CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Browsing Posts published in November, 2011

In some scenarios you need to install the SCCM client using a software distribution tool other than Configuration Manager. Yes, I know it sounds strange ;-)

If you have tried this, you know that Ccmsetup.exe installs a service and then exits in the user context, so control is returned to the VBScript, cmd file or whatever method you use to run Ccmsetup before the installation has finished.

There are two ways of solving this:

1. Run Ccmsetup.exe with the /noservice switch. Ccmsetup then runs the setup in the context of the user who triggered the installation instead of using a service in the System context.

2. Use a VBScript that checks for an active process called “ccmsetup.exe” and waits for it to exit.

I thought of writing a script for this and then I found this excellent discussion on a forum: http://www.tek-tips.com/viewthread.cfm?qid=911251

That script will work for Ccmsetup as well. Below is the modified script for ccmsetup.exe:


' Start ccmsetup.exe hidden and wait for the launcher process to return
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "ccmsetup.exe SMSSITECODE=020 FSP=SCCM01", 0, True
' Give the ccmsetup service time to start its own ccmsetup.exe process
WScript.Sleep 5000
Set svc = GetObject("winmgmts:root\cimv2")
sQuery = "select * from win32_process where name='ccmsetup.exe'"
Set cproc = svc.ExecQuery(sQuery)
iniproc = cproc.Count
' Poll every 5 seconds until no ccmsetup.exe process is left
' (> 0 rather than = 1, so the wait also holds when more than one instance is running)
Do While iniproc > 0
    WScript.Sleep 5000
    Set cproc = svc.ExecQuery(sQuery)
    iniproc = cproc.Count
Loop
Set cproc = Nothing
Set svc = Nothing
Set WshShell = Nothing
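
The same wait written as a PowerShell function with an upper time limit, so a hung ccmsetup.exe does not block the calling deployment tool forever. This is an added example, not part of the original post; the function name, the timeout value and the choice to treat a non-zero launcher exit code as a failure are assumptions.

```powershell
# Added example (hypothetical helper, not from the original post).
function Invoke-CcmSetupAndWait {
    param(
        # Assumed to be resolvable from the working directory or PATH
        [string]$SetupPath = 'ccmsetup.exe',
        # Site code and FSP values as used in the post
        [string[]]$SetupArgs = @('SMSSITECODE=020', 'FSP=SCCM01'),
        # Assumed upper bound for the whole installation
        [int]$TimeoutSeconds = 3600,
        [int]$PollSeconds = 5
    )

    # Start the launcher hidden and wait for it; it hands the real work
    # to the ccmsetup service and returns quickly.
    $launcher = Start-Process -FilePath $SetupPath -ArgumentList $SetupArgs `
                              -WindowStyle Hidden -Wait -PassThru

    # Assumption: a non-zero exit code from the launcher means setup never started.
    if ($launcher.ExitCode -ne 0) {
        throw "ccmsetup launcher exited with code $($launcher.ExitCode)"
    }

    # Give the service time to start its own ccmsetup.exe process.
    Start-Sleep -Seconds $PollSeconds
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    # Poll until no ccmsetup.exe process is left, regardless of how many there were.
    while (Get-Process -Name 'ccmsetup' -ErrorAction SilentlyContinue) {
        if ((Get-Date) -gt $deadline) {
            throw "ccmsetup.exe still running after $TimeoutSeconds seconds"
        }
        Start-Sleep -Seconds $PollSeconds
    }

    return $true
}

# Usage: returns $true once setup has finished, throws on launcher failure or timeout.
# Invoke-CcmSetupAndWait -TimeoutSeconds 1800
```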

In Forefront Endpoint Protection 2010 there is no way to password-protect the uninstallation of the FEP client. This makes it possible, for instance, for local admins to remove the FEP client.
I started testing advertising the FEP client to the “Locally Removed” collection, where the client will end up if the FEP client is uninstalled. At least that was what I thought…

The above statement is true if you install the FEP client using the package/program and advertisement in SCCM. If you deploy the FEP client using, for instance, an OSD task sequence, or manually, the client is added to the “Not Targeted” collection instead.

Note: In case you wonder, the installation and the uninstallation of the FEP client trigger an SCCM hardware inventory on the client immediately, to speed up the process of reporting an updated inventory to the SCCM server.

So, I solved it using the following setup in SCCM, including a standard exclusion collection as the customer asked for the possibility to exclude certain computers from FEP.

I have created two sub-collections for my Microsoft FEP collection:

  • FEP – Install
  • FEP – Exclusion

[Image: FEP_Install1]

The following query is used for the FEP – Install Collection:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.ResourceId not in (
        select distinct SMS_R_System.ResourceId
        from SMS_R_System
        inner join SMS_G_System_ADD_REMOVE_PROGRAMS
          on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
        where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Forefront Endpoint Protection")
  and SMS_R_System.ResourceId not in (
        select distinct SMS_R_System.ResourceId
        from SMS_R_System
        inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64
          on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId
        where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "Microsoft Forefront Endpoint Protection")
  and SMS_R_System.Active = 1
  and SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_02000087)

When you import the query, change SMS_CM_RES_COLL_02000087 in the query to reflect the CollectionID of the FEP-Exclusion collection in your environment.

The query includes:

  • Only active clients
  • Computers where the Microsoft Forefront Endpoint Protection client is not installed, both x86 and x64
  • Computers that are not members of the FEP-Exclusion collection.

You can limit the FEP-Install collection to, for instance, “All Windows Workstation and Professional Systems” if you don’t want to include servers.

Then I advertise the Microsoft FEP client package, using the package/program included in the installation of FEP, with the following settings:

[Image: FEP_Install2]

Then the installation will rerun even if the FEP client is removed and added back more than once.

I hope this is useful to more than me.

I have the great honor of doing two sessions at the SCCM Summit 2012 in Stockholm, Sweden, 17-18/1 – 2012. http://www.cornerstone.se/sv/Event/sccm2012/

SCCM Summit 2012 will be 1 1/2 days focusing on all the great new features in System Center 2012 Configuration Manager (in Swedish).

The sessions I will deliver are:

  • Application Management in two parts (double session), where we will cover the whole life-cycle of application management in CM 2012.
  • System Center 2012 Endpoint Protection, how to protect your clients using endpoint protection in CM 2012.

There are some great speakers who will be part of the event:

Anders Ahl – Microsoft

Johan Arwidmark – Knowledge Factory

Niall Brady – Enfo Zipper

Peter Frodin – Atea

I hope to see you there!

A new version of the FEP Definition Update Automation Tool has been released. It contains a great new feature: the Software Update Package containing the FEP definitions isn’t updated if there are no new Definition Updates.
With the old version the DPs were always updated, so this will save replication traffic to remote locations.

Great Update!

Some more fixes:

  • Removal of the /RefreshDP switch and addition of a new switch: /DisableRefreshDP
  • Improved logic to skip updating the deployment package if no content change was detected
  • Corrected the default update filter string so it will not retrieve superseded updates and enables functionality when custom updates published by System Center Update Publisher are present

Check out the complete article here: http://blogs.technet.com/b/configmgrteam/archive/2011/11/01/how-to-use-definition-update-automation-tool-for-forefront-endpoint-protection-2010-update-rollup-1.aspx

/Jörgen