Tag Archives: ConfigMgr

SMS_SITE_BACKUP failed. Please see previous errors.

Posted on by
Reply

I ran into this issue, where after sometime the SMS Build-in backup function would fail.
When running the SMS_SITE_BACKUP from Window Services (services.msc) it would fail with some of the following errors:

SMS_SITE_BACKUP failed. Please see previous errors.

Error: SMS Writer service either does not exist or is not running .

Error: GatherWriterMetadata failed.

SMS_SITE_BACKUP failed. Please see previous errors.

STATMSG: ID=5060 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_SITE_BACKUP” SYS=Server001.domain.com SITE=PS1 PID=67372 TID=61212 GMTDATE=Thu Dec 10 01:20:41.530 2020 ISTR0=”Error: GatherWriterMetadata failed.” ISTR1=”” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS

Resolution:
List the VSS writers available with the following command: VSSADMIN list writers
If you find the SMS Writer to be missing run the following commands:

Net stop SMS_SITE_VSS_WRITER
Net start SMS_SITE_VSS_WRITER

This should add it back to the list as shown below. Now restart you SMS_SITE_BACKUP (can be done form services.msc) and review the logfile: smsbkup.log. it should now be running.

The issue here was caused by another backup solution using the Volume Shadow Copy Service (VSS). So fixing also required the other solution to be removed/reconfigured.

List Packages that run in user context (Run with user’s rights)

Posted on by
Reply

Introduction

After last weeks post with the script sample to list Packages that run in user context, there where some good feedback from people still using packages, and requiring a list of packages that install within the user context (Run with user’s rights / Execution mode as user)

It seemed that many was still using Packages, either as a result of legacy migration or to avoid some application re-packaging.

So here is the followup post, with a new script to list all packages and package with programs that run in user context.

From my point of view, its still the same; Using PSADT pretty much any package can be converted to be installed as system, and the needed stuff (registry keys, files etc) in the user context can be added in a structured and controlled way.

I do still come across some applications that i would prefer to have in MSI with all settings etc added, at least for simplicity, for those packages I still prefer to use Advanced Installer.
When talking Advanced Installer, they also have a great support for MSIX, that makes to process so much easier and cost efficient.

This script will list all packages with programs, that is configured to install as user (within the user context)

All you need to do is configure the path to your import module and set the site code.

A file will be created in “C:\TEMP\Packages_and_Programs_Run_Mode_List.csv” with the following format:

“Package Name”,”Package ID”,”Program Name”,”Run with USER’s right”
“My Application”,”BB10001D”,”execute”,”TRUE

With the example above we have a package ‘My Application’ that has a run mode configured: Run with user’s rights

Properties on the program, where the program run enviroment is configured to Run with Users’s rights


Download the script from TechNet Galleryhttps://gallery.technet.microsoft.com/Generate-a-list-of-d8778d4c?redir=0



List Applications that run in user context (Install for User)

Posted on by
Reply

Introduction

When deploying applications sometimes they are created to install within the active users context.
This means that the actual installation requires the users to have the needed permissions to the filesystem, registry and etc.
In some cases local administrative rights are needed to perform the application installation, this is not a good practice.

As applications mature for the modern design of the Windows Operating System or we choose to remove the users administrative rights due to security reasons, we may need to list and change the behavior of existing Applications.

This script was created to list applications that is configured to run with Installation behavior: Install for User

The actual output will end up in the export csv file

Script Download [download id=”893″]



Today with the modern management tools and applications, the users should not have local administrative rights on a permanent basis.
Most, if not all applications can be repackaged to deploy without the need for administrative rights.



Useful links:

PowerShell Application Deployment Toolkit: https://psappdeploytoolkit.com
Advanced Installer: https://www.advancedinstaller.com/
Access Director Enterprise: https://ctglobalservices.com/access-director-enterprise/



Configuration Manager 1810 Installation – Prerequisite Check – SQL Server Native Client Version

Posted on by
Reply

I came across this error while adopting the Configuration Manager 1810 (Early Update Ring)

[Completed with warning]:Verifies that the version of Microsoft SQL Server Native Client installed on the site server meets the minimum requirements to enable TLS 1.2 support. https://go.microsoft.com/fwlink/?linkid=2026746

I was apparently running an older SQL Native client version, that did not support TLS 1.2 which is required for ConfigMgr 1810.
Review your SQL versions and update to a version that supports TLS 1.2:

This link provides information about the updates that Microsoft is releasing to enable TLS 1.2 support for SQL Server 2017 on Windows, SQL Server 2016, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012, and SQL Server 2014. This article also lists supported client providers.

Download and install the correct update for your existing SQL version.
Reboot and proceed with the 1810 update.

If your looking for the ConfigMgr 1810 package to enable early update ring follow this link

The package adds your hierarchy or standalone primary to the early update ring for Update 1810 for the current branch of System Center Configuration Manager. The package is signed and bundled inside a signed self-extracting executable.

Note: The 1810 update is only applicable to 1710 and higher versions of System Center Configuration Manager

Windows 10 Registry tweak to disable Microsoft Edge Icon for MDT or ConfigMgr

Posted on by
Reply

The icon for Microsoft Edge is now placed by default in every user profile.
It is not placed in Public Desktop, but created for each user at logon (DOH!)

Thank god there is way to stop this behavior.

You can simple add the following registry key:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
Value: DisableEdgeDesktopShortcutCreation
Data: 1
Type: REG_DWORD

If your using MDT (Microsoft Deployment Toolkit) or ConfigMgr (System Center Configuration Manager)
You can add the following oneliner task sequence step, to stop the creation of the Microsoft Edge icon.
Commandline: reg.exe add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer /v DisableEdgeDesktopShortcutCreation /t REG_DWORD /d 1

In case your wondering what i have in the steps to disable Cortana, let me share them:

Registry tweaks for Build and Capture or Windows 10 Deployment task sequences

Disable Cortana Voice:
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v DisableVoice /t REG_DWORD /d 1

Disable Cortana Search:
reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search” /v “AllowCortana” /t REG_DWORD /d 0 /f

Disable Cortana Search Box:
reg add “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search” /v “SearchboxTaskbarMode” /t REG_DWORD /d 0 /f

Using SCCM CI Baseline to check for expiring user certificates

Posted on by
Reply

The topic is almost self explaining.

You need to monitor specific user-based certificates, to avoid a situation where they have already expired.

You can add this to your daily security compliance checklist.

Prerequisites for running CIs can be found here: Compliance Baseline prerequisites

  1. Create Configuration Item

Go to Assets and Compliance, Compliance settings Configuration Items, right click and select Create a new configuration item:

Create Configuration Item

Provide the name CI – Script – USER CERT Expiration check, leave the configuration item type as Windows and press Next:
Configuration Item Wizard

Optionally you can provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console.

Select the OS where this configuration item assumes to be applied and click Next
client operating systems that will assess this configuration item for compliance

To create Configuration Item, click New:
Create Configuration Item Wizard

Type in the name CI – Script, from drop down of settings type select Script and data type as String.

There are two options to specify where a script would reside

– Discovery Script

– Remediation Script

Remediation is not handled in this post.

To place discovery script since to evaluate compliance, click on Add Script.

Please note that this script needs to be runin the logged-on user context, therefore please check “Run scripts by using the logged on user credentials”

Create Setting

Select script language as Windows PowerShell and type in the script (see attached USER_CERT_Expiration _Discovery.ps1) in the Script field:
Edit Discovery Scripts

#

$Compliance = ‘Compliant’

$Check = get-childitem -path cert:\currentuser -recurse | where-object {$_.thumbprint -eq ‘‎‎‎‎‎‎245c97df7514e7cf2df8be72ae957b9e04741e85’}| where { $_.notafter -le (get-date).AddDays(30)}

If ($Check) {$Compliance = ‘NonCompliant’}

$Compliance

#

Script download: [download id=”787″]

and click OK

Click Next

Specify settings for this operating system

After the script is in place, you can click the “Compliance Rules” tab. Now compliance rule needs to be created. This rule will determine how the compliance is reported once the script runs on a computer (based on how the compliance a machine could be either Compliant or NonCompliant).

 

Click on New

Specify complance rules for this operating system

Type in the comSpecify rules to define compliance conditions for this settingpliance rule name and click on Browse:

Select the name of the configuration setting that just created (if not already selected and then click on Select):
Select a setting for this rule

In the Rule Type select Value and then select if the value returned is Equals to Compliant.

Click OK

Click Next
Use compliance rules to specify the condition that make a configuration item setting compliant

Next screen presents the summary of the settings, if any changes are needed then you can go back and make changes here. Click Next.

create an operating system configuration item with the following settings

Configuration Item is ready now.
The Create Configuration Item Wizard completed successfully

Next step is to create Configuration Baseline.

  1. Create Configuration Baseline

Right click Configuration baseline and create configuration baseline.
Create Configuration Baseline

Type the name of configuration baseline CB – Script – USER CERT Expiration check. Click on add and select configuration item from drop down menu.
Specify general information about this configuration baseline

Please make sure that Purpose set to Required!

Select the configuration item just created and click OK. This would finish creating configuration baseline.

Add Configuration Item

Now it is time to deploy this base line to relevant Users Collection(-s).

  1. Deploy the Configuration Baseline

    Go to configuration baseline and right click and select Deploy.
    Deploy Configuration Baseline

Select the configuration baseline CB – Script – USER CERT Expiration check.

Browse and point it to targeted Users collection (its recommended to run it for some limited collection for testing before deployment to production)

Change the evaluation schedule as per as your requirements (taking in consideration that in case of it seems to be critical for your environment, in production running this CB probably once a day is recommended)

Again, the key thing here is to be sure that you deploy this CB to users and not to your systems!

Select the configuration baseline that you want to deploy to a collection

Click OK

Note: When the configuration baseline is deployed, please allow that it can be evaluated for compliance within about two hours of the start time that you schedule.

  1. Verify that a device has evaluated the Configuration Baseline

To check it on a Windows PC client (general recommendation to do it for all targeted OS client types)

On a Device, go to Control Panel, System and Security and open the Configuration Manager applet. In the Configurations tab you’ll see what Configuration Baselines the client will evaluate at its specific schedule. Click on configurations and click on “Evaluate”, “Refresh” and then “View Report”.
As shown in the pictures below, Configuration Baseline was evaluated to be Compliant or Not
Configuration Manager Properties

Report view

Report view, non-compliant

 

Unified Extensible Firmware Interface (UEFI)

Posted on by
Reply

Unified Extensible Firmware Interface

For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. UEFI is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.

Introduction to UEFI

BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:

  • 16-bit code
  • 1 MB address space
  • Poor performance on ROM initialization
  • MBR maximum bootable disk size of 2.2 TB

As the replacement to BIOS, UEFI has many features that Windows can and will use.

With UEFI, you can benefit from:

  • Support for large disks. UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
  • Faster boot time. UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
  • Multicast deployment. UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
  • Compatibility with earlier BIOS. Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
  • CPU-independent architecture. Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
  • CPU-independent drivers. On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
  • Flexible pre-operating system environment. UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
  • Secure boot. Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader.

Versions

UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.

Hardware support for UEFI

In regard to UEFI, hardware is divided into four device classes:

  • Class 0 devices. This is the UEFI definition for a BIOS, or non-UEFI, device.
  • Class 1 devices. These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
  • Class 2 devices. These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
  • Class 3 devices. These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS.

Windows support for UEFI

Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers.

With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system.

How UEFI is changing operating system deployment

There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:

  • Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
  • When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
  • When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB.
  • UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit).