Category Archives: System Center Configuration Manager

Create A Dynamic Collection Containing The Last PC Used By The Member Of An Active Directory Group

During a recent project to roll out Windows Updates using System Center Configuration Manager 2007 R2 (SCCM) I wanted to deploy updates to a user group. Unfortunately, SCCM will only deploy Windows Updates to a collection that contains computers, not users. I used the code below to create an SCCM collection that contains the computer that was last logged onto by a member of a given Active Directory group.

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_COMPUTER_SYSTEM.UserName in (select UniqueUserName from SMS_R_User where SMS_R_User.UserGroupName = "DOMAIN\\GROUPNAME")

To use the code follow the steps below.

Firstly, start the new collection wizard, enter a name and click Next.

Click on the button highlighted in yellow below.

Enter a name and click Edit Query Statement

Paste in the code replacing the domain and group name with your own.  Click OK and finish the wizard.

Find Collections With Maintenance Windows in System Center Configuration Manager 2007 R2

If you need a list of System Center Configuration Manager (SCCM) collections with maintenance windows, run this query against the SCCM site database using SQL Server Management Studio.

SELECT c.Name, c.Comment,SW.Description, SW.StartTime, SW.Duration
FROM v_ServiceWindow SW
JOIN v_Collection C ON C.CollectionID = SW.CollectionID
ORDER BY c.Name

Configure ForeFront Endpoint Protection 2010 with System Center Configuration Manager 2007 R2

These are brief notes on how to configure ForeFront Endpoint Protection (FEP) 2010 to work with System Center Configuration Manager (SCCM) 2007 R2 and set the FEP client to receive definition updates from the SCCM server.

Install the FEP 2010 prerequisites on the SCCM server: http://technet.microsoft.com/en-us/library/ff823830.aspx

Install FEP on the server.  I chose a Basic installation as I wanted all components to install on to the SCCM server.

I wanted the FEP updates to be controlled by SCCM, so installed this hotfix http://support.microsoft.com/kb/2597508

Next I downloaded the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1 http://blogs.technet.com/b/clientsecurity/archive/2011/11/03/how-to-use-the-definition-update-automation-tool-for-forefront-endpoint-protection-2010-update-rollup-1.aspx

Follow the instructions at the link above under the section “How to Configure Configuration Manager for Forefront Endpoint Protection Update and Create Deployment Package and Assignment”. This creates a Deployment Package and Assignment to install the FEP definition updates.

To schedule the update of the FEP definition package with the latest definitions follow the instructions under the section “How to Use Definition Update Automation Tool with Task Scheduler”.

Open your FEP policy and in the Updates tab tick “Use Configuration Manager as the primary source of definition updates”

As I configured the FEP updates to be controlled by SCCM, when the FEP client is first installed the icon turns red because the definitions are out of date.  If you leave the client, it will eventually have the latest definitions pushed to it by SCCM.  However, I wanted to have protection from installation.  In order to get this working I enabled automatic approval of the FEP updates within WSUS.  Using the FEP policy you’re able to tell FEP to go to WSUS for updates if the definitions are older than x days.

To configure WSUS, open the WSUS console from Administrative Tools and navigate to Options.  Open Automatic Approvals, click New Rule and configure it as below.  WSUS will now automatically download FEP updates and they’ll be available to FEP clients via the policy.

 

If you still have issues with the FEP client updating after installation, e.g. when deploying as part of an SCCM operating system task sequence, you can force a definition update from a file share. Set up a script to download the definitions to a share and schedule it to run daily using Task Scheduler. These two posts provide information on how to create the script: http://blogs.technet.com/b/clientsecurity/archive/2010/09/16/using-a-script-to-automate-unc-definition-updates.aspx http://technet.microsoft.com/en-us/library/gg398041

In the SCCM task sequence add a reboot task after FEP has been installed. Configure the reboot step to reboot into the currently installed operating system.

 

Next, add a Command Line step.  Update the share path to match the location of the FEP definitions in your environment.  This will run a manual definition update from the file share.

 

Deploy Intel AMT/HECI/SOL Drivers Using System Center Configuration Manager

This post describes how I deployed the Intel AMT/HECI/SOL Drivers using System Center Configuration Manager (SCCM).

I was deploying the drivers to Dell OptiPlex desktops and Latitude laptops, so I downloaded the drivers from http://support.euro.dell.com/ .  The drivers download as compressed files, so I extract them using 7-zip http://www.7-zip.org/.  This leaves you with a set of files like those below.

In the screenshot above you’ll see the setup.cmd batch file. This is the secret to deploying the drivers using SCCM. The Intel documentation states that you can run setup.exe -s to silently install the drivers. However, when I created a software distribution package and set it to run setup.exe -s the drivers never installed and the installer routine exited due to an invalid command option. What you need to do is create a batch file which calls setup.exe -s and point the software package at the batch file, e.g.

\\SCCMSERVER\SoftwareDistribution\Packages\755_HECI_Driver\setup.exe -s

 

Update Dell BIOS During Operating System Deployment Using System Center Configuration Manager

As part of an Intel AMT deployment I needed to update the BIOS on our Dell OptiPlex desktops and Latitude laptops.  I created a package to run the BIOS update and added this to the operating system task sequence.

Firstly, download the BIOS update from Dell technical support http://support.euro.dell.com/support/  The BIOS file will be named something like 0755-A21.exe .  This is the A21 BIOS revision for the Dell OptiPlex 755.

Next, in System Center Configuration Manager (SCCM) create a standard software package. Set the command line to the BIOS file followed by -NOREBOOT -NOPAUSE . This enables the BIOS update to run silently and without rebooting the system. I additionally set the package to run “whether or not a user is logged on” using the setting on the Environment tab.

Go to your operating system deployment task sequence and choose Add -> General -> Install Software. Select the BIOS update package. Next, click into the Options tab, click “Add Condition”, select “Query WMI” and enter SELECT SMBIOSBIOSVersion From Win32_BIOS WHERE SMBIOSBIOSVersion < "A21". Replace A21 with the BIOS version you’re using for the update. This WMI Query ensures the BIOS is flashed only if it’s older than a given version. I then have a restart task to reboot the machine and flash the BIOS.
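The WMI condition above compares SMBIOSBIOSVersion as a string, which orders correctly only while revisions keep the same zero-padded shape (A09 before A21). The following is an added example, not part of the original post, that goes beyond the A21 case to show where string order and numeric order diverge; Test-BiosOlderThan and the sample revisions are hypothetical and constructed for illustration.

```powershell
# Added example, not from the original post. Test-BiosOlderThan is a hypothetical helper.
function Test-BiosOlderThan {
    param(
        [Parameter(Mandatory = $true)][string]$Installed,
        [Parameter(Mandatory = $true)][string]$Target
    )
    $legacy = '^([A-Za-z])(\d+)$'     # letter + number, e.g. A21
    $dotted = '^\d+(\.\d+){1,3}$'     # dotted, e.g. 1.10.0

    if ($Installed -match $legacy) {
        $iSeries = $Matches[1].ToUpper(); $iNum = [int]$Matches[2]
        if (-not ($Target -match $legacy)) { throw "Format mismatch: $Installed vs $Target" }
        $tSeries = $Matches[1].ToUpper(); $tNum = [int]$Matches[2]
        # Ordering between different letter series is not defined here, so refuse to guess.
        if ($iSeries -ne $tSeries) { throw "Different revision series: $Installed vs $Target" }
        return ($iNum -lt $tNum)
    }
    if (($Installed -match $dotted) -and ($Target -match $dotted)) {
        return ([version]$Installed -lt [version]$Target)
    }
    throw "Unrecognised BIOS revision format: $Installed / $Target"
}

# Constructed sample pairs (installed, target). On a live machine the installed
# value would come from (Get-WmiObject Win32_BIOS).SMBIOSBIOSVersion.
$samples = @(
    @('A09', 'A21'),
    @('A9', 'A21'),
    @('1.9.0', '1.10.0')
)
foreach ($pair in $samples) {
    $installed, $target = $pair
    # Ordinal, case-insensitive string comparison, standing in for the string "<" in the condition.
    $lexical = [string]::Compare($installed, $target, [StringComparison]::OrdinalIgnoreCase) -lt 0
    $numeric = Test-BiosOlderThan -Installed $installed -Target $target
    '{0,-6} < {1,-7} lexical={2,-5} numeric={3}' -f $installed, $target, $lexical, $numeric
}
```

Where the two columns disagree, a string-based condition would skip a machine that actually needs the update, leaving old firmware in place without any error in the task sequence.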

System Center Configuration Manager 2007 R2 Intel vPro/AMT Provisioning Error

When using System Center Configuration Manager 2007 R2 (SCCM) with Intel vPro/AMT technology, there are two stages to the provisioning process. In the second stage the SCCM server attempts to connect to the device that’s being provisioned. This can fail if the SCCM server has a proxy configured without the required proxy exceptions, resulting in the error below:

Error: Can not finish WSMAN call with target device. 1. Check if there is a winhttp proxy to block connection. 2. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn’t support provision through wireless connection. 3. For greater than 3.x AMT, there is a known issue in AMT firmware that WSMAN will fail with FQDN longer than 44 bytes. (MachineId = 11578)

From the command prompt enter “proxycfg -d” to bypass the proxy. Alternatively, open IE, set the proxy server, tick “Bypass proxy server for local addresses” and enter *.%YOURDOMAIN%. Next, from the command prompt enter “proxycfg -u”. This imports the proxy settings from IE.

Retrieving Dell Service Tags using System Center Configuration Manager 2007 R2

I needed a list of the Dell service tags from all our desktops and laptops.  Dell have a product called the Dell Management Console (DMC) http://dell.symantec.com/dmc-tech which can do this, but as we have System Center Configuration Manager 2007 R2 (SCCM) I wanted to use that.  Below is the SQL I used to create the report in SCCM.  The important column is v_GS_PC_BIOS.SerialNumber0

select  distinct v_R_System_Valid.Netbios_Name0 AS [Computer Name],
v_GS_COMPUTER_SYSTEM.Model0 AS [Model],
v_GS_X86_PC_MEMORY.TotalPhysicalMemory0 AS [Memory (KBytes)],
LastBootUpTime0,v_GS_lastsoftwarescan.LastScanDate,v_GS_PC_BIOS.SerialNumber0 AS [Service Tag]
from v_R_System_Valid
inner join v_GS_OPERATING_SYSTEM on (v_GS_OPERATING_SYSTEM.ResourceID = v_R_System_Valid.ResourceID)
inner join v_GS_COMPUTER_SYSTEM on (v_GS_COMPUTER_SYSTEM.ResourceID = v_R_System_Valid.ResourceID)
inner join v_GS_X86_PC_MEMORY on (v_GS_X86_PC_MEMORY.ResourceID = v_R_System_Valid.ResourceID)
inner join v_FullCollectionMembership on (v_FullCollectionMembership.ResourceID = v_R_System_Valid.ResourceID)
left join v_Site on (v_FullCollectionMembership.SiteCode = v_Site.SiteCode)
join v_GS_lastsoftwarescan on  v_GS_lastsoftwarescan.resourceid = v_GS_OPERATING_SYSTEM.ResourceID
join v_GS_PC_BIOS on (v_GS_PC_BIOS.ResourceID = v_R_System_Valid.ResourceID)
Where v_FullCollectionMembership.CollectionID = @CollectionID
and (lower(v_R_System_Valid.Netbios_Name0) like @ComputerName or @ComputerName = '')
and (v_R_System_Valid.Resource_Domain_OR_Workgr0 = @Domain or @Domain = '')
and (v_GS_OPERATING_SYSTEM.Caption0 = @OperatingSystem or @OperatingSystem = '')
and (v_GS_COMPUTER_SYSTEM.Manufacturer0 = @Manufacturer or @Manufacturer = '')
and (v_GS_COMPUTER_SYSTEM.Model0 = @Model or @Model = '')
Order by v_R_System_Valid.Netbios_Name0

Reporting on installed software using System Center Configuration Manager 2007 R2

I recently needed to discover how many computers had Office 2000 installed. System Center Configuration Manager 2007 R2 (SCCM) includes a report called “Computers with specific software registered in Add Remove Programs”, but I wanted to know when the computer was last inventoried and also the specific application version. I cloned the report and updated it to include these additional fields as below.

The SQL for the report is:

Select sys.Netbios_Name0, sys.User_Name0, arp.DisplayName0, Version0, LastScanDate
FROM v_R_System sys
JOIN v_Add_Remove_Programs arp ON sys.ResourceID = arp.ResourceID
JOIN v_FullCollectionMembership fcm ON sys.ResourceID = fcm.ResourceID
JOIN v_GS_LastSoftwareScan lss ON lss.ResourceID = sys.ResourceID
WHERE DisplayName0 = @displayname and fcm.CollectionID=@CollID