Channel: SCCM Reports – All about Microsoft Endpoint Manager

SCCM Configmgr check if allow clients to use fallback source location for content is selected or not

I have seen the question 'How to get applications/deployment types that have "Allow clients to use fallback source location for content" checked or not' asked a couple of times on the SCCM Configmgr forums.

Allow fallback source location for content: This feature is designed to allow a client to gain access (fall back) to content that is not available on a Distribution Point (DP) located in its Boundary Group.

If this feature is not implemented correctly, it can lead to unexpected results and high network utilization over remote WAN links.

For more information about fallback source location and distribution point, please read TechNet article https://technet.microsoft.com/en-us/library/gg712321.aspx?f=255&MSPPError=-2147217396#BKMK_PreferredDistributionPoint .

When this question was asked, I thought I would look at it when I got time; it later went onto my to-do list due to time constraints, and I had not looked at it in recent days.

Recently, I had a similar requirement: identify the list of applications with their deployment type properties, to find out how many of them do not have the option 'Allow clients to use fallback source location for content' checked, along with their download options (slow or unreliable network boundary).

If you want to know the list of applications that have this option checked or not, there is no default report and no easy way to check in the console either.

You have to create either a custom report or a PowerShell (PoSH) script.

When you create an application using the application wizard, a couple of options are not shown in the GUI (unless you use scripting to create apps), such as allowing clients to use a fallback source location and the deployment options.

If you have only a few applications in SCCM, it is easy to check manually by right-clicking the deployment type and looking for this option. But what if you have a large number of applications with multiple deployment types and want them displayed in a report?

Before we create a report for this, we need to identify which table/view stores this information; once we have identified the right view, we can write the SQL query.

Application and deployment type property information in SCCM 2012 and above is not stored directly in a database view; instead, it is stored as XML, returned by the function fn_ListDeploymentTypeCIs(1033) in the column SDMPackageDigest.

Once we know where the application deployment property information is stored, we need to know how to extract the required information from this XML.

This XML contains a lot of information, of which we only look at a few important fields: application name, deployment name, type, UserInteractionMode, ExecutionContext, RequiresLogOn, FallbackToUnprotectedDP, OnSlowNetwork. If you want to retrieve other information from the XML, customize the report yourself.

To know more about the XML and how to extract information from it using a SQL query, read here.

The setting for 'Allow clients to use fallback source location for content' is stored in the XML as FallbackToUnprotectedDP, with the value true or NULL.

The option selected under Deployment options, as shown in the diagram (either 'Do not download content' or 'Download content from distribution point and run locally'), is stored as OnSlowNetwork, with the value Download, DoNothing or NULL.
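The extraction described above, as an added example (it is not the SQL inside the downloadable report): it shreds FallbackToUnprotectedDP and OnSlowNetwork out of deployment type XML and lists the deployment types where fallback is not enabled. The three digests are constructed sample data, and the namespace and element paths are assumptions about the AppMgmtDigest layout that should be checked against a real SDMPackageDigest value from your site.

```sql
-- Added example. The digests below are constructed and trimmed to the two
-- elements this report needs. On a real site, read the XML from the
-- SDMPackageDigest column of fn_ListDeploymentTypeCIs(1033) instead of @dt.
DECLARE @dt TABLE (
    DTName           nvarchar(256),
    SDMPackageDigest xml
);

INSERT INTO @dt (DTName, SDMPackageDigest) VALUES
(N'App A - MSI (constructed)',
 N'<AppMgmtDigest xmlns="http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest">
     <DeploymentType>
       <Installer Technology="MSI">
         <Contents>
           <Content>
             <FallbackToUnprotectedDP>true</FallbackToUnprotectedDP>
             <OnSlowNetwork>Download</OnSlowNetwork>
           </Content>
         </Contents>
       </Installer>
     </DeploymentType>
   </AppMgmtDigest>'),
(N'App B - Script (constructed)',
 N'<AppMgmtDigest xmlns="http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest">
     <DeploymentType>
       <Installer Technology="Script">
         <Contents>
           <Content>
             <OnSlowNetwork>DoNothing</OnSlowNetwork>
           </Content>
         </Contents>
       </Installer>
     </DeploymentType>
   </AppMgmtDigest>'),
(N'App C - Script (constructed)',
 N'<AppMgmtDigest xmlns="http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest">
     <DeploymentType>
       <Installer Technology="Script">
         <Contents>
           <Content />
         </Contents>
       </Installer>
     </DeploymentType>
   </AppMgmtDigest>');

-- The digest uses a default namespace, so the XQuery paths only match once
-- that namespace is declared.
;WITH XMLNAMESPACES (
    DEFAULT 'http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest'
),
shredded AS (
    SELECT
        d.DTName,
        -- value() returns NULL when the element is absent, which is how an
        -- unchecked option shows up (true or NULL, as described above).
        d.SDMPackageDigest.value(
            '(/AppMgmtDigest/DeploymentType/Installer/Contents/Content/FallbackToUnprotectedDP)[1]',
            'nvarchar(10)') AS FallbackToUnprotectedDP,
        d.SDMPackageDigest.value(
            '(/AppMgmtDigest/DeploymentType/Installer/Contents/Content/OnSlowNetwork)[1]',
            'nvarchar(20)') AS OnSlowNetwork
    FROM @dt d
)
SELECT
    DTName,
    CASE WHEN FallbackToUnprotectedDP = 'true' THEN 'Yes' ELSE 'No' END AS [Fallback Allowed],
    ISNULL(OnSlowNetwork, 'Not set') AS [On Slow Network]
FROM shredded
-- Keep only deployment types where the fallback option is NOT checked;
-- remove the WHERE clause to list every deployment type.
WHERE FallbackToUnprotectedDP IS NULL OR FallbackToUnprotectedDP <> 'true'
ORDER BY DTName;
```

With the constructed data, App B and App C are returned and App A is filtered out.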

I have created an SSRS report for you. All you need to do is download the report from TechNet, upload it to your SSRS reports, change the data source and run the report.

Note: If you have a large number of applications and are looking ONLY for deployment type names that do not have 'Allow clients to use fallback source location for content' checked, you may have to edit the report and add a filter to list only those applications instead of listing everything in your SCCM.

What does the report look like?

Hope you enjoyed reading this article.

See you in the next post!


SCCM Configmgr How to get list of deployments set to OverrideServiceWindows and RebootOutsideOfServiceWindows

Introduction:

A few months ago, we had an issue with one of the deployments (software updates) that was deployed to a collection with the override service window option, because an emergency patch had to be installed on the clients.

The deployment went fine and the results were positive. All good, but after a few days some clients were added to that collection. As soon as clients are added to the collection, they receive the new policy and scan against the deployed software updates to check whether they are already installed; if not, they try to install right away because of the 'Override Service Window' setting. What happens after the installation? If the deployed patch requires a reboot, the client checks whether any maintenance window (MW) is available for the reboot: if there is no maintenance window, it reboots; otherwise it waits for the maintenance window.

Unfortunately, some of the newly added clients had a maintenance window on a different collection in the next few days, which no one noticed, and the client REBOOTED.

If any such unplanned reboot occurs, you must be in a position to explain the root cause and how you are going to prevent such issues in the future, with an RCA (root cause analysis).

So a request came in to create a report that helps identify how many such deployments (application, package or software update) exist with the OverrideServiceWindows and RebootOutsideOfServiceWindows options selected.

I got some time to allocate to this request, so I am posting it here in case you need to identify such deployments (applications, packages, software updates, baselines).

The screen below shows the deployment settings under the User Experience tab, with the user notifications, deadline behavior and device restart behavior settings.


How to get the list of deployments with OverrideServiceWindows and RebootOutsideOfServiceWindows selected?

To get information about OverrideServiceWindows and RebootOutsideOfServiceWindows for deployments, you first need to identify the right SQL views in SCCM.

All deployment information (packages, applications, baselines, software updates) is stored in the view v_CIAssignment.

So I used this view to retrieve the information and put it in an SSRS report, with options to choose Yes or No for OverrideServiceWindows and RebootOutsideOfServiceWindows.
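A query of the kind described above, as an added example (it is not the SQL inside the downloadable report): it lists deployments by their OverrideServiceWindows and RebootOutsideOfServiceWindows flags and, for the incident described in the introduction, counts targeted clients that have a maintenance window on any collection. The use of v_ServiceWindow with its CollectionID and IsEnabled columns is an assumption to verify against your site database.

```sql
-- Added example. @Override and @Reboot mirror the report's Yes/No prompts.
DECLARE @Override bit = 1;   -- 1 = OverrideServiceWindows selected
DECLARE @Reboot   bit = 1;   -- 1 = RebootOutsideOfServiceWindows selected

SELECT
    cia.AssignmentID,
    cia.AssignmentName,
    cia.CollectionID,
    cia.CollectionName,
    cia.EnforcementDeadline,
    CASE WHEN cia.OverrideServiceWindows = 1 THEN 'Yes' ELSE 'No' END
        AS [Override Service Windows],
    CASE WHEN cia.RebootOutsideOfServiceWindows = 1 THEN 'Yes' ELSE 'No' END
        AS [Reboot Outside Service Windows],
    -- Every client currently in the target collection, including clients
    -- added after the deployment was created.
    COUNT(DISTINCT fcm.ResourceID) AS [Targeted Clients],
    -- Of those, clients that have an enabled maintenance window through
    -- membership of any collection. These are the clients whose window the
    -- deployment will not wait for.
    COUNT(DISTINCT mw.ResourceID)  AS [Clients With A Maintenance Window]
FROM v_CIAssignment cia
LEFT JOIN v_FullCollectionMembership fcm
       ON fcm.CollectionID = cia.CollectionID
LEFT JOIN (
        -- Assumed view and columns: v_ServiceWindow (CollectionID, IsEnabled)
        SELECT DISTINCT m.ResourceID
        FROM v_ServiceWindow sw
        JOIN v_FullCollectionMembership m
          ON m.CollectionID = sw.CollectionID
        WHERE sw.IsEnabled = 1
     ) mw
       ON mw.ResourceID = fcm.ResourceID
WHERE cia.OverrideServiceWindows = @Override
  AND cia.RebootOutsideOfServiceWindows = @Reboot
GROUP BY
    cia.AssignmentID,
    cia.AssignmentName,
    cia.CollectionID,
    cia.CollectionName,
    cia.EnforcementDeadline,
    cia.OverrideServiceWindows,
    cia.RebootOutsideOfServiceWindows
ORDER BY [Clients With A Maintenance Window] DESC, cia.AssignmentName;
```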

Below is how the report looks: choose the options you want and, based on the selection, the report gives you the deployment information.

As usual, I have posted the report to the TechNet Gallery. Download it from Here, upload it to your SSRS reports, change the data source and run it.

SCCM Configmgr report for local admins and local group members


I had a requirement to generate a report listing the members (users/groups) of the local Administrators group on servers for auditing purposes. Finding the users/groups that are members of the local Administrators group manually or by scripting is a tedious task across all servers. If you manage the devices with Configuration Manager, you can leverage Configmgr to get this task done easily.

By default, Configmgr has no built-in solution or report to get the members of the local Administrators group, but we can achieve this with a custom solution. The only solution that I have tried earlier, and seen people using, is the one provided/blogged by Sherry Kissinger.

Sherry's solution is to create a configuration item/configuration baseline with a VBScript, deploy it to a collection, import a MOF file into the client agent settings to pull the custom WMI changes made by the script, and run a report to get the required information.

If you search online for this subject, you will mostly hit TechNet forum threads/blogs that refer to the following links.

http://myitforum.com/cs2/blogs/skissinger/archive/2010/04/25/report-on-all-members-of-all-local-groups.aspx

https://mnscug.org/blogs/sherry-kissinger/244-all-members-of-all-local-groups-configmgr-2012

http://mnscug.org/images/Sherry/WMIFrameworkForLocalGroupswithLogging.zip

I tried this solution long ago for some of my customers and it worked fantastically, but I did not blog about it as there were already posts available online.

I started to follow the above blogs a few days ago for my task, but for some reason these URLs are not active. So during my online search, I found a few other blogs that talk about this solution.

I tried importing the cab file from Sherry's blog into a configuration baseline, but for some unknown reason the import did not succeed on either Configmgr 2012 or Configmgr Current Branch 1610. Both environments gave the following error.

I am not the only one facing an issue while importing the cab file; many more people have posted about it on TechNet looking for a solution.

So I started creating the configuration items and configuration baseline, making the changes to the client agent settings (MOF file) and generating the report.

I am attaching the configuration baseline cab file here for you to download, extract and import into your Configmgr 2012 or Configmgr Current Branch 1610. Simply deploy it to your required collection and import the MOF file into the client agent settings for hardware inventory.

If you see any issues while importing the cab file into a configuration baseline, follow the steps illustrated below to implement this solution step by step.

In this blog post, I will show you how to create the configuration item and configuration baseline with the script that Sherry provided, make the MOF changes in client settings, wait for hardware inventory and create a SQL query to run the report.

There are 2 VBScripts available online: 1) get members of the local Administrators group ONLY (WIN32_localadmins); 2) get members of all local groups on the machine (cm_localgroupmembers).

Script 1 gets you the users/groups that are members of the Administrators group ONLY, and script 2 gets you the members of all locally created groups.

I have attached both scripts in the download section for your reference, in case you don't want information for all groups.

Note: This task can be achieved in 2 ways, either by deploying the script as a package or by deploying the script using the baseline method, but the prerequisite is a recurring deployment or a recurring DCM baseline/CI.

Steps in brief:

1. Import the MOF file into the default client agent settings, but do not select the changes in the default client agent settings. You can select these changes in custom client agent settings to deploy to a collection.

2. Create the configuration item and configuration baseline, and deploy to a collection on a recurring basis.

3. Run the SQL query/report to get the members of the local Administrators group.

Note: Should I go with a configuration item or a package? I would strongly suggest you go with a configuration item and make it recurring instead of scheduling it one time. Why should I make it recurring?

The script used in the configuration item creates the WMI instance 'cm_localgroupmembers' and queries the local groups with their members once per script run. This means that if you run the configuration item once, it queries the local groups and members and writes the information into cm_localgroupmembers, but any changes that happen after the compliance item runs won't appear in cm_localgroupmembers. To pick up any addition or deletion of users/groups in local groups, you must schedule it on a recurring basis.

In this post, I will go with the configuration baseline method.

Before we start the steps, download the files required to create the baseline, MOF file, reports etc. from here

Step 1: Copy the MOF file from the download section to your SCCM server, import the MOF file into default client agent settings -> Hardware Inventory on your SCCM server (CAS if you have one, else primary site), and de-select the settings for localgroupmembers in the default client agent settings.

Go to your custom client agent settings and select localgroupmembers to collect the local members information.

If you do not have any custom client agent settings in your environment, you can enable this setting in the default client agent settings.

Monitor dataldr.log for the changes.

With this change, a SQL view is created that can be used for reporting: v_gs_localgroupmembers0. The information stored in SQL views that start with V_GS comes from inventory.

Step 2: In the Configuration Manager console, go to Assets and Compliance, Compliance Settings, right-click Configuration Items, create a new item and type a name and description.

Click Next (leave the default OS settings), Next, and on the Settings page add a new setting with the following information.

Name: WMI Framework for cm_localgroupmembers

Setting Type: Script

Data Type: String

Edit the script, select VBScript and paste the content of the SCCMLocalGroupMembers.vbs file. This is script 2 referred to above. If you want only members of the local admin group, use localadmins.vbs.

Click OK, click Next, and on the Compliance Rules page click New and enter the following information.

Name: cm_localgroupmembers

Selected setting: select the setting that you created above

Rule type: existential

Setting comply rule: This specified script does not return any values

Click OK, then Next, Next to reach the summary page.

Create a new baseline, select the configuration item created above and deploy it to a collection.

Wait for the client to receive the new client device settings and for the configuration baseline to create the WMI instance, followed by client inventory.

On the client machine, after policy retrieval, the assigned configuration baseline is compliant.

The script writes its logging information and output to SCCMLocalGroupMembers.log in the C:\windows\temp folder.

SQL Queries:

Now we have sufficient information about the local users and members of all local groups, stored in the SQL view 'v_gs_localgroupmembers0'.

We can create a variety of SQL queries depending on the requirement.

Query 1: List all clients with members of the local Administrators group:

select sys1.netbios_name0
,lgm.name0 [Name of the local Group]
,lgm.account0 as [Account Contained within the Group]
,lgm.domain0 [Domain for Account]
, lgm.type0 [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid=lgm.resourceid
join v_r_system sys1 on sys1.resourceid=lgm.resourceid
where lgm.name0='Administrators'
order by sys1.netbios_name0, lgm.name0, lgm.account0

Query 2: List members of the local Administrators group on specific client:

select sys1.netbios_name0
,lgm.name0 [Name of the local Group]
,lgm.account0 as [Account Contained within the Group]
, lgm.category0 [Account Type]
, lgm.domain0 [Domain for Account]
, lgm.type0 [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid=lgm.resourceid
join v_r_system sys1 on sys1.resourceid=lgm.resourceid
where lgm.name0='Administrators'
and sys1.Name0='clientname'
order by sys1.netbios_name0, lgm.name0, lgm.account0

Query 3: List all clients with members of the local Administrators group, excluding certain users or groups:

This is helpful when you have applied policies through GPO that define who should be a member of the local Administrators group on all clients, for example Domain Admins or some other AD security groups.

Excluded accounts in this example: 'Domain Admins','wintelMonitoring','WintelAdmins','eskonr'

declare @PC nvarchar (255);set @PC='computername'
select sys1.netbios_name0
,lgm.name0 [Name of the local Group]
,lgm.account0 as [Account Contained within the Group]
,lgm.domain0 [Domain for Account]
, lgm.type0 [Type of Account]
from v_gs_localgroupmembers0 lgm
join v_gs_workstation_status ws on ws.resourceid=lgm.resourceid
join v_r_system sys1 on sys1.resourceid=lgm.resourceid
where lgm.name0='Administrators' -- and sys1.name0=@pc
and lgm.account0 not in ('Domain Admins','wintelMonitoring','WintelAdmins','eskonr')
order by sys1.netbios_name0, lgm.name0, lgm.account0

 

Hope it helps!

SCCM Configmgr SQL WQL query compare 2 or more collections to get the difference

This is a quick post to show how to compare 2 or more collections to find clients that are not members of the other collections. The reason for writing this is that, for server patching, we have been using direct membership rules (I know AD security groups are a good way to automate this, but let's leave that for now) due to multiple business units with different maintenance windows.

There could be multiple scenarios for comparing one collection with another: application deployment, OSD etc.

So I want to check whether the servers that are in Active Directory are part of the patching collections or not. I am writing another blog post on how to manage software updates for workstations or servers effectively, to achieve a good compliance rate, with some nice dashboard reports.

This way, I can find out whether servers in AD that are supposed to be patched monthly are missing from the patching collection. You can also achieve this using a SQL query, which is also listed in this blog post.

So I created a collection based on an Active Directory OU, with collection ID PS100318. Creating a collection with an OU filter is straightforward.

I have another, parent collection that is used for patching: PS100315. This collection includes a lot of individual collections, each with its own maintenance window set for patching.

Now I need to compare the OU-based collection (PS100318) to find out whether any server is not in the patching collection (PS100315).


Collection Query (sub-select query):

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where CollectionID = "PS100318")
and SMS_R_System.ResourceId not in (select ResourceID from SMS_FullCollectionMembership where CollectionID in ('PS100315'))

If you have more than 1 collection to compare, simply add all your collections to the IN condition, i.e. WHERE CollectionID IN ('PS100315','PS100316','PS100317')

You can also use the include/exclude collection mechanism to do the same. Thanks to Nash for pointing this out.

SQL Query:

select fcm.name
from v_FullCollectionMembership fcm
where fcm.CollectionID='PS100318'
and fcm.name not in (select fcm1.name from v_FullCollectionMembership fcm1 where fcm1.CollectionID='PS100315')

You can expand the SQL query further to show OS, hardware inventory, client installed etc.

Hope it helps!

SCCM SSRS The report parameter has a default value or valid value that depends on the report parameter UserSIDs.Forward dependencies are not valid


The other day, I was trying to create my first SCCM Configmgr SSRS report with RBA (role-based administration). This means that data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view information defined for their roles.

The report I was trying to create: get the status of BitLocker for all physical devices (laptops and desktops) in a specific collection. The main difference between normal SQL code and the SQL code you use for RBA reports is that you replace V_ with fn_rbac_ and append (@userSIDs) to the end of the SQL view name. The SQL code I used in this report with RBA is given at the end of the post.

Since the report has a collection prompt, I created a dataset for the collection that also uses fn_rbac and tried to run the report. For some reason, it failed to run with the following error.

Error: "The report parameter 'A' has a default value or valid value that depends on the report parameter 'A'. Forward dependencies are not valid".

The above screen clearly says that the COLLID prompt depends on the report parameter UserSIDs, which is another parameter, hence forward dependencies are not valid. In SSRS, the parameters are always executed in the order in which you define them. All parameters cannot run at the same time.

If you look at the parameters in my SSRS report, they are in the order 1) CollID 2) usertokenIDs and 3) UserIDs.

CollID depends on the UserIDs parameter, and it cannot accept forward dependencies.

I need to change the order in which the parameters execute. In your reporting tool (I use Visual Studio 2012), click on the parameters, select the parameter, use the arrow to change the order of the parameters and run the report.

I had to move the COLLID parameter down to last to fix my issue here.


SQL code to get the status of bitlocker for all physical devices from specific collection:

SELECT distinct SYS.Netbios_Name0 [Name],sys.User_Name0,
OS.Caption0 [OS],MEM.TotalPhysicalMemory0/1024 [Memory (MB)],
CS.Model0,
ev.driveletter0,
case when ev.protectionstatus0=1 then 'Yes' else 'No' end as 'IsDrive Bitlocker',
CONVERT(nvarchar(26), ws.LastHWScan , 100) [Last inventory],
CONVERT(nvarchar(26), sys.Last_Logon_Timestamp0 , 100) [Last Logontimestamp]
FROM fn_rbac_R_System(@UserSIDs) SYS
LEFT JOIN  fn_rbac_GS_X86_PC_MEMORY(@UserSIDs) MEM on SYS.ResourceID = MEM.ResourceID
LEFT JOIN  fn_rbac_GS_COMPUTER_SYSTEM(@UserSIDs) CS on SYS.ResourceID = CS.ResourceID
LEFT JOIN fn_rbac_GS_OPERATING_SYSTEM(@UserSIDs) OS on SYS.ResourceID=OS.ResourceID
--LEFT OUTER JOIN fn_rbac_R_User(@UserSIDs) vUSER ON vUSER.[User_Name0] = SYS.User_Name0
left join fn_rbac_GS_ENCRYPTABLE_VOLUME(@UserSIDs) EV on ev.resourceid=sys.resourceid
left join fn_rbac_GS_WORKSTATION_STATUS(@UserSIDs) ws on sys.ResourceID=ws.ResourceID
left join fn_rbac_FullCollectionMembership(@UserSIDs) fcm on sys.ResourceID=fcm.ResourceID
WHERE
fcm.CollectionID=@COLLID
and cs.Model0 not like '%virtual%'
ORDER BY SYS.Netbios_Name0

If you want to run the above SQL code in SQL Server Management Studio, simply replace @COLLID with the collection ID and add Declare @UserSIDs as varchar(Max) = 'Disabled' at the beginning of the query.

Collection Prompt:

select CollectionID, Name from fn_rbac_Collection(@UserSIDs)
order by Name

SCCM Configmgr Unable to run SSRS reports due to HTTP 500 Internal Server Error

I was setting up a Configuration Manager current branch (1702) lab for testing. While running the Configmgr reports in the IE browser at http://servername/Reports/Pages/Folder.aspx, it failed with HTTP 500 Internal Server Error. SQL Server is installed locally on the Configmgr box.

I have seen this error a couple of times, but I don't remember what the fix was. So, in this blog post, we will troubleshoot the issue by going through the log files and solve it.

Following is the error seen while browsing Configmgr reports:

When you get this error, the first place to look is the reporting point role installation logs, which are located in your Configmgr installation logs folder.

srsrpsetup.log: Records results of the reporting point installation process

srsrp.log: Records information about the activity and status of the reporting services point

From srsrpsetup.log, the reporting services role installed successfully. The next log to look at is srsrp.log, to check the health.

srsrp.log:

System.Web.Services.Protocols.SoapException: The operation you are attempting requires a secure connection (HTTPS). ---> Microsoft.ReportingServices.Diagnostics.Utilities.SecureConnectionRequiredException: The operation you are attempting requires a secure connection (HTTPS).~   at Microsoft.ReportingServices.WebServer.RsSoapExtension.EnsureHttpsLevel(SoapMessage message)~   at Microsoft.ReportingServices.WebServer.RsSoapExtension.ProcessMessage(SoapMessage message)~   at System.Web.Services.Protocols.SoapMessage.RunExtensions(SoapExtension[] extensions, Boolean throwOnException)~   at System.Web.Services.Protocols.SoapServerProtocol.ReadParameters()~   at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()

Failures reported during periodic health check by the SRS Server servername.domainname

The SSRS role was installed successfully, but the health check did not run successfully.

Next, check the Reporting Services Configuration Manager wizard to see whether anything is configured incorrectly, and whether Reporting Services is running (this can be checked from services.msc).

At this stage, all checks passed but the issue still persists.

Until now, we have done the troubleshooting from the Configmgr point of view; from here on, we go a little further and check from the SQL point of view.

Next, look at the SQL Reporting Services log, located in your SQL installation folder. Since I am using SQL Server 2014 on my SCCM server (SQL installed locally), the Reporting Services logs can be found at

C:\Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\LogFiles

Look at the most recently modified file (ReportServerService__07_14_2017_00_05_14) and open the log using cmtrace.exe.

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

I did an internet search for 'This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms' and found this: https://blogs.msdn.microsoft.com/dataaccesstechnologies/2015/07/16/report-manager-system-invalidoperationexception-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms/

Follow the instructions given in the above link and apply the solution.

For me, after applying the changes described above (I did web.config), I got the following error, which led me to change SecureConnectionLevel to 0 in the rsreportserver.config file located in C:\Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\ReportServer (reference: TechNet article here).

Error: The underlying connection was closed: An unexpected error occurred on a send

Solution:

Go back to your reports URL (http://servername/Reports/Pages/Folder.aspx) and run the reports again to see whether it works.

Hope it helps!

SCCM Configmgr Get count of software updates with its severity (Critical,Important,Moderate and Low)

A quick post on how to get the count of updates in your Configuration Manager by severity, categorised as Critical, Important, Moderate and Low.

To get the count of updates by severity, you first need to identify the SQL views that store this information about software updates.

Get the SQL views documentation for all Configmgr versions, from SCCM 2012 to Current Branch 1702, from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

The severity of software updates is stored in v_UpdateInfo. This SQL view stores a lot of other information, such as title, article ID, bulletin ID, date posted and more. Most of the metadata about software updates is stored in this SQL view.

We will use this SQL view to get the count of software updates by severity.

Listed below are the severity values and their descriptions:

Severity=2 -> Low

Severity=6 -> Moderate

Severity=8 -> Important

Severity=10 -> Critical

I am listing 2 SQL queries here for you: 1) without any filters, which gets you what is available in your CM database; 2) with custom filters, a modified version (thanks to Sherry on myitforum).

1.

select CASE(ui.Severity)
When 2 Then 'Low' When 6 Then 'Moderate' When 8 Then 'Important' When 10 Then 'Critical' Else 'NA' End as 'Severity',
ui.Severity ,count(ui.ci_id) [Total Updates]
from v_updateinfo ui
group by ui.severity
order by 3 desc

 


2.

;with cte as (
    select
        CI_ID,
        BulletinID,
        ArticleID,
        Title,
        DatePosted,
        DateRevised,
        isExpired,
        isSuperseded,
        CI_UniqueID,
        -- A custom severity, when set, takes precedence over the vendor severity
        case
            when (ui.severity=0 and ui.CustomSeverity=0) or ui.severity is null then '0 None'
            when ui.CustomSeverity=6 then '6 Moderate'
            when ui.CustomSeverity=8 then '8 Important'
            when ui.CustomSeverity=10 then '10 Critical'
            when ui.CustomSeverity=2 then '2 Low'
            when ui.Severity=2 and ui.CustomSeverity=0 then '2 Low'
            when ui.Severity=6 and ui.CustomSeverity=0 then '6 Moderate'
            when ui.Severity=8 and ui.CustomSeverity=0 then '8 Important'
            when ui.Severity=10 and ui.CustomSeverity=0 then '10 Critical'
        end as 'Severity'
    from v_UpdateInfo ui
    where ui.title not like '%Itanium%'
)
select severity, count(*) [Count]
from cte
group by Severity
order by Severity

You can add more filters to the 2nd query, like superseded!=0 and expired=1 etc.

SCCM Configmgr Software Update Compliance Report for Specific Collection within Specific Time Frame

In this post, I will discuss a requirement that I got recently. The local team/manager wants to run a software update compliance report for their LBU machines (collections) to see whether all the clients in a collection are compliant or not for all the patches with a release date between X date and Y date.

Regardless of whether all the patches that are requested/available in SCCM are deployed or not, the SCCM report should show whether the clients are in good shape for the specific period.

By default, SCCM has a couple of reports for software update compliance, but what if you want to know the compliance status for a specific collection for all updates that exist in SCCM (no software update group here) within a specific period, say Jan 1, 2015 to Dec 31, 2015, or X range to Y range?

How to generate a software update compliance report for a specific collection for all the updates available in SCCM within a specific date range?

To create a report for this requirement, we need a set of SQL views that have information about software updates, collections, client inventory etc.

Below are the SQL views that I used in this report:

v_GS_COMPUTER_SYSTEM

v_CICategories_All

v_CategoryInfo

v_gs_workstation_status

v_fullcollectionmembership

v_UpdateInfo

v_UpdateComplianceStatus

Download the SSRS report from the TechNet Gallery, upload it to your SSRS folder, change the data source and run the report.

When you run the report, it prompts for the collection, Start Date and End Date, as shown below.

The results shown in the report exclude superseded and expired updates (IsExpired=0 and IsSuperseded=0).
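A reduced version of such a query, as an added example (it is not the SQL inside the downloadable report, and it uses only four of the views listed above): per-client installed and missing counts for one collection, limited to updates posted in the date range and excluding expired and superseded updates. The collection ID is a placeholder, and the Status meanings (2 = required, 3 = installed) are stated as assumptions to check against the SQL views documentation.

```sql
-- Added example. Replace the placeholder collection ID and the dates.
DECLARE @CollID    varchar(8) = 'XXX00001';   -- placeholder collection ID
DECLARE @StartDate datetime   = '20150101';
DECLARE @EndDate   datetime   = '20151231';

;WITH inscope AS (
    -- Compliance rows for updates released inside the window, with the same
    -- exclusions as the report (IsExpired=0 and IsSuperseded=0).
    SELECT ucs.ResourceID, ucs.Status
    FROM v_UpdateComplianceStatus ucs
    JOIN v_UpdateInfo ui
      ON ui.CI_ID = ucs.CI_ID
    WHERE ui.IsExpired = 0
      AND ui.IsSuperseded = 0
      AND ui.DatePosted >= @StartDate
      AND ui.DatePosted <  DATEADD(day, 1, @EndDate)  -- include the whole end day
)
SELECT
    fcm.Name AS [Computer],
    SUM(CASE WHEN s.Status = 3 THEN 1 ELSE 0 END) AS [Installed],
    SUM(CASE WHEN s.Status = 2 THEN 1 ELSE 0 END) AS [Missing],
    CASE
        -- No rows at all: the client reported nothing for these updates
        -- (never scanned, or nothing applicable). Do not count it as compliant.
        WHEN COUNT(s.Status) = 0 THEN 'No status rows'
        WHEN SUM(CASE WHEN s.Status = 2 THEN 1 ELSE 0 END) = 0 THEN 'Compliant'
        ELSE 'Non-compliant'
    END AS [Compliance],
    ws.LastHWScan AS [Last HW Scan]
FROM v_FullCollectionMembership fcm
LEFT JOIN inscope s
       ON s.ResourceID = fcm.ResourceID
LEFT JOIN v_GS_WORKSTATION_STATUS ws
       ON ws.ResourceID = fcm.ResourceID
WHERE fcm.CollectionID = @CollID
GROUP BY fcm.Name, ws.LastHWScan
ORDER BY [Missing] DESC, fcm.Name;
```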

The original report is taken from Garth's post http://smsug.ca/blogs/garth_jones/archive/2009/02/25/patch-compliance-progression-report.aspx and modified to include the date prompt and the superseded and expired filters, and to add inventory information such as OS, update scan, IP address and last reboot to the report.

A linked report to see the list of updates for each client will be in the next post.


SCCM Configmgr Report for Boundary group relationships with Fallback Sites

Beginning with Configmgr Version 1702, clients use boundary groups to find a new software update point. You can add individual software update points to different boundary groups to control which servers a client can find.

For more information about boundary groups and their relation to the software update point changes in 1702 and 1706, please refer to the TechNet link https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/boundary-groups, which has a lot more information than I explain here.

A few weeks ago, I was looking at the boundaries and boundary groups configured in my environment along with their fallback information (distribution point and software update point).

I found it hard to locate the boundaries that are configured with fallback distribution points and fallback software update points. In case you want to know the list of boundaries/boundary groups that are configured with fallback options, there is no default report.

I have created an SSRS report that pulls this information from the SQL database into a readable report.

[Screenshots: References, Relationships]

How does the report work?

Download the report from the TechNet Gallery, upload it into the Configmgr SSRS reports folder, change the data source and run the report.

When you run the report, it prompts for a Site Code, since all the boundary groups that you created must have been assigned to a specific Site Code for site assignment. If you have not assigned a boundary group to any specific site code, it will not be listed here.

So choose the Site Code (Primary or Secondary) or select All.

Boundary groups that are assigned to the chosen Site Code will be listed with the following information:

Boundary Group Name, Site System Role, Site Code, Fallback Boundary Group, Fallback Site System, Fallback DP, Fallback SUP.

Configmgr report for count of MS office versions with architecture type 32bit and 64bit


This blog post is version 3 on the same topic (report for MS Office versions) but with different requirements. My previous posts, an SSRS report for the count of MS Office versions and a drill-down report to see client names, have some limitations: they do not give you the bit type (architecture), 32-bit or 64-bit, of the Office installed on the client. They simply get the count of each MS Office edition installed and then drill down to the list of client computers with Office edition, version, OS and hardware scan date.

Both versions of the SSRS report can be found at https://gallery.technet.microsoft.com/office/SCCM-Configmgr-Report-for-2c36f1b9 and https://gallery.technet.microsoft.com/office/SCCM-Configmgr-2012-SSRS-c482cca2

After I posted these 2 reports, blog readers and users on the TechNet gallery and forums asked for the bit type (32-bit or 64-bit) of the Office product installed on the client.

I have a lot of requests/posts in my To-Do list to blog about, but due to time limitations I cannot get to all of them.

So for this requirement, I found a Microsoft article that explains how to identify whether MS Office is 32-bit or 64-bit: https://support.microsoft.com/en-us/help/928516/description-of-product-code-guids-in-2007-office-suites-and-programs. It is based on the product code.

This product code is the one we use to uninstall any software using msiexec /x {productID}

[Screenshot from the support article]

In the product code, the 21st character from the left (substring(productID,21,1)) tells you whether it is 32-bit or 64-bit:

0 for x86

1 for x64

If you read the support article, the product code carries a lot of other information, like release version (RTM, SP1, SP2 etc.) and release type (volume, retail, trial).

This product ID is stored in several SQL views in the CM database, of which we are going to use v_Add_Remove_Programs. For more information about SQL views in SCCM, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

The following Office editions are included in the report. If you have any other Office editions that are not in the list below, please edit the report and append them.

'Microsoft Office Personal 2007'
'Microsoft Office Professional 2007'
'Microsoft Office Professional 2007 Trial'
'Microsoft Office Professional Hybrid 2007'
'Microsoft Office Professional Plus 2007'
'Microsoft Office Professional Plus 2007 (Beta)'
'Microsoft Office Standard 2007'
'Microsoft Office Standard 2007 Trial'
'Microsoft Office Ultimate 2007'
'Microsoft Office Enterprise 2007'
'Microsoft Office 2010'
'Microsoft Office Professional Plus 2010'
'Microsoft Office Standard 2010'
'Microsoft Office Professional 2010'
'Microsoft Office Home and Student 2010'
'Microsoft Office Home and Business 2010'
'Microsoft Office Professional Plus 2010 (Beta)'
'Microsoft Office Starter 2010 - English'
'Microsoft Office 2013'
'Microsoft Office Professional Plus 2013'
'Microsoft Office Standard 2013'
'Microsoft Office Professional 2013'
'Microsoft Office Home and Student 2013'
'Microsoft Office Home and Business 2013'
'Microsoft Office Professional Plus 2013 (Beta)'
'Microsoft Office Starter 2013 - English'
'Microsoft Office 2016'
'Microsoft Office Professional Plus 2016'
'Microsoft Office Standard 2016'
'Microsoft Office Professional 2016'
'Microsoft Office Home and Student 2016'
'Microsoft Office Home and Business 2016'
'Microsoft Office Professional Plus 2016 (Beta)'
'Microsoft Office Starter 2016 - English'
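The product-code check described above can be sketched in T-SQL as follows. This is an added example, not the query inside the downloadable report: the table variable holds constructed sample rows standing in for v_Add_Remove_Programs, and the column names ResourceID, DisplayName0 and ProdID0 are assumed to match that view. It also filters out entries whose ProdID0 is not an MSI product code, so a machine is not counted twice.

```sql
-- Added example. Constructed sample rows; in the ConfigMgr database, drop the
-- table variable and select from v_Add_Remove_Programs instead.
DECLARE @arp TABLE (ResourceID int, DisplayName0 nvarchar(255), ProdID0 nvarchar(255));

INSERT INTO @arp (ResourceID, DisplayName0, ProdID0) VALUES
 (1001, N'Microsoft Office Professional Plus 2010', N'{90140000-0011-0000-0000-0000000FF1CE}'),
 (1002, N'Microsoft Office Professional Plus 2010', N'{90140000-0011-0000-1000-0000000FF1CE}'),
 (1003, N'Microsoft Office Professional Plus 2013', N'{90150000-0011-0000-1000-0000000FF1CE}'),
 (1004, N'Microsoft Office Professional Plus 2016', N'{90160000-0011-0000-0000-0000000FF1CE}'),
 -- Same machine, second Add/Remove Programs entry that is not a GUID (constructed):
 (1004, N'Microsoft Office Professional Plus 2016', N'Office16.PROPLUS');

;WITH office AS (
    SELECT  arp.ResourceID,
            arp.DisplayName0,
            -- ProdID0 includes the opening brace, so position 21 is the first
            -- character of the fourth GUID group: 0 = x86, 1 = x64.
            CASE SUBSTRING(arp.ProdID0, 21, 1)
                 WHEN '0' THEN '32-bit'
                 WHEN '1' THEN '64-bit'
                 ELSE 'Unknown'
            END AS Architecture
    FROM    @arp AS arp
    WHERE   arp.DisplayName0 IN (N'Microsoft Office Professional Plus 2010',
                                 N'Microsoft Office Professional Plus 2013',
                                 N'Microsoft Office Professional Plus 2016')
            -- Keep only rows shaped like {8-4-4-4-12}; anything else has no
            -- architecture character to read.
      AND   arp.ProdID0 LIKE '{________-____-____-____-____________}'
)
SELECT  DisplayName0               AS [Office Edition],
        Architecture,
        COUNT(DISTINCT ResourceID) AS [Total]
FROM    office
GROUP BY DisplayName0, Architecture
ORDER BY DisplayName0, Architecture;
```

Extend the IN list with the remaining editions from the list above before using it against the real view.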

As usual, download the SSRS report (.rdl) files from the TechNet gallery, upload them to your reporting folder in SCCM reports, change the data source and run the report.

[Screenshots: Output, Linked report]

This report supports RBA (role based administration) functionality.

Note that the 2nd report (drill-down report) cannot be run on its own. To run it, you must run the 1st report, which is the count of Office versions, and drill down to the 2nd report.

SQL code and parameter values for the dataset (RBA): the following is for your information only, and no input is required from you to run this report.

DataSetAdminID: select dbo.fn_rbac_GetAdminIDsfromUserSIDs(@UserTokenSIDs) as UserSIDs

Parameter for UserTokenSIDs: General—>Parameter visibility—>Internal, default values—>specify values—>=SrsResources.UserIdentity.GetUserSIDs(User!UserID)
Parameter for UserSIDs:General—>Parameter visibility—>Internal, default values—>Get values from a query and choose DatasetAdminID

You can always edit the RDL files and customize them.

Happy reporting!

Configmgr How use compliance settings to check windows update agent version (WUA) is older ,Collection and SQL query


Using compliance settings in Configmgr, you can do many tasks as part of compliance. In the last couple of blog posts, we used compliance settings to identify WU settings, automatic update, trusted publisher settings etc. http://eskonr.com/2017/10/configmgr-how-to-use-compliance-settings-to-check-the-windows-update-policy-settings-like-wuserver-usewuservernoautoupdate-on-clients/

In this blog post, we will see how to use compliance settings to check whether the Windows Update Agent version is an older one or the latest one as per https://support.microsoft.com/en-us/help/949104/how-to-update-the-windows-update-agent-to-the-latest-version.

The Windows Update Agent runs on each client computer and checks for availability of updates. If you are using Configmgr, when the software update scan cycle runs, a scan request is passed to the Windows Update Agent (WUA). The WUA then connects to the WSUS server location that is listed in the local policy (this policy is created at the time of Configmgr client installation), retrieves the software updates metadata (update catalog) that has been synchronized on the WSUS server, and scans the client computer for the updates. To read further on software updates, see https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction

Daniel (PotentEngineer) has documented all the versions of Windows Update Agent at http://www.potentengineer.com/windows-update-agent-build-numbers-for-windows-7/

There are a lot of cases of Windows Update issues that happened due to an old version of the Windows Update Agent, hence you need to focus on bringing the Windows Update Agent to the latest supported version.

I will not go into detail (step by step) about how to create a Configuration Item and Configuration Baseline. Instead, I will guide you through the settings that you need to configure for the Windows Update Agent.

Though the configuration used in the setting and rule of the compliance setting is very simple, I would like to have it in this blog post along with the SQL query and WQL collection to identify how many clients in your organisation are running an older version.

1. Define the compliance setting for the applicable OS (Windows Update Agent varies from OS to OS). This blog post focuses on Windows 7.

Once you deploy the configuration baseline to a collection, clients will perform the CI evaluation and send the results to Configmgr, which will help you to create a collection from the baseline results and deploy the latest Windows Update Agent.

Compliance Item:

New setting: [screenshot]

New Rule: replace the value with the Windows Update Agent version that you are looking for. [screenshot]

Note: The above WUA version is only for Windows 7, hence you need to configure the OS while creating the CI or deploy this only to a Windows 7 collection.

If you want to create the rule for multiple OS versions to check the WUA version, you can try something like below (it is untested at the time of writing the blog post).

Make sure you add the latest version of the Windows Update Agent to the "one of" list. [screenshot]

2. WQL Query for collection:

Ronni has a nice post on this, please follow it: https://www.ronnipedersen.com/2015/06/04/updating-the-windows-update-agent-on-windows-7-clients/

3. SQL Query:

The Windows Update Agent version is stored in the v_GS_WINDOWSUPDATEAGENTVERSION SQL view.

We will use this SQL view to find the count of clients per version.

select a.version0 as 'WUA Version', count(*) as 'Total'
from v_GS_WINDOWSUPDATEAGENTVERSION as a
group by a.version0
order by 2 desc

More information: http://eskonr.com/2010/02/sccm-collection-for-windows-update-agent/

Using this, you can create a nice SSRS report. You can also create a drill-down report to find which machines are running lower versions, with computer name, user name etc.

The list of SCCM Configmgr SQL views documentation is available on TechNet: https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b
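A drill-down query needs to decide whether a client's WUA version is lower than a required version, and comparing the version strings directly sorts them as text. The following added example (not part of the original post) compares them numerically with PARSENAME. The table variables hold constructed rows standing in for v_R_System and v_GS_WINDOWSUPDATEAGENTVERSION, the ResourceID and Name0 columns are assumed, and the threshold is a sample value.

```sql
-- Added example. Constructed sample data; in the ConfigMgr database, replace
-- @sys with v_R_System and @wua with v_GS_WINDOWSUPDATEAGENTVERSION.
DECLARE @MinVersion nvarchar(32) = N'7.6.7601.19161';  -- sample threshold, set your own

DECLARE @sys TABLE (ResourceID int, Name0 nvarchar(64));
DECLARE @wua TABLE (ResourceID int, Version0 nvarchar(32));

INSERT INTO @sys VALUES (1, N'PC-001'), (2, N'PC-002'), (3, N'PC-003'),
                        (4, N'PC-004'), (5, N'PC-005');
INSERT INTO @wua VALUES (1, N'7.6.7600.320'),    -- older
                        (2, N'7.6.7601.9999'),   -- older, but sorts higher as text
                        (3, N'7.6.7601.19161'),  -- equal to threshold
                        (4, N'10.0.14393.0');    -- newer, but sorts lower as text
                        -- PC-005 has no WUA inventory row

-- Pack the four dotted parts into one bigint (each part assumed < 65536).
DECLARE @MinKey bigint =
      ((TRY_CAST(PARSENAME(@MinVersion, 4) AS bigint) * 65536
      +  TRY_CAST(PARSENAME(@MinVersion, 3) AS bigint)) * 65536
      +  TRY_CAST(PARSENAME(@MinVersion, 2) AS bigint)) * 65536
      +  TRY_CAST(PARSENAME(@MinVersion, 1) AS bigint);

SELECT  s.Name0     AS [Computer Name],
        w.Version0  AS [WUA Version],
        CASE
            -- NULL when there is no row, not exactly four parts, or a
            -- non-numeric part.
            WHEN k.VersionKey IS NULL   THEN 'No inventory / unparsable'
            WHEN k.VersionKey < @MinKey THEN 'Older than required'
            ELSE 'OK'
        END         AS [Status]
FROM    @sys AS s
LEFT JOIN @wua AS w ON w.ResourceID = s.ResourceID
CROSS APPLY (
    SELECT ((TRY_CAST(PARSENAME(w.Version0, 4) AS bigint) * 65536
           +  TRY_CAST(PARSENAME(w.Version0, 3) AS bigint)) * 65536
           +  TRY_CAST(PARSENAME(w.Version0, 2) AS bigint)) * 65536
           +  TRY_CAST(PARSENAME(w.Version0, 1) AS bigint) AS VersionKey
) AS k
ORDER BY k.VersionKey, s.Name0;
```

TRY_CAST requires SQL Server 2012 or later.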

Configmgr Report list empty collections with no query rules defined (collection clean-up)


I was looking at the console the other day and found that there were many collections created in the root folder (device collections) with a count of 0. So I looked at the collection properties and found them empty (no direct or query-based rule).

So I decided to write a SQL query to identify the list of collections that have empty results with no rules (direct or query-based) defined in them.

For this query, I have used 2 SQL views (v_Collection and v_CollectionRuleQuery).

For the full list of SQL views that exist in SCCM Configmgr, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b .

Following is the SQL code to identify empty collections with no query rule defined. As part of maintenance tasks, you can delete these collections to simplify the list of collections displayed when deploying objects, unless there is a reason for them to be in the console.

You can use the following code to create an SSRS report as well.

select coll.CollectionID,coll.Name,
case when coll.CollectionType='1' then 'User' else 'Device' end as 'Collection Type'
from v_Collection coll
where coll.collectionid not in (select CRQ.collectionid from v_CollectionRuleQuery CRQ)
and coll.MemberCount=0
group by coll.CollectionID,coll.Name,coll.CollectionType

Configuration Manager Technical Preview 1708 has the ability to identify applications without deployments and empty collections as part of Management Insights. For more information, please read https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1708#management-insights

Hope it helps!

SCCM Report for Missing Boundaries and Troubleshooting


Introduction:

Boundaries for SCCM define network locations on your intranet that can contain devices that you want to manage. Boundary groups are logical groups of boundaries that you configure.

A few days ago, Jason Sandys blogged about boundary group caching and missing boundaries. For more details, read through https://home.configmgrftw.com/boundary-group-caching-and-missing-boundaries-in-configmgr .

This is one of the highly needed solutions that everyone must implement in their environment to evaluate the accuracy of the boundaries/boundary groups defined. Boundaries play a major role in site assignment and content download. If you do not define the boundaries correctly, clients will not function as expected, and it takes up a lot of your time to troubleshoot and identify that the cause is missing boundaries, and it is a recurring issue.

Jason has covered most of the parts about missing boundaries, boundary group caching, the WMI location and a basic SQL query. In this blog post, I am going to show you how to get the list of client devices that are missing from the boundaries/boundary groups using an SSRS report, and how to troubleshoot these devices. Sometimes you may see something like 'waiting for content download forever' in Software Center, and this is because boundaries/boundary groups are missing.

This blog post will help you to identify such client devices with their basic inventory information like OS, hardware inventory, software update scan, IP address, last reboot etc.

You can also achieve this with other methods such as a Compliance Item/baseline, but the HINV method will give you more information and better reporting.

How to create/upload the report?

Before you download the report, please make the necessary changes as per the guidelines from Jason Sandys' post.

Following are quick points to implement the changes:

1. Open the SCCM console, go to Client Settings, edit Default Client Settings, Hardware Inventory, Set Classes, Add, choose the WMI namespace and add it. Once the boundary group cache class is added, uncheck it in the default settings and click OK.

2. Go to your custom client agent settings (if you have any, else you can make these changes in the default client settings), Hardware Inventory, Set Classes, and choose the class name that we added in the default client agent settings.

3. Monitor dataldr.log to see whether these changes are processed and the view is created in the SQL database (v_GS_BOUNDARYGROUPCACHE).

Once you are done with the above steps, download the SSRS report from the TechNet Gallery, upload it to your SCCM reports, change the data source and run it.

The report will display the following information. This report is created with the filter Client0='1', as I do not want to display devices that do not have the SCCM client.

Note: As of CB 1610, all clients that do not fall within the scope of a defined boundary group will be associated with the Default Boundary Group. This is not reflected in the BoundaryGroupCache class. Essentially, if the instance of the BoundaryGroupCache class contains no BoundaryGroupIDs, then the client is considered within the scope of the Default Boundary Group.


How to troubleshoot the missing boundaries that are displayed in the report:

1. In the report, we see one device with its IP address. So we can go back to the SCCM console and look under Boundaries to check whether this IP address is part of the specified boundaries or not (it is ALWAYS recommended to go with IP address ranges while defining boundaries unless you have a specific reason not to).

2. Make sure the client device has sent the inventory report successfully after you made the changes in HINV and they were deployed to the collection.

3. If the IP address is defined in boundaries, check for the boundary group. If it is not in one, add it to a boundary group with a site system role.

4. If the IP address is part of the boundaries and a boundary group, what else can cause the client device to appear in this report?

5. If boundaries and boundary groups are added correctly, the MP must have returned the list of distribution points that are configured in the boundary groups for the client to pick for content download.

6. If all the above points look OK, I would suggest taking a look at the client device logs (clientlocation.log, locationservices.log and ContentTransferManager.log), which will help you to identify the DP details.

Happy troubleshooting!

SCCM Configmgr Technical Preview 1802 available


On this Valentine's Day (Feb 14, 2018), Microsoft released the Feb 2018 Technical Preview version 1802 for Configuration Manager, with a larger number of features (21) than any release before. These monthly tech previews are generally released on Fridays, but this time it shipped a few days earlier.

You can install this version to update and add new capabilities to your SCCM technical preview site. To use the technical preview version, you must first install a baseline version of the technical preview build, i.e. Technical Preview 1711. After installing a baseline version, you then use in-console updates to bring your installation up to date with the most recent preview version. Typically, new versions of the Technical Preview are available each month.

If you plan to build a new lab, the preview baseline version 1711 is available for download from the TechNet Evaluation Center.

The following are new features you can try out with this Tech Preview 1802 version (21 features/updates):

  1. Transition Endpoint Protection workload to Intune using co-management
  2. Configure Windows Delivery Optimization to use Configuration Manager boundary groups
  3. Windows 10 in-place upgrade task sequence via cloud management gateway
  4. Improvements to Windows 10 in-place upgrade task sequence
  5. Improvements to PXE-enabled distribution points
  6. Deployment templates for task sequences
  7. Product lifecycle dashboard
  8. Improvements to reporting
  9. Improvements to Software Center
  10. Improvements to Run Scripts
  11. Boundary group fallback for management points
  12. Improved support for CNG certificates
  13. Cloud management gateway support for Azure Resource Manager
  14. Approve application requests for users per device
  15. Use Software Center to browse and install user-available applications on Azure AD-joined devices
  16. Report on Windows AutoPilot device information
  17. Improvements to Configuration Manager Policies for Windows Device Exploit Guard
  18. Microsoft Edge browser policies
  19. Report for default browser counts
  20. Support for Windows 10 ARM64 devices
  21. Changes to Phased Deployments

To know more about these features, please read through https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1802

To install this tech preview, log in to your console, go to Administration, Updates and Servicing, click Check for Updates (make sure you have an internet connection) and wait for a while to see the entry in the console.

Right-click the update and choose Download.

Downloading of the update can be monitored using the log file dmpdownloader.log.

Right-click the downloaded update and click Install.

Click Next, Next, Next.

Once the installation is done, go to the Monitoring section to check the installation status. You can also monitor cmupdate.log and ConfigMgrSetup.log.

Features explored (screenshots):

Boundary group fallback for management points

Hide Installed Applications in Software Center

Report for default browser counts

Happy exploring!

Using SCCM how to check if the user mailbox is migrated to exchange online (cloud) from on-prem exchange


Introduction:

We are in the process of migrating users (mailboxes) from on-prem to Office 365 (cloud). As part of this project, one of the requirements is to deploy the Office 365 ProPlus (C2R) application to all users, replacing the old version of Microsoft Office. We use the PowerShell App Deployment Toolkit, which simplifies the complex scripting challenges of deploying applications in the enterprise, provides a consistent deployment experience and improves installation success rates.

Once users have got Office 365 ProPlus and other Office 365 components like Microsoft Teams, Yammer, OneDrive etc., there is a final task to migrate the user mailbox to the cloud. Mailbox migration can come first, in the middle or last; there is no sequence, as it is an independent task.

Deployment of Office ProPlus and the other components is done by SCCM, hence we can create some nice dashboards/reports to monitor the progress of the deployments, but we are missing the status of the mailbox migration, which happens from the on-prem Exchange server to Exchange Online (EOL).

How do we get the status of mailbox migration from on-prem to Exchange Online using SCCM?

I am not an Exchange guy, hence I may not be able to provide much information about the theory behind this. If you have any questions around Exchange Online or mailbox migration, you can reach out to the TechNet forums or contact Microsoft support.

When the mailbox is moved (sync and cutover) from on-prem to Exchange Online, there are a couple of attributes that are set in Active Directory. Some of them are listed below.

msExchVersion
msExchRecipientDisplayType
msExchRecipientTypeDetails
msExchRemoteRecipientType
targetAddress

By default, when the user mailbox is on-prem, the targetAddress attribute is empty (it does not contain any value). Once the user mailbox is moved to the cloud, this attribute is set to username@yourtenantname.mail.onmicrosoft.com

For example, the user email address is Demo1@eskor.com and after the migration, targetAddress is set to Demo1@koneti.mail.onmicrosoft.com (where koneti is my tenant name).

Once this attribute is stamped with the cloud email, we can use SCCM to discover this attribute using AD user discovery and put that info in an SSRS report.

A quick way to view an object's Active Directory targetAddress attribute is through the Active Directory Users and Computers panel. In AD Users and Computers, ensure that Advanced Features has been enabled under the View menu.

Go to the OU, locate the object that you are looking for, right-click on user properties, choose Attribute Editor and locate targetAddress.

How do we discover this attribute into SCCM?

Go to your SCCM console, Administration, Hierarchy Configuration, Discovery Methods and choose Active Directory User Discovery.

From the available attributes, choose targetAddress, click Add and click OK.

Once this is done, you will need to wait for the user discovery to happen (delta discovery), or you can force the discovery cycle by right-clicking on the discovery method.

After the discovery runs, you will have targetaddress0 in the v_r_user SQL view to create nice SSRS reports.
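The check described above can be written as a query on targetaddress0. This is an added example, not the query from the author's report: the table variable holds constructed rows standing in for v_R_User (two of them built from the Demo1 example above), and the User_Name0 and Mail0 column names are assumptions.

```sql
-- Added example. Constructed sample rows; in the ConfigMgr database, replace
-- @usr with v_R_User once targetAddress has been added to AD user discovery.
DECLARE @usr TABLE (User_Name0 nvarchar(64), Mail0 nvarchar(128), targetAddress0 nvarchar(256));

INSERT INTO @usr VALUES
 (N'Demo1', N'Demo1@eskor.com', N'Demo1@koneti.mail.onmicrosoft.com'),
 -- The directory may store the value with an SMTP: prefix (constructed row):
 (N'Demo2', N'Demo2@eskor.com', N'SMTP:Demo2@koneti.mail.onmicrosoft.com'),
 (N'Demo3', N'Demo3@eskor.com', NULL),                          -- still on-prem
 (N'Demo4', N'Demo4@eskor.com', N''),                           -- still on-prem
 (N'Demo5', N'Demo5@eskor.com', N'SMTP:demo5@partner.example'); -- some other target

;WITH classified AS (
    SELECT  u.User_Name0,
            u.Mail0,
            u.targetAddress0,
            CASE
                WHEN u.targetAddress0 IS NULL OR LTRIM(RTRIM(u.targetAddress0)) = N''
                     THEN 'On-prem'
                -- Matches with or without the SMTP: prefix.
                WHEN u.targetAddress0 LIKE N'%@%.mail.onmicrosoft.com'
                     THEN 'Exchange Online'
                -- Populated but not pointing at the tenant routing domain.
                ELSE 'Other target (review)'
            END AS MailboxLocation
    FROM    @usr AS u
)
SELECT  MailboxLocation                                      AS [Mailbox Location],
        COUNT(*)                                             AS [Users],
        CAST(100.0 * COUNT(*) / SUM(COUNT(*)) OVER ()
             AS decimal(5,1))                                AS [Percent]
FROM    classified
GROUP BY MailboxLocation
ORDER BY [Users] DESC;
```

Selecting from the classified CTE without the GROUP BY gives the per-user drill-down list.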

A couple of SQL views that I used to create the SSRS report with Office 365 ProPlus installation, user mail, user name, cloud information and user group are listed below.

v_r_user

v_GS_OFFICE365PROPLUSCONFIGURATIONS

v_RA_User_UserGroupName

v_R_System

And finally the SSRS report: [screenshot]

Hope it helps!


SQL query to get client count with status active obsolete missing for collections in tabular column


A quick blog post on how to get the client count with active, obsolete and missing status for collections in a nice tabular layout.

I used 3 SQL views in this query, v_R_System, v_FullCollectionMembership_Valid and v_Collection, with SUM and CASE statements.

You can use this SQL code to create a report with a collection prompt and also to create linked reports.

select coll.Name [Collection Name],fcm.CollectionID,count(sys.name0) [Total clients],
SUM (CASE WHEN sys.Active0 = 1 THEN 1 ELSE 0 END) AS 'Active Clients',
SUM (CASE WHEN sys.Obsolete0 = 1 THEN 1 ELSE 0 END) AS 'Obsolete Clients',
SUM(CASE WHEN sys.Client0 is NULL THEN 1 ELSE 0 END) AS 'Client Missing'
from v_r_system sys
inner join v_FullCollectionMembership_Valid fcm on fcm.ResourceID=sys.ResourceID
inner join v_Collection coll on coll.CollectionID=fcm.CollectionID
where fcm.CollectionID in ('PS1000DE','PS1000DF')
Group by fcm.CollectionID,coll.Name

[Screenshot: SQL output]

For more information about the SCCM client health dashboard, refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-SSRS-2863c240

SCCM Configmgr CB 1802 SQL Views documentation


With the release of SCCM Configmgr current branch 1802, there are some exciting features added since the previous version, 1710. When new features are released, there are certainly changes to the database, hence new SQL views/tables that help us create some nice SSRS reports.

So with current branch version 1802, what's new in SQL for reporting?

There are about 1586 unique SQL views with lots of information that you can retrieve from the SQL database to help you analyze the data.

Out of these SQL views, about 19 are newly added since the previous Configmgr version 1710 and are listed below. There could be some SQL views that are common to the new and old versions but have new data fields added; these are not listed here.

You might have already seen some of the newly added SQL views listed below in Configmgr Technical Preview releases; they are now in the production release.

v_Default_Browser
v_GS_DEFAULT_BROWSER
v_GS_MDM_DEVDETAIL_EXT01
v_HS_DEFAULT_BROWSER
v_HS_MDM_DEVDETAIL_EXT01
v_LifecycleDetectedGroups
v_LifecycleDetectedProducts
v_LU_LifecycleProductGroups
v_LU_LifecycleProductHashes
vex_AI_LifecycleProductGroups
vex_AI_LifecycleProductHashes
vex_GS_DEFAULT_BROWSER
vex_GS_MDM_DEVDETAIL_EXT01
vSMS_Ao_ServerPrereqMonitoring
vSMS_AoSiteServerMonitoring
vSMS_ManagementInsightResultsList
vSMS_ManagementInsightRuleGroup
vSMS_PhasedDeployment
vSMS_ScriptsExecutionSummary

As usual, you can download the SQL views documentation, covering ConfigMgr 2012 to Configmgr Current Branch 1802, from TechNet.

Happy reporting!

Configmgr SSRS failed to upload RDL with error code :definition of this report is not valid or supported by this version of reporting services


When you try to upload an RDL (Report Definition Language) file into your SSRS reports, you may hit the following error: “The definition of this report is not valid or supported by this version of Reporting Services. The report definition may have been created with a later version of Reporting Services, or contain content that is not well-formed or not valid based on Reporting Services schemas. Details: The report definition has an invalid target namespace 'http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition' which cannot be upgraded. (rsInvalidReportDefinition) Get Online Help”

Why does this error occur?

If the RDL file was created using a version of the reporting tool (in this case 2016) that is higher than your installed SQL Reporting Services (<2016), then you will have this issue.

In my case, I am running SQL Server 2014 with Reporting Services installed on my SCCM server and trying to upload an SCCM report that was created on version 2016.

How do we make this report work on an older version of Reporting Services? You need to make 2 changes to the RDL file to get it working.

1. Open the RDL file using Notepad or another editing tool. At the beginning of the file you will find the report definition namespace quoted in the error above. Change the version in it from 2016 to 2010.

2. Search for "ReportParametersLayout" in the file and remove the whole block (this block is created by the 2016 version of Visual Studio), then save the report.

Now try to upload the RDL file into Reporting Services, change the data source and run the report.

Conclusion:

Change the SQL version in the RDL file and remove the ReportParametersLayout block to get the report working.

How to install Data warehouse service point in SCCM Configmgr and get the historical data


Introduction:

The customer is running SCCM Configmgr current branch 1806 and has configured site maintenance tasks to delete aged data older than X number of days. When you configure the site maintenance task, the data that is older than X number of days gets deleted from the site database, which is expected.

So the customer asked whether there is a way to know which clients get deleted by the site maintenance task, manually, or in other ways. Basically, for whatever gets deleted from the site database, including devices, inventory etc., the customer wanted to have a record at a later stage.

In versions of Configmgr prior to 1702, there is no straightforward way to do this unless you set up other solutions, like bringing the AD computer objects into SCCM and querying them, but that doesn't give you the inventory info of the deleted devices, only which computers got deleted.

With 1702, a pre-release feature called Data warehouse service point was introduced. Beginning with version 1706, this feature is no longer a pre-release feature.

The Data warehouse service point is used to store and report on long-term historical data for your SCCM Configmgr deployment.

The Data warehouse service point is not enabled by default when you upgrade your Configmgr build to 1706 or later versions, and must be manually configured.

Data warehouse dataflow (captured from the TechNet article): [screenshot]

For more information about the Data warehouse service point, please read the TechNet document https://docs.microsoft.com/en-us/sccm/core/servers/manage/data-warehouse

In this blog post, we will see how to install the Data warehouse service point and query the data that has been deleted from the CAS/primary site database but still exists in the data warehouse, for reporting and tracking purposes.

Prerequisites for Data warehouse server (CM01-DW):

1. Create a Windows Server 2012 R2 or higher server, fully patched (CM01-DW).
2. Join CM01-DW to the domain.
3. Add the computer account of the primary site server (CM01), or of the CAS if you have one, from which you are installing the data warehouse role, as a local admin on the server (CM01-DW).

Note: The data warehouse site system role is supported only at the top-tier site of your hierarchy. (A central administration site or stand-alone primary site)

4. The computer where you install the site system (data warehouse) role requires .NET Framework 4.5.2 or later. Since I am running Server 2012 R2, I don't need to install it, as it is built in and enabled.

5. The data warehouse database requires SQL Server 2012 or later. The edition can be Standard, Enterprise, or Datacenter. I installed SQL Server 2014 SP1 on the CM01-DW server with default options. The SQL collation must be SQL_Latin1_General_CP1_CI_AS (it is the default as part of the installation).

While installing SQL Server, choose Database Engine, Reporting Services and Management Tools (for SQL Studio) in the features. Choose the default instance.

As part of the SQL components installation, you might hit an error with the .NET Framework 3.5 features, which you can enable from Server Manager, Add Roles and Features. This requires mapping the server OS sxs files.

SQL Server installation summary: [screenshot]

The following SQL Server configurations are supported to host the warehouse database:

  • A default instance
  • Named instance
  • SQL Server Always On availability group
  • SQL Server failover cluster

6. The computer account of the computer where you install the site system role (CM01-DW) is used to synchronize data with the data warehouse database. This account requires the following permissions:

  • Administrator on the computer that hosts the data warehouse database. 
  • DB_Creator permission on the data warehouse database. 
  • Either DB_owner or DB_reader with execute permissions to the top-tier site's site database.

As part of this prerequisite, I pre-created the DW database on my remote SQL Server (CM_PS1_DW) and granted the permissions mentioned in point 6.

7. SQL Server port 1433 is used by the data warehouse synchronization service to connect to the data warehouse database. By default, SQL Server port 1433 is used for communication.

How to Install the data warehouse service point from CAS or Primary Site:

From the CAS server or primary site (in my case, I don't have a CAS), click on Servers and Site System Roles to install the new role. Choose Create Site System Server.


Enter the remote server name to host the data warehouse database.

Also make sure the primary site server computer account (CM01) is added to the local admin group on the remote server (CM01-DW), as we use the site server's computer account to install the site system.


Click Next with the default options, since this role doesn't need to connect to the internet for syncing.


Choose Data warehouse service point and click Next.


Key in the fields as shown below.

SQL Server: the remote server on which we installed SQL Server 2014, CM01-DW.apac.eskonr.com

SQL Server instance: I installed SQL Server on CM01-DW as the default instance, hence I leave it blank.

Database name: leave the default name, CM_PS1_DW

Data warehouse service point account: this is used to connect to the data warehouse database and must have read access to the database CM_PS1_DW.

This account is used to run the reports against data warehouse database and is configured in the data source properties which you can verify later.


Accept the default sync schedule, or customize it as required. This schedule syncs the data from the primary site to the data warehouse database.


Review the summary page.

Log in to the remote server (CM01-DW) to check the logs:

  • DWSSMSI.log and DWSSSetup.log - Use these logs to investigate errors when installing the data warehouse service point.
  • Microsoft.ConfigMgrDataWarehouse.log - Use this log to investigate data synchronization between the site database and the data warehouse database.

With this, we have completed the installation of the data warehouse service point on the remote computer.

If you hit any issues with database connectivity, make sure the computer accounts have been added with the right permissions on the CM_PS1_DW database.

Now we will check whether the data from the primary site (CM01) has synced to the data warehouse (CM01-DW) database.

Open SQL Server Management Studio and run select * From system_disc (if you are doing it in prod, then try select top 10 * from system_disc).
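One way to check the permissions from point 6 and the read access of the reporting account, as an added example that is not from the original post: run this on the SQL instance that hosts CM_PS1_DW. The DOMAIN prefix in the account names is a placeholder (an assumption); the catalog views are standard SQL Server.

```sql
-- Added example: list the roles held by the data warehouse accounts.
-- DOMAIN is a placeholder (assumption); replace it with your NetBIOS domain name.
USE CM_PS1_DW;
GO

DECLARE @accounts TABLE (account_name sysname PRIMARY KEY);
INSERT INTO @accounts (account_name)
VALUES (N'DOMAIN\CM01-DW$'),  -- computer account of the data warehouse server
       (N'DOMAIN\CM_SR');     -- account that runs the reports

-- Database roles in CM_PS1_DW. Matching on SID rather than name also finds
-- database users whose name differs from the login name.
SELECT a.account_name,
       u.name AS database_user,
       r.name AS database_role
FROM @accounts AS a
LEFT JOIN sys.database_principals AS u
       ON u.sid = SUSER_SID(a.account_name)
LEFT JOIN sys.database_role_members AS m
       ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = m.role_principal_id
ORDER BY a.account_name, r.name;

-- Server roles (dbcreator, sysadmin, ...) held on this instance.
SELECT a.account_name,
       l.name AS server_login,
       r.name AS server_role
FROM @accounts AS a
LEFT JOIN sys.server_principals AS l
       ON l.sid = SUSER_SID(a.account_name)
LEFT JOIN sys.server_role_members AS m
       ON m.member_principal_id = l.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = m.role_principal_id
ORDER BY a.account_name, r.name;
```

A NULL in the role column means the account has no direct membership; access granted through a Windows group does not show up in this output.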

In the system_disc table there is one attribute (Operationtype_DW) that indicates whether the system has been deleted from the primary site.

Operationtype_DW contains the following values:

I: New record

U: Updated record

D: Deleted record

Once you know this, you can easily create SQL reports that filter on this attribute with Operationtype_DW = D and let the customer decide what they want to do.

With the data warehouse, we also get some default reports, which are available in the primary site. These reports run against the data warehouse database: their data source points to the CM01-DW SQL Server.

Data warehouse reports can be found in the SCCM console under the Reporting node, or through the SSRS web URL of the primary site.

There are about 7 main reports and 7 linked reports (_).

The data warehouse site system role includes the following reports, which have a Category of Data Warehouse:

  • Application Deployment - Historical: View details for application deployment for a specific application and machine.
  • Endpoint Protection and Software Update Compliance - Historical: View computers that are missing software updates.
  • General Hardware Inventory - Historical: View all hardware inventory for a specific machine.
  • General Software Inventory - Historical: View all software inventory for a specific machine.
  • Infrastructure Health Overview - Historical: Displays an overview of the health of your Configuration Manager infrastructure
  • List of Malware Detected - Historical: View malware that has been detected in the organization.
  • Software Distribution Summary - Historical: A summary of software distribution for a specific advertisement and machine.

[Screenshot: data warehouse reports viewed through the SSRS report URL of the primary site]

A default data source is created with the name {39B693BB-524B-47DF-9FDB-9000C3118E82}. It holds the connection string and is configured with the account CM_SR to run the reports.

This CM_SR account is the one used while installing the role.

Connection string: Persist Security Info=False;Initial Catalog=CM_PS1_DW;Data Source=CM01-DW.apac.eskonr.com;Encrypt=true;TrustServerCertificate=false

I tried to run one of the data warehouse reports but got the following error, which is a known issue:

A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)

To fix this error, follow the guides at https://www.ronnipedersen.com/2018/01/15/sccm-unable-to-run-data-warehouse-reports-from-remote-sql/ and https://docs.microsoft.com/en-us/sccm/core/servers/manage/data-warehouse

Hope this guide helps you to install and create custom reports.

In the next blog post, we will see which objects/information get stored in the data warehouse.
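Once the certificate is trusted and reports run again, the following added query (not from the original post) checks on CM01-DW that sessions against CM_PS1_DW are encrypted, as the Encrypt=true setting in the connection string requires. It uses only standard dynamic management views and needs the VIEW SERVER STATE permission.

```sql
-- Added example: encryption state of current sessions on the data warehouse database.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,
       c.auth_scheme,
       c.encrypt_option,               -- 'TRUE' when the connection is TLS-encrypted
       c.connect_time
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
     ON c.session_id = s.session_id
WHERE s.database_id = DB_ID(N'CM_PS1_DW')
  AND c.parent_connection_id IS NULL   -- one row per session, ignore MARS child connections
  AND s.session_id <> @@SPID           -- skip this query's own session
ORDER BY c.encrypt_option, s.login_name;
```

Report sessions are short-lived, so run a data warehouse report while executing the query; any row with encrypt_option = 'FALSE' is a client connecting without encryption.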

SCCM ConfigMgr Compliance status of client for multiple software update groups


After a long time, I am back with a quick SCCM ConfigMgr software update compliance report. A friend of mine asked me this morning how to check the compliance report for a specific computer (could be a VIP) against one or multiple software update groups that they have created/deployed.

How do you check the compliance status of a computer for specific software update groups ONLY, and not for all updates that are available in SCCM?

You have several software update compliance reports for software update groups and for computers, but there is none to check whether a particular computer is compliant for a given software update group. The only possible way is to run the compliance report for a specific collection, which gives you the overall compliance status, and then drill down further or run another compliance report, which is a tedious process. And if you want to repeat this multiple times for different update groups? Not easy. The only solution is a custom report.

So I started looking at this request and searched online, but could not find anything except this link, https://social.technet.microsoft.com/Forums/en-US/6cb95ee0-808e-4c8f-a39c-11bc35282357/limit-specific-computer-report-to-a-software-update-group?forum=configmanagergeneral , which is unanswered.

I also looked through my blog to see if I had posted something similar, but found nothing that matches the requirement.

So I started writing the SQL code and converted it to a nice SSRS report, which is now available for you to download and play with.

I have added most of the computer information, such as software update group, computer name, user name, OS, last hardware scan, last software update scan, last logon time, IP address and patch compliance status, to help troubleshoot further.

You can download the SQL views documentation from https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

How does this report work? When you run it, it prompts you to choose the software update groups that you are interested in and to enter the computer name (it must be typed in, there is no drop-down; just the computer name, no need to enter the FQDN).

[Screenshot: output of the report]

Download the report from TechNet Gallery, upload it to your SSRS reports, change the data source and you are ready to run it.

Some of software update compliance reports from my blog are listed below.

SCCM Configmgr 2012 Updated Patch Compliance reports for software update group and collection with patch progression

Configmgr SQL query to get the list of clients that require a specific software update patch

SCCM Configmgr Software Update Compliance Report for Specific Collection within Specific Time Frame

SCCM Configmgr SQL query to find Top X missing updates for specific collection for specific update group

SCCM Configmgr Get the Update Compliance Status for multiple Update groups against Multiple collections using SQL query without reporting

SCCM Configmgr Software update Compliance Report for multiple Software Update groups per collection

SCCM Configmgr SQL Query to check software update is superseded by what software updates

Configmgr How to list all Default and Custom reports with created by, modified by,data source , Path and Description

SCCM Configmgr How to generate patch compliance report that shows all updates for specific collection ?

SCCM Configmgr SSRS Report Get list of missing updates for PC from specific Software update group

sccm  SQL Query Get software updates that are downloaded but not in any software update group

SCCM Configmgr 2012 Software update compliant non-compliant results for list of computers from collection for specific month

SCCM Check Patch is member of what software update package

SCCM Configmgr  SSRS Patch Compliance Report Per Collection Per Update Group

SCCM Configmgr SSRS Report Overall Compliance Per Update Group Per Collection will help to troubleshoot the clients

SCCM Configmgr Patch Report – OU based Compliance status per Update Group

SCCM Configmgr Report Get the Status of Software Update Scan results

SCCM Configmgr Software update compliance states

SCCM report applications installed on computers without Updates

SCCM Configmgr Report for Software Update Compliance
