Channel: SQL Queries – All about Microsoft Endpoint Manager

SCCM Configmgr SQL Query to check software update is superseded by what software updates


Someone on the myITforum list raised a question, asking "is there a way to get superseded patch list" for all Windows 7. When I read the question, I was thinking we could get this using the default reports, but when I checked the default reports, there was no report that matches this requirement.

So I sat for some time in the lab, started writing the SQL query and found something. I thought of writing this blog post to help others with a similar need.

If you want to know which software updates supersede a particular patch (e.g. Cumulative Update for Windows 10 Version 1511 (KB3124200)) in SCCM/Configmgr, you can browse to the Software Library > Software Updates node, search for the title, right-click the update, open its Properties and go to Supersedence Information. There you can see which updates this software update is superseded by (replaced by), and also whether this software update supersedes any other update.

image

This method is easy if you want to check a specific software update, but what if you want a list of software updates together with the updates that supersede them?

In Configmgr, software update information is scattered across multiple tables/views, and depending on your requirement you must choose the right one to query.

For writing SQL queries/SSRS reports, always keep these two references at hand: 1) Configmgr SQL views and 2) SSRS expressions.

For our requirement, we will retrieve the software update information from v_UpdateInfo and the supersedence information from v_CIRelation_all.

Based on these two SQL views, the query below retrieves the software updates and the updates that supersede them.

SQL Code:

select UI1.Title,UI1.IsSuperseded,ui1.BulletinID,UI1.InfoURL,
UI2.Title [S Title],ui2.IsSuperseded,UI2.BulletinID [S BulletinID],UI2.InfoURL [S InfoURL]
from v_CIRelation_all CA
left join v_UpdateInfo UI1 on CA.ReferencedCI_ID=UI1.CI_ID
left join v_UpdateInfo UI2 on ca.CI_ID=ui2.CI_ID
where RelationType=6
and UI1.title like '%Windows 10%'

If you want to list only Windows 7 updates, replace 10 with 7. If you want to list all software updates irrespective of OS, simply comment out the last line using --.

You can use this SQL code in SSRS reports with your own customizations.


SCCM Configmgr SQL Report get list of machines with one Version of application and exclude other versions


Some applications allow multiple versions with the same name to be installed on one machine. Java is an example: Java 6 Update 45, Java 7 Update 65 and so on.

How do you find computers that have a single version of the application installed, and exclude computers that have multiple versions with the same name installed?

This scenario also applies to other applications (like Microsoft Office) that allow multiple versions on the same computer.

Example: I have clients A, B and C. A and B each have 3 versions of Java installed, whereas C has one version of Java installed, and I want to get PC C in the query results.

We will get this done using a concept called a subselect query. Full details: https://social.technet.microsoft.com/Forums/en-US/a1d013ac-34fc-4486-9747-56e3d0027d9f/softwareinventory-query?forum=configmanagergeneral#108b932b-e91c-4b09-8abf-7fbf5701c588

SQL Code:

select sub.name0,arp1.DisplayName0,arp1.Version0
from
(
select vrs.Name0,vrs.ResourceID,COUNT(*) Total
from v_Add_Remove_Programs ARP
inner join v_R_System vrs on ARP.ResourceID = VRS.ResourceID
where arp.DisplayName0 like 'Java%'
group by vrs.Name0,vrs.ResourceID
having count(vrs.Name0)=1 ) Sub
inner join v_Add_Remove_Programs arp1 on arp1.resourceid=sub.ResourceID
where arp1.DisplayName0 like 'Java%'
order by sub.name0,arp1.DisplayName0,arp1.Version0

You can use this query to create a nice SSRS report that prompts for the application name, so you can get this information for any application.

SCCM Configmgr identify count of Direct membership rules ,collection Schedule Refresh Types


Collections play a crucial role in Configmgr. Whatever you want to do against clients (software deployment, OSD, client agent settings, software updates, compliance etc.), you need a collection.

As a Configmgr administrator, it is important to keep an eye on collection performance: check that collections are scheduled sensibly and do some maintenance, such as identifying collections that take a long time to update (with the Collection Evaluation Viewer tool from the Configmgr 2012 toolkit) or collections that update more frequently than expected.

This blog post will help you identify collections with their count of direct membership rules and type of schedule, along with other important collection queries that can be presented in a nice SSRS report.

The SQL code below lists collections with their count of direct membership rules and the type of collection schedule configured.

Usually, collections with direct membership rules do not need any schedule at all, as they are created one time and do not require any update.

So you can simply run this SQL code and, where the count of direct membership rules is large and a schedule is configured, get rid of the schedule.

Direct membership rule information is stored in the v_CollectionRuleDirect view. For more information about SQL views in Configmgr, refer to this Excel spreadsheet.

The schedule can be any of the following:

Scheduled
Incremental
Scheduled and Incremental

SQL Code:

select coll.CollectionName,crd.CollectionID,COUNT(crd.RuleName) [Direct rules],
Case when coll.RefreshType = 1 then 'Manual'
when coll.RefreshType = 2 then 'Scheduled'
when coll.RefreshType = 4 then 'Incremental'
when coll.RefreshType = 6 then 'Scheduled and Incremental'
else 'Unknown' end as RefreshType
from v_CollectionRuleDirect  CRD
inner join v_Collections Coll on CRD.collectionID=coll.SiteID
Group by crd.CollectionID,coll.RefreshType,coll.CollectionName
order by crd.CollectionID

SQL code for all collections with their refresh type:

Select (Case when RefreshType = 1 then 'Manual'
when RefreshType = 2 then 'Scheduled'
when RefreshType = 4 then 'Incremental'
when RefreshType = 6 then 'Scheduled and Incremental'
else 'Unknown' end) as RefreshType, count(SiteID) as Collections
from v_Collections
group by RefreshType
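The cleanup described above, narrowed to the collections that are real candidates, as an added example (not from the original post): it lists collections that have direct rules, no query rules, and a refresh type other than Manual. It assumes the v_CollectionRuleQuery view for query rules, which the post does not use, and it does not examine include/exclude rules.

```sql
-- Added example: collections that have direct membership rules but no query
-- rules, and still carry a schedule and/or incremental updates.
-- v_CollectionRuleQuery is an assumption here (the post only uses
-- v_CollectionRuleDirect and v_Collections). Include/exclude collection
-- rules are not examined, so review each result before changing it.
SELECT  coll.SiteID          AS CollectionID,
        coll.CollectionName,
        d.DirectRules        AS [Direct rules],
        CASE coll.RefreshType
             WHEN 2 THEN 'Scheduled'
             WHEN 4 THEN 'Incremental'
             WHEN 6 THEN 'Scheduled and Incremental'
        END                  AS RefreshType
FROM    v_Collections coll
INNER JOIN (
        -- one row per collection with its number of direct rules
        SELECT CollectionID, COUNT(RuleName) AS DirectRules
        FROM   v_CollectionRuleDirect
        GROUP BY CollectionID
        ) d ON d.CollectionID = coll.SiteID
WHERE   coll.RefreshType IN (2, 4, 6)          -- anything but Manual (1)
  AND   NOT EXISTS (SELECT 1
                    FROM   v_CollectionRuleQuery q
                    WHERE  q.CollectionID = coll.SiteID)
ORDER BY d.DirectRules DESC, coll.CollectionName;
```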

image

How to Query Clients collection or SSRS with Online Status in SCCM Configmgr 1602


Microsoft has introduced a new feature in System Center Configuration Manager build version 1602 called Client Online Status. This is a really cool and exciting feature, much needed these days, for knowing whether a computer is online or offline (of course, the SCCM agent must be working and healthy, which is a different story).

A new status for clients is available for monitoring if a computer is online or not. A computer is considered online if it is connected to its assigned management point. To indicate that the computer is online, the client sends ping-like messages to the management point. If the management point doesn't receive a message after 5 minutes, the client is considered offline.

How to Monitor the status of individual clients:

In the Configuration Manager console, click Assets and Compliance > Devices or choose a collection under Device Collections.

image

Beginning in version 1602 of Configuration Manager, the icons at the beginning of each row indicate the online status of the device:

image

 

For more detailed online status, add the client online status information to the device view by right-clicking the column header and clicking the online status fields you want to add. The columns you can add are:

  • Device Online Status indicates whether the client is currently online or offline. (This is the same information given by the icons).
  • Last Online Time indicates when the client online status changed to online.
  • Last Offline Time indicates when the status changed to offline.

Now, coming to the subject line: wouldn't it be nice to create a collection or SSRS report for client online status in Configmgr 1602?

If you want to create a collection or SSRS report for clients with online or offline status in 1602 and later build versions, you must know the correct SQL view (for SSRS) and WMI class that store this information. Download the SQL views documentation for Configmgr 1602 from http://eskonr.com/2016/04/download-sccm-configmgr-1602-sql-views-documentation/

Collections use WQL and reports use SQL.

For collections, client online status is stored in the WMI class SMS_CollectionMemberClientBaselineStatus, with CNIsOnline = True or False.

For SSRS reports, client online status is stored in the view v_CollectionMemberClientBaselineStatus, with CNIsOnline = 1 or 0.

Once we know the WMI class or SQL view, it is easy to create the collection or SSRS report.

To create the collection, use the following WQL code (with a subselect) for online clients:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in
(select resourceid from SMS_CollectionMemberClientBaselineStatus where SMS_CollectionMemberClientBaselineStatus.CNIsOnline = 1)

image

image

To create the SSRS report, use the following SQL code for online clients:

select Name,sitecode,Clientversion,LastHardwareScan,LastMPServerName,CNIsOnline,max(CNLastOfflineTime) CNLastOfflineTime ,
max(CNLastOnlineTime) CNLastOnlineTime
from v_CollectionMemberClientBaselineStatus
where CNIsOnline=1
group by Name,sitecode,Clientversion,LastHardwareScan,CNIsOnline,LastMPServerName
order by Name

image

Until Next!

How to Monitor Configuration manager Console Usage Data


With System Center Configuration Manager build update 1602 (current branch), we can now monitor Configuration Manager console usage data.

In previous versions of Configmgr, there were no records in the database showing which users connect to the SCCM console. This information is tracked in SMSProv.log, but it was not stored anywhere for reporting.

Microsoft has made some improvements in Configmgr current branch build 1602: it stores information about users who make a successful connection in the database and in a WMI class.

After you install the Configmgr console update 1602 and connect to the site server (CAS or primary site), if the user has at least minimal permissions (RBA), the SMS Provider starts tracking the information by executing several queries against the permissions defined in RBA (such as OS, software updates, packages, applications, collections and many more). All of this can be monitored in smsprov.log.

This process is the same as in earlier versions of Configuration Manager. What build update 1602 adds is additional stored procedures, tables and views to store the name of the machine that is connecting to the console, the user name, the connected site code, the admin console version (all of this appears in SMSProv.log) and other important information. It is inserted into the database by the stored procedure spCMUpsertConsoleUsageData, which updates the console telemetry table with the admin console machine's telemetry information.

I installed the console (CB Configmgr 1602) on PC001 and connected to my site as APAC\Eswar, who has permissions defined using RBA, and monitored the log (smsprov.log) for more information:

A couple of screenshots from SMSProv.log:

image

image

image

All the information coming from the client connecting to the site server is tracked in the database.

So where is the console usage information stored in the database and WMI?

In the database, there is a view called v_CMConsoleUsageData, which stores the PC and user connecting to the console, the connected site, the site number, the OS build of the connected PC, the console version installed, the client version installed, memory, the installed .NET Framework version, the console connect time and other information.

SQL Query :  select * from v_CMConsoleUsageData

image

After executing the query, I noticed that the console connect time is shown in UTC instead of the client's connect time (local time).

This led me to review the code used in the stored procedure to check whether any conversion syntax is used, and yes, it uses syntax to convert: (ConsoleConnectTime = GETUTCDATE()).

So if you want the console connect time in local time rather than UTC, you can either change the stored procedure (HIGHLY NOT RECOMMENDED) or use the SQL CAST function in your query, something like below:

select MachineName,UserName,ConsoleConnectTime [ConsoleConnectTime (UTC)],
CAST(GetDate() - GetUtcDate() + ConsoleConnectTime AS datetime) [ConsoleConnectTime]
from v_CMConsoleUsageData
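The GetDate() - GetUtcDate() arithmetic above applies the SQL Server's current UTC offset to every row, so rows recorded on the other side of a daylight-saving change come out an hour off, and the result is the server's local time, not the console machine's. An added example (not from the original post) that converts with AT TIME ZONE instead and lists, per user and machine, the latest console connection; it assumes SQL Server 2016 or later, and the time zone name is a sample value.

```sql
-- Added example: console access review from v_CMConsoleUsageData with a
-- DST-aware conversion of ConsoleConnectTime (stored as UTC).
-- Assumptions: SQL Server 2016+ (AT TIME ZONE); @tz is a sample Windows
-- time zone name, replace it with your own (see sys.time_zone_info).
-- Only MachineName, UserName and ConsoleConnectTime from the post are used.
DECLARE @tz sysname = N'W. Europe Standard Time';

WITH LastSeen AS (
    -- latest connection per user and machine, still in UTC
    SELECT  UserName,
            MachineName,
            MAX(ConsoleConnectTime) AS LastConnectUtc
    FROM    v_CMConsoleUsageData
    GROUP BY UserName, MachineName
)
SELECT  UserName,
        MachineName,
        LastConnectUtc AS [Last connect (UTC)],
        -- tag the stored value as UTC, then shift it to the target zone
        CAST(LastConnectUtc AT TIME ZONE 'UTC' AT TIME ZONE @tz AS datetime)
                       AS [Last connect (local)],
        -- how many different machines this user has opened the console from
        COUNT(*) OVER (PARTITION BY UserName) AS [Machines used by user]
FROM    LastSeen
ORDER BY LastConnectUtc DESC;
```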

image

Once you know that a view exists that stores the information, you can start working on your customized report by joining other views and create a nice SSRS report.

For more information about SQL views in Configmgr update 1602, refer to this post.

A report is fine, but can I create a collection (probably a user or device collection, to see which users are connecting to the site)? If you are interested in playing with this:

The WMI class (for the collection) is called SMS_ConsoleUsageData (namespace: ROOT\SMS\site_sitecode).

For some reason, my SMS_ConsoleUsageData class was empty, though I can generate a report for console usage data as you see in the above snippet.

Run wbemtest from the Run command and connect to the ROOT\SMS\Site_PS1 namespace. Click Query and run the following command to see if it returns any value:

select * from SMS_ConsoleUsageData

image

So how do I get this corrected? I am still trying to figure it out using the stored procedures, which might help to update the information into WMI, but no fix yet for me. I am not sure if this is happening to everyone or only to me.

So 2 things are pending confirmation (at least for me) from this post: 1) UTC time for the console connect time, 2) empty WMI results.

I will update this post when I find something on the UTC time and the WMI class.

System Center Configuration Manager Reporting Unleashed Book – Easy way to get your Reports Done


I have been putting a lot of SQL queries and SSRS reports on my blog, but I never explained how you can create such SSRS reports on your own, and I know that it is not easy to explain SQL/SSRS reports in a blog post. This post will help you understand Configuration Manager reporting and how to write your own SSRS reports (advanced level).

There are a lot of books on System Center Configuration Manager, but nothing specifically on reporting (in depth).

The wait is over: the one book that has long been missing on Configuration Manager reporting is now available on the market, i.e. System Center Configuration Manager Reporting Unleashed.

This book was written by well-known Configuration Manager MVP Garth Jones and his expert co-authors Dan Toll and Kerrie Meyler.

The Unleashed book, written by experts, is really fantastic and has all the content you need to get complete knowledge of Configuration Manager reporting, RBA, SQL views, SSRS Report Builder and a lot more.

You’ll walk through installing and configuring SSRS, using SQL views to find the data you need, writing SQL queries, creating basic and advanced reports, and using role-based administration to securely deliver those reports to the correct individuals.

image

The Contents at a Glance gives you a good feel for it: it consists of a total of 411 pages, all about reporting.

Contents at a Glance:

image

I highly recommend purchasing this book if you want to become an expert in creating custom SSRS reports in Configuration Manager and deliver the content to your management in no time.

You can purchase this book (System Center Configuration Manager Reporting Unleashed) from the Amazon website, available in both paperback and Kindle versions: http://www.amazon.in/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=configuration+manager+reporting+unleashed

and from InformIT http://www.informit.com/store/system-center-configuration-manager-reporting-unleashed-9780672337789

SCCM Configmgr Software update Compliance Report for multiple Software Update groups per collection


Long ago, I did a blog post on how to get software update compliance for a specific update group per collection, with a drill-down report listing the Required/Missing and Unknown clients with some additional information such as recent hardware inventory, last update scan results, OS etc.

That report only works for a single software update group per collection, but in Configuration Manager there can be multiple software update groups created as part of the patching process. It is difficult to know the compliance status of the same collection for multiple update groups, and the task becomes tedious if you run the same report multiple times and write the results down into a file.

With the Configuration Manager console, it is possible to see the compliance (Required, Installed, Unknown and %) of a software update group for the deployed collection, but seeing the same for multiple update groups and getting the list of Required clients etc. is not possible; for that you need an SSRS report.

Wouldn't it be nice to have an SSRS report that lists the software update compliance for multiple update groups per collection?

This report has been lying in my bucket for a long time and is finally going out to the public.

I have made small changes to the report (nothing major) with respect to the prompts (select multiple update groups), and changes to the drill-down report as well.

This report allows you to select multiple update groups and a single collection, as shown below. You need to take action on the Required (a.k.a. Missing) and Unknown statuses.

It has 2 RDL files: 1) update compliance status for multiple groups per collection and 2) a linked report showing which clients have a specific software update status (Required, Unknown).

The first report looks like below:

image

Installed—>Specifies that the software update is applicable on the client computer and that the client computer already has the software update installed.

Not Required—>Specifies that the software update is not applicable on the client computer, and therefore, the software update is not required.

Required –>Specifies that the software update is applicable and required on the client computer.

Unknown—> Specifies that the site server has not received a state message from the client computer. There can be various reasons, such as the scan not running successfully, or the scan completing but the state message not being sent successfully.

Click the arrow (blue color) to see the Required and Unknown clients for the selected software update group:

image

 

Download the reports from TechNet Gallery, upload them to your Configmgr SSRS reports, change the data source and run the report.

For how to troubleshoot software update issues, refer to http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

SCCM Configmgr Get the Update Compliance Status for multiple Update groups against Multiple collections using SQL query without reporting


Recently, we had an issue with the SCCM Configmgr Reporting Services role (the remote SQL server sitting on a VM crashed; blog post coming soon) and we were unable to generate reports, mainly for the software update compliance status that is produced every month. This post is about how to check the software update compliance status for the deployed software update group(s) per collection(s) without using Configmgr reports. The reason for posting this is that fixing the Configmgr Reporting Services role took longer than expected, and in the meantime we needed to check the patch compliance status and troubleshoot the non-compliant machines (servers) within the maintenance window.

I thought the SQL code I used to generate the compliance status would be handy for others who do not want to use Configmgr reports and prefer SQL code for quick results.

If you are unable to generate compliance status using the SSRS reports, the only other method is to rely on the Monitoring node > Deployments, look for the software update deployment for the particular collection and see the non-compliant machines for troubleshooting, which is not an easy method if you have a large number of deployments and collections.

To overcome this, you can use SQL Server Management Studio and run the query (posted below) to generate the list of non-compliant clients with extra information such as hardware inventory, software update scan, operating system, IP address, user name, whether it has a client etc.

This SQL query should help to quickly generate compliance status for multiple software update groups and for multiple collections.

I recently posted a blog about how to generate software update compliance status for multiple update groups per collection, but this SQL query generates update compliance status for multiple update groups against multiple collections.

You can use this SQL query to create a nice SSRS report for multiple update groups per multiple collections in one click.

The SQL code below lists clients with Required/Missing status. If you want clients with Unknown status, change the @Status value to 0. The update compliance status values are listed below:

Update compliance Status:

0—Detection Status Unknown

1—Not Applicable

2—Required/Missing

3—Already Installed /Compliant

image

 

--SQL Code to Generate Update compliance Status for multiple update groups against multiple collections

Declare @Status nvarchar(255);set @Status='2';
--Status 0 for Unknown, 1 for Not Applicable,2 for Required ,3 for installed
select sys.name0 [Computer Name],sys.User_Name0 [User Name], os.caption0 [OS],
CONVERT(VARCHAR(26), ws.lasthwscan, 100) as [LastHWScan],
CONVERT(VARCHAR(26), uss.lastscantime, 100) AS 'LastSUScanTime',
CONVERT(VARCHAR(26), sys.last_logon_timestamp0, 100) AS 'Last Logon Time',
case when sys.client0='1' then 'Yes' else 'No'
end as 'Client (Yes/No)', c.IPAddress AS [IP Address]
From v_Update_ComplianceStatusAll UCS
left join v_r_system sys on ucs.resourceid=sys.resourceid
left join v_FullCollectionMembership fcm on sys.resourceid=fcm.resourceid
left join v_collection coll on coll.collectionid=fcm.collectionid
left join v_GS_OPERATING_SYSTEM os on ucs.resourceid=os.resourceid
left join v_gs_workstation_status ws on ucs.resourceid=ws.resourceid
left join v_updatescanstatus uss on ucs.ResourceId=uss.ResourceID
left join v_AuthListInfo LI on ucs.ci_id=li.ci_id
INNER JOIN (SELECT     IP1.resourceid AS rsid2, IPAddress = substring
((SELECT     (IP_Addresses0 + ', ')
FROM    v_RA_System_IPAddresses IP2
WHERE     IP2.IP_Addresses0 NOT LIKE '169%' AND IP2.IP_Addresses0 NOT LIKE '0.%' AND IP2.IP_Addresses0 NOT LIKE '%::%' AND
IP_Addresses0 NOT LIKE '192.%' AND IP1.resourceid = IP2.resourceid
ORDER BY resourceid FOR xml path('')), 1, 50000)
FROM    v_RA_System_IPAddresses IP1
GROUP BY resourceid) c ON c.rsid2 = ucs.resourceid
where li.title IN ('SUG1','SUG2','SUG3') and coll.collectionID in ('PS10029A','PS10000D') and ucs.status=@Status
group by sys.name0,sys.User_Name0,os.Caption0,ws.LastHWScan ,uss.LastScanTime,sys.Last_Logon_Timestamp0,sys.client0,c.IPAddress
order by 1
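The query above returns one row per client for a single status value. An added example (not from the original post) that summarizes all four status codes per update group and collection in one pass; it uses only views and columns that appear in the query above, and counts status 1 and 3 together as compliant.

```sql
-- Added example: per update group and collection, how many clients are in
-- each compliance state, using the status codes listed in the post
-- (0 Unknown, 1 Not Applicable, 2 Required, 3 Installed).
-- The group titles and collection IDs are the placeholder values from the
-- post's query; replace them with your own.
DECLARE @SUG  TABLE (Title nvarchar(255));
DECLARE @Coll TABLE (CollectionID nvarchar(8));
INSERT INTO @SUG  VALUES (N'SUG1'), (N'SUG2'), (N'SUG3');
INSERT INTO @Coll VALUES (N'PS10029A'), (N'PS10000D');

WITH Summary AS (
    SELECT  li.Title          AS UpdateGroup,
            fcm.CollectionID,
            COUNT(DISTINCT ucs.ResourceID) AS Clients,
            COUNT(DISTINCT CASE WHEN ucs.Status IN (1, 3) THEN ucs.ResourceID END) AS Compliant,
            COUNT(DISTINCT CASE WHEN ucs.Status = 2 THEN ucs.ResourceID END) AS [Required],
            COUNT(DISTINCT CASE WHEN ucs.Status = 0 THEN ucs.ResourceID END) AS [Unknown]
    FROM    v_Update_ComplianceStatusAll ucs
    INNER JOIN v_AuthListInfo li
            ON li.CI_ID = ucs.CI_ID              -- group-level compliance row
    INNER JOIN v_FullCollectionMembership fcm
            ON fcm.ResourceID = ucs.ResourceID
    WHERE   li.Title IN (SELECT Title FROM @SUG)
      AND   fcm.CollectionID IN (SELECT CollectionID FROM @Coll)
    GROUP BY li.Title, fcm.CollectionID
)
SELECT  UpdateGroup, CollectionID, Clients, Compliant, [Required], [Unknown],
        -- NULLIF guards against a divide-by-zero on an empty collection
        CAST(100.0 * Compliant / NULLIF(Clients, 0) AS decimal(5, 1)) AS [Compliant %]
FROM    Summary
ORDER BY [Compliant %], UpdateGroup, CollectionID;   -- worst compliance first
```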

Hope it helps !


Download SCCM Configmgr CB 1606 SQL views documentation


Microsoft released a new version of SCCM Configmgr Current Branch, 1606 (YY MM), with a lot of new features and improvements to existing features. You can install this update via the in-console update.

With this update, there are also a couple of newly added SQL views compared to the previous update (1602), which will help us create better reports.

So what's new in SCCM Configmgr CB 1606 SQL reporting? Let's look at which SQL views were newly added. Also keep this SQL views document handy for reporting; otherwise you may end up looking into the database for the correct information.

There are 3 SQL views added in this update version (1606) compared to the previous version 1602, listed below:

v_GS_ClientEvents
v_GS_OFFICE365PROPLUSCONFIGURATIONS
v_MDMDeviceCategory

Download the SQL views documentation for SCCM Configmgr Current Branch 1606 from TechNet Gallery.

For other Configmgr versions, you can download the SQL views for Configmgr 1602, Configmgr 1511, Configmgr 2012 R2 SP1 and Configmgr 2012.

Recommended Reading :

SQL Server Views in System Center 2012 Configuration Manager

SCCM Configmgr SQL query to find Top X missing updates for specific collection for specific update group


For the past few days, I have been working on a customized software update compliance dashboard report with some pie charts, for management to see how patch compliance is progressing for each business unit (by business unit I mean each country).

Management is interested in seeing the overall patch compliance summary for each country (focused on servers) in a nice pie chart, which can be published to them either via email (using SSRS subscriptions) or on bigger screens, especially for server compliance status.

This dashboard uses a lot of pre-existing reports that are already published on my blog, but there is one report (though the SQL query is only a few lines of code) that made me spend a lot of time making changes and checking in the console whether the results tally. That report is:

Top 5 or 10 missing patches for specific collection and specific update group.

The hard part of getting this report to work is identifying the correct views to join the software update group and compliance status. I strongly recommend using the SQL views documentation when creating any custom SCCM reports.

After going through the SQL views documentation, I found the views below, which help to join the software update group (CI_ID) and software updates (CI_ID):

v_BundledConfigurationItems – contains information about each update CI_ID and software update group ID

v_AuthListInfo – contains the software update group name and update ID (CI_ID)

For reporting (ONLY), we normally have 1 software update group that contains the list of all updates (as required by the IT Security team, as they are the ones who decide which security patches to deploy) deployed to clients from long ago up to 2 months before the current month. Technically speaking, you cannot have more than 1000 updates in a software update group that you deploy to a collection, but in this case the group is only used for reporting, so I can have more than 1000 updates in 1 software update group, and I always make sure this SUG is at a good compliance rate for each BU.

As we move on, we add the previous month's patches to this software update group and rerun the report to reflect the status of the newly added updates against each country collection.

In this blog post, I will share a couple of SQL queries used in my dashboard report, to help you create your own dashboards.

P.S.: The reason for not posting the dashboard I created is that it has a lot of customizations (mostly collection IDs and software update groups) on a per-country basis, and they are unique to each organization. But I can share what the output of the dashboard looks like.

Each pie chart has a linked report to see the list of clients with a status such as missing or unknown, for troubleshooting purposes.

image

Below are a couple of SQL queries that I wanted to share with you guys.

1. How to get the list of top 5 or 10 missing patches against a particular collection for a specific software update group?

In the SCCM console, if you go to the Software Updates node, you can see a lot of information for each update (Bulletin ID, Title ID, Required, Installed etc.), but there is no way to filter against a particular collection, and no way in the console to see the list of clients that need the patch.

You either have to use the default reports (if there is any such report) or create a custom report.

Use the query below in SSRS or SQL Server Management Studio to get the list of all updates from a particular software update group against a collection, with the missing count.

Declare @CollID nvarchar (255),@SUG nvarchar(255);
Set @CollID='PS100254';set @SUG='SUM_2016_July_All';
--CollID=Collection ID and SUG=Software update group Name

Select CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised,
case when ui.IsDeployed='1' then 'Yes' else 'No' end as 'Deployed',
SUM (CASE WHEN ucs.status=3 or ucs.status=1 then 1 ELSE 0 END ) as 'Installed/Not Required',
sum( case When ucs.status=2 Then 1 ELSE 0 END ) as 'Required'
From v_UpdateInfo ui
JOIN v_Update_ComplianceStatus ucs on ucs.CI_ID = ui.CI_ID --AND ui.IsExpired = 0 AND ui.IsSuperseded = 0
--Expired and superseded patches are included as written; to exclude them, remove the -- before AND in the line above
JOIN v_BundledConfigurationItems bci on ui.CI_ID = bci.BundledCI_ID
JOIN v_FullCollectionMembership fcm on ucs.ResourceID = fcm.ResourceID
join v_R_System sys on sys.ResourceID=ucs.ResourceID
where bci.CI_ID = (SELECT CI_ID FROM v_AuthListInfo where title=@SUG)
and fcm.CollectionID =@CollID
group by CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2),
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised, ui.IsDeployed
order by sum( case When ucs.status=2 Then 1 ELSE 0 END ) desc

If you compare the result of the above SQL query with the console, the Required client count will differ from what you see in the SCCM console Software Updates node. This is because in the console the software updates are not limited to any collection (they apply to all clients), whereas here we are limiting the software update to a particular collection.

You can use this SQL query in multiple ways as you need. For example, if someone wants to see the list of updates still needed by a specific collection (BU), you can simply comment out the software update group and filter only on the collection; you can also do it the other way round.

To get the top 5 or 10 missing updates, simply use TOP 5 or TOP 10. The full SQL query is below:

Declare @CollID nvarchar (255),@SUG nvarchar(255);
Set @CollID='PS100254';set @SUG='SUM_2016_July_All';
--CollID=Collection ID and SUG=Software update group Name

Select top 5 CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2) AS MonthPosted,
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised,
case when ui.IsDeployed='1' then 'Yes' else 'No' end as 'Deployed',
--SUM (CASE WHEN ucs.status=3 or ucs.status=1 then 1 ELSE 0 END ) as 'Installed/Not Required',
sum( case When ucs.status=2 Then 1 ELSE 0 END ) as 'Required'
From v_UpdateInfo ui
JOIN v_Update_ComplianceStatus ucs on ucs.CI_ID = ui.CI_ID --AND ui.IsExpired = 0 AND ui.IsSuperseded = 0
--Expired and superseded patches are included as written; to exclude them, remove the -- before AND in the line above
JOIN v_BundledConfigurationItems bci on ui.CI_ID = bci.BundledCI_ID
JOIN v_FullCollectionMembership fcm on ucs.ResourceID = fcm.ResourceID
join v_R_System sys on sys.ResourceID=ucs.ResourceID
where bci.CI_ID = (SELECT CI_ID FROM v_AuthListInfo where title=@SUG)
and fcm.CollectionID =@CollID
group by CAST(DATEPART(yyyy,ui.DatePosted) AS varchar(255)) + '-' + RIGHT('0' + CAST(DATEPART(mm, ui.DatePosted) AS VARCHAR(255)), 2),
ui.Title, ui.ArticleID, ui.BulletinID, ui.DateRevised, ui.IsDeployed
order by sum( case When ucs.status=2 Then 1 ELSE 0 END ) desc

Now we have the count of all updates for a specific update group for a specific collection with the Required client count, but how do we get the list of clients that need a specific update?

This is mainly needed if you want to create a linked SSRS report to see the list of clients for a specific update for troubleshooting purposes.

SQL query to list the clients that require a specific software update:

 

Declare @CollID nvarchar (255),@SUG nvarchar(255),@title nvarchar(255);
Set @CollID='PS100254';set @SUG='SUM_2016_July_All';
set @title='Security Update for Windows Server 2008 R2 x64 Edition (KB2992611)'
--CollID=Collection ID , SUG=Software update group Name and Title= Name of Software update title

Select sys.Name0,sys.User_Name0,os.Caption0 [OS],ws.LastHWScan,uss.LastScanTime [Last SUScan],os.LastBootUpTime0
From v_UpdateInfo ui
JOIN v_Update_ComplianceStatus ucs on ucs.CI_ID = ui.CI_ID
JOIN v_BundledConfigurationItems bci on ui.CI_ID = bci.BundledCI_ID
JOIN v_FullCollectionMembership fcm on ucs.ResourceID = fcm.ResourceID
join v_R_System sys on sys.ResourceID=ucs.ResourceID
join v_GS_OPERATING_SYSTEM OS on os.ResourceID=ucs.ResourceID
join v_GS_WORKSTATION_STATUS WS on ws.ResourceID=ucs.ResourceID
right join v_UpdateScanStatus uss on uss.ResourceID=ucs.ResourceID
where bci.CI_ID = (SELECT CI_ID FROM v_AuthListInfo where title=@SUG)
and fcm.CollectionID =@CollID
AND UCS.Status='2'
and ui.Title=@title
group by
sys.Name0,sys.User_Name0,os.Caption0,ws.LastHWScan,os.LastBootUpTime0,uss.LastScanTime
order by 1

 

SQL query used in the pie chart to get the patch compliance status for a specific collection and a specific update group:

select CASE WHEN ucs.status=3 or ucs.status=1  then 'success'
When ucs.status=2 Then 'Missing'
When ucs.status=0 Then 'Unknown' end as 'Status',ucs.status [Status ID],coll.CollectionID
From v_Update_ComplianceStatusAll UCS
    left join v_r_system sys on ucs.resourceid=sys.resourceid
    left join v_FullCollectionMembership fcm on ucs.resourceid=fcm.resourceid
    left join v_collection coll on coll.CollectionID=fcm.CollectionID
    left join v_GS_OPERATING_SYSTEM os on ucs.resourceid=os.resourceid
    left join v_gs_workstation_status ws on ucs.resourceid=ws.resourceid
    left join v_updatescanstatus uss on ucs.ResourceId=uss.ResourceID
    left join v_AuthListInfo LI on li.ci_id=ucs.ci_id
where li.title='Software update group name' and coll.CollectionID='CollectionID'
and os.Caption0 not like '%2003%'
order by 1

Hope these SQL queries are helpful to you.

SCCM Configmgr software update scan failed OnSearchComplete – Failed to end search job Error 0x80072ee2


The other day, I was looking at the client health dashboard which I published long ago: https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-SSRS-2863c240 . From the dashboard report, I noticed that a couple of clients were having software update scan issues.

If a client fails to perform a successful software update scan, it is out of the patching window and will never send or receive any software updates that you deploy from SCCM. You always need to make sure your clients are performing successful software update scans as per the schedule you configure in the SCCM client agent settings. Software update troubleshooting guide: http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

So, the report had a couple of clients with software update scan failures with lasterrorcode –2147012894, which led me to take a look at one client (XXXXXXX) and see what's happening on it.

If you want to see how your clients are performing software update scans (without the dashboard), run the below SQL query in Management Studio.

This query will help you to get the list of clients that have issues with the software update scan (software update scan not successful).

--SQL code list clients with software update scan failures

select distinct sys.name0 [Computer Name],os.caption0 [OS],convert(nvarchar(26),ws.lasthwscan,100) as [LastHWScan],convert(nvarchar(26),sys.Last_Logon_Timestamp0,100) [Last Loggedon time Stamp],
sys.user_name0 [Last User Name] ,uss.lasterrorcode,uss.lastscanpackagelocation from v_r_system sys
inner join v_gs_operating_system os on os.resourceid=sys.resourceid
inner join v_GS_WORKSTATION_STATUS ws on ws.resourceid=sys.resourceid
inner join v_updatescanstatus uss on uss.ResourceId=sys.ResourceID
where uss.lasterrorcode!='0'
order by uss.lasterrorcode

image

Log in to the problem client (it can be a workstation or a server), open WUAHandler.log located in C:\Windows\CCM\Logs, and notice the below error.

image

OnSearchComplete - Failed to end search job. Error = 0x80072ee2.

Scan failed with error = 0x80072ee2.

0x80072ee2—>The operation timed out

The above log (error) does not give much information, so this led me to look at WindowsUpdate.log, located in the C:\Windows folder.

image

This log has several entries related to proxy request, send and download file failures, etc.

2016-09-01    12:45:14:216     820    ce0    Misc    WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <10.133.48.48:8080> Bypass List used : <(null)> Auth Schemes used : <>

2016-09-01    12:45:14:216     820    ce0    Misc    FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2

2016-09-01    12:45:14:216     820    ce0    PT      + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0

image

The problematic client is healthy and able to send inventory and receive other deployments like applications, but the software update scan is failing all the time.

If you look at the above log snippet, it is failing to download the cab files from the WSUS server. It looks like the client has some issues downloading the content, so how do I check what is causing the problem with the content download?

From the WindowsUpdate.log snippet, the client is trying to access the URL http://SCCMServerName.domain:8530/ClientWebService/WusServerVersion.xml, which failed due to proxy settings.

image

On another, working client, I found that the below URL succeeded, but not on the problem client. So I ran the below URL on the non-working client, and it surely has issues with the proxy.

http://SCCMServerName.domain:8530/ClientWebService/WusServerVersion.xml

image

I ran the same URL on a working client and got the below results:

image

How do I fix the proxy issues on the problem client and get rid of the software update scan issues?

There is a registry key on the client machine which you will have to change to get it working. Which registry key?

Log in to a working client that is reporting to the same SCCM site (WSUS), open the registry, and export the below registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

image

Save it on the desktop, copy it to the problematic client, and run it (double-click on it).

Once the registry key is imported, open services.msc from the Run command and restart the Windows Update service.

image

Follow WindowsUpdate.log and WUAHandler.log.

After a few minutes, I noticed that the scan still failed with an error code, but this time it is a different one: OnSearchComplete - Failed to end search job. Error = 0x80244010.

0x80244010 —> The number of round trips to the server exceeded the maximum limit.

image

After a while, it will try to sync again (you don't have to do anything), and the sync will complete successfully.

If the sync is not running, initiate the software update scan cycle and monitor WUAHandler.log.

image

Now go back to your site server and run the SQL query; you will see that the problematic client no longer appears.
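An added example (not one of the original post's queries) that groups the failing clients by error code and prints each code in the hex form the client logs use: the report's lasterrorcode –2147012894 is the signed 32-bit form of the 0x80072ee2 seen in WUAHandler.log. It assumes LastErrorCode is stored as a signed 32-bit integer; the two descriptions are the ones quoted in this post.

```sql
-- Added example, not part of the original post.
-- Assumption: v_UpdateScanStatus.LastErrorCode holds the HRESULT as a signed 32-bit integer.
SELECT f.[Error (hex)],
       f.LastErrorCode AS [Error (decimal)],
       CASE f.[Error (hex)]
            WHEN '0x80072EE2' THEN 'The operation timed out'
            WHEN '0x80244010' THEN 'The number of round trips to the server exceeded the maximum limit'
            ELSE 'Not covered in this post'
       END AS [Meaning],
       COUNT(DISTINCT f.ResourceID)   AS [Clients],
       MIN(f.LastScanTime)            AS [Oldest last scan],
       MAX(f.LastScanTime)            AS [Newest last scan],
       MIN(f.LastScanPackageLocation) AS [Sample scan location]
FROM (
    -- Reinterpret the signed integer as 4 raw bytes, then print those bytes with a 0x prefix.
    SELECT uss.ResourceID, uss.LastErrorCode, uss.LastScanTime, uss.LastScanPackageLocation,
           CONVERT(varchar(10), CONVERT(varbinary(4), CAST(uss.LastErrorCode AS int)), 1) AS [Error (hex)]
    FROM v_UpdateScanStatus uss
    JOIN v_R_System sys ON sys.ResourceID = uss.ResourceID
    WHERE uss.LastErrorCode <> 0
) f
GROUP BY f.[Error (hex)], f.LastErrorCode
ORDER BY [Clients] DESC, f.[Error (hex)];
```

A large client count under one code with the same scan location points at a shared cause such as the proxy setting described above, rather than at individual machines.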

Summary:

For software update scan issues with error code 0x80072ee2:

Log in to a working client, export the registry key, import it into the problem client, restart the Windows Update service, wait for a while, and monitor the logs.

References :

http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

http://s9org.blogspot.sg/2015/03/software-updates-are-not-getting.html

https://blogs.technet.microsoft.com/sus/2008/09/18/wsus-clients-fail-with-warning-syncserverupdatesinternal-failed-0x80244010/

SCCM Configmgr Report for Count of MS Office Versions updated with list of clients


I wrote a blog post a year ago on how to get the count of MS Office editions with versions installed across my environment using SCCM Configmgr. This report consists of 2 reports. The 1st report gets the count of Microsoft Office editions, for example how many are Office 2003, 2007, 2010 and 2013, and the 2nd report is a drill-down report linked to the 1st report that lists all MS Office editions (what the editions of Office 2003, 2007, 2010 and 2013 are) with their client count.

Many of my blog viewers have requested, through comments and some via social networking sites, to be able to drill down from the 2nd report to see the list of clients with each Office edition and version.

Having a drill-down report to see the list of clients will certainly help to investigate and upgrade them to the latest version of Microsoft Office.

You can always create a collection for Office editions, but having a report like this helps to export them to Excel and other SSRS-supported formats.

This request has been pending for a very long time; it was lying in my to-do list and is finally going out through this blog post.

So what do you need to get this report (Count of MS Office editions) implemented in your SCCM site?

Download the 3 reports from the TechNet Gallery, upload the reports into your SSRS folder (make sure they are all in the same folder), change the data source for each report, and you are good to run.

Note: This report will list only Microsoft Office 2003, 2007, 2010 and 2013, but not Office 365. If you need Office 365, you may have to wait for the next update; otherwise you can edit the RDL file and customize it.

What does the report look like?

1. Count of MS Office editions

image

2. List MS Office editions for selected version (ex: 2003)

image

3. List of Clients by specific MS Office edition and version

image

 

Hope it helps.

How to find who initiated restart of SCCM Configmgr Client


 

A colleague of mine received a request to check why an SCCM client (server OS) rebooted during office hours, with more details about the reboot (who initiated it, etc.). I started looking at this request to find out whether the client was rebooted due to Windows patching or any applications pushed by SCCM.

During my troubleshooting, I went through several client logs, Event Viewer, a SQL query, a PowerShell script, etc.

In this blog post, I will try to list the steps that I went through to identify who rebooted the SCCM client (server OS).

1. The first thing anyone would look at is Event Viewer, to find out who rebooted the server (whether it was the SCCM client or a user).

Go to Event Viewer –> Windows Logs –> System, right-click and select Filter Current Log, and enter 1074 (Event ID 1074 for reboot) as shown below.

Event ID:1074 –>This event is written when an application causes the system to restart, or when the user initiates a restart or shutdown by clicking Start or pressing CTRL+ALT+DELETE, and then clicking Shut Down. This event is written to the system log only when the Shutdown Event Tracker group policy setting is enabled or not configured.

image

You will see a lot of entries with event ID 1074, of which we only look at the most recent one.

image

From the above screen, the recent restart was initiated by SMS Agent Host (ccmexec) on 10/31/2016 05:45:10 PM due to application or software update installation. This doesn't tell you the username, as the restart was initiated by the system account (NT AUTHORITY\SYSTEM).

The process C:\Windows\CCM\CcmExec.exe (ComputerName) has initiated the restart of computer  ComputerName on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x80020001
Shutdown Type: restart
Comment: Your computer will restart at 10/31/2016 05:45:10 PM to complete the installation of applications and software updates.

Now we need to find out what was installed on the server at or before the reboot time, and whether the client has enough maintenance window to reboot.

2. Let's check what maintenance window is available for the server; that might help to analyze whether any installation with a pending reboot had enough maintenance window to allow the reboot or not.

I use the following SQL query to check the available maintenance window for a specific client.

DECLARE @file varchar(5000);
SET @file='Server Name'

select MW.[Collection Name],MW.[MW Name],MW.Description,convert(nvarchar(26),MW.StartTime,100)[StartTime],MW.Duration
from
(
select fcm.CollectionId, coll.Name [Collection Name],s.Name [MW Name],s.Description,s.StartTime,s.Duration
from dbo.v_R_System sys
Right JOIN dbo.fn_SplitString(@file,',' ) AS fss ON sys.Name0 = fss.substring
join dbo.v_FullCollectionMembership FCM on sys.ResourceID = fcm.ResourceID
join dbo.v_Collection coll on Coll.CollectionID = fcm.CollectionID
left join v_ServiceWindow S on s.CollectionID=fcm.CollectionID
) MW
where MW.[MW Name] not like ''

I have used @file basically to pipe in a large number of clients that I wanted to query for. If you want to list the MW for more than 1 client, your @file should be @file='server1,server2,server3,server4'

With the above SQL query, I do not see any maintenance window available for the server to reboot at that time (the time the server rebooted).

3. Now we will go back to the problem server and log in to see what was installed by SCCM during or before the reboot.

We will look at AppEnforce.log (for applications), execmgr.log (for packages), the Windows update logs (WUAHandler.log, UpdatesHandler.log), and any other logs that you suspect.

AppEnforce.log :

image

From AppEnforce.log, there was an application that installed silently without any reboot (Matched exit code 3010 to a PendingSoftReboot entry in exit codes table.)

So the application doesn't have any forced reboot option, and for sure something else caused the reboot.

4. Now take a look at RebootCoordinator.log and MaintenanceCoordinator.log to see if they reveal some information about the reboot behavior.

RebootCoordinator.log

image

From the above log, I see a couple of entries related to the server reboot, which help me identify the root cause.

User S-1-5-21-1009845188-1641970364-1010270793-4361695 is getting pending reboot information

ServiceWindowsManager has not allowed us to Reboot

MTC allowed us to reboot

Notified UI grace period start with 900 grace seconds and 300 final seconds.

System reboot request succeeded.

As you can see from the log, a user SID is getting pending reboot information, which means someone was logged into the server during the reboot of the server.

How to find who that user is? You can find it using the Event Viewer security logs or a PowerShell script that converts a SID to a user name.

I have used the below PowerShell script, which converts a SID value to a user name:

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-21-1009845188-1641970364-1010270793-4361695")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$objUser.Value

Copy the script, change the SID value, and run the PowerShell script on the problem server to find the user name.

Now I have the user name of whoever was logged into the server during the reboot, but I cannot take this information for granted and confirm that this user initiated the reboot.

Well, RebootCoordinator.log doesn't confirm whether the logged-in user restarted the server. So what next?

In SCCM Configmgr 2012 and above, there are logs for users as well. These logs record the activity for notifying users about software for the specified user.

These user notification logs are named SCNotify_<domain>@<username>_1.log

Open the log (_SCNotify_<domain>@<Username>_2.log) for the user who was logged into the server during the server reboot to see if he/she initiated it.

image

From this log, I found a lot of useful information, including the below entries that confirm the user was allowed to restart the system.

RestartCountdownDialog: IsRestartSystemAllowed - user is allowed to restart system      (Microsoft.SoftwareCenter.Client.Pages.RestartCountdownDialog at .ctor)

Notification is for a logoff/restart required or logoff/restart countdown.      (Microsoft.SoftwareCenter.Client.Notification.NotifyObjectBase at ShowBalloonTip)

Number of total seconds in countdown is 900; starting value is 2; seconds til restart is 898, system will restart at 5:45:09 PM (utc end time = 9:45:10 AM)      (Microsoft.SoftwareCenter.Client.Pages.RestartCountdownDialog at .ctor)

This confirms that the user who was logged into the server initiated the reboot, and it was nothing from the SCCM client.

If you have any other possible methods to identify who initiated the reboot, post them via the comments section.

Until next!

SCCM Configmgr how to find applications with no deployments as part of maintenance tasks


 

Introduction:

One of my blog readers asked a question: ‘There is a report in your blog to find out packages that have no advertisements created, but is there a similar report to find applications with no deployments created?’

I found this question valid, and it is needed if you want to perform maintenance tasks like cleaning up packages, applications, collections, etc. Performing regular maintenance is important to ensure correct site operations.

There are several default site maintenance tasks available that maintain the health of your site database, but when it comes to cleaning up unused collections, packages, applications, etc., you have to find a way to do it.

There are instances where someone creates an application without any deployment, or a deployment was created and later deleted, leaving the application in the console for a long time, and many other instances.

If you are maintaining a maintenance log to document the dates that maintenance was conducted, by whom, and any maintenance-related comments about the task conducted, I would add the following tasks to the maintenance document, as they are also required to be cleaned up every 6 months or once a year.

1. Clean up unused collections

2. Clean up unused packages

3. Clean up unused applications, etc.

This blog post covers task 3: identifying applications without any deployments that are not used in any task sequence.

How to create a SQL query or SSRS report to identify applications with no deployments?

To create such a report, you first need to identify the SQL views that store the information about applications and their dependencies. For that, you can refer to the Configmgr SQL view documentation available here

There are 3 main SQL views/functions that store the information about applications, their deployment info, dependent application info, task sequence app references, etc., and they are listed below:

dbo.fn_ListApplicationCIs(1033)

vSMS_AppRelation_Flat

v_TaskSequenceAppReferencesInfo

I will be using the above views to create a nice SSRS report. This report mainly outputs applications that have zero deployments and are not referenced in any task sequence.

This report contains fields like application name, Created by, Datelastmodified, Application age since created (days), Isenabled, is deployed, number of DT (deployment types), no of dependencies, number of devices with app, and number of devices with failure.

After you run the report, take a look at the dependentdeployments column, as this field indicates that the application is used as a dependent application in another application (supersedence).

Ex: Application A appears in this report with dependentdeployments >1, which means application A is used as a supersedence application in the other applications listed in dependentdeployments.

How does the report look:

image

 

Download the RDL file from TechNet Gallery Here, upload it to your SSRS reports, change the data source, and run it.

You might receive an error as seen below:

An error has occurred during report processing. (rsProcessingAborted)
Query execution failed for dataset 'DataSet1'. (rsErrorExecutingCommand)
The SELECT permission was denied on the object 'vSMS_AppRelation_Flat', database 'CM_XXX', schema 'dbo'.

This can be resolved by adding the reporting user with the datareader permission or by giving the select permission to the views.
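The two fixes side by side, as an added example rather than the post's own commands: db_datareader grants SELECT on every table and view in the site database, while a per-object grant covers only what the report reads. [DOMAIN\ReportUser] is a placeholder for your reporting account, and CM_XXX is the database name as it appears in the error above.

```sql
-- Added example, not part of the original post.
-- [DOMAIN\ReportUser] is a placeholder; CM_XXX is the database name from the error message.
USE [CM_XXX];

-- 1. See which principals already hold explicit permissions on the objects the report reads.
SELECT pr.name AS [Principal], o.name AS [Object], dp.permission_name, dp.state_desc
FROM sys.database_permissions dp
JOIN sys.objects o              ON o.object_id = dp.major_id AND dp.class = 1
JOIN sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
WHERE o.name IN (N'vSMS_AppRelation_Flat',
                 N'v_TaskSequenceAppReferencesInfo',
                 N'fn_ListApplicationCIs')
ORDER BY o.name, pr.name;

-- 2. Narrow fix: SELECT on the one object named in the error.
--    Repeat for another object only if the report fails on it as well.
GRANT SELECT ON OBJECT::dbo.vSMS_AppRelation_Flat TO [DOMAIN\ReportUser];

-- 3. Confirm the result from the reporting account's point of view (1 = allowed, 0 = denied).
EXECUTE AS USER = N'DOMAIN\ReportUser';
SELECT HAS_PERMS_BY_NAME(N'dbo.vSMS_AppRelation_Flat', N'OBJECT', N'SELECT') AS [Can select];
REVERT;

-- Broad fix, shown for comparison only: read access to every table and view in the database.
-- ALTER ROLE db_datareader ADD MEMBER [DOMAIN\ReportUser];
```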

 

SCCM Configmgr How to get list of deployments set to OverrideServiceWindows and RebootOutsideOfServiceWindows


Introduction:

A few months ago, we had an issue with one of our deployments (it was software updates) that was deployed to a collection with override service window, due to an emergency patch to be installed on the clients.

The deployment went fine and the results were positive. All good, but after a few days some clients were added to the deployed collection. As soon as the clients are added to the collection, they get new policy and perform a scan against the deployed software updates to check whether they are already installed; if not installed, they try to install right away due to the setting ‘Override Service Window’. What happens after the installation? If the patch you have deployed to the collection requires a reboot, it will check if there is any MW available to reboot; if there is no maintenance window, it will reboot, else it will wait for the maintenance window.

Unfortunately, some of the newly added clients had a maintenance window on a different collection in the next few days, which no one noticed, and the clients REBOOTED.

For sure, if any such unplanned reboot occurs, you must be in a position to explain the root cause and how you are going to prevent such issues in the future, with an RCA (root cause analysis).

So a request came to create a report that will help us identify how many such deployments (application, package or software update) exist with the OverrideServiceWindows and RebootOutsideOfServiceWindows options selected.

I got some time to allocate to this request, so I am posting it here for you in case you need to identify such deployments (applications, packages, software updates, baselines).

The below screen shows the deployment settings under the User Experience tab, with the user notifications, deadline behavior and device restart behavior settings.

image

 

How to get the list of deployments with OverrideServiceWindows and RebootOutsideOfServiceWindows selected?

To get information about OverrideServiceWindows and RebootOutsideOfServiceWindows for deployments, you first need to identify the right SQL views in SCCM.

All deployment information (packages, applications, baselines, software updates) is stored in a view called v_CIAssignment.

So I have used this view to retrieve the information and put it in a nice SSRS report with options to choose OverrideServiceWindows and RebootOutsideOfServiceWindows Yes or No.
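A query along these lines can be run directly in Management Studio; it is an added example, not the query inside the downloadable RDL. It assumes v_CIAssignment exposes the two options as columns with the same names (OverrideServiceWindows, RebootOutsideOfServiceWindows) along with AssignmentID, AssignmentName, CollectionID, StartTime and EnforcementDeadline.

```sql
-- Added example, not the report's own query.
-- Assumption: v_CIAssignment has columns named after the two options, plus
-- AssignmentID, AssignmentName, CollectionID, StartTime and EnforcementDeadline.
DECLARE @Override int, @RebootOutside int;
SET @Override = 1;        -- 1 = Yes, 0 = No
SET @RebootOutside = 1;   -- 1 = Yes, 0 = No

SELECT cia.AssignmentID,
       cia.AssignmentName,
       cia.CollectionID,
       coll.Name [Collection Name],
       cia.StartTime,
       cia.EnforcementDeadline,
       CASE WHEN cia.OverrideServiceWindows = 1 THEN 'Yes' ELSE 'No' END [Override MW],
       CASE WHEN cia.RebootOutsideOfServiceWindows = 1 THEN 'Yes' ELSE 'No' END [Reboot outside MW],
       -- Every current member receives this policy, including clients added after the rollout.
       (SELECT COUNT(*) FROM v_FullCollectionMembership fcm
         WHERE fcm.CollectionID = cia.CollectionID) [Members now],
       -- 0 means the targeted collection defines no maintenance window of its own.
       (SELECT COUNT(*) FROM v_ServiceWindow sw
         WHERE sw.CollectionID = cia.CollectionID) [MWs on target collection]
FROM v_CIAssignment cia
JOIN v_Collection coll ON coll.CollectionID = cia.CollectionID
WHERE cia.OverrideServiceWindows = @Override
  AND cia.RebootOutsideOfServiceWindows = @RebootOutside
ORDER BY [Members now] DESC, cia.AssignmentName;
```

Deployments that are past their deadline but still listed here are the ones that will act on any client added to the collection later, which is the situation described in the introduction.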

How to identify whether the deployment is a package, application or software update?

Use the below numbers to identify the deployment or package type.

When 0 Then 'Package'
When 2 Then 'Application'
When 3 Then 'Driver'
When 4 Then 'Task Sequence'
When 5 Then 'Software Update'
When 7 Then 'Virtual'
When 257 Then 'Image'
When 258 Then 'Boot Image'
When 259 Then 'OS Package'

Below is how the report looks: you can choose the options you want, and based on the selection the report will give you the deployment information.

 

image

 

As usual, I have posted the report in the TechNet Gallery. Download it from Here, upload it to your SSRS reports, change the data source, and run it.


SCCM Configmgr How to get clients maintenance window with custom dates (Past and Future )


Introduction:

Maintenance windows in Configmgr help to ensure that client configuration changes occur during periods that do not affect the productivity of the organization.

The following operations can be performed during the maintenance window:

  • Software update deployments
  • Compliance settings deployment and evaluation
  • Operating system deployments
  • Task sequence deployments

More about MW: https://technet.microsoft.com/en-us/library/hh508762.aspx?f=255&MSPPError=-2147217396

Problem:

So, if you want to know the client maintenance windows for the next few days (next 20 days, or recently occurred in the last 20 days), there is no built-in report, and you must go with a custom report to find out the clients that are undergoing the changes that are deployed by your SCCM team.

I had a requirement to create a report to get client maintenance windows with a prompt to choose past (occurred) and future (going to happen) days, or simply enter the client name to list the available maintenance windows.

Solution:

This blog post will help you to identify the clients that have a maintenance window set up for the next few days, or one that recently occurred, with some custom dates.

What you get with this report: a list of clients with their collection name, maintenance window name, description (effective date), and days ahead (if – (minus), it was a past date, else a future date).

After you run this report, it will prompt you to choose Past (-10) and Future (10). Past and Future are counted from the current date.

For example: today is 24-Jan-2017, I have client PC001 in collection ABC with MW set to 21-Jan-2017 and PC002 in collection CDE with MW set to 28-Jan-2017. So if I choose past as 3 days and future as 10 days, I should get all clients from the ABC and CDE collections, as their MWs fall under the past (2) and future date (10).

If I choose past as 1 day and future as 3 days, I won't get anything in the report, as there is no client that has an MW between 1 <--->3 from the current date.

The logic used in the SQL is: the maintenance window date should be < future date and > past date from the current date, as shown in the below snippet.

clip_image001
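The date logic described above, written out as an added example (it is not the query from the RDL, whose snippet is not reproduced here). It assumes the window date is the StartTime column of v_ServiceWindow, the same view and columns used in the maintenance window query earlier on this page; @Past, @Future and @Client are names chosen for this example.

```sql
-- Added example, not the report's own query.
-- Assumption: the "maintenance window date" is v_ServiceWindow.StartTime. For a recurring
-- window this is treated as the start stored for the schedule, not the next occurrence.
DECLARE @Past int, @Future int, @Client nvarchar(255);
SET @Past = 10;      -- days back from the current date
SET @Future = 10;    -- days ahead of the current date
SET @Client = '';    -- optional client name; empty string = all clients

SELECT sys.Name0 [Client],
       coll.Name [Collection Name],
       sw.Name [MW Name],
       sw.Description,
       CONVERT(nvarchar(26), sw.StartTime, 100) [StartTime],
       sw.Duration,
       DATEDIFF(day, GETDATE(), sw.StartTime) [Days Ahead]   -- negative = already occurred
FROM v_ServiceWindow sw
JOIN v_Collection coll ON coll.CollectionID = sw.CollectionID
JOIN v_FullCollectionMembership fcm ON fcm.CollectionID = sw.CollectionID
JOIN v_R_System sys ON sys.ResourceID = fcm.ResourceID
WHERE sw.StartTime > DATEADD(day, -@Past, GETDATE())     -- MW date > past date
  AND sw.StartTime < DATEADD(day, @Future, GETDATE())    -- MW date < future date
  AND (@Client = '' OR sys.Name0 = @Client)
ORDER BY sw.StartTime, sys.Name0;
```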

What does the report look like?

image

 

As usual, download the RDL file from TechNet Gallery here, upload it to your SSRS folder, change the data source, and run the report.

How to find and update DNS server search order using SCCM Configmgr


 

If you are using SCCM Configmgr in your environment, you can accomplish a lot of manual/administrative tasks with Configmgr using the deployment/compliance method.

Recently I was working on a task to update the DNS records (primary DNS server IP) for a lot of servers, as the servers use static IPs and it is required to change it on all of them where needed.

As there was a change in the network segment for the DNS server, the IP of the DNS server changed from Class B to Class A.

How do I update the old DNS server record with the new one on all the servers? Before you use any method (scripting or Configmgr), you need to know the list of servers that are using the old DNS record, validate it, and then perform the change.

image

Since our infra is using Configmgr to manage workstations and servers, I can use Configmgr to pull a report of servers using the old DNS server record, create a collection for these servers, deploy a script to update the DNS server record, and monitor the report to see whether the change executed successfully or not.

Before you generate the report, you need to find out which SQL views store information about DNS server details. Network adapter information is stored in the v_GS_NETWORK_ADAPTER_CONFIGUR view.

The information that we are looking for is DNSServerSearchOrder0, which is not enabled by default in the hardware inventory class.

You need to enable it by going to Client Settings –> Hardware Inventory –> Set Classes; search for network, you will see Network Adapter Configuration, and select DNS Server Search Order.

image

After you enable this, clients that are deployed with these client agent settings will download the policies and send the updated inventory during the next scheduled inventory cycle.

After this is done, you are good to generate the report to see the servers that are using the old DNS record.

Here is the SQL query to check the DNS server search order:

select sys.name0,os.Caption0,DNSServerSearchOrder0 from v_R_System sys
join v_GS_NETWORK_ADAPTER_CONFIGUR NAC on NAc.ResourceID=sys.ResourceID
join v_GS_OPERATING_SYSTEM os on os.ResourceID=sys.ResourceID
where OS.Caption0 like '%server%'
and nac.IPEnabled0='1'
and nac.DNSServerSearchOrder0 like '%OLD DNS SERVER IP%'

From the above query, you will get the servers with their primary and secondary DNS server records. Create a new collection and add these machines to the collection.

Now we have the list of servers to update with the new DNS server record, but we do not have a package to deploy to the collection.

To update the DNS server records, you can use either PowerShell or VBScript. If you are running any Server 2003, PowerShell is not a good option for you, so you might have to use VBScript.

I am posting both VBscript and PowerShell for your feasibility.

In my case, I need to update the primary DNS record (new IP) and keep the secondary DNS server record as it is, without any change.

VBscript:

on error resume next
strComputer = "."
Const FullDNSRegistrationEnabled = True
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Only adapters that have IP enabled
Set colNetCards = objWMIService.ExecQuery ("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")
FOR EACH objNetCard in colNetCards
    ' Primary and secondary DNS server, in search order
    arrDNSServers = Array("DNS server IP1","DNS Server IP2")
    errEnable = objNetCard.SetDNSServerSearchOrder(arrDNSServers)
    objNetCard.SetDynamicDNSRegistration FullDNSRegistrationEnabled
next

If you have primary and secondary DNS, replace the IP addresses accordingly in the above script.

Powershell:

# Only adapters that have IP enabled
$NICs = Get-WMIObject Win32_NetworkAdapterConfiguration | Where-Object {$_.IPEnabled -eq "True"}
Foreach($NIC in $NICs) {
    # Primary and secondary DNS server, in search order
    $DNSServers = "DNS server IP1","DNS server IP2"
    $NIC.SetDNSServerSearchOrder($DNSServers)
    $NIC.SetDynamicDNSRegistration("TRUE")
}

When you deploy the PowerShell script, pay attention to the command line you use. If you have set the PowerShell execution policy to Bypass in the client agent settings, you can simply use scriptname.ps1 as the command line and deploy it; otherwise you will have to use a command line that bypasses the execution policy for the script.

PowerShell.exe -ExecutionPolicy Bypass -File "scriptname.ps1"

Create a package using the above scripts, deploy it to the collection, and monitor the results.

For results, wait for the next hardware inventory cycle and fix the issue where it didn't go through.

SCCM Configmgr report for local admins and local group members


 

I had a requirement to generate a report listing the members (users/groups) of the local Administrators group on servers for auditing purposes. Finding the users/groups who are members of the local Administrators group manually or by scripting is a tedious task on all servers. If you are managing the devices with Configuration Manager, you can leverage Configmgr to get this task done easily.

By default, Configmgr does not have an inbuilt solution or report to get the members of the local Administrators group, but we can achieve this using a custom solution. The only solution that I have tried earlier, and seen people using, is the one that was provided/blogged by Sherry Kissinger.

The solution provided by Sherry was to create a configuration item/configuration baseline with a VBScript, deploy it to a collection, import a MOF file into the client agent settings to pull the custom WMI changes made by the script, and run a report to get the required information.

If you search online with the subject line, you will mostly hit TechNet forum posts/blogs that refer to the following links.

http://myitforum.com/cs2/blogs/skissinger/archive/2010/04/25/report-on-all-members-of-all-local-groups.aspx

https://mnscug.org/blogs/sherry-kissinger/244-all-members-of-all-local-groups-configmgr-2012

http://mnscug.org/images/Sherry/WMIFrameworkForLocalGroupswithLogging.zip

I tried this solution very long ago for some of my customers, and it worked fantastically, but I did not blog about it as there are already posts available online.

I started to follow the above blogs a few days ago for my task, but for some reason these URLs are not active. So during my online search, I found a few other blogs that talk about this solution.

I tried importing the cab file from Sherry's blog into a configuration baseline, but for some unknown reason, importing the cab file did not succeed on either Configmgr 2012 or Configmgr Current Branch 1610. Both environments show the following error.

 

image

I am not the only one facing issue while importing the cab file, there are lot more people who posted about it on TechNet for solution.

So I started creating the configuration items and configuration baseline, making the changes to client agent settings (MOF file), and generating the report.

I am attaching the configuration baseline cab file here for you to download, extract, and import into your Configmgr 2012 or Configmgr Current Branch 1610. Simply deploy it to your required collection and import the MOF file into client agent settings for hardware inventory.

If you see any issues while importing the cab file into a configuration baseline, please follow the steps illustrated below to implement this solution step by step.

In this blog post, I will show you how to create the configuration item and configuration baseline with the script that Sherry provided, make the MOF changes in client settings, wait for hardware inventory, and create a SQL query to run the report.

There are 2 VBScripts available online: 1) get members of the local Administrators group ONLY (WIN32_localadmins), and 2) get members of all local groups on the machine (cm_localgroupmembers).

Script 1 gets you the users/groups who are members of the Administrators group ONLY, and script 2 gets you the members of all locally created groups.

I have attached both scripts in the download section for your reference, in case you don't want the information for all groups.

Note: This task can be achieved in 2 ways, either by deploying the script as a package or by deploying the script using the baseline method, but the prerequisite is a recurring deployment or a recurring DCM baseline/CI.

Steps in brief:

1. Import the MOF file into the default client agent settings, but do not select the changes there. You can select these changes in custom client agent settings to deploy to a collection.

2. Create the configuration item and configuration baseline, and deploy to a collection on a recurring basis.

3. Run the SQL query/report to get the members of the local Administrators group.

Note: Should I go with a configuration item or a package? I would strongly suggest you go with a configuration item and make it recurring instead of scheduling it 1 time. Why should I make it recurring?

The script used in the configuration item creates the instance in WMI "cm_localgroupmembers" and queries the local groups and their members once per script run. This means that if you run the configuration item 1 time, it queries the local groups and members and writes the information into cm_localgroupmembers, but any changes that happen after that run won't appear in cm_localgroupmembers. To pick up any addition or deletion of users/groups from local groups, you must schedule it on a recurring basis.

In this post, I will go with the configuration baseline method.

Before we start the steps, download the files that are required to create the baseline, MOF file, reports, etc. from here

Step 1: Copy the MOF file from the download section to your SCCM server and import it into default client agent settings -> Hardware Inventory on your SCCM server (the CAS if you have one, else the primary site), then de-select the settings for localgroupmembers in the default client agent settings.

Go to your custom client agent settings and select localgroupmembers for the clients from which you want local group member information.

If you do not have any custom client agent settings in your environment, you can enable this setting in the default client agent settings.

Monitor dataldr.log for the changes.

With this change, a SQL view is created that can be used for reporting: v_gs_localgroupmembers0. The information stored in SQL views that start with V_GS comes from inventory.

Step 2: In the Configuration Manager console, go to Assets and Compliance, Compliance Settings, right-click Configuration Items, choose to create a new one, and type a name and description.

Click Next (leave the default OS settings), Next again, and on the Settings page add a new setting with the following information.

Name: WMI Framework for cm_localgroupmembers

Setting Type: Script

Data Type: String

Edit the script, select VBScript, and paste the content of the SCCMLocalGroupMembers.vbs file. This is script 2 that I referred to above. If you want only the members of the local Administrators group, use localadmins.vbs instead.

Click OK, click Next, and on the Compliance Rules page click New and enter the following information:

Name: cm_localgroupmembers

Selected setting: select the setting that you created above

Rule type: existential

Setting comply rule: This specified script does not return any values

Click OK, then Next, Next to reach the summary page.

Create a new baseline, select the configuration item that we created above, and deploy it to a collection.

Wait for the client to receive the new client device settings and for the configuration baseline to create the WMI instance, followed by client inventory.

On the client machine, after the policy is received, the assigned configuration baseline shows as compliant.

The script writes its output to SCCMLocalGroupMembers.log in the C:\windows\temp folder.

SQL Queries:

Now we have sufficient information about the local users and members of all local groups, stored in the SQL view 'v_gs_localgroupmembers0'.

We can create a variety of SQL queries depending on the requirement.

Query 1: List all clients with members of the local Administrators group:

select sys1.netbios_name0
,lgm.name0 [Name of the local Group]
,lgm.account0 as [Account Contained within the Group]
,lgm.domain0 [Domain for Account]
, lgm.type0 [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid=lgm.resourceid
join v_r_system sys1 on sys1.resourceid=lgm.resourceid
where lgm.name0='Administrators'
order by sys1.netbios_name0, lgm.name0, lgm.account0

Query 2: List members of the local Administrators group on a specific client:

select sys1.netbios_name0
,lgm.name0 [Name of the local Group]
,lgm.account0 as [Account Contained within the Group]
, lgm.category0 [Account Type]
, lgm.domain0 [Domain for Account]
, lgm.type0 [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid=lgm.resourceid
join v_r_system sys1 on sys1.resourceid=lgm.resourceid
where lgm.name0='Administrators'
and sys1.Name0='clientname'
order by sys1.netbios_name0, lgm.name0, lgm.account0

Query 3: List all clients with members of the local Administrators group, excluding certain users or groups:

This is helpful in case you have applied policies through GPO that define who should be a member of the local Administrators group on all clients, e.g. Domain Admins or some other AD security groups.

Accounts excluded in the query below: 'Domain Admins','wintelMonitoring','WintelAdmins','eskonr'

declare @PC nvarchar (255);set @PC='computername'
select sys1.netbios_name0
,lgm.name0 [Name of the local Group]
,lgm.account0 as [Account Contained within the Group]
,lgm.domain0 [Domain for Account]
, lgm.type0 [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid=lgm.resourceid
join v_r_system sys1 on sys1.resourceid=lgm.resourceid
where lgm.name0='Administrators' -- and sys1.name0=@pc
and lgm.account0 not in ('Domain Admins','wintelMonitoring','WintelAdmins','eskonr')
order by sys1.netbios_name0, lgm.name0, lgm.account0
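One way to turn Query 3 into an audit summary, as an added example that is not part of the original post: it counts, per unexpected account, on how many clients that account sits in the local Administrators group, and how many of those clients have inventory older than a threshold. The allowlist reuses the post's sample names, LastHWScan is the v_gs_workstation_status column used in the BitLocker query on this page, and the 7-day threshold is an assumption.

```sql
-- Added example: summarise unexpected local Administrators members per account.
-- Rarely seen accounts sort first, since one-off memberships are the usual audit findings.
declare @StaleDays int = 7;   -- assumption: inventory older than this is treated as stale

with expected as (
    -- Accounts that policy is expected to place in Administrators (post's sample names).
    -- Matching is on account name only, as in Query 3; adding domain0 is stricter.
    select account
    from (values ('Domain Admins'), ('wintelMonitoring'),
                 ('WintelAdmins'), ('eskonr')) v(account)
),
unexpected as (
    select lgm.resourceid, lgm.domain0, lgm.account0, lgm.type0
    from v_gs_localgroupmembers0 lgm
    where lgm.name0 = 'Administrators'
      and not exists (select 1 from expected e where e.account = lgm.account0)
)
select u.domain0                      [Domain for Account]
      ,u.account0                     [Account Contained within the Group]
      ,u.type0                        [Type of Account]
      ,count(distinct u.resourceid)   [Clients]
      ,min(sys1.netbios_name0)        [Example Client]
      -- The view only reflects the last baseline run plus hardware inventory,
      -- so flag rows whose source data may no longer be current.
      ,sum(case when ws.LastHWScan is null
                  or ws.LastHWScan < dateadd(day, -@StaleDays, getdate())
                then 1 else 0 end)    [Clients With Stale Inventory]
from unexpected u
join v_r_system sys1 on sys1.resourceid = u.resourceid
left join v_gs_workstation_status ws on ws.resourceid = u.resourceid
group by u.domain0, u.account0, u.type0
order by [Clients] asc, u.account0;
```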

 

Hope it helps!

SCCM Configmgr SQL WQL query compare 2 or more collections to get the difference

This is a quick post to show you how to compare 2 or more collections to find clients that are not members of other collections. The reason for me to write this collection is that, for server patching, we have been using direct membership rules (I know AD security groups are a good way to automate this, but let's leave that for now) due to multiple business units with different maintenance windows.

There could be multiple scenarios for comparing 1 collection with another, such as application deployment, OSD, etc.

So I want to check whether the servers that are in Active Directory are part of the patching collections or not. I am writing up another blog post on how to manage software updates for workstations or servers in an effective manner to achieve a good compliance rate, with some nice dashboard reports.

This way, I can get to know whether the servers in AD that are supposed to be patched on a monthly basis are missing from the patching collection. You can also achieve this using a SQL query, which is also listed in this blog post.

So I created a collection based on an Active Directory OU with collection ID PS100318. Creating a collection with an OU filter is straightforward.

I have another parent collection that is used for patching, PS100315. This collection includes a lot of individual collections, each with its own maintenance window set for patching.

Now, I need to compare the OU-based collection (PS100318) to find out if any server is not in the patching collection (PS100315).

 

Collection Query (sub selected query):

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId in (select ResourceID   from SMS_FullCollectionMembership   where CollectionID = "PS100318") and SMS_R_System.ResourceId not in (SELECT ResourceID FROM SMS_FullCollectionMembership WHERE collectionid IN ('PS100315'))

 

If you have more than 1 collection to compare, simply add all your collections to the IN condition, i.e. WHERE collectionid IN ('PS100315','PS100316','PS1000317'))

You can also use the include/exclude collection mechanism to do the same. Thanks to Nash for pointing this out.

SQL Query:

select fcm.name
from v_FullCollectionMembership fcm
where fcm.CollectionID='PS100318'
and fcm.name not in (select fcm1.name from v_FullCollectionMembership fcm1 where fcm1.CollectionID='PS100315')

 

You can expand the SQL query further to show the OS, hardware inventory, whether the client is installed, etc.
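An expanded form of the comparison, as an added example that is not from the original post: it matches on ResourceID instead of name and uses NOT EXISTS, because NOT IN returns no rows at all if the subquery ever yields a NULL name, and two records can share a name. Client0 and Operating_System_Name_and0 are standard v_R_System columns; the collection IDs are the ones used in this post.

```sql
-- Added example: servers in the OU-based collection that are missing from
-- every patching collection, with the detail needed to triage each one.
declare @SourceColl varchar(8) = 'PS100318';   -- OU-based collection (from the post)

select sys1.Netbios_Name0              [Name]
      ,sys1.Operating_System_Name_and0 [OS]
      ,sys1.Client0                    [Client Installed]   -- 1 = client present
      ,ws.LastHWScan                   [Last inventory]
from v_FullCollectionMembership src
join v_R_System sys1
      on sys1.ResourceID = src.ResourceID
left join v_GS_WORKSTATION_STATUS ws
      on ws.ResourceID = src.ResourceID
where src.CollectionID = @SourceColl
  and not exists (select 1
                  from v_FullCollectionMembership pat
                  where pat.ResourceID = src.ResourceID
                    -- add further patching collection IDs to this list as needed
                    and pat.CollectionID in ('PS100315'))
order by sys1.Netbios_Name0;
```

A row with no client installed or no recent inventory is a server that is not being managed at all, which is a different finding from one that is managed but left out of the patching collection.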

Hope it helps!

SCCM SSRS The report parameter has a default value or valid value that depends on the report parameter UserSIDs.Forward dependencies are not valid

The other day, I was trying to create my first SCCM Configmgr SSRS report with RBA (role-based administration). What this means is that data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view the information defined for their roles.

The report I was trying to create: get the status of BitLocker for all physical devices (laptops and desktops) in a specific collection. The main difference between normal SQL code and the SQL code that you use for RBA reports is that you simply replace V_ with fn_rbac_ and append (@UserSIDs) to the end of the SQL view name. The SQL code I used in this report with RBA is given at the end of the post.

Since the report has a collection prompt, I created a dataset for the collection that also uses fn_rbac and tried to run the report. For some reason, it failed to run with the following error.

Error: " The report parameter 'A' has a default value or valid value that depends on the report parameter 'A'. Forward dependencies are not valid ".

The above error clearly says that the COLLID prompt depends on the report parameter UserSIDs, which is another parameter; hence forward dependencies are not valid. In SSRS, the parameters are always executed in the specific order in which you define them. All parameters cannot run at the same time.

If you look at the parameters in my SSRS report, they are in the order 1) CollID 2) usertokenIDs and 3) UserIDs.

CollID uses the UserIDs parameter, which comes after it in the order, and forward dependencies are not accepted.

I need to change the order in which the parameters execute. So in your reporting tool (I use Visual Studio 2012), click on the parameters, select the parameter, use the arrow to change the order of the parameters, and run the report.

I had to move the COLLID parameter down to last to fix my issue here.

Download the SSRS report with RBA enabled from the TechNet Gallery.

SQL code to get the status of bitlocker for all physical devices from specific collection:

SELECT distinct SYS.Netbios_Name0 [Name],sys.User_Name0,
OS.Caption0 [OS],MEM.TotalPhysicalMemory0/1024 [Memory (MB)],
CS.Model0,
ev.driveletter0,
case when ev.protectionstatus0=1 then 'Yes' else 'No' end as 'IsDrive Bitlocker',
CONVERT(nvarchar(26), ws.LastHWScan , 100) [Last inventory],
CONVERT(nvarchar(26), sys.Last_Logon_Timestamp0 , 100) [Last Logontimestamp]
FROM fn_rbac_R_System(@UserSIDs) SYS
LEFT JOIN  fn_rbac_GS_X86_PC_MEMORY(@UserSIDs) MEM on SYS.ResourceID = MEM.ResourceID
LEFT JOIN  fn_rbac_GS_COMPUTER_SYSTEM(@UserSIDs) CS on SYS.ResourceID = CS.ResourceID
LEFT JOIN fn_rbac_GS_OPERATING_SYSTEM(@UserSIDs) OS on SYS.ResourceID=OS.ResourceID
--LEFT OUTER JOIN fn_rbac_R_User(@UserSIDs) vUSER ON vUSER.[User_Name0] = SYS.User_Name0
left join fn_rbac_GS_ENCRYPTABLE_VOLUME(@UserSIDs) EV on ev.resourceid=sys.resourceid
left join fn_rbac_GS_WORKSTATION_STATUS(@UserSIDs) ws on sys.ResourceID=ws.ResourceID
left join fn_rbac_FullCollectionMembership(@UserSIDs) fcm on sys.ResourceID=fcm.ResourceID
WHERE
fcm.CollectionID=@COLLID
and cs.Model0 not like '%virtual%'
ORDER BY SYS.Netbios_Name0

If you want to run the above SQL code in SQL Server Management Studio, simply replace @COLLID with the collection ID and add Declare @UserSIDs as varchar(Max) = 'Disabled' at the beginning of the query.

Collection Prompt:

select CollectionID, Name from fn_rbac_Collection(@UserSIDs)
order by Name
