Recently I had an issue where the SCCM agent couldn't install any Office update.
While investigating the issue, I saw that other updates installed without any problem.
Looking at the Event Viewer revealed error 11406 - the installation couldn't write to the Browser Helper Objects registry key:
After hours of searching, I saw the following policy in Symantec Endpoint Protection:
It looks like someone activated "Prevent registration of new Browser Helper Objects" under the Application and Device Control policy.
In order to resolve the issue, I created the following Registry Access Attempts condition to allow the installation to complete:
Sunday, December 18, 2016
Tuesday, November 1, 2016
SCCM Client Installation Failures
The following list covers some failures in SCCM client installations and their resolutions:
Problem:
One or more certificates are missing on the local machine (there should be 2 certificates).
CertificateMaintenance.log shows the following entries:
Crypt acquire context failed with 0x8009000f
Cause:
Wrong permissions on the machine key whose name starts with 19c5.., located under the following path:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
Sunday, September 18, 2016
Use SCCM Compliance Settings To Find Service Running As Administrator Account
Sometimes you have to change the password of an important user (like the administrator account).
Changing the password for this kind of user is a project of its own and should be done with extra care.
With the Compliance Settings feature in SCCM, it's easy to find where this user runs a service.
In this example I'm going to use a PowerShell script to detect the presence of the administrator account under the services, so first, I'm going to change the execution policy to Bypass in the client settings for the computers this script is going to run on:
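A discovery script of the kind this post describes could look like the following. It is an added example, not the author's script; the account name in $TargetAccount and the 'Compliant' / 'NonCompliant' return strings are assumptions chosen for illustration.

```powershell
# Added example: discovery script for a Configuration Item (script setting, String data type).
# Assumption: 'administrator' is a placeholder for the account whose password will change.
$TargetAccount = 'administrator'

# A service's StartName can appear as name, DOMAIN\name, .\name or name@domain,
# so match all four forms (-match is case-insensitive).
$pattern = '^(?:.+\\)?' + [regex]::Escape($TargetAccount) + '(?:@.+)?$'

# Requires PowerShell 3.0 or later for Get-CimInstance.
$hits = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -match $pattern } |
    Sort-Object Name

if ($hits) {
    # Return the offending services so the compliance report shows where the account is used.
    $list = $hits | ForEach-Object { '{0} ({1})' -f $_.Name, $_.StartName }
    'NonCompliant: ' + ($list -join '; ')
} else {
    'Compliant'
}
```

With a compliance rule that requires the returned value to equal Compliant, every computer running a service under the account is reported as non-compliant, with the service names in the returned value.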
Wednesday, November 4, 2015
Monitor Active Directory Security Group membership changes
In many environments, permission to add members to strong security groups (let's say the Domain Admins group) is granted to many users.
Sometimes those permissions get out of hand, so auditing those group memberships becomes vital.
In this post I would like to demonstrate how to audit security groups with built-in tools.
First step
Enable Audit account management for success in the Default Domain Controllers Policy (enabled by default):
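Once success auditing for account management is on, each domain controller records group membership changes in its Security log. The following added example (not part of the original post) reads those events for one group; the group name comes from the post, while the 7-day window and the use of Get-WinEvent are assumptions.

```powershell
# Added example: list membership changes for one security group from the Security log.
# Run on a domain controller with rights to read the Security log; each DC only
# holds the events for changes it processed itself.
$GroupName = 'Domain Admins'          # group named in the post
$Since     = (Get-Date).AddDays(-7)   # assumed look-back window

# Security-enabled group events: 4728/4729 global, 4732/4733 local, 4756/4757 universal.
$EventIds = @{
    4728 = 'added'; 4729 = 'removed'
    4732 = 'added'; 4733 = 'removed'
    4756 = 'added'; 4757 = 'removed'
}

$filter = @{ LogName = 'Security'; Id = [int[]]$EventIds.Keys; StartTime = $Since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['TargetUserName'] -eq $GroupName) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Action    = $EventIds[[int]$_.Id]
                Group     = $data['TargetUserName']
                Member    = $data['MemberName']
                ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                DC        = $_.MachineName
            }
        }
    } |
    Sort-Object Time
```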
Thursday, October 15, 2015
Query Daylight Saving Time information with SCCM
Many system administrators regularly get asked about the Daylight Saving Time (DST) information of computers in their network.
With SCCM you can easily get that information with a simple query and add it to a collection.
First, to get time zone information we need to add the Time Zone class to hardware inventory in the relevant client settings:
Thursday, August 13, 2015
Automatic Client Upgrade for SCCM cumulative update
Since Microsoft started to release cumulative updates for SCCM, we have had to deploy a package to clients in order to keep them up to date. Automatic client upgrade was reserved exclusively for major updates (like service packs).
Microsoft recognized the need to automatically upgrade the clients after installing a cumulative update on the site server as well.
The latest cumulative update (Cumulative Update 1 for System Center 2012 R2 Configuration Manager Service Pack 1 and System Center 2012 Configuration Manager Service Pack 2), which was released earlier this month, adds the ability to automatically update the clients.
When choosing to automatically update the clients, the following will happen:
- Client package will be updated.
- The update will be sent to existing clients (based on Automatic Client Upgrade settings).
- New client installations (via push\manual\OSD etc.) will include the update automatically.
The option to create packages is still available but will be less usable.
Tuesday, July 21, 2015
Manually deploy Software Updates to servers using SCCM
When an ADR runs and finds new updates, it adds the updates to an existing Software Update Group or creates a new Software Update Group (depending on your ADR settings):
Tuesday, March 24, 2015
Add custom column to SCCM console using SCCM Console Builder
Editing SCCM console views is quite limited; there is no way to add a column to a collection that doesn't exist in the list of available classes:
In order to add a custom column (in this example, an IP Address column) we need to create a new custom node using the Console Builder tool.
Saturday, December 6, 2014
Remove ActiveSyncDevice Fails after restore user in Active Directory
The other day I had an issue at a customer site that complained about two ActiveSync issues:
- User cannot sync with new device.
- Administrator cannot remove Active Sync device from user.
The first issue was fixed by adding inheritance permissions for the object in Active Directory Users and Computers and in ADSI Edit. For some reason the backup software didn't set this automatically.
Wednesday, September 24, 2014
Install SCCM 2012 R2 Cumulative Update 3
An SCCM Cumulative Update (CU) is considered a non-major update to the system. Because of that, updating the primary site server will not automatically update the clients.
In addition, there are post-installation tasks to complete.
In this post I will cover how to update the SCCM server and clients with the CU, and other post-installation tasks.
Wednesday, July 23, 2014
Configure Internet Explorer 10 or 11 settings with GPO
Lately I get a lot of questions about the ability (or inability) to edit Internet Explorer 10 or 11 settings with a domain GPO.
Microsoft decided to deprecate the old Internet Explorer Maintenance (IEM) in favor of more robust tools like Group Policy Preferences (GPP), Administrative Templates (.admx), and the Internet Explorer Administration Kit 11 (IEAK 11).
Because of this change, any settings that you previously configured with IEM will no longer work on computers where Internet Explorer 10 or newer is installed, regardless of the Windows version it’s been installed on. You must update your settings using Group Policy Preferences, Administrative Templates (.admx), or the Internet Explorer Administration Kit (IEAK).
Wednesday, May 7, 2014
Exclude updates from Automatic Deployment Rule (ADR) in SCCM 2012
Sometimes it is necessary to exclude some updates from being automatically distributed to clients.
When using an Automatic Deployment Rule (ADR) in SCCM 2012, all updates that meet the configured criteria will be added to the associated software update group and will eventually be distributed to clients.
Exclude updates from ADR
Find the desired ADR: under the Software Library node, go to Software Updates -> Automatic Update Rules.
In the ADR properties, go to the Software Updates tab and add a Title with - (minus) and the name of the update you would like to exclude.
Sunday, May 4, 2014
Failed to execute SQL cmd exec [sp_CP_CheckNewAssignedMachine] - SCCM 2012 client push fail to start
Recently I faced an issue with an SCCM 2012 R2 server and client push installation. (From my research it can be relevant to SCCM 2012 SP1 too.)
Environment:
- SCCM 2012 R2
- SQL installed separately on cluster environment
Issue:
When configuring client push installation to servers and workstations as in the picture below, an error started appearing in CCM.Log and the client failed to start installation on server-type objects.
Exclude Computers From Automatically Push SCCM Client
In many situations I needed to exclude specific computers (mostly servers) from getting the SCCM client installed after configuring the site-wide automatic client push installation method.
There is an option to edit the registry and add an ExcludeServers list with the names of all computers on which the SCCM client shouldn't be installed.
Basically, adding the ExcludeServers list with computer names sets the install flag for that resource, which prevents the client from being installed automatically.
Sunday, April 13, 2014
SCCM 2012 client push configure installation and troubleshooting
SCCM client push requirement
Disable firewall or open the necessary ports:
Port | Protocol | Remark
80 | TCP |
443 | TCP | native mode management point
445 | TCP |
135 | TCP, UDP |
In addition, the following needs to be open as well:
- ICMP (ping) from server to client.
- BITS service needs to be enabled.
- Add the following as exceptions to the Windows Firewall:
  Outbound and inbound: File and Printer Sharing
  Inbound: Windows Management Instrumentation (WMI)
For the complete list of ports used by the client:
Monday, March 3, 2014
Create Custom XML For OSD In SCCM
Lately I needed to deploy a custom Windows 7 image with SCCM 2012 (2007 should be the same).
In my search over the internet I didn't find any full guide that goes through all the required steps, so I decided to document it.
The requirements were:
- Upgrade Windows XP with new Windows 7 image.
- Backup domain profiles only (except My Documents).
- Do not backup files on drive D.
- Backup printers.
- Format hard drive
- Configure additional language.
- Move computer to different OU.