CCMEXEC.COM – System Center blog

This topic is not new but it has been asked a lot lately on the forums so a post is in order.

To use the “Install Software updates” step in a Task Sequence to install Software updates requires that the computer that is being deployed/reimaged is a member of one or more collections with the updates that should be installed deployed to it.

There are two options for the “Install Software Updates Step”:

Mandatory Software Updates = This naming is perhaps not really clear as in Configuration Manager 2012 Software Updates are deployed as “Required”. This option will install all updates deployed to the computer as required.

All Software Updates = this option will install all Software Updates that are deployed to the computer as “Available”

What if I am using Unknown Computer support to install my clients? In that scenario you have two options:

• Deploy all the “Software Update Groups” to the “Unknown Computers” collection. This option will require you to deploy all updates multiple times which is not fun.
• Include the two “Unknown Computer”(one for x86 and one for x64) objects in your normal Collection that you use to deploy Software Updates.
  This is a much better option which doesn’t require multiple deployments of all Software Update Groups

Also check out this KB article, http://support.microsoft.com/kb/2894518 for an issue with deploying Software Updates during a Task Sequence that requires multiple reboots.

I got a request from a customer that they want to be able to subscribe to the built in report “Antimalware Activity Report” in Configuration Manager 2012. As this report requires a start date and end date to run the report will be be emailed for the dates that are entered when you create the subscription and not the current date.

Modifying the report to be for the last day or for the last 7 days and remove the Start Date and End Date prompt.

Here is how to do it:

1. Browse to the Configuration Manager 2012 reporting site

2. Under Endpoint Protection, select the “Antimalware Activity Report” and select “edit in report builder”

3.Under Parameters select @StartDate and Edit parameter

4. Change the visibility to “Hidden”
5. In the available values section change to “Get values from a query” with the below settings:

6. Then we do the same for the @EndDate parameter:

7. Then we save the report with a new name like “Anitmalware Activity Report – Last 7 days”

Now when we run the report we are no longer prompted for a Start Date and an End Date, only which device collection the report should be based on.

Then we are done!

If you want to change the interval from 7 days to only include todays activity we can change that as well really easy in the Report Builder.
Under “Datasets” select the “StartEndDates” dataset and edit the query. Change the “-7″ in the query to how many days back in time you want the report, for only todays activity set it to “0″.

Then the query looks like this:
select DATEADD(day,0,DATEDIFF(day, 0, GetUTCDate())) as StartDate, DATEADD(day,0,DATEDIFF(day, 0, GetUTCDate())) as EndDate

Then we save report again as for example “Antimalware activity report – todays activity”

I hope this can be useful for more than me

I have ran into this a couple of times now when moving site roles in Configuration Manager 2012. When uninstalling the WSUS server components from in this case the Primary Site server to move it to a dedicated server instead the Management Point on the Primary Site server started giving HTTP Error 500 Internal Server Error:

This was caused by the removal of the WSUS role on the server which removed almost all the files installed by the Windows Update Services but not the configuration written in the ApplicationHost.config file. The Applicationhost.config file tries to call the .dll installed by the WSUS Server but no longer exists on the system.

From the Applicationhost.config file:

<scheme name=”xpress” doStaticCompression=”false” doDynamicCompression=”true” dll=”C:\Program Files\Update Services\Webservices\suscomp.dll” staticCompressionLevel=”10″ dynamicCompressionLevel=”0″ />

Running the following command will remove all references to the module installed by WSUS.

%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']


After that the Management Point is up and running again.

I have the great honor to be speaking at TechED 2014 in Houston together with Stefan Schörling.
The session is called “Microsoft System Center Configuration Manager Community Jewels”. We will present and demo many of the cool tools that are available created by the community and show how they can help you solve day to day headaches and makes your life a lot easier! Expect a lot of demos!

The session code is PCIT-B320

See you all in Houston!

Just realized I missed a release of a Configuration Manager book, “Configuration Manager book: High availability and performance tuning” by fellow MVP Marius Sandbu. A good introduction to High-availability.

You can find it here on PactPublishing

When building a new OS image it is a really good idea to include Visual C++ Redistributable packages in the image as well as .NET framework versions so that we don’t need to handle these software components as dependencies for all applications but have it included in the standard image instead. I also copy Cmtrace.exe to every location I can think of, like C:\windows on all clients when I create the image, extremely useful.

Here is a Knowledge-base article to bookmark “Latest Supported Visual C++ Downloads” http://support.microsoft.com/kb/2019667

It contains information and links to all the latest versions of the Visual C++ Redistributable packages which makes it really easy to find the latest versions.

The link to the Visual C++ 2013 redistributable pacakge is not in page below, here is the link instead. http://www.microsoft.com/en-us/download/details.aspx?id=40784

When enabling Bitlocker using Configuration Manager the step fails if there are a CD/DVD inserted. There are many great solutions to eject the CD/DVD before enabling Bitlocker out there.
As CD/DVD are not used at all that much anymore I was kind if annoyed that it ejected the CD/DVD every time and when enabling Bitlocker after OS deployment using a Task Seqeunce it could be interesting for the end-user when the CD/DVD is ejected.

So this script only ejects the CD/DVD when media is present in the drive. I have posted a powershell version on Microsoft Gallery: http://gallery.technet.microsoft.com/Eject-CDDVD-if-CD-present-5e464ad2

But after several requests I have created a vbscript version as well which also ejects the CD/DVD if media is present.

Download it here: ejectcd

Or copy paste the code below:

-------------------------------------------------------------------------------------------------------------------------------------

'Created by Jörgen Nilsson, http://ccmexec.com

'Version 1.0

WSCript.Quit


A really cool new announcement was just made: a new feature in Configuration Manager 2012 R2 / Windows Intune that makes it possible to provision ActiveSynce email profiles using ConfigMgr 2012 and Windows Intune. Thought that I would post this here as well as it is bigger news than just the fact that you can provision ActiveSync email profiles using Configuration Manager 2012 R2 and Windows Intune.

This new feature uses a new component in Configuration Manager 2012 R2 that makes it possible for Microsoft to publish new Windows Intune Mobile Device Management features to the Configuration Manager 2012 R2 console / site without having to do it in a Service Pack or in a new release.  This is a really cool feature as it makes it possible to ship new features more often than you could with the normal approach with Service Packs and R2 releases.

The Mobile Device Management segment is driving innovation really fast. I have several customers who now have more iOS devices in their environment than they have PC’s, so there is a big market out there.

The blog post about how to provision email profile can be found here:  http://blogs.technet.com/b/configmgrteam/archive/2014/01/29/provision-activesync-email-profiles-to-mobile-devices-using-configmgr-and-windows-intune.aspx

Now it is time to provision some email accounts