Information on the ConfigMgr 2007 client side process for Software Updates

November 4, 2010, 6:04 am

≫ Next: Implementing a Power Management Strategy with System Center Configuration Manager 2007 R3

≪ Previous: Error “The WebDAV server extension is either not installed or not configured properly” in Configuration Manager 2007

Image may be NSFW.
Clik here to view.I want to take a minute and walk through the process a System Center Configuration Manager 2007 client goes through when processing Software Updates but before we get into that I'd like to explain how to find information specific to a particular update in the client side log files. When viewing the logs on the client you need to reference the GUID that is assigned to each update. To view this GUID for all your updates you can go into the console and anywhere that updates are displayed in a list, right click on the column header (where it has Bulletin ID, Article ID, etc…) and select View –> Add/Remove Columns. You then have to select “Unique Update ID” in the left list and then select “Add”. Now select “Move Up” until the Unique Update ID is the first one in the list on the right. Now if you look at the console, you will see the GUID as the first column in the window, then find your update and you now have the GUID for that update. You can see the updated console display here:

Image may be NSFW.
Clik here to view.

Once you know the GUID for the update in question you can then relate this to the log entries that Software Updates creates. Sometimes they give you both the GUID and the Title of the update:

1. Update (Missing): Security Update for Windows XP (KB961501) (0d841d92-dcfd-42d0-99cc-da46abbfb86c, 101) WUAHandler 6/16/2009 7:35:32 AM

Sometimes they only give you the GUID:

Update 1 (0d841d92-dcfd-42d0-99cc-da46abbfb86c) finished installing (0x00000000), Reboot Required? Yes WUAHandler 6/16/2009 7:37:32 AM

And sometimes they like to hide the GUID in the string. You can find the GUID in this log entry by viewing the string after the “SUM_” section:

Update (Site_7B3DC51A-1366-4325-964D-0C375982148C/SUM_19986d1f-0652-4816-8d54-0add7d1d444c) Progress: Status = ciStateSubmitted, PercentComplete = 0, DownloadSize = 0, Result = 0x0

So the GUID for this update in this example is: 19986d1f-0652-4816-8d54-0add7d1d444c.

Now on to the process itself.

The Scanning Process:

The SCCM 2007 clients receive their WSUS settings as a local policy on the clients, so if there are any Group Policies that overwrite the local policy it causes issues with our scanning process. We get an error in the wuahandler.log stating that our policy has been overwritten by a higher authority as you can see here:

Group policy settings were overwritten by a higher authority (Domain Controller)

The registry keys where we set this can be seen in this exported registry file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"=http://WSUSServer.corp.com:80
"WUStatusServer"="http://WSUSServer.corp.com:80"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

These are the only keys that need to be set on the client, if they have any others then you need to check and make sure that they do not have any WSUS policies being applied from a previous WSUS implementation. When the client first looks for the existence of the keys it checks only for the “WindowsUpdate” key and not the values themselves. If the key is found, it will do a gpupdate to make sure that we have the latest policy is applied to the client. If for some reason the gpupdate will not complete on the client, we stop processing updates on the client.

When we get a scheduler event that tells us to kick off a scan cycle, or when we initiate the scan manually using the client UI we then query location services looking for our nearest SUP so that we can scan against it. You can see that log entry in the locationservices.log here:

Current AD site of machine is ADSiteName LocationServices 8/18/2009 8:22:05 PM
Created and Sent Location Request '{5B457934-72DA-4070-A23A-7F5B05423206}' for package {72B140EF-F84E-4AE9-91E2-7F3863634AAB} LocationServices 8/18/2009 8:22:05 PM
Calling back with the following WSUS locations LocationServices 8/18/2009 8:22:06 PM
WSUS Path='http://WSUSServer.corp.com:80', Server='WSUSServer.corp.com', Version='696' LocationServices 8/18/2009 8:22:06 PM
Calling back with locations for WSUS request {5B457934-72DA-4070-A23A-7F5B05423206} LocationServices 8/18/2009 8:22:06 PM

We then send up several state messages of type 501 up to the site server with the current scan state. We then create a state message of Topic Type 500 for each of the updates that are applicable to the machine. You can see the log entries for a manual scan here from the statemessage.log file:

State message with TopicType 501 and TopicId {72B140EF-F84E-4AE9-91E2-7F3863634AAB} has been recorded StateMessage 8/18/2009 8:22:06 PM
State message with TopicType 501 and TopicId {72B140EF-F84E-4AE9-91E2-7F3863634AAB} has been recorded StateMessage 8/18/2009 8:22:06 PM
State message with TopicType 500 and TopicId b94927af-f480-461b-8fe8-464636c33253 has been recorded StateMessage 8/18/2009 8:24:26 PM
State message with TopicType 500 and TopicId f38d0fed-3fc3-411e-a028-2ecce50f2c07 has been recorded StateMessage 8/18/2009 8:24:26 PM
State message with TopicType 500 and TopicId 95511f7c-4ffd-40e3-85d6-385abbe423db has been recorded StateMessage 8/18/2009 8:24:27 PM
State message with TopicType 500 and TopicId ecb8b318-95c6-4f6d-aa45-b15557f70ce2 has been recorded StateMessage 8/18/2009 8:24:27 PM
State message with TopicType 501 and TopicId {72B140EF-F84E-4AE9-91E2-7F3863634AAB} has been recorded StateMessage 8/18/2009 8:24:27 PM

You can find the reference to the Topic Types here: http://technet.microsoft.com/en-us/library/bb932203.aspx

You can also see the scan being kicked off by the windows update agent or WUA, in the windowsupdate.log file in the root of the windows directory. You know the scan is being kicked off by SCCM by seeing the ccmexec line in the log file as you can see here:

2009-08-18 08:41:57:000 1300 db0 Agent ** START ** Agent: Finding updates [CallerId = CcmExec]

The WMI entries related to scanning are below:

Root\ccm\softwareupdates\WUAHandler\CCM_UpdateSource (WSUS Server we scanned against)
Root\ccm\softwareupdates\updatesstore\CCM_UpdateStatus (Compliance State for each patch)

The Evaluation Process:

Clients receive notification that they need patches through the following policy:

Root\ccm\policy\machine\actualconfig\CCM_UpdateCIAssignment

Each CI corresponds to a particular Deployment that is targeted at the client.

There are three ways that we can initiate an evaluation cycle:

1. Scheduler kicking it off due to an expired CI (Deployment) Deadline or we have met our recurring scheduled time frame

2. We receive a policy that has an assignment of patches that has an expired deadline, in other words there is a deployment targeted at the client and the deadline for the deployment is passed when we receive it

3. We manually kick it off through the Client UI

Once we meet one of these conditions we then kick off the Evaluation Cycle. First thing we do is kick off a scan so that we get the current scan data. We then check each of the assignment CIs that are in our policy. We call the CIAgent thread to tell us what patches are included in the assignment. We compare this list against all the ones that we have listed as applicable in WMI. We then call the SDMAgent to know what binaries are included in the patch package. We then call Patch Downloader who works with CAS (Content Access Service) to find out if the files for the particular package exist in the local cache. If not then we create a Content Transfer job and hand the request off to CTM (Content Transfer Manager). CTM then makes a location services request to find what DPs that are viewable to the client have that package residing on them. Once we get this list back CTM then passes the download processing off to the DTS (Data Transfer Service). DTS determines what transfer protocol it is going to use either BITS or SMB, depending on the list that is returned from the Location Services request. DTS periodically reports back to CAS with the download status of the package. Once complete it sends a completion notice to CAS. CAS then returns success to Patch Downloader who then calls the Updates Deployment Agent to start the installation process.

The Installation Process:

If the policy states that updates can only be deployed during maintenance windows then Updates Deployment checks with Service Window Manager to determine if there are any maintenance windows defined for this client. If not, it then calls WUA Handler and Execution Manager to kick off the installation. If the client does have maintenance windows defined then it will work with the scheduler to set a trigger for the start of the maintenance window. You should see an entry in the UpdatesDeployment log that looks like this:

No current service window available to run updates assignment with time required = 1800 UpdatesDeploymentAgent 8/3/2009 3:09:02 PM
No service window available to run updates assignment UpdatesDeploymentAgent 8/3/2009 3:09:04 PM
This assignment ({F65FFEE2-6869-43F3-B86A-B1D293FE0D1B}) will be retried once the service window is available. UpdatesDeploymentAgent 8/3/2009 3:09:04 PM
EnumerateUpdates for action (UpdateActionInstall) - Total visible updates = 13 UpdatesDeploymentAgent 8/3/2009 3:21:20 PM
CUpdateAssignmentsManager received a SERVICEWINDOWEVENT START Event UpdatesDeploymentAgent 8/3/2009 7:00:00 PM
Attempting pending install assignment UpdatesDeploymentAgent 8/3/2009 7:00:00 PM
Starting install for assignment ({F65FFEE2-6869-43F3-B86A-B1D293FE0D1B}) UpdatesDeploymentAgent 8/3/2009 7:00:00 PM

Once the maintenance window trigger launches the client will look at the first patch that it is to install and see what the max run time is set to. It then takes that value and adds 15 min to it to allow for a reboot of the machine. If there is at least this long available until the expiration of the maintenance window, it will then install the patch. It will do this same calculation for each and every patch. By default the max run time for patches is set at 20 min and can be changed by bringing up the properties to the update in the console. If there is not enough time left in the maintenance window, it will then stop the install and wait until the next maintenance window is available.

Once the installation is completed we then pass off to the Update Store process who kicks off another scan so that we can update WMI with the latest state and then it creates the state messages that are sent up to the server with the updated installation compliance. There are five compliance states that a patch can be in on a client:

1. Installed
2. Needed
3. Not Needed
4. Soft Reboot (Reboot requested but we can still install other patches)
5. Hard Reboot (Reboot requested, we cannot install anything else until this is completed, not even other MSI installs)

On the Site server there is one more state and that is “unknown”. This state means that the server downloaded new metadata about a patch but that the client in question has not scanned for the patch and reported back to the site server with its compliance state.

You can see the entries in the logs for the installation status in the wuahandler.log like this:

1. Update (Missing): Security Update for Windows XP (KB961501) (0d841d92-dcfd-42d0-99cc-da46abbfb86c, 101) WUAHandler                6/16/2009 7:35:32 AM
2. Update (Missing): Cumulative Security Update for Internet Explorer 7 for Windows XP (KB969897) (38942b2d-e662-490b-8a67-d69bb73d28e3, 101)          WUAHandler        6/16/2009 7:35:32 AM
3. Update (Missing): Security Update for the 2007 Microsoft Office System (KB969679) (57adacc9-c673-40b7-a946-6671ab71ad23, 101)                WUAHandler        6/16/2009 7:35:32 AM
4. Update (Missing): Security Update for Windows XP (KB970238) (723b4632-b686-45b3-8aa5-6e638e598657, 101)               WUAHandler                6/16/2009 7:35:32 AM

You can then see the completion status and if the patch requires a reboot later in the wuahandler.log file:

Update 1 (0d841d92-dcfd-42d0-99cc-da46abbfb86c) finished installing (0x00000000), Reboot Required? Yes            WUAHandler                6/16/2009 7:37:32 AM
Update 2 (38942b2d-e662-490b-8a67-d69bb73d28e3) finished installing (0x00000000), Reboot Required? Yes        WUAHandler                6/16/2009 7:37:55 AM
Update 3 (57adacc9-c673-40b7-a946-6671ab71ad23) finished installing (0x00000000), Reboot Required? No           WUAHandler                6/16/2009 7:38:24 AM
Update 4 (723b4632-b686-45b3-8aa5-6e638e598657) finished installing (0x00000000), Reboot Required? Yes        WUAHandler                6/16/2009 7:38:28 AM

We then send up the state message for the one that did not require a reboot as you can see here in the statemessage.log file:

State message with TopicType 402 and TopicId Site_7B3DC51A-1366-4325-964D-0C375982148C/SUM_57adacc9-c673-40b7-a946-6671ab71ad23 has been recorded StateMessage 6/16/2009 7:40:45 AM

We then can see after the reboot the entries in wuahandler.log where it finished the install:

Update (0d841d92-dcfd-42d0-99cc-da46abbfb86c) has finished the post reboot operation. HResult: 0x00000000.   WUAHandler                6/16/2009 7:44:44 AM\
Update (38942b2d-e662-490b-8a67-d69bb73d28e3) has finished the post reboot operation. HResult: 0x00000000.                WUAHandler                6/16/2009 7:44:44 AM
Update (723b4632-b686-45b3-8aa5-6e638e598657) has finished the post reboot operation. HResult: 0x00000000.                WUAHandler                6/16/2009 7:44:44 AM

We then see in the statemessage.log file where we send up the state message for the patches that did require a reboot:

State message with TopicType 402 and TopicId Site_7B3DC51A-1366-4325-964D-0C375982148C/SUM_0d841d92-dcfd-42d0-99cc-da46abbfb86c has been recorded   StateMessage       6/16/2009 7:46:58 AM
State message with TopicType 402 and TopicId Site_7B3DC51A-1366-4325-964D-0C375982148C/SUM_38942b2d-e662-490b-8a67-d69bb73d28e3 has been recorded StateMessage       6/16/2009 7:46:58 AM
State message with TopicType 402 and TopicId Site_7B3DC51A-1366-4325-964D-0C375982148C/SUM_bbf29408-fe2d-4adb-b9da-af6245b16e42 has been recorded StateMessage       6/16/2009 7:46:58 AM

Additional Information:

If your Update Store in WMI on the client gets out of sync with what the server shows installed then you can run a script to resend a full compliance state using this link:

http://gallery.technet.microsoft.com/ScriptCenter/en-us/db05902e-dfa3-4401-87d6-1a93aea85642

Hope this helps,

Brian Shaw | Senior Support Escalation Engineer

Image may be NSFW.
Clik here to view. Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

↧

Implementing a Power Management Strategy with System Center Configuration Manager 2007 R3

November 8, 2010, 9:48 am

≫ Next: How To Expire Software Updates in System Center Updates Publisher And Synchronize the Expired Updates In Configuration Manager 2007

≪ Previous: Information on the ConfigMgr 2007 client side process for Software Updates

Image may be NSFW.
Clik here to view.Just an FYI that we published a great whitepaper on how to implementing an effective Power Management strategy with System Center Configuration Manager 2007 R3:

The purpose of this white paper is to describe how Microsoft IT (MSIT) successfully deployed Microsoft System Center Configuration Manager 2007 R3 to provide a centralized power management solution to 165,000 physical client desktop and laptop computers across the enterprise. The paper shows how Microsoft IT leveraged System Center Configuration Manager 2007 R3 to implement a cohesive power management strategy that takes full advantage of the native power management features integrated into products such as Windows® 7, Windows XP, and Windows Vista®.

You can get all the details and download the whitepaper here.

J.C. Hornbeck | System Center Knowledge Engineer

Image may be NSFW.
Clik here to view. Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

↧

How To Expire Software Updates in System Center Updates Publisher And Synchronize the Expired Updates In Configuration Manager 2007

November 8, 2010, 11:01 am

≫ Next: How to troubleshoot Advanced Client Push Installation issues in Systems Management Server 2003 and System Center Configuration Manager 2007

≪ Previous: Implementing a Power Management Strategy with System Center Configuration Manager 2007 R3

Image may be NSFW.
Clik here to view.Looks like our very own Fei Xia on the ConfigMgr 2007 Sustained Engineering team wrote up a great blog post on how to expire Software Updates in System Center Updates Publisher and synchronize the expired updates in Configuration Manager 2007. If you've ever struggled with this or wanted to know more about how it works then this one is for you:

System Center Updates Publisher (SCUP) helps users to publish their private updates to Windows Server Update Services (WSUS) and synchronize the updates in Configuration Manager 2007. Typically users synchronize these updates with WSUS by clicking "Run Synchronization" in the Configuration Manager console. This manual synchronization process does not synchronize the "Expired" flag from WSUS to Configuration Manager, so when you want to expire an update by using SCUP and then run the manual synchronization, the log (SMS\logs\wsyncmgr.log) would read "No changes made to the SMS database" as follows:

Image may be NSFW.
Clik here to view.

This behavior occurs because the manual synchronization process does not synchronize the expired flag for an existing update, which is only performed by the scheduled synchronization process. Use the following workaround to synchronize expired software updates by using a scheduled synchronization.

To continue reading see Fei Xia's post here.

J.C. Hornbeck | System Center Knowledge Engineer

Image may be NSFW.
Clik here to view. Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

↧

How to troubleshoot Advanced Client Push Installation issues in Systems Management Server 2003 and System Center Configuration Manager 2007

November 9, 2010, 7:04 am

≫ Next: Configuration Manager v.Next Beta 2 TAP nominations are now open

≪ Previous: How To Expire Software Updates in System Center Updates Publisher And Synchronize the Expired Updates In Configuration Manager 2007

Image may be NSFW.
Clik here to view.I just wanted to let everyone know that we recently updated Knowledge Base article 925282 to include System Center Configuration Manager 2007. In all honesty it always applied but before now we really didn't make that entirely clear, so if you've seen the article before the contents are largely the same it just now applies to the ConfigMgr 2007 as well. Considering how many potential client install issues this article resolves you really should have it filed away for easy reference.

Enjoy!

KB925282 - How to troubleshoot Advanced Client Push Installation issues in Systems Management Server 2003 and System Center Configuration Manager 2007

J.C. Hornbeck | System Center Knowledge Engineer

Image may be NSFW.
Clik here to view. Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

↧

Configuration Manager v.Next Beta 2 TAP nominations are now open

November 9, 2010, 8:36 am

≫ Next: New KB: Asset Intelligence custom labels do not get replicated to child sites in System Center Configuration Manager 2007

≪ Previous: How to troubleshoot Advanced Client Push Installation issues in Systems Management Server 2003 and System Center Configuration Manager 2007

Image may be NSFW.
Clik here to view.Looking to get a head start on System Center Configuration Manager 2012 (aka Configuration Manager vNext)? If so then you'll be happy to know that nominations for the ConfigMgr 2012 Beta 2 Technology Adoption Program (TAP) are now open. Even if your organization applied for the Beta 1 TAP and didn't get accepted you should go ahead and complete the new Beta 2 TAP survey anyway. This will ensure your nomination is reviewed with your latest status, deployment levels etc.

Interested but not sure what Microsoft's TAP is all about? There's a pretty good description of the Technology Adoption Program here.

You can find the nomination for the ConfigMgr 2012 Beta 2 TAP here.

J.C. Hornbeck | System Center Knowledge Engineer

Image may be NSFW.
Clik here to view. Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

↧

New KB: Asset Intelligence custom labels do not get replicated to child sites in System Center Configuration Manager 2007

November 11, 2010, 7:48 am

≫ Next: Best practices for catalog authoring in System Center Updates Publisher (SCUP)

≪ Previous: Configuration Manager v.Next Beta 2 TAP nominations are now open

Image may be NSFW.
Clik here to view.Newly created custom labels are present in the System Center Configuration Manager 2007 central site however they do not show up on child sites. You do not see any replication related issues in any of the logs and the AIKBMGR.LOG does not show that an attempt is being made to replicate these objects. You may also see a message similar to the following in the AIKBMGR.LOG:

0 changes in range [0x00000000043744F8-0x000000000265AC79]

Note that the left HEX value in the range above is greater than the HEX value on the right. Also, whenever you make a change and a new message is generated, the right HEX value changes but is still smaller than the left HEX value.

Cause

This can occur if the column "KeyValue" is set to an incorrect HEX value for the column "KeyName" where KeyName is "Replication" in the AI_Generic table.

Resolution

To resolve this issue, follow the steps below:

1. Create a test custom label.
2. Open SQL Management Studio and connect to the central site's SQL server.
3. Run the following query on the Central Site's database:

select * from LU_Category_Local where type=2
4. Check the entry there for the custom label you just created. Note the value for the rowversion column for this entry.
5. Run the following query to correct the AI_Generic table.

Update AI_Generic Set KeyValue = '<HEX value from the first SQL query>' where KeyName='Replication'

6. Now, for each of the custom labels which need to be replicated from the central to the child site just add a description in their properties.
7. Once all the required changes have been made, wait for a couple of minutes and then restart the SMS Executive service.
8. Monitor the AIKBMGR.LOG and you should see messages similar to the ones below indicating successful replication of these objects:

Successfully replicated SMS Object Asset Intelligence batched data{00ff83ae-6df4-408f-ad4d-4f98ce7c5be2}, ReplVarFileName:D:\PROGRAM FILES\MICROSOFT CONFIGURATION MANAGER\inboxes\AIKbMgr.box\10x5bpkx.TMP
Successfully replicated to all sites. Object - ID= Asset Intelligence batched data{00ff83ae-6df4-408f-ad4d-4f98ce7c5be2} - Name= Asset Intelligence batched data{00ff83ae-6df4-408f-ad4d-4f98ce7c5be2}

Once you start seeing these messages in the log you can be sure that the custom labels are now getting replicated. In order to confirm this, just open the ConfigMgr 2007 console on the child site and refresh the custom labels section.

=====

For the latest version of this article see the link below:

KB2460008 - Asset Intelligence custom labels do not get replicated to child sites in System Center Configuration Manager 2007

J.C. Hornbeck | System Center Knowledge Engineer

Image may be NSFW.
Clik here to view. Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

↧

Best practices for catalog authoring in System Center Updates Publisher (SCUP)

November 16, 2010, 6:46 am

≫ Next: The ConfigMgr 2007 Documentation Update for September 2010 is now available

≪ Previous: New KB: Asset Intelligence custom labels do not get replicated to child sites in System Center Configuration Manager 2007

Image may be NSFW.
Clik here to view.If you're looking for some guidance and best practices on how to author and maintain high quality System Center Update Publisher (SCUP) catalogs then you're at the right place. Our very own Jason Lewis has created an authoring guide that will answer just about every question you could have including:

"When should I modify my existing update or create a new one?"
"When should I remove an update from my catalog (and/or SCUP)"?
"Should I use prerequisite rules?"

And many more.

Jason Lewis is a Program Manager (PM) on the System Center Configuration Management Team at Microsoft and has been with the team for over 5 years so you're know you're getting this from a true SCUP expert. For all the details and to download his authoring guide see the following:

SCUP Catalog Authoring Best Practices

J.C. Hornbeck | System Center Knowledge Engineer

Image may be NSFW.
Clik here to view. Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

↧

The ConfigMgr 2007 Documentation Update for September 2010 is now available

November 17, 2010, 2:27 pm

≫ Next: Getting BitLocker status from clients using Hardware Inventory in Configuration Manager 2007

≪ Previous: Best practices for catalog authoring in System Center Updates Publisher (SCUP)

Image may be NSFW.
Clik here to view.Looks like the latest downloadable update for the System Center Configuration Manager 2007 Documentation Library has been posted to the Microsoft download center. The September 2010 version is the newest downloadable update available and contains new material and fixes to documentation problems reported by customers since the last update was published for the March 2010 version. This version also includes the new documentation for Configuration Manager 2007 R3.

For all the details and a download link see the Configuration Manager Team Blog here.

J.C. Hornbeck | System Center Knowledge Engineer

Image may be NSFW.
Clik here to view. Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

↧

Getting BitLocker status from clients using Hardware Inventory in Configuration Manager 2007

November 22, 2010, 8:07 am

≫ Next: ConfigMgr 2007 Antivirus Scan and Exclusion Recommendations

≪ Previous: The ConfigMgr 2007 Documentation Update for September 2010 is now available

Image may be NSFW.
Clik here to view.Let's say that you need to collect the BitLocker Drive Encryption status from the clients in your environment. You have System Center Configuration Manager 2007 and you're already using Hardware Inventory, but how do you put it all together? That's what I'll be discussing here.

First are the additions that are required to be made in the SMS_DEF.MOF and the CONFIGURATION.MOF files:

SMS_DEF.MOF:
------------------
[ SMS_Report (TRUE),
SMS_Group_Name ("Bitlocker"),
SMS_Class_ID ("MICROSOFT|Bitlocker|1.0")]

class Bitlocker : SMS_Class_Template
{
[SMS_Report(TRUE), key]
string          DeviceID;
[SMS_Report(TRUE)]
string          DriveLetter;
[SMS_Report(TRUE)]
uint32          ProtectionStatus;
};

CONFIGURATION.MOF:
-----------------------
#pragma namespace("\\\\.\\root\\cimv2")

[Union,ViewSources{"select * from Win32_EncryptableVolume"},ViewSpaces{"\\\\.\\root\\cimv2\\security\\MicrosoftVolumeEncryption"},
Dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
class Bitlocker
{
    [PropertySources{"DeviceID"},key]
    string          DeviceID;
    [PropertySources{"DriveLetter"}]
    string          DriveLetter;
    [PropertySources{"ProtectionStatus"}]
    uint32          ProtectionStatus;
};

Adding these sections to the respective MOFs and saving them should get things started. Once the clients go through their next policy cycle, they will populate this information into WMI. From here on, whenever the inventory cycle runs the information will be collected in the inventory XML and will get sent to the management point for further processing by the dataloader and added to the database for the respective client. Once the information is in the database, it can be fetched via custom reports. Alternatively, you can also view this information in the resource explorer for the clients.

Most of the times things will not end at just collecting the information using the MOF edit. There will also be a need to get this information reported. This is actually pretty simple and here are the steps you'll need to follow to accomplish this:

1. Create a new report and give it a name.

2. Choose the category you want to put it in and then click on Edit SQL Statement.

3. In the SQL Statement box type in the query below:

select sys.Name0, BL.DriveLetter0, BL.ProtectionStatus0 from v_GS_BitLocker BL Join v_r_system sys on sys.ResourceID = BL.ResourceID

Now, there are two things to remember here. One, the name of the table that is being queried for the BitLocker information and second the columns that need to be reported.

The table name will be v_GS_<name of the class in MOF>. For this example, the MOFs I've created above have the class name as BitLocker. This is why we have the view we are querying by the name v_GS_BitLocker.

If more information is desired in reports (which is rarely the case), it can be queried using a select query in SQL against the SCCM database to get all the columns of information which are present in the table. For example:

select * from v_GS_BitLocker

That's it! Now you're ready to query and report BitLocker information from clients.

Vishal Gupta | Microsoft System Center support

Image may be NSFW.
Clik here to view. Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

↧

ConfigMgr 2007 Antivirus Scan and Exclusion Recommendations

November 30, 2010, 6:39 am

≫ Next: New Knowledge Base article: Service Requests with circular relationships cannot be closed in System Center Service Manager 2010

≪ Previous: Getting BitLocker status from clients using Hardware Inventory in Configuration Manager 2007

Image may be NSFW.
Clik here to view.Please review all of the information in this post specific to your systems for any antivirus scan issues and workarounds.

Important: Some of the steps defined herein may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process below in order to enable programs to operate as they are designed or to implement specific program capabilities. Before you make these changes, it is your responsibility to evaluate the risks that are associated with implementing this process and to test in your specific environment. If you choose to implement this process, take any appropriate additional steps to protect your system. It is recommended that you follow this process only if it is absolutely required for your environment.

System Center Configuration Manager 2007:

If you have Microsoft System Center Configuration Manager 2007 (ConfigMgr 2007) installed and are running into the specific issues defined in the Knowledge Base articles below, you should consider excluding the folders/files defined in each:

KB900638 - Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied

KB327453 - Antivirus programs may contribute to file backlogs in SMS 2.0 and in SMS 2003

KB922358 - Microsoft Systems Management Server 2003 Inventory Tool for Microsoft Updates cannot run when a McAfee antivirus program is installed on the same computer

KB924148 - A Systems Management Server (SMS) 2003 client computer stops responding when you try to perform a software update scan of the Inventory Tool for Microsoft Updates (ITMU) on a computer that is running SMS 2003

KB824722 - "Cannot Open the File to Verify the Signature" Appears in Despool.log

Inventory Tool for Microsoft Updates (ITMU):

If you are running ITMU then review the Knowledge Base articles below for issues with virus scan and their workarounds:

KB900638 - Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied

KB922358 - Microsoft Systems Management Server 2003 Inventory Tool for Microsoft Updates cannot run when a McAfee antivirus program is installed on the same computer -

Windows Server Update Services (WSUS):

If you are running WSUS on your system then review the Knowledge Base articles below for issues with virus scan and workarounds:

KB900638 - Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied

SQL Server:

If you have SQL Server installed on your system then consider using the guidelines as defined in the following Knowledge Base articles:

KB309422 - Guidelines for choosing antivirus software to run on the computers that are running SQL Server

KB250355 – Antivirus Software that is not cluster-aware may cause problems with cluster Services

Operating Systems (OS):

If you are running Windows Server 2003, Windows 2000 or Windows XP, review the following Knowledge Base article for virus scan exclusions:

KB822158 - Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP

Internet Information Server (IIS):

If you have IIS installed on your system, use the following Knowledge Base articles for virus scan exclusion information:

KB817442 - IIS 6.0: Antivirus Scanning of IIS Compression Directory May Result in 0-Byte File

KB821749 - Antivirus software may cause IIS to stop unexpectedly

Summary of Exclusions for ConfigMgr 2007:

CAB and archived files exclusions:

· Exclude the Wsusscan.cab file from the antivirus scan. –OR-

· Exclude all .cab files from the antivirus scan. –OR-

· Exclude all archived files from the antivirus scan. –OR-

· Exclude the following items from the antivirus scan:

· The folder in which the Wsusscan.cab file is located.

· The path of the Wsusscan.cab file on the local computer.

Exclusion of <DriveLetter>:\<ConfigMgr Install Folder>\Inboxes\SMS_Executive:

The SMS_Executive service may stop responding to some threads. These include the following threads:

• SMS_Discovery_Data_Manager

• SMS_Status_Manager

• SMS_Replication_Manager

• SMS_Despooler

• SMS_Data_Loader

• SMS_Collection_Evaluator

If you experience the behavior described above or in this article (KB327453), use one or more of the following methods to reduce the file backlog:

• Exclude the <DriveLetter>:\<ConfigMgr install folder>\Inboxes\SMS_Executive Thread Name directory or the SMS_CCM\ServiceData directory from the virus-scanning process

• Make sure that the antivirus software is not configure for Real-Time monitoring.

• Remove the antivirus software, and then restart the server so that any remaining traces re unloaded and removed from memory.

Note: If you exclude the <DriveLetter):\<ConfigMgr install folder>\Inboxes directory from virus scanning or remove the antivirus software, you may make the site server and all clients vulnerable to potential virus risks. The client base component files reside in the <DriveLetter):\<ConfigMgr install folder>\Inboxes directory, therefore use these options only as a short-term troubleshooting step and not as a solution for this behavior.

Exclusion of %Windir%\SoftwareDistribution :

Review the issue described in KB922358 where the antivirus program is configured to scan the %Windir%\SoftwareDistribution folder on the computer on which the ITMU scan is run. In this case, when the antivirus program scans the .edb file the antivirus program locks the file. The result is that ITMU cannot access the .edb file. To workaround this issue please make sure that the antivirus program does not scan the files in the %windir%\SoftwareDistribution folder on any computer on which the Windows Update Agent is installed.

APPENDIX: ConfigMgr 2007 Antivirus Recommendations

It is recommended from a performance point of view that antivirus scanning be disabled on certain key non-executable items. As these items are non-executable they provide minimal risk on a server, where the number of non-trusted application should be negligible and the opening of files by user applications is also minimal. The key items include:

- ConfigMgr 2007 database data and log files (server-side)

- ConfigMgr 2007 log files (server-side)

- ConfigMgr 2007 transactional files (server-side)

- Windows Update Scan Catalog (client-side)

The following is a listing of the details of the above types of key items:

Image may be NSFW.
Clik here to view.

Rushi Faldu | Senior PFE

Image may be NSFW.
Clik here to view. Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

↧

New Knowledge Base article: Service Requests with circular relationships cannot be closed in System Center Service Manager 2010

November 30, 2010, 6:51 am

≫ Next: New KB: A System Center Configuration Manager 2007 SP2 Task Sequence may fail if the computer has multiple drives or partitions and USMT 4 with hardlinking is being used

≪ Previous: ConfigMgr 2007 Antivirus Scan and Exclusion Recommendations

Image may be NSFW.
Clik here to view.Just wanted to give you a quick heads up on a new Knowledge Base article for System Center Service Manager 2010 that we published last night:

=====

Symptoms

A change request in System Center Service Manager 2010 will remain with a status of "in Progress" and cannot be closed even if all activities have been completed.