ConfigMgr Actions and What They Do

I’ve been meaning to actually write down what the ConfigMgr actions do, so that I don’t have to go through the whole list when trying to get things to happen. Turns out there isn’t all that much out there, and most of it comes from a single source: a blog post written by Eswar Koneti in 2014. Click here to see that info.

I’ve tried to update it as much as possible, and also link to the Microsoft documentation where it talks about the specific actions. This list is also based on Eswar Koneti’s work, so all the correct stuff in here is his; any mistakes are mine.

The Actions, and what they do:

  • Application Deployment Evaluation Cycle – Causes the computer to check which applications are supposed to be installed, and whether they are actually installed on the computer. Running this action could cause an install or uninstall of an application (if an application is required), so it may have performance consequences on the computer when run.
  • Discovery Data Collection Cycle – Causes the client to generate a new discovery data record (DDR). When the DDR is processed by the site server, Discovery Data Manager adds or updates resource information from the DDR in the site database. This process is similar to running Heartbeat Discovery on a specific client.
  • File Collection Cycle – This is part of ConfigMgr inventory functionality. If the software inventory client agent finds a file that should be collected (as defined in the Client Settings), the file is attached to the inventory file and sent to the site server. This action differs from software inventory in that it actually sends the file to the site server, so that it can later be viewed using Resource Explorer.
  • Hardware Inventory Cycle – Collects WMI information from the computer and prepares it to be sent to the ConfigMgr database. This includes, but is not limited to, hardware info, software info, and client info. This is part of ConfigMgr inventory functionality.
  • Machine Policy Retrieval & Evaluation Cycle – The ConfigMgr client downloads its policy from ConfigMgr on a schedule. By default this is every 60 minutes, configured with the client setting Policy polling interval (minutes). This action initiates ad-hoc machine policy retrieval from the client outside its scheduled interval.
  • Software Inventory Cycle – Software inventory collects information about files on client devices, and can also collect files from client devices and store them on the site server. Software inventory is collected when you select the Enable software inventory on clients setting in client settings, where you can also schedule the operation. This action causes software inventory to run and collect the data for addition to the ConfigMgr database. This is part of ConfigMgr inventory functionality.
  • Software Metering Usage Report Cycle – Collects the data that allows you to monitor client software usage. Software metering needs to be configured in ConfigMgr before this will have the desired effect.
  • Software Updates Deployment Evaluation Cycle – Initiates a scan for software updates compliance. Before client computers can scan for software update compliance, the software updates environment must be configured in ConfigMgr.
  • Software Updates Scan Cycle – Just after a software update installation completes, a scan is initiated to verify that the update is no longer required and to create a new state message indicating that the update has been installed. When the installation has finished but a restart is necessary, the state indicates that the client computer is pending a restart. This action initiates that scan.
  • User Policy Retrieval & Evaluation Cycle – Similar to the Machine Policy Retrieval & Evaluation Cycle, but initiates ad-hoc user policy retrieval from the client outside its scheduled interval.
  • Windows Installer Source List Update Cycle – Causes the Product Source Update Manager to complete a full update cycle. When you install an application using Windows Installer, those Windows Installer applications try to return to the path they were installed from when they need to install new components, repair the application, or update the application.
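The same actions can be kicked off without clicking through the Configuration Manager control panel applet, which is handy when you are troubleshooting a client remotely. The script below is an added example and is not from the original post or from Eswar Koneti’s work; it calls the SMS_Client.TriggerSchedule WMI method with Microsoft’s documented client schedule IDs (the GUIDs are from the Configuration Manager SDK, not from the list above). The script file name Invoke-CcmAction.ps1 and the parameter names are my own.

```powershell
# Added example (not from the original post): trigger ConfigMgr client actions
# via the SMS_Client.TriggerSchedule WMI method in the root\ccm namespace.
# The schedule GUIDs are Microsoft's documented client schedule IDs from the
# Configuration Manager SDK. Remote use needs WMI/DCOM access and local admin.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string[]]$Action = @('HardwareInventory')
)

# Friendly name -> schedule ID. The console's "Machine Policy Retrieval &
# Evaluation Cycle" runs retrieval (021) and then evaluation (022); likewise
# user policy is 026 then 027.
$Schedules = @{
    'ApplicationDeploymentEvaluation'     = '{00000000-0000-0000-0000-000000000121}'
    'DiscoveryDataCollection'             = '{00000000-0000-0000-0000-000000000003}'
    'FileCollection'                      = '{00000000-0000-0000-0000-000000000010}'
    'HardwareInventory'                   = '{00000000-0000-0000-0000-000000000001}'
    'MachinePolicyRetrieval'              = '{00000000-0000-0000-0000-000000000021}'
    'MachinePolicyEvaluation'             = '{00000000-0000-0000-0000-000000000022}'
    'SoftwareInventory'                   = '{00000000-0000-0000-0000-000000000002}'
    'SoftwareMeteringUsageReport'         = '{00000000-0000-0000-0000-000000000031}'
    'SoftwareUpdatesDeploymentEvaluation' = '{00000000-0000-0000-0000-000000000108}'
    'SoftwareUpdatesScan'                 = '{00000000-0000-0000-0000-000000000113}'
    'UserPolicyRetrieval'                 = '{00000000-0000-0000-0000-000000000026}'
    'UserPolicyEvaluation'                = '{00000000-0000-0000-0000-000000000027}'
    'WindowsInstallerSourceListUpdate'    = '{00000000-0000-0000-0000-000000000032}'
}

foreach ($name in $Action) {
    if (-not $Schedules.ContainsKey($name)) {
        Write-Warning "Unknown action '$name'. Valid names: $($Schedules.Keys -join ', ')"
        continue
    }
    try {
        # SMS_Client exists in root\ccm on every machine with the ConfigMgr client.
        Invoke-WmiMethod -ComputerName $ComputerName -Namespace 'root\ccm' `
            -Class 'SMS_Client' -Name 'TriggerSchedule' `
            -ArgumentList $Schedules[$name] -ErrorAction Stop | Out-Null
        Write-Output "$ComputerName : triggered $name ($($Schedules[$name]))"
    } catch {
        # Typical causes: no ConfigMgr client, WMI blocked, or not running elevated.
        Write-Warning "$ComputerName : failed to trigger $name - $($_.Exception.Message)"
    }
}
```

To reproduce what the console action does for machine policy, pass both halves in order: `.\Invoke-CcmAction.ps1 -ComputerName PC01 -Action MachinePolicyRetrieval, MachinePolicyEvaluation`. Triggering a schedule only queues the work; watch the matching client log (for example PolicyAgent.log or InventoryAgent.log) to confirm it actually ran.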

I hope this helps, and now I have a place to look for the info when I can’t remember which does what.

Inactive Client Cleanup in ConfigMgr

In my “new” position, the ConfigMgr environment that I administer is a demonstration environment where we show off our product to prospective customers. That means in the environment we have “real” machines that are VMs, and then we have additional devices that have been manually added to ConfigMgr with hardware inventory information, but they never check in with ConfigMgr because they are not physical devices. By default ConfigMgr has been cleaning out these devices every 90 days. Because I try to avoid repetitive work as much as possible, and because I don’t want to have to keep adding devices every 90 days, it’s time to see what I can do to change the length of time that inactive clients stay in ConfigMgr before cleanup.

After a couple of quick searches, it looks like there is a setting that determines if inactive clients should be removed from the ConfigMgr database and another that determines how long Hardware Inventory is maintained. Here’s where to get to the settings:

  • Step 1: Select Administration on the left hand side of the ConfigMgr console
  • Step 2: Select Sites under the Site Configuration folder on the left hand side of the ConfigMgr console.
  • Step 3: Select Site Maintenance at the top right of the ConfigMgr console.

The Site Maintenance window will open. Select Delete Aged Discovery Data. This setting determines how long Discovery Data is maintained in the ConfigMgr database. When this data is completely deleted for a device, the device is removed from the ConfigMgr database and console.

The Delete Aged Discovery Data Properties box will open. Change the Delete data that has been inactive for (days) setting to your preferred value.


Because I also want to make sure that the Hardware Inventory is maintained for our inactive devices, I have also selected Delete Aged Inventory History.

The Delete Aged Inventory History Properties box will open. Change the Delete data that has been inactive for (days) setting to your preferred value.

This should keep the inactive devices in our ConfigMgr database, so we can use them for demo purposes, and keep the associated Hardware Inventory connected with them. More information about ConfigMgr maintenance tasks is located here: Microsoft reference for Maintenance Tasks.
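The same two maintenance tasks can be read and changed from the ConfigMgr PowerShell module, which is useful if you want to script the change or check what the current retention is before touching it. This is an added example, not from the original post; the cmdlet and parameter names are those of Microsoft’s ConfigurationManager module as documented, while the site code and the 365-day value are placeholders you would replace for your site.

```powershell
# Added example (not from the original post): audit and then raise the
# retention on "Delete Aged Discovery Data" and "Delete Aged Inventory History"
# using the ConfigurationManager module. Run this on a machine with the
# ConfigMgr console installed; SMS_ADMIN_UI_PATH is set by the console setup.
param(
    [string]$SiteCode = 'XXX',     # placeholder: your three-character site code
    [int]$InactiveDays = 365       # placeholder: days to keep inactive data
)

# The module manifest sits one folder above the console's bin\i386 path.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"

# The two task names exactly as they appear in the Site Maintenance window.
$tasks = 'Delete Aged Discovery Data', 'Delete Aged Inventory History'

# Show the current values first, so the change is visible and reversible.
foreach ($t in $tasks) {
    Get-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $t |
        Select-Object TaskName, Enabled, DeleteOlderThan
}

# Raise the retention on both tasks so inactive demo devices, and the hardware
# inventory attached to them, survive longer than the 90-day default.
foreach ($t in $tasks) {
    Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $t `
        -DeleteOlderThanDays $InactiveDays
}

# Confirm the new values.
foreach ($t in $tasks) {
    Get-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $t |
        Select-Object TaskName, DeleteOlderThan
}

Pop-Location
```

Keep the two values in step with each other: if Delete Aged Inventory History is shorter than Delete Aged Discovery Data, the demo devices will stay in the console but lose their hardware inventory first.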

Where Have You Been?

There’s a great scene in the second Harry Potter movie after Ron, Fred and George Weasley return to the Burrow after rescuing Harry from Number 4 Privet Drive. In that scene Molly Weasley, their mother, yells at the three Weasley boys “where have you been?” The boys then fumble with all kinds of great excuses for why they left the house with the flying car.

So… that begs the question regarding this blog, where have I been?

It’s not super complicated. I ended up moving on from the company that I was working for in 2019, and got a great gig with a new employer. It was 100% work from home before it was cool!

 The funny thing is that I started writing blogs for them about using their software and I never really found the time to work on my own blogs. Then Covid came. Nothing really changed about my position, except that it got busier, and I had to write even more blogs. That meant that I neglected writing for myself even more.

But it’s time for a change. I’m coming back with some new content about ConfigMgr and life, and I’m even going to be linking to the blogs that I’ve been writing for my “new” employer. Don’t mind that I’ve been there for over two years at this point and can hardly consider them new… but here we are.

Saying the Right Thing the Right Way

Saying things the right way can make all the difference

Working with the security team in our organization can be challenging. Often they come into meetings with preconceived ideas about how things work or how things are supposed to work. The default answer to a new technology or new request from the business or a user is “no” rather than the “how can we do this securely” that I would prefer.

That changed on a very important technology yesterday, and that was because of someone being able to say the right thing the right way.

The story starts two years ago, which makes it over a year before I got here. Security was working on a requirement that drives on all laptops and tablets be encrypted. Microsoft was brought in for a POC to get MBAM up and running in the environment. Everything was working great until someone from the Security Team said “well now we need to turn on FIPS compliance.” The Security Team wanted to be compliant with the Federal Information Processing Standards. This is fine, until you turn FIPS on for the desktop. When you do that, every certificate and every connection then becomes FIPS compliant. When that happens it changes how everything is encrypted and it basically breaks EVERYTHING. Additionally the MBAM clients stop talking to the MBAM server, and you have no way of reporting on what is encrypted and what is not. Because of this issue it was decided to use Symantec Endpoint Encryption instead of Bitlocker.

Recently the Security team was given a presentation on security by Microsoft and the question of Bitlocker came up yet again. The response from the security team was “have you fixed FIPS compliance yet?” To Microsoft’s credit, they asked some important questions that found some interesting answers. The way that FIPS had been enabled earlier is well known to break everything. In fact Microsoft recommends against doing it that way. In addition, they noted that it is not required to have FIPS “turned on” on each endpoint to be FIPS compliant. They provided resources to the security team that showed why this works and how other organizations are using Bitlocker in FIPS compliant environments.

The bottom line was, in order to be FIPS compliant an organization does not need to turn on the FIPS switch on the computers and break everything. FIPS compliance can also be achieved by using FIPS compliant algorithms in the encryption. News flash, the default algorithms for Bitlocker are already FIPS compliant.
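If you need to show your own security team the same two facts on a real machine, the following added example (not from the original post) reads the registry value behind the “System cryptography: Use FIPS compliant algorithms” policy and lists the cipher each BitLocker volume is actually using. It relies only on that documented registry location and on the built-in BitLocker PowerShell module; the function names are mine.

```powershell
# Added example (not from the original post): audit whether the FIPS policy
# switch is on and which cipher BitLocker uses per volume. Run elevated;
# Get-BitLockerVolume (BitLocker module, Windows 8/Server 2012 and later)
# needs admin rights.
function Get-FipsPolicyState {
    # Documented location of the "Use FIPS compliant algorithms" policy value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        FipsPolicyEnabled = ($value -eq 1)   # $true only when the switch is on
        RegistryValue     = $value           # $null if the value does not exist
    }
}

function Get-BitLockerCipherReport {
    # AES-based BitLocker methods are FIPS-approved algorithms; XTS-AES is the
    # default for fixed drives on current Windows 10 builds, so a default
    # configuration already uses an approved cipher with the policy switch off.
    # The legacy AES+Diffuser methods from Windows 7 are deliberately not in
    # this list, and "Hardware" (self-encrypting drive) is not assessed here.
    $approved = 'Aes128', 'Aes256', 'XtsAes128', 'XtsAes256'
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus   # On / Off
            VolumeStatus     = $_.VolumeStatus       # e.g. FullyEncrypted
            EncryptionMethod = $_.EncryptionMethod   # None when not encrypted
            ApprovedCipher   = ($approved -contains $_.EncryptionMethod.ToString())
        }
    }
}

Get-FipsPolicyState
Get-BitLockerCipherReport | Format-Table -AutoSize
```

On a machine built with the defaults you should see FipsPolicyEnabled = False and every protected volume reporting an XtsAes method with ApprovedCipher = True, which is exactly the combination the post describes: approved algorithms in use without the endpoint-wide FIPS switch.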

Once this was explained and accepted, we started moving down the road to removing SEE from the environment and installing Bitlocker. And we are right back where we should have been two years ago.

An (old) ugly problem rears its ugly head

We ran into an issue yesterday that continued into today that is an oldie but a goody… Windows 7 computers started showing up with a black background and claiming that “This Copy of Windows is not Genuine.” It’s one of those things that when you see it you immediately start to look at the KMS server to make sure that it’s accepting connections and is working correctly. It was.

We contacted Microsoft, and before we even had an engineer assigned our TAM had responded with a solution. The problem is a KB (KB971033) installed on Enterprise Windows 7 systems that was meant for retail versions of Windows 7.

The KB is from 2010 and doesn’t even exist in our SCCM updates, so the computers that have it must have gotten it from some lawless time when they were being updated in a different way. Apparently it started causing problems again yesterday, but looking through the web I was able to find several others that have had the problem surface at random times through the years.

Anyway, here are the instructions on how to fix the problem.

Here is the procedure that you need to follow –

  1. Uninstall KB971033 (if it is still installed)
  2. Reboot the machine
  3. Run these commands manually, or through a .bat script, on ONLY problematic Windows 7 Enterprise machines.
rem Stop and disable the activation notification service so it does not re-flag the machine mid-fix
net stop sppuinotify
sc config sppuinotify start= disabled
rem Stop the Software Protection service so its data files can be replaced
net stop sppsvc
rem Delete the hidden (/ah) licensing store files
del %windir%\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 /ah
del %windir%\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 /ah
rem Rename the cached token and cache files so they are rebuilt when the service restarts
cd %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
ren tokens.dat tokens.oldbad
cd cache
ren cache.dat cache.oldbad
rem Restart the service, install the Windows 7 Enterprise KMS client key, and activate against KMS
net start sppsvc
cscript c:\windows\system32\slmgr.vbs /ipk 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH
cscript c:\windows\system32\slmgr.vbs /ato
rem Put the notification service back to manual start
sc config sppuinotify start= demand

The key above is for Windows 7 Enterprise specifically; if you have other editions, please refer to the following article and change the product key in the above command.

KMS Client setup keys – https://docs.microsoft.com/en-us/windows-server/get-started/kmsclientkeys
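Because the batch steps rename the licensing store and install an edition-specific key, it is worth gating them behind a check that the machine really is Windows 7 Enterprise with KB971033 present. The script below is an added example, not part of the original fix; it uses WMI and Get-HotFix, both available on the PowerShell 2.0 that ships with Windows 7, and the function name and the .bat path are placeholders of my own.

```powershell
# Added example (not from the original post): pre-check before applying the
# KB971033 fix, so the batch commands only run where the post says they
# belong. Written against PowerShell 2.0 (Windows 7 default), so no PS 3.0+
# syntax such as [pscustomobject]@{} is used.
param(
    [string]$FixScript = 'C:\Temp\Fix-KB971033.bat'   # placeholder path to the batch steps
)

function Test-Win7EnterpriseWithKB971033 {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # Windows 7 reports version 6.1; OperatingSystemSKU 4 is the Enterprise edition.
    $isWin7       = ($os.Version -like '6.1.*')
    $isEnterprise = ($os.OperatingSystemSKU -eq 4)
    # Get-HotFix returns nothing (no error) when the KB is absent.
    $kbInstalled  = [bool](Get-HotFix -Id 'KB971033' -ErrorAction SilentlyContinue)

    New-Object PSObject -Property @{
        Caption        = $os.Caption
        IsWindows7     = $isWin7
        IsEnterprise   = $isEnterprise
        KB971033       = $kbInstalled
        ShouldApplyFix = ($isWin7 -and $isEnterprise -and $kbInstalled)
    }
}

$state = Test-Win7EnterpriseWithKB971033
$state | Format-List Caption, IsWindows7, IsEnterprise, KB971033, ShouldApplyFix

if ($state.ShouldApplyFix) {
    # Step 1 of the post: remove the hotfix. Step 2 (reboot) is left to the
    # operator, and the batch steps run only after that reboot.
    Start-Process -FilePath 'wusa.exe' `
        -ArgumentList '/uninstall /kb:971033 /quiet /norestart' -Wait
    Write-Output "KB971033 removal requested. Reboot, then run $FixScript."
} else {
    Write-Output 'Not a Windows 7 Enterprise machine with KB971033 installed; leaving it alone.'
}
```

Running the check first also gives you a clean inventory of which machines are actually affected, which is easier to reason about than chasing the black background one desk at a time.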


Windows Updates released out of band 11/28/2018

I always love when Microsoft releases out-of-band patches for Windows.

It seems that these updates kind of get swept under the rug (unless it’s a huge vulnerability) because everyone already has patch processes defined that are centered around Patch Tuesday.

Our testing and partial roll-out process basically takes the whole month before the updates are finally installed. Because of this, updates like the ones released yesterday aren’t part of our updates until next month.

Link to info about the updates

When your day isn’t going well…

At least you didn’t have to send an email to the whole Health System with the following text:

“It has come to our attention that the flyer for the career fair sent out yesterday indicated the incorrect date.  The flyer has been modified to now include the correct date and location of the event.  Thank you.”

It was sent to everyone. In the whole Health System. Once with the wrong information, and once with the correct information…

Microsoft Windows 10 Servicing Changes, Windows Virtual Desktop (The beginning of the end of locally installed Windows?)

At this point this blog should probably be called “Microsoft servicing. When it changes I’ll write a new blog.”

So it’s official, Microsoft has changed the servicing model for Windows 10 yet again. This time the changes are quite large, including a “tick-tock” schedule for Windows 10 Enterprise and Education versions. The full details can be read here:

https://www.microsoft.com/en-us/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/

There are some important things to note from the document above. First of all, the support schedule for Windows 10 Enterprise and Education has changed to 30 months for the September Update. “Tick-tock” comes into place because the alternate update (the March update) will still have 18 months of support.

Changing the support time for Windows to 30 months is great news for those of us who are unable to move to a new version of Windows 10 for several months because of software needing to be certified for the new OS. For example we have a piece of software that is installed on every computer in the environment. The time between Windows 10 release and when the software is certified to use in the OS can be as long as 6 months. Because of this we were facing only 12 months of use on a specific Windows 10 version before we would need to upgrade it again. If you add in the time to deploy to our 16,000 computers, upgrades would be happening constantly. This was not going to be a great solution for our users, and the amount of support IT was going to have to provide for this model was going to increase greatly.

Microsoft listened to us as corporate administrators. Let me say that again. We talked, and Microsoft listened to us. Microsoft clearly wanted to be able to move Windows 10 versions out of support quickly so they could move development time to newer versions. They also clearly didn’t want a repeat of Windows 7 where they will be providing updates until 2020 for software that was originally released in 2009. However we made enough noise, and Servicing was changed!

With 30 months of support for the September Windows 10 version, even if the certification of our software takes 6 months, we still should have 24 months of support for each version of Windows 10! The real question is who is going to be installing the Enterprise or Education March versions? I would wager there won’t be many organizations.

Windows 7 Extended Security Updates

The second announcement in the above article is about the extension of servicing for Windows 7. Microsoft is calling it Windows 7 Extended Security Updates (ESU). If you need to keep computers on Windows 7 for some reason past 2020 (even though you’ve known about Windows 7 retirement for several years at this point) Microsoft will let you purchase extra support until 2023. But it’s going to cost you. Microsoft isn’t saying how much at this point, but it is saying that you can expect the cost to go up each time you renew the support (up to January of 2023).

Windows Virtual Desktop

At Microsoft Ignite this week Microsoft has introduced something else that is desktop related. It’s called Windows Virtual Desktop. To read the announcement check out the website below:

https://azure.microsoft.com/en-us/blog/microsoft-365-adds-modern-desktop-on-azure/

Windows Virtual Desktop is much what it sounds like. It’s a full-blown Windows 7 or 10 desktop that exists in Azure. You connect through the internet to your Virtual Desktop, which will come pre-loaded with Office 365 applications. They were very clear to mention that there is a browser plug-in that can be installed so that you can connect to your virtual desktop right through your web browser. The demos were also quick to note that connection speeds were great; the demos were run from Orlando, FL and were using an Azure data center in the Seattle area. No word on whether the issue with Azure a couple of weeks ago would have affected your WVD in a negative way (I bet it would have).

Another thing that is important to note about the WVD is that you can create Windows 7 desktops. When you do this, they will automatically have the Extended Security Updates, which means this might be a good way to get updates until 2023 for users that need it.

It’s hard to say how much of an impact WVD’s will have. Certainly I can run a VMware virtual machine in a web browser if that is something that I would want to do, but of course that would require a separate license of both Windows and Office. If Microsoft can come in at a cheaper price than someone would be paying otherwise, it is definitely something to look at.

Here’s another thing to think about: Is this our first glimpse at what our security team has been worrying about for some time now? Is this the beginning of the end of a legacy Windows operating system running on a local computer? Is this the beginning of a future “desktop” where all you need to connect to it is a web browser? This presents a lot of benefits for those of us who are managing computers, but it also adds a lot of challenges.


But Seriously, check the run times of your Updates…

Just got to work this morning with several computers that failed our Windows Updates deployment with the exact same issue as the one I most recently blogged about, the “updates handler job was cancelled.”

I checked which ones were failing, and it was the “Cumulative Update” for whichever version of Windows was on the computer.

The run-times for the Cumulative Updates had been reduced to an even shorter time of FIVE MINUTES?! We absolutely have computers that will not be able to complete this in a five minute time frame. I switched it back to 60 minutes.

Why did these move to 5 minutes? No idea. Maybe Microsoft knows…
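Rather than noticing the short run time after the deployments fail, you can sweep the update catalog for cumulative updates whose maximum run time is below a floor and raise it in one pass. The script below is an added example, not from the original post; the cmdlets and the MaxExecutionTime property (stored in seconds on the SMS_SoftwareUpdate class) are those of Microsoft’s ConfigurationManager module as documented, and the site code and 60-minute floor are placeholders.

```powershell
# Added example (not from the original post): report cumulative updates whose
# maximum run time is below a floor, and optionally raise it. Nothing is
# changed unless -Fix is supplied, so the default run is a read-only audit.
param(
    [string]$SiteCode = 'XXX',      # placeholder: your site code
    [int]$MinimumMinutes = 60,      # the value the post switched back to
    [switch]$Fix                    # apply the change instead of only reporting
)

# The module manifest sits one folder above the console's bin\i386 path.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"

# -Fast skips the lazy properties and is much quicker on a large catalog.
# Expired and superseded updates are ignored; they will not be deployed anyway.
$short = @(Get-CMSoftwareUpdate -Fast -Name '*Cumulative Update*' |
    Where-Object {
        -not $_.IsExpired -and -not $_.IsSuperseded -and
        $_.MaxExecutionTime -lt ($MinimumMinutes * 60)
    })

$short |
    Select-Object LocalizedDisplayName,
        @{ n = 'MaxRunMinutes'; e = { [int]($_.MaxExecutionTime / 60) } } |
    Format-Table -AutoSize

if ($Fix) {
    foreach ($u in $short) {
        Set-CMSoftwareUpdate -InputObject $u -MaximumExecutionMins $MinimumMinutes
    }
    Write-Output "Raised maximum run time to $MinimumMinutes minutes on $($short.Count) update(s)."
} else {
    Write-Output "$($short.Count) update(s) below $MinimumMinutes minutes. Re-run with -Fix to raise them."
}

Pop-Location
```

Run it read-only first, then with -Fix; pairing it with a monthly check after each sync means a silently reset value shows up before the deployment does.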