Channel: Configuration Manager 2012 - Security, Updates and Compliance forum

Three updates from the same Software Update Group showing as unknown, while all the others are showing as expected.


Hi

I have an issue from September's security updates where three updates from the same software update group are showing as unknown status rather than required / not required / installed etc.

There are multiple other updates in the same update group and they are all displaying correctly with the figures I would roughly expect.

I would have expected if something was wrong with the clients not returning software update scans that all the updates in this software update group (all deployed automatically as part of the same ADR) would show the same status of unknown, rather than just three of them.

The updates in question are: KB2894842, KB2972215 & KB2977629 (first two .NET 4.0 and last one IE11).

Now these updates would largely be not required in our organisation as for the most part we use different versions so I would expect them to show as not required.

Short of kicking off a mass software update scan cycle I don't know a) why this has happened b) if a scan cycle will fix it. Our clients scan every week and it's been several weeks since the updates were deployed, that and the other updates have all reported back in.

Anyone have any ideas? It's making the compliance results look quite poor :(

Thanks

Jonathan




SCCM 2012 SP1 - Secondary SUP Sync Source Server Changed without intervention


Hi,

Recently I noticed that some of our secondary SUPs have stopped syncing. Looking at the logs, I found that they cannot find the SUP parent. Name resolution was OK, no firewall blocking traffic flow, SUP at Primary Site working normally, all replica SUP services online.

Then I went to the Sync Settings at Site Components of the SUP replica and the value of the option "Synchronize from an upstream data source location (URL)" had been changed!

The URL of the upstream server has the correct server name, but the 8530 port is missing! The interesting fact is that I have other SUP replicas working normally with the correct upstream server name and port.

So, my question is: since I installed all the replica SUPs with the same upstream SUP settings and they had been working normally until last week, how are the settings now wrong? The property is greyed out and I cannot change it back to the correct parameter.

Is there any way to correct it without having to reinstall all the replica SUPs?

Thanks!! 

SCCM 2012 GPO Settings

I have implemented the following

Windows Components -> Windows Update -> Configure Automatic Updates  =  Set to Disabled

System -> Internet Communication Management -> Internet Communication Settings -> Turn Off Access to All Windows Update Features = Set to Enabled

1) Would this prevent systems, specifically servers, from rebooting as well?

2) Are there any other GPOs which should be implemented, or should these suffice?


I just came across an article on the net which says setting the policies as I mentioned above also disables the client push to new systems?

Please let me know if this is really true.

Also if there are any other disadvantages.

PowerShell Configuration Item: always report compliant even if recovery is not successful


Hello,

I developed an SCCM 2012 configuration item based on two PowerShell scripts... Below is the generic structure:

  1. The discovery part works fine. Based on several tests, the right result is always sent back to SCCM
  2. In my specific case, it is expected that the remediation script is not always successful (for instance, I could attempt to free up some disk space and it might not be possible to go back above the specified threshold to be compliant)... In such a case, my problem is that the remediation script reports a status "OK" while I am expecting to get "not ok (even after remediation trial)"

Does anybody see something wrong in my script structure? Or do I misunderstand how to properly handle return code for configuration item scripts?

Regards.

Discovery.ps1

if ("test if compliant") {
    "ok"
} else {
    "not ok"
}

Remediation.ps1

### Execute commands here to remediate the configuration ###

### Test again to see if the client is now compliant
if ("test if compliant") {
    "ok"
} else {
    "not ok (even after remediation)"
}

Clear up Malware Detected


Yesterday we had an outbreak of viruses on 33 machines.  We were able to clean up the viruses and delete all files and processes being used.  Updated the definitions... etc.

My question here is why is my SCCM still saying they are infected?  And what steps do I have to take to show remediation has occurred?

Configuration Item for WOL: MSPower_DeviceWakeEnable





I have followed the referenced article at the bottom of this posting twice over to try and enable WOL settings on a clean test machine.  The Inventory Item piece works, I can see the MSPOWER_DeviceWakeEnable and the other WOL setting in the PC's inventory, and I see the Instances (PCI only) in the Hardware list for the test machine.  The compliance setting however does not work.  I have tracked it down to the DCMWMIProvider.log:

<![LOG[WQLRealizer::QueryValues- failed at Namespace.Query with Error=0x80041017]LOG]!><time="23:45:05.812+240" date="08-12-2013" component="DcmWQLQueryProvider" context="" type="3" thread="8532" file="wqlqueryutils.cpp:149">
<![LOG[Failed in discovering instance.
Invalid query (Error: 80041017; Source: WMI)]LOG]!><time="23:45:05.821+240" date="08-12-2013" component="DcmWQLQueryProvider" context="" type="3" thread="8532" file="cibase.cpp:473">
<![LOG[Failed to do HandleExecQueryAsync().
Invalid query (Error: 80041017; Source: WMI)]LOG]!><time="23:45:05.828+240" date="08-12-2013" component="DcmWQLQueryProvider" context="" type="3" thread="8532" file="cibase.cpp:249">
<![LOG[Failed to process CWqlQueryProvider::ExecQueryAsync.
Invalid query (Error: 80041017; Source: WMI)]LOG]!><time="23:45:05.837+240" date="08-12-2013" component="DcmWQLQueryProvider" context="" type="3" thread="8532" file="wqlqueryprovider.cpp:210">
<![LOG[WQLRealizer::QueryValues- failed at Namespace.Query with Error=0x80041017]LOG]!><time="23:45:05.840+240" date="08-12-2013" component="DcmWQLQueryProvider" context="" type="3" thread="8804" file="wqlqueryutils.cpp:149">
<![LOG[Failed in discovering instance.
Invalid query (Error: 80041017; Source: WMI)]LOG]!><time="23:45:05.853+240" date="08-12-2013" component="DcmWQLQueryProvider" context="" type="3" thread="8804" file="cibase.cpp:473">
<![LOG[Failed to do HandleExecQueryAsync().
Invalid query (Error: 80041017; Source: WMI)]LOG]!><time="23:45:05.861+240" date="08-12-2013" component="DcmWQLQueryProvider" context="" type="3" thread="8804" file="cibase.cpp:249">
<![LOG[Failed to process CWqlQueryProvider::ExecQueryAsync.
Invalid query (Error: 80041017; Source: WMI)]LOG]!><time="23:45:05.869+240" date="08-12-2013" component="DcmWQLQueryProvider" context="" type="3" thread="8804" file="wqlqueryprovider.cpp:210">

Troubleshooting:

1. The SMS Agent service runs as system.  I have verified that as both a local admin and as system, I can query these WMI namespaces using WBEMTEST and WMI Explorer.  At first I could not, but I enabled the necessary BIOS settings, and then the classes were created by the OS and could be queried by inventory.

2. Being that the inventory works using the same exact settings in this article (even the LIKE 'PCI%' statement), I do not see how the query is invalid.  I have tried removing this, but it still fails.

3. Completely removed and re-added my baseline and config item, re-deployed, same error.

4. All of the related logs show successes until this evaluation occurs.  All research suggests something is wrong with the query.  But it works in the inventory items!

Can anyone confirm if they have successfully implemented these configuration items?  Any help is greatly appreciated!

Referenced article: http://myitforum.com/myitforumwp/2012/07/28/how-to-enable-wake-on-lan-on-network-interface-cards-using-sccm-2012-compliance-by-ben-fisher/#!prettyPhoto
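
The DCMWMIProvider.log excerpt in the post above uses the CMTrace entry layout, with several entries run together and messages spanning line breaks. As an added example (not part of the original post), the Python code below splits such text into entries and groups the error entries per thread, so the first failing source file and the WMI error code of each chain stand out. The sample text is abridged from the post's excerpt; the function names and the small code table are assumptions of this example.

```python
import re

# One CMTrace-style entry: <![LOG[message]LOG]!><key="value" ...>
ENTRY_RE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# Matches both "Error=0x80041017" and "Error: 80041017"
CODE_RE = re.compile(r'Error[=:]\s*(?:0x)?([0-9A-Fa-f]{8})')

SEVERITY = {"1": "info", "2": "warning", "3": "error"}  # CMTrace "type" attribute
WBEM_CODES = {  # a few WMI HRESULTs relevant to query failures
    0x80041003: "WBEM_E_ACCESS_DENIED",
    0x8004100E: "WBEM_E_INVALID_NAMESPACE",
    0x80041010: "WBEM_E_INVALID_CLASS",
    0x80041017: "WBEM_E_INVALID_QUERY",
}

# Abridged from the excerpt in the post: three entries on thread 8532, one on 8804.
SAMPLE = '''<![LOG[WQLRealizer::QueryValues- failed at Namespace.Query with Error=0x80041017]LOG]!><time="23:45:05.812+240" date="08-12-2013" component="DcmWQLQueryProvider" context="" type="3" thread="8532" file="wqlqueryutils.cpp:149"><![LOG[Failed in discovering instance.
Invalid query (Error: 80041017; Source: WMI)]LOG]!><time="23:45:05.821+240" date="08-12-2013" component="DcmWQLQueryProvider" context="" type="3" thread="8532" file="cibase.cpp:473"><![LOG[Failed to do HandleExecQueryAsync().
Invalid query (Error: 80041017; Source: WMI)]LOG]!><time="23:45:05.828+240" date="08-12-2013" component="DcmWQLQueryProvider" context="" type="3" thread="8532" file="cibase.cpp:249"><![LOG[WQLRealizer::QueryValues- failed at Namespace.Query with Error=0x80041017]LOG]!><time="23:45:05.840+240" date="08-12-2013" component="DcmWQLQueryProvider" context="" type="3" thread="8804" file="wqlqueryutils.cpp:149">'''


def parse_entries(text):
    """Split run-together log text into one dict per entry."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        msg = " ".join(m.group("msg").split())  # fold multi-line messages
        code = CODE_RE.search(msg)
        entries.append({
            "message": msg,
            "time": attrs.get("time"),
            "date": attrs.get("date"),
            "component": attrs.get("component"),
            "severity": SEVERITY.get(attrs.get("type"), "unknown"),
            "thread": attrs.get("thread"),
            "file": attrs.get("file"),
            "code": int(code.group(1), 16) if code else None,
        })
    return entries


def failure_chains(entries):
    """Group error entries by thread, keeping log order within each thread."""
    chains = {}
    for e in entries:
        if e["severity"] == "error":
            chains.setdefault(e["thread"], []).append(e)
    return chains


def root_causes(chains):
    """First error per thread: the innermost failure the later entries report upward."""
    return {
        thread: (chain[0]["file"], WBEM_CODES.get(chain[0]["code"], "unknown"))
        for thread, chain in chains.items()
    }


if __name__ == "__main__":
    for thread, cause in root_causes(failure_chains(parse_entries(SAMPLE))).items():
        print(thread, cause)
```
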









sccm Malware Detected Old List


There are cleaned computers still on the list of "Malware Detected" computers after 3 weeks.

How can I remove old information?

Thank you,

Software Update Status?

I created a new software update package for Windows 2008 servers.  I deployed this to a collection that had 1 Microsoft 2008 server.  

While the deployment was running I was in Monitoring\Deployments.   The status went from Unknown > In Progress > Pending Reboot.

I then rebooted the server.  The status actually stayed under "In Progress" and it went back to "Downloaded Update(s)".

What would cause that?

mqh7


"Error: 0x800705B4. This operation returned because the timeout period expired"


Hello,

I deployed security updates Mid October 201; however, some clients failed to install with the error "0x800705B4 this operation returned because the timeout period expired when installing updates".

Although I saw an article, this did not address the issue. It was advised that I temporarily disable any third-party antivirus software and firewall. Unfortunately, we use SEP antivirus and any attempt to disable it would yank the clients off the network. Windows Firewall is also disabled on these clients.

Can anyone help urgently?

Updates not making deadline: Maintenance Window Issue


We are trying to get to the bottom of how updates are deployed based on 1) Deadline 2) Maintenance Windows.

Our maintenance window is 1am to 5am every night/morning. This should be ample time to apply updates.

Our deadline for these updates was last Friday 19/09/2014 2am.

According to 'UpdatesDeployment.log' as of today 23/09/2014: 'No Service window available to run updates assignment.'

'ServiceWindowManager.log' has recent output exclaiming 'No Service Window of this type exit', and then the very next line says 'There exists an All Programs window for this duration. The program will run eventually'.

This happens every night and the updates don't run.

Questions: How can we be sure PCs will be awake during this service window WITHOUT using wake on LAN? (Can the SCCM client schedule a wake-up for the maintenance window?)

How can we figure out why these updates aren't happening?

Does SCEP (2012 R2) scan mail archives like .pst?


Hi,

Does SCEP (2012 R2) scan mail archives like .pst?


/SaiTech

Edit Membership dialog won't close after removing large number of expired updates


Hi,

I was following the directions from this link and on the first step

http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/software-update-content-cleanup-in-system-center-2012-configuration-manager.aspx

to remove expired updates and after unchecking all the updates I wanted to remove I clicked the OK button.  That was about 20 hours ago and the dialog box is still open with an hourglass.  I was attempting to remove close to two years' worth of old/expired updates so maybe this should take a long time?

If I look in Task Manager on the server I can see that the smsexec.exe and Microsoft.ConfigurationManagment.exe*32 processes appear to be cranking away and have been since I clicked the OK button.  If I look at the SQL Server that is hosting the SCCM database the SQLServer.exe process is also busy cranking away.  I'm a little hesitant to click the Cancel or X button on the Edit Membership dialog as I'm not sure what that would do at this point.

Is there a log or something I can check to see if the process of updating the update group memberships is done?

Thanks in advance,

Nick

Compliance Settings & Powershell Commands


I have started using Configuration Baselines and I followed a blog on how to add inbound firewall rules via a Configuration Item using PowerShell.  The PowerShell script is using the commands 'Get-NetFirewallRule' & 'New-NetFirewallRule', which work fine for my Windows 8 clients; however, those commands are not available for the version of PowerShell in the Win 7 clients.  The post was not OS specific and such it answer how you would use this for win 7 devices? Maybe I'm missing something and those commands would work on a Win 7 device...?

I'm hopefully making a good assumption that all Win 7 devices would have to have 'Import-Module NetSecurity' run in PowerShell before we are able to deploy that Configuration Baseline calling those commands?  Am I off here?  Is there a better way to go about this?  Or would I have to make two Configuration Items by OS... (Win 7 and Win 8)?



Deploying Update for Windows 7 for x64-based Systems (KB2830477) via Configuration Manager 2012


We are about to roll out the update package for KB2830477 RDP 8.1 Compatibility updates, I have developed a solution to handle the issues encountered when deploying it but I wanted to ask the community if they had any different approaches and issues.

Each of the following had to be installed in the order shown and all applied otherwise it left us without total functionality on our RDS connections. There are 2 reboots to be catered for also, Software updates wasn't an option due to the nature of maybe installing the update at some point just wasn't good enough, it all had to occur at the same time.

  1. KB 2574819: An update is available that adds support for DTLS in Windows 7 SP1 and Windows Server 2008 R2 SP1  
  2. KB 2857650: Update that improves the RemoteApp and Desktop Connections features is available for Windows 7
  3. KB 2830477: Update for RemoteApp and Desktop Connections feature is available for Windows
  4. KB 2913751: Smart card redirection in remote sessions fails in a Windows 7 SP1-based RDP 8.1 client
  5. (Optional) If you experience connection reliability issues after installing KB 2913751, we recommend installing KB 2923545: Update for RDP 8.1 is available for Windows 7 SP1.


So any ideas?
