Thursday 26 March 2015

SCCM 2012 - Automatic Deployment Rule - Error 0X87D20415


Problem:

You create an automatic deployment rule and run it but it fails with the following error code:

0X87D20415



Cause:

The search parameters you've set on the automatic deployment rule have pulled back too many updates. The number of updates that an ADR can detect is capped at 1000. If you open up the %install directory%\Microsoft Configuration Manager\Logs\ruleengine.log file on the SCCM server, you should be able to view the progress of the ADR and an explanation of why it failed:


Resolution:

Reduce the range of settings you've configured in the Software Updates settings to ensure fewer updates are discovered, e.g. reduce the 'Date Released or Revised' from a year to a month:




Tuesday 17 March 2015

SCCM 2012 R2 - Client Push Error - WNetAddConnection2 failed (logon32_logon_new_credentials) using account

Symptoms:

Assuming your SCCM server and clients aren't all in the same subnet/VLAN, you may encounter the following error message in the ccm.log:

WNetAddConnection2 failed (logon32_logon_new_credentials) using account --- (00000035)

ERROR: Unable to access target machine for request"xxxxxx", machine name "xxxxx", access denied or invalid network path.


The ccm.log can be found in %SCCM Install Directory%\Logs\ccm.log

Cause:

Either the account used for the client push doesn't have the requisite permissions or the communication between the SCCM server and the target machine is being blocked.

Fixes:

Check the network side of things. Ports required to be open in order to push out the SCCM Client:

  • Server Message Block (SMB) between the site server and client computer (TCP 445)
  • RPC endpoint mapper between the site server and the client computer (UDP 135; TCP 135)
  • RPC dynamic ports between the site server and the client computer (TCP Dynamic)
  • Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP (TCP 80)
  • Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS (TCP 443)

Check the account you added in Client Push. Is the password right? In 2012, use the 'Verify' option to confirm whether or not the account can access the admin$ share on the target machine:
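An added example (not from the original post) that ties these checks together when run on the site server: it pulls the machine names out of the ccm.log errors shown above and tests TCP 445, TCP 135 and the admin$ share for each one. The log path is a placeholder, Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later, and the share test runs as the logged-on user rather than the client push account.

```powershell
# Added example. Assumption: adjust this path to your own SCCM install directory.
$ccmLog = 'C:\Program Files\Microsoft Configuration Manager\Logs\ccm.log'

# Extract the machine names from the "Unable to access target machine" errors.
$pattern = 'Unable to access target machine.*machine name:?\s*"([^"]+)"'
$targets = Select-String -Path $ccmLog -Pattern $pattern |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique

foreach ($name in $targets) {
    # TCP 445 = SMB, TCP 135 = RPC endpoint mapper.
    # UDP 135 and the dynamic RPC range cannot be probed this way.
    $smb = Test-NetConnection -ComputerName $name -Port 445 -WarningAction SilentlyContinue
    $rpc = Test-NetConnection -ComputerName $name -Port 135 -WarningAction SilentlyContinue

    # Only try the share if SMB is reachable, otherwise the call just times out.
    $share = $false
    if ($smb.TcpTestSucceeded) {
        $share = Test-Path -Path "\\$name\admin`$"
    }

    [pscustomobject]@{
        Machine    = $name
        Tcp445     = $smb.TcpTestSucceeded
        Tcp135     = $rpc.TcpTestSucceeded
        AdminShare = $share
    }
}
```

A machine showing Tcp445 and Tcp135 as True but AdminShare as False points at permissions rather than the network.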



Friday 13 March 2015

Windows Share - Error - The mapped network drive could not be created because the following error has occurred: The account is not authorized to login from this station


Symptoms:
You are suddenly unable to map a network drive on a particular workstation/server, even though it previously mapped fine. Curiously, you can map to the share from other servers/workstations but this one particular machine won't play ball.

Error Message:

"The mapped network drive could not be created because the following error has occurred:  The account is not authorized to login from this station"

Potential Fixes:

Check permissions on share - have they changed at all? 

If the permissions look ok it's time for some compare and contrast - between some settings on a machine which will allow the drive to be mapped and the problem machine. 

First off, on each machine open the Local Security Policy console (secpol.msc). Check the following settings on both machines:



Are they the same? If not then it may be worth having a look at what group policies are being applied to the respective machines. If the way in which the two machines are attempting to sign their communications is different this may well explain the drive mapping issue. 

Next port of call, assuming the difference isn't the Local Security Policy, is the registry.  Generally, you'll want the following registry settings to be the same on both and, most likely, you'll want them to look like this:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
  • enablesecuritysignature = 1
  • requiresecuritysignature = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
  • enablesecuritysignature = 1
  • requiresecuritysignature = 0
In my experience this last point is the one which tends to resolve the issue but since tweaking the registry can be a bit dicey, this option is best left till last!
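
An added example (not from the original post) that does the registry comparison in one pass: it reads the four values listed above from both machines and flags any that differ. The computer names are placeholders and PowerShell remoting is assumed to be enabled on both machines.

```powershell
# Added example. 'WORKING-PC' and 'PROBLEM-PC' are placeholder names (assumption).
$working = 'WORKING-PC'
$problem = 'PROBLEM-PC'

# Runs on each machine and returns the four values listed above.
# requiresecuritysignature backs the "Digitally sign communications (always)" policy,
# enablesecuritysignature the "(if server agrees)" / "(if client agrees)" policy.
$readSigning = {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in 'lanmanworkstation', 'lanmanserver') {
        $params = Get-ItemProperty -Path "$base\$svc\parameters" -ErrorAction SilentlyContinue
        foreach ($name in 'enablesecuritysignature', 'requiresecuritysignature') {
            $value = $params.$name
            [pscustomobject]@{
                Setting = "$svc\$name"
                Value   = if ($null -eq $value) { '<not set>' } else { $value }
            }
        }
    }
}

$results = Invoke-Command -ComputerName $working, $problem -ScriptBlock $readSigning

# One row per setting, with a flag where the two machines disagree.
$results | Group-Object -Property Setting | ForEach-Object {
    $w = ($_.Group | Where-Object { $_.PSComputerName -eq $working }).Value
    $p = ($_.Group | Where-Object { $_.PSComputerName -eq $problem }).Value
    [pscustomobject]@{
        Setting   = $_.Name
        Working   = $w
        Problem   = $p
        Different = ("$w" -ne "$p")
    }
} | Format-Table -AutoSize
```

A machine that requires signing cannot connect to a peer that has signing disabled, so a row marked Different is the place to start. Setting requiresecuritysignature to 0 stops that machine insisting on signed SMB traffic, so check what Group Policy intends for both machines before changing it.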

Thursday 12 March 2015

SCCM - Build - "A required CD/DVD drive device driver is missing. Please insert the installation media...etc..."

Whenever I have encountered this error message when trying to build a bare metal machine from installation media (DVD, CD, bootable USB etc.) the root cause has always been a bad ISO file. If you can, re-download the installation image and start again.

On the other hand it could be something else:
http://support.microsoft.com/kb/2755139
http://support.microsoft.com/kb/952951
or one of the many other things folk have written about on the interweb

Windows 7 - Change lock screen / login screen background image and user icon

SECTION A: Change the lock screen/login screen

Part 1: Create folder to hold background image

  • Click start and type %windir%\system32\oobe
  • In the oobe folder create a folder named info
  • In that folder create a folder named backgrounds


Part 2: Create background image

  • Open paint (or some similar product) and create or copy in your desired background
  • Save your picture as backgroundDefault.jpg
  • The picture needs to be under 244kb in size (so you may have to re-open it and reduce its size)
  • It must be named exactly as described.


Part 3: Edit registry to apply new background

  • Open regedit
  • Browse to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background

  • Is the OEMBackground value in there?
  • If not, then you need to create it by right clicking on the Background folder, selecting New > DWORD and naming it OEMBackground
  • Next, double left click on OEMBackground and change the value from 0 to 1
  • Now you should have the following



Your new custom background image should now be applied when you logon or lock the screen.
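
An added example (not from the original post) that carries out Parts 1 to 3 as a script, including the size check. The source image path is a placeholder; run it from an elevated 64-bit PowerShell prompt so that System32 and the registry are not redirected.

```powershell
# Added example. $source is a placeholder path (assumption) for the image you prepared.
$source  = 'C:\Temp\mybackground.jpg'
$maxSize = 244KB   # size limit as stated in Part 2

# Part 2: refuse an image that is too large.
$image = Get-Item -Path $source
if ($image.Length -ge $maxSize) {
    $kb = [math]::Round($image.Length / 1KB)
    throw "Image is $kb KB; it needs to be under 244 KB."
}

# Part 1: create oobe\info\backgrounds and copy the image in under the exact name.
$dest = Join-Path -Path $env:windir -ChildPath 'System32\oobe\info\backgrounds'
New-Item -Path $dest -ItemType Directory -Force | Out-Null
Copy-Item -Path $source -Destination (Join-Path -Path $dest -ChildPath 'backgroundDefault.jpg') -Force

# Part 3: create OEMBackground if it is missing and set it to 1.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background'
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}
New-ItemProperty -Path $key -Name 'OEMBackground' -PropertyType DWord -Value 1 -Force | Out-Null

# Show the result so it can be compared with the steps above.
Get-ItemProperty -Path $key -Name 'OEMBackground' | Select-Object OEMBackground
```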


SECTION B: Change the user icon

The easy way to do this is to click on the start menu and then click on your user icon. From there you can change the image.

Alternatively, you can do it within Windows Explorer should you want all users to have the same image. This is relatively straightforward since it just involves swapping out an image file. The location of the icon for all users is:

C:\Users\All Users\Microsoft\User Account Pictures\user.bmp

Simply create a new icon image, call it user.bmp and save it into the above location.

Wednesday 11 March 2015

SCCM - Software Update Point - WSUS - The Basics

What does the SUP do?

It provides Software Update metadata to clients that are using the Windows Update Agent (WUA) to scan for missing updates.  


The Set Up:

The Software Update Point is comprised of two parts: WSUS and the WSUS Control Manager. 

WSUS is the core Windows component which syncs with update.microsoft.com and pulls down update metadata. 

WSUS Control Manager is the means by which SCCM controls WSUS.


The Database Gets Populated:

In the SCCM hierarchy, the top most SUP gets its metadata catalogue from Microsoft Update and stores this information in its database.  

This metadata catalog is also copied into the SCCM database via the sync process. 

Once this has happened the Software Update node in the admin console will be populated with the update catalogue info. You are now in a position to create Update Lists and Update Deployments based on the catalogue of available updates. 


The Client Side of Things:

SCCM clients utilize the WUA to connect with a SUP and get the specific metadata that are relevant for the client. 

The client is scanned for missing or installed updates and results from the scanning are stored in a WMI repository.  

The SCCM agent collects the results and passes them through the State message system and those results are stored in the SCCM database for every client and every update.  

Reports can then be generated from the scan data to produce accurate and detailed compliance reports.

Tuesday 10 March 2015

SCCM - WSUS - HTTP Error 500.19 - 0x8007007e

Problem: 

You install WSUS on a server.
The WSUSsetup.log (c:\username\AppData\Local\Temp\WSUSSetup.log) suggests everything has installed successfully...
...however, WSUS kicks out a Connection Error when it opens (hitting 'Reset Server Node' doesn't help much).



Since WSUS relies on IIS, you check the IIS landing page on the local host (http://localhost/). Unfortunately, it returns the following error:

HTTP Error 500.19 - Internal Server Error 
The requested page cannot be accessed because the related configuration data for the page is invalid. Module DynamicCompressionModule 
Notification SendResponse 
Handler StaticFile 
Error Code 0x8007007e 
Requested URL http://localhost:80/ 
Physical Path C:\inetpub\wwwroot 
Logon Method Anonymous 
Logon User Anonymous

Cause:

The error Code 0x8007007e translates as ERROR_MOD_NOT_FOUND (i.e. The specified ‘DynamicCompressionModule’ could not be found).
When WSUS is installed, it adds the XPress compression scheme module (suscomp.dll) into IIS. In IIS, Compression Schemes are defined globally and so will attempt to load in every application Pool within IIS. As such, it will kick out this error when the 64bit version of suscomp.dll attempts to load in an application pool which is running in 32bit mode.

This module entry looks like:

<scheme name="xpress" doStaticCompression="false" doDynamicCompression="true" 
dll="C:\Windows\system32\inetsrv\suscomp.dll" staticCompressionLevel="10" 
dynamicCompressionLevel="0" />

Fix:

Disable the XPress compression scheme that was introduced by WSUS from the configuration using the command below:
%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']



After you have run the command you should find that the IIS landing page appears as expected and that the WSUS console opens correctly:





Sidenote: To re-enable this compression scheme use the following command: 

%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /+[name='xpress',doStaticCompression='false',dll='%windir%\system32\inetsrv\suscomp.dll']


Saturday 7 March 2015

SCCM 2007 - preinst.exe /syncchild failure - sitecode is unknown

Problem:

When trying to sync your parent site with a child site in SCCM 2007 you run the following command:

preinst.exe /syncchild <sitecode>

Unfortunately preinst.exe kicks this back:

<sitecode> is unknown

Resolution:

Although you probably have full admin rights within SCCM, these are most likely granted through security group membership rather than defined explicitly on your account. For some unknown reason, in order to get the command to work you need to grant your user account explicit rights to the Class of SITE. To do this, open up the SCCM Admin Console and....

  • Drop down the Security Rights Box and 
  • Filter on the word "site"
  • Click on "New" 
  • Class security right
  • Grant your user account full rights to the SITE class:



Now when you run the command you should be met with a more successful message:



Tuesday 3 March 2015

SCVMM 2012 R2 - Patching Machines and Clusters - Cluster Aware Updating

The following guide assumes that your environment already has a WSUS installation somewhere (presumably on either an SCCM server or management server). Since SCVMM references WSUS, you can't do much unless you've got WSUS installed somewhere.

Add in WSUS/SCCM update server:



Create a new baseline:




Search for whichever updates you need (server type/classification):


Highlight all the updates you want and click Add…

In the next window select an assignment scope (this can be done later though so you can always leave this blank if you're not sure what to pick):


The summary page will then give you a quick rundown of what you’ve selected:


Check the new baseline has been created:



Switch to the Fabric view. Drop down the cluster you applied the baseline to. Click on the Compliance button and you should be able to see your baseline:


At this point the compliance state will be unknown since the machine hasn't yet been scanned against the new baseline. To do this, highlight the machine and click Scan:


The Scan will then begin and should come back with a result:


In the above example the machine is fully compliant so there is no need to remediate. Were the machine to be missing updates, however, you would need to highlight the machine and click on the Remediate button. From here you can select which missing updates you want installed and whether you want to allow reboots. If you happen to be remediating an entire cluster in one shot you can also choose whether to live migrate the clients which reside on each host as SCVMM runs through the patching/rebooting.





Monday 2 March 2015

SCCM 2012 - SCVMM - "PXE-E11: ARP Timeout" error - Building Generation 1 Virtual Machine

Scenario:

In SCVMM, I created a Generation 1 virtual machine with a Legacy Network Adapter. A basic Task Sequence has been created to deploy Windows Server 2012 R2 Standard. DHCP server options are set to 66:(SCCM server name) and 67:boot\x64\wdsnbp.com. The new Gen 1 server is imported into SCCM and placed into the relevant operating system deployment OU. The machine is then powered on in SCVMM.

When the Gen1 VM server starts up, it pulls down a DHCP address before hitting a "PXE-E11: ARP timeout" error message followed by "PXE-E38: TFTP cannot open connection":
 

Testing:

Just to confirm there was an ARP problem, I built another VM in SCVMM - except this was a Generation 2 VM with a non-Legacy NIC. After being imported into SCCM, the Gen 2 VM server was powered on. It then managed to download the NBP file without issue but then failed the secure boot verification process, with the message "Boot Failed. EFI Network. Failed Secure Boot Verification. No Operating System was Loaded. Press a key to retry the boot sequence....":



In an attempt to resolve the issue on the Gen 2 VM I powered off the VM, navigated to the properties of the VM in SCVMM and unchecked the Secure Boot Verification tickbox.......but this simply caused the machine to bomb out even faster ("Boot Failed. EFI Network. No Operating System was loaded...")

Checked the firewall logs - couldn't see any activity from the Gen1 server but it was showing activity from Gen2 talking to the PXE point. The only difference between the two servers was the NICs (Gen1 had Legacy and Gen2 had the standard NIC). Disabled the legacy NIC on the Gen1 server in SCVMM and added a standard NIC. Didn't even get a dhcp address. Re-enabled the Legacy NIC and left the standard NIC enabled, booted the server up and suddenly this happened:

The server pxe booted, popped up in the SMSPXE.log and began to build. I have played around with the NIC combinations at least half a dozen times and always get the same result. 

Fix:

When building a Gen 1 virtual machine it appears that, should you encounter the above error, you may need to include both a Legacy and non-Legacy network adapter when building the VM in SCVMM. Both adapters need to be active and plumbed in to the appropriate network/VLAN before the machine can successfully start the build. Once the machine has built you can remove whichever NIC you no longer require.