ConfigMgr Compliance Settings to Check specific Windows Event ID

Compliance Settings is one of the ConfigMgr features for managing the configuration and compliance of clients in your organization. It can be used to ensure clients meet a pre-configured baseline. For instance, if we want to make sure that all client machines have logged a particular Windows Event ID in the System event log within the last 7 days, we can do this through Compliance Settings. The steps below illustrate how to create a Configuration Item and a Configuration Baseline for this requirement.

Prerequisites

Before we look at implementing a configuration baseline, we must ensure that clients have the prerequisite client setting enabled: in the client settings, under Compliance Settings, "Enable compliance evaluation on clients" must be set to Yes.

For reporting, the Reporting Services Point role must also be installed.

Create a Configuration Item

Configuration Items are the individual settings that you want to evaluate on a client. You can simply check for compliance and report back, or remediate the settings if they are non-compliant. Configuration Items can be grouped into Configuration Baselines. The first step in implementing a CB (Configuration Baseline) is to create the individual CIs that evaluate the conditions you want.

In the ConfigMgr console, under the Assets and Compliance workspace, expand Compliance Settings and select Configuration Items. From the ribbon, click Create Configuration Item and enter a name for the Configuration Item.

Choose which operating systems you would like to assess for the configuration item.

Type a name for the rule and click Discovery Script.

Enter your PowerShell script. Here I have used a script to check for the specific Windows System Event ID 5823 within the past 7 days.

Script:

# Discovery script: outputs "Yes" if event 5823 was logged in the System log during the last 7 days, otherwise "No"
$EventID = Get-EventLog -LogName System -After (Get-Date).AddDays(-7) | Where-Object { $_.InstanceId -eq 5823 }
if ($null -eq $EventID) { $Compliance = "No" } else { $Compliance = "Yes" }
$Compliance

Note that InstanceId is the full 32-bit instance value of the event; for some event sources it differs from the Event ID shown in Event Viewer (EventID is the low-order 16 bits of InstanceId). If the rule never matches, compare $_.EventID instead.

Specify the compliance condition for this setting: the setting's data type is String, and the rule is compliant when the value returned by the script equals "Yes".
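The following is an added example, not the script from the original post: an alternative discovery script for the same Configuration Item that uses Get-WinEvent (which filters on the short Event ID, so the InstanceId question does not arise) and distinguishes "no matching event" from "the query itself failed". It assumes the same event ID 5823 and 7-day window as above, and that the CI rule is of type String and compliant when the output equals 'Compliant'.

```powershell
# Added example (not the original post's script): compliance-item discovery script
# that reports whether a given System event ID was logged in the last N days.
# Assumptions: event ID 5823 and a 7-day window as in the post; the CI rule is of
# type String and is compliant when the script's output equals 'Compliant'.

$EventId      = 5823
$LookbackDays = 7

function Test-EventLogged {
    param(
        [Parameter(Mandatory)] [int]    $Id,
        [Parameter(Mandatory)] [int]    $Days,
        [string] $LogName = 'System'
    )
    $filter = @{
        LogName   = $LogName
        Id        = $Id                          # short Event ID, as shown in Event Viewer
        StartTime = (Get-Date).AddDays(-$Days)
    }
    try {
        # -MaxEvents 1: we only need to know that at least one matching event exists
        $null = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction Stop
        return $true
    }
    catch {
        # Get-WinEvent reports "no events found" as an error. Treat only that case as
        # "not logged"; let any other failure (log unreadable, bad filter) surface as a
        # script error so the CI shows an evaluation error instead of a false
        # non-compliant result.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return $false }
        throw
    }
}

if (Test-EventLogged -Id $EventId -Days $LookbackDays) { 'Compliant' } else { 'NonCompliant' }
```

The discovery script runs as SYSTEM on the client, so it can read the System log without extra rights. Because the CI rule compares the whole output string, make sure nothing else is written to the pipeline (the `$null =` assignment above is what keeps the matched event itself from being emitted).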

Create a Configuration Baseline

We need to add the CI to a Configuration Baseline in order to deploy it to client machines.

Give your new configuration baseline a name and click Add > Configuration Items to pick the CIs that you would like to include in the configuration baseline. Here I have included the Event ID Configuration Item.

Deployment

The configuration baseline you have created will not be effective until you have deployed it to your target collection. Here I have deployed it to the "test" collection.

Reporting

Once your configuration baseline has had time to run through its evaluation schedule, apart from viewing the compliance count under Configuration Baselines in the console, you can also use the Reporting node in the Monitoring workspace or the Reporting Services web portal to pull the reports.

We can see the status from one of the ConfigMgr default reports. Report name: "Summary compliance by configuration baseline".

The machine below has the specific Event ID and shows as "Compliant".

The machine below does not have the specific Event ID and shows as "Non-compliant".

Thank You!

SCCM Query to Get Hardware Inventory Report for Specific Collection

A query is a specific set of instructions that extracts information about a defined set of objects. SCCM queries are one way to generate reports and to create query-based device collections. In this post I have shared the SCCM query to get a hardware inventory report for a specific collection. The query itself has no collection filter; the scope comes from the query's "Limit to collection" option in the query properties.

SCCM Query

select SMS_R_System.NetbiosName, SMS_G_System_CH_ClientSummary.ClientActiveStatus,
       SMS_G_System_COMPUTER_SYSTEM.Manufacturer, SMS_G_System_COMPUTER_SYSTEM.Model,
       SMS_G_System_PROCESSOR.Name, SMS_G_System_PC_BIOS.SerialNumber,
       SMS_G_System_OPERATING_SYSTEM.Name, SMS_G_System_OPERATING_SYSTEM.BuildNumber,
       SMS_G_System_SYSTEM.SystemType, SMS_R_System.LastLogonTimestamp,
       SMS_R_System.LastLogonUserName, SMS_R_System.MACAddresses
from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_PC_BIOS on SMS_G_System_PC_BIOS.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_PROCESSOR on SMS_G_System_PROCESSOR.ResourceID = SMS_R_System.ResourceId

Query Output

We get the following output from the query: Host Name, Client Status, Manufacturer, Model, Processor Name, PC Serial Number, Operating System Name, OS Build Version, System Type, Last Logon Timestamp, Last Logon User Name and MAC Address. Because every join is an inner join, a machine that is missing any one of these inventory classes (for example one that has never reported hardware inventory) will not appear in the output.
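The same query can be run outside the console against the SMS Provider. The block below is an added example, not part of the original post: it runs a trimmed version of the query above from PowerShell, scopes it to one collection with a WQL subselect on SMS_FullCollectionMembership (the scripted equivalent of "Limit to collection"), and exports the rows to CSV. The site code P01, provider host sccm01.vcloud.com and collection ID P0100012 are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): run a ConfigMgr WQL query from
# PowerShell against the SMS Provider and restrict it to one collection.
# Assumptions: site code P01, SMS Provider on sccm01.vcloud.com, collection ID
# P0100012. The account used needs a ConfigMgr security role with read access
# (the built-in Read-only Analyst role is enough).

$SiteCode     = 'P01'
$Provider     = 'sccm01.vcloud.com'
$CollectionId = 'P0100012'

function Invoke-CMWql {
    param([Parameter(Mandatory)][string]$Query)
    # Get-WmiObject is used deliberately: join results from the SMS Provider come
    # back as one object per row, with each joined class as an embedded property.
    Get-WmiObject -ComputerName $Provider -Namespace "root\SMS\site_$SiteCode" -Query $Query
}

# Same joins as the post's query, limited to the collection's members.
$wql = @"
select SMS_R_System.NetbiosName, SMS_G_System_CH_ClientSummary.ClientActiveStatus,
       SMS_G_System_COMPUTER_SYSTEM.Manufacturer, SMS_G_System_COMPUTER_SYSTEM.Model,
       SMS_G_System_PC_BIOS.SerialNumber, SMS_G_System_OPERATING_SYSTEM.Name,
       SMS_G_System_OPERATING_SYSTEM.BuildNumber, SMS_R_System.LastLogonUserName
from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_PC_BIOS on SMS_G_System_PC_BIOS.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceId
where SMS_R_System.ResourceId in
      (select ResourceID from SMS_FullCollectionMembership where CollectionID = "$CollectionId")
"@

$rows = Invoke-CMWql -Query $wql

# Flatten the embedded class objects into one record per machine.
$report = foreach ($r in $rows) {
    [pscustomobject]@{
        HostName     = $r.SMS_R_System.NetbiosName
        ClientActive = $r.SMS_G_System_CH_ClientSummary.ClientActiveStatus
        Manufacturer = $r.SMS_G_System_COMPUTER_SYSTEM.Manufacturer
        Model        = $r.SMS_G_System_COMPUTER_SYSTEM.Model
        SerialNumber = $r.SMS_G_System_PC_BIOS.SerialNumber
        OS           = $r.SMS_G_System_OPERATING_SYSTEM.Name
        OSBuild      = $r.SMS_G_System_OPERATING_SYSTEM.BuildNumber
        LastUser     = $r.SMS_R_System.LastLogonUserName
    }
}

$report | Sort-Object HostName | Export-Csv -Path ".\HardwareInventory_$CollectionId.csv" -NoTypeInformation
"$($report.Count) machines exported"
```

The provider enforces the same role-based administration as the console, so the script only returns devices and collections the running account is scoped to. The inner-join caveat above still applies: machines missing any joined inventory class are silently dropped from the result.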

ThankYou!

SCCM Query to Get Secure Boot Not Enabled Machines and BIOS Info

A query is a specific set of instructions that extracts information about a defined set of objects. SCCM queries are one way to generate reports and to create query-based device collections. In this post I have shared the SCCM queries to get machines where Secure Boot is not enabled, and BIOS information.

SCCM Query to Get Secure Boot Not Enabled Machines

Secure Boot in BIOS

Secure Boot is a feature of the Unified Extensible Firmware Interface (UEFI). UEFI defines a new interface between the operating system and the firmware, replacing the legacy BIOS interface.

When enabled and fully configured, Secure Boot helps a computer resist attacks and infection from malware. Secure Boot detects tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures; components that fail validation are blocked from running before they can attack or infect the system. Hence it is a mandatory setting that we need to enable in the firmware. To identify machines where it is not enabled, we can use this query in SCCM.

SCCM Query

select SMS_R_System.Name, SMS_G_System_FIRMWARE.SecureBoot, SMS_R_System.SystemOUName
from SMS_R_System
inner join SMS_G_System_FIRMWARE on SMS_G_System_FIRMWARE.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_FIRMWARE.SecureBoot = 0
order by SMS_R_System.Name

Query Output

We get the system name, the OU and the Secure Boot state for machines where Secure Boot is not enabled (a SecureBoot value of 0 means not enabled). This condition also matches legacy BIOS machines, on which Secure Boot cannot be enabled at all; add the SMS_G_System_FIRMWARE.UEFI column to the query (0 = legacy BIOS, 1 = UEFI) to separate the two cases. The Firmware class must be enabled in the hardware inventory client settings for SMS_G_System_FIRMWARE to be populated.
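The inventory query tells you which machines reported SecureBoot = 0 at their last inventory cycle. As an added example, not from the original post, the script below performs the same check live on a client and can be used as a Configuration Item discovery script like the one in the Compliance Settings post above: it separates "UEFI with Secure Boot disabled" from "legacy BIOS" and handles the two failure modes of Confirm-SecureBootUEFI (legacy firmware, and running without elevation). The only assumption is that the CI rule compares the output to the string 'Compliant'.

```powershell
# Added example (not from the original post): local Secure Boot check usable as a
# compliance-item discovery script. Distinguishes UEFI/Secure Boot off from legacy
# BIOS, which the inventory value SecureBoot = 0 alone does not. Assumption: the CI
# rule is of type String and is compliant when the output equals 'Compliant'.

function Get-SecureBootState {
    $result = [ordered]@{ Firmware = 'Unknown'; SecureBoot = 'Unknown'; Source = '' }
    try {
        # Authoritative answer: reads the SecureBoot UEFI variable. Needs elevation,
        # which holds for CI scripts because they run as SYSTEM.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $result.Firmware   = 'UEFI'
        $result.SecureBoot = if ($enabled) { 'Enabled' } else { 'Disabled' }
        $result.Source     = 'Confirm-SecureBootUEFI'
    }
    catch [System.PlatformNotSupportedException] {
        # Thrown when Windows booted through legacy BIOS/CSM: Secure Boot is not available.
        $result.Firmware   = 'LegacyBIOS'
        $result.SecureBoot = 'NotAvailable'
        $result.Source     = 'Confirm-SecureBootUEFI'
    }
    catch [System.UnauthorizedAccessException] {
        # Not elevated: fall back to the value Windows records at boot time.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
        $val = (Get-ItemProperty -Path $key -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue).UEFISecureBootEnabled
        $result.Firmware   = if ($null -ne $val) { 'UEFI' } else { 'Unknown' }
        $result.SecureBoot = if ($val -eq 1) { 'Enabled' } elseif ($val -eq 0) { 'Disabled' } else { 'Unknown' }
        $result.Source     = 'Registry'
    }
    catch {
        $result.Source = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

$state = Get-SecureBootState
if ($state.SecureBoot -eq 'Enabled') {
    'Compliant'
} else {
    # Anything other than 'Compliant' fails the rule; the detail shows up as the
    # reported value in the compliance report.
    "NonCompliant ($($state.Firmware)/$($state.SecureBoot))"
}
```

Secure Boot cannot be remediated from inside Windows, so this CI is report-only; the value of the live check over the inventory query is that it also flags the legacy BIOS machines that must be converted to UEFI before Secure Boot can be turned on.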

SCCM Query to Get BIOS Manufacturer & BIOS Version

To get the PC BIOS manufacturer and BIOS version for a specific collection, we can use the query below in SCCM (scope it with the "Limit to collection" option in the query properties).

SCCM Query

select SMS_R_System.Name, SMS_G_System_PC_BIOS.Manufacturer, SMS_G_System_PC_BIOS.SMBIOSBIOSVersion, SMS_GH_System_PC_BIOS.BIOSVersion
from SMS_R_System
inner join SMS_G_System_PC_BIOS on SMS_G_System_PC_BIOS.ResourceID = SMS_R_System.ResourceId
inner join SMS_GH_System_PC_BIOS on SMS_GH_System_PC_BIOS.ResourceId = SMS_R_System.ResourceId

Query Output

We get the system name, PC BIOS manufacturer and BIOS version details as below. Note that SMS_GH_System_PC_BIOS is the inventory history class, so a machine whose BIOS has been updated since it was first inventoried returns one row per historical BIOS version; use only the SMS_G_System_PC_BIOS columns if you want the current value alone.

Thank You!

Configure SCCM Reporting Services Point

In this article I will install the SCCM Current Branch Reporting Services Point role. The SCCM Reporting Services Point role will allow you to manage reports in Configuration Manager. The role must be configured on a server with Microsoft SQL Server Reporting Services installed and running. In the following section I will detail the prerequisites before installing the role.

Prerequisites

1. SQL Server Reporting Services (SSRS) is one of the requirements for the SCCM CB reporting services point. Reporting Services is part of the SQL Server installation.

2. Site system role dependencies for the computers that run the reporting services point. Read about it here. These are the two main prerequisites.

SSRS Report Manager Components and Purpose

  • Configuring the Report Server Service Account: the service account is specified when the report server is initially set up. Using Reporting Services Configuration Manager, we can switch to a different account or change the password.
  • Create or Configure the Report Server Database: by default the report server uses two databases (ReportServer and ReportServerTempDB) for internal storage. We can use Reporting Services Configuration Manager to create a new database or to manage the existing one.
  • Symmetric Keys: we can use Reporting Services Configuration Manager to back up, restore or replace the symmetric key. This key is used to encrypt stored connection strings and credentials, so back it up and store the backup securely before any migration.
  • Configure Web Service URLs: we can use Reporting Services Configuration Manager to configure the Web Service URL. This is the URL used for deploying SSRS projects or reports.
  • Configure Web Portal URLs: we can use Reporting Services Configuration Manager to configure the Web Portal (Report Manager) URL. This is the URL used for viewing or securing SSRS projects or reports.
  • Configuring Email: use Reporting Services Configuration Manager to configure the SMTP server. The SMTP server is used to send emails about report processing, report delivery and so on.

Configure SQL Server Reporting Services (SSRS)

SQL Server Reporting Services is a server-based reporting platform that provides comprehensive reporting functionality for a variety of data sources. The reporting services point in Configuration Manager communicates with SQL Server Reporting Services to copy Configuration Manager reports to a specified report folder, to configure Reporting Services settings, and to configure Reporting Services security settings. Reporting Services connects to the Configuration Manager site database to retrieve data that is returned when you run reports.

To verify that SQL Server Reporting Services is installed and running correctly, on the server where SQL Server is installed click Start, click All Programs, click Microsoft SQL Server 2016 and then click Reporting Services Configuration Manager.

In the Reporting Services Configuration Connection dialog box, specify the name of the server that is hosting SQL Server Reporting Services, on the menu, select the instance of SQL Server on which you installed SQL Reporting Services, and then click Connect.

On the Report Server Status page, verify that Report Service Status is set to Started. If it is not, click Start.

Configure Service Account

Apply Web service Url

Configure database as per below and Apply

Apply Web Portal Url and test the connection to the report folder.

Since we are not using the other features, we can skip the remaining options such as Email Settings and Subscription Settings.

Add Reporting Services Point Role 

The reporting services point is a site system role that must be configured on a server with Microsoft SQL Server Reporting Services installed and running. Reporting Services Point role can be installed on a central administration site and primary sites, and on multiple site systems at a site and at other sites in the hierarchy. The reporting services point is not supported on secondary sites.

To install the Reporting Services Point role, launch the Configuration Manager console. Under Administration > Site Configuration, click Sites. On the right-hand side, right-click the site and click "Add Site System Roles".

Select Reporting Services Point role

Select the folder name, the Reporting Services instance and the service account, then click Next. Use a dedicated domain account for the reporting services point rather than an administrator account; it only needs to read the site database, and ConfigMgr grants it the required database rights when the role is installed.

Review and click Next. The Add Site System Roles wizard completes successfully; click Close.

Now we can see the SMS_SRS_REPORTING_POINT component in Component Status.

We can also see the successful installation status in srsrp.log on the site system.

Once installation is complete, launch the SCCM console and navigate to Monitoring > Reporting. In the right pane you will see the following links:

Report Manager : http://sccm01/Report
Report Server : http://sccm01/ReportServer

Click the Report Manager link (http://sccm01/Report); this launches the Reporting Services web portal, where you can browse all the reports under the various categories. If the portal only answers over HTTP, bind a certificate to the Web Service and Web Portal URLs in Reporting Services Configuration Manager so that report data and credentials are not sent in clear text.
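As an added example that is not part of the original post, the script below runs the post-install checks a practitioner would normally do by hand after adding the role: whether the SSRS service is running, whether the Report Server URL answers (and over which scheme), and the tail of srsrp.log. It assumes, as in the post, that SSRS and the site server are both sccm01 and that it runs on the site server, where the SMS_LOG_PATH environment variable points at the ConfigMgr logs folder.

```powershell
# Added example (not from the original post): post-install checks for the
# reporting services point. Assumptions: SSRS host sccm01 (as in the post); the
# script runs on the site server, where SMS_LOG_PATH points at the ConfigMgr
# Logs folder. Windows PowerShell 5.1 (Get-Service -ComputerName).

$ReportHost = 'sccm01'
$Urls = @("http://$ReportHost/ReportServer", "https://$ReportHost/ReportServer")

function Test-ReportServerService {
    # SQL 2016 SSRS runs as 'ReportServer' (or 'ReportServer$<instance>');
    # SQL 2017 and later run as 'SQLServerReportingServices'.
    $svc = Get-Service -ComputerName $ReportHost -Name 'ReportServer*', 'SQLServerReportingServices' -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Check = 'SSRS service'; Result = 'Not found' } }
    foreach ($s in $svc) { [pscustomobject]@{ Check = "Service $($s.Name)"; Result = $s.Status } }
}

function Test-ReportServerUrl {
    # Uses the caller's Windows credentials, exactly like the console links do.
    foreach ($u in $Urls) {
        try {
            $resp = Invoke-WebRequest -Uri $u -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
            [pscustomobject]@{ Check = $u; Result = "HTTP $($resp.StatusCode)" }
        }
        catch {
            [pscustomobject]@{ Check = $u; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}

function Get-SrsrpLogTail {
    param([int]$Lines = 20)
    $log = Join-Path $env:SMS_LOG_PATH 'srsrp.log'
    if (Test-Path $log) { Get-Content -Path $log -Tail $Lines } else { "srsrp.log not found at $log" }
}

Test-ReportServerService
Test-ReportServerUrl
Get-SrsrpLogTail
```

If only the http:// URL succeeds, the reporting point is working but every report request, including the Windows authentication exchange, goes over the network unencrypted; bind a certificate in Reporting Services Configuration Manager and re-run the check until the https:// URL returns HTTP 200.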

Thank you!

If you found this article useful, share it with your friends.
If you have any questions or suggestions, leave your comment.

SCCM Distribution Point Maintenance Mode

SCCM distribution point maintenance mode is a feature available from SCCM 1902 onwards. We can put a distribution point into maintenance mode when installing software updates on the server or making hardware changes to it.

While the distribution point is in maintenance mode, it has the following behaviors:

  • The site doesn’t distribute any content to it.
  • Management points don’t return the location of this distribution point to clients.
  • When you update the site, a distribution point in maintenance mode still updates.
  • The distribution point properties are read-only. For example, you can’t change the certificate or add boundary groups.
  • Any scheduled task, like content validation, still runs on the same schedule.

Enable SCCM DP Maintenance Mode

  • In the SCCM console
  • Go to Administration / Distribution Points
  • Right-click the desired distribution point and click Enable Maintenance Mode

At the warning, click OK to confirm that you want to enable maintenance mode.

Maintenance mode is now enabled.

We can see more details in the status messages:

  • Message ID 40411 is logged when maintenance mode is enabled
  • Message ID 40412 is logged when maintenance mode is disabled

The distmgr.log file on the site server will also show that the distribution point is in maintenance mode.

Thank You

SCCM 1910 STEP-BY-STEP UPGRADE GUIDE

Microsoft has released the in-console update 1910 for Configuration Manager current branch. This is the first version released under the Microsoft Endpoint Configuration Manager name. We can apply this update on sites that run version 1806 or later.

In this post I will be performing the SCCM 1910 upgrade as an in-console update from SCCM 1906.

SCCM 1910 New Features

As part of the new features:

  • Configuration Manager is now part of Microsoft Endpoint Manager.
    • Configuration Manager
    • Intune
    • Desktop Analytics
    • Autopilot
  • Other features in the Device Management Admin Console
  • Deploy Microsoft Edge, version 77 and later
  • Search the task sequence editor
  • Copy and paste task sequence conditions
  • Task Sequence download on demand over the internet
  • Import a single index of an OS Upgrade package
  • Improved language support in task sequence
  • Office 365 ProPlus Pilot and Health Dashboard

SCCM 1910 Upgrade Prerequisites

  • Update 1910 for Configuration Manager current branch is available as an in-console update. There is no SCCM 1910 baseline version.
  • To apply this update on your sites, ensure you have installed SCCM version 1806 or later.
  • If you’re running a multi-tier hierarchy, start at the top-level site in the hierarchy. First perform the CAS upgrade, later you can begin the upgrade of each child site. Complete the upgrade of each site before you begin to upgrade the next site.
  • Ensure that you are running a supported Operating System and SQL Server version.

Get Configuration Manager 1910 Update in Console

In order to get the Configuration Manager 1910 update in the console, please follow the link below.

Begin the installation

Once you have completed the early update ring enablement described at the link above, "Configuration Manager 1910" appears under "Updates and Servicing". Running the script also starts the download of the update, which can be monitored in dmpdownloader.log. The update is downloaded to <Installed Drive>\Microsoft Configuration Manager\EasySetupPayload\<Filename.Cab>.

It is initially downloaded as a .cab file, as in the screenshot below. Once the .cab file is downloaded, its content is extracted into a folder of the same name and the original .cab file is deleted.

You can also monitor the prerequisite check by going to Monitoring > Updates and Servicing Status, right-clicking the update name and selecting Show Status.

Once the update is downloaded, the status of "Configuration Manager 1910" changes to "Ready to Install".

Now select "Configuration Manager 1910", right-click and select "Run Prerequisite Check".

Once the prerequisite check has completed, select "Configuration Manager 1910" again, right-click and select "Install Update Pack".

This starts the "Configuration Manager Updates Wizard". Prerequisite warnings do not block the update, but read them before selecting Next; prerequisite errors must be resolved before the update can be installed.

Under "Features included in update pack", tick the features you want to enable during the update.

The next screen shows the Client Update Settings. It is always better to use the option "Validate in pre-production collection" so that you can test the new client agent on a few systems before rolling it out to production. Here I have selected "Upgrade without validating".

On the License Terms tab, accept the license terms and click Next

On the Summary tab, review your choices, click Next and close the wizard on the Completion tab. This will take some time to update SCCM.

Installation can be verified through cmupdate.log as well.
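The wizard steps above can also be driven from PowerShell with the ConfigurationManager module that ships with the console. The block below is an added example and not from the original post: it gates on the 1806 minimum version, runs the prerequisite check, surfaces warnings and errors from ConfigMgrPrereq.log for review instead of ignoring them, and only then installs the update pack. The site code P01 is an assumption, as is the log-line format used for parsing (each check line in ConfigMgrPrereq.log is assumed to end with "; Passed", "; Warning" or "; Error").

```powershell
# Added example (not from the original post): in-console update driven from
# PowerShell with the ConfigurationManager module. Assumptions: site code P01, the
# console is installed locally (SMS_ADMIN_UI_PATH is set), the update is already
# listed under Updates and Servicing, and each check line in ConfigMgrPrereq.log
# ends with "; Passed", "; Warning" or "; Error".

$SiteCode   = 'P01'
$UpdateName = 'Configuration Manager 1910'
$PrereqLog  = "$env:SystemDrive\ConfigMgrPrereq.log"   # written by the prerequisite check on the site server

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

function Test-SiteVersionForUpdate {
    # 1910 requires 1806 or later; 1806 is site version 5.0.8692.x
    param([string]$Code, [version]$Minimum = '5.0.8692.0')
    $site = Get-CMSite -SiteCode $Code
    [version]$site.Version -ge $Minimum
}

function Get-PrereqResults {
    # One object per check; the status is the last ';'-separated field of the line.
    param([string]$Path)
    Get-Content -Path $Path | Where-Object { $_ -match ';\s*(Passed|Warning|Error)\s*$' } | ForEach-Object {
        $parts = $_ -split ';'
        [pscustomobject]@{ Check = $parts[-2].Trim(); Status = $parts[-1].Trim() }
    }
}

if (-not (Test-SiteVersionForUpdate -Code $SiteCode)) {
    throw "Site $SiteCode must be on 1806 or later before applying $UpdateName"
}
if (-not (Get-CMSiteUpdate -Name $UpdateName)) {
    throw "$UpdateName is not yet listed in the console"
}

Invoke-CMSiteUpdatePrerequisiteCheck -Name $UpdateName
# The check runs asynchronously on the site server; watch Monitoring > Updates and
# Servicing Status, then come back and review the log before installing.
Read-Host -Prompt 'Press Enter once the prerequisite check has completed'

$results = Get-PrereqResults -Path $PrereqLog
$results | Where-Object Status -ne 'Passed' | Format-Table -AutoSize
if ($results | Where-Object Status -eq 'Error') {
    throw 'Prerequisite errors must be fixed before installing the update pack'
}

# Warnings were listed above for review; they do not block the install.
Install-CMSiteUpdate -Name $UpdateName
```

Progress of the install itself is written to cmupdate.log, exactly as for the wizard-driven path.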

Once installation is done and you try to open the SCCM console, you are asked to update the console. Click OK to continue. The new console version is 5.1910.1067.1600; the installer uninstalls the old console version.

Download and installation of the console can be verified in the log file C:\ConfigMgrAdminUISetupVerbose.log.

Once completed you can verify the site version and control version by clicking “About Configuration Manager”

Thank You!

Configuration Manager 1910 Update Not Available in Console

Microsoft has recently released Configuration Manager update 1910, and it can take a few weeks before it appears in the console. Until then we can either wait for the update to become globally available or run the EnableEarlyUpdateRing 1910 script to opt the site into the early update ring, which makes the 1910 update package available in ConfigMgr current branch.

EnableEarlyUpdateRing 1910 script

Download the PowerShell script from TechNet. This script enables the early update ring in ConfigMgr current branch.
On your SCCM server, run PowerShell as administrator and run the script. Enter the site server name and the script makes update 1910 available in the console.

Before running the script:

After executing the script, the Configuration Manager 1910 update is available to download in the console.

Windows 10 Deployment Using SCCM 1902 OSD Step by Step Guide

This guide provides step by step instructions to install PXE role, Creation of boot image, Creation of OS image, Creation of OSD task sequence and deploying Windows 10 OS via PXE boot on SCCM 1902 lab environment.

Enable SCCM PXE Role

First we need to prepare the environment for Configuration Manager OSD. We have to create a Network Access Account in Active Directory; this account is used by the client to access the Configuration Manager distribution point when booted under WinPE, so make sure the account has the necessary permission for this action and nothing more: it should be a plain domain user with read access to the distribution point content, because its credentials are delivered to WinPE and can be recovered from a client. Enhanced HTTP (available since 1806) removes the need for the account in many content-access scenarios. Then we have to enable the PXE role on our SCCM server.

Follow the Below Steps to Enable PXE support,

Open the SCCM Console
Go to Administration / Site Configuration / Servers and Site System Roles
Select your distribution point, right-click the Distribution point role in the lower pane and select Properties.

Select the PXE tab
Tick the "Enable PXE support for clients" check box and answer Yes when prompted about firewall ports (UDP ports 67, 68, 69 and 4011).

Check the Allow this distribution point to respond to incoming PXE requests check box
Check the Enable unknown computer support check box
Ensure that "Respond to PXE requests on all network interfaces" is selected and click OK.

Go to Monitoring / Distribution Status / Distribution Point Configuration Status
Click your distribution point on the top and select the Details tab on the bottom
We will see that the distribution point's PXE settings have changed.
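The same PXE configuration can be applied with the ConfigurationManager module, which also makes it easy to enforce a PXE password. The block below is an added example, not part of the original post: it enables PXE and unknown computer support on the distribution point exactly as in the steps above, sets a PXE password, and then checks that WDS is running and bound to the PXE and TFTP ports the firewall prompt refers to. The site code P01 and the distribution point name sccm01.vcloud.com are assumptions.

```powershell
# Added example (not from the original post): PXE settings applied with the
# ConfigurationManager module, plus a listener check on the DP. Assumptions:
# site code P01, DP sccm01.vcloud.com, console installed locally, PowerShell
# remoting enabled on the DP.

$SiteCode = 'P01'
$DpServer = 'sccm01.vcloud.com'

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Always set a PXE password. With unknown computer support enabled, anyone who
# can PXE-boot a device on the subnet can otherwise pull WinPE and start a task
# sequence deployed to All Unknown Computers.
$pxePassword = Read-Host -Prompt 'PXE boot password' -AsSecureString

Set-CMDistributionPoint -SiteSystemServerName $DpServer -SiteCode $SiteCode `
    -EnablePxe $true `
    -AllowPxeResponse $true `
    -EnableUnknownComputerSupport $true `
    -RespondToAllNetwork `
    -PxePassword $pxePassword

function Test-PxeListener {
    # WDS is installed and started by ConfigMgr when PXE is enabled; confirm the
    # service state and which of the PXE/TFTP UDP ports are actually bound.
    param([Parameter(Mandatory)][string]$ComputerName)
    $ports = 67, 69, 4011
    Invoke-Command -ComputerName $ComputerName -ArgumentList (, $ports) -ScriptBlock {
        param($p)
        $svc = Get-Service -Name WDSServer -ErrorAction SilentlyContinue
        $bound = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
                 Where-Object LocalPort -in $p |
                 Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
        [pscustomobject]@{
            Server       = $env:COMPUTERNAME
            WdsStatus    = if ($svc) { $svc.Status } else { 'NotInstalled' }
            UdpListening = ($bound -join ',')
        }
    }
}

Test-PxeListener -ComputerName $DpServer
```

The DP configuration is applied asynchronously by the distribution manager, so run the listener check after Monitoring > Distribution Status > Distribution Point Configuration Status shows the PXE change as completed; an empty UdpListening value at that point usually means WDS did not initialise, which is visible in distmgr.log and smspxe.log on the DP.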

BOOT Image Distribution

Here we are going to use the default SCCM boot image,
Open the SCCM console, go to Software Library > Operating Systems > Boot Images, right-click Boot Image (x64) and distribute it to the DPs.

Add Operating System Image

Launch the Configuration Manager console, click on Software Library, click Operating Systems, right click on Operating systems images and click on Add Operating System Image.

Specify the path where the install.wim is present. Click Next.

Provide details for the operating system image. Click Next.

Click Next and click close.

Distribute the image into DPs

Select the Distribution Point

Click Next and Close

Configure the Network Access Account. This account is used by the client to access the Configuration Manager distribution point when booted under WinPE.

Specify Network Access account

Task Sequence Creation

Launch the Configuration Manager console, click on Software Library, expand Overview, expand Operating Systems, right click Task Sequences and click Create Task Sequence.

Type Task sequence Name

Select Boot Image

Select Operating System Image

Select the image index, type the product key, type the local Administrator password and click Next.

Configure Domain Join Account

Select "Join a domain", browse to the target domain OU and click Next. The domain join account only needs delegated rights to create and manage computer objects in that OU, not domain admin rights, because its credentials are stored in the task sequence and pushed to every client that runs it.

Select Configuration Manager Client Package

Click Next since we are not using State Migration here

Select the appropriate software update option; here I have selected "Do not install any software updates".

Select the applications that we want to install during the task sequence.

Click Next and Close

The task sequence has been created successfully; below is our basic Windows 10 task sequence view.

Deploy task sequence into Unknown Computer Collection

Select task sequence right click and Click Deploy

Select All unknown Computers collection

Select the purpose and "Make available to PXE", then click Next.

Select the Deployment schedule and click Next

Select User experience Option as per below and Click Next

Select deployment options as download locally and click Next

Verify the Summary and click Next

The Deploy task sequence wizard completed Successfully

Deploying Windows 10 via PXE boot

Here I have prepared another Hyper-V virtual machine and am deploying Windows 10 to it via the configured PXE boot.

Press F12 to boot from the network. The machine gets an IP address from DHCP, contacts the PXE server, then downloads and starts the boot image.

The task sequence wizard appears; type the task sequence password.

Click Next

The task sequence variable prompt appears; type the OSDComputerName.

Click Next

Partition Disk stage Running

Applying Operating system stage Running

Setup Windows and Configuration Manager stage running

Setup Windows completed and Auto reboot initiated

Post Reboot, System Initiating

Imaging completed; type the Administrator password to log in.

Verify the same from smsts.log

Windows 10 deployment completed Successfully.

Thank You:-)

Deploying Application Using SCCM CB1902

This guide shows how to create and deploy an MSI application using SCCM CB 1902. The first step is creating an application. To create an application we need the MSI source file; here I have downloaded winzip.msi, placed the setup file in a folder called softlib and shared the folder so it can be accessed from the SCCM console.

Create an Application

On the SCCM server, log in with the SCCM admin account and launch the Configuration Manager console. Select Software Library, and under Application Management select Applications. Right-click Applications and select Create Application.

Select "Automatically detect information about this application from installation files", choose the type Windows Installer (*.msi file) and specify the location of the winzip.msi file.

Click Next.

On the next screen, specify some details about the software and for Install behavior select "Install for system if resource is device; otherwise install for user". Click Next.

Click Next.

The Application has been created successfully , click Close.

Right click the application and select Distribute,

To add the distribution points, click Add and choose your distribution point.

Click Next

Deploy an Application

The Applications that are created can be seen by clicking Applications under Application Management. Right click the application and click Deploy.

Click Browse and specify the collection . Click Next.

Choose Action as “Install” and Purpose as “Required“.

The application becomes available once its content has been distributed to the distribution points. If you want to schedule the availability of the application, select "Schedule the application to be available at". We will not schedule the availability and will let the content be distributed immediately. Select the installation deadline "As soon as possible". Click Next.

Select the User Notifications, Click next.

Verify the selected options

We see that the deploy Software Wizard has completed successfully. Click Close.

Verify the same from Client machine, Open Software center

Check that the deployed application is visible and has started installing. Here the deployed application status shows as Installed.

Verify the same from Appenforce.log
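The console steps above can be scripted with the ConfigurationManager module, and doing so gives a natural place for a check the wizard does not perform: verifying that the MSI you are about to publish to every client is the vendor's signed file. The block below is an added example, not from the original post: it validates the MSI's Authenticode signature and (optionally) its SHA-256 hash, then creates the application and MSI deployment type, distributes the content and deploys it as required, mirroring the wizard choices above. Site code P01, the share \\sccm01\softlib, the distribution point sccm01.vcloud.com, the collection name "Test" and the environment variable WINZIP_SHA256 holding the vendor-published hash are all assumptions.

```powershell
# Added example (not from the original post): verify the MSI, then create,
# distribute and deploy the application with the ConfigurationManager module.
# Assumptions: site code P01, source \\sccm01\softlib\winzip.msi, DP
# sccm01.vcloud.com, target collection 'Test', console installed locally, and a
# hypothetical environment variable WINZIP_SHA256 with the vendor-published hash.

$SiteCode   = 'P01'
$MsiPath    = '\\sccm01\softlib\winzip.msi'
$AppName    = 'WinZip'
$DpServer   = 'sccm01.vcloud.com'
$Collection = 'Test'

function Assert-TrustedMsi {
    # Supply-chain check: the source share is writable by admins and readable by
    # every client, so pin what you deploy to a valid signature and a known hash.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "$Path is not validly signed (status: $($sig.Status)); refusing to publish it"
    }
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.ToUpper()) {
        throw "$Path hash $hash does not match the expected $ExpectedSha256"
    }
    [pscustomobject]@{ Path = $Path; Signer = $sig.SignerCertificate.Subject; Sha256 = $hash }
}

# Run the check from the file system before switching to the site drive.
Assert-TrustedMsi -Path $MsiPath -ExpectedSha256 $env:WINZIP_SHA256 | Format-List

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Create Application: same MSI-based creation as the wizard's "Windows Installer" option.
New-CMApplication -Name $AppName | Out-Null
Add-CMMsiDeploymentType -ApplicationName $AppName -ContentLocation $MsiPath `
    -InstallationBehaviorType InstallForSystemIfResourceIsDeviceOtherwiseInstallForUser | Out-Null

# Distribute: equivalent to right-click > Distribute Content and picking the DP.
Start-CMContentDistribution -ApplicationName $AppName -DistributionPointName $DpServer

# Deploy: Install / Required, available now, deadline as soon as possible,
# notifications limited to Software Center (as chosen in the wizard).
New-CMApplicationDeployment -Name $AppName -CollectionName $Collection `
    -DeployAction Install -DeployPurpose Required `
    -AvailableDateTime (Get-Date) -DeadlineDateTime (Get-Date) `
    -UserNotification DisplaySoftwareCenterOnly | Out-Null

"Application '$AppName' created, distributed to $DpServer and deployed to '$Collection'"
```

Client-side progress is then visible in AppEnforce.log as in the post; if Assert-TrustedMsi throws, nothing is created in the site, which is the intended behaviour for an unsigned or tampered installer.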

Thank You 🙂

CWmi::Connect() failed to connect to \\SCCM01.VCLOUD.COM\root\MicrosoftIISv2. Error = 0x8004100E

Package distribution failed on my DP server. When I checked distmgr.log, I could see the error below:

CWmi::Connect() failed to connect to \\SCCM01.VCLOUD.COM\root\MicrosoftIISv2. Error = 0x8004100E

ERROR DPConnection::ConnectRemoteIISManagementWMI() - Failed to connect to SCCM01.VCLOUD.COM. error = 0x8004100e

Cause: the IIS 6 WMI Compatibility feature (Web-WMI) was not installed on the distribution point, so the root\MicrosoftIISv2 WMI namespace that the distribution manager connects to does not exist. 0x8004100E is WBEM_E_INVALID_NAMESPACE, which is exactly that condition.

After installing IIS 6 WMI Compatibility and restarting IIS, I redistributed the package and could see the packages starting to distribute.
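The block below is an added example, not from the original post, that reproduces the distribution manager's connection from the site server to confirm the diagnosis, installs the missing feature if needed, and re-tests. It assumes the DP is SCCM01.VCLOUD.COM (taken from the log line above) and that the account running it has administrative rights on the DP.

```powershell
# Added example (not from the original post): confirm and fix the missing
# root\MicrosoftIISv2 namespace on a DP. Assumptions: DP SCCM01.VCLOUD.COM (from
# the log line in the post), admin rights on the DP, PowerShell remoting enabled,
# Windows PowerShell 5.1 (Get-WmiObject, ServerManager module).

$Dp = 'SCCM01.VCLOUD.COM'

function Test-IisWmiNamespace {
    # Same connection distmgr makes. 0x8004100E (WBEM_E_INVALID_NAMESPACE) means
    # root\MicrosoftIISv2 is absent because IIS 6 WMI Compatibility is not installed.
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $null = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftIISv2' `
                              -Class IIsWebServerSetting -ErrorAction Stop
        return $true
    }
    catch {
        $ex = $_.Exception
        if ($ex -is [System.Management.ManagementException] -and $ex.ErrorCode -eq 'InvalidNamespace') {
            return $false
        }
        # Anything else (RPC unavailable, access denied) is a different problem:
        # firewall rules for WMI/DCOM or the site server's rights on the DP.
        throw
    }
}

function Repair-IisWmiCompatibility {
    param([Parameter(Mandatory)][string]$ComputerName)
    $feature = Get-WindowsFeature -Name Web-WMI -ComputerName $ComputerName
    if (-not $feature.Installed) {
        Install-WindowsFeature -Name Web-WMI -ComputerName $ComputerName | Out-Null
        # Restart IIS so the compatibility provider and namespace are registered,
        # as done in the post.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock { & iisreset /noforce | Out-Null }
    }
    Test-IisWmiNamespace -ComputerName $ComputerName
}

if (Test-IisWmiNamespace -ComputerName $Dp) {
    "root\MicrosoftIISv2 is reachable on $Dp"
}
elseif (Repair-IisWmiCompatibility -ComputerName $Dp) {
    "Installed Web-WMI on $Dp; namespace now reachable, redistribute the package"
}
else {
    "Web-WMI installed but root\MicrosoftIISv2 still unreachable on $Dp; check WMI service and iisreset output"
}
```

If Test-IisWmiNamespace throws rather than returning $false, the failure is not this issue: an "RPC server is unavailable" error points at the WMI/DCOM inbound firewall rules on the DP, and "Access denied" at the site server computer account not being a local administrator on the DP.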

Review package distribution on distmgr.log file
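distmgr.log, like smsts.log from the OSD post and AppEnforce.log from the application deployment post, is written in the CMTrace format, where each line carries the message, timestamp, component and a numeric severity. The block below is an added example, not from the original post: a small parser for that format that extracts the error lines and any HRESULT they mention, so a log can be triaged from PowerShell without opening CMTrace. The sample lines are constructed for the example (the first two repeat the error text from this post; timestamps, thread and file values are made up), not copied from a real server.

```powershell
# Added example (not from the original post): parser for the CMTrace log format
# used by distmgr.log, smsts.log and AppEnforce.log. The $sample lines below are
# constructed for this example; only the message text of the first two comes from
# the post. Replace $sample with Get-Content on a real log to use it.

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $pattern = '^<!\[LOG\[(?<Message>.*)\]LOG\]!><time="(?<Time>[^"]*)" date="(?<Date>[^"]*)" ' +
                   'component="(?<Component>[^"]*)" context="[^"]*" type="(?<Type>\d)" ' +
                   'thread="(?<Thread>\d+)" file="(?<File>[^"]*)">'
        if ($Line -match $pattern) {
            $m = $Matches                       # keep the captures: the next -match replaces $Matches
            # Pull out an HRESULT/Win32 code such as 0x8004100E if the message has one.
            $hresult = if ($m.Message -match '0x[0-9A-Fa-f]{8}') { '0x' + $Matches[0].Substring(2).ToUpper() } else { $null }
            [pscustomobject]@{
                Date      = $m.Date
                Time      = $m.Time
                Component = $m.Component
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$m.Type]
                Thread    = [int]$m.Thread
                HResult   = $hresult
                Message   = $m.Message
            }
        }
    }
}

function Get-CMTraceErrors {
    # Returns only the type=3 (Error) entries from a set of CMTrace lines.
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | ConvertFrom-CMTraceLine | Where-Object Severity -eq 'Error'
}

# Constructed sample, modelled on the distmgr.log entries quoted in the post.
$sample = @(
    '<![LOG[CWmi::Connect() failed to connect to \\SCCM01.VCLOUD.COM\root\MicrosoftIISv2. Error = 0x8004100E]LOG]!><time="10:15:02.123+000" date="01-20-2020" component="SMS_DISTRIBUTION_MANAGER" context="" type="3" thread="4812" file="cwmi.cpp:118">',
    '<![LOG[ERROR DPConnection::ConnectRemoteIISManagementWMI() - Failed to connect to SCCM01.VCLOUD.COM. error = 0x8004100e]LOG]!><time="10:15:02.140+000" date="01-20-2020" component="SMS_DISTRIBUTION_MANAGER" context="" type="3" thread="4812" file="dpconnection.cpp:402">',
    '<![LOG[Retrying package distribution to SCCM01.VCLOUD.COM]LOG]!><time="10:22:45.010+000" date="01-20-2020" component="SMS_DISTRIBUTION_MANAGER" context="" type="1" thread="4812" file="distmgr.cpp:1701">'
)

# Against the sample this returns the two error entries, both with HResult 0x8004100E.
Get-CMTraceErrors -Lines $sample | Format-Table Date, Time, Component, HResult, Message -AutoSize

# Real logs: the site server's distmgr.log lives under $env:SMS_LOG_PATH; on a
# client, smsts.log and AppEnforce.log are under C:\Windows\CCM\Logs.
# Get-CMTraceErrors -Lines (Get-Content -Path "$env:SMS_LOG_PATH\distmgr.log" -Tail 5000)
```

Because the HResult column is normalised to upper-case hex, the two differently cased codes in the sample group together, which is what you want when counting how often a given failure recurs across a large log.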

Thank You!