Orchestrator

Orchestrator Run Book 10801 Error

Leave a comment

Just felt I needed to write a post in for this as I have spent a very frustrating morning trying to get a perfectly good (and fairly simple) run book to work with ConfigMgr 2012 R2 / MDT 2013.

All ran fine in the runbook tester but once I added the step to a task sequence and ran it my SMSTS.log file looked as follows:Scorch2Now the 10801 error seems somewhat ubiquitous regardless of what the actual issue is. For example, you’re as likely to receive it for a run book you’ve forgotten to check in as you are for using an account without publishing permissions. Unfortunately given how commonly this error seems to occur, there appears to be precious little about it on the internet. Indeed I have to confess I never found the proper solution to fix the problem. Anything vaguely approaching a solution seems to centre around running the following SQL script on the Orchestrator database. It might be worth trying this before attempting the workaround below:

TRUNCATE TABLE [Microsoft.SystemCenter.Orchestrator.Internal].AuthorizationCache

However, this DIDN’T work for me.

WORKAROUND

I did however fix my problem nonetheless. The ‘solution’ for me was simply to create a brand new run book and recreate my previous steps. Once I’d done this, I tested again against a dummy task sequence before putting into my live sequence and all was well. I apologise this isn’t a proper ‘fix’ for the issue, but as I say at the time of writing there is very little on the subject and nothing I could find with my specific errors. Hopefully it will be quicker just to try this than spend several hours banging your head against a wall.

 

 

 

 

OSD / SCCM / MDT, Software Updates

Software Updates My Way :-) (plus a useful tool to help out)

Leave a comment

There are a 101 ways of deploying software updates out there and you’ll undoubtedly get a different answer on the best way to deploy updates from every ConfigMgr admin you ask. Indeed it obviously depends on the environment and company politics how best the solution is implemented. This is my tuppence worth.

As an admin, you have enough to do in setting up the required updates in the first place. In many environments you’ll then have to raise the necessary change requests and all the headaches that entails. Then there is the deployment itself:
“Why did it install that?”
“Why didn’t it install that?”
My solution to this is to move the onus to the application or server owner to set up when their computers are patched.

1, STRATEGY:

Select you maintenance window(s). Ensure the window is of sufficient length to take into account all the updates that need deploying. If a ‘hard’ maintenance window is in force, bear in mind you might not finish installing and rebooting before it closes if it is set too short. For my example I will select three per day for different deployment types. This doesn’t mean there will necessarily be computers populated in all three collections, but the option is there. Agree these with all interested parties first. For example:

1800-2000 (Special applications)
2300-0100 (Workstations)
0300-0500 (Servers)

2. DURATION:

By duration I’m talking about how long to complete the deployment to the enterprise. For me, there are two scenarios here. I will typically roll out patches to the servers and/or workstations in my test domain before rolling out to live. The duration for the full rollout is 14 days for each environment (test/non prod and production). This (usually) leaves a few days in between patch Tuesday to download the new updates and deliver the update list for the coming month to interested parties to approve, before rollout on the following Sunday (‘Patch Sunday’). In many situations you may not have the advantages of a test environment to hand. In these situations you may potentially argue that a longer rollout period was necessary. However there are few situations I have ever seen where a 14 day cycle isn’t sufficient if proper testing is put in place.

3. DEFER OWNERSHIP:

As alluded to earlier, IMO the onus should be on the SCCM admin to set up the job but after that it should be up to the application owner or server team to administer when their servers are patched. Ideally the patch window for the server should be set at the server build stage and should be specified in the original request.
My approach to this is to ensure all the software update collections have a query rule assigned which defines a particular AD group that can be updated by the interested party. Responsibility then falls squarely on the owner for any problems related to when the machine is updated.

4. AD GROUPS, QUERIES AND COLLECTIONS
This is how I set up my collections in SCCM along with the queries and groups.
EXAMPLE AD GROUP:
Name: PR1-SCCM PRD-07-2300-0100 (Site PR1, Prod environment, day 7, 2300-0100)
EXAMPLE COLLECTION:
Software Updates – WK1 – Saturday – 2300-0100 or Software Updates – WK2 – Wednesday- 2300-0100
EXAMPLE QUERY RULE:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemGroupName = ‘DOMAIN\\PR1-SCCM PRD-07-2300-0100’ and SMS_R_System.Name not in (select distinct SMS_R_System.Name from SMS_R_System where SMS_R_System.SystemGroupName = ‘DOMAIN\\MW Exception Group’)
Note:
DOMAIN\\MW Exception Group represents a group that a computer can be dropped into if for some reason it needs removing from its usual schedule temporarily.

5. NO REBOOT GROUP
In addition to the three daily maintenance window collections, another daily collection I have set up is one with no reboot. Indeed this is of particular interest to certain application owners who only have a narrow window where servers can be down. They take the responsibility on themselves to manually reboot these machines at a time convenient to them.

6. ADMINISTRATION
So…if should you decide the above all sounds like a great idea (that’s a big if, but go with me here) we’re talking about over 60 collections to deploy updates to. That’s going to take all week to set up isn’t it, particularly if there are a lot of update to deploy? Well yes, it is. If done manually. Powershell would traditionally be your friend here and when I first started this, that is exactly what I was using. What I found in practice though was even with this I wanted to see what was going to happen first and again you could write scripts to do this too. What I decided on though was to write a tool that would do everything for me. When I say everything, I am including creating collections, hard maintenance windows (if required), AD groups, queries and of course the selection, deployment schedule and deployment of the updates themselves. This tool is adaptable for different environments and should make the whole process very simple. Whilst I take no responsibility for how you use it in your environment, I have used it in live and prod environments at clients I have consulted and all sorts of different test environments. I include the download and source code at the end of this blog.

7. TO WRAP UP

This blog has detailed my specific approach but the high-level is really what it’s about. As I mentioned in my opening paragraph, one size does not fit all but I do believe some of the pressure (and work) can and should take a shift sideways. Some computers you’ll most likely always have to deal with, eg workstations/laptops. The systems that cause the most headaches though are the servers and I firmly believe ownership can and should be shifted here. It won’t work everywhere but it’s all about changing culture.

Toolio_SoftwareUpdateTool_Instructions

ToolioSoftwareUpdateTool_Source_v2.9.1 (C# source code)

Toolio_Installer_v2.9.1 (exe)

Let me know any issues you have and hopefully I’ll be able to help you out. Please make sure you test before putting into production and I take no responsibility for use!

 

OSD / SCCM / MDT, Uncategorized

SMS_MP_CONTROL_MANAGER – Error communicating with component

Leave a comment

Had this recently in an SCCM 2007 environment. After a bit of poking around I decided to reinstall the management point but this failed to fix the problem. Looking in the MPSetup.log is the error:

Fatal MSI Error – mp.msi could not be installed

After ensuring all the WebDAV setting were correct I started to scratch my head a bit before seeing one or two forum entries which suggested fairly major surgery but crucially included the step to run CCMClean. Well, this did make me think and I checked the SCCM client on the primary site. This was a lab environment and there was an overlapping boundary which caused a CM2012 client to be installed on this box.

Resolution:

I simply removed this client, removed and reinstalled the MP and everything was fine.

OSD / SCCM / MDT, Software Updates

Patching workgroup computers and template VMs in CM2012

Leave a comment

I recently needed to update the templates of our VMWare servers to reduce the amount of patching required after each deployment. IMO it’s good practice to do this every six months or so and reduces the time it takes for the server to be in a state that is ready for business.

Our template is essentially a non-domain-connected workgroup with no licence key as you’d expect (this all gets added during the orchestration process). As such this presents additional challenges as regards deployment from SCCM which would typically be to a domain-joined machine. The process below can be used for any deployment  to a workgroup-based machine of any type from SCCM, it just so happens I need to do this for software updates to a server.

1.) Ensure you have a local administrative account set up on the workgroup machine, eg %computername%\SBond in my example below.
2.) RDP onto the machine using account above. Copy the CM2012 client install folder from a site server (eg Primary or MP) and paste it via an RDP session on the desktop.
TIP: Copy over CMTrace.exe too, you’ll more than likely use it for something.
3.) Add the local account to ConfigMgr:
UserAccount

4.) Bring up an administrative cmd prompt and CD to C:\Users\<localuser>\Desktop\Client. Run the following command (update as appropriate):

ccmsetup.exe SMSSITECODE=WPR SMSMP=<APPROPRIATE MANAGEMENT POINT>.domain.com DNSSUFFIX=Domain.com FSP=<FSP.domain.com>  CCMLOGMAXSIZE=10240 CCMENABLELOGGING=true SMSCACHESIZE=10240

5.) Recommended: Depending on your setup, you may wish to add the following registry entry for preferred MPs. Select at least one MP on the same subnet as your machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\AllowedMPs
REG_Multi_SZ
MP.domain.com (eg)
This should stop much of the noise you’ll get trying to contact MPs you’re not interested in. This might be the case if you have cross forest relationships, etc. This step can safely be ignored if your configuration is reasonably simple.
6.)  Leave for 10 mins or so and then find machine in ConfigMgr. Right-click and select Approve.
7.) Open the CM Client applet and if you don’t already have all the tabs you’d expect usually ~7) then click Machine Policy Refresh under the Actions tab and Find Site under the Site Tab. Give it a few more minutes and the tabs should all appear.
8.) Finally, Add the computer to the appropriate patch collection and wait for patches to download. Ensure there are no further patches to run after reboot.
9.) Remember to remove the registry entries from earlier before handing back the machine!
 
NOTE
1.) In my case, because the template machine hasn’t been deployed, it doesn’t have a licence. If you select to run the software update scan cycle you’ll see a popup like that below. You can safely ignore this, it will still install the updates. You will also see this popup from time to time just before they start installing. Just ignore it.
error

 “You may be a victim of software counterfeiting.”

2.) I noticed all the machines had the same name. Because they’re in a workgroup, this is acceptable to CM and had no noticeable detrimental impact on deployment.

Surface

Surface Pro 4 (and Samsung SSD woes)

6 Comments

So I finally received the long awaited delivery of my Surface Pro 4 i7 16GB 512SSD. Once accompanying products have been purchased (keyboard, mouse, etc) this was a purchase in excess of £2K. I justified this to myself because this could realistically support a mini Hyper-V and dev environment on a device which really was truly portable. A proper OS makes this a truly useful and exciting device.

My excitement was however short-lived when I discovered the performance of the SSD was awful. Worse, in fact, than the Surface 3! If I’m paying top dollar I want top spec and was set to send my Surface back to Microsoft. I then read on various forums that Microsoft had sourced their SSDs for the top-end models from two different manufacturers, Samsung and Toshiba. Unfortunately it appears most people have received hardware with the Samsung drives in which are slower. These drives, while reasonably fast to read (1200+ MB/s) were exceptionally slow to write (average around ~150MB/s). Compare this with the Toshiba drive or Surface Pro 3 which was around five times faster!

Anyway, following some digging it appears Samsung have released a firmware update for their SSD which brings it back into line. For typical bench scores after the applied update, see below. In short, this is a must-have update, almost as important as the various stability updates around. Download here.

UPDATE:

The link above seems to be constantly ‘busy’. I fortunately still have a copy of the driver which you should be able to access here. Also, if you have downloaded the May 2016 drivers, I have written an update post.Benchmark

Software Updates

Software Updates: error 0xc80003f3 or error 0x8007000e in ScanAgent.log or WUAHandler.log

Leave a comment
PROBLEM:
You may also see the following message in the ScanAgent.log:
Sources are current, but Invalid. TTL is also invalid.
SCANAGENT.log
Invalid
WUAHANDLER.log
0xc80003f3

1. You’ve tried reinstalling the client.

2. You’ve installed Windows6.1-KB3050265-x64
3. Maybe even https://support.microsoft.com/en-gb/kb/2887535
Errors just won’t disappear…well help is at hand.
These errors translate to the following:
0x8007000E -2147024882 E_OUTOFMEMORY
0x8007000E -2147024882 [DCOM belly up] CAgent::CreateJob failed Not enough storage is available to complete this operation.
and
0xC80003F3 -939523085 hrOutOfMemory The computer is out of memory
However, you look at the available memory and can clearly see there is plenty to be playing with.
 
SOLUTION:
 
Turns out you need to up the pagefile on the affected box – this shouldn’t even require a reboot and immediately the errors will disappear from the logs and lovely software updates will all appear in Software Center.
One slight oddity I did notice was that while the software updates appeared, they wouldn’t start downloading/installing. I waited quite while and they just seemed to sit there. I restarted the SMSAgent host and this cleared them but wouldn’t pick them up again despite manually instigating the Scan or Software Updates Deployment actions from the SMS agent applet. I needed to restart the box, and then run these actions again manually after that and all started to work as expected and start downloading/installing.
Simon
OSD / SCCM / MDT, Software Updates

Software Updates Failure – 0x800F0902

Leave a comment

0x800F0902

Symptom

You try to deploy software updates to a system and no updates will install. The system picks up the updates, tries to install but ultimately fails after hanging for ages. Eventually you are presented with the error above.

Resolution

BITS is most likely not running. It is unlikely it isn’t installed as you would expect it to be installed if the ConfigMgr agent is installed but it may not be running. Start the service and try again.

 

OSD / SCCM / MDT, Software Updates

Phantom reboots following new software update installation

2 Comments

A word of caution….

Situation:

All servers in our a newly-formed environment required a first set of ‘baseline’ patches to bring them up to speed, after which we would set up a monthly patch update schedule.

Following this ‘inaugural’  deployment of around 380 patches. everything appeared on the face of things, to go smoothly. Machines all received updates and rebooted as expected. I could see from reports however that one or two patches had failed to install for some reason in this deployment. I figured that we could schedule in another time to try these again, maybe even the following month as none were actually deemed critical. In any case this was another conversation I needed to have with the application owners.

Two days later I got a call saying that a sizeable percentage of the server collection I had patched ‘randomly’ rebooted again at various times that morning. A significant amount of arm waving ensued and I was asked to look into it, especially as it was clear from the event logs that the reboot had been instigated by the CCMExec:

The process C:\Windows\CCM\CcmExec.exe (COMPNAMEXXX) has initiated the restart of computer COMPNAMEXXX on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x80020001
Shutdown Type: restart
Comment: Your computer will restart at 08/14/2015 09:58:37 AM to complete the installation of applications and software updates

I frantically checked all deployments and confirmed there was absolutely no deployments due and everything had basically gone out as expected. In fact nobody had even touched the console that morning.  Further digging revealed the following in the logs of affected machines:

Log Name: System
Source: Microsoft-Windows-WindowsUpdateClient
Date: 12/08/2015 17:24:00
Event ID: 20
Task Category: Windows Update Agent
Level: Error
Keywords: Failure,Installation
User: SYSTEM
Computer: COMPNAMEXXX.domain.local
Description:
Installation Failure: Windows failed to install the following update with error 0x80092004: Update for Windows Server 2008 R2 x64 Edition (KB3045645).

Then, later on:

Log Name: System
Source: Microsoft-Windows-WindowsUpdateClient
Date: 14/08/2015 10:02:43
Event ID: 19
Task Category: Windows Update Agent
Level: Information
Keywords: Success,Installation
User: SYSTEM
Computer: COMPNAMEXXX.domain.local
Description:
Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 R2 x64 Edition (KB3045645)

Similar entries appeared for several of the failed updates. Clearly what had happened is that another software update scan cycle had taken place and detected that the machine was missing several important updates, specifically those that had failed previously. The updates were then automatically re-tried and successfully installed the second time round. Presumably they needed a reboot before they would install correctly although I have read plenty to suggest this shouldn’t happen. Regardless, the second successful installation instigated our phantom reboots.

My recommendation here would be to ensure you have a dedicated Maintenance Window to alleviate this headache. There were one or two that picked these updates up and installed them after my discovery and the Maintenance Window prevented the reboot from occurring. Obviously it won’t be properly patched until the client has been restarted but that can at least be left to the application owner to decide on a suitable time to do this.

OSD / SCCM / MDT, Software Updates

ADR Gotcha – ADR only fires from the site server

Leave a comment

Very short and (not so) sweet post with a word of warning on ADRs.

CM2012 SP1 R2

I wanted to set up and Automatic Deployment Rule to select a bunch of updates and automatically download and set up my Software Update Group. In my client’s environment the only box with internet access belongs to the SUP. Unfortunately, if you want your ADR to carry out the tasks above then you will need to ensure your Primary Site Server has access to the internet as well.

An ADR will always fire from the Primary Site Server and without internet access, the ADR will fail to download any updates.

You’ve been warned!

OSD / SCCM / MDT

The self-signed certificate could not be created successfully

Leave a comment
Cert
This is an issue that can occur in any situation where a site system role requires a certificate. I have seen it happen when creating a new Management Point or creating a new PXE service point. In the situations I have been in, I find this tends to be profile-related so check that you’re logged on with a ‘proper’ profile, ie not temp, etc.
Assuming this is the case, follow the steps below.
THE FIX
1. Go to C:\Users\<USER ACCOUNT>\AppData\Roaming\Microsoft\Crypto\RSA\<GUID>
2. Delete GUID files within.
3. I restart SMSAgent Host (maybe required)
4. Try again. The GUID files will automatically be recreated and you should be able to proceed with the cert creation.

 

Headaches of an SCCM Admin.