SCCM – Application Migration Failed Because of the Languages?

These days, I’m working on a SCCM migration which require to consolidate 5 ConfigMgr Sites into 1 Primary sites. So part of our transition plan, we want to shared the distribution points between our legacy environments and our new CM Site, then use the migration job to only migrate the objects that need to be migrated. Well So far nothing too complicated, but once we start the migration, we notice that some type of objects like application are failing…

So we look at the SMSProv.log and Migmctrl.log to check for any errors, but so far nothing to helpful (unkown error and 0/1 object returned);

migctrl

smsprov0

So keeping working on the migration I start to think about what could be different between collections, packages and applications, as those are the 3 types of objects we have migrated so far.. and all the others are working well…

Having a closer look to the log files, I’ve noticed that the user context and preferred languages was set to English…

smsprov1033

So I tried to remove all the other languages configure on the application that we are trying to migrate… then it works. So after removing the deployment type languages and Apps Catalog language the migration job work successfully…

I don’t know if this is something documented,as I haven’t been able to found anything related to this so far… but well now I need to work on a PowerShell script to do all the changes prior to the migration and reapplying the settings once the apps are migrated… Thx Microsoft.

 

 

SCCM – Microsoft Vulnerability Assessment Configuration pack in a Multi-Language Environment?

Recently, we have to deploy the Microsoft Vulnerability Assessment Configuration pack in our environment and this to meet some standards from our security team. First, we start following this guide from Enhansoft; http://www.enhansoft.com/blog/how-to-install-vulnerability-assessment-configuration-pack which is excellent guide.

Of course, those baselines are really interesting from a security perspective, but one thing we noticed once start our deployment is … we got a lot of failure and this even using the bypass for PowerShell in our client settings. We start to troubleshoot the issue and it looks like some of the configuration items script are looking for specific value like Guest… So as we have to deal with a lot different languages, well it was just doesn’t work for us.

vulnerability_os_language

At this point my question was, why Microsoft doesn’t use the SID rather than the name in their CI script… So starting with this list of well known SIDs; https://support.microsoft.com/en-ca/kb/243330 , I’ve build my own script using PowerShell and user account SID. Ending with the following result;

guest_compatible

So if you are in the same situation as me, here an example of the script I used to fix the Guest account status check (btw, make sure to copy the CI before you do some change);

$LocalAccounts = Get-WmiObject win32_useraccount -Filter “LocalAccount=’True'” |
?{$_.sid -match ‘^[S][-][1][-][5][-].*[-][5][0][1]$’} |
Select-Object Name,Disabled

if($LocalAccounts){
foreach($Account in $LocalAccounts){
if($Account.Disabled -eq $False){Write-Host $($Account.Disabled)}
}
}

Hope that can help you to make those baselines work in your environment and Don’t forget to do some test before you target this to your production systems.

SCCM – Client health report for a specific computer

*** Update August 28: I have updated the RDL file and added the information for CM client 1606 . I’ve also added the required permission for the datasource***

In this post I will share with you a report that I’ve build to get all the information required for a specific computer. This report is divided in 4 different tables and here are the details;

  1. Operating System, in this table you will get all the information about the OS, such as display name, last reboot, etc. Specific_Comp_1
  2. Configuration Manager Client & AD, well this is a very interesting table that contains a lot of information, so in this table you get all the information about CM and AD sites, as well as all the information about the inventories,discoveries,policy request, MP, SUP, evaluation  and lastly the information about the collections, which can be expand to get the collection name. Specific_Comp_3
  3. System Information, in this table you will get all the information about the system, like computer Name & AD DN, Network, System drive, CM User Affinity and the next effective maintenance window.Specific_Comp_2
  4. Software Updates Information, in this last table you’ll get all the information about software updates (can be filter on vendors and classifications). Again, you’ll get information about the level of compliance, WUA version, missing updates and all the detail about the missing updates, like if they are targeted or not, etc.Specific_Comp_4

Alright, so now we need to discuss about requirements. First you need to add the Managed By attribute to your AD system discovery in configuration manager. Then you will also need to add the following properties to your hardware inventory, Logical_Disk — Free Space (MB) and Services — State, and finally but not the least you will need to create the following SQL function, Report for upcoming maintenance window.

Once the SQL function is created, you’ll now have to modify the SQL permissions (unless the reporting point service account already have db_datareader permission on the CM DB) and grant at least the Select permission on the 2 following SQL objects to your reporting service point account:

DS_Permission

So here the link to get the RDL file: Client Health – Specific Computer

Specific_Comp_5

Enjoy.

SCCM – Software Update Groups Compliance Dashboard Revisited, Part 2

In this second part, I will share with you some of the sub reports that I have created for the main SUG dashboard (Software Update Groups Compliance Dashboard Revisited). This will give you the ability to get the details for some of the tables in the dashboard and of course they can also be run independently, as they also bring a lot of useful information.

Let’s start with the first report, which is one of my preferred ones. It’s link to the Top Vulnerable Assets table and can be very useful as it gives you all the details about the health of a specific client as well as the level of compliance for Software Updates. The report contains 3 parameters, which are:

  • Computer Name
  • Vendor – List of vendor from the update catalog
  • Category – Update classification

and also contains multiple tables such as Operating System, CM Client/AD, System Info and Software updates information. Here are some screenshot of the reports:SysInfoDetailed_1

SysInfoDetailed_2

*** It may requires that you add some AD attributes (ManagedBy, DesktopProfile) to your CM system discovery as well as adding the service status to your client policy settings ***  

And now let’s have a look to the second one, which is link to the Assets Information table. Well this part is the only one in the Dashboard that contains the information for all clients, so not only the one with the agent. There are three filters available for this reports, which are:

  • Client – All, Unmanaged and Managed
  • Operating System – filter per OS
  • Collection – filter per Collection

and it contains a table with some information about clients, which can be useful to troubleshoot your client.

SysHealth_1

I will stop here for now, as you have the reports required to drill from the first two table of the Dashboard:SubReport_1So here’s the link to get these reports:

System health for a specific computer

System Health Overall

SCCM – Software Update Groups Compliance Dashboard Revisited

So first, it’s been a long time since my last post. So I hope it will be an interesting one for you guys… and yes, it is about custom software update report again.

In this blog post, I will share with you a Dashboard for Software Updates Group and it’s based on the ones created by Gary Simmons, which are just incredible. So for those who aren’t using it yet, here’s a link that I recommended to read first, as it explains in detail most of the feature include in this Dashboard;  SUG Dashboard from Gary Simmons

First, let’s talk about the parameters, in this Dashboard I’ve change the parameters to match our needs, so for that I’ve create a filter on the software update group parameter to only show the SUG that contains compliance in the name (This is use as a template containing all the updates that are required in our company).   Other fields like Company and Entity match our Folder Structure in SCCM and Scope is the collections that are within the second level folder SCCM. Here’s an example of what we use:

SCCMHierarchy_1

And finally the OS Type parameters allows to scope this report by OS Type, Servers, Workstations, etc. it the case that you have different OS in the Collection.

Dashboard_Parameters

Ok, so in the first part of the Dashboard I’ve change the Asset table to include all devices and the ability to drill down to get the detailed information. Also, in this part I added 2 tables to first get the top 10 vulnerable systems and them the top 10 missing updates.

Dashboard_1

In the second part, I’ve added a custom Overall Systems Compliance part (again from a report from Gary Simmons) which contains all the OS Versions.

 

Dashboard_2

And lastly in the third part, I’ve added a chart to show the Compliance level per update severity, a chart about the updates scan status (% of success) and Errors details, a chart with the top 5 Windows Updates version and a table with the Software updates point status (last sync time, sync status).

Dashboard_3

here’s a link from where you can download this dashboard, in the case you are interested to try it;

SUG Compliance Dashboard

And in the next part, I will publish all the sub reports that I’ve create to drill down and get all the details information.

Part 2: Software Update Groups Compliance Dashboard Revisited, Part 2

 

 

SCCM – Software Updates Compliance Reports (Updated)

Recently, I received some suggestions/comments about some of the reports that I published on my blog (and thanks to all of you guys)… and one of them was to add the Maintenance Windows information to the Software Updates Compliance Reports, which I think could be very helpful.

So, here’s an updated version of those reports, which now include the information on the next active maintenance window (if set), plus a new linked report, which gives the Maintenance Windows & Deployments details for the selected collection.

Here are some screenshots of these reports;

img3

Software_update_Collection_Status

img2

Software_update_Collection_Status

img4

Software_update_Computer_Detail

img1

Software_update_Collection_Detail

Links;

Software_update_Collection_Status; 

https://drive.google.com/file/d/0ByVMhVXdDQn4YUN1dTZMZEpEejA/edit?usp=sharing

Software_update_Computer_Detail;

https://drive.google.com/file/d/0ByVMhVXdDQn4UVhlRUxwZXFReHM/edit?usp=sharing

Software_update_Collection_Detail;

https://drive.google.com/file/d/0ByVMhVXdDQn4UHp6Ui0zLXpPcDA/edit?usp=sharing

SCCM – Software Updates Compliance Reports

Here’s a report that I’ve created to obtain the compliance status for the software updates. The first report will allow you to get the information for selected update classifications and for a specific collection. Then the second report, give you the ability to drill down for a specific computer and get the detail by computer as well as the % of compliance based on the selected classification(s).

Here are some screenshots of this reports;

Software Updates – Collection Status

img141

Software Updates – Computer Status

142

You can also expand the result by classification to get the detail.

143

Also note that the targeted count don’t include the updates which are already installed.

So if you’d like to use them, the only thing you need it’s to download those .RDL files, import it and changed the datasource for the appropriate one.

– Software update – Compliance Status By Collection

https://docs.google.com/file/d/0ByVMhVXdDQn4ak1URDE0NnhwWTg/edit?usp=sharing

– Software update – Compliance Status By Computer

https://docs.google.com/file/d/0ByVMhVXdDQn4MkNOSlhGR3pvRFU/edit?usp=sharing