into the topic to be prepared when I might need this information in the future. One of the resources I came across, which inspired me to write the article below with an emphasis on Extended Events, is Don Jones’ excellent book Learn SQL Server Administration in a Month of Lunches.  There are an awful lot of technical books on the market but I’ve only encountered a few that are easy to understand and also quite enjoyable.  For those of you who have read any technical documentation in your career, you know what a rare gift it is to be able to teach technical topics in a way that’s understandable and interesting at the same time.  At the outset, I wanted to mention Don’s book and recommend it highly to anyone who has even a passing interest in working with Microsoft SQL Server technologies.  In my opinion, you won’t find a better place to start.

Overview

As a ConfigMgr admin there are times when it may be necessary to determine why Configuration Manager is responding more slowly than normal.  One possibility when conducting this analysis is a slowdown on SQL Server itself, and in this article I’ll talk briefly about one reason SQL might become non-responsive and how to identify what’s going on.

SQL Server is designed so that multiple processes can read data from a database table simultaneously in most cases, but when it comes to updating those same tables with new data (e.g. inserting new information, deleting rows, etc.), SQL needs to take precautions so that only one process at a time can do this.  For example, if I have a database table called Employees, it is acceptable for multiple applications to read that table simultaneously to find out what someone’s address or phone number might be.  But if one of those applications needs to change the phone number of a person in that table, it’s important that no other applications are trying to change that same data at the same time.  To ensure this exclusive access when writing changes to the table (or any other portion of the database), SQL Server “locks” the portion of the database being changed until that change has been completed.

Typically, changes written to the database occur so fast that it’s not noticeable by users, however sometimes if a SQL statement needs to access a large number of tables or is highly complex, there may be a delay for other processes trying to access those same tables.  For example, a poorly written query that requires exclusive access to a number of tables in a database can noticeably bog down a SQL server and prevent other applications from completing their tasks in a timely manner.  Given the degree to which ConfigMgr depends on SQL, it is important for the ConfigMgr admin to have at least a basic understanding of locks and how to identify them.

Transactions Defined

TechNet defines a transaction as “a sequence of operations performed as a single logical unit of work”.  When a process accesses a SQL database, it does so in logical units of work, and this often involves interacting with multiple tables. For example, updating the status of a package delivered through ConfigMgr would need to potentially update multiple tables all within the same transaction.  Depending on the complexity of a transaction, different portions of the SQL database, up to and including the entire database, may be involved.

One of the reasons that things happen in the context of a transaction is consistency of the database.  If a process is updating multiple tables with new information but that update fails, it’s important to keep the update from being placed in some of the tables while it fails in others.  For this reason, the transaction will ensure that the data is either updated in all of the tables or in none of them.  In other words, if one of the update operations fails, all of them fail.  This is known as an explicit transaction.

The important thing to understand about transactions is that these represent single units of work.  Depending on the extent and complexity of the transaction, the portion of the database impacted by the transaction may be quite large and may encompass the entire database in some circumstances.  To ensure no other changes are being made to the portion of the database the process is updating, SQL allows processes to lock that portion of the database.  This grants the process exclusive access to make its changes.  Depending on the type of lock, that may mean that other processes can’t even read data from the “locked” tables until the transaction is finished.

Understanding SQL Locks and Deadlocks

There are different types of locks used by applications when modifying data in a SQL database.  These lock types describe the varying levels of isolation used during database modifications, which determines how exclusive is the access to the selected portion of the database. These lock types are enumerated in a good article found here.  Briefly, the types of locks include:

• Shared– These locks do not change data.  When a shared lock exists on a resource, no other transactions can modify this data.  Shared locks allow for multiple transactions access to the resource.  SELECT statements use shared locks.
• Update– This type of lock is used to prevent deadlock conditions (explained below).  If a transaction needs to update a resource, it requires exclusive access to that resource to ensure no competing process is making changes at the same time.  Update locks are used to prevent problems when two resources are attempting to make updates to the same resource
• Exclusive– This type of lock prevents access to a resource by other processes.  An exclusive lock is used when a process is updating information in a SQL database, and during that update it prevents other processes from making changes to the locked portion of the database.  Depending on what the transaction is doing, this may be a row in a table, an entire table, or even an entire database

Deadlocks

Deadlocks are a special type of lock, and they can occur when two processes are attempting to make updates to resources that the other has locked.  For example, if Process1 has locked ResourceA and needs to make changes to ResourceB, it will attempt to lock the portion of the SQL database contained in ResourceB.  But what if Process2 has already locked ResourceB and is waiting to update ResourceA at the same time?  In this case, Process1 won’t release ResourceA until it completes updating ResourceB, and Process2 won’t release ResourceB until it finishes updating ResourceA.  This is known as a deadlock, and the use of Update locks are an attempt to work around this problem.

Identifying Locks

When dealing with SQL performance issues, taking time to ensure there are no locks preventing other processes from completing is a good idea.  While it’s possible to get some basic information on locks by reviewing Perfmon (specifically the SQL Server: Locks object), for more robust data we want to use Extended Events

Extended Events

Extended Events is the logical heir to SQL Profiler which we’re told will eventually be deprecated (no time soon, but better to get a head start!).  Part of the reason for this is the heavy overhead that SQL Profiler brings, making it useful only for real time troubleshooting.  By contrast, Extended Events has a lower overhead and can be run persistently, generating event data that can be written to memory or even reports for later viewing.

To start with, Extended Events comes with a couple pre-configured sessions.  In order to see these, open SQL Server Management Studio and navigate to the Management\Extended Events folder and expand Sessions.  When you do this, you should see the AlwaysOn_health and system_health sessions as shown in the screenshot below:

The sub-containers under each of these sessions is explained below:

• Event_File – When you see event_file this indicates the session is configured to send its results to a file that can be reviewed later as needed.  The default location for these files (though you can specify your own location for sessions you create) on my lab computer is C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log.
• Ring_Buffer – This option holds events in memory on the SQL Server itself.  It is intended to maintain a recent history of events that can be accessed from memory rather than opening and reviewing an event file.

To view events stored in a ring bugger, click on the appropriate entry under the desired session (in my case package0.ring_buffer).  This will open a result window as shown In part) below:

To look at the actual data resident in memory for this session, click the link and a new query result window will open up showing in XML format.  Below is an example of data collected by the system_health session in my lab:

AlwaysOn_health and system_health sessions are useful, but since we’re interested in finding out about the behavior of locks on our SQL Server, let’s turn our attention to what Extended Events offers in that area.

Investigating Locks with Extended Events

Because there is no default session for SQL locks, we need to create a new one before we can gather data.  Right-clicking on the Sessions container reveals two options for us: We can either choose to create a new session manually or we can invoke the New Session Wizard.  While either option is possible, we’ll choose the New Session Wizard.

In the first screen of the wizard we can see that we need to select a name for the session.  I have chosen to call this SQL Locks but the name is ultimately up to you.  I would just encourage you to use a name that’s easy to identify later on, especially if you do a lot of work with Extended Events and end up with many different sessions.  You can also choose whether to start this particular session when the server starts up.  While this might be useful for some sessions like system_health, it probably isn’t needed for the present session so we’ll leave it unchecked.

In the second window of the wizard, we can choose whether to use a template or not.  As you can see, the default template listed is ‘Count Query Locks’.  For our purposes since we want to have full control over which events we’ll add, we will choose ‘Do not use a template’ and select ‘Next’.

In the ‘Select Events to Capture’ screen, we initially see a list of every event that is part of Extended Events.  For our present purposes we care about events related to SQL locks, so we’ll type the word ‘locks’ into the Event library window.  This will filter the events to return only those related to SQL locks as shown below:

By clicking on each specific event, a description of the purpose of the event will appear at the bottom of the screen so you can be certain you are selecting the specific events you care about.  There are a number of interesting events related to locks that we might choose from.  A sampling of these are described below:

• Lock_acquired – This occurs when a lock has been acquired against a particular object (or objects) in the database.
• Lock_cancel – This occurs when a request for a lock is canceled.
• lock_escalation – This occurs when a lock is escalated (for example, from locking a single row in a table to locking the entire table).
• lock_released – This occurs when a lock is released by a process.

Depending on what you’re doing, different events may provide the data you need.  In our case, we care about which processes might be blocking others, and thus slowing SQL down, so for this purpose we want to look at the blocked_process_report.

We add this by selecting the event and moving it to the Selected events window as shown below:

Note that when adding an event, certain event properties known as fields are included automatically as shown below.  Other fields can be added on the following page to supplement this list.

Once we have selected our events, choose Next.  At this point we can select the additional fields of the event that we want to capture.  As can be seen below, there is a very broad list to choose from:

Depending on the specific information of interest, it may not be necessary to add any additional fields.  The additional fields that might make sense are database_name and sql_text, which I’ve selected above.  Once any additional fields have been chosen, select ‘Next’.

On the next screen is the opportunity to filter events, if needed, based on clauses.  This limits the extent of the data and can help to screen out some of the background noise that might otherwise result.  For the purposes of this example, no filters will be added.

On the next screen is the opportunity to specify where the data collected by the session will be stored, as shown by the screen below:

The options available are:

• Save data to a file for later analysis – Using this option allows you to set the file location for where the events will be stored (the file will be stored in a .xel format).  You can specify both the maximum size of a single .xel file as well as how many of these files will be created, so a max size of 1 MB x 10 files = 10 MB of space must be available.
• Work with only the most recent data – This option stores events in memory on the SQL server.  The amount of space allocated to store these events by selecting the maximum buffer memory size.  It’s also possible to specify the maximum number of events to store. As the screenshot says, 0 means unlimited.

If both options are selected, events will be retained in memory (ring_buffer) and will also be written to a .xel file (event_file).  Once these options have been configured, select Next.  At this point, the wizard will complete and you are given the option of starting the session if it was not configured to start automatically.

You can choose to watch live events by right-clicking the session and choosing ‘Watch Live Data’ as shown below.

Once there is some information to review, you can also navigate to the location of the .xel file(s) and double-click them to review what has been saved to file.

Testing the Extended Events Session

Creating the session to show SQL locks is one thing, but how do you know if it’s working as designed?  In a production environment with a lot going on this may not be difficult, however in a test lab (and you should always test things in a lab before deploying them to production), there might not be enough traffic to generate the necessary data to confirm you’ve set things up correctly.

Thankfully, it’s easy to set up a lock condition so that the Extended Events session can be tested.  To do this, I used the following procedure in my lab:

1. Configure the desired threshold for reporting on blocked processes.

2. I opened two separate sessions of SQL Server Mgmt. Studio on two separate lab machines, both pointing to my test database.

3. On one machine, I configured a SQL statement that would take an extended period of time and would lock the table with which it was interacting.

4. On the second machine, I configured a simple query against that same table.

5. I ran the first SQL statement from the first machine which locked the table.  While the first statement was still running, I then ran the simple query on my second machine

To illustrate this a bit better, here are the steps I used in a bit more detail.  These steps assume the Extended Events session to detect locks has been configured and is running.

Configuring the Blocked Processes Threshold

To test the Extended Events session in a lab, it’s usually necessary to configure a very brief threshold before a process is considered to be blocked.  This is known as the ‘blocked process threshold’ and it’s configured by modifying the sp_configure stored procedure.

In my lab, I set a 1 second timeout as follows:

This script can be found on the MSDN website here.

Machine 1: Establishing the Lock

On Machine 1, I opened SQL Server Mgmt. Studio, pointed to the BigCompany database (which I created for this test) and selected ‘New Query’.  To create the locked condition, I created the following SQL script in the query window:

To run this, I had previously created a test database called BigCompany and populated it with a table called Employees.  The script above does the following:

• Declares a variable called @num and configures it to accept integer values.
• Sets the initial value of @num to 1.
• Establishes an isolation level of ‘serializable’ which prevents other queries from touching the Employees table while this script ran.
• Created a While/End loop to update a value with the same information, essentially replacing it with a value that’s already present so the data in the table is never modified, 200,000 times.  This causes the script to run long enough for me to run the query from Machine 2 and see that the table is locked.
• Incremented the value of @num by one each time through the While/End loop. Otherwise I’d end up in an infinite loop.
• Finally, I rolled back the transaction so no change is ultimately made to the table.

Machine 2: Querying the Employees table while it is locked

The second step is fairly simple.  I set up SQL Server Management Studio on Machine 2, opened a New Query and ensured I was pointing to the BigCompany database.  While the SQL script above was running, I ran the following query from Machine 2:

The result was to see this query delayed while the script above ran, illustrating that the Employees table was, indeed, locked.  Once the script was finished, the query completed successfully.

When the query finishes, navigate to the location where the report is stored (in my lab, this was C:\Extended Events – SQL) and look at the .xel file that was created.  By double-clicking it you will get a view similar to the following:

To review details about the report, select one of the entries and double-click the ‘blocked_process’ value.  This results in an XML report being displayed as follows:

By reviewing this report, you can see very quickly which is the blocked and which is the blocking process.  First, here is the blocked process:

This is the query we ran from Machine 2, as we’d expect.  Further down the same report we also see which process is doing the blocking:

This validates that what we have configured in Extended Events does return the data we want.  Obviously, when you deploy this in production you’ll want to set a different threshold for reporting on your blocked processes (1 second should really only be used in your test lab).  But when you deploy this, you should have a nice report that allows you to capture this important information.  And the best part is that you can run it automatically without the overhead required by SQL Profiler.

Summary

There are many ways to troubleshoot blocked processes in SQL.  This article has been written to show how this can be done using Extended Events.  We are told that Extended Events will be replacing SQL Profiler in the future, so it’s a good idea to become familiar with it.

Hopefully you won’t have to deal with blocked processes on a regular basis, but if you do this tool should give you a good way to identify what’s going on so the issue can be remediated.

Scott Rachui | Support Escalation Engineer| Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

~ Karan Rustagi | Support Escalation Engineer

This article discusses the process of configuring settings that are not configurable through the available Configuration Manager user interface (ConfigMgr 2012 R2). I’ll be using the method discussed here to manage the settings on mobile devices. If you want to see the complete list of policies that can be set on a device, read the Windows Phone 8.1 MDM protocol documentation at http://technet.microsoft.com/en-us/library/dn499787.aspx (Page 134-143)

In this example I am going to disable Cortana on a WP 8.1 device.

Step 1 - Create a Configuration Item:

Step2 - Configure additional settings:

Step 3 - Add a setting:

Step 4 - Create a custom setting:

Step 5 - Enter the details:

Setting type: OMA-URI

Data Type: Integer

OMA-URI: ./Vendor/MSFT/PolicyManager/My/Experience/AllowCortana

Step 6 - Search for newly created setting in previous step and select it:

Step 7 - Create a rule and enter a value of 0 to disable Cortana:

Step 8 - Configure supported platforms and complete the wizard:

Step 9 - Create a baseline and add the Configuration Item created in Step 1:

Step 10 - Deploy the Baseline created in Step 9 to a User collection. Do not forget to check the option ‘Remediate noncompliant rules when supported’.

Wait for Windows Phone to pull policies from Intune, or alternatively you can pull them manually via Workplace. Cortana should now be disabled.

Some other example policies:

System/AllowUserToResetPhone : Specify whether allow the user to factory reset the phone from setting control panel and hardware key combination.

Experience/AllowManualMDMUnenrollment : Specify whether allow the user to delete the workplace account via workplace control panel. The MDM server always could remotely delete the account.

Additional reading: http://blogs.technet.com/b/configmgrteam/archive/2013/07/10/compliance-settings-and-company-resource-access.aspx

Karan Rustagi | Support Escalation Engineer| Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Just a quick note about a ConfigMgr 2012 hotfix we recently released. There’s an issue in Configuration Manager 2012 where multiple applications in a dependency chain may not install after the ConfigMgr client begins computer restart. This only affects software that is deployed by using Application Management.

For additional details including the cause and a link to a hotfix that resolves this issue, please see the following:

KB2989523 - Applications may not install after a computer restart in System Center Configuration Manager (http://support.microsoft.com/kb/2989523)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Consider the following scenario:

- An administrator tries to import drivers into ConfigMgr 2007 or ConfigMgr 2012.

• - The site server is running Windows Server 2008 R2.
• - The drivers are signed.

In this scenario, the drivers may be imported successfully, but they may be displayed as unsigned in the Configuration Manager console. You can see this through either of the following methods:

• Navigate to the Software Library -> Operating Systems -> Drivers node in the System Center 2012 Configuration Manager console. When the Signed and Signed By columns are added, the Signed column for the imported drivers displays No, and the Signed By column is blank.
• When you inspecting the Properties of the imported drivers in the Software Library -> Operating Systems -> Drivers node of the System Center 2012 Configuration Manager console, Digital signer field on in the General tab displays Unsigned.

For all the details and a resolution, please see the following:

KB3025925 - Signed drivers are displayed as unsigned in System Center Configuration Manager (http://support.microsoft.com/kb/3025925)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/

Consider the following scenario:

- An administrator tries to import drivers into ConfigMgr 2007 or ConfigMgr 2012.

• - The site server is running Windows Server 2008 R2.
• - The drivers are signed.

Error: Some driver(s) cannot be imported successfully. See the following details.
Error: Failed to import the following drivers:
<Driver> - The selected driver is not applicable to any supported platforms.

For additional details as well as a resolution, please see the following:

KB3025419 - Can't import drivers into System Center Configuration Manager (http://support.microsoft.com/kb/3025419)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/

~ Subbulakshmi Kumar | Support Engineer

I was recently working with a customer who found that he was unable to download third party updates from System Center 2012 Configuration Manager (ConfigMgr 2012) when the WSUS content was on a DFS share. The 3rd party updates could be successfully published to it via System Center Update Publisher (SCUP) but when he tried to download them it would fail.

He also found the following errors in patchdownloader.log:

HttpSendRequest failed HTTP_STATUS_NOT_FOUND Software Updates Patch Downloader
ERROR: DownloadContentFiles() failed with hr=0x80070194 Software Updates Patch Downloader

The reason this was happening was because the download was using the Network Service account for authentication, and the Network Service account does not have permissions to the DFS share (which is by design).

If you happen to come across the same problem, to work around this simply change the access authentication to a specific user (or group) on the DFS share in the content virtual directory of the WSUS site in IIS, then give permissions to that user (or group) on the DFS share. This allows the download to complete successfully.

Hope this helps!

Subbulakshmi Kumar | Support Engineer | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

When you remove a user who is assigned to a primary device in Microsoft System Center 2012 Configuration Manager Service Pack 1 (ConfigMgr 2012 SP1), all policies that are assigned to the device are removed. This issue occurs even when there are other users who are assigned to the device.

For additional details regarding this issue as well as a link to a Configuration Manager hotfix that resolves this issue, please see the following:

KB3011390 - Device policies are removed unexpectedly in System Center 2012 Configuration Manager SP1 (http://support.microsoft.com/kb/3011390)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/

Cumulative Update 4 (CU4) for ConfigMgr 2012 R2 is now available for download. For information on the issues that have been fixed as well as instructions on how to obtain the update, please see the following:

KB3026739 - Description of Cumulative Update 4 for System Center 2012 R2 Configuration Manager (http://support.microsoft.com/kb/3026739)

J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news onFacebookandTwitter:

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/