Microsoft Security Compliance Manager 2.5

Microsoft Security Compliance Manager 2.5 was released today.

If you haven't had a chance to look at this great tool, I highly recommend you do so. A problem I had for years was juggling all the security settings in Active Directory and in CM. Because a security baseline can have so many settings, trying to juggle them in a spreadsheet was hopeless.

But SCM lets you manage those settings in one spot, download the latest baselines from Microsoft, compare your settings to Microsoft's, make notes on why you deviate from Microsoft's settings, and lets you import and export to GPOs and CM baselines. And it works for CM12 too!


CM12 TechNet Searching

Ever try to search something on TechNet for CM12? Instead of just searching here:

http://technet.microsoft.com/en-us/library/gg682129.aspx

Their search engine looks at ALL of TechNet, not just the CM12 documentation. My fellow MVP, Cliff Hobbs, just sent this little nugget today. It works!

Use Bing and type the following with your search words between the quotes:

("") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)

Purging Expired Updates in CM12

Got a question at the user group meeting yesterday about expired updates in CM12.

When I look at the source folder for my System Center Endpoint Protection, I see lots of files never being deleted:

You can't just delete them as they're being deployed. So navigate back to All Software Updates and search for expired updates (and add filter criteria for definitions):

Highlight all of these and edit membership to remove them from your EP deployment(s).  From this point, you can't delete them on your own, but being expired and not deployed, CM can delete them and will with a maintenance task each week.  You can't see or edit this task.  I can't find the FAQ published regarding this yet, but this is what it's going to say:

In Configuration Manager 2012, superseded updates that the admin has intentionally kept as deployable (by configuring to allow superseded updates going back X months), will never be removed or deleted by site maintenance.  Expired updates and their associated content on distribution points will be removed by a cleanup task running every 7 days.  Only expired updates that are not associated with a deployment are automatically cleaned up, however.  To remove expired updates from all update groups and deployments so that they are auto-cleaned, simply search for expired updates using the search functionality, select all returned results, choose edit membership, and de-select these expired updates from any update group they are members of.


CM12 on SQL 2008 R2 SP1 CU4

CU4 for SQL 2008 R2 SP1 has been released which means you can build CM12 now on R2 with no need of that hotfix.  Now it's time to go upgrade SQL in my lab and be done with old SQL 2008 for good!

And R2 comes with Report Builder 3.0.  Steve Thompson has an article on how to get that working nicely with CM12.  Just a little registry key change.


CM07 - Package Name Hates Quotes

Here's a new one we ran into this morning.

All ads as of yesterday afternoon never made it to clients.

We checked the site status and found many warnings in the SMS POLICY PROVIDER.

Checking the policypv.log we could see lots of this:

CPolicyProvider::UpdatePeerDPPkgPolicy: could not execute SQL cmd select PolicyID, PolicyAssignmentID, PADBID from PeerDPPkgPolicy where PkgID = "ABC00BE5" and PkgCRC <> "AE242F23"  12/15/2011 11:25:32 AM
Failed to update policy and policy assignment based on package ABC00BE5 12/15/2011 11:25:32 AM
Looking for software policy and policy assignments that should be updated because of changes in package ABC00CCB. 12/15/2011 11:25:32 AM
*** select TSRefProg.PkgID, TSRefProg.Name from PkgPrograms as TSRefProg inner join TS_References as TSRef on TSRefProg.ProgramID = TSRef.TS_ReferenceID inner join TS_TaskSequence as TS on TSRef.TS_ID = TS.TS_ID where TS.TS_ID in (select TS.TS_ID from TS_TaskSequence as TS inner join PkgPrograms as PkgProg on TS.TS_ID = PkgProg.ProgramID where PkgProg.PkgID = "ABC01133" and PkgProg.Name = "ABC - Fix "P" Drive" );~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC25702" and OfferCRC <> "FEF13A34";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2614A" and OfferCRC <> "FA853646";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2614B" and OfferCRC <> "79A5D9C7";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2614D" and OfferCRC <> "A4164F36";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2614E" and OfferCRC <> "8047877D";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC26150" and OfferCRC <> "A0FAED93";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC26155" and OfferCRC <> "3F6D373D";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2615B" and OfferCRC <> "54CCE29F";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2615D" and OfferCRC <> "3014E2B7";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2615E" and OfferCRC <> "5980ABAD";~select PolicyID, 
PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2615F" and OfferCRC <> "56C2CCFA";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC26162" and OfferCRC <> "BA0A4FBE";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC26163" and OfferCRC <> "F43818DA";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC26166" and OfferCRC <> "361DFEC8";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC26167" and OfferCRC <> "3EDA1B7B";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC26168" and OfferCRC <> "CB40F5A5";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC26169" and OfferCRC <> "A4F67E24";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2616A" and OfferCRC <> "118DFEC8";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2616B" and OfferCRC <> "8E47F5D8";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2616C" and OfferCRC <> "42EB5F9C";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2616D" and OfferCRC <> "9F255570";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2616E" and OfferCRC <> "959294F";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID = "ABC2616F" and OfferCRC <> 
"760BCEAF";~select PolicyID, PolicyAssignmentID, PADBID, PkgID, ProgramName, ParentPolicyID from SoftwarePolicy where OfferID 12/15/2011 11:25:32 AM

We found an article mentioning that advertisements with forward slashes could cause this.  But that wasn't our issue.  We found a package with quotes in the name.

ABC - Fix "P" Drive

We deleted the package and the provider log cleared up instantly and clients received their ads again. I think the quotes were enough to throw SQL off, which normally likes single quotes.

It's best to just avoid any punctuation in a name that is an SQL reserved character: > < " & %
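
The failure above, reproduced as an added example (not code from the original post or from Configuration Manager). It assumes the statement is assembled by pasting the package name between double quotes, as the policypv.log text suggests; SQLite stands in for SQL Server, and the one-table schema and the function names are constructed for illustration.

```python
import sqlite3

RESERVED = '><"&%'  # the characters the post recommends avoiding in names


def make_db():
    """Constructed stand-in for the site database, seeded with the
    package ID and name quoted in the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PkgPrograms (PkgID TEXT, Name TEXT)")
    db.execute("INSERT INTO PkgPrograms VALUES (?, ?)",
               ("ABC01133", 'ABC - Fix "P" Drive'))
    return db


def lookup_concatenated(db, pkg_id, name):
    """Paste the values between double quotes, the shape seen in the log.
    Returns (rows, error_text); a quote inside the name ends the literal early."""
    sql = ('select PkgID, Name from PkgPrograms '
           'where PkgID = "' + pkg_id + '" and Name = "' + name + '"')
    try:
        return db.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)


def lookup_parameterized(db, pkg_id, name):
    """Bind the values as parameters; the name never becomes SQL text."""
    sql = "select PkgID, Name from PkgPrograms where PkgID = ? and Name = ?"
    return db.execute(sql, (pkg_id, name)).fetchall()


def risky_chars(name):
    """Pre-flight check for a proposed package name against the post's list."""
    return sorted(set(name) & set(RESERVED))


if __name__ == "__main__":
    db = make_db()
    name = 'ABC - Fix "P" Drive'
    print("concatenated :", lookup_concatenated(db, "ABC01133", name))
    print("parameterized:", lookup_parameterized(db, "ABC01133", name))
    print("flagged chars:", risky_chars(name))
```

The concatenated form fails to parse as soon as the name contains the delimiter, while the bound form returns the row unchanged. Since the product's own queries can't be altered, the name check is the control an administrator actually has.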


SCCM 2012 and Server 2003x64\XPx64

Just in case you run into it...

Client install fails on Server 2003 x64 or XP x64 with the following logged in ccmsetup.log:

This operating system does not contain the latest version of BITS  2.5 or later is required for ccmsetup
CCmSetup failed with error code 0x80004005

Before rolling out the CM12 client, install the latest BITS 2.5.

Copyright © 2019 - The Twin Cities Systems Management User Group