WSUS/SCCM DB Cleanup (SCUP)

More and more often it seems that the WSUS DB becomes too large that it causes multiple issues especially with SCCM integration (SCUP). You may not be able to perform the required maintenance using scripts (Download Here)  but often enough the service will crash thus you will need to troubleshoot at the SQL/WID level to perform a cleanup.

SQL/WID Cleanup Queries

Download the scripts here and run in order:

SQLQuery – 1 Remove Unused Updates
SQLQuery – 2 Remove Hidden Updates
SQLQuery – 3 Re-index Database

If your SUSDB is on a dedicated SQL Instance, connect to that  server/DB and run the SQL Queries.

If you are running Windows Internal Database, this will still require SQL Management Studio (Run As Administrator)

Server Name to connect to

2012 (or later) \\.\pipe\MICROSOFT##WID\tsql\query
2003 & 2008  \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query

SCCM 1806 – Site server high availability

Starting in Configuration Manager version 1806, high availability for the site server role is a Configuration Manager-based solution to install an additional site server in passive mode. The site server in passive mode is in addition to your existing site server that is in active mode. A site server in passive mode is available for immediate use, when needed. Include this additional site server as part of your overall design for making the Configuration Manager service highly available.

A site server in passive mode:

  • Uses the same site database as your site server in active mode.
  • Doesn’t write data to the site database when it’s in passive mode.
  • Uses the same content library as your site server in active mode.

To make the site server in passive mode become active, you manually promote it. This action switches the site server in active mode to be the site server in passive mode. The site system roles that are available on the original active mode server remain available so long as that computer is accessible. Only the site server role is switched between active and passive modes.

Find out more here: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/site-server-high-availability

SCCM Third Party Patching

Currently a Pre-Release feature with 1806, Third Party Patch management is finally on it’s way!!

Here is a great video from Patch My PC covering the new feature.

SCCM OSD PXE problems with USB Adapters

A rather annoying issue I have come across with PXE imaging on PC’s with a USB adapter is a conflict with duplicate MAC as the adapter itself has a MAC address and does not pass through from the PC itself. If you look into the SMSPXE.log this will reveal the issue

Manage duplicate hardware identifiers

Providing a list of hardware identifiers that Configuration Manager ignores for the purpose of PXE boot and client registration, helps to address two common issues.

  1. Many new devices, like the Surface Pro 3, do not include an onboard Ethernet port. Technicians use a USB-to-Ethernet adapter to establish a wired connection for purposes of operating system deployment. However, these adapters are often shared due to cost and general usability. Because the MAC address of this adapter is used to identify the device, reusing the adapter becomes problematic without additional administrator actions between each deployment. To reuse the adapter in this scenario, exclude its MAC address.
  2. While the SMBIOS attribute should be unique, some specialty hardware devices have duplicate identifiers. Exclude this duplicate identifier and rely on the unique MAC address of each device.

To add hardware identifiers for Configuration Manager to ignore

  1. In the Configuration Manager console, go to Administration > Overview > Site Configuration > Sites.
  2. On the Home tab, in the Sites group, choose Hierarchy Settings.
  3. On the Client Approval and Conflicting Records tab, choose Add in the Duplicate hardware identifiers section to add new hardware identifiers.

SCCM Cannot Disable Peer-Cache

SCCM peer cache was introduced in 1610 as a pre-release future and eventually made it into production.

As there was quite limited documentation around the feature at the time, there have been several eager admins who have likely  enabled this without understanding how it works and the consequences.

5

After disabling the feature in client settings, clients started to remove from the Super Peers list however not all.

To check the Super Peers list you will need go to the SQL database your SCCM instance is hosted on.

Select * from SuperPeers

Symptoms

The symptoms you will are slow OS deployement, slow applications download (Downloading stuck 0% for a while) from Software Center, or even when deploying updates.

CAS.log reported a long download locations list before the SCCM was even considered, so the server still reports these sources as active peer cache clients.

2

DataTransferService.log then reports a bunch of errors, because the feature is disabled on clients and content can’t be reached, then the client waits a bunch of seconds and proceeds with the next download location.

3

During OS deployment I noticed that placing a computer on the same subnet as the SCCM distribution point, it is considered first in the list, so the issue is … work-arounded?

4

Causes

I didn’t understand at first if this was BranchCache or PeerCache related. I tried a lot of things: re-enabling the feature then disable it again, changed my boundaries and boundary groups so that they are managed by IP address range, removed the “Allow clients to share content[…]” from applications (which is BranchCache related).

https://blogs.technet.microsoft.com/umairkhan/2017/06/12/configmgr-1702-the-case-of-unexplained-client-peer-cache-not-getting-disabled-even-after-disabling-it-via-client-settings/

This is the exact case. Read it, because this is gold. Even the introduction and myth-busting about BranchCache and PeerCache is worth a read.

The setting is disabled on computers, but the site server is not aware. Apparently there’s an issue when the client sends back a state message stating  to the site server, I’m not a superpeer, remove me from the list.

Verifying the WMI informations on a “guilty” computer (one of those appearing in CAS.LOG) with WMI Explorer

6

The setting is consistent with the deployed client settings. So the computer knows.

Let’s see if the client is in the “SuperPeers” table on the DB

Select * from System_DISC where Name0 like ‘ComputerName_still_in_Superpeer_list’

get the ItemKey from there, and

Select * from SuperPeers where ResourceID = ‘ItemKey’

7

8

So the client is still a SuperPeer for SCCM, and the same ResourceID also appears in SuperPeerContentMap for every application or package it is (was) able to distribute.

Select * from SuperPeerContentMap where ResourceID = ‘ItemKey’

9

So, how do we get rid of this data (which is now complete garbage, since I disabled the setting globally) ?

The Fix

As always make a backup of your database before running these commands. This will delete all the table information for Peer Cache information.

delete from SuperPeerContentMap

delete from SuperPeers

Test again from your clients to verify that everything now works!

GPO Backup and Email of GPO Modifications

Recently I wrote a Powershell script that backs up Group Policies and also sends an email of Group Policies modified within a specified time.  Works well setup on a scheduled task to take care of GPO Backups.

Download Here: GPO_Backup_1.2

The following fields can be modified to suite your requirements

$BUlocation = "C:\GPOBackups" #where the GPOs Backups will be located
$BUresults = "Backup-results.txt" #name of the ouput file (for reference)
$days = 15 #number days old bacups to be auto deleted
$dc = "domaincontroller" #hostname of the DC for backing up
$SMTPserver = "smtp.domain.com" #SMTP server name
$SendTo = "reciepient@domain.com" #Send email to this address

Also for the email sent you can change how long to capture the modifications

eg. 24 Hours

$body = Get-GPOModifications -Hours 24

eg. 7 Days

$body = Get-GPOModifications -Days 7

Hope you find this one useful 🙂

Error sending DAV request. HTTP code 500 (HTTP Error 500.19 – Internal Server Error)

From a client they were not able to download any content, after investigation the DataTransferService.log I could see the following error

Error sending DAV request. HTTP code 500, status 'Internal Server Error'   DataTransferService       24/08/2017 8:21:17 AM       3972 (0x0F84)

GetDirectoryList_HTTP('http://SERVERNAME:80/SMS_DP_SMSPKG$/f4e4ea5d-49ad-423a-9cac-cea869e6e1d7') failed with code 0x87d0027e.      DataTransferService       24/08/2017 8:20:47 AM  28624 (0x6FD0)

After browsing to the server http://localhost/SMS_DP_SMSSIG$ it would return a HTTP Error 500.19 – Internal Server Error.

As WSUS was previously installed on this sever it was the culprit behind it. I had a look at the ApplicationHost.config file and noticed that suscomp.dll was still installed by WSUS even though it had been removed.

To verify that suscomp.dll is configured

  1. Go to C:\windows\system32\inetsrv\config and locate the ApplicationHost.config file
  2. Open it with notepad and look for the following lines below
    scheme name=”xpress” doStaticCompression=”false” doDynamicCompression=”true”
    dll=”C:\Windows\system32\inetsrv\suscomp.dll” staticCompressionLevel=”10″
    dynamicCompressionLevel=”0″ />

Resolution

  • The following command needs to be run to disable the suscomp.dll that was installed when the WSUS server role was installed.From an elevated command prompt running the following.
    %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']
  •  If you need to re-enable this just change it slightly and run this command.
     %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /+[name='xpress',doStaticCompression='false',dll='%windir%\system32\inetsrv\suscomp.dll']

Software Metering Reports not working for new Rules

I came across an issue today  that when I created some new software metering rules that no data was being reported back and the reports were empty.

After a quick search the recommendation is to delete the RULECHG.RTA file from the “%installdir%\Microsoft Configuration Manager\inboxes\policypv.box” inbox, however I found that this file did not exist. Rather I had a lot of RT4, RT6 &  RT18 files.

To fix what I had done was remove the rules I created,  remove those files from the policypv.box inbox (copy to a temp folder). Create the rules again and check the reports.

It seems the rules were actually effective as data was being collected however no data was showing, since putting the fix in above the data now shows.

SCCM 1702 Upgrade – What to be aware of!

SCCM 1702 is now available under the current branch model. There are some new features that come along with this but also some items to be aware of.

What is be being dropped?

  • SQL Server 2008 R2, for site database servers. This version of SQL Server remains supported when you use a Configuration Manager version prior to version 1702.
    ..
  • Windows Server 2008 R2, for site system servers and most site system roles. This version of Windows remains supported when you use a Configuration Manager version prior to version 1702.
    ..
    Beginning with version 1702, this operating system is not supported for site servers or most site system roles, however versions prior to 1702 continue to support its use. This operating system does remain supported for the state migration point and distribution point site system role (including pull-distribution points, and for PXE and multicast) until deprecation of this support is announced, or this operating system’s extended support period expires.
    ..
  • Windows Server 2008, for site system servers and most site system roles.
    ..
    This operating system is not supported for site servers or site system roles with the exception of the distribution point and pull-distribution point. You can continue to use this operating system as a distribution point until deprecation of this support is announced, or this operating system’s extended support period expires
    ..
  • Windows XP Embedded, as a client operating system. This version of Windows remains supported when you use a Configuration Manager version prior to version 1702.

Be sure to read this extensively: https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/removed-and-deprecated-features

What is coming?

  • Close executable files at the deadline when they would block application installation – If executable files are listed on the Install Behavior tab for a deployment type and the application is deployed to a collection as required, then a more intrusive notification experience is provided to inform the user, and the specified executable files will be closed automatically at the deadline
    ..
  • Support for Windows 10 Creators Update – This version of Configuration Manager now supports the release of upcoming Windows 10 Creators Update
    ..
  • Express files support for Windows 10 Cumulative Update – Configuration Manager now supports Windows 10 Cumulative Update using Express files
  • Customize high-risk deployment warning – You can now customize the Software Center warning when running a high-risk deployment, such as a task sequence to install a new operating system.

As per any upgrade, make sure you check everything and what is supported. Make sure to run the Pre-Req first to start your planning.

SCCM – Server OS upgrade from 2008R2 to 2012R2

I recently completed an OS upgrade of my environment from 2008R2 to 2012R2 on a CAS>Primary Hierarchy. I found the documentation a bit limiting especially post install as without a doubt there are some issues you are bound to run into. So what is a good way going about the process? I broke this up into 3 main steps

  1.  Prepare the OS Drive by cleaning up data (a Windows.Old Directory is stored post upgrade that consumes a lot of space)
  2. The OS upgrade itself. (If using a VM, Snapshot!)
  3. Post upgrade Tasks and remediation

1. Preparation

  • Check Disk space of OS Drive
  • Delete old log files in inetpub.
  • Install desktop experience so that you get the Disk cleanup utility to use post upgrade.
  • If using a static IP, take note of these details as the upgrade will change to DHCP
  • Uninstall WSUS 3.0 SP2
  • Remove the Software Update Point Role from SCCM
  • Stop the SCCM site using Presinst.exe /StopSite (Stopping the CAS server will stop the whole hierarchy)
  • Create a snapshot here if you have a VM

2. OS Upgrade

Just like any OS upgrade, however you are doing it. In this case with a VM the ISO was mounted the the in place upgrade was kicked off.

 

3. Post upgrade:

  • Ensure the Windows Deployment Service is started and running for the following site system roles (this service is stopped during upgrade):
    • Site server
    • Management point
    • Application Catalog web service point
    • Application Catalog website point
    • Ensure the Windows Process Activationand WWW/W3svc services are enabled, set for automatic start, and running for the following site system roles (these services are disabled during upgrade):
  • Site server
  • Management point
  • Application Catalog web service point
  • Application Catalog website point

Ensure each server that hosts a site system role continues to meet all of perquisites for site system roles that run on that server. For example, you might need to reinstall BITS, WSUS, or configure specific settings for IIS.

Below are the common issues I came across and the fix for each.

Application Catalog does not connect

http://blogs.microsoft.co.il/u-btech/2016/05/25/sccm-1602-application-catalog-is-broken-after-windows-server-inplace-upgrade/

After upgrading SCCM OS the application server config point stopped working. This is due to .Net 4.5

Cannot connect to the application server error message below.

When looking in the Site Component node, I could see that the SMS_AWEBSVC_CONTROL_MANAGER possess a warning sign which was in fact a several error notifications with the following description:

After installing .Net framework 4.5.2,  rebooting the server I still had that same error message.

Again, browsing to  http://localhost/CMApplicationCatalogSvc/applicationofferService.svc resulted in providing me a lead to an error in a line (which can be a result of one of my troubleshooting steps before writing these words) fixing a line in the file: “C:\Program Files\SMS_CCM\CMApplicationCatalogSvc\Web.config”

from:

<serviceHostingEnvironment>
<baseAddressPrefixFilters>
<add prefix=”HTTP://SCCM.U-BTech.COM:80“/></baseAddressPrefixFilters>
</serviceHostingEnvironment>

To:

<serviceHostingEnvironment>
<baseAddressPrefixFilters><add prefix=”HTTP://SCCM.U-BTech.COM:80″/></baseAddressPrefixFilters>
</serviceHostingEnvironment>

And performing IISReset was the last piece in that puzzle that fortunatly solved the problem.

Console not working Remotely

Post upgrade the WMI permissions get overwritten thus the console does not work remotely any longer.

On the site server launch wmimgmt.msc console.

Then browse to root / SMS and root / SMS / site_[site name]. Add the SMS Admins local group back to both of these, and make sure they have Execute Methods, Provider Write, Enable Account, and Remote Enable allowed.

 

WSUS High CPU/Memory Usage

I also had multiple issues with WSUS 4.0 post upgrade. Most importantly was to patch the OS so that it is current. Also had to apply the steps in my post below to resolve the issue.

IIS w3wp.exe 100% CPU, WSUS and SCCM

Happy Upgrading!!