Sunday, November 5, 2017

Verify Computer Name against Active Directory in SCCM task sequence

Recently, I have been asked by one of my customers, for computer name checks against Active Directory before setting it in SCCM task sequence for new computer deployment.
Searching the web didn't came up with any results, and since the request sounded really reasonable to me, I decided to take the challenge.

My solution had to be secure. meaning, password cannot be written in clear text or any other non-secure method in any way.

After a lot of research I came up with the following steps to complete this request:

  1.  Enable PowerShell in boot images.
  2. Create a package that copy's Active Directory module files to the boot image, and run it in task sequence.
  3. Create a PowerShell script that do the following:
    • Interact with task sequence.
    • load PowerShell form for prompting computer name selection.
    • Import Active Directory module, securely connect to Active Directory and check the name against Active Directory.
    • Set computer name as OSDComputername TS variable (assuming that the name not exists).

Sunday, December 18, 2016

Symantec Endpoint Protection Block SCCM Office Updates

Recently I've got an issue with SCCM agent couldn't install any office update.
While investigating the issue, I saw other updates installed without any problem.
Looking at the event viewer reveal error 11406 - installation couldn't wright to Browser Helper Objects registry key:


After hours of searching, I saw the following policy in Symantec Endpoint Protection:


It looks like someone activate Prevent registration of new Browser Helper Objects under application and device control policy.
In order to resolve the issue, I created the following Registry Access Attempts condition to allow the installation to complete:


Tuesday, November 1, 2016

SCCM Client Installation Failures

The following list is some failures in SCCM client installations and the resolution:

Problem:
One or more certificate is missing on local machine (should be 2 certificates).



CertificateMaintenance.log shows the following entries:
Crypt acquire context failed with 0x8009000f

Cause:
Wrong permissions for machine key starts with 19c5.. located under the following path:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Sunday, September 18, 2016

Use SCCM Compliance Settings To Find Service Running As Administrator Account

Sometimes you have to change password for important user (like administrator account).
Changing password for this kind of user is a project in its own and should be done with extra careful.
With Compliance Settings feature in SCCM, its easy to find where this user runs a service.

In this example I'm going to use PowerShell script to detect the present of administrator account under the services, so first, I'm going to change the execution policy to Bypass in client settings for the computers this script is going to run:

 

Wednesday, November 4, 2015

Monitor Active Directory Security Group membership changes

In many environments permission to add members to strong security groups (lets say Domain Admins group) is granted to many users.
Sometime those permissions are getting out of hand, so audit those group membership become vital.
In this post I would like to demonstrate how to audit security groups with build-in tools.

First step
Enable Audit account management to success in default domain controller policy (enabled by default):

Thursday, October 15, 2015

Query Daylight Saving Time information with SCCM

Many system administrators regularly get asked about computers Daylight Saving Time (DST) information in there network.
With SCCM you can easily get that information with simple query and add it to collection.

First, to get time zone information we need to add Time Zone class to hardware inventory in the relevant client settings:
 

Thursday, August 13, 2015

Automatic Client Upgrade for SCCM cumulative update

Since Microsoft started to release cumulative updates for SCCM, we had to deploy package to Client in order to keep the clients up to date. automatic client upgrade was exclusively saved for major updates (like service packs).
Microsoft recognize the need to automatic upgrade the Clients after installing cumulative update to the site server as well.

The last cumulative update (Cumulative Update 1 for System Center 2012 R2 Configuration Manager Service Pack 1 and System Center 2012 Configuration Manager Service Pack 2) that was released earlier this month, add the ability to automatically updating the clients.

When choosing to automatically update the clients, the following will happen:
  • Client package will be update.
  • The update will be sent to existing clients (based on Automatic Client Upgrade settings).
  • New client installations (via push\manual\OSD etc.) will include the update automatically.


The option to create packages is still available but will be less usable. 

Tuesday, July 21, 2015

Manually deploy Software Updates to servers using SCCM


As we all know, ADR (Automatic Deployment Rule) can be configured to automatically deploy software updates to collection.
When ADR runs and finds new updates, it adds the updates to existing Software Update Group or create new Software Update Group (depend on you ADR settings):

Tuesday, March 24, 2015

Add custom column to SCCM console using SCCM Console Builder

Editing SCCM console views are quit limited, there is no way to add column to collection that doesn't exist in the list available classes:




In order to add custom column (in this example, an IP Address column) we need to create a new custom node using Console Builder tool.

Saturday, December 6, 2014

Remove ActiveSyncDevice Fails after restore user in Active Directory

The other day i had an issue at customer site that complain about two ActiveSync issues:
  1. User cannot sync with new device.
  2. Administrator cannot remove Active Sync device from user.
Both issues came from the same user, that was restored from backup couple of days before.
First issue was fixed by adding inheritance permissions for the object in Active Directory Users and Computers and in ADSI Edit. from some reason the backup software didn't set this automatically.

Wednesday, September 24, 2014

Install SCCM 2012 R2 Cumulative Update 3

SCCM Cumulative Update (CU) consider to be a non major update to the system. due to that fact, updating the primary site server will not automatically updates the clients.
In addition, there are post tasks to complete.
In this post i will cover how to update SCCM server and clients with CU and other post installations.

Wednesday, July 23, 2014

Configure Internet Explorer 10 or 11 settings with GPO

Lately i get a lot of questions about the ability (or inability) of editing internet explorer 10 or 11 settings with domain GPO.

Microsoft decided to deprecated old Internet Explorer Maintenance (IEM) in favor of more robust tools like Group Policy Preferences (GPP), Administrative Templates (.admx), and the Internet Explorer Administration Kit 11 (IEAK 11).
Because of this change, any settings that you previously configured with IEM will no longer work on computers where Internet Explorer 10 or newer is installed, regardless of the Windows version it’s been installed on. You must update your settings using Group Policy Preferences, Administrative Templates (.admx), or the Internet Explorer Administration Kit (IEAK).

Wednesday, May 7, 2014

Exclude updates from Automatic Deployment Rule (ADR) in SCCM 2012

Sometimes it is necessary to exclude some updates from automatically distribute to clients.
When using Automatic Deployment Rule (ADR) in sccm 2012, all updates that meet the criteria that was configured will added to the associated software updates group, and will be eventually distribute to clients.

Exclude updates from ADR
Find the desire ADR, under Software Library node go to Software Updates -> Automatic Update Rules.
In the ADR properties, go to Software Updates tab and add a Title with - (minus) and the name of the update you would like to exclude.

Sunday, May 4, 2014

Failed to execute SQL cmd exec [sp_CP_CheckNewAssignedMachine] - SCCM 2012 client push fail to start

Recently i faced an issue with SCCM 2012 R2 server and client push installation. (From my research it can be relevant to SCCM 2012 SP1 too).
Environment:
  • SCCM 2012 R2
  • SQL installed separately on cluster environment
Issue:
When configuring client push installation to servers and workstations as in the picture below, an error in CCM.Log stared and client fail to start installation on server type objects.

Exclude Computers From Automatically Push SCCM Client

In many situation i was needed to exclude specific computers (mostly servers), from getting SCCM client to be installed after configuring site-wide automatic client push installation method.

There is an option for editing the registry and add ExcludeServers list with all computers names that SCCM client shouldn't be install.

Basically, adding the ExcludeServers list with computer names will sets the install flag for that resource which prevent from the client to be installed automatically.

Sunday, April 13, 2014

SCCM 2012 client push configure installation and troubleshooting


SCCM client push requirement
Disable firewall or open the necessary ports:

Port


Remark
80
TCP


443
TCP

native mode management point
445
TCP


135
TCP
UDP


In addition, the following needs to be open as well:
o   ICMP (ping) from server to client.
o   BITS service needs to enable.
o   Add the following as exceptions to the Windows Firewall:
Outbound and inbound: File and Printer Sharing
Inbound: Windows Management Instrumentation (WMI)
For complete list of ports used by the client:

Monday, March 3, 2014

Create Custom XML For OSD In SCCM

Lately I was needed to deploy custom Windows 7 image with SCCM 2012 (2007 should be the same).
In my search over the internet I didn't found any full guide that goes through all the required steps, so I decided to document it.
The requirements was:
·         Upgrade Windows XP with new Windows 7 image.
·         Backup domain profiles only (except My Documents).
·         Do not backup files on drive D.
·         Backup printers.
·         Format hard drive
·         Configure additional language.
·         Move computer to different OU.