we are running SCCM2012 now,
McAffee EP had an option to scan url's called "ScriptScan", does SCEP have an option like this?
Thanks
Pat
↧
Scriptscan in SCEP
↧
RBA for AMT and out of band management
On all the writeups for configuring intel SCS with SCCM ( i.e
here or
here) there is no mention of scoping roles for out of band management. Under sites in the "Out of Band Management Component properties", there is a section for AMT user accounts. Is there a way to scope down what computers, a
user can have amt access to?
↧
↧
Some security fixes don't install via SCCM
Hi,
This month, we are having some issues with our monthly fixes deployment in our Lab environment.
For our monthly updates, we always create a new updategroup of all available security and critical fixes per OS (every month). This month we had a problem that on some servers the available updates were not showing in software center. After running the updates deployment cycle, the following message appears for the assigned updategroup: Assignment({B27D0A77-4F09-4019-8B8B-5B49C9B7098F}) already in progress state (AssignmentStateDetecting). No need to evaluate UpdatesDeploymentAgent 16/06/2015 14:19:00 2716 (0x0A9C). It doesn't ever finish, so updates are not displayed. By creating different updategroups (removing some updates) and deploying them, I found that for 1 servers kb2894854 and KB2898869 were the problem. Once this patches were removed from the list, the deployment worked and I could install the remaining updates. Afterwards, I deployed those fixes seperately but again I got the same message in the updatesdeployment.log (already in progress).
So I manually installed those fixes and all seems fine. I'm afraid that the same will occur next month, as the patches will be in the updategroup again. Even now if I deploy the complete updatelist, it still says in progress, even after all the patches are installed and the machine is compliant with that list.
On a second machine, KB3033929 is the culprit. Other servers are there...
Is this a know issue and/or how can we troubleshoot this? I don't find any errors in the logfiles (updatesdeployement, scanagent, windowsupdate,updatstore). I've searched on this issue for days now, but didn't find a solution.
Maybe it is also not a good idea to deploy all available patches but only deploy what has been released the last (2,3...) month(s) and only use those complete patchlist for compliancy tests?
↧
One ADR to Multiple Collections at different times?
Hi,
We like to stagger our patches a bit in case we find something that goes wrong. I have created an Automatic Deployment Rule that goes and gets the various patches. In the past we'd setup multiple ADRs that would all run at the same time but would
wait 0, 7, or 14 days to become available & deadline and each would be assigned to a certain collection.
I'm wondering if it'd be easier to just use 1 ADR that would deploy to all 3 of our groups and then just use Maintenance Windows to control when each group would install their updates. Any reasons why one would be better or worse than the other?
Thanks.
↧
updates are downloading to cache but not showing in Software Center. They are also picked up by Windows Update....
SCCM 2012 R2
Server 2012 R2
Like the title says, with some recent 2012 R2 server deployments, they are not pulling in all the software updates into Software Center. A couple of security updates show up but there should be like 30.
When I run Windows Update and check the internet, it shows 40+ updates needed. Most of which I have deployed to this server. When you look at the cache you can see a bunch of updates downloaded to cache (most match up with what windows update sees as needed) but they do not show up in Software Center!?
I've ran and re-ran appropriate actions, restarted the server and client, reinstalled client, killed the cache and forced re-download of updates. Nothing makes a difference. Funny thing is, I have 2 different servers with this issue and they both pull in the same two updates below. I tried installing them then seeing if the rest of the updates show up - no luck.
↧
↧
Security Scopes and Roles
I have a group in my desktop support team that has access to SCCM 2012 R2. They can see a lot but cannot change it.
What I'm looking to do is allow them to view Deployments on the Monitoring tab. They can see Monitoring, they can see deployments, when they click on the the deployments it says there are no results.
Nothing seems very obvious to me that they are missing any rights or permissions.
Thanks!
↧
Can't find KB3035583 under All Security Updates
Hi,
I was tasked by our upper management to check if KB3035583 is available through SCCM. As per checking, I was not able to see any KB3035583 under All Security Updates. Has anyone experienced the same issue that I am having? Is there any significant reason why I can't find KB3035583 in SCCM?
Thanks!
↧
SCCM 2012 R2 CU3 - Clients doesn´t need anymore Windows Update
Hi @ all,
in May 2015 all clients asked for updates and received them so we gave them free.
In CM12 i can see under \Software Library\Overview\Software Updates\All Software Updates that looks good.
On month later, also June 2015, i would like to give free needed/released updates to all my clients but there is NOTHING REQUIRED.
As example, i download MS15-063 from 09 June 15 (KB3063858) and i have ca. 20000 machines and following is shown under detail:
So i checked some clients whats going wrong into there logs but i see nothing, so i check now i SUP Server and Primary Site Server and also looks like fine.
But that is not the truth, can anyone give me a hint how i can find more information or find the errors.
I cleanup 3 machines with agent and make a clean install but that´s doesn´t help too.
Strange is that should nothing to be changed from one month to the other.
with best regards
André
↧
"Installed Updates" from "Programs and Features" SCCM 2012 Report
Hi All
I am trying to configure a query in SCCM 2012 to list all Programs and all Installed Updates of a PC but I am not getting a luck. I tried to google but could'nt find much help.
I have current query to list all Softwares from Add Remove Programs and it is working fine. I am looking to extend it further to include all "Installed Updates" from "Programs and Features" but not getting much luck. I tried to use V_GS_ADD_REMOVE_PROGRAMS View but it is not picking all applications and Updates. I am getting better results with V_GS_INSTALLED_SOFTWARE but it is not picking any "Installed updates" of machines.
Please Assist????
My SQL Queries as follows:
Software Report of All Physical Machines.
Select DISTINCT SYS.Netbios_Name0, SP.ARPDisplayName0 as "Display Name", SP.ProductVersion0, SP.Publisher0 as "Application Manufacturer", SP.InstallDate0FROM v_GS_INSTALLED_SOFTWARE SP
JOIN v_R_System SYS ON SP.ResourceID=SYS.ResourceID
JOIN v_FullCollectionMembership fcm on sys.ResourceID=fcm.ResourceID
WHERE fcm.CollectionID = 'COLL00123'
ORDER By SYS.Netbios_Name0,SP.ARPDisplayName0, SP.ProductVersion0, SP.Publisher0, SP.InstallDate0
Thanks & Regards
Veday
Server Engineer
↧
↧
Changing the PW on users computers
I've been asked to find a solution to change the local admin passwords on users desktops
We thought of doing a GPO, but we have found out that its not very secure as you can still find out what the password is by running a gpresults report
Is there a secure way to do this via SCCM ?
Cheers,
Andrew
MCSE, MCSA, VCP, CCNA, SNIA
Microsoft Infrastructure Consultant
Blog:Network AngelLinkedIn:Note: Please remember to mark as "propose as answer" to help other members. Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
↧
Some updates are not being displayed to implement SUP
Some updates are not being displayed to implement, with no errors in the logs:
wsyncmgr
Everything is configured correctly, follows some pictures
configuration.
check online update.
check in SCCM.
Plz anyone?
tks!
↧
Admin on Machines?
I'm fairly new to SCCM and I was just tasked with trying to find out if there is a way via SCCM to gather a list of who all is a part of the Administrators Group on each Machine we have (over 6000).
Is there a simple way to do this?
↧
KB3025417 breaks SCEP reporting about malware
So, this is one of the odd ones.
We have setup our SCCM/SCEP to send e-mails when new malware are found in selected collections (Alerts).
During last week, I was surprised to see that our environment was without malware at all (according to the endpoint protection status in the SCCM console) . That's very unlikely to happen, so I started to go about test the SCEP client on a newly installed W81 machine. I did a few test with the following http://www.eicar.org/86-0-Intended-use.html
SCEP instantly found the string as malware, which is what I hoped for. I waited to see if the client would report that back to SCCM as usually, but no. Nothing ever shows up in the console.
Long story short; we went back to see when the last time we ever recieved an e-mail based on a malware-alert in SCCM. The last e-mail was dated march 14th 2015.
So we went back to see what happened on our clients back in march, and during our troubleshooting we went through every software update we released in march, and it appears thatKB3025417 is causing the trouble here. (Note: I also suspect that the update itself is unnecessary given we have SCEP, and the update is related to windows defender. However, the update is seen as required by all W81 clients)
We ended up excluding the mentioned update, and reinstalled a client and voila; SCEP works fine again. The minute we install the update, SCEP on the client is no longer reporting the found malware back to SCCM. Also, uninstalling the update doesn't do anything. The damage is done.
We found a few other reporting similar behaviour. While they don't mention the KB itself, I suspect it's very same issue: https://social.technet.microsoft.com/Forums/en-US/34903763-b423-41b4-8783-b75df94337d0/scep-email-alerts-stopped-working-in-sccm-2012-r2?forum=FCSNext
The environment is SCCM 2012 R2 CU4, Antimalware Client Version: 4.8.204.0, Windows 8.1 x64
Also, note that everything around the SCCM client seems healthy. Deployments are installing and reporting back as usual. Nothing else seems broken, and the SCEP component is also healthy.
This is probably a case for MS Support, but given that I see a few others with the same issue, I also suspect that there's alot more out there with the same problem. They just don't know yet, or haven't figured out why it stopped working.
Any pointers or comments to above is much appreciated.
Thanks in advance.
Martin Bengtsson | www.imab.dk
↧
↧
SCCM 2012 SP1 not deploying "Update Rollups" such as Silverlight or IE11
HI Guys,
Thought maybe someone would know why my SCCM 2012 Sp1 server is struggling to install updates for Update Rollouts.
Security updates seem to be ticking over alright but all my new workstations don't seem to get these packages.
I have to go to the workstation itself, login as admin then install these two items outside of SCCM.
Cheers,
Brett.
↧
How to patch Unix/Linux devices using SCCM 2012 R2 ?
Hi all,
Is there a way to patch unix/linux devices using SCCM 2012 R2.
Please Suggest.
Thanks,
Pranay.
↧
Inconsistent data in various places
Hello,
I have deployed updates to device collection all updates seem to have installed, on monitoring -> deployments all clients are listed under "compliant". However if I check properties of individual clients one of them lists one update as "required". Checking locally on the server the update is actually installed and installation date is weeks ago, how do I fix it to show properly on the sccm console?
Screenshot: http://i.imgur.com/X6v60At.png?1
↧
Info missing from the "Compliance 5 - Specific computer" for various computers, but not all computers
I am trying to access this report for some systems and when I open it up, it is completely blank for some computers, but not all of them.
What is the reason for this behavior?
Thanks
↧
↧
Software Updates and 1000 update limit for a deployment
Hi,
Based on the Best Practices you must limit the number of software updates to 1000 for each software update deployment.
Does this apply only to software update groups or deployment packages as well?
So my question is can I add more than 1000 updates to a Deployment Package or is that not possible/allowed/recommended?
Thanks!
↧
SCCMR2 2012 and FEP At Risk Reporting
First off, I apologize if this is not the right forum. This can be moved if needed.
We run SCCM R2 2012 and deploy FEP with it in our environment. We have noticed lately that the At Risk machines is growing rather rapidly. I have been designated to figure out why. So far, I have found 3 issues.
1. There is an issue with the Client Check failure. It has been determined that those machines are having issues with Silverlight. We have a fix in place that we have been putting some machines in for testing. So far the results are good.
2. The issue with the corrupted Registry.pol file and it needing to be deleted and replaced. Since we have a lot of mobile systems in our environment, we are working on a way to accomplish this, since a lot of them are not always available on the network.
3. One i found this evening. We have a good amount of machines showing at risk, yet they passed the client check and they passed the anti-malware policy. However, the date on the anti-malware policy is anywhere from a month out of date to being close to a year.
So my question is really more about number three. What is SCCM looking at for this reporting? I logged into a few machines that weer online, and looked at the EndPoint log. The dates int he log are as recent as last week to a week ago. But those same machines in SCCM show that the anti-malware policy was successful well over month or more ago.
What is SCCM reading to say, yes it was successful, disregarding the dates on the logs?
I am also tasked as to figure out why each one of these is happening. As for the registry.pol file, no one seems to know why it get's corrupted, but everyone has the same fix.
When I exported the At Risk report this evening, I had found roughly 58 machines for issue 1, 66 for issue 2. 4 machines for both issue 1 and 2 and all the remainder of the list was issue 3.
I am totally new to SCCM and am learning as I go. So if I ask what seems to be "newbie" questions, please forgive me.
↧
SQL exclusions FEP
Hello,
I've installed SCCM2012R2 with Endpoint protection.<o:p></o:p>
Now I’m planning to deploy the endpoint protection client to my SQL servers. However there are more instances on my SQL server. Is it possible to exclude the SQLServr.exe services with wildcards?
https://support.microsoft.com/en-us/kb/309422
Thank you
↧