Tool for collecting SCCM information

I developed a tool to collect SCCM information. This tool is not perfect, but it can save you a lot of time and efforts in daily troubleshooting sccm / mecm issues.

Used to collect from the following endpoints:

  • general computer information
  • enable/disable sccm verbose
  • information of computers which have SCCM/MECM installed
  • information of computers which have Software Update Point role installed
  • information of computers which have Distribution Point role installed
  • information of computers which have Management Point role installed
  • Site Server information
  • WSUS configuration information
  • computer upgrade information

Usage: Run as Administrator: ConfigMgr-Tool.exe

Link – https://github.com/gaulogao/mecm/blob/f1a5333a02002222be6e59489d9fa1be24cc6745/ConfigMgr-Tool.exe

Catalog of Third-Party Softeware Updates Sync now failed

We followed the official guide to configure third-party software updates for Configuration Manager. After having added custom catalog, we tried the menu Sync now on the head ribbon. Unfortunately, it does not work.

Logs show the following exceptions:

WSUSCtrl:
Attempting connection to local WSUS server 2720 (0x0AA0)
System.Net.WebException: The request failed with HTTP status 403: Forbidden. at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args) at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) 2720 (0x0AA0)
Failures reported during periodic health check by the WSUS Server CONTOSO.COM. Will retry check in 1 minutes 2720 (0x0AA0)
Waiting for changes for 1 minutes 2720 (0x0AA0)
Timed Out… 2720 (0x0AA0)

SMS_ISVUPDATES_SYNCAGENT.log:
==================== Exception Detail Start ======================= 5184 (0x1440)
Exception type: WebException 5184 (0x1440)
Exception HRESULT: -2146233079 5184 (0x1440)
Exception Message: The request failed with HTTP status 403: Forbidden. 5184 (0x1440)
Exception source Microsoft.UpdateServices.Administration 5184 (0x1440)
Exception TargetSite Microsoft.UpdateServices.Administration.IUpdateServer CreateUpdateServer(System.Object[]) 5184 (0x1440)
Stack at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.ConfigurationManager.ISVUpdatesSyncAgent.WSUS.UpdateServicesWrapper.Connect() 5184 (0x1440)
===================== Exception Detail End ======================== 5184 (0x1440)

WCM.log:
Successfully connected to server: CONTOSO.com, port: 8531, useSSL: True 70592 (0x113C0)
Waiting for changes for 59 minutes 70592 (0x113C0)
Wait timed out after 59 minutes while waiting for at least one trigger event. 70592 (0x113C0)
Timed Out… 70592 (0x113C0)

In addition, SCCM SMS_WSUS_CONTROL_MANAGER kept printing repeated Error 7000 and 7003.

WSUS Control Manager failed to monitor WSUS Server “CONTOSO.COM”. Possible cause: WSUS Server version 3.0 SP2 or above is not installed or cannot be contacted. Solution: Verify that the WSUS Server version 3.0 SP2 or greater is installed. Verify that the IIS ports configured in the site are same as those configured on the WSUS IIS website.

Then we checked the health on SUP:

  1. Open CMD as admin
  2. Navigate to C:\Program Files\Update Services\Tools
  3. Run: WSUSUtil.exe checkhealth

I found Event ID 12002, 12052, 12042, 12022, 12032, 12012 in Windows Server Update Services event log-

The description for Event ID 12052 from source Windows Server Update Services cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

The DSS Authentication Web Service is not working.

The only step we missed was configure wsus for ssl with wsusutil configuressel. So we tried the following steps:

  1. Open CMD as admin and navigate to C:\Program Files\Update Services\Tools
  2. Run (Case sensitive): wsusutil.exe configuressl <FQDN-OF-WSUS-SERVER>
  3. Restart WSUS Service from services and WSUS Administration from IIS Administration control

Wonderful! The issue was gone.

References

SCCM Client Manual Installation

There are several ways to install SCCM Client on client end computers. Manual is one of the most used ways, especially when you are deploying SCCM Client to UNIX/Linux, Mac OS X.

Here is an example to show you how to do manual client installation.

Example

  1. Create PowerShell script inst-sccm-client.ps1:
New-Item -ItemType directory -Path C:\Client
Copy-Item -Path \Shps1\sms_ps1\Client* -Destination C:\Client
Set-Location C:\Client
.\ccmsetup.exe /mp:shps1.contoso.local /logon CCMDEBUGLOGGING=1 CCMLOGLEVEL=0 SMSSITECODE=AUTO SITEREASSIGN=TRUE CCMLOGMAXSIZE=100000000

If MP is https-enabled, you need to run the command with /UsePKICert switch:

.\ccmsetup.exe .\ccmsetup.exe /mp:https://shps1.contoso.local /logon /UsePKICert SMSMP=https://shps1.contoso.local CCMDEBUGLOGGING=1 CCMLOGLEVEL=0 SMSSITECODE=PS1 CCMLOGMAXSIZE=100000000
  1. Open PowerShell(Admin): Set-ExecutionPolicy Unrestricted
  1. Run the script: .\inst-sccm-client.ps1

This script will first create a directory Client on the client end, then copy \Client (shared location is \\<site server name>\SMS_<site code>\Client\, eg. \Shps1\sms_ps1\Client) content to the directory Client. Make sure you have read permission to \Client. Then it sets the current location to Client directory and runs the installation command.

Note that you must have Administrator permissions to the installation files.

/mp is ccmsetup.exe switch which –

  • “specifies a source management point for computers to connect to”.
  • Computers use this management point to find the nearest distribution point for the installation files”.

CCMDEBUGLOGGING, SMSSITECODE and CCMLOGLEEVEL are Client.msi switches:

  • CCMDEBUGLOGGING – Enables logging if this property is set to TRUE. By default, logging is enabled.
  • CCMLOGLEVEL – Specify an integer ranging from 0 to 3, where 0 is the most verbose logging and 3 logs only errors. The default is 1.
  • SMSSITECODE – Specifies the Configuration Manager site to assign the Configuration Manager client to. This can either be a three-character site code or the word AUTO.

If you want to uninstall sccm client, run:

<%windir%>\ccmsetup\ccmsetup.exe /uninstall

References

SCCM client installation failed with “Setup was unable to compile the file DiscoveryStatus.mof”

File C:\Windows\ccmsetup{7E31AE3A-2706-4A34-9970-73A5526B5346}\client.msi installation failed. Error text: ExitCode: 1603
Action: CcmRegisterWmiMofFile.
ErrorMessages:
Setup was unable to compile the file DiscoveryStatus.mof
The error code is 80041002

Issue

During SCCM 1810 client installation process, installation failed with ccmsetup.log showing the following exceptions:

File C:\Windows\ccmsetup{7E31AE3A-2706-4A34-9970-73A5526B5346}\client.msi installation failed. Error text: ExitCode: 1603
Action: CcmRegisterWmiMofFile.
ErrorMessages:
Setup was unable to compile the file DiscoveryStatus.mof
The error code is 80041002

As you can see, the direct reason was that DiscoveryStatus.mof compilation failed.

Solution

  1. Open command prompt as administrator
  2. Navigate into C:\Program Files\Microsoft Policy Platform
  3. Run: mofcomp ExtendedStatus.mof
  4. Retry SCCM client installation

Note that my case happened in SCCM 1810. However, this solution also applies to SCCM 2012. If you come across the issue in other versions of SCCM, just give it a try.

Check Windows Update settings on a client

A local Group Policy setting will always be overwritten by an Active Directory Group Policy setting, and this can result in the Configuration Manager client failing to obtain software updates using Configuration Manager.

A local Group Policy setting will always be overwritten by an Active Directory Group Policy setting, and this can result in the Configuration Manager client failing to obtain software updates using Configuration Manager.

In order to check the WSUS server that the clients are contacting and also check for any GPOs affecting those clients, you will need to check the following aspects.

RsoP.msc on the client

Check the Computer Configuration > Administrative Templates > Windows Components > Windows Update
– Does it show the correct WSUS server?

Registry settings

Compare the following registry keys on the “problematic” machine with the same registry keys from a “working” machine:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

To check the two registry items’ properties, you can run in PowerShell:

Get-ItemProperty 'Registry::HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
Get-ItemProperty 'Registry::HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

Active Directory Group Policy and SCCM settings

Check if WSUS is defined in the Group Policy (i.e: server name and port) versus how it is set in Configuration Manager(i.e. FQDN)

WUAHandler.log on the client

Check the WUAHandler.log for the WSUS URL used.

Enabling WUA Managed server policy to use server: http://wsussvr.contoso.com:8530

When an Active Directory Group Policy setting overrides the local Group Policy setting, you will see the following:

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://newwsussvr.sccmpeek.com:8530 and Policy ENABLED WUAHandler

References

WUAUClt and USOClient

WUAUClt no longer works on Windows 10 or Windows Server 2016 / 2019. There is a replacement for WUAUClt named USOClient located in C:\WINDOWS\SYSTEM32\ directory.

I believe some of you must have noticed that WUAUClt no longer works on Windows 10 or Windows Server 2016 / 2019. There is a replacement for WUAUClt named USOClient located in C:\WINDOWS\SYSTEM32\ directory.

WUAUclt Utility

Before Windows 10 and Windows Server 2016 / 2019, you can use WUAUClt to search for and download and install new updates.

WUAUClt.exe /detectnow - forcing an update detection. If there are updates approved for install that client needs, it ill download them when the command run.
WUAUClt.exe /updatenow - installs the downloaded updates

Note that WUAUClt.exe /detectnow works only when Automatic Update is enabled and that WUAUClt.exe /updatenow works only when 4 – Auto download and schedule the install is selected for Configure Automatic Updates. You can enable Automatic Updates via Group Policy.

Other command line switches for WUAuclt utility

OptionDescription
/a /ResetAuthorizationInitiates an asynchronous background search for applicable updates. If Automatic Updates is disabled, this option has no effect.
/r /ReportNowSends all queued reporting events to the server asynchronously.
/? /h /helpShows this help information.
WUAUclt switches
wuauclt.exe /resetauthorization /detectnow - you can use this command to expire the cookie, initiate detection, and have WSUS update computer group membership.

Sometimes you may need to re-register a client with WSUS server. In that case you can run the following command.

gpupdate /force
WUAUclt.exe /detectnow

Note that for Windows 10 and Windows Server 2016 / 2019 +, you need to run USOClient.exe StartScan instead of WUAUclt.exe /detectnow. Read further for USOClient utility.

USOClient Utility

USO stands for Update Session Orchestrator, and it’s the replaced Windows Update Agent. Windows Update service, USOClient.exe, is basically a command to run either scan for updates, install or resume updates.

USOClient utility works on Windows 10 and Windows 2016 / 2019 + as a replacement of WUAUclt.

USOClient utility switches

OptionDescription
StartScan Used To Start Scan
StartDownload Used to Start Download of Patches
StartInstall Used to Install Downloaded Patches
RefreshSettings Refresh Settings if any changes were made
StartInteractiveScan May ask for user input and/or open dialogues to show progress or report errors
RestartDevice Restart device to finish installation of updates
ScanInstallWait Combined Scan Download Install
ResumeUpdate Resume Update Installation On Boot
USOClient switches

To scan and install updates, you can simply run:

USOClient.exe ScanInstallWait 
USOClient StartInstall

References

Design a site like this with WordPress.com
Get started