Client Health : Group Policy initiated Based Script – All those core fixes still work great with SCCM Current Branch for FREE!

It came to my attention recently in a Twitter Post by Troy Martin that client health is still a thing.  It is silly companies are trying to take your money to fix clients for SCCM by doing things that have been free since 2005 and which SCCM CB fixes really well. Here is a table from the twitter post that is pretty good

c6em6iiuwaa7jkb

To add to the detail of the things you can get from the community.  Here is my updated post from MyITForum in 2008.  I picked up the torch in 2006 and ended in 2010.  Lots of great fixes out there that still work!  Just like the Sunshine and Daises.  Client Health is really easy now and free!

I am ACTIVELY looking for a copy of the script Public_SMS_CLIFIX_V4.21.vbs.txt was the last one I released.  All thanks to @Mike Terrill (www.miketerrill.net) for dredging up 4.18

CLIFIX_Public_V4_18

Below is a listing of features in a reworked version of Dudeworks (Thanks Rob and Brian), 1E, et al. (see bottom for longer list) start up scripts.  I recently became aware of Chris Stauffers Client Health Checker v1.2.   My script focuses on workstation health, Chris’ focuses on SMS health.  It is my hope in 2009 to combine these two if it seems intelligent to do.  Hopefully we can have this all together in early 2009.  Be great to present and then for everyone to tear apart at MMS… anything is possible. 

Reminder: this is not finalized.  It takes a community. Please feel free to post updates in the forums.

Overview

Workstation Client Health maintenance is a continuous process that must be maintained.

Overview

Workstation Client Health maintenance is a continuous process that must be maintained. The following document gives an overview on how to fix several common workstation issues.

Note: The original Link no longer works.  I am actively looking for any version 4.18.  CLIFIX_Public_V4_18

CliFix GPO startup script :- Can NO LONGER be downloaded from here http://myitforum.com/cs2/blogs/scassells/Public_SMS_CLIFIX_4.19.vbs.txt

In an effort to reduce the amount of common workstation issues I have developed a script to check and change the following common issues. This script is to be run via GPO startup scripts. This requires the script to work as the system account and have intranet connectivity. Both are accomplished by running as a GPO. Script Requirements

  1. Script must be in a location where the computers system account has access. Usually on your domain controller ex. \\FQDNDomain\sysvol\ FQDNDomain\
  2. sc.exe must be present for full successful run.
    1. Either in the run path
    2. system32
    3. system32\DLLCache
    4. Note: there are multiple versions floating around in the average environment
  3. regsvr32.exe needs to be present
  4. %systemroot%\system32 needs to be in system path
Script Settings

All, unless I missed some, sections of the script can be turned on and off in the top of the script. Please review the script as some features will fail without modification.

Please Review the following CONFIG SETTINGS Variables:

  • SMSVersion
  • ConfigMgrVersion
  • WKS_ASSIGNSITECODE
  • WKS_CacheSize
  • WKS_LocalAdminGroup
  • WKS_admACCT
  • RegPath
  • strWebAddress
  • StrCCRServer
  • strCCRSiteCode
  • CCMSetUP
What the Script Does
  1. Checks to make sure the script has not run in X many hours.
    1. Example if X = 12 the script will not run again until at least 12 hours after the last occurrence.
    2. This will prevent a slow down on multiple reboots.
  2. Sets DCOM permissions to be correct for SMS / SCCM configuration
  3. Checks to make sure System Path has the 3 required windows paths enabled. (does NOT use WMI or require a restart to change values)
    1. C:\windows
    2. C:\windows\sysetm32
    3. C:\windows\system32\wbem
    4. Also removes %systemroot% from path replacing it with correct full path value
    5. If one of the 3 paths is missing, it will parse the full path removing duplicates and adding a,b,or c to the beginning of the path statement leaving all else unchanged.
  4. Check to see if sc.exe exists in the run from directory and if not in the system32 directory
  5. Checks to see if this script is run on a workstation or server. If a server kills the script
  6. Checks to make sure the correct local admin group is present (value is set in header of script)
  7. Checks WMI service to see if it is set to auto and running. If not executes sc.exe to start the service.
  8. Attempts to connect to WMI object
  9. If the WMI object connect fails
    1. Attempt to do a repair (if no previous status is present in the registry and approved via script switches)
    2. Attempt to do a rebuild (if ‘repair’ status is present in the registry and approved via script switches)
    3. If both the above have failed then do nothing and report major error
  10. Checks to see if Admin$ is present, if not forces existence via WMI
  11. Checks to see if msxml3.dll is registered, if not forces existence via WSH
  12. Checks to see if Qmgr.dll and qmgrprxy.dll are registered, if not forces existence via WSH
  13. Checks to see if OLEAut32.dll is registered, if not forces existence via WSH
  14. Checks to make sure the following services are set to appropriate Status and Mode
    1. RPC
    2. WMI
    3. Firewall/ICS
    4. Server Service
    5. Remote Registry
    6. BITS
    7. Windows Update Services
    8. Terminal Services
    9. Windows Installer
    10. Note: You may want to review the settings for your environment on each of these services. All of the above services are set to default and either Manual or Automatic.
  15. Check the SMS version
  16. Checks the CCMExec service
  17. If SMS is not correct version can be forced to do an install
    1. Needs Review
  18. If the all of the above test passed without issue you have a healthy workstation. The following two checks are for SMS.
    1. Check log file last update time. If the PolicyEvaluator.log file has not been modified in past 14 days do a repair of the client.
    2. Check client assignment. If no assignment set new site code based on AD boundaries in which the client is present.
      1. Note: Some people may want to disable this as it relies on AD
  19. If any fixes above had to be preformed
    1. Check the advanced client state. Which client policies have enabled.
    2. Check the cache size
    3. Send a Client Configuration Request (CCR) to have client installed
    4. Run CCMSetup from the install share on the server.

Note during this script several forms of reporting, logging, and information submitting have been preformed. The standard methods of reporting are:

  • Event log
  • Log file in the %temp% directory for the account used to run
    • GPO = C:\windows\temp
  • Reporting to a website that submits client status to a SQL table.
    • Future WebPost on how to do this

Other verbose methods include:· Two levels of command line reportingo Log to Command lineo Verbose to command line· network share copy

Future Additions:

Area’s that need improvement

References:

·         MyITForum Forum: http://www.myitforum.com/forums/tm.asp?m=107044 ·         1E: http://www.1e.com ·         Chris Stauffers soon to be reviewed: http://myitforum.com/cs2/blogs/cstauffer/archive/2008/06/13/client-health-check-script-and-scheduled-task-version-1-1-release.aspx ·         Brian Mason: Original Author of CliFix ·         Rob Olson: Original Author of CliFix at http://www.dudeworks.com ·         Greg Ramsey:http://myitforum.com/cs2/blogs/gramsey/ ·         Steve Pruitt: http://myitforum.com/cs2/blogs/spruitt/ ·         And the MSSMS list http://www.myitforum.com

 

ConfigMgr SCCM 2007 – How to stop advertisements with immediate effect or How to stop an errant advertisement in SMS 2003 SCCM 2007

My Cached Google fu is decently strong!  Cached source: https://www.anoopcnair.com/2011/06/04/configmgr-sccm-2007-how-to-stop-advertisements-with-immediate-effect/

The original from 2008 is Below.  I will be writing a new version shortly with SCCM CB solution.  Really nice stuff that the MS team introduced.

In real time scenario, I have faced several instances of those we need to stop the advertisement with immediate effect to decrease impact to the client machines. Today, I have gone through a good wright up on this topic from Shaun Cassells.

Read the orginal post here

Scenario: An advertisement went out for a package that is causing havoc.  Let’s say, it is rebooting servers and workstations.   How do you stop it NOW!?!?!  With a Big Red Stop Button (BRSB).

Below are 5 scenarios with varying speeds and success rates.

Method 1: Stop the IIS service or the SMS_OFFER_MANAGER service on all servers.

Upside: Everything stops

Downside: Everything stops including normal client communications or any other distribution

Method 2: Delete the source package files off the DP(s) update: change the ntfs folder premissions to deny any client from reading the source files.  Thanks jnelson

Upside: All clients trying to run errant advertisement will say “Waiting For Content”

Downside: Copying the package source back to the DP after everything calms down.

Method 3: Delete the Advertisement (Do not do this)

Upside: Makes you feel better

Downside: Does not stop any clients until a policy refresh is triggered.  You also lose all tracking of the damage you have wrought.

Method 4: Disable the Program

Upside: Prevents further execution

Downside: Does not stop any clients until a policy refresh is triggered.

Method 5: Expire the advertisement

Upside: Prevents further execution

Downside: Does not stop any clients until a policy refresh is triggered.

Summary: Best solution for Big Red Stop Button (BRSB) appears to be Method 2.  Delete the files off the DP.  You will need to know the PackageID. (see reports below) and the location of the DPs (see reports below).

Best order of execution to achieve BRSB

  1. Identify PackageID
    1. See report below
    2. See console command line below
  2. Identify DPs that you will need to target
    1. See report below
  3. Run a script to delete the files off the DPs
  4. Disable the program
  5. Disable the advertisement (change the execution expiration time)
  6. View reports on advertisement success rate so you know who to go fix

If there is desire for me to post the scripts or more screen shots on how to do this, please respond to this post, and I’ll whip more docs up.

Now that the package has stopped, the clients have received new policies to prevent the errant program from executing again.  How do I get the files back on the DP?  Easy, refresh the Distribution Points from the package.  Refresh will keep the DP version the same.  Reminder: if you update the DPs.  You will be creating a new version, which may cause clients to execute this new package.  (Been there)

Helpful Reports (SMS 2003)

List of All packages:

http://<ServerNameHere>/SMSReporting_<SiteCode>/Report.asp?ReportID=137

List of All Active Package Distributions:

http://<ServerNameHere>/SMSReporting_<SiteCode>/Report.asp?ReportID=141

List of All DPs:

http://<ServerNameHere>/SMSReporting_<SiteCode>/Report.asp?ReportID=138

Location of DP (SMS 2003)

\\<ServerNameHere>\smsdp$\SMSPKG

How to add NodeInfo to the SMS 2003 console?

Add the following switch to the console command line

/SMS:NodeInfo=1 or /SMS:NodeInfo=2

Adds a property sheet that contains node information such as the GUID, WMI instance data, and the named values associated with the node to a node’s property page. You access the node information sheet by selecting the Node Information tab. Typically, you use this option when you develop or debug extension snap-ins that extend the SMS Administrator console.

This option can be set to 1 or 2. Setting NodeInfo to 1 places the Node Information sheet last on the property page. Setting NodeInfo to 2 places the Node Information sheet first on the property page.

SMS 2003 command line:

C:\smsadmin\bin\i386\sms.msc /SMS:NodeInfo=1

SCCM 2007 commandline

“C:\Program Files\Microsoft Configuration Manager Console\AdminUI\bin\adminconsole.msc” sms:debugview=1

How to stop advertisements with immediate effect

MyITForum Missing Blogs – Big Red Stop Button (BRSB)

Hi all,

I am currently trying to dig up my article from 2008 about the different methods to stop an errant software deployment via SCCM.  If anyone has it please let me know.  Here is the original blog location – http://myitforum.com/cs2/blogs/scassells/archive/2008/05/14/how-to-stop-an-errant-advertisement-in-sms-2003-sccm-2007.aspx

The best I can find is the 2010 MMS Birds of a feather by Kim Oppalfelds – http://wmug.co.uk/wmug/b/r0b/archive/2010/03/25/mms-2010-kim-oppalfens-birds-of-a-feather-session-on-wmi

 

http://scug.be/sccm/2010/03/24/wmi-for-the-sccm-admin-techdays-belgium-2010-mms-2010-birds-of-a-feather-session/

 

Collect SMART hard drive status in ConfigMgr inventory

smartdrive2002c-large

Recently while working through preflight checks for Windows 10 (W10) Redstone 1607  deployment we realized there were some spinning platter drive failures.  To help identify potentially failing machines we were looking for the Hard Drive Smart status field.  Turns out it is not gathered by default in SCCM.  The following walks you through it.

WIN32_DiskDrive contains this info under the status field.  It does not appear to be enabled by default (might just be the environment I am looking at)

I would suggest ensuring that the following are enabled
• Caption
• Status
• Capabilities (Optional to see if bit 10 is set – SMART enabled)

PowerShell example

$wmi = gwmi -class win32_diskdrive
foreach($drive in $wmi){$drive.caption + “: ” + $drive.status}

WMIC Example

WMIC DiskDrive GET Caption,status

System Center Configuration Manager (SCCM) Current Branch (CB)

This status field is NOT collected by default in SCCM.  To have the Hardware Inventory Gather this information in your environment you must enable this class in Client Settings

  1. Open SCCM Console
  2. Select Administrator node (bottom Left)
  3. Select Client Settings (middle left)
  4. Select the Client Settings you want to modify.
    1. Best Practice is to create a policy and not use the Default Client Settings.  As this is my lab I did use Default Client Settings
    2. If you create a new one than you need Hardware Inventory
  5. Select Set Classes
  6. usmt-estimate-step
  7. Filter on Win32_DiskDrive
  8. Expand out the class then select Status field
  9. Ok
  10. Ok

If you changed the Default Client Setting it will automatically be sent out to every client in the environment.  The v_GS_Win32_DiskDrive view will be updated with the Status Field.  Use the Reference section below to understand what these values mean.  I also found this field is not being read but not sure where it is ConfigManagerErrorCode

Reference

Win32_DiskDrive class

http://msdn.microsoft.com/en-us/library/windows/desktop/aa394132(v=vs.85).aspx

Status

Data type: string
Access type: Read-only
Qualifiers: MaxLen (10), DisplayName (“Status”)

Current status of the object. Various operational and nonoperational statuses can be defined. Operational statuses include: “OK”, “Degraded”, and “Pred Fail” (an element, such as a SMART-enabled hard disk drive, may be functioning properly but predicting a failure in the near future). Nonoperational statuses include: “Error”, “Starting”, “Stopping”, and “Service”. The latter, “Service”, could apply during mirror-resilvering of a disk, reload of a user permissions list, or other administrative work. Not all such work is online, yet the managed element is neither “OK” nor in one of the other states.

This property is inherited from CIM_ManagedSystemElement.

Values are:

OK (“OK”)

Error (“Error”)

Degraded (“Degraded”)

Unknown (“Unknown”)

Pred Fail (“Pred Fail”)

Starting (“Starting”)

Stopping (“Stopping”)

Service (“Service”)

Stressed (“Stressed”)

NonRecover (“NonRecover”)

No Contact (“No Contact”)

Lost Comm (“Lost Comm”)

 

Solution: Outlook (2007, 2010, 2013, O365) prompts me for credentials each time I open

Background

When your IT administrators update their exchange server or you switch to a new DNS alias or up in the cloud windows adds these new Generic Credentials into the Credentials Vault of your user account.  When more than one exists for a single account Outlook gets confused and prompts you.

Solution

  1. Close Microsoft Office
  2. Windows 7 and before
    1. From the Windows Start button, select Control Panel
    2. Click User Accounts
    3. Click Credentials Manager
  3. Windows 8
    1. Start button
    2. Type in Windows Credentials Manager
    3. Select Settings on the left side
    4. Select  Windows Credentials Manager
  4. Windows 10
    1. Start Button
    2. Type in Credential Manager
    3. Select Windows Credentials
  5. In the Generic Credentials section (bottom)
    1. For local installs (not O365)
      1. You’re looking for credentials that begin MS.Outlook or something similar for your mail server (It will be obvious)
      2. For each credential that begins with MS.Outlook
        1. Click the details button drop down (circle with a downward arrow next to the Modified date)
        2. Click Remove
      3. Repeat steps for each credential that begins MS.Outlook
    2. O365
      1. You’re looking for MicrosoftOffice16_Data:SSPI:EMAIL@ADDRESS.COM
      2. This is your primary credentails this should be taken with great care upon removal as you will need to resync O365 again afterwards
  6. Close the Credentials Manager and Control Panel
  7. Launch Outlook
  8. You should be prompted for each account in Outlook
    1. You should only be prompted on this initial startup

 

Another fun tip to make outlook run better is to use the/CleanFreeBusy start up switch.

/cleanfreebusy Clears and regenerates free/busy information. This switch can only be used when you are able to connect to your Microsoft Exchange server. 2000, 2002/XP, 2003, 2007, 2010

The /CleanFreeBusy switch will reset all of your pending Outlook meeting invites.  This will clear any conflicts and again make Outlook faster.  This was deprecated for 2013.

For Office 2013, 2016, and O365 you use this: https://support.microsoft.com/en-us/kb/2555008

Great Reference for Outlook Command Lines 

From a Post Mr.Brown

Make sure the time on all your servers is in sync. If the time on two of your domain controllers is off by more than 5 mins you will get this for some clients. It took me two days to narrow it down and once I fixed the time on one of my servers all the weirdness went away.

Music Library Cleaning with PowerShell – Removing Missing Files from iTunes

powershellrings

At the bottom of this post I originally wrote a VBS that deletes files out of ITunes if the location does not exist.  I did the rewrite into PowerShell…

(new-object –com itunes.application).LibraryPlaylist.Tracks | ?{ $_.Location -eq $null } | %{ $_.Delete() }

 

The PowerShell above only removes the item out of ITunes if the location is NULL.  I need to put in a step to check to see if the location is valid.

ITTrackKindFile = 1

deletedTracks = 0

on error resume next



set iTunesApp = WScript.CreateObject("iTunes.Application")

set mainLibrary = iTunesApp.LibraryPlaylist

set tracks = mainLibrary.Tracks

Set FSO = CreateObject("Scripting.FileSystemObject")



for each currTrack in tracks

	' is this a file track?

	if (currTrack.Kind = ITTrackKindFile) then

		' yes, does it have an empty location?

		if (currTrack.Location = "") 		then 

			' yes, delete it

			wscript.echo currtrack.name & " - " & currTrack.Location

			currTrack.Delete()

			deletedTracks = deletedTracks + 1

		else

			'wscript.echo currTrack.Location

			if not fso.fileExists(currTrack.Location) then

				wscript.echo currTrack.name & currTrack.Location

				pause

			end if	

		end if

	end if

next 



wscript.echo "-----------------------------------------------------"

wscript.echo "deletedTracks = " & deletedTracks

MyITForum: Then of an era

I have been an avid user, contributor, speaker, and blogger on www.myitforum.com since 2005.  It has been an amazing journey.  However with the most current owners a lot of great content is disappearing.  As such I am attempting to grab content before it disappears completely.

The email lists are by far the best part still.

As such sorry for all the ancient posts coming over in the next few days.

http://myitforum.com/myitforumwp/author/scassells/