Channel: SQL Queries – All about Microsoft Endpoint Manager

SCCM Configmgr Get count of software updates with its severity (Critical,Important,Moderate and Low)


A quick post on how to get the count of software updates in your Configuration Manager database, categorised by severity: Critical, Important, Moderate and Low.

To get the count of updates by severity, you first need to identify which SQL views store this information about software updates.

The SQL views documentation for all Configmgr versions, from SCCM 2012 to Current Branch 1702, is available at https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

The severity of a software update is stored in v_UpdateInfo. This SQL view also stores a lot of other information such as title, article ID, bulletin ID and date posted; most of the metadata about software updates is stored in v_UpdateInfo.

We will use this SQL view to get the count of software updates by severity.

Listed below are the severity values and their descriptions:

Severity=2 -> Low

Severity=6 -> Moderate

Severity=8 -> Important

Severity=10 -> Critical

I am listing 2 SQL queries here: 1) one without any filters, which returns whatever is available in your CM database, and 2) a modified version with custom filters (thanks to Sherry on myitforum).

1.

select CASE(ui.Severity)
When 2 Then 'Low' When 6 Then 'Moderate' When 8 Then 'Important' When 10 Then 'Critical' Else 'NA' End as 'Severity',
ui.Severity ,count(ui.ci_id) [Total Updates]
from v_updateinfo ui
group by ui.severity
order by 3 desc

 


2.

;with cte as (
    select
        CI_ID,
        BulletinID,
        ArticleID,
        Title,
        DatePosted,
        DateRevised,
        isExpired,
        isSuperseded,
        CI_UniqueID,
        case
            when (ui.severity=0 and ui.CustomSeverity=0) or ui.severity is null then '0 None'
            when ui.CustomSeverity=6 then '6 Moderate'
            when ui.CustomSeverity=8 then '8 Important'
            when ui.CustomSeverity=10 then '10 Critical'
            when ui.CustomSeverity=2 then '2 Low'
            when ui.Severity=2 and ui.CustomSeverity=0 then '2 Low'
            when ui.Severity=6 and ui.CustomSeverity=0 then '6 Moderate'
            when ui.Severity=8 and ui.CustomSeverity=0 then '8 Important'
            when ui.Severity=10 and ui.CustomSeverity=0 then '10 Critical'
        end as 'Severity'
    from v_UpdateInfo ui
    where
        ui.title not like '%Itanium%'
)
select severity, count(*) [Count]
from cte
group by Severity
order by Severity

You can add more filters to the 2nd query, like superseded!=0 and expired=1 etc.


SCCM Configmgr Software Update Compliance Report for Specific Collection within Specific Time Frame


In this post, I will discuss a requirement that I received recently. The local team/manager wants to run a software update compliance report for their LBU machines (collections) to see whether all the clients in a collection are compliant for all the patches with a release date between date X and date Y.

Whether or not the patches requested/available in SCCM have been deployed, the SCCM report should show whether the clients are in good shape for the specified period.

By default, SCCM has a couple of reports for software update compliance, but they do not cover the case where you want the compliance status of a specific collection for all updates that exist in SCCM (no software update group here) within a specific period, say Jan 1, 2015 to Dec 31, 2015, or any range X to Y.

How do you generate a software update compliance report for a specific collection, for all the updates available in SCCM within a specific date range?

To create a report for this requirement, we need a set of SQL views that have information about software updates, collections, client inventory etc.

Below are the SQL views that I used in this report:

v_GS_COMPUTER_SYSTEM

v_CICategories_All

v_CategoryInfo

v_gs_workstation_status

v_fullcollectionmembership

v_UpdateInfo

v_UpdateComplianceStatus

Download the SSRS report from the TechNet Gallery, upload it to your SSRS folder, change the data source and run the report.

When you run the report, it prompts for the collection, start date and end date.

The results shown in the report exclude superseded and expired updates (IsExpired=0 and IsSuperseded=0).

The original report is taken from Garth's post http://smsug.ca/blogs/garth_jones/archive/2009/02/25/patch-compliance-progression-report.aspx and modified to include the date prompts and the superseded and expired filters, and to add inventory information such as OS, update scan, IP address and last reboot.

A linked report to see the list of updates for each client will be in the next post.
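
A query along the lines described above, written here as an added example (it is not the SQL inside the downloadable report). It counts, per client in one collection, the non-expired and non-superseded updates posted in the date window that are still required. The collection ID and the dates are placeholder values, and a client with no update scan on record is reported as unknown rather than compliant.

```sql
-- Added example: not the dataset query from the downloadable SSRS report.
-- The three values below are placeholders; in SSRS they would be report parameters.
DECLARE @CollID    varchar(8) = 'XXX00000';   -- placeholder collection ID
DECLARE @StartDate datetime   = '20150101';   -- X date
DECLARE @EndDate   datetime   = '20151231';   -- Y date (inclusive)

;WITH updates AS (
    -- Updates released in the window, excluding expired and superseded ones
    SELECT ui.CI_ID
    FROM v_UpdateInfo ui
    WHERE ui.DatePosted >= @StartDate
      AND ui.DatePosted <  DATEADD(day, 1, @EndDate)
      AND ui.IsExpired = 0
      AND ui.IsSuperseded = 0
),
missing AS (
    -- Status = 2 means the update is required (not yet installed) on the client
    SELECT css.ResourceID, COUNT(*) AS MissingUpdates
    FROM v_UpdateComplianceStatus css
    JOIN updates u ON u.CI_ID = css.CI_ID
    WHERE css.Status = 2
    GROUP BY css.ResourceID
),
lastscan AS (
    -- One row per client, even if it has scanned against more than one update source
    SELECT uss.ResourceID, MAX(uss.LastScanTime) AS LastScanTime
    FROM v_UpdateScanStatus uss
    GROUP BY uss.ResourceID
)
SELECT fcm.Name                                       AS [Host],
       os.Caption0                                    AS [OS],
       ISNULL(m.MissingUpdates, 0)                    AS [Missing Updates],
       CASE
           -- Zero missing updates means nothing if the client never scanned
           WHEN ls.LastScanTime IS NULL          THEN 'Unknown (no update scan)'
           WHEN ISNULL(m.MissingUpdates, 0) = 0  THEN 'Compliant'
           ELSE 'Non-compliant'
       END                                            AS [Compliance],
       CONVERT(varchar(26), ls.LastScanTime, 100)     AS [LastSUScanTime],
       CONVERT(varchar(26), ws.LastHWScan, 100)       AS [LastHWScan],
       CONVERT(varchar(26), os.LastBootUpTime0, 100)  AS [Last Reboot]
FROM v_FullCollectionMembership fcm
LEFT JOIN missing m                  ON m.ResourceID  = fcm.ResourceID
LEFT JOIN lastscan ls                ON ls.ResourceID = fcm.ResourceID
LEFT JOIN v_GS_OPERATING_SYSTEM os   ON os.ResourceID = fcm.ResourceID
LEFT JOIN v_GS_WORKSTATION_STATUS ws ON ws.ResourceID = fcm.ResourceID
WHERE fcm.CollectionID = @CollID
ORDER BY [Missing Updates] DESC, fcm.Name;
```

The last scan time is worth reading next to the compliance column: a client that has not scanned since the newest updates were synchronised can show as compliant only because it has not evaluated them yet.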

How to check who executed SCCM Configmgr reports for auditing or troubleshooting purpose


If you want to know who executed the Configuration Manager reports (or any other SSRS reports) and how many times, or if anyone complains that some of the Configmgr reports are running slowly or timing out, how do you find such reports and take action?

I receive requests from remote users saying that they have issues while running some of the custom reports, but when I run them they work fine, just not for remote users. There could be many reasons why a report loads slowly (network or SQL code issues etc.), which I am not going to discuss here.

Recently I was checking which reports users run most often, how many times they have run them, which are the top reports and how long these reports take to execute.

When you run SSRS reports, a lot of information is logged to the report execution log.

This report execution log is stored in the report server database, which by default is named ReportServer. If you have a custom database name, you must use that database to run the query.

In the ReportServer database, there are 3 SQL views that contain information about the execution log.

A Microsoft article describes these execution log SQL views.

Now let's try a SQL query to pull information about the SSRS reports with execution time, users, start time etc.

Use  ReportServer
select * from ExecutionLog3
order by TimeStart desc

The query below helps you find the number of times each user ran each report.

Use ReportServer
select ItemPath,UserName,count(*) [No of times executed] from ExecutionLog3
group by ItemPath,UserName
order by 3 desc
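
For the slow and timed-out reports mentioned at the start of this post, the same view can be summarised per report. This is an added example, not one of the original queries; the 30-day window and the TOP (50) limit are assumed values. The first query ranks reports by average duration and splits the time into data retrieval, processing and rendering; the second lists the most recent executions that did not succeed, with the user and parameters, which is the part you need for auditing.

```sql
USE ReportServer;   -- use your own database name if it is not the default

-- Look-back window (assumed value). The execution log only keeps a limited
-- number of days (60 by default), so older runs will not be present.
DECLARE @Days int = 30;

-- 1) Per report: how often it ran, by how many users, how often it failed,
--    and where the time went. Time* columns are stored in milliseconds.
SELECT el.ItemPath,
       COUNT(*)                                            AS [Executions],
       COUNT(DISTINCT el.UserName)                         AS [Distinct Users],
       SUM(CASE WHEN el.Status <> 'rsSuccess' THEN 1 ELSE 0 END) AS [Failed],
       CAST(AVG(DATEDIFF(ms, el.TimeStart, el.TimeEnd) / 1000.0) AS decimal(10,2)) AS [Avg Seconds],
       CAST(MAX(DATEDIFF(ms, el.TimeStart, el.TimeEnd) / 1000.0) AS decimal(10,2)) AS [Max Seconds],
       CAST(AVG(el.TimeDataRetrieval / 1000.0) AS decimal(10,2)) AS [Avg Data Retrieval (s)],
       CAST(AVG(el.TimeProcessing    / 1000.0) AS decimal(10,2)) AS [Avg Processing (s)],
       CAST(AVG(el.TimeRendering     / 1000.0) AS decimal(10,2)) AS [Avg Rendering (s)],
       MAX(el.TimeStart)                                   AS [Last Run]
FROM ExecutionLog3 el
WHERE el.TimeStart >= DATEADD(day, -@Days, GETDATE())
  AND el.ItemAction = 'Render'          -- ignore sorts, drill-through navigation etc.
GROUP BY el.ItemPath
ORDER BY [Avg Seconds] DESC;

-- 2) Most recent executions that did not succeed: who ran what, with which
--    parameters, and how long it ran before it stopped.
SELECT TOP (50)
       el.TimeStart,
       el.ItemPath,
       el.UserName,
       el.Status,
       DATEDIFF(second, el.TimeStart, el.TimeEnd) AS [Seconds],
       el.Format,
       el.Parameters
FROM ExecutionLog3 el
WHERE el.TimeStart >= DATEADD(day, -@Days, GETDATE())
  AND el.Status <> 'rsSuccess'
ORDER BY el.TimeStart DESC;
```

A report whose time is mostly data retrieval points at the SQL query, while a high rendering time points at the report layout or the export format.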

One way to reduce disk space/CPU I/O is to enable the cache option in reports; for further reading, please have a look at https://www.enhansoft.com/blog/how-to-setup-report-caching-for-a-ssrs-report

More information about the columns and their descriptions can be found at http://www.sqlchick.com/entries/2011/2/6/querying-the-report-server-execution-log.html

Hope it helps!

 

Configmgr SQL query to get the list of clients that require a specific software update patch


This is a quick blog post about getting the list of clients that require a specific software update (it can be based on title, article ID (KB) or bulletin ID).

You can get the client list using the default software update compliance reports, but they do not give you inventory information about the client such as IP address, hardware scan, software update scan and OS. A custom SQL query also lets you filter on a lot more, like collection ID, hostname contains, OS not like etc.

Adobe has released a security update (APSB17-32) for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. This update addresses a critical type confusion vulnerability that could lead to code execution.

The security team has requested that this update be installed on all machines that require it, so before proceeding you need to identify the list of clients, notify the application team (mainly for servers) and follow the change request process.

Below is the SQL query to get the list of clients that require bulletin ID APSB17-32. I have also added a couple of filter options, like excluding server OS 2003 and including only server OS.

I have also added title, article ID, collection ID and hostname filters, which are commented out in the query. If you want to filter the results using these, simply uncomment them (by removing the leading dashes --).

You can use this SQL query to create an SSRS report and run it directly from the URL, without running it from SQL Server Management Studio.

select vrs.Name0 [Host],os.Caption0 [OS],
IP.IPAddress AS [IP Address],
CONVERT(VARCHAR(26), ws.lasthwscan, 100) as [LastHWScan],
CONVERT(VARCHAR(26), uss.lastscantime, 100) AS 'LastSUScanTime',
CONVERT(nvarchar(26), OS.LastBootUpTime0, 100) AS [Last Reboot],
ui.InfoURL as InformationURL,ui.Title,ui.dateposted [Date Posted]
from V_UpdateComplianceStatus  css
join v_UpdateInfo ui on ui.CI_ID=css.CI_ID
inner join v_FullCollectionMembership fcm on fcm.ResourceID=css.ResourceID
JOIN dbo.v_R_System AS vrs ON vrs.ResourceID = css.ResourceID
join v_GS_OPERATING_SYSTEM OS on os.ResourceID=css.ResourceID
join v_GS_WORKSTATION_STATUS WS on ws.ResourceID=css.ResourceID
join v_UpdateScanStatus USS on uss.ResourceID=css.ResourceID
JOIN (SELECT     IP1.resourceid AS rsid2, IPAddress = substring
((SELECT     (IP_Addresses0 + ', ')
FROM    v_RA_System_IPAddresses IP2
WHERE     IP2.IP_Addresses0 NOT LIKE '169%' AND IP2.IP_Addresses0 NOT LIKE '0.%' AND IP2.IP_Addresses0 NOT LIKE '%::%' AND
IP_Addresses0 NOT LIKE '192.%' AND IP1.resourceid = IP2.resourceid
ORDER BY resourceid FOR xml path('')), 1, 50000)
FROM    v_RA_System_IPAddresses IP1
GROUP BY resourceid) IP ON IP.rsid2 = fcm.resourceid
WHERE css.Status=2 --for required
and ui.BulletinID='APSB17-32'
--AND ui.Title='2017-08 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB4034664)'
--and ui.ArticleID='4034664'
and vrs.operatingSystem0 not like '%2003%'
--and fcm.CollectionID='PS100118'
--and (fcm.name like '%WP%')
and vrs.operatingSystem0 like '%server%'
group by vrs.Name0,vrs.operatingSystem0 ,ui.InfoURL,ui.Title,ui.dateposted,
os.caption0,
ws.lasthwscan,
uss.lastscantime,
IP.IPAddress,
OS.LastBootUpTime0
ORDER BY 1

 


 

Hope  it helps!

ConfigMgr How to use Compliance Settings to check the windows update policy settings like WUServer, UseWUServer,NoAutoUpdate on clients


 

When you install the Configuration Manager client to manage a Windows device, it tries to configure local group policy to set the WSUS server settings (this works as long as no GPO is configured to set these settings). If you do have a GPO that configures the WSUS information, the local policy created by the Configmgr client will fail to apply, which is logged in wuahandler.log and windowsupdate.log.

If you look at wuahandler.log, you will see an error something like this: “Group policy settings were overwritten by a higher authority (domain controller) to server and policy not configured”.

So before you install the SCCM client, it is always recommended to disable the GPO settings for Windows Update to avoid a conflict with the local policy created by the Configmgr client. More information about software update troubleshooting: http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

If you want to know more about the relation between Configmgr software update management and group policy, please read Jason Sandys' explanation: https://home.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/

https://home.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

In this blog post, we are going to see how to check whether 4 commonly used Windows Update policy settings, the WSUS settings UseWUServer, WUServer and NoAutoUpdate plus accepting trusted publisher certificates (for 3rd party patching), are correctly configured before clients perform a software update scan.

1.WUServer

2.UseWUServer

3.NoAutoUpdate

4.AcceptTrustedPublisherCerts

Although you can run a SQL query to get the clients that have a GPO conflict, it is always good to check these registry values to make sure clients are good.

AcceptTrustedPublisherCerts -> trusts 3rd party updates, if you are using SCUP to publish Adobe, Flash, Java and other updates that are deployed via SCCM.

The location that stores the above policy settings in the client registry is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (for both 32bit and 64bit OS).

NoAutoUpdate -> disables automatic Windows updates.

The following SQL query gets information about clients that have a GPO conflict:

select distinct sys.name0 [Computer Name],os.caption0 [OS],convert(nvarchar(26),ws.lasthwscan,100) as [LastHWScan],convert(nvarchar(26),sys.Last_Logon_Timestamp0,100) [Last Loggedon time Stamp],
sys.user_name0 [Last User Name] ,uss.lasterrorcode,uss.lastscanpackagelocation from v_r_system sys
left join v_gs_operating_system os on os.resourceid=sys.resourceid
left join v_GS_WORKSTATION_STATUS ws on ws.resourceid=sys.resourceid
left join v_updatescanstatus uss on uss.ResourceId=sys.ResourceID
inner join v_FullCollectionMembership fcm on fcm.ResourceID=sys.ResourceID
where uss.lasterrorcode!='0'
--and fcm.CollectionID in('PS100140')
and sys.client0 is not NULL
and uss.LastErrorCode='-2016409966'
order by sys.name0

Now let's focus on the configuration item/configuration baseline to create and deploy to a collection:

I have a couple of blog posts on how to create a configuration item with settings, hence I am not going to show it step by step. I will go through the settings that are really important for this task.

At the end, I also attach the exported version of the configuration baseline; however, you might have to edit it after import because of the WSUS server information.

In the new setting, provide the following information.

Name: WUServer (anything you like), Setting type: Registry value, Data type: String, Hive name: HKEY_LOCAL_MACHINE, Key name: SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Click Browse to select the registry key.

Registry key: choose the following settings.

Click OK.

Click Compliance Rules; you will see 2 conditions.

If you have multiple WSUS servers, click the WUServer "one of" rule and click Edit Rule.

Paste all the WSUS server locations into the "one of" field and click OK.

How do you get the list of all WSUS server locations?

Run the following SQL query against your CM database.

select LastScanPackageLocation from v_UpdateScanStatus
where LastScanPackageLocation not like ''
group by LastScanPackageLocation

We have now created one setting for WUServer; in the same way we need to create 3 more entries.

For UseWUServer, click New and follow the options listed below.

While you are on this page, click Browse and follow the path below to select the registry key.

Click OK.

Under compliance rules, select "Report noncompliance if this setting instance is not found".

We will create the remaining 2 conditions in the same way as for UseWUServer. All you need to do is point the registry key to the respective value.

3. NoAutoUpdate -> SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Under compliance rules, select "Report noncompliance if this setting instance is not found".

4. AcceptTrustedPublisherCerts -> SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Under compliance rules, select "Report noncompliance if this setting instance is not found".

Click OK.

We have now set the 4 conditions required to check the Windows Update policy settings.

Click Next to verify all compliance rules.

Click Next to complete the configuration item wizard.

We can now create a configuration baseline and deploy it to a collection.

If any of the above settings is not found on the client computer, it will report as non-compliant, which will help you to troubleshoot and fix software update scan issues.

Download the CB (configuration baseline) for Windows Update policy settings here.

To import it, go to Compliance Settings, Configuration Baselines, right click and import the cab file.

After you import the cab file, don't forget to edit the configuration item and modify your WSUS server settings.

Hope this guide helps!

Configmgr report for count of MS office versions with architecture type 32bit and 64bit


This blog post is version 3 on the same topic (report for MS Office versions) but with different requirements. My previous posts, an SSRS report for the count of MS Office versions and a drill-down report to see client names etc., have some limitations: they do not give you the bit type (architecture), 32bit or 64bit, of the Office installed on the client. They simply get the count of each MS Office edition installed and then drill down further to get the list of client computers with Office edition, version, OS and hardware scan date.

Both versions of the SSRS report can be found at https://gallery.technet.microsoft.com/office/SCCM-Configmgr-Report-for-2c36f1b9 and https://gallery.technet.microsoft.com/office/SCCM-Configmgr-2012-SSRS-c482cca2

After I posted these 2 reports, blog viewers, TechNet Gallery users and forum members asked for the bit type (32bit or 64bit) of the Office product that is installed on the client.

I have a lot of requests/posts in my to-do list to blog about, but due to time limitations I cannot get to all of them.

For this requirement, to get 32bit and 64bit for MS Office, I found a Microsoft article on identifying whether MS Office is 32bit or 64bit, https://support.microsoft.com/en-us/help/928516/description-of-product-code-guids-in-2007-office-suites-and-programs, and it is based on the product code.

This product code is the one we use to uninstall any software using msiexec /x {productID}.

From the product code, the 21st character from the left (substring(productID,21,1)) tells you whether it is 32bit or 64bit.

0 for x86

1 for x64

If you read the support article, there is a lot of other information such as release version (RTM, SP1, SP2 etc.) and release type (volume, retail, trial).

This product ID is stored in different SQL views in the CM database, of which we are going to use v_Add_Remove_Programs. For more information about SQL views in SCCM, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

The following Office editions are included in the report. If you have any other Office editions which are not in the list below, please edit the report and append them.

'Microsoft Office Personal 2007'
'Microsoft Office Professional 2007'
'Microsoft Office Professional 2007 Trial'
'Microsoft Office Professional Hybrid 2007'
'Microsoft Office Professional Plus 2007'
'Microsoft Office Professional Plus 2007 (Beta)'
'Microsoft Office Standard 2007'
'Microsoft Office Standard 2007 Trial'
'Microsoft Office Ultimate 2007'
'Microsoft Office Enterprise 2007'
'Microsoft Office Ultimate 2007'
'Microsoft Office Ultimate 2007'
'Microsoft Office 2010'
'Microsoft Office Professional Plus 2010'
'Microsoft Office Standard 2010'
'Microsoft Office Professional 2010'
'Microsoft Office Home and Student 2010'
'Microsoft Office Home and Business 2010'
'Microsoft Office Professional Plus 2010 (Beta)'
'Microsoft Office Starter 2010 - English'
'Microsoft Office 2013'
'Microsoft Office Professional Plus 2013'
'Microsoft Office Standard 2013'
'Microsoft Office Professional 2013'
'Microsoft Office Home and Student 2013'
'Microsoft Office Home and Business 2013'
'Microsoft Office Professional Plus 2013 (Beta)'
'Microsoft Office Starter 2013 - English'
'Microsoft Office 2016'
'Microsoft Office Professional Plus 2016'
'Microsoft Office Standard 2016'
'Microsoft Office Professional 2016'
'Microsoft Office Home and Student 2016'
'Microsoft Office Home and Business 2016'
'Microsoft Office Professional Plus 2016 (Beta)'
'Microsoft Office Starter 2016 - English'
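
The 21st-character rule applied against v_Add_Remove_Programs, as an added example (this is not the dataset query from the downloadable report). The edition list is shortened to a few names from the list above. The GUID pattern filter is needed because the same edition can also be inventoried with a non-GUID product ID, where the 21st character means nothing.

```sql
-- Added example: not the dataset query from the downloadable SSRS report.
SELECT arp.DisplayName0 AS [Office Edition],
       CASE SUBSTRING(arp.ProdID0, 21, 1)     -- position 21 counts the opening brace
           WHEN '0' THEN '32-bit (x86)'
           WHEN '1' THEN '64-bit (x64)'
           ELSE 'Unknown'
       END AS [Architecture],
       COUNT(DISTINCT arp.ResourceID) AS [Total Clients]
FROM v_Add_Remove_Programs arp
JOIN v_R_System sys ON sys.ResourceID = arp.ResourceID
WHERE sys.Client0 = 1
  -- Only product codes in GUID form carry the bitness digit:
  -- {8 chars-4-4-4-12 chars}; "_" matches exactly one character.
  AND arp.ProdID0 LIKE '{________-____-____-____-____________}'
  -- Office product code GUIDs end in 0FF1CE
  AND arp.ProdID0 LIKE '%0FF1CE}'
  -- Shortened list; extend it with the editions listed above
  AND arp.DisplayName0 IN (
        'Microsoft Office Professional Plus 2010',
        'Microsoft Office Standard 2010',
        'Microsoft Office Professional Plus 2013',
        'Microsoft Office Standard 2013',
        'Microsoft Office Professional Plus 2016',
        'Microsoft Office Standard 2016'
      )
GROUP BY arp.DisplayName0,
         CASE SUBSTRING(arp.ProdID0, 21, 1)
             WHEN '0' THEN '32-bit (x86)'
             WHEN '1' THEN '64-bit (x64)'
             ELSE 'Unknown'
         END
ORDER BY arp.DisplayName0, [Architecture];
```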

As usual, download the SSRS report (rdl) files from the TechNet Gallery here, upload them to your reporting folder in SCCM reports, change the data source and run the report.

This report supports RBA (role based administration) functionality.

Note that the 2nd report (drill-down report) cannot be run on its own; to run it, you must run the 1st report, which is the count of Office versions, and drill through to the 2nd report.

SQL code and parameter values for the dataset (RBA): the following is for your information only, and no input is required from you to run this report.

DataSetAdminID: select dbo.fn_rbac_GetAdminIDsfromUserSIDs(@UserTokenSIDs) as UserSIDs

Parameter for UserTokenSIDs: General -> Parameter visibility -> Internal, default values -> specify values -> =SrsResources.UserIdentity.GetUserSIDs(User!UserID)
Parameter for UserSIDs: General -> Parameter visibility -> Internal, default values -> Get values from a query and choose DatasetAdminID

You can always edit the RDL files and customize them.

Happy reporting!

Configmgr How use compliance settings to check windows update agent version (WUA) is older ,Collection and SQL query


Using compliance settings in Configmgr, you can do many tasks as part of compliance. In the last couple of blog posts, we used compliance settings to identify WU settings, automatic update, trusted publisher settings etc. http://eskonr.com/2017/10/configmgr-how-to-use-compliance-settings-to-check-the-windows-update-policy-settings-like-wuserver-usewuservernoautoupdate-on-clients/

In this blog post, we will see how to use compliance settings to check whether the Windows Update Agent version is an older one or the latest, as per https://support.microsoft.com/en-us/help/949104/how-to-update-the-windows-update-agent-to-the-latest-version.

The Windows Update Agent runs on each client computer and checks for availability of updates. If you are using Configmgr, when the software update scan cycle runs, a scan request is passed to the Windows Update Agent (WUA). The WUA then connects to the WSUS server location that is listed in the local policy (this policy is created at the time of Configmgr client installation), retrieves the software updates metadata (update catalog) that has been synchronized on the WSUS server, and scans the client computer for the updates. To read further on software updates: https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction

Daniel (PotentEngineer) has documented all the versions of the Windows Update Agent at http://www.potentengineer.com/windows-update-agent-build-numbers-for-windows-7/

There are a lot of cases of Windows Update issues caused by an old version of the Windows Update Agent, hence you need to focus on bringing the Windows Update Agent to the latest supported version.

I will not go into detail (step by step) about how to create a configuration item and configuration baseline; instead, I will guide you through the settings that you need to configure for the Windows Update Agent.

Though the configuration used in the settings and rule of the compliance setting is very simple, I would like to cover it in this blog post along with a SQL query and WQL collection to identify how many clients in your organisation are running older versions.

1. Define the compliance setting for the applicable OS (the Windows Update Agent varies from OS to OS). This blog post focuses on Windows 7.

Once you deploy the configuration baseline to a collection, clients will perform the CI evaluation and send the results to Configmgr, which will help you to create a collection from the baseline results and deploy the latest Windows Update Agent.

Compliance item:

New setting:

New rule: replace the value with the Windows Update Agent version that you are looking for.

Note: The above WUA version is only for Windows 7, hence you need to configure the OS while creating the CI, or deploy this only to a Windows 7 collection.

If you want to create the rule for multiple OSes to check the WUA version, you can try something like below (it is untested at the time of writing this blog post).

Make sure you add the latest version of the Windows Update Agent into the "one of" list.

2. WQL query for collection:

Ronni has a nice post on this; please follow it: https://www.ronnipedersen.com/2015/06/04/updating-the-windows-update-agent-on-windows-7-clients/

3. SQL query:

The Windows Update Agent version is stored in the v_GS_WINDOWSUPDATEAGENTVERSION SQL view.

We will use this SQL view to find the count of each version.

select a.version0 as 'WUA Version', count(*) as 'Total'
from v_GS_WINDOWSUPDATEAGENTVERSION as a
group by a.version0
order by 2 desc

More information: http://eskonr.com/2010/02/sccm-collection-for-windows-update-agent/

Using this, you can create a nice SSRS report. You can also create a drill-down report to find which machines are running lower versions, with computer name, user name etc.
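
A drill-down query of that kind, as an added example rather than a query from the original post. The minimum version is a sample value to replace with the version you require. Version0 is text, so comparing it directly would sort '7.10' before '7.6'; the query builds a zero-padded key from the four parts instead, and lists any version it cannot split into four parts rather than silently skipping it.

```sql
-- Added example. @MinVersion is a sample value: set it to the version you require.
DECLARE @MinVersion varchar(32) = '7.6.7600.320';

-- PARSENAME splits a four-part dotted string (part 4 is the leftmost).
-- Zero-padding each part to 5 digits gives a key that compares numerically.
DECLARE @MinKey char(20) =
      RIGHT('00000' + PARSENAME(@MinVersion, 4), 5)
    + RIGHT('00000' + PARSENAME(@MinVersion, 3), 5)
    + RIGHT('00000' + PARSENAME(@MinVersion, 2), 5)
    + RIGHT('00000' + PARSENAME(@MinVersion, 1), 5);

;WITH wua AS (
    SELECT v.ResourceID,
           v.Version0,
           -- NULL when Version0 does not have exactly four parts
             RIGHT('00000' + PARSENAME(v.Version0, 4), 5)
           + RIGHT('00000' + PARSENAME(v.Version0, 3), 5)
           + RIGHT('00000' + PARSENAME(v.Version0, 2), 5)
           + RIGHT('00000' + PARSENAME(v.Version0, 1), 5) AS VersionKey
    FROM v_GS_WINDOWSUPDATEAGENTVERSION v
)
SELECT sys.Name0      AS [Computer Name],
       sys.User_Name0 AS [Last User Name],
       os.Caption0    AS [OS],
       wua.Version0   AS [WUA Version],
       CASE WHEN wua.VersionKey IS NULL THEN 'Version not in a.b.c.d form'
            ELSE 'Older than ' + @MinVersion
       END            AS [Reason]
FROM wua
JOIN v_R_System sys           ON sys.ResourceID = wua.ResourceID
JOIN v_GS_OPERATING_SYSTEM os ON os.ResourceID  = wua.ResourceID
WHERE os.Caption0 LIKE '%Windows 7%'      -- WUA versions differ per OS; this post covers Windows 7
  AND (wua.VersionKey IS NULL OR wua.VersionKey < @MinKey)
ORDER BY wua.VersionKey, sys.Name0;
```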

List of SCCM Configmgr SQL views documentation is available on TechNet https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Configmgr Report list empty collections with no query rules defined (collection clean-up)


 

I was looking at the console the other day and found that there were many collections created in the root folder (device collections) with a count of 0. So I looked at the collection properties and found them empty (no direct or query based rule).

So I decided to write a SQL query to identify the list of collections that have empty results with no query rules (direct or query based) defined in them.

For this query, I have used 2 SQL views (v_Collection and v_CollectionRuleQuery).

For the full list of SQL views that exist in SCCM Configmgr, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b .

Following is the SQL code to identify empty collections with no query rule defined. As part of maintenance tasks, you can delete these collections to simplify the list of collections displayed when deploying objects, unless there is a reason for them to be in the console.

You can use the following code to create an SSRS report as well.

select coll.CollectionID,coll.Name,
case when coll.CollectionType='1' then 'User' else 'Device' end as 'Collection Type'
from v_Collection coll
where coll.collectionid not in (select CRQ.collectionid from v_CollectionRuleQuery CRQ)
and coll.MemberCount=0
group by coll.CollectionID,coll.Name,coll.CollectionType

Configuration Manager Technical Preview 1708 can identify applications without deployments and empty collections as part of Management Insights. For more information, please read https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1708#management-insights

Hope it helps!

 


SCCM Report for Missing Boundaries and Troubleshooting


 

Introduction:

Boundaries for SCCM define network locations on your intranet that can contain devices that you want to manage. Boundary groups are logical groups of boundaries that you configure. For more information click here

A few days ago, Jason Sandys blogged about boundary group caching and missing boundaries; for more details, read through https://home.configmgrftw.com/boundary-group-caching-and-missing-boundaries-in-configmgr .

This is one of the most needed solutions, one that everyone should implement in their environment to evaluate the accuracy of the boundaries/boundary groups defined. Boundaries play a major role in site assignment and content download. If you do not define the boundaries correctly, clients will not function as expected, and it takes a lot of your time to troubleshoot and identify that the cause is missing boundaries; it is also a recurring issue.

Jason has covered most of the topic: missing boundaries, boundary group caching, the WMI location and a basic SQL query. In this blog post, I am going to show you how to get the list of client devices that are missing from the boundaries/boundary groups using an SSRS report, and how to troubleshoot these devices. Sometimes you may see something like 'waiting for content download forever' in Software Center, and this is because boundaries/boundary groups are missing.

This blog post will help you to identify such client devices with their basic inventory information like OS, hardware inventory, software update scan, IP address, last reboot etc.

You can also achieve this using a compliance item/baseline, but the HINV method gives you more information and better reporting.

How to create/upload the report?

Before you download the report, please make the necessary changes as per the guidelines in Jason Sandys' post.

Following are quick points to implement the changes:

1. Open the SCCM console, go to client settings, edit the default client settings, hardware inventory, set classes, add, choose the WMI namespace and add. Once the boundary group cache class is added, uncheck it in the default settings and click OK. For more information on how to add custom inventory, you can refer to the guide here

2. Go to your custom client agent settings (if you have any; otherwise you can make these changes in the default client settings), hardware inventory, set classes, and choose the class name that we added in the default client agent settings.

3. Monitor dataldr.log to see whether these changes are being processed and the view is created in the SQL database (v_GS_BOUNDARYGROUPCACHE).

Once you are done with the above steps, download the SSRS report from the TechNet Gallery, upload it to your SCCM reports, change the data source and run it.

The report will display the following information. This report is created with the filter Client0='1', because I do not want to display devices that do not have the SCCM client.

Note: As of CB 1610, all clients that do not fall within the scope of a defined boundary group will be associated with the Default Boundary Group. This is not reflected in the BoundaryGroupCache class. Essentially, if the instance of the BoundaryGroupCache class contains no BoundaryGroupIDs, then the client is considered within the scope of the Default Boundary Group.

 

How to troubleshoot the missing boundaries that are displayed in the report:

1. From the report, we see that it has one device with its IP address. So we can go back to the SCCM console and look under boundaries to see whether this IP address is part of the specified boundaries or not (it is ALWAYS recommended to go with IP address ranges while defining the boundaries unless you have a specific reason not to use them).

2. Make sure the client device has sent its inventory report successfully after you made the changes in HINV and they were deployed to the collection.

3. If the IP address is defined in boundaries, check for the boundary group; if it is not in one, add it to a boundary group with a site system role.

4. If the IP address is part of both boundaries and a boundary group, what else can cause the client device to appear in this report?

5. If boundaries and boundary groups are added correctly, the MP must have returned the list of the distribution points that are configured in the boundary groups for the client to pick for content download.

6. If all the above points look OK, I would suggest taking a look at the client device logs (clientlocation.log, locationservices.log and ContentTransferManager.log), which will help you to identify the DP details.

 

Happy troubleshooting!

SCCM Configmgr Technical Preview 1802 available


 

On this Valentine's Day (Feb 14, 2018), Microsoft released the Feb 2018 Technical Preview version 1802 for Configuration Manager, with the largest number of features (21) ever released. These monthly tech previews are generally released on Fridays, but this one shipped a few days earlier.

You can install this version to update and add new capabilities to your SCCM technical preview site. To use the technical preview version, you must first install a baseline version of the technical preview build, i.e. Technical Preview 1711. After installing a baseline version, you then use in-console updates to bring your installation up to date with the most recent preview version. Typically, new versions of the Technical Preview are available each month.

If you plan to build a new lab, the preview baseline version 1711 is available for download from the TechNet Evaluation Center.

The following are new features you can try out with this Tech Preview 1802 version (21 features/updates):

  1. Transition Endpoint Protection workload to Intune using co-management
  2. Configure Windows Delivery Optimization to use Configuration Manager boundary groups
  3. Windows 10 in-place upgrade task sequence via cloud management gateway
  4. Improvements to Windows 10 in-place upgrade task sequence
  5. Improvements to PXE-enabled distribution points
  6. Deployment templates for task sequences
  7. Product lifecycle dashboard
  8. Improvements to reporting
  9. Improvements to Software Center
  10. Improvements to Run Scripts
  11. Boundary group fallback for management points
  12. Improved support for CNG certificates
  13. Cloud management gateway support for Azure Resource Manager
  14. Approve application requests for users per device
  15. Use Software Center to browse and install user-available applications on Azure AD-joined devices
  16. Report on Windows AutoPilot device information
  17. Improvements to Configuration Manager Policies for Windows Device Exploit Guard
  18. Microsoft Edge browser policies
  19. Report for default browser counts
  20. Support for Windows 10 ARM64 devices
  21. Changes to Phased Deployments

To know more about these features, please read through https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1802

To install this tech preview, log in to your console, go to Administration, Updates and Servicing, click Check for Updates (make sure you have an internet connection) and wait a while for the entry to appear in the console.

Right-click the update and choose Download.

Downloading of the update can be monitored using the log file dmpdownloader.log

Right-click the downloaded update and click Install.

Click Next, Next, Next.

Once the installation is done, go to the Monitoring section to check the installation status. You can also monitor cmupdate.log and ConfigMgrSetup.log

Features explored:

  • Boundary group fallback for management points
  • Hide Installed Applications in Software Center
  • Report for default browser counts

Happy exploring !

SQL query to get client count with status active obsolete missing for collections in tabular column


Quick blog post on how to get the client count with active, obsolete and missing status for collections in a nice tabular layout.

I used 3 SQL views in this query, v_R_System, v_FullCollectionMembership_Valid and v_Collection, with SUM and CASE statements.

You can use this SQL code in report creation with a collection prompt and also create linked reports.

-- Client count per collection, split into active, obsolete and missing-client records
select coll.Name [Collection Name],fcm.CollectionID,count(sys.name0) [Total clients],
SUM (CASE WHEN sys.Active0 = 1 THEN 1 ELSE 0 END) AS 'Active Clients',
SUM (CASE WHEN sys.Obsolete0 = 1 THEN 1 ELSE 0 END) AS 'Obsolete Clients',
SUM (CASE WHEN sys.Client0 is NULL THEN 1 ELSE 0 END) AS 'Client Missing'
from v_r_system sys
inner join v_FullCollectionMembership_Valid fcm on fcm.ResourceID=sys.ResourceID
inner join v_Collection coll on coll.CollectionID=fcm.CollectionID
-- replace with your own collection IDs
where fcm.CollectionID in ('PS1000DE','PS1000DF')
Group by fcm.CollectionID,coll.Name

For more information about the SCCM client health dashboard, refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-SSRS-2863c240

SCCM Configmgr CB 1802 SQL Views documentation


With the release of SCCM ConfigMgr Current Branch 1802, there are some exciting features added since the previous version, 1710. When new features are released, there are certainly changes to the database, so new SQL views/tables are created that help us build some nice SSRS reports.

So with this Current Branch version, what's new in SQL for reporting?

There are around 1586 unique SQL views holding lots of information that you can retrieve from the SQL database to help you analyze the data.

Out of these SQL views, about 19 are newly added since the previous ConfigMgr version 1710 and are listed below. Some SQL views may be common to the new and old versions but have new data fields added; those are not listed here.

Some of the newly added SQL views listed below you might have already seen in ConfigMgr Technical Preview releases; they are now in the production release.

v_Default_Browser
v_GS_DEFAULT_BROWSER
v_GS_MDM_DEVDETAIL_EXT01
v_HS_DEFAULT_BROWSER
v_HS_MDM_DEVDETAIL_EXT01
v_LifecycleDetectedGroups
v_LifecycleDetectedProducts
v_LU_LifecycleProductGroups
v_LU_LifecycleProductHashes
vex_AI_LifecycleProductGroups
vex_AI_LifecycleProductHashes
vex_GS_DEFAULT_BROWSER
vex_GS_MDM_DEVDETAIL_EXT01
vSMS_Ao_ServerPrereqMonitoring
vSMS_AoSiteServerMonitoring
vSMS_ManagementInsightResultsList
vSMS_ManagementInsightRuleGroup
vSMS_PhasedDeployment
vSMS_ScriptsExecutionSummary

As usual, you can download the SQL views documentation from ConfigMgr 2012 to ConfigMgr Current Branch 1802 from TechNet here

Happy reporting !

SCCM Configmgr monitoring Collection Evaluations and change update membership schedule using powershell


Introduction:

It has been a very long time since I posted on ConfigMgr, as I am spending more time on Office 365 projects, but I got something on SCCM this week that I would like to share. I have many other posts on my to-do list, especially on custom reporting, and will release them when I find time.

Recently, I was looking into automation of Azure servers through SCCM. For newly built Azure servers, we use SCCM to install apps, configurations, software updates and others using a task sequence as part of operation readiness.

When a new server is built in Azure (using Terraform and other tools), SCCM (on-prem) picks up the server, adds it to the OR (operation readiness) collection and lets the task sequence run; whether it succeeds or fails, it sends an email to the respective team for further checks and removes the device from the collection (only on success).

As part of this, what we noticed is that when the new Azure server joins the domain and appears in the SCCM default collection (All Systems), it usually takes quite a long time before it runs the task sequence. So I had to dig into this and see if we could speed up adding the server to the collection that has the TS deployed.

To make things faster (adding the device to the collection and running the TS on the device once it is added), there are mainly 2 things that I need to look at.

1. Check ‘use incremental updates for this collection’: Select this option to periodically scan for and update only new or changed resources from the previous collection evaluation, independently of a full collection evaluation. Incremental updates occur at 5 minute intervals by default.

2. Create device collection settings with the client policy polling interval. The default is 60 minutes, which is long, so change it to 15 minutes and deploy it to the OR collection. When the TS run succeeds, the device is deleted from the OR collection, so the collection should not hold any device by default unless the TS fails, in which case the respective team will troubleshoot it further.

Problem:

In order to speed up the collection membership update, I decided to look further into the ‘use incremental updates for this collection’ option.

In this article, we are going to identify collections with both scheduled updates and incremental updates, remove the incremental option and change the membership schedule to full schedule only.

Microsoft's recommendation is: do not use incremental updates for a large number of collections. This configuration might cause evaluation delays when you enable it for many collections. The threshold is about 200 collections in your hierarchy. For more info refer here

Based on the above recommendation, how do you keep the number of collections with the ‘use incremental updates for this collection’ option at no more than 200? If you exceed 200, it still works, but it adds delay to collection evaluation and hurts server performance, so you should enable this ONLY for ‘HIGH PRIORITY’ collections.

Since SCCM is used by many people in an organisation and they have the option to create collections, they might, knowingly or unknowingly, enable ‘use incremental updates for this collection’ for every collection, which is not actually required unless you need to deploy something to them urgently.

To keep the number of collections with the ‘incremental updates’ option limited, I gathered the list of all HIGH PRIORITY collections that must be updated frequently; the rest of the collections created by users/admins should not have incremental updates and should follow the Full Update schedule.

I use PowerShell code to check whether there are any collections that have either Incremental Update (Only) or Incremental and Full Update Scheduled ticked, and make changes as per the recommendation.

If you have any collections that are enabled with ‘use incremental updates for this collection’, then you don't need Full Scheduled Update.

Given below is the PowerShell script that queries SCCM and gets the list of all collections that are enabled with Incremental Update (Only) and Incremental and Full Update Scheduled, excluding the HIGH PRIORITY collections that we collected earlier.

If a collection is not high priority, ‘use incremental updates’ will be disabled on it unless you add the collection to the HIGH PRIORITY list.

How to use this script?

Create a folder and put the script into it. Create a txt file called ExclusionIDs.txt and add all your HIGH PRIORITY collection IDs to it.

Change the values for the collection membership types that you want to act on. For example, I want to change the schedule from Incremental and Full Update Scheduled to Full Scheduled Update ONLY.

Download the script from here

<#
Title: Update collection membership schedule
Following are the collection membership values for refreshtype
1:No Scheduled Update
2:Full Scheduled Update
4:Incremental Update (Only)
6:Incremental and Full Update Scheduled
Author: Eswar Koneti
Blog:www.eskonr.com
Date:31-12-2018
#>

$scriptPath = $script:MyInvocation.MyCommand.Path #Get the current folder of the script that is located
$CD = Split-Path $scriptpath
$RefreshTypefrom='6'  #This is to identify the collections with Incremental and Full Update Scheduled
$RefreshTypeto='2'  #This is to convert Incremental and Full Update Scheduled collections to Full Scheduled Update
$date = (get-date -f dd-MM-yyyy-hhmmss)
$exclusions="$CD\ExclusionIDs.txt" #High Priority collections (need your input with list of all collectionID's including device /used based)
$collectionsfound="$CD\collections with inc and full-"+$date+".csv" #Collections that are found with Incremental and Full Update Scheduled membership for your reference later
$ErrorActionPreference= 'silentlycontinue'

#Load SCCM module and map the powershell drive
Try
{
  #-ErrorAction Stop is needed because $ErrorActionPreference is 'silentlycontinue'; without it the Catch block never runs
  import-module (Join-Path $(Split-Path $env:SMS_ADMIN_UI_PATH) ConfigurationManager.psd1) -ErrorAction Stop
  $SiteCode=Get-PSDrive -PSProvider CMSITE -ErrorAction Stop
  cd ($SiteCode.Name + ':') -ErrorAction Stop
}
Catch
{
  Write-Host "[ERROR]`t SCCM Module couldn't be loaded. Script will stop!"
  Exit 1
}

#Stop if the exclusion list is missing, otherwise the HIGH PRIORITY collections would be changed as well
if (-not (Test-Path $exclusions))
{
  Write-Host "[ERROR]`t $exclusions not found. Script will stop!"
  Exit 1
}

#Read the HIGH PRIORITY collection IDs that must keep their current membership schedule into an array
$exc= @()
foreach ($exc1 in get-content $exclusions )
{
  $exc += $exc1.Trim()
}

#Get all collections that have both incremental and full update schedule, skipping the collection IDs in the exclusion list imported above into $exc
Get-CMCollection  | where-object {$_.RefreshType -eq $RefreshTypefrom -and $_.collectionID -notin $exc} | select collectionID,Name | Export-CSV -NoTypeInformation $collectionsfound -append
#Import the collections whose membership schedule we want to change into a variable
$CollectionIDs=Import-Csv $collectionsfound | select -ExpandProperty collectionID
Foreach ($CollID in $CollectionIDs)  {
  #Get the collection whose membership schedule we want to change (removal of incremental updates)
  $Collection = Get-CMCollection -CollectionId $CollID
  $Collection.RefreshType = $RefreshTypeto
  $Collection.Put()
}

After execution, a new CSV file is added to the script folder with the list of all collections that were enabled with ‘Incremental and Full Update Scheduled’, and the script acts on these collections.

You can run this script using Task Scheduler daily or weekly.

Following is the SQL code to identify the collection membership types and validate the results.

select
case Flags
when 1 then 'No Scheduled Update'
when 2 then 'Full Scheduled Update'
when 4 then 'Incremental Update (Only)'
when 6 then 'Incremental and Full Update Scheduled'
when 4100 then 'default collection'
else 'total' -- the rollup row, where Flags is NULL
End as  ScheduleType,
count(*) as Total
from v_Collections_G
where siteid not like 'SMS%'
-- group once on Flags; the rollup adds a single grand total row
group by Flags with rollup


If you want the list of all collections with a given membership type, use the following SQL code. Replace the refreshtype values as per your needs.

-- queried directly from v_Collections_G so that collections without members are listed too
select coll.SiteID,coll.CollectionName,coll.Flags
from v_Collections_G coll
where coll.Flags in (4,6)
order by coll.CollectionName

You can also use CEViewer.exe (Collection Evaluator viewer), which is now part of the CMCB 1810 server tools, to see the total run time for full evaluation and for incremental evaluation. It is always recommended to run this tool to check what is going on with collection execution time.

The incremental evaluation results I got were 57 sec for 67 collections, and the tool shows the run time for each collection. The same can be viewed for full evaluation.

In the next post, I will talk about how to get collections with direct membership rules ONLY (no query-based rules) that have a membership schedule enabled, and how to remove the schedule option using PowerShell.

For collections with direct rules added, you don't need to update them on a schedule.

References:

https://blogs.technet.microsoft.com/leesteve/2017/08/22/sccm-for-those-nasty-incremental-collections/

https://byteben.com/bb/identifying-and-updating-sccm-collection-evaluations/

SCCM ConfigMgr Compliance status of client for multiple software update groups


After a long time, I am back with a quick SCCM ConfigMgr software update compliance report. A friend of mine asked me this morning how to check the compliance of a specific computer (could be a VIP's) against one or multiple software update groups that they have created/deployed.

How do you check the compliance status of a computer for specific software update groups ONLY and not for all updates that are available in SCCM?

You have several software update compliance reports for software update groups and for computers, but there is none to check whether a particular computer is compliant for a given software update group. The only possible way is to run the compliance report for a specific collection, which gives you the overall compliance status, and then drill down further or run another compliance report, which is a tedious process. And if you want to repeat this multiple times for different update groups? Not easy. The only solution is a custom report.

So I started looking at this request and searched online but could not find anything except this link https://social.technet.microsoft.com/Forums/en-US/6cb95ee0-808e-4c8f-a39c-11bc35282357/limit-specific-computer-report-to-a-software-update-group?forum=configmanagergeneral, which is unanswered.

I also looked through my blog to see if I had posted something similar, but nothing matches the requirement.

So I started writing the SQL code and converted it to a nice SSRS report, which is now available for you to download and play with.

I have added most of the computer information, such as software update group, computer name, user name, OS, last hardware scan, last software update scan, last logon time, IP address and patch compliance status, to help troubleshoot further.

You can download the SQL views documentation from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

How does this report work? When you run this report, it prompts you to choose the software update groups that you are interested in and to enter the computer name (it must be typed in, there is no drop-down; just the computer name, no need to enter the FQDN).

Download the report from TechNet Gallery, upload it to your SSRS reports, change the data source and you are ready to run.

Some of software update compliance reports from my blog are listed below.

SCCM Configmgr 2012 Updated Patch Compliance reports for software update group and collection with patch progression

Configmgr SQL query to get the list of clients that require a specific software update patch

SCCM Configmgr Software Update Compliance Report for Specific Collection within Specific Time Frame

SCCM Configmgr SQL query to find Top X missing updates for specific collection for specific update group

SCCM Configmgr Get the Update Compliance Status for multiple Update groups against Multiple collections using SQL query without reporting

SCCM Configmgr Software update Compliance Report for multiple Software Update groups per collection

SCCM Configmgr SQL Query to check software update is superseded by what software updates

Configmgr How to list all Default and Custom reports with created by, modified by,data source , Path and Description

SCCM Configmgr How to generate patch compliance report that shows all updates for specific collection ?

SCCM Configmgr SSRS Report Get list of missing updates for PC from specific Software update group

sccm  SQL Query Get software updates that are downloaded but not in any software update group

SCCM Configmgr 2012 Software update compliant non-compliant results for list of computers from collection for specific month

SCCM Check Patch is member of what software update package

SCCM Configmgr  SSRS Patch Compliance Report Per Collection Per Update Group

SCCM Configmgr SSRS Report Overall Compliance Per Update Group Per Collection will help to troubleshoot the clients

SCCM Configmgr Patch Report – OU based Compliance status per Update Group

SCCM Configmgr Report Get the Status of Software Update Scan results

SCCM Configmgr Software update compliance states

SCCM report applications installed on computers without Updates

SCCM Configmgr Report for Software Update Compliance

SCCM Report Get list of devices with pending reboot in a collection with different states


Beginning with SCCM ConfigMgr build 1710, you can use the SCCM console to identify client devices that require a restart, and then use a client notification action to restart them. For this capability to function on the client side, you must also upgrade clients to version 1710 or later.

This makes it much easier for SCCM engineers to restart a device with just one click.

To identify devices that are pending a restart, go to the Assets and Compliance workspace and select the Devices node, then right-click in the right-side details pane to add the new column named Pending Restart.

Once you choose this, you can sort by Pending Restart to see the list of all devices with their client state.

Each device has one or more of the following values:

  • No: there is no pending restart
  • Configuration Manager: this value comes from the client reboot coordinator component (RebootCoordinator.log)
  • File rename: this value comes from Windows reporting a pending file rename operation (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, PendingFileRenameOperations)
  • Windows Update: this value comes from the Windows Update Agent reporting a pending restart is required for one or more updates (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired)
  • Add or remove feature: this value comes from the Windows component-based servicing reporting the addition or removal of a Windows feature requires a restart (HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\Reboot Pending)

To restart the device, simply right-click the device, select Client Notification, and then select Restart. An information window opens about the restart. Click OK to confirm the restart request.

When the notification is received by a client, a Software Center notification window opens to inform the user about the restart. By default, the restart occurs after 90 minutes. You can modify the restart time by configuring client settings.

Settings for the restart behaviour are found on the Computer restart tab of the default settings.

If you want the list of devices pending a reboot, following the steps above every time is not ideal. The console does not give you the number of devices pending a reboot either; you need to add the column and sort to find out how many there are.

In this blog post, we will see how to create a dynamic collection that lists all devices with a pending reboot. This collection should always be on your checklist for troubleshooting.

Also, I will give you nice SSRS reports that show the count of pending reboot devices for a collection by operating system, with a drilldown report to see the list of all clients with client inventory.

Before we start creating the pending reboot collection, we need to know where this information is stored in WMI. Collections use WQL, hence you need the class and instance name.

Restart information is stored in sms_combineddeviceresources in the value clientstate.

Anything that is not 0 (clientstate != 0) is treated as pending reboot.

Following is the list of states you get for a client with a pending reboot.

1 – Configuration Manager
2 – File Rename
3 – Configuration Manager, File Rename
4 – Windows Update
5 – Configuration Manager, Windows Update
6 – File Rename, Windows Update
7 – Configuration Manager, File Rename, Windows Update
8 – Add or Remove Feature
9 – Configuration Manager, Add or Remove Feature
10 – File Rename, Add or Remove Feature
11 – Configuration Manager, File Rename, Add or Remove Feature
12 – Windows Update, Add or Remove Feature
13 – Configuration Manager, Windows Update, Add or Remove Feature
14 – File Rename, Windows Update, Add or Remove Feature
15 – Configuration Manager, File Rename, Windows Update, Add or Remove Feature
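
The fifteen values above are sums of four bit flags (1 Configuration Manager, 2 File Rename, 4 Windows Update, 8 Add or Remove Feature), so a report can decode the state with a bitwise AND instead of a 15-branch CASE. The following T-SQL is an added example, not code from the original post; the device rows are constructed, and reading Name and ClientState from the view v_CombinedDeviceResources on a site database is an assumption (the post itself only names the WMI class).

```sql
-- Added example: decode the pending-restart ClientState bitmask.
-- The device rows are constructed sample data so the script runs on any
-- SQL Server instance. Assumption: on a site database the same two columns
-- come from v_CombinedDeviceResources (Name, ClientState).
DECLARE @Devices TABLE (Name nvarchar(64) NOT NULL, ClientState int NOT NULL);
INSERT INTO @Devices (Name, ClientState) VALUES
    (N'PC-001', 0),   -- no pending restart
    (N'PC-002', 1),   -- Configuration Manager
    (N'PC-003', 6),   -- File Rename + Windows Update
    (N'PC-004', 12),  -- Windows Update + Add or Remove Feature
    (N'PC-005', 15),  -- all four sources
    (N'PC-006', 4);   -- Windows Update

-- One row per flag, using the names from the list above.
DECLARE @Reasons TABLE (Flag int NOT NULL PRIMARY KEY, Reason nvarchar(30) NOT NULL);
INSERT INTO @Reasons (Flag, Reason) VALUES
    (1, N'Configuration Manager'),
    (2, N'File Rename'),
    (4, N'Windows Update'),
    (8, N'Add or Remove Feature');

-- 1) Per device: rebuild the text shown in the console from the number.
SELECT d.Name,
       d.ClientState,
       STUFF((SELECT N', ' + r.Reason
              FROM @Reasons AS r
              WHERE (d.ClientState & r.Flag) = r.Flag
              ORDER BY r.Flag
              FOR XML PATH(''), TYPE).value('.', 'nvarchar(200)'), 1, 2, N'')
           AS [Pending Restart]
FROM @Devices AS d
WHERE d.ClientState <> 0
ORDER BY d.Name;

-- 2) Per reason: how many devices are waiting on each source. A device
--    with several flags set is counted once under every reason it has.
SELECT r.Reason,
       COUNT(*) AS [Devices]
FROM @Reasons AS r
JOIN @Devices AS d ON (d.ClientState & r.Flag) = r.Flag
GROUP BY r.Flag, r.Reason
ORDER BY r.Flag;
```

The second result set is the one to watch for patching: devices counted under Windows Update have updates installed that do not take effect until the restart happens.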

Create a device collection, choose query based and paste the following WQL code into it.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System join sms_combineddeviceresources on
sms_combineddeviceresources.resourceid = sms_r_system.resourceid
where sms_combineddeviceresources.clientstate != 0

We have just created a collection that lists the devices with a pending reboot. You can now decide whether to reboot them using client notification.

How do you reboot all devices at once? You cannot do it by right-clicking the collection; you must go into the collection, select all devices, right-click and use Client Notification. There is no reboot option at collection level.

Now we will look at the SSRS report.

With the information that is available in SCCM, we can build a variety of reports; however, I am going with the following customisations.

A report with a custom collection and device restart type (Configuration Manager, Add or Remove Feature etc., multiple). It shows the count of pending restart devices by operating system.

The count has a drilldown report that shows the list of clients with inventory information such as last hardware inventory, IP address, last MP, software update scan etc.

Parent Report:

Click on the Pending Restart count, which appears in blue, to see the list of all clients of that particular OS.

Child Report (Drilldown Report):

The child report has 3 parameters: collection name, restart state name and OS. All these parameters are passed to the child report from the parent report.

You might see a pending reboot for clients that are inactive. This is because the client never reported back to SCCM after the pending restart status message, and the state remains the same until the device comes online and reports its status.

You must run the parent report to get to the child report. If you try to run the child report directly, you will run into issues, which is expected because of the hidden parameters in the child report.

How to get the reports?

Download the RDL files from TechNet Gallery, extract them, upload the files to your SSRS reports (make sure both reports are in the same folder), change the data source and run the reports.

Reference:

https://blogs.technet.microsoft.com/meamcs/2019/01/10/understanding-and-using-the-pending-restart-feature-in-sccm-current-branch/


What’s new in SCCM ConfigMgr 1902 Reporting


Microsoft has released SCCM ConfigMgr Current Branch build version 1902, available as an in-console update and as a baseline version. You can apply this update on sites that run 1710, 1802, 1806 and 1810.

If you want to install a new site, you can download 1902 as a baseline. Download baseline version of 1902 from volume licensing or

Once you update your existing version to 1902, you need to upgrade your secondary sites manually by right-clicking the secondary site and choosing Upgrade.

You also need to update your ConfigMgr clients to the latest version to get the newly supported client features.

With 1902, a bunch of new features were added, which means a number of SQL tables/views were added as well that help us create custom reports.

Following are the newly added SQL views for custom reporting.

v_CH_ClientHealth
v_ClientActionResultOfTaskSummary
v_ClientActionResultSummary
v_ConsoleAdminsData
v_GS_OFFICE_ADDIN
v_GS_OFFICE_DOCUMENTMETRIC
v_GS_OFFICE_VBASUMMARY
v_GS_PHYSICALDISK
v_GS_SYSTEMBOOTDATA
v_GS_SYSTEMBOOTSUMMARY
v_Office_AdoptionStatus
v_Office_EntityLookup
v_Office_ValueLookup
v_OfficeProplusReadinessStrings
v_PhasedDeploymentOperationalDataCI
v_PhasedDeploymentOperationalDataPkgProgram
vSMS_CMPivotResult
vSMS_OfficeProplusReadiness

We can make use of these SQL views to create a variety of dashboards.

Looking at some of the Office SQL views such as v_GS_OFFICE_ADDIN, v_GS_OFFICE_VBASUMMARY, v_GS_OFFICE_DOCUMENTMETRIC etc., it is now easier to decide on moving from 32-bit to 64-bit ProPlus.

SCCM ConfigMgr build 1902 comes with a new Office 365 client management dashboard report, and this dashboard is built from these SQL tables/views.

Microsoft recommends installing 64-bit ProPlus for many reasons. If you look at this article, Microsoft's default option when installing ProPlus from Office 365 is 64-bit: https://support.office.com/en-us/article/Choose-between-the-64-bit-or-32-bit-version-of-Office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261#32or64Bit=Newer_Versions

If you still want to go with 32-bit, read the reasons to choose the 32-bit version. The deciding factor for choosing 32-bit depends on the data that you get from the Office SQL views above.

We can now create some nice dashboards to monitor the system boot time for different models and take action against those with long boot times.

When creating client health reports, we can now use v_CH_ClientHealth, as it contains almost all info about client health such as last policy request, last DDR, last online time, last offline time, OS, collection membership etc.

We can now monitor the CMPivot results executed by users and how long a specific query takes to run. All this info is stored in vSMS_CMPivotResult. Though it is not a SQL view, access to this table is not permitted to all RBAC users/SCCM console users unless you are an SCCM admin or have been given SQL admin access.

Download SCCM Configmgr SQL views documentation for 1902 from TechNet  https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Happy reporting!

SCCM Configmgr collection SQL identify duplicate computer records with different GUID


I was working on an SCCM report for a client health dashboard. During the report creation, I found that a device appeared twice, with a different GUID and resource ID but with the same hostname.

So I started looking at this issue to see how to identify the records with duplicate hostnames.

SCCM clients are uniquely identified by a GUID. A GUID is a combination of the client's media access control (MAC) address and the time when the GUID is assigned.

This combination produces a number that is virtually always unique. The GUID assignment occurs during the client discovery and installation processes.

The GUID is stored in the client's registry and in a binary file on the client's hard disk, in the smscfg.ini file (C:\Windows\SMSCFG.INI).

The computer record appears twice, with the information that was gathered through inventory/BGB/discovery. I came across 3 different problems:

  • Device with different resource ID and Client=Yes
  • Device with different resource ID and Client=No
  • Device with different resource ID and Client=No

With this information, I started looking at SQL to write the code and convert it to a collection, so it would be easy to clean up the records in an automated way.

So I went to the site hierarchy settings to check the conflicting records setting, but the settings were applied correctly.

Why does this happen? An old article, but still valid: https://support.microsoft.com/en-us/help/837374/how-to-locate-and-clean-advanced-client-duplicate-guids-in-sms-2003

If you have the maintenance task enabled, these obsolete or inactive stale records are taken care of by it, but do you want to wait until the default maintenance task runs?

Here is the SQL code to find the list of devices that appear more than once in the SCCM console, with their count.

select name0 [Device Name],count(*) Total from v_r_system
group by name0
having (count(name0))>1
order by Name0


If you want to see the devices that appear the most times at the top, use the following query:

select name0 [Device Name],count(*) Total from v_r_system
group by name0
having (count(name0))>1
order by 2 desc

If you want to see the list of all these devices with their resource IDs, use the following query:

select sys.name0,sys.ResourceID from v_r_system as sys
full join v_r_system as sys1 on sys1.ResourceId = sys.ResourceId
full join v_r_system as sys2 on sys2.Name0 = sys1.Name0
where sys1.Name0 = sys2.Name0 and sys1.ResourceId != sys2.ResourceId
group by sys.Name0,sys.ResourceID
order by 1

Create a WQL collection with the following syntax:

I am making use of SMS_R_System with a full join.

select sys.ResourceID,sys.ResourceType,sys.Name,sys.SMSUniqueIdentifier,
sys.ResourceDomainORWorkgroup,sys.Client from SMS_R_System as sys
full join SMS_R_System as sys1 on sys1.ResourceId = sys.ResourceId
full join SMS_R_System as sys2 on sys2.Name = sys1.Name
where sys1.Name = sys2.Name and sys1.ResourceId != sys2.ResourceId

P.S.: The above queries only find computer names that appear twice or more with different resource ID, GUID etc.

Also note that this collection includes the active/live entry along with the inactive entry. I could not find any way/logic to skip the active computers.

You can delete all these records manually or create a PowerShell script on a schedule to empty the collection. This way, you lose the inventory of the active computers, but they send it back in the next inventory cycle.
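
Because the collection holds the live record next to the stale ones, it helps to review the flags of every copy before deleting anything. The following T-SQL is an added example, not code from the original post; the rows are constructed, and two things are assumptions: that SMS_Unique_Identifier0 in v_R_System holds the client GUID, and that a record with Client0 = 1, Obsolete0 = 0 and Active0 = 1 is treated as the live one.

```sql
-- Added example: list every record that shares a hostname, with the flags
-- needed to tell the live record from the stale ones before deleting.
-- The rows are constructed sample data; on a site database read the same
-- columns from v_R_System. Assumptions: SMS_Unique_Identifier0 holds the
-- client GUID, and Client0 = 1, Obsolete0 = 0, Active0 = 1 means "live".
DECLARE @System TABLE (
    ResourceID int NOT NULL PRIMARY KEY,
    Name0 nvarchar(64) NOT NULL,
    SMS_Unique_Identifier0 nvarchar(64) NULL,
    Client0 int NULL,
    Obsolete0 int NULL,
    Active0 int NULL);
INSERT INTO @System VALUES
    (16777301, N'WS-ALPHA',   N'GUID:SAMPLE-A1', 1, 0, 1),           -- live record
    (16777455, N'WS-ALPHA',   N'GUID:SAMPLE-A2', 1, 1, 0),           -- obsolete copy
    (16777502, N'WS-BRAVO',   NULL,              NULL, NULL, NULL),  -- discovered, no client
    (16777503, N'WS-BRAVO',   N'GUID:SAMPLE-B1', 1, 0, 1),           -- live record
    (16777600, N'WS-CHARLIE', N'GUID:SAMPLE-C1', 1, 0, 1),           -- unique name, not listed
    (16777701, N'WS-DELTA',   N'GUID:SAMPLE-D1', 1, 0, 1),           -- two live records with
    (16777702, N'WS-DELTA',   N'GUID:SAMPLE-D2', 1, 0, 1);           -- the same name

WITH Flagged AS (
    -- Mark each record as live or not, using the assumed rule above.
    SELECT s.*,
           CASE WHEN s.Client0 = 1 AND ISNULL(s.Obsolete0, 0) = 0 AND s.Active0 = 1
                THEN 1 ELSE 0 END AS IsLive
    FROM @System AS s
),
Counted AS (
    -- Count copies and live copies per hostname without collapsing rows.
    SELECT f.*,
           COUNT(*)      OVER (PARTITION BY f.Name0) AS Copies,
           SUM(f.IsLive) OVER (PARTITION BY f.Name0) AS LiveCopies
    FROM Flagged AS f
)
SELECT Name0 AS [Device Name],
       ResourceID,
       SMS_Unique_Identifier0 AS [GUID],
       Client0, Obsolete0, Active0,
       CASE WHEN LiveCopies > 1 THEN 'Conflict: more than one live record'
            WHEN LiveCopies = 0 THEN 'No live record: check the device first'
            WHEN IsLive = 1     THEN 'Keep'
            ELSE 'Cleanup candidate' END AS Review
FROM Counted
WHERE Copies > 1
ORDER BY Name0, IsLive DESC, ResourceID;
```

Names flagged as a conflict or as having no live record are the ones to check by hand, since neither case can be resolved from these flags alone.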

Hope it helps!

Clean up your WSUS database for better performance and SCCM software update compliance



Introduction:

With the recent Current Branch updates starting from 1806, Microsoft is making good improvements to software updates maintenance, but there is a lot more to come in the near future. Read about the software updates maintenance tasks available in SCCM: https://docs.microsoft.com/en-us/sccm/sum/deploy-use/software-updates-maintenance

Many SCCM admins think that installing WSUS, doing the initial configuration and configuring the SUP role is enough for software update patching, but that's not true. When you finish the initial WSUS configuration, you go to the SUP properties and start selecting classifications and products. Based on this selection criteria, updates get synced with Microsoft. These synced updates include Itanium and many other junk updates. Once the updates are synced successfully, you will see them in the SCCM console under the software updates section. With this, you can start patching your clients, but over a period of time, if you don't maintain your metadata/update catalog with the help of a maintenance job (custom scripts/tools), you will run into a lot of issues. These issues include high CPU usage (IIS worker process), the WSUS application pool in IIS stopping automatically, client software update scan performance issues and many more.

The top reason for site performance issues, client update scan issues, WSUS application pool issues etc. is a large number of updates in your WSUS database, which includes superseded, Itanium and other unneeded updates. If you decline all unused, Itanium, superseded updates etc. at regular intervals, your site server will be happy with better performance and your clients will perform quicker update scans, which helps to achieve a better compliance rate.

There are any number of questions asked in various forums around WSUS and software update scan issues, and there are several posts available with maintenance solutions.

After going through a lot of forums, blog posts and suggestions from Microsoft, I have come up with a standard document that I use every time, in every SCCM infra that I set up, as part of SUP maintenance.

This solution consists of PowerShell scripts and SQL reports to clean up/decline the junk updates, which helps to improve the site server performance and client update scanning.

How is it different from the built-in SUP maintenance tasks? When I am running Current Branch 1806 and above, do I still need this solution?

Yes. The built-in software update maintenance solution does very basic things like expiring the superseded updates, cleaning up the unused updates etc., but what I am going to describe in this blog post is more advanced: declining the unneeded updates, configuring WSUS in IIS as per best practices and more.

If you have CAS, primary and secondary sites, then you should perform these steps from bottom to top (secondary, primary and CAS).

Steps at a glance:

A) Check the status of the WSUS database with the count of updates. The count of updates decides the catalog size.

B) Decline Itanium and other junk updates that you don't use in your infra.

C) Decline superseded updates.

D) Perform SQL indexing

E) Invoke WSUS configuration (best practice)

F) Troubleshooting.

A) Check the status of WSUS database with count of updates:

We will first use some SQL queries to fetch the current status of WSUS, with the count of updates, before we decline them.

1. Use the appropriate method to back up the WSUS database (SUSDB). For related information, please see Create a Full Database Backup (SQL Server).

2. Once the database is backed up, run the following SQL code against your WSUS database to see the count of updates (superseded, declined, total updates, live updates etc.). It is always good to validate the results before and after the cleanup task.

3. I assume your WSUS DB is running on SQL Server and not on Windows Internal Database. If your WSUS database is running on Windows Internal Database (WID), then follow this guide and run the following SQL command.

4. Open SQL Server Management Studio, connect to your secondary site database (in case you have one, else primary then CAS) and run the following SQL code:

--get the count of total updates, superseded ,declined updates.

use SUSDB;
select
(Select count (*) 'Total Updates' from vwMinimalUpdate ) 'Total Updates',
(Select count (*) 'Live updates'  from vwMinimalUpdate where declined=0) as 'Live Updates',
(Select count (*) 'Superseded'  from vwMinimalUpdate where IsSuperseded =1) as 'Superseded',
(Select count (*) 'Superseded But NoDeclined'  from vwMinimalUpdate where IsSuperseded =1 and declined=0) as 'Superseded but not declined',
(Select count (*) 'Declined'  from vwMinimalUpdate where declined=1) as 'Declined',
(Select count (*) 'Superseded & Declined' from vwMinimalUpdate where IsSuperseded =1 and declined=1) 'Superseded & Declined'

Total Updates: count of all updates, including superseded and declined ones. This basically includes all updates in your WSUS DB.

Live updates: count of updates that are not declined. This includes all updates, superseded or not, that are not declined. These updates are considered when generating the update catalog file.

Superseded: count of all superseded updates.

Superseded but not declined: count of all superseded updates that are not declined yet.

Declined: count of updates that are declined. Declined updates never go into the update catalog file.

Superseded & declined: count of updates that are superseded and declined.

As you see above, the total live updates that are considered to generate the update catalog is 18000+. This usually means a larger update catalog file, and a huge number of updates also impacts the CPU and memory on your WSUS because clients always talk to WSUS to download the update catalog.

B) Decline itanium and other junk updates that you don't need in your infra.

Now, download and extract the PowerShell scripts and SQL files that are available here.

Following are the files you get from the download link

Following are the 2 PowerShell scripts (customized) that I am going to use to decline the unused/superseded/Itanium updates.

b.1)Decline-OtherUpdates.ps1

b.2)Decline-supersededUpdates.ps1 /Decline-SupersededUpdatesWithExclusionPeriod.ps1

The Decline-OtherUpdates script has the following titles to decline because I don't use them in my infra.

Itanium
ia64
ARM64-based Systems
Windows 10 (consumer editions)
Windows 10 Education
Windows 10 Team
Windows 10 Insider Preview

Please review the titles and make changes as you need.

Run the PowerShell script with the command line:  .\Decline-OtherUpdates.ps1 -UpdateServer YourWSUSServerName -Port 8530 -DeclineItanium

As you see, I have 2402 updates declined. This includes all the titles listed above.

C) Decline superseded updates.

Now we will run the decline superseded updates script.

There are 2 scripts here for you: Decline-supersededUpdates.ps1 and Decline-SupersededUpdatesWithExclusionPeriod.ps1. The only difference between these 2 scripts is the added exclusion period, as per your SUP settings.

Log in to your secondary site (if you have any), launch PowerShell as admin and change directory to the location where you placed the scripts.

To decline superseded updates, we can make use of ExclusionPeriod as a criterion, which helps to decline updates in sync with our software update component properties.

In your Configuration Manager SUP properties, if you have set the supersedence behavior to expire immediately, then you don't need to use the ExclusionPeriod in the PowerShell script. However, if you have configured the supersedence behavior with X months, then I would recommend using the same period in the script.

The following command lines show different ways in which PS scripts can be run (if the script is run on a WSUS server, you can use LOCALHOST instead of the actual SERVERNAME).

Based on your SUP settings, if you want to decline all superseded updates, then run the following command:
Decline-supersededUpdates.ps1 -UpdateServer SERVERNAME -Port 8530
If you want to decline the superseded updates with some exclusion period, use the following command:
Decline-SupersededUpdatesWithExclusionPeriod.ps1 -UpdateServer SERVERNAME -Port 8530 -ExclusionPeriod 60

With -ExclusionPeriod 60, the script gathers information about the updates on the WSUS server, counting back 60 days from the date you run it, and checks the number of updates that can be declined.

P.S: Don't compare the SQL query count (18182) with the PowerShell count (18175), as they were not the same servers when I executed the code.

Once the updates are declined, go back to SQL and run the query against your WSUS DB to see the status.

This time, you should see different counts compared to the last run.

After declining the updates in WSUS, these declined updates still appear in SCCM until you run a software update sync.

Once the software update sync happens on the SCCM server, the changes you made on WSUS will appear in the SCCM console.

After the SUP sync, all updates declined in WSUS will disappear from the SCCM console.

D) Perform SQL indexing

After you decline the updates, SUSDB needs to be re-indexed for optimal performance. See the section on Re-Indexing the WSUS Database above for related information.

Please wait until the execution of the script has completed.

E) WSUS configuration (Best practice)

You will find the script Invoke-WSUSConfiguration.ps1, which I got from Johan and which I always use in all SCCM infra as per best practice.

Take a look at the script to see what it does before you execute it in your infra.

F) Troubleshooting.

In some cases, if your WSUS database has never been cleaned up before and this is the first time you are doing it on some secondary/primary sites, execution of the scripts may fail with the following error because there are too many updates.

In my case, I had 23k plus total updates in the WSUS database, hence the script was always failing to fetch the data.

Connecting to WSUS server localhost on Port 8530... Connected.
Getting a list of all updates... Failed to get updates.
Error: The operation has timed out
If this operation timed out, please decline the superseded updates from the WSUS Console manually.

I tried running the script a few times, but I could not get through even though I restarted the IIS service and the WSUS service.

If you are unable to decline the updates using the script, what other possibilities do we have? Open the WSUS console and do it manually, which takes a lot of time.

A Microsoft support engineer posted SQL code to decline the updates in SUSDB.

  1. If you have not backed up your SUSDB database, back up your SUSDB database before continuing .
  2. Connect to SUSDB using SQL Management Studio.
  3. Execute the following query. The number 60 in the line "DECLARE @thresholdDays INT = 60" corresponds to the exclusion period used with the PowerShell script, and to the number of days that matches the number of months configured in the supersedence rule. If the expiration is set to expire immediately, you must set the SQL query value @thresholdDays to zero.
  4. The SQL code that was posted in the support article needs some syntax corrections to get it to work, OR it could be that the support article is in Japanese, so the syntax got changed while translating.

    --Decline superseded updates in SUSDB; alternative to Decline-SupersededUpdatesWithExclusionPeriod.ps1
    DECLARE @thresholdDays INT = 60 --Specify the number of days between today and the release date for which the superseded updates must not be declined (i.e., only updates older than this many days are declined). This should match configuration of supersedence rules in SUP component properties, if ConfigMgr is being used with WSUS.
    DECLARE @testRun BIT = 0 --Set this to 1 to test without declining anything.
    --There shouldn't be any need to modify anything after this line.


    DECLARE @uid UNIQUEIDENTIFIER
    DECLARE @title NVARCHAR (500)
    DECLARE @date DATETIME
    DECLARE @userName NVARCHAR (100) = SYSTEM_USER


    DECLARE @count INT = 0


    DECLARE DU CURSOR FOR
         SELECT MU.UpdateID, U.DefaultTitle, U.CreationDate FROM vwMinimalUpdate MU
         JOIN PUBLIC_VIEWS.vUpdate U ON MU.UpdateID = U.UpdateId
    WHERE MU.IsSuperseded = 1 AND MU.Declined = 0 AND MU.IsLatestRevision = 1
         AND MU.CreationDate <DATEADD (dd,-@thresholdDays, GETDATE ())
    ORDER BY MU.CreationDate


    PRINT 'Declining superseded updates older than ' + CONVERT (NVARCHAR (5), @thresholdDays) + ' days.' + CHAR (10)


    OPEN DU
    FETCH NEXT FROM DU INTO @uid, @title, @date
    WHILE (@@FETCH_STATUS>-1)
    BEGIN
         SET @count = @count + 1
         PRINT 'Declining update ' + CONVERT (NVARCHAR (50), @uid) + ' (Creation Date ' + CONVERT (NVARCHAR (50), @date) + ') - ' + @title + '...'
         IF @testRun = 0
             EXEC spDeclineUpdate @updateID = @uid, @adminName = @userName, @failIfReplica = 1
         FETCH NEXT FROM DU INTO @uid, @title, @date
    END
    CLOSE DU
    DEALLOCATE DU


    PRINT CHAR (10) + 'Attempted to decline ' + CONVERT (NVARCHAR (10), @count) + ' updates.'

To check progress, monitor the Messages tab in the Results pane.

Depending on the number of updates, it may take a long time. In my case, it took ~15 min to decline around 10K updates.

Once the superseded updates are declined using SQL, we can go back to the PowerShell scripts and run the other script (decline other updates).
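As an added example (not the support article's code and not part of the original post): a read-only preview to run before executing the decline query with @testRun = 0. It uses the same views and filter as the cursor above to show how many superseded updates fall on each side of the threshold; the MsrcSeverity column of PUBLIC_VIEWS.vUpdate is an assumption of this example.

```sql
-- Added example: preview what the decline cursor would select. Nothing is changed.
USE SUSDB;

DECLARE @thresholdDays INT = 60;   -- use the same value as in the decline query
DECLARE @cutoff DATETIME = DATEADD(dd, -@thresholdDays, GETDATE());

-- 1) Superseded, not yet declined updates split by the threshold and by severity.
SELECT
    CASE WHEN MU.CreationDate < @cutoff
         THEN 'Would be declined'
         ELSE 'Kept (inside exclusion period)' END AS [Outcome],
    ISNULL(U.MsrcSeverity, 'Unspecified')          AS [MSRC Severity],   -- assumed column
    COUNT(*)                                       AS [Updates],
    MIN(MU.CreationDate)                           AS [Oldest],
    MAX(MU.CreationDate)                           AS [Newest]
FROM vwMinimalUpdate MU
JOIN PUBLIC_VIEWS.vUpdate U ON MU.UpdateID = U.UpdateId
WHERE MU.IsSuperseded = 1 AND MU.Declined = 0 AND MU.IsLatestRevision = 1
GROUP BY
    CASE WHEN MU.CreationDate < @cutoff
         THEN 'Would be declined'
         ELSE 'Kept (inside exclusion period)' END,
    ISNULL(U.MsrcSeverity, 'Unspecified')
ORDER BY 1, 3 DESC;

-- 2) The 25 newest updates that would be declined, i.e. the ones closest to the
--    threshold. If any of these is still deployed, raise @thresholdDays first.
SELECT TOP (25) MU.UpdateID, U.DefaultTitle, MU.CreationDate
FROM vwMinimalUpdate MU
JOIN PUBLIC_VIEWS.vUpdate U ON MU.UpdateID = U.UpdateId
WHERE MU.IsSuperseded = 1 AND MU.Declined = 0 AND MU.IsLatestRevision = 1
  AND MU.CreationDate < @cutoff
ORDER BY MU.CreationDate DESC;
```

The total of the 'Would be declined' rows should match the "Attempted to decline" count that the decline query prints when it is run with the same threshold.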

Hope you find this post useful.

Following are some references that will help you go through the WSUS maintenance solution.

https://support.microsoft.com/en-sg/help/4490644/complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maint

https://deploymentresearch.com/Research/Post/665/Fixing-WSUS-When-the-Best-Defense-is-a-Good-Offense

https://mnscug.org/blogs/sherry-kissinger/512-wsus-administration-wsuspool-web-config-settings-enforcement-via-configuration-items

https://home.configmgrftw.com/wsus-cleanup-for-configmgr/

https://damgoodadmin.com/2017/11/30/software-update-maintenance-its-a-thing-that-you-should-do/

How to find custom hardware inventory classes imported (MOF) into ConfigMgr database


The Configuration Manager site database contains a large collection of information about the network, computers, users, user groups, and many other components of the computing environment. Being an SCCM admin, you need to understand the different categories of the SQL views, what information is stored in each view, and how the SQL views can be joined to one another to create reports that return the required information. For more information about SQL views please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Hardware inventory views contain information about the computer hardware. Many hardware inventory views are created in ConfigMgr by default, and many can be enabled or created using the hardware inventory classes dialog box, accessible from client settings. Because of this, it is likely that ConfigMgr sites collect different hardware inventory, resulting in different hardware inventory views.

If you want to know more about how to extend hardware inventory in ConfigMgr, please refer to https://docs.microsoft.com/en-us/sccm/core/clients/manage/inventory/extend-hardware-inventory

The question in the title was asked by one of my customers, as they have a lot of custom hardware inventory classes imported and they want to find a way to list all such custom hardware inventory classes.

Why is it important to know the list of custom hardware inventory classes that are imported (MOF changes)?

One of the reasons, I would think, is to assess whether these custom changes are still needed by the organization. If you have too many custom MOF changes, it enlarges the database and also impacts clients, which send a huge inventory file back to the site server for processing.

The simple way to check the custom MOF configuration is to look at the configuration.mof file that is located in <SCCM installation dir>:\inboxes\clifiles.src\hinv, but I started looking around the database for the list rather than taking notes from the configuration.mof file.

This blog post will help you get the list of custom MOF classes imported into client device settings (Note: If you enable any of the existing classes in inventory settings, not via MOF import, it is not covered in this post).

After going through the SQL views documentation, I found that there is one view called v_InventoryClass that stores all inventory classes enabled in hardware inventory client settings.

v_InventoryClass lists the WMI classes that are collected by ConfigMgr hardware inventory by class ID. The view also shows the WMI namespace, the class name and the name of the class as it will be displayed in Resource Explorer.

So I started querying this SQL view for the inventory classes.

select count(*) Total from v_InventoryClass

There are a total of 161 inventory classes enabled in client device settings.

Out of these 161, how do we tell the custom inventory classes (MOF IMPORT)?

Looking at the above 161 classes, I first thought of picking 'isDeletable', on the assumption that the default classes that come with the ConfigMgr installation would not give you the option to delete, which is not TRUE.

The WMI classes that are enabled by default at the time of ConfigMgr installation, or that are available for you to enable, can also be deleted from inventory settings.

So my next key observation was SMSClassID.

All default classes that are enabled at the time of ConfigMgr installation have an SMSClassID that starts with Microsoft|.

Any custom inventory classes will not have Microsoft as the starting word.

With this information, I started creating a SQL query with a count.

select tmp.[Inventory Type] ,count(*) Total  from
(
select case when IC.SMSClassID like 'Microsoft|%' then 'Default' else 'Custom'  end as 'Inventory Type'
from v_InventoryClass IC
) tmp
group by tmp.[Inventory Type]

To see the list of custom MOF changes, use the following SQL query:

select * from v_InventoryClass IC
where ic.SMSClassID not like 'Microsoft|%'


Hope this helps!

SCCM Collection–how to identify devices that have old AD system discovery timestamp ?


SCCM has multiple discovery methods that help you find different devices on your network, devices and users from Active Directory, or users from Azure Active Directory (Azure AD). Read more about the discovery methods in SCCM: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/about-discovery-methods

AD system discovery helps to discover computer resources that can be used to create collections and queries. You can also install the SCCM client on a discovered device by using client push installation.

In order for AD system discovery to successfully discover a computer in the domain (by creating the DDR record), it must be able to identify the computer account and then successfully resolve the computer name to an IP address (DNS name resolution).

You can check the Active Directory System Discovery logs, which are recorded in the log file adsysdis.log in the <InstallationPath>\LOGS folder on the site server.

In this blog post, we will see how to create an SCCM device collection to identify devices that have an old AD system discovery timestamp (older than 14 days). This helps us find devices that are having issues being discovered through AD system discovery (SMS_AD_SYSTEM_DISCOVERY_AGENT), such as devices that are deleted from Active Directory but still in SCCM, or devices with DNS name resolution problems.

Create a new collection, edit the query and paste the following and click.

Collection (WQL Query):

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System where ((DATEDIFF(dd, SMS_R_SYSTEM.AgentTime, getdate()) > 14) and AgentName ="SMS_AD_SYSTEM_DISCOVERY_AGENT")

Devices that appear in this device collection may have the SCCM agent installed and healthy, but they failed to be discovered through AD system discovery, so their last discovery date is older.

If the devices are deleted in AD but still in SCCM with no active client, they are yet to be cleaned up by the site maintenance tasks.

If you want to find the devices that have not reported via a specific agent and have an old timestamp, simply replace the AgentName in the above collection.

There are different discovery agents available in SCCM; they are listed below.

SQL Query for list of discovery agents:

select AgentName from v_AgentDiscoveries
group by AgentName


AgentName
ConfigMgr
Heartbeat Discovery
MP_ClientRegistration
SMS_AD_SECURITY_GROUP_DISCOVERY_AGENT
SMS_AD_SYSTEM_DISCOVERY_AGENT
SMS_AD_USER_DISCOVERY_AGENT
SMS_AZUREAD_USER_DISCOVERY_AGENT
SMS_NETWORK_DISCOVERY
SMS_WINNT_SERVER_DISCOVERY_AGENT

If you want an SCCM collection for active/inactive computers using the Last Logon timestamp, along with troubleshooting, you can refer to this post: http://eskonr.com/2018/08/sccm-collection-for-active-inactive-computers-using-last-logon-timestamp-and-troubleshooting/

Hope it helps!
