
Microsoft System Center Reporting Manager 2006 End of Support


Microsoft System Center Reporting Manager 2006 has reached its end of support date as of October 11, 2016. System Center Reporting Manager 2006 was built as a Microsoft SQL Server-based data warehouse that integrated management data from Microsoft Operations Manager (MOM) 2005, asset information from Microsoft Systems Management Server (SMS) 2003, and business context data to create customized queries and reports. No subsequent versions of this product were released.

For monitoring and reporting capabilities available today, learn more about Microsoft System Center Operations Manager and Microsoft System Center Configuration Manager.

Have questions about supported products? Visit Microsoft Support Lifecycle to view a list of supported products and related policies.


New Hotfix: Garbled characters are displayed in the console after upgrading Microsoft Configuration Manager


Just a quick note on a new hotfix we just released. The problem you may encounter is that the Configuration Manager console displays garbled text for content in double-byte or extended character set languages. This text is visible in the following sections of the console:

  • Feature names and descriptions in the Update Pack Installation wizard for Configuration Manager, version 1511 or 1602
  • Feature names and descriptions in the Features node of the Updates and Servicing section in the console for version 1606
  • Prerequisite names and descriptions in the Updates and Servicing status section of the console in Configuration Manager version 1606

Note that this only affects Microsoft System Center Configuration Manager current branch sites installed or upgraded before September 26, 2016. Installations occurring after that time will not experience the problem.

A hotfix is now available that addresses this problem. For information on how to obtain and install the hotfix, please see the following:

3196771 – Garbled characters are displayed in the console after you upgrade to System Center Configuration Manager, current branch (https://support.microsoft.com/en-us/kb/3196771)


J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group


How to implement a shared SUSDB for Configuration Manager Software Update Points


If you have read the Best Practices for Software Updates in Configuration Manager, you may have noticed that we recommend sharing the SUSDB for Software Update Points (SUPs) off the same Configuration Manager site server. A shared SUSDB setup is becoming increasingly commonplace; however, it can be a bit confusing to navigate exactly how to do it properly. This can lead to problems arising from configuration mistakes (not-so-happy-little-accidents). To make sure you don’t have any of these problems, here’s some guidance on how to get this all set up properly.

Requirements

The requirements for a shared SUSDB are the same as for a NLB WSUS 6.X setup. All of the front end WSUS computers that are to share SUSDBs should be running the following:

  1. The same version of WSUS.
  2. The same version of Windows
  3. The same Windows updates installed on the server.
  4. The same WSUS patches should be installed on all computers that share the same SUSDB.

Also, SQL Server must meet the minimum database requirements. You may use a SQL cluster if you wish, but keep in mind that Windows Internal Database (WID) is not supported for sharing the SUSDB.

Lastly, you will need a shared WSUS content directory that you have already created using either a standard network share or Distributed File System (DFS). All of the WSUS computer accounts must have change permissions for the share.

PART I: Installing WSUS

You may install WSUS using this article via PowerShell if you wish, or by using Option 1, Step 1 of the NLB WSUS 6.X article. However, I will be using Server Manager followed by the post installation tasks run via PowerShell.  It is also worthwhile to note that when you install WSUS specific patches that you have downloaded files for, you would want to follow the guidance laid out for NLBs where you patch one node at a time.

1. Open Server Manager, click on “Manage” then select “Add roles and features”:

image

2. Follow the prompts until you get to “Server Roles”, then check “Windows Server Update Services” and click Next.

clip_image004

3. The Add Roles and Features Wizard will then pop up and offer to install any prerequisites needed. Click on “Add Features”, then click “next” to continue to Features. Skip through WSUS heading and get to “Role Services” for WSUS.

image

4. Uncheck “WID Database”, select “Database”, then click “Next”.

image

5. Fill in the share that you created as part of the previously mentioned requirements when you get to “Content”. In this case, the share is on the server I am currently installing WSUS on however it does not have to be on one of the WSUS computers. Take note of the author’s taste in music based on the domain name. There will be a pop quiz on it later. Click “Next”.

clip_image010

6. Fill in the SQL server name (\Instance if needed) and click “Check connection”. The wizard will tell you if you successfully connected or not. If it successfully connected, click “Next”. If not, troubleshoot why your computer will not connect to the SQL server.

clip_image012

7. Click “Next” to get through the information about IIS, until you get to Web Server Role (IIS) Role Services. At this point, I usually like to add the HTTP logging for IIS since it is not added by default. Other Role Services can be added at this point if needed as well. Note that the default location for IIS logging is c:\inetpub\logs\logfiles and you may want to change this default as well after you complete your install. After deciding if you want IIS logging or not, accept the rest of the default Role Services for IIS.

clip_image014

8. When you get to the Confirmation page, click “Install”, then click “Close” when finished.

9. Now we have to do some post installation tasks. You can do this a few different ways:

Option 1: Open the WSUS console and work through the prompts:

clip_image016

Option 2: Through Server Manager from the notification:

clip_image017

Option 3: Via PowerShell, which is my preference:

a) Launch PowerShell using administrator credentials.

b) Change to the C:\Program Files\Update Services\Tools folder.

c) Run the following, filling in the information specific to your environment:

.\Wsusutil.exe postinstall SQL_INSTANCE_NAME="Server\Instance" CONTENT_DIR="\\Servername\sharename"

clip_image019

Notes on the post install configuration process

Please note that you need the “.\” in front of wsusutil.exe or it will not execute in PowerShell. For the default SQL instance, just type in the server name. You do need the quotes in the above command. It will launch the post install, which installs the SUSDB, recreates the website on port 8530 (default) and points to the ContentDir. The post install command will create a log in the <user>\AppData\Local\Temp directory which will be in the form of tmpXXX.tmp. This log may be 0kb for a little while. It will spawn another log called WsusUtilUseCustomWebSite.log. The website log will disappear if all goes well with the website install, then the tmpXXX.log will be written to at that point. The tmp log will show you the tables, stored procedures, views, etc. being created/verified in the SUSDB.

clip_image021

10. Do these same steps for any other WSUS computers that will be Software Update Points (SUPs) off the same Configuration Manager Primary Site. You can have up to 4 front end WSUS servers sharing a SUSDB. If you are setting up WSUS to use SSL, additional WSUS configuration is required.

PART II: Verifying the WSUS Settings

1. Open IIS and expand it. Right-click the Content vDir and select “Manage Virtual Directory”, then “Advanced Settings”:

clip_image023

2. Under Physical Path, you may (or may not) notice that the path looks a little off. If you do not see \\ in front of your server name, add it then click “Ok”.

This is wrong:

clip_image025

This is right:

clip_image027

3. Open the registry and navigate to HKLM\Software\Microsoft\Update Services\Server\Setup. Check the registry keys below.

image

– ContentDir: This should be the same as the Content Directory you specified during the post install process.

– IISTargetWebsiteIndex: This is the IIS site ID. Your IIS logs are named after this by default:

clip_image031

– PortNumber: The default port is 8530. 8531 for SSL.

– SQLDatabaseName: This is always “SUSDB”. It is not supported to rename the database.

– SQLServerName: This is the ServerName (and \Instance, if applicable).

– UsingSSL: Set to 0 for false and 1 for true.

4. This is optional, but you can also check the content location from the database. You can see that it automatically adds the \WSUSContent directory at the end of it as IIS did for the vDir.

select LocalContentCacheLocation from tbConfigurationB

clip_image033

PART III: Installing the SUPs

1. Decide which SUP you want to install first. Typically I choose the server that is less utilized or that has better specifications as the first SUP to install if my servers are not quite exactly like each other.

2. Install your SUPs like you normally would. I am going to install my SUP role on my remote WSUS computer first, then install the SUP role directly on my primary site server second. Since this is a new computer to my environment, I select “Create Site System Server” from the Home tab under Administration –> Site Configuration –> Servers and Site System Roles, then type in the FQDN of the server and my installation account if needed.

clip_image035

Next set the proxy server and the credentials for it if needed.

clip_image036

Now select the Software Update Point Role and click “Next”:

clip_image037

Select your ports based on what you saw in Part II, Step 3 in the registry:

clip_image039

Configure any additional settings for the proxy, then step through the rest of the wizard to finish installing the role.

clip_image041

You will see the new machine show up under Servers and Site System Roles.

clip_image043

3. Monitor SUPSetup.log on the SUP computer along with WCM and WsyncMgr logs on the site server to see if you have any additional issues.

clip_image045

clip_image046

clip_image047

4. Add the next SUP off the site. Note that you may see that your SUP lists Microsoft Update as its source rather than the upstream WSUS. This is usually an indication that the WSUS configuration is pending, or it’s having issues like the one below. You will see the catalog version update when your computer finishes the first sync with the upstream server.

clip_image048

PART IV: Fixing Common Configuration Issues


Issue 1: The WSUS Content Directory is set to the wrong location

One of the most common configuration issues I run across is that the WSUS Content Directory is set to the wrong location for one of the WSUS front end servers. Typically content files for updates are not stored in the WSUS Content Directory when using Configuration Manager to install patches, however it is used for EULA files. A clue that this may be your issue is machines reporting they can’t find a EULA file in the WindowsUpdate.log/etl:

WARNING: Fail to download eula file http://JoyDivision:8530/Content/AE/C324C69722CB5F82E63CE9C6D73CFBF8675309AE.txt with error 0x80244019

To resolve this, first verify the steps from Part II above for the computer you are attempting to get the text file from. Usually you will see that something does not match. It’s important to know that the registry will not show the “\WSUSContent” directory at the end of the path, unlike SQL and the IIS virtual directory for content. In this example, all of my settings seem to be pointing to D: on this WSUS front end server rather than the share name \\2012R24GB.

clip_image049

clip_image050

clip_image052

We already know what the problem is, but there are a few other symptoms that point to this being the issue as well. For example, I can’t browse to the URL of txt file above and IE notes it is 404’d:

clip_image054

If I right-click on the Content virtual directory in IIS from the front end WSUS and select “Explore”, I see that the directory is empty (not always though):

clip_image055

I can see that the file is in the share:

clip_image056

TIP: WSUS places the files in the directory that matches the last two characters of the file name. In this case it would be AE.

Now that we know what the problem is, let’s fix it! Run WSUSutil postinstall from PowerShell to set the correct location (see part I, step 3 above):

clip_image058

Verify all of the items from IIS, the registry as well as SQL to ensure they are set correctly.
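The three locations checked in Part II (registry, IIS Content vDir, SUSDB) can be compared in one pass on each front end. The following PowerShell is an added example, not part of the original article; the function name and the `-ExpectedShare` value are assumptions, and it expects the WebAdministration module and an account that can read SUSDB.

```powershell
# Added example: compares the content location recorded in the registry,
# the IIS Content vDir and SUSDB. Run elevated on each WSUS front end.
function Test-WsusContentConfig {
    [CmdletBinding()]
    param(
        # UNC path that was passed as CONTENT_DIR to wsusutil postinstall.
        [Parameter(Mandatory)]
        [string]$ExpectedShare
    )

    Import-Module WebAdministration -ErrorAction Stop

    $expectedRoot    = $ExpectedShare.TrimEnd('\')
    # IIS and SUSDB append \WSUSContent; the registry value does not.
    $expectedContent = "$expectedRoot\WSUSContent"

    # Registry values from Part II, step 3.
    $setup = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup' -ErrorAction Stop

    # IISTargetWebsiteIndex is the IIS site ID, so use it to locate the WSUS site.
    $site = Get-Website | Where-Object { $_.Id -eq $setup.IISTargetWebsiteIndex }
    if (-not $site) { throw "No IIS site with ID $($setup.IISTargetWebsiteIndex) was found." }
    $vdir = Get-WebVirtualDirectory -Site $site.Name -Name 'Content'

    # Query from Part II, step 4, run against the shared SUSDB with Windows authentication.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$($setup.SQLServerName);Database=$($setup.SQLDatabaseName);Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'select LocalContentCacheLocation from tbConfigurationB'
        $dbPath = [string]$cmd.ExecuteScalar()
    }
    finally {
        $conn.Dispose()
    }

    $checks = @(
        @{ Source = 'Registry ContentDir';             Actual = $setup.ContentDir;  Expected = $expectedRoot }
        @{ Source = 'IIS Content vDir physical path';  Actual = $vdir.physicalPath; Expected = $expectedContent }
        @{ Source = 'SUSDB LocalContentCacheLocation'; Actual = $dbPath;            Expected = $expectedContent }
    )

    foreach ($c in $checks) {
        $actual = ([string]$c.Actual).TrimEnd('\')   # ignore a trailing backslash
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Source   = $c.Source
            Actual   = $actual
            Expected = $c.Expected
            IsUnc    = $actual -like '\\*'            # a local drive path here is the Issue 1 symptom
            Match    = $actual -ieq $c.Expected
        }
    }
}

# Placeholder share name; replace it with your own content share.
Test-WsusContentConfig -ExpectedShare '\\Servername\sharename' | Format-Table -AutoSize
```

Any row with `Match` or `IsUnc` set to False identifies the location that still has to be corrected before running the reset.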

Next, run a WSUSutil reset to verify and re-download any missing files:

clip_image059

Verify that the reset is running from C:\Program Files\Update Services\Logfiles\SoftwareDistribution.log on the front end WSUS computer. You will see a notification event for it typically followed by a reporting event that Content Sync started:

clip_image061

clip_image063

Issue 2: Some front end WSUS computers cannot access the shared content directory

Another fairly common problem is when some of the front end WSUS computers are unable to access the shared content directory for some reason. Normally you will see some sort of 401 error (401.3’s mostly) in the IIS logs when trying to get a content file. You will also see errors from the Windows Update Agent in windowsupdate.log.

A typical Windows Update error on a client will look something like this:

WARNING: WinHttp: SendRequestUsingProxy failed for http://JoyDivision:8530/Content/AE/C324C69722CB5F82E63CE9C6D73CFBF8675309AE.txt error 0x800710dd

Here is a typical IIS error logged at the same time:

10.10.10.5 HEAD /Content/ AE/C324C69722CB5F82E63CE9C6D73CFBF8675309AE.txt 8530 – 10.10.10.221 Windows-Update-Agent – 401 3 5 281

Frequently the resolution for this is to change the pass-through authentication settings on the Content VDir in IIS. Check out the diagram for how this works.

To do this, first highlight the Content vDir for WSUS in IIS then double click “Authentication”:

clip_image065

Next, click on Anonymous Authentication and select “Edit”:

clip_image066

Change this from IUSR to Application Pool Identity and click “OK”. Keep an eye on the IIS logs for any errors when accessing content to help determine if this resolves the problem.

clip_image068

Note the WSUSPool’s identity:

clip_image070
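To watch for the 401.3 pattern described above, before and after changing the authentication setting, the IIS logs can be summarized per client. This PowerShell is an added example, not from the original article; the function name is an assumption and the sample log lines are constructed.

```powershell
# Added example: lists 401 responses for /Content/ requests in W3C-format IIS logs.
function Get-WsusContentAuthFailure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$LogLine
    )

    $fields = @()
    $hits = foreach ($line in $LogLine) {
        if ($line -match '^#Fields:\s*(.+)$') {
            # The #Fields directive names the columns and can change within a file.
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        if ($line -match '^\s*(#|$)' -or $fields.Count -eq 0) { continue }

        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # truncated or foreign line

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        if ($row['cs-uri-stem'] -like '/Content/*' -and $row['sc-status'] -eq '401') {
            [pscustomobject]@{
                Client      = $row['c-ip']
                SubStatus   = $row['sc-substatus']
                Win32Status = $row['sc-win32-status']
                Url         = $row['cs-uri-stem']
            }
        }
    }

    # One summary row per client and status combination.
    $hits | Group-Object -Property Client, SubStatus, Win32Status | ForEach-Object {
        [pscustomobject]@{
            Client      = $_.Group[0].Client
            Status      = '401.{0}' -f $_.Group[0].SubStatus
            Win32Status = $_.Group[0].Win32Status   # 5 = access denied
            Count       = $_.Count
            SampleUrl   = $_.Group[0].Url
        }
    }
}

# Constructed sample lines in the default IIS field order.
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-10-20 14:02:11 10.10.10.5 HEAD /Content/AE/C324C69722CB5F82E63CE9C6D73CFBF8675309AE.txt - 8530 - 10.10.10.221 Windows-Update-Agent - 401 3 5 281
2016-10-20 14:02:15 10.10.10.5 POST /ClientWebService/client.asmx - 8530 - 10.10.10.221 Windows-Update-Agent - 200 0 0 46
'@ -split "`r?`n"

Get-WsusContentAuthFailure -LogLine $sample | Format-Table -AutoSize
```

Against a live server, pass the output of `Get-Content` for the log file of the WSUS site instead of `$sample`.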

Tips for troubleshooting other permission problems

1. Verify permissions listed here.

2. Use a check file for testing and troubleshooting. To do this, create an empty text file in the \WSUSContent folder and call it ContentFolderAclsCheck.txt, then restart the WSUS Service. Now run wsusutil checkhealth and check the application event log to ensure there are no 10012 errors for the content directory. Verify that ContentFolderAclsCheck.txt is no longer there. The CheckHealth parameter will process the file and remove it if permissions are working correctly.


Part V: Performance Tips

1. I like to just go ahead and modify the WSUS Application Pool’s memory limit for recycling since I know approximately what the memory usage is during peak scanning times in my lab.

Appcmd can be used to determine the PID of the process running the WSUS AppPool. To do this, from an elevated Command Prompt, change to the Windows\System32\inetsrv folder and run appcmd.exe list wp to get a list of Application Pools and their PIDs. You can see here that my WSUS isn’t very busy right now since I just built it and have no clients scanning against it:

clip_image072

2. Right after I finish my first sync, I like to go ahead and schedule WSUS Maintenance and run it for a few different reasons:

a. Primarily, I run this directly after my first sync to go ahead and decline superseded updates that I know I will not be deploying so that my clients will scan faster and my WSUS computers do not consume resources for items I don’t need. The WSUS will sync these in initially since they are in the catalog.

b. Since I just got a fair amount of updates imported, I might as well reindex the SUSDB while I am looking at it.

c. I also like to test my scheduled tasks so I am confident they will kick off on schedule.

I hope this information helps, and if you are interested in taking this to the next step and using NLB for your SUP, take a look at my buddy Cameron’s article here.

As always, thanks to The Scripting Guy for the scripts and to my colleague Vinay Pamnani for his valuable input.

Meghan Stewart, Support Escalation Engineer
Microsoft Enterprise Cloud Group

Hotfix: Pre-staged media is not used in System Center 2012 Configuration Manager


Hi everyone, just a quick note to let you know that we released a new hotfix to address a known issue in ConfigMgr 2012 SP2 and ConfigMgr 2012 R2 SP1. The issue is that when the Application Install task sequence step is applied to pre-staged media, the application downloads from a distribution point instead of using the files that are stored on the media. This increases the time for task sequence execution from pre-staged media. This issue does not affect stand-alone media in which the Application Install step uses files from the media as expected.

A supported hotfix is available from Microsoft Support to address this issue. For complete details please see the following:

3183710 – Pre-staged media is not used in System Center 2012 Configuration Manager (https://support.microsoft.com/en-us/kb/3183710)


J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

Recreating the SUSDB and WSUS Content folder for a Windows Server 2012 based WSUS computer


Author: Meghan Stewart | Support Escalation Engineer

Occasionally you may find that you want to start over in WSUS with a fresh database (SUSDB). There can be any number of reasons for this, but typically I see people doing this if their SUSDB is rather old, has a ton of unneeded updates in it, and maintenance has not been done on the SUSDB in years. In those cases you can find that a rebuild may be faster and easier than fixing the problematic SUSDB. Typically speaking, I see people wanting to recreate just the content dir if they accidentally unchecked the “download update files to this server only when updates are approved” option and ended up with a hard drive full of unneeded files. Whatever the reason, here are the steps for recreating the SUSDB and the WSUS Content folder for a Windows Server 2012 based WSUS computer:

1. Open PowerShell as admin.

2. Stop the WSUS service and IIS Service with the following command:

stop-service WSUSService, W3SVC

Verify that both are stopped by running get-service WSUSService, W3SVC

It should look something like this:

clip_image001

3. Open SQL Server Management Studio and connect to the instance for SUSDB.

How you connect via SQL Server Management Studio is different depending on whether you installed SUSDB on Windows Internal Database (WID) or SQL Server. This was specified when you installed SUSDB. If you are not sure which you used, you can check a registry key on the WSUS server located at HKLM\Software\Microsoft\Update Services\Server\Setup to verify. Take a screenshot/registry export of this and look for the SQLServerName value. If you see just a server name or server\instance, you are using SQL server. If you see something that has the string ##SSEE or ##WID in it, you installed on Windows Internal Database, as demonstrated below:

Note that if you see ##SSEE, this blog post is not applicable to you.

clip_image003[1]

clip_image005[1]

If you installed SUSDB on Windows Internal Database

If you installed SUSDB on Windows Internal Database (WID), you will need SQL Management Studio Express installed in order to remove the database. If you’re not sure which version of SQL Server Management Studio Express to install, here’s an easy way to figure that out:

For Windows Server 2012 and Windows Server 2012 R2, go to C:\Windows\WID\Log and find the error log that has the version number you’re using. Lookup the version number here:

321185 – How to determine the version, edition and update level of SQL Server and its components (https://support.microsoft.com/en-us/kb/321185)

This will tell you what Service Pack level it is running. Include the SP level when searching the Microsoft Download Center for SQL Management Studio Express as sometimes it does matter.

Once SQL Management Studio Express is installed, launch it and it will prompt you to enter the server name to connect to. If your OS is Windows Server 2012, use \\.\pipe\MICROSOFT##WID\tsql\query. Note that if you are not running Windows Server 2012 or 2012 R2, this blog post is not appropriate to use.

clip_image006[1]

Also note that for WID, you may want to run SQL Server Management Studio Express as administrator if you were not the person who installed WSUS.

If you did not install SUSDB on WID

If you did not install SUSDB on WID, simply type in the server name (\instance if needed):

clip_image008[1]

4. Back up the existing SUSDB, just in case you need it later. Better safe than sorry 🙂

Open SQL –> expand databases –> right-click SUSDB, then select “New Query”.

Paste in the following, changing the directories to the directory of your choosing.

backup database [susdb] to disk = 'D:\SQL\Backup\susdb.bak' with copy_only

clip_image010[1]

5. Open SQL –> expand databases-> right-click SUSDB –> Delete. Be sure that you select “Close existing connections” at the bottom of the wizard.

Optionally, you can also delete the backups (delete is the default).

clip_image011[1]

6. Delete or rename the content directory, then recreate it. Please note that this will not delete/rename if the two services mentioned above are still running.

You can find the location of the content folder by looking in HKLM\Software\Microsoft\Update Services\Server\Setup\ContentDir

Rename the directory by running REN WSUS WSUS_old, or delete it by running DEL WSUS, then confirm All with “A”:

clip_image013

clip_image014

Recreate the directory by running MKDIR WSUS. Note that the default permissions will be reapplied when you run the post install.

clip_image015[1]

If you are not removing the SUSDB, but are removing the content and need to re-download files for updates you have already approved, do the following to initiate the download:

a. CD “C:\Program Files\Update Services\Tools”

b. Run .\WsusUtil.exe reset

clip_image016[1]

7. Start the services:

Start-service WSUSService, W3SVC

Verify that both are started by running get-service WSUSService, W3SVC

clip_image017

8. Reinstall the SUSDB by running the post install. The command varies depending on if you run WIDs or not.

First, CD to Program Files\Update Services\Tools.

For Full SQL (or non WIDS), run the following:

.\Wsusutil.exe postinstall SQL_INSTANCE_NAME="Server\Instance" CONTENT_DIR="<drive>:\WSUS"

clip_image019

For WIDS, run this:

.\Wsusutil.exe postinstall CONTENT_DIR="<drive>:\WSUS"

clip_image021

General Post install notes

You need the “.\” in front of wsusutil.exe or it will not execute in PowerShell. For the default SQL instance, just type in the server name. You do need the quotes in the above command. This will launch the post install, which installs the SUSDB, recreates the website on port 8530 (default) and repoints everything to the ContentDir. The post install command will create a log in the <user>\AppData\Local\Temp directory which will be in the form of tmp*.tmp. This log may be 0kb for a little while. It will also spawn another log called WsusUtilUseCustomWebSite.log. The website log will disappear if all goes well with the website install, then the tmp*.log will be written to at that point. The tmp log will show you the tables, stored procedures, views, et cetera being created/verified in the SUSDB.

clip_image022[1]

clip_image023

After doing this, when you first launch the WSUS console, it will bring up the WSUS Configuration Wizard. You can run through this wizard if you would like and select your options such as products, upstream server and proxy. If you are using SSL, please note that additional configuration is required.

Hopefully you’ll never be faced with having to recreate your SUSDB. If you do, hopefully this will help make that process go as smoothly as possible.

Meghan Stewart, Support Escalation Engineer

Microsoft Enterprise Cloud Group

Guide to Understanding and Troubleshooting Content Distribution in Microsoft Configuration Manager


Hi everyone, I wanted to take a minute and let you know about a new guide/troubleshooter we have available that will help you understand and troubleshoot all aspects of content distribution in Microsoft Configuration Manager (ConfigMgr 2012, ConfigMgr 2012 R2 and current branch).

The guide helps administrators understand the content distribution process and serves to build a foundation for diagnosing and resolving general content distribution related problems. This guide explains the content distribution process, including Distribution Point (DP) installation and upgrade, the content library, package creation and distribution, as well as the various threads and components involved. Useful SQL queries that provide valuable insight into the various stages of the process are also provided.

You can find more information and get started with the guide here.

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

Update 1610 for Configuration Manager Technical Preview Branch is now available


Hi everyone, I wanted to let you know that update 1610 for the Technical Preview Branch of Microsoft System Center Configuration Manager has been released. This month’s new features include:

  • Improvements to the notification experience for high-impact task sequence and required application deployments: Task sequence deployments that have a high-impact to the end user, such as operating system deployments for example, now display more intrusive notifications. However, end users can dismiss (snooze) these notifications, and control when they reappear. Any relevant client settings for notification frequency are still honored.
  • Deny previously approved application requests: As an administrator, you can deny a previously approved application request. This prevents new installations of the application. To install this application later, users must resubmit a request. If the application was previously installed, it will not be uninstalled.
  • Filter by content size in automatic deployment rules: Use the content size filter in automatic deployment rules to prevent large software updates from automatically downloading to better support simplified Windows down-level servicing when network bandwidth is limited.
  • Exclude clients from automatic upgrade: When you configure settings to control how clients automatically upgrade, you can now specify a collection to exclude specific clients from the upgrade. This applies to automatic upgrade as well as other methods such as software update-based upgrade. This can be used for a collection of computers that need greater care when upgrading the client.

For all the details please see this post on the Microsoft Enterprise Mobility and Security blog.

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

Using a custom certificate store for Configuration Manager client authentication certificates


Author: Ray Rosen, Microsoft Premier Field Engineering

Public Key Infrastructure (PKI) is used in varying degrees in different organizations, and since System Center Configuration Manager 2007, it has been leveraged to support Internet Based Client Management. PKI is also an option to identify systems, as the Discovery Data Manager automatically approves clients when a PKI certificate is used for client identity. As long as the site systems that handle client communication trust the client authentication certificate chain, then the client receives service.

When an organization stands up PKI simply to support Configuration Manager, no contention exists within the computer’s certificate personal store. This is the default location where a new certificate is installed for the computer. However, when an organization heavily leverages PKI, the default personal store may contain a number of certificates, and the situation may complicate the usage of certificates for Line of Business (LOB) applications, Configuration Manager, or both.

Configuration Manager allows the administrator to specify strings or attributes in the certificate subject or subject alternative name to select a certificate, but when the Configuration Manager client certificate’s presence in the personal store affects a LOB application, the fact that Configuration Manager is ‘OK’ provides little relief to the administrator. To better handle the scenario, the admin may instead specify a custom certificate store for selecting a client authentication certificate, which eliminates any conflict with other applications. Here’s an example of how to leverage this capability.

First we need a certificate template to issue certificates for client authentication. Use the same process as always to duplicate the Workstation Authentication template for this purpose and give the template a meaningful name, but do not enable Autoenrollment.

clip_image002

Note that Template name will omit spaces that exist in Template display name. Also set the security on the template for Domain Computers and Domain Controllers to Read and Enroll the certificate. Autoenroll is not required since we will use a script to issue the certificate.

clip_image004

Once the template is created, instruct the Certificate Authority to issue the certificate. When complete, it will appear in the main Certificates Templates screen:

clip_image006

Next, a script needs to run on each client to perform the following:

  1. Create a custom certificate store if one does not exist.
  2. Request a new certificate if one does not exist in the custom store.
  3. Request a new certificate if all existing certificates are about to expire in the custom store.

So why use a script instead of Autoenroll? The goal is to avoid contention in the personal store, and the fastest way to ensure a clean personal store is to move the certificate out of the personal store immediately after it is installed. This option does not exist for Autoenrollment.

A sample script to do this is posted here, however please note that this script will only work on Windows 8 and Windows Server 2012 or later. The script needs to run as local system or administrator on every client, and depending on the environment, this can be accomplished by one of the following:

  1. Using a startup script via GPO
  2. Setting up a Task Scheduler task to call it from a network share via GPO
  3. If the computer is already a Configuration Manager client and an HTTP MP will persist, a Compliance Settings script, package deployment, etc. could do the job.

Whichever method you choose, the script needs to run at least as frequently as the number of days specified before expiration so you can ensure that a new certificate always replaces an expiring one before it expires.
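The three steps the script has to perform can be sketched as follows. This PowerShell is an added example, not the sample script the article links to; the function name, the template name `ConfigMgrClientCustomStore`, the store name `ConfigMgrClient` and the 30-day window are assumptions. It relies on the `Get-Certificate` cmdlet, which is available on Windows 8 and Windows Server 2012 or later.

```powershell
# Added example: keeps one usable client authentication certificate in a custom
# LocalMachine store. Run as Local System or an administrator on a domain member.
function Update-CustomStoreClientCertificate {
    [CmdletBinding()]
    param(
        [string]$TemplateName = 'ConfigMgrClientCustomStore',  # assumed "Template name" (no spaces)
        [string]$StoreName    = 'ConfigMgrClient',             # assumed custom store name
        [int]$RenewDays       = 30                             # assumed renewal window in days
    )

    $storePath = "Cert:\LocalMachine\$StoreName"

    # Step 1: create the custom store if it does not exist.
    if (-not (Test-Path -Path $storePath)) {
        New-Item -Path $storePath | Out-Null
    }

    # Steps 2 and 3: look for a certificate with a private key that is valid now
    # and still valid after the renewal window. None found means "request one".
    $now    = Get-Date
    $cutoff = $now.AddDays($RenewDays)
    $usable = @(Get-ChildItem -Path $storePath | Where-Object {
            $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $cutoff
        })

    if ($usable.Count -gt 0) {
        $newest = $usable | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
        return [pscustomobject]@{
            Action     = 'None'
            Thumbprint = $newest.Thumbprint
            NotAfter   = $newest.NotAfter
        }
    }

    # Enroll into the computer's personal store first.
    $result = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\LocalMachine\My' -ErrorAction Stop
    if (-not $result.Certificate) {
        throw "Enrollment finished with status '$($result.Status)' and returned no certificate."
    }
    $thumbprint = $result.Certificate.Thumbprint

    # Move the new certificate out of the personal store immediately.
    Move-Item -Path "Cert:\LocalMachine\My\$thumbprint" -Destination $storePath -ErrorAction Stop

    # Confirm the certificate arrived and is still bound to its private key.
    $moved = Get-Item -Path "$storePath\$thumbprint" -ErrorAction Stop
    if (-not $moved.HasPrivateKey) {
        throw "Certificate $thumbprint is in $storePath but has no private key association."
    }

    [pscustomobject]@{
        Action     = 'Enrolled'
        Thumbprint = $moved.Thumbprint
        NotAfter   = $moved.NotAfter
    }
}

Update-CustomStoreClientCertificate
```

Schedule it at an interval no longer than `-RenewDays`, so that a replacement is always requested before the last usable certificate expires.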

After the script has executed, the site properties can be modified to use the custom store as specified in your script:

clip_image008

On the next machine policy poll after committing the site properties change, the clients will use the new settings and look for a client authentication certificate in the custom store. Once found, it will be used to update the client’s registration with its primary site and become the client’s new crypto identity.

Ray Rosen, Microsoft Premier Field Engineering


KB: Configuration Manager clients are automatically upgraded after installation of CU1

Here’s a quick tip on an issue you might run into after upgrading to ConfigMgr 2012 R2 SP1 Cumulative Update 1. When the upgrade is complete, you may find that your Configuration Manager clients are automatically upgraded to the Service Pack 1 client version. This is a known issue in which the Configuration Manager Client Retry Task is created under Microsoft\Microsoft\Configuration Manager in Task Scheduler. After it’s installed, the Configuration Manager client cannot delete the scheduled task that was created in this location, therefore the client is scheduled to be reinstalled every five hours. For all the details including a workaround, please see the following:

3123029 Configuration Manager clients are automatically upgraded after a ConfigMgr 2012 R2 update to CU1 (https://support.microsoft.com/en-us/kb/3123029)

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

Revised September 2016 anti-malware platform update for Microsoft Endpoint Protection clients

Just a quick FYI that we just released an anti-malware platform update package for the following clients:

  • Microsoft System Center 2012 R2 Configuration Manager Endpoint Protection Service Pack 1 (SP1) clients
  • Microsoft System Center 2012 R2 Configuration Manager Endpoint Protection clients
  • Microsoft System Center 2012 Endpoint Protection Service Pack 2 (SP2) clients
  • Microsoft System Center 2012 Endpoint Protection Service Pack 1 (SP1) clients
  • Microsoft Forefront Endpoint Protection 2010 clients
  • System Center Configuration Manager, current branch

For complete details regarding the issues fixed as well as download and installation instructions, please see the following:

3199963 Revised September 2016 anti-malware platform update for Endpoint Protection clients (https://support.microsoft.com/en-us/kb/3199963)

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

New KB: Configuration Manager Service Connection Point doesn’t download updates

We just released a new KB article that discusses an issue where a Service Connection Point that’s running on Microsoft System Center Configuration Manager current branch doesn’t download updates. If you’re experiencing this problem you’ll also notice entries that resemble the following logged in DMPDownloader.log:

Download manifest.cab SMS_DMP_DOWNLOADER 8/2/2016 2:20:24 PM 7568 (0x1D90)
WARNING: Failed to download easy setup payload with exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. SMS_DMP_DOWNLOADER 8/2/2016 2:20:25 PM 10760 (0x2A08)
WARNING: Retry in the next polling cycle SMS_DMP_DOWNLOADER 8/2/2016 2:20:25 PM 10760 (0x2A08)

You may also notice client connectivity issues when you use Microsoft Intune.

For complete details, including the cause as well as the steps to resolve the problem, please see the following:

3187516 Configuration Manager Service Connection Point doesn’t download updates (https://support.microsoft.com/en-us/kb/3187516)

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

KB: v_GS_AntimalwareHealthStatus view reports incorrect Endpoint Definition status in Configuration Manager 2012

We have a new KB article that describes a problem where the Endpoint Protection view v_GS_AntimalwareHealthStatus reports an incorrect Endpoint Definition status based on the AntivirusSignatureUpdateDateTime value in versions of Microsoft Configuration Manager that are older than version 1511. This problem prevents some of the information typically found in state messages for Endpoint Protection from being displayed in this view.

This is a known problem that’s fixed in ConfigMgr 1511 and all later versions. For complete details please see the following:

3183902 v_GS_AntimalwareHealthStatus view reports incorrect Endpoint Definition status in Configuration Manager 2012 (https://support.microsoft.com/en-us/kb/3183902)

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

A new update is available for Microsoft Forefront Endpoint Protection 2010

We’ve just released a new compatibility update that addresses an issue that occurs in Microsoft Forefront Endpoint Protection 2010 after you install the following anti-malware update for Forefront Endpoint Protection 2010:

3199963 Revised September 2016 anti-malware platform update for Endpoint Protection clients (https://support.microsoft.com/en-us/kb/3199963)

Microsoft Forefront Endpoint Protection 2010 clients managed by System Center Configuration Manager 2007 will appear in the “Out of Date” deployment status collection after update 3199963 is installed.

For complete details please see the following:

3196190 Update is available for Forefront Endpoint Protection 2010 (https://support.microsoft.com/en-us/kb/3196190)

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

KB: Image deployment hangs during Build and Capture task sequences when installing Office updates

When using Microsoft Configuration Manager for Build and Capture task sequences, or for operating system deployment of Windows 10 version 1511, the process may hang during installation of Office software updates during the Install Software Updates step. In some cases, this step can hang for more than 24 hours.

This can occur when using a Windows 10 version 1511 image that has not been patched to the May 10, 2016 cumulative update. In this scenario, a deadlock may occur if the Install Software Update step is trying to install a large number of updates. This is a particularly common issue for Office-related updates which can trigger a deadlock in the CCMExec and TSInstallSWUpdate processes, preventing the step from proceeding.

For complete details please see the following:

3172742 Image deployment hangs during Build and Capture task sequences when installing Office updates (https://support.microsoft.com/en-us/kb/3172742)

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

Support for Version 1511 of the Current Branch of Microsoft System Center Configuration Manager ending soon

What is end of support?

The Current Branch (CB) of System Center Configuration Manager is governed by the Microsoft Modern Lifecycle Policy. Under the Modern Lifecycle Policy, support will be provided continuously if customers stay current by following the servicing guidelines. For Configuration Manager (CB), each update release is supported for twelve (12) months from its general availability (GA) release date. The first release of the Current Branch, version 1511, was made generally available on Dec 8th, 2015 and will reach its end-of-support date on Dec 8th, 2016. After this date, there will be no more security updates or technical support for Configuration Manager (CB – version 1511).

What does this mean?

It means that you should take action if you are currently on Configuration Manager (CB – 1511). Microsoft will no longer provide security fixes for this version of Configuration Manager. It is important that you update your hierarchy or standalone primary site to the latest version.

If you are planning to upgrade from System Center 2012 Configuration Manager SP2 or System Center 2012 R2 Configuration Manager SP1 to the Current Branch of System Center Configuration Manager, use the latest baseline release, version 1606. This can be downloaded from Volume Licensing Service Center (search for “System Center Config”). It can also be downloaded from Microsoft Evaluation Center and MSDN.

Frequently Asked Questions

I am running System Center 2012 Configuration Manager Service Pack 1 or System Center 2012 R2 Configuration Manager. Can I upgrade to the Current Branch of System Center Configuration Manager after Dec 8th, 2016?

The 1606 baseline does not support upgrading from either of these two versions of Configuration Manager. You will first need to upgrade to either System Center 2012 Configuration Manager Service Pack 2 or System Center 2012 R2 Configuration Manager Service Pack 1 and then upgrade to Configuration Manager (CB – version 1606).


Deploying Superseded Down Level Windows Updates with Microsoft Configuration Manager 2007

As you are probably aware, Microsoft previously announced Windows servicing changes for down level operating systems, aiming for a more consistent and simplified servicing experience on those operating systems. As part of this simplified servicing model, the 2nd Tuesday of each month will see the release of a new Security Monthly Quality Rollup and a new Security Only Quality Update. As the Security Monthly Quality Rollup contains the same security fixes as the Security Only Quality Update, as well as all fixes from previous monthly rollups and Security Only Quality Updates, there is a supersedence relationship between these updates. This supersedence allows installers of the Security Monthly Quality Rollup to see that fixes in earlier Rollups and Security Only updates are included, and allows for machine disk space to be managed appropriately when updates are superseded. See More on Windows 7 and Windows 8.1 servicing changes for more information about the servicing changes and supersedence rules.

Cross-Month and Intra-Month Supersedence Relationships

In Configuration Manager 2007 (ConfigMgr 2007), superseded updates are automatically expired and can no longer be deployed using the built-in software updates management (SUM) feature. As noted above, there is a cross-month supersedence relationship as well as an intra-month supersedence relationship between Security Only Quality Updates and Security Monthly Quality Rollups. For example, the Security Monthly Quality Rollup released in November will supersede the Security Only Quality Update also released in November as well as the updates (Security Monthly Quality Rollup and Security Only Quality Update) released in October.

Operational Impact (Security Monthly Quality Rollup Deployments)

Configuration Manager 2007 customers have roughly a month (from the 2nd Tuesday of each month to the following 2nd Tuesday) to test and fully deploy a new Security Monthly Quality Rollup for a given month using the SUM feature. If this deployment does not complete before the next superseding rollup is released, there are two primary options to continue:

1. Choose to switch to testing and deploying the latest superseding Security Monthly Quality Rollup using the SUM feature.

OR

2. Choose to deploy the superseded Security Monthly Quality Rollup using an alternate deployment method (outside of SUM), such as general software distribution.

Operational Impact (Security Only Quality Update Deployments)

Given that new Security Only Quality Updates are superseded by the new Security Monthly Quality Rollup for the same month, they will be marked as expired and unavailable for deployment each month via the SUM feature. Customers that desire to install Security Only Quality Updates will need to do so using an alternate deployment method (outside of SUM), such as general software distribution.

Alternate Deployment Methods (Software Distribution)

Using the software distribution feature to deploy superseded updates, which you may have done in the past, entails manually downloading the desired update content from the online Microsoft Update Catalog site. The update content will be .MSU based. Wusa.exe is the command line installer that can be used to install the updates. See Description of the Windows Update Standalone Installer in Windows for more information about using Wusa.exe.

Important Notes:

1. There will be update content packages per down level OS and per platform. Multiple packages and programs may be needed, as applicable.

2. You may need to create specific collections for targeting. It could be as simple as ‘All Windows 8.1 Computers’ or as complex as ‘All Windows 8.1 Computers that Require October’s Security-only Quality Update’.

3. You may need to test and define recurring advertisements designed to reinstall updates that are removed by end users.

4. Configuration Manager (current branch) and Configuration Manager 2012 have a Supersedence Rules feature that allows customers to define the expiration behavior for superseded updates. For example, instead of superseded updates being expired immediately, you can define that there is a three (3) month wait, allowing additional deployment time.

HOTFIX: Devices enrolled in Mobile Device Management may be incorrectly decommissioned in System Center Configuration Manager

If you’re using Microsoft System Center Configuration Manager current branch, Heartbeat Discovery Data Records (DDRs) sent by devices enrolled in mobile device management may not be processed on the site server. When this occurs, errors that resemble the following are recorded in the DDM.log file on the site server and the DDR file is rejected:

CDiscoveryPropertyBase::Validate – Property has no name
CDiscoveryItem::ParseMem – Property “” is invalid.
CDiscoverDataManager::GetItem – parsing failed. Bad DDR
Moving bad file {DDR_filename}.DDR to {SMS_Install_directory}\inboxes\auth\ddm.box\BAD_DDRS\{DDR_filename}.DDR.
CDiscoverDataManager::ProcessDDRs_PS – Moved bad DDR

This issue can cause the decommissioning of the enrolled device if the Delete Aged Enrolled Devices maintenance task is enabled and no other discovery data for the managed device is sent within the threshold defined.

For the latest information regarding this issue as well as how to obtain and install the hotfix, please see the following:

3202796 Devices enrolled in Mobile Device Management are incorrectly decommissioned in System Center Configuration Manager (https://support.microsoft.com/en-us/kb/3202796)

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

Cumulative Update 4 for Microsoft ConfigMgr 2012 SP2 and ConfigMgr 2012 R2 SP1 now available

Cumulative Update 4 (CU4) for Microsoft System Center 2012 Configuration Manager SP2 and Microsoft System Center 2012 R2 Configuration Manager SP1 is now available. For all of the latest information on this update as well as the list of issues fixed, please see the following:

3195483 CU4 for System Center 2012 Configuration Manager SP2 and System Center 2012 R2 Configuration Manager SP1 (https://support.microsoft.com/en-us/kb/3195483)

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

Update 1610 for Microsoft System Center Configuration Manager is now available

Happy Friday everyone! Today we’re happy to announce that version 1610 for the Current Branch (CB) of Microsoft System Center Configuration Manager is now available. To read about all of the great new features and enhancements that have been made, plus how to get the update today, check out this post by the Configuration Manager product team.

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

KB: Internal Error 2711 when you upgrade the Configuration Manager Console to version 1606

If you try to upgrade from a version of the Configuration Manager console that has the Traditional Chinese (Hong Kong) language pack installed to an installation of Configuration Manager (Current Branch v1606) that does not have that language pack installed, the upgrade may fail with the following error message:

Internal Error 2711. LP3076

We have a new KB article that discusses this scenario along with instructions on how to work around it. For more details please see the following:

3205809 Internal Error 2711 when you upgrade Configuration Manager Console to version 1606 (https://support.microsoft.com/en-us/kb/3205809)

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group
