Monday, December 31, 2018

Step-by-Step SCCM 1810 Upgrade Guide

A few days ago, Microsoft released a new branch update (1810) for System Center Configuration Manager.
The ConfigMgr Current Branch 1810 update is available as an in-console update, which can be installed from all supported Current Branch versions (1702, 1802 and 1806).

For the complete list of features, read What's new in 1810.

Before proceeding with the SCCM branch upgrade, it is very important to review the SCCM Current Branch servicing (upgrade) checklist.

This step-by-step SCCM 1810 upgrade guide walks you through upgrading SCCM Current Branch from all supported previous versions to SCCM Current Branch 1810.

Downloading the SCCM CB 1810 update:
 1. Use FastRingScript_1810.exe to upgrade the site to 1810 without waiting for global release.
 2. Download FastRingScript_1810.exe from TechNet gallery
 3. Extract the downloaded FastRingScript_1810.exe
 4. Launch PowerShell as Administrator
 5. Change the current directory to the FastRingScript_1810 script path
 6. Run the script from the elevated PowerShell window (ex: EnableFastUpdateRing1810.ps1 SCCB)
    Note: Just use the server name without the FQDN
 7. The script will report that the command(s) completed successfully
 8. Now go to the \Administration\Overview\Updates and Servicing node in the SCCM console, then click Check for updates on the ribbon.
 9. Refresh the Updates and Servicing node in the SCCM console; you can see the 1810 update in the Downloading state.
10. Review the dmpdownloader.log file
    The log should show "Found a new available update", then "downloading large files with BITS"
11. Wait until the 1810 update status changes from Downloading to Ready to Install in the console

Installing SCCM CB 1810 update:
1. As with any previous update, either run Run Prerequisite Check first or run Install Update Pack directly;

2. The installer will start the Configuration Manager Updates wizard. Click Next on the General tab;

3. Select the required features to be installed, then click Next;

4. Select the required client update options, then click Next;

5. Accept the license terms, then click Next;

6. Review and confirm the selected options, then click Next;

7. Close the completion window;

8. Now the 1810 update state will change from Available to Installing;

9. The detailed progress of the update installation can be viewed from the \Monitoring\Overview\Updates and Servicing Status\Configuration Manager 1810 node. From the ribbon, click Show Status.
Show Status provides the detailed progress of the upgrade process.
The update status can also be checked by reviewing hman.log.
It will take 20-30 min (based on the server performance) to complete the upgrade.

Console Upgrade:
After upgrading the site server to SCCM Current Branch 1810, if we re-launch the console or check the console version, we will get a popup message saying "A new version of the console is available (5.1810.1075.1400)".

When prompted, click OK to upgrade the console and follow the on-screen prompts to complete the upgrade process.

Once the update is installed the version number of SCCM will be;
           System Center Configuration Manager Version: 1810
           Console Version: 5.1810.1075.1400
           Site Version: 5.0.8740.1000

Friday, November 30, 2018

Searching for devices takes long time to return results in SCCM Console

I recently experienced slow performance while searching for a particular device in the SCCM console under the Devices node, \Assets and Compliance\Overview\Devices.
Note: The slow search occurs only under the Devices node; everywhere else in the console is fine.

There were no errors in SmsAdminUI.log and no errors in the database error logs either.
Reviewing smsprov.log on the site server showed the actual query (below) that the system was trying to execute, and it was taking too long to complete:

Select ALL SMS_CombinedDeviceResources.AADDeviceID,SMS_CombinedDeviceResources.AADTenantID,SMS_CombinedDeviceResources.ActivationLockBypassState,SMS_CombinedDeviceResources.ActivationLockBypassStateTimeStamp,SMS_CombinedDeviceResources.ActivationLockState,SMS_CombinedDeviceResources.ADLastLogonTime,SMS_CombinedDeviceResources.ADSiteName,SMS_CombinedDeviceResources.AMTFullVersion,SMS_CombinedDeviceResources.AMTStatus,SMS_CombinedDeviceResources.ATP_LastConnected,SMS_CombinedDeviceResources.ATP_OnboardingState,SMS_CombinedDeviceResources.ATP_OrgId,SMS_CombinedDeviceResources.ATP_SenseIsRunning,SMS_CombinedDeviceResources.CA_ComplianceEvalTime,SMS_CombinedDeviceResources.CA_ComplianceSetTime,SMS_CombinedDeviceResources.CA_ErrorDetails,SMS_CombinedDeviceResources.CA_ErrorLocation,SMS_CombinedDeviceResources.CA_IsCompliant,SMS_CombinedDeviceResources.ClientActiveStatus,SMS_CombinedDeviceResources.ClientCertType,SMS_CombinedDeviceResources.ClientCheckPass,SMS_CombinedDeviceResources.ClientEdition,SMS_CombinedDeviceResources.ClientRemediationSuccess,SMS_CombinedDeviceResources.ClientState,SMS_CombinedDeviceResources.ClientType,SMS_CombinedDeviceResources.ClientVersion,SMS_CombinedDeviceResources.CNAccessMP,SMS_CombinedDeviceResources.CNIsOnInternet,SMS_CombinedDeviceResources.CNIsOnline,SMS_CombinedDeviceResources.CNLastOfflineTime,SMS_CombinedDeviceResources.CNLastOnlineTime,SMS_CombinedDeviceResources.CoManaged,SMS_CombinedDeviceResources.CurrentLogonUser,SMS_CombinedDeviceResources.DeviceAccessState,SMS_CombinedDeviceResources.DeviceCategory,SMS_CombinedDeviceResources.DeviceOS,SMS_CombinedDeviceResources.DeviceOSBuild,SMS_CombinedDeviceResources.DeviceOwner,SMS_CombinedDeviceResources.DeviceThreatLevel,SMS_CombinedDeviceResources.DeviceType,SMS_CombinedDeviceResources.Domain,SMS_CombinedDeviceResources.EAS_DeviceID,SMS_CombinedDeviceResources.EP_AntispywareEnabled,SMS_CombinedDeviceResources.EP_AntispywareSignatureUpdateDateTime,SMS_CombinedDeviceResources.EP_AntispywareSignatureVersion,SMS_CombinedDeviceResources.EP_AntivirusEnabled,SMS_CombinedDeviceResources.EP_AntivirusSignatureUpdateDateTime,SMS_CombinedDeviceResources.EP_AntivirusSignatureVersion,SMS_CombinedDeviceResources.EP_ClientVersion,SMS_CombinedDeviceResources.EP_DeploymentDescription,SMS_CombinedDeviceResources.EP_DeploymentErrorCode,SMS_CombinedDeviceResources.EP_DeploymentState,SMS_CombinedDeviceResources.EP_Enabled,SMS_CombinedDeviceResources.EP_EngineVersion,SMS_CombinedDeviceResources.EP_InfectionStatus,SMS_CombinedDeviceResources.EP_LastFullScanDateTimeEnd,SMS_CombinedDeviceResources.EP_LastFullScanDateTimeStart,SMS_CombinedDeviceResources.EP_LastInfectionTime,SMS_CombinedDeviceResources.EP_LastQuickScanDateTimeEnd,SMS_CombinedDeviceResources.EP_LastQuickScanDateTimeStart,SMS_CombinedDeviceResources.EP_LastThreatName,SMS_CombinedDeviceResources.EP_PendingFullScan,SMS_CombinedDeviceResources.EP_PendingManualSteps,SMS_CombinedDeviceResources.EP_PendingOfflineScan,SMS_CombinedDeviceResources.EP_PendingReboot,SMS_CombinedDeviceResources.EP_PolicyApplicationDescription,SMS_CombinedDeviceResources.EP_PolicyApplicationErrorCode,SMS_CombinedDeviceResources.EP_PolicyApplicationState,SMS_CombinedDeviceResources.EP_ProductStatus,SMS_CombinedDeviceResources.ExchangeOrganization,SMS_CombinedDeviceResources.ExchangeServer,SMS_CombinedDeviceResources.IMEI,SMS_CombinedDeviceResources.IsActive,SMS_CombinedDeviceResources.IsAlwaysInternet,SMS_CombinedDeviceResources.IsAOACCapable,SMS_CombinedDeviceResources.IsApproved,SMS_CombinedDeviceResources.IsBlocked,SMS_CombinedDeviceResources.IsClient,SMS_CombinedDeviceResources.IsInternetEnabled,SMS_CombinedDeviceResources.IsMDMActive,SMS_CombinedDeviceResources.IsObsolete,SMS_CombinedDeviceResources.IsSupervised,SMS_CombinedDeviceResources.IsVirtualMachine,SMS_CombinedDeviceResources.LastActiveTime,SMS_CombinedDeviceResources.LastClientCheckTime,SMS_CombinedDeviceResources.LastDDR,SMS_CombinedDeviceResources.LastHardwareScan,SMS_CombinedDeviceResources.CP_LastInstallationError,SMS_CombinedDeviceResources.LastLogonUser,SMS_CombinedDeviceResources.LastMPServerName,SMS_CombinedDeviceResources.LastPolicyRequest,SMS_CombinedDeviceResources.LastSoftwareScan,SMS_CombinedDeviceResources.LastStatusMessage,SMS_CombinedDeviceResources.LastSuccessSyncTimeUTC,SMS_CombinedDeviceResources.LastSyncNowRequest,SMS_CombinedDeviceResources.CP_LatestProcessingAttempt,SMS_CombinedDeviceResources.ManagementAuthority,SMS_CombinedDeviceResources.Name,SMS_CombinedDeviceResources.PasscodeResetState,SMS_CombinedDeviceResources.PasscodeResetStateTimeStamp,SMS_CombinedDeviceResources.PhoneNumber,SMS_CombinedDeviceResources.PolicyApplicationStatus,SMS_CombinedDeviceResources.PrimaryUser,SMS_CombinedDeviceResources.RemoteLockState,SMS_CombinedDeviceResources.RemoteLockStateTimeStamp,SMS_CombinedDeviceResources.MachineID,SMS_CombinedDeviceResources.ArchitectureKey,SMS_CombinedDeviceResources.RetireStatus,SMS_CombinedDeviceResources.SerialNumber,SMS_CombinedDeviceResources.SiteCode,SMS_CombinedDeviceResources.SMSID,SMS_CombinedDeviceResources.CP_Status,SMS_CombinedDeviceResources.SuppressAutoProvision,SMS_CombinedDeviceResources.SyncNowStatus,SMS_CombinedDeviceResources.Unknown,SMS_CombinedDeviceResources.UserDomainName,SMS_CombinedDeviceResources.UserName,SMS_CombinedDeviceResources.WipeStatus
from vSMS_CombinedDeviceResources AS SMS_CombinedDeviceResources
where (((SMS_CombinedDeviceResources.ClientType is null  AND SMS_CombinedDeviceResources.EAS_DeviceID is null ) OR SMS_CombinedDeviceResources.ClientType <> 3) AND (((SMS_CombinedDeviceResources.PrimaryUser like N'%Windows%' OR SMS_CombinedDeviceResources.CurrentLogonUser like N'%Windows%') OR SMS_CombinedDeviceResources.LastLogonUser like N'%Windows%') OR SMS_CombinedDeviceResources.Name like N'%Windows%'))

When I executed the same query in SQL Management Studio, the execution completed within 3 seconds, whereas the console was taking 8-10 minutes.

Next, I fired up SQL Server Profiler and captured a trace while searching for a device in the SCCM console. The trace indeed showed that the above query executed very slowly.

So based on these tests, there seem to be some differences in how SQL Server executes the same command when it comes from SQL Management Studio and from the SCCM console.

To test further, I decided to clean up the SQL execution plan cache by running the commands below:

--clean buffer cache

--clean procedure cache

--clean all caches

Please Note:
- After running above commands, some of the queries may run slow for first time
- Always check with your DBA for any applied customization

After running the above commands, I re-tested the search in the SCCM console under the Devices node. The slow search issue disappeared and the search results displayed in 3 seconds.
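SQL Server caches plans per set of session SET options, so the same query text sent from Management Studio and from the console can end up with separate cached plans. The script below is an added example, not part of the original post, and goes further than the instance-wide cache flush described above: it lists only the cached plans that reference vSMS_CombinedDeviceResources and, with -Evict, removes just those. The SQL instance name is a placeholder, and the SqlServer module (Invoke-Sqlcmd) is assumed to be installed.

```powershell
# Added example, not from the original post. Needs the SqlServer module and
# VIEW SERVER STATE; -Evict additionally needs ALTER SERVER STATE.
param(
    [string]$SqlInstance = '<site-database-sql-instance>',  # placeholder, replace
    [string]$Pattern     = 'vSMS_CombinedDeviceResources',  # view named in the smsprov.log query
    [switch]$Evict                                          # remove only the matching plans
)

Import-Module SqlServer -ErrorAction Stop

# Bit for ARITHABORT in the cached plan's set_options attribute.
$ARITHABORT = 4096

# Escape single quotes so the pattern cannot break out of the T-SQL string literal.
$like = $Pattern.Replace("'", "''")

$findPlans = @"
SELECT cp.plan_handle, cp.objtype, cp.usecounts,
       CONVERT(int, pa.value) AS set_options,
       LEFT(st.text, 100)     AS query_start
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle)        AS st
CROSS APPLY sys.dm_exec_plan_attributes(cp.plan_handle) AS pa
WHERE pa.attribute = 'set_options'
  AND st.text LIKE N'%$like%'
  AND st.text NOT LIKE N'%dm_exec_cached_plans%'   -- skip this diagnostic query itself
ORDER BY cp.usecounts DESC;
"@

$plans = @(Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $findPlans)

foreach ($p in $plans) {
    # plan_handle comes back as byte[]; DBCC FREEPROCCACHE expects a 0x... literal.
    $hex = '0x' + (($p.plan_handle | ForEach-Object { $_.ToString('X2') }) -join '')

    # Rows with the same query text but different SetOptions/ArithAbort values are
    # separate plans compiled for sessions with different SET options.
    [pscustomobject]@{
        PlanHandle = $hex
        Type       = $p.objtype
        UseCounts  = $p.usecounts
        SetOptions = $p.set_options
        ArithAbort = [bool]($p.set_options -band $ARITHABORT)
        Query      = $p.query_start
    }

    if ($Evict) {
        # Evicts this single plan instead of clearing the cache for the whole instance.
        Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "DBCC FREEPROCCACHE ($hex);"
    }
}
```

Run it once without -Evict while the console search is slow and keep the output; the evicted plan is recompiled on the next search.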

Thursday, November 1, 2018

MP has rejected policy request from Client because this SMSID is marked as blocked

You may see "MP has rejected policy request from Client(SMSID = GUID:xxxxxxxxxxxxxxx-xxxxxxxxx-xxx) because this SMSID is marked as blocked" for some of your clients when a client is deleted manually from the CM database or a client is blocked in the console.

Simply uninstalling and re-installing will not fix the issue. To resolve it on an affected client, follow the procedure below:

1. Launch a command prompt as administrator, then run C:\Windows\ccmsetup\ccmsetup.exe /Uninstall
Wait until the SCCM agent is uninstalled: monitor Task Manager until neither ccmsetup.exe nor ccmexec.exe is present

2. Delete following folders:

3. Delete following files:
C:\windows\sms*.mif (if present)

4. Delete following registry keys:

5. Remove the 2 SMS certificates in the local certificate store
Run MMC.exe as administrator and open the Certificates snap-in for the local computer
Expand Certificates > SMS and delete both certificates

6. Delete the WMI namespaces from PowerShell:
1. root\ccm
Get-WmiObject -query "SELECT * FROM __Namespace WHERE Name='CCM'" -Namespace "root" | Remove-WmiObject

2. root\cimv2\sms
Get-WmiObject -query "SELECT * FROM __Namespace WHERE Name='sms'" -Namespace "root\cimv2" | Remove-WmiObject

7. In Task Scheduler library, under "Microsoft" delete the "Configuration Manager" folder and any tasks within it

8. Restart the machine
9. Then reinstall the SCCM client

Monitor the MP Control component. The error should disappear from the console.
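Before the restart in step 8, it helps to confirm that nothing from the old client identity is left behind. The function below is an added example, not part of the original post; it checks only the items the procedure names explicitly (processes, sms*.mif files, the SMS certificate store, the two WMI namespaces and the scheduled task folder), and the function name is hypothetical.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell window
# on the client after steps 1-7 and before reinstalling the SCCM client.
function Test-CcmClientRemnant {
    $checks = [ordered]@{}

    # Step 1: the uninstall has finished only when both processes are gone.
    $checks['ccmsetup.exe / ccmexec.exe running'] =
        [bool](Get-Process -Name ccmsetup, CcmExec -ErrorAction SilentlyContinue)

    # Step 3: leftover MIF files.
    $checks['C:\Windows\sms*.mif'] =
        [bool](Get-ChildItem -Path 'C:\Windows' -Filter 'sms*.mif' -File -ErrorAction SilentlyContinue)

    # Step 5: certificates in the local computer's SMS store.
    $checks['Certificates in LocalMachine\SMS'] =
        (Test-Path 'Cert:\LocalMachine\SMS') -and
        [bool](Get-ChildItem -Path 'Cert:\LocalMachine\SMS' -ErrorAction SilentlyContinue)

    # Step 6: the two WMI namespaces, queried the same way the procedure deletes them.
    $checks['WMI namespace root\ccm'] =
        [bool](Get-WmiObject -Query "SELECT * FROM __Namespace WHERE Name='CCM'" `
                             -Namespace 'root' -ErrorAction SilentlyContinue)
    $checks['WMI namespace root\cimv2\sms'] =
        [bool](Get-WmiObject -Query "SELECT * FROM __Namespace WHERE Name='sms'" `
                             -Namespace 'root\cimv2' -ErrorAction SilentlyContinue)

    # Step 7: tasks under Microsoft\Configuration Manager in Task Scheduler.
    $checks['Scheduled tasks in \Microsoft\Configuration Manager\'] =
        [bool](Get-ScheduledTask -TaskPath '\Microsoft\Configuration Manager\*' `
                                 -ErrorAction SilentlyContinue)

    # One row per item; StillPresent = $true means that step needs to be repeated.
    foreach ($item in $checks.GetEnumerator()) {
        [pscustomobject]@{ Item = $item.Key; StillPresent = $item.Value }
    }
}

$result = Test-CcmClientRemnant
$result | Format-Table -AutoSize

if ($result.StillPresent -contains $true) {
    Write-Warning 'Client remnants found; finish the cleanup before reinstalling.'
} else {
    Write-Output 'No remnants found for the checked items.'
}
```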

Friday, September 14, 2018

SCCM CB 1806 Site server high availability step by step guide

With the release of SCCM CB 1806, a high availability feature was introduced for the SCCM site server, using active and passive modes.

To use the site server high availability feature, the design must meet the following requirements:
- Site must be running on minimum 1806
- Content library on the site server has to be remote, with full control permissions for both servers
- Active and passive site servers have to be in the same domain
- Both must connect to the same site database
- Site database must be remote to each server
- Both servers must have sysadmin permissions on the database
- Passive mode server should not have any other site system role before installing the site server passive mode role
- Must meet all the site server prerequisites

First upgrade the SCCM CB site to 1806. When installing or upgrading the site, make sure that Site server high availability is selected (it is selected by default).

For this guide my lab setup is;
LABPRI1 – Primary site server (Active) with SMS provider
LABPRI2 – Primary site server (Will be passive) with SMS provider
LABSQL1 – SQL Server 1
LABSQL2 – SQL Server 2
LABAOAGLS – Listener for AlwaysOn group
LABDPMP – DP, MP roles and Remote content library

The setup is using SQL AlwaysOn for database HA and connected with listener.

Make the content folder remote to both site servers:
If the content library is local on the primary site server, move it to a remote location.
Create a network share on a different server for the site server content library and assign full control to both site servers (active and passive).

Note: Make sure the remote content folder is not the root folder. It has to be under another folder as above, i.e. \\unc\share1\RemoteContent
If the content library folder is in the root, moving the content will fail with error 0x800700a1.

In the Configuration Manager console, go to \Administration\Overview\Site Configuration\Sites, then
right-click the site and select Manage Content Library, or click Manage Content Library on the ribbon.

In the Manage Content Library window, enter a valid network path for the New Location. This path is the location to where the site moves the content library. It must include a folder name that already exists on the share, for example, \\server\share\folder. Click OK

Check the progress of the content move in the Content Library column on the Summary tab of the details panel. While In progress, the Move Progress (%) value displays the percentage completed.

We can also check the progress in distmgr.log.

When the content move has completed successfully, distmgr.log will show MoveContentLibrary() completed, and the console will show the content location as remote, including the remote path.

Install Passive site server role:
Go to \Administration\Overview\Site Configuration\Sites in the SCCM console, then right-click the site and click Create Site System Server.
This will start the site system server wizard. On the General page, enter the server name, then click Next;

On the Specify roles for this server window, select Site server in passive mode, then click Next;

On the Site server in passive mode window:
- Select the appropriate choice for the source file location;
- Select the installation folder.
It is a good idea to select the same drive as the active node's installation path. Then click Next;

Review the summary then click next;

Click close on the completion window;

Soon after closing the wizard, the installer will start copying the files (SMS_BOOTSTRAP) to the selected installation drive.

Review ConfigMgrSetup.log on the root of C drive on the passive node. Once the setup is completed, the ConfigMgrSetup.log will show “Completed Configuration Manager Site Server setup - Installation”.

To check the site server nodes, go to \Administration\Overview\Site Configuration\Sites, then switch to the Nodes tab at the bottom.

Now two site servers will be listed: one in Active mode and the other in Passive mode.

At this stage, we have two site servers and one SMS provider. If we promote the passive mode server to active, it will connect to the SMS provider on the primary site.

By default, installing the passive site server role does not install the SMS Provider role. This role needs to be installed after installing the passive mode site server role.

To check the SMS provider location, Select the site from \Administration\Overview\Site Configuration\Sites then right click and open the properties. The General tab will display the SMS provider location; 

Installing SMS Provider:
To Install SMS Provider, run Setup.exe from ConfigMgr installation directory;

Click next on Before you Begin window;

On the Getting started window under Available setup Options, select Perform site maintenance or reset this site then click next;

On Site Maintenance window select Modify SMS Provider Configuration then click next;

On the Manage SMS Provider window, select Add a new SMS Provider, then enter the SMS Provider FQDN;
- If installing on the passive node, enter the passive node server name
- If installing on a separate server, enter that server's FQDN, then click Next;

Monitor the progress of provider installation on Configuration page;

Close the wizard when configuration completes;

To check the installed SMS providers, go to \Administration\Overview\Site Configuration\Sites in SCCM console.
The General page of the site properties will display two SMS Providers;

Promoting Passive Mode site server to Active Mode:
To promote the passive mode site server to active mode, go to \Administration\Overview\Site Configuration\Sites. On the summary page, switch to the Nodes tab, right-click the passive mode server, then select Promote to active;

Click Yes on the warning message to promote the passive server to active mode;

The status will change from Passive to Promoting;

In a few minutes the status will change from Promoting to OK;
Monitor FailoverMgr.log at <ConfigMgrInstallDir>\Logs\FailOverMgr.log
Now LABPRI2 is the active node and LABPRI1 is the passive node.
To see the HA functionality, turn off the passive node (Primary1 where SMS provider is installed).
Once the server is offline, re-launch the SCCM console.
The console will fail to connect to LABPRI1, the server it was previously connected to.

Click Connect to a new site, then enter the FQDN of LABPRI2 (the new active mode site server);

The console connects successfully to LABPRI2 using the SMS provider on LABPRI2;

Thursday, August 30, 2018

WSUS Control Manager failed to monitor WSUS Server

The SCCM console shows these errors:

WSUS Control Manager failed to monitor WSUS Server "SCCB.W2016.LAB".

Possible cause: WSUS Server version 3.0 SP2 or above is not installed or cannot be contacted.
Solution: Verify that the WSUS Server version 3.0 SP2 or greater is installed. Verify that the IIS ports configured in the site are same as those configured on the WSUS IIS website.
Message ID: 7003

Followed by;
WSUS Control Manager failed to configure proxy settings on WSUS Server "SCCB.W2016.LAB".

Possible cause: WSUS Server version 3.0 SP2 or above is not installed or cannot be contacted.
Solution: Verify that the WSUS Server version 3.0 SP2 or greater is installed. Verify that the IIS ports configured in the site are same as those configured on the WSUS IIS website. You can receive failure because proxy is set but proxy name is not specified or proxy server port is invalid.

Message ID: 7000

WSUSCtrl.log on the SUP;
System.Net.WebException: The request failed with HTTP status 503: Service Unavailable.~~   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)
 Failures reported during periodic health check by the WSUS Server SCCB.W2016.LAB. 
Will retry check in 1 minutes SMS_WSUS_CONTROL_MANAGER

This check happens every minute, so the error will appear every minute as well.

WSUSCtrl.log on the SUP clearly indicates an issue with IIS service availability.

The first point to check is the status of the WSUS application pool.

Open IIS Manager, go to Application Pools, then check the WSUS pool.

In this instance my WSUS pool had stopped.
Once it is started, the connectivity check recorded in wsusctrl.log will successfully validate the connection.

To address the actual WSUS pool issue, consider changing the WSUS pool queue length in IIS from the default 1000 to 25000.

Follow blog from Microsoft to re-configure the Wsuspool queue length;
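The same check and change can be scripted on the WSUS server. This is an added example, not part of the original post or the Microsoft blog it refers to; it assumes the WSUS application pool has its default name WsusPool, uses the IIS WebAdministration module, and the function name is hypothetical.

```powershell
# Added example, not from the original post. Run elevated on the WSUS/SUP server.
function Repair-WsusPool {
    param(
        [string]$PoolName    = 'WsusPool',  # assumption: default WSUS pool name
        [int]   $QueueLength = 25000,       # value suggested in the post
        [switch]$Fix                        # without -Fix the function only reports
    )

    Import-Module WebAdministration -ErrorAction Stop

    $path = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $path)) {
        throw "Application pool '$PoolName' was not found in IIS."
    }

    $state        = (Get-WebAppPoolState -Name $PoolName).Value
    $currentQueue = [int](Get-Item -Path $path).queueLength

    # Recent Windows Process Activation Service events that mention the pool
    # usually explain why it stopped (for example, repeated worker crashes).
    $wasEvents = Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-WAS'
            StartTime    = (Get-Date).AddDays(-1)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$PoolName*" } |
        Select-Object -First 5 TimeCreated, Id, Message

    if ($Fix) {
        if ($currentQueue -ne $QueueLength) {
            # Raise the HTTP.sys request queue limit for this pool.
            Set-ItemProperty -Path $path -Name queueLength -Value $QueueLength
        }
        if ($state -ne 'Started') {
            Start-WebAppPool -Name $PoolName
        }
    }

    # Report the state before the change and the state now.
    [pscustomobject]@{
        Pool              = $PoolName
        StateBefore       = $state
        StateNow          = (Get-WebAppPoolState -Name $PoolName).Value
        QueueLengthBefore = $currentQueue
        QueueLengthNow    = [int](Get-Item -Path $path).queueLength
        RecentWasEvents   = $wasEvents
    }
}

# Report only:
Repair-WsusPool
# Apply the queue length change and start the pool:
# Repair-WsusPool -Fix
```

After the pool is started, the next periodic check in WSUSCtrl.log should stop reporting HTTP status 503.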