CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Browsing Posts published in August, 2011

Are you interested in the next generation desktop? Don’t miss out on the Desktop vNext event in Stockholm.
I have the honor of presenting Device Management using Configuration Manager 2012! (The event will be held in Swedish, sorry guys)

Desktop vNext – Agenda

Nyheterna i XenDesktop och XenApp

Jörgen Pärsson, Envoke IT

Managera ditt datacenter med SCVMM

Talare från Microsoft

Device Management med hjälp av SCCM 2012

Jörgen Nilsson, Atea

Nyheterna i XenApp 6.5

Paul Murray, Citrix

VDI lösninngar från ett Datacenterperspektiv

Lars-Eric Dufvenberg, HP

For more Information:

http://www.cornerstone.se/sv/Event/Desktop-vNext/

Read this article “A WSUS client that is connected to a WSUS or Configuration Manager 2007 SUP server takes longer than expected to finish an update scan“  and thought I would promote it as it also affect clients connected to a SUP in SCCM.

From the article:

Symptom:

- A Microsoft Windows Server Update Services (WSUS) client computer is connected to a WSUS or Configuration Manager 2007 SUP (Software Update Services) server.

- The WSUS client computer runs a scan to determine whether an update applies to the client computer.

In this scenario, the WSUS client computer takes longer than expected to finish the scan. For example, the scan may take hours or days to finish. Additionally, you experience the following problems on the WSUS client computer:

- Task Manager indicates high CPU usage for the Svchost.exe process.

- You cannot stop the Svchost.exe process.

Configuration recommendation:

On Windows Server Update Services 3.0(applies when using configuration manager as well.)

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Microsoft Windows Server Update Services.
  2. Click Options, and then click Automatic Approvals.
  3. Click the Advanced tab, make sure that the following check boxes are selected, and then click OK:
    • Automatically approve new revisions of approved updates
    • Automatically decline updates when a new revision causes them to expire

I really recommend that you read the whole article!

http://support.microsoft.com/kb/938947

When upgrading certain applications for instance plug-ins to Internet Explorer, Internet explorer must not be running if the upgrade is to be successful. I answered this question on the Technet forum during the week and I thought I would share the simple script here.
I have a more advanced script which prompts the user to close open applications with the possibility to postpone the upgrade, I will post that later it just needs a bit more cleaning up ;-)

The script can be used as a step in a  Task Sequence or “run this program before” and if you want to check more processes just add a new line as the script uses a command-line argument to pass the process-name to check status.

Example:

checkprocess1

Example syntax: cscript.exe checkprocess.vbs iexplore.exe

Script:

'The script will return error code 1 if process is running
'Processname can be passed on the command line as a variable
'Example cscript.exe checkprocess.vbs Iexplore.exe

Option explicit
DIM strComputer,strProcess
DIM Args

Set args = WScript.Arguments
strProcess = args.Item(0)

If args.count <> "1" then
wscript.echo "incorrect syntax"
wscript.echo "Syntax example = checkprocess.vbs notepad.exe"
end if

IF isProcessRunning(strProcess) THEN
wscript.quit(1)

END IF
FUNCTION isProcessRunning(BYVAL strProcessName)

DIM objWMIService, strWMIQuery

strWMIQuery = "Select * from Win32_Process where name like '" & strProcessName & "'"

SET objWMIService = GETOBJECT("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

IF objWMIService.ExecQuery(strWMIQuery).Count > 0 THEN
isProcessRunning = TRUE
ELSE
isProcessRunning = FALSE
END IF

END FUNCTION

Last week a KB-article was released with “Suggested hotfixes for WMI related issue on Windows platforms”. It really recommend that you read it because WMI is critical to Configuration Manager, Group polices, Operations Manager and so on. As you all know without working WMI we cannot manage the systems out there.

I will deploy the following WMI stability hotfix in all my Windows 7 projects, note that is is updated for Windows 2008 R2 SP1 and Windows 7 SP1.
KB24659900×80041002 (WBEM_E_NOT_FOUND)” error occurs when you try to open a WMI namespace on a computer that is running Windows 7 or Windows Server 2008 R2″ I recommend that you have a look at it.

From the KB article:

Hotfix list for Windows Vista and Windows Server 2008

2464876 The WMI repository is corrupted on a computer that is running Windows Server 2008 or Windows Vista
http://support.microsoft.com/default.aspx?scid=kb;en-US;2464876 (http://support.microsoft.com/default.aspx?scid=kb;en-US;2464876)

973243 The default gateway is missing on a computer that is running Windows Server 2008 or Windows Vista after the computer restarts if the default gateway is set by using the Netsh command
http://support.microsoft.com/default.aspx?scid=kb;EN-US;973243 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;973243)

Hotfix list for Windows 7 and Windows Server 2008 R2

2465990 “0×80041002 (WBEM_E_NOT_FOUND)” error occurs when you try to open a WMI namespace on a computer that is running Windows 7 or Windows Server 2008 R2
http://support.microsoft.com/default.aspx?scid=kb;en-US;2465990 (http://support.microsoft.com/default.aspx?scid=kb;en-US;2465990)

2492536 Msinfo32.exe takes a long time to display or export system information on a computer that has many MSI-X-supported devices and that is running Windows 7 or Windows Server 2008 R2
http://support.microsoft.com/default.aspx?scid=kb;en-US;2492536 (http://support.microsoft.com/default.aspx?scid=kb;en-US;2492536)

982293 The Svchost.exe process that has the WMI service crashes in Windows Server 2008 R2 or in Windows 7
http://support.microsoft.com/default.aspx?scid=kb;EN-US;982293 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;982293)

974930 An application or service that queries information about a failover cluster by using the WMI provider may experience low performance or a time-out exception
http://support.microsoft.com/default.aspx?scid=kb;EN-US;974930 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;974930)

Hotfix list for Windows Server 2003 SP2

2257980 “0×80041002 (WBEM_E_NOT_FOUND)” error code occurs when you try to open a WMI namespace on a computer that is running Windows Server 2003 SP2
http://support.microsoft.com/default.aspx?scid=kb;en-US;2257980 (http://support.microsoft.com/default.aspx?scid=kb;en-US;2257980) For all supported x86-based versions of Windows Server 2003

Hotfix list for Windows XP

933062 A hotfix is available that improves the stability of the Windows Management Instrumentation repository in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;933062 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;933062)

The whole KB can be found here: http://support.microsoft.com/kb/2591403




After 4 weeks’ vacation I started working again and the first thing I planned to do was to implement the new feature in FEP 2010 Update Rollup 1 for automating approval of FEP 2010 definition updates in SCCM instead of doing it separately in WSUS on the SCCM server as many of us do today.

UPDATE:! ——————————————————
A new version of the SoftwareUpdateAutomationtool.exe has been released it can be downloaded here: http://www.microsoft.com/download/en/details.aspx?id=26613
When using this updated tool the challenges with the original version has been solved, the command line below in the .cmd file using the new version used should be:
“e:\program files (x86)\Microsoft Configuration Manager\AdminUI\bin\SoftwareUpdateAutomation.exe” /AssignmentName FEP2010SignatureUpdates /PackageName FEP2010Signature

The rest of this article is still valid.

——————————————————————

I found that the documentation was not that clear and that included using a Scheduled task which I cannot simply use when we have Status Filter Rules in SCCM which is so cool ;-)

The guide on Technet describes how to create the necessary Software Update packages and copy the softwareupdateautomation.exe file to the correct location so I will not go into detail about that. You can find the installation instructions here: http://technet.microsoft.com/en-us/library/hh297450.aspx

This is what I ended up doing to get it to work:

1. Follow the instructions on the Technet article until it is time to create the Schedule task.

2. Then copy the softwareupdateautomation.exe as described to the correct location(it must be executed from the AdminUI\Bin directory:
%ProgramFiles%\Microsoft Configuration Manager\AdminUI\bin, if the computer is a 32-bit operating system.
%ProgramFiles(x86)%\Microsoft Configuration Manager\AdminUI\bin, if the computer is a 64-bit operating system.

3. Then I created a simple .cmd file which I placed in a directory on the SCCM Primary Site server, E:\sccmtools.
I run all my status filter rules script from the same location. It is really easy to test that the command line works, just execute it with Admin privileges and check the SoftwareUpdateAutomation.log file for status information. The log file can be found here:
%ProgramData%\SoftwareUpdateAutomation.log.

4. The following command was the one I used in the .cmd file, replace the AssignmentName and PackaegName to reflect your environment:

"e:\program files (x86)\Microsoft Configuration Manager\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName FEP2010SignatureUpdates /PackageName FEP2010Signature /UpdateFilter "articleid='2461484' AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0" /refreshdp

5. Then I created a Status filter rule on the Primary SCCM Site Server which looks like this:

FEPUA1
FEPUA2

6. Using this status filter rule the SoftwareUpdateAutomation.exe will be triggered each time the WSUS Sync Manager reports that synchronization is completed. No schedule task needed!

7. Change your FEP policies to use the new update option below and you are good to go:

FEPUA3

The command line took a while to get to work as the documentation is not correct on the Technet webpage as I am writing this at least.
Also the help information for the softwareupdateautomation.exe tool states that /refreshdp is default true but it is not so /refreshdp must be used.
I strongly recommend reading this article with some other known errors.

http://blogs.technet.com/b/clientsecurity/archive/2011/07/18/errors-when-using-the-fep-2010-definition-update-automation-tool.aspx