Brett Wilms at myITforum.com

Upcoming SCCM Related Webcasts

2009-05-05T18:00:00Z

Fresh from MMS 2009, Microsoft has a couple interesting webcasts coming up. I just signed up for the following:

TechNet Webcast: How Microsoft does IT: System Center Configuration Manager 2007 Client Health Strategies (Level 300)

TechNet Webcast: How Microsoft does IT: Using Local Policies to Solve Complex System Center Configuration Manager 2007 Client Challenges (Level 300)

If you're not familiar with Paul Thomsen, who is running these webcasts, he has been working with the SMS/SCCM product for over 12 years and knows his stuff. I always get a few useful takeaways when I attend his sessions.

Microsoft Offers Secure Windows … But Only to the Government

2009-05-02T12:28:00Z

This Wired article discusses how Microsoft and the Air Force worked together to develop a specially configured version of Windows XP in order to minimize administration and security vulnerability:

"The Air Force, on the verge of renegotiating its desktop-software contract with Microsoft, met with Ballmer and asked the company to deliver a secure configuration of Windows XP out of the box. That way, Air Force administrators wouldn’t have to spend time re-configuring, and the department would have uniform software across the board, making it easier to control and maintain patches."

Not bad, if you can swing that type of negotiation with Microsoft. But what does this mean for businesses and consumers? As stated in the artice, security experts are waiting for the "trickle down" effect from partnerships such as these, but there are no signs of it yet

Microsoft Changing the Behavior of AutoRun in Windows

2009-04-29T17:21:00Z

Microsoft announced this morning that they will be changing the behavior of AutoRun so that is is not enabled for devices other than optical media. This is in response to the changing threat environment, most notably with Conficker, which utilizes the AutoRun feature on Windows to exploit vulnerabilities through use of mass storage devices (USB keys, external hard disk drives, etc).

Windows 7 RC will be the first to receive these changes followed by an update for Windows Vista and Windows XP.

Here's the article from the Microsoft Security Response Center: http://blogs.technet.com/msrc/archive/2009/04/28/changes-in-windows-to-meet-changes-in-threat-landscape.aspx

2007 Microsoft Office Suite Service Pack 2

2009-04-28T17:15:00Z

Maybe I was sleeping or too busy last week, but I just noticed Microsoft released Service Pack 2 (SP2) for the 2007 Microsoft Office Suite.

Some changes worth highlighting are:

OpenDocument Format (ODF) support
Built-in Save As PDF/XPS support
General performance improvements

View the full list here: http://support.microsoft.com/kb/953195

Using SQL to Search Collection Queries

2009-04-23T12:57:00Z

Computers aren't perfect. Sometimes they just don't report properly to SMS. In one particular case, we had a computer whose Add/Remove Programs information was not populating in the SMS database. For this reason, they were showing applicable for several recurring advertisements we had out there and kept having jobs forced on them. Not fun for the user.

It was requested of me to manually filter the computer out of the query based collections to give them time to rebuild the machine. Even though I was hesitant to do so I finally did, adding something like AND Name != 'COMPUTERNAME' at the end of the query statements.

A month has past and now I've been asked to remove those statements, as the computer is healthy again. Easy enough...oh wait...what collections did I modify again?

I went to my old friend - the SQL database - to see if it could help me with my problem. Turns out, it had everything I needed.

I logged on to my server and opened SQL Server Management Studio. After connecting, I clicked "New Query" and made sure the SMS database was selected in the "Available Databases" dropdown. I then used the following statement:

SELECT *
FROM v_CollectionRuleQuery crq JOIN v_Collection col on crq.CollectionID=col.CollectionID
WHERE crq.QueryExpression LIKE '%COMPUTERNAME%'

This gave me everything I needed in order to find the queries that contained the computer in question. SQL to the rescue yet again!

Is a Secondary Site the Answer?

2009-04-14T14:27:00Z

As mentioned before, we're working on a side-by-side upgrade to SCCM 2007 from SMS 2003. We have less than 10,000 clients and currenty have a primary site in each of three geographical regions to serve as the Management Point for the regional clients. One of the challenges we are facing is that we are without a server to complete the side-by-side process in one region. So, we're trying to figure out the best way to address this situation:

1. In-place uprade the current SMS 2003 site server to SCCM 2007
2. Move the clients to another location temporarily, rebuild the current server and move them back
3. See if we can setup a Secondary Site in region and eliminate the need for a full primary site

Option three sounds very appealing to us, however it is the most "uncertain" of our options. We have always used Primary Sites and have never considered Secondary Sites in the past. I've been doing a lot of reading and have found the following benefits to implementing a Secondary Site with a Proxy Management Point:

1. One less SCCM license to purchase
2. Less administration than a Primary Site server
3. Transfers information as Site-To-Site traffic using custom bandwidth limitations and compression

On the downside, we need to figure out if the Secondary Site and Proxy management Point can be installed on another application server. Additionally, we'd have to figure out who we would want the parent to be. And from an aesthetic perspective, we would then have two Primary children and one Secondary child. Why not go Secondary site all the way?

The following articles helped me get a little better grasp of the subject matter. Hopefully I'll have this one figured out sooner rather than later.

Determine If a Proxy Management Point is Needed at a Secondary Site
Proxy Management Point: Benefits and Otherwise

Report: All collections for a specific computer

2009-04-13T13:53:00Z

The SMS 2003 web report query below returns the collection membership for a specific computer name. It also displays whether the collection has an advertisement associated with it. I've found it very helpful when trying to determine what advertisements a client should be receiving as well as if the client has ended up in some "funny" collections. It is similar to the canned report "All advertisements for a specific computer".

SELECT  fcm.Name,
  col.Name,
  adv.AdvertisementName,
  col.CollectionID

FROM  v_Collection col JOIN
  v_FullCollectionMembership fcm ON col.CollectionID=fcm.CollectionID LEFT JOIN
  v_Advertisement adv ON col.CollectionID=adv.CollectionID

WHERE  fcm.Name LIKE @name
ORDER BY col.Name

Copy and paste the above query into SMS web reporting, remembering to create a prompt. Or simply download the attached TXT file, rename it to a MOF and import it into SMS Reporting.

All collections for a specific computer (custom).mof.txt

Microsoft Security Bulletin Advance Notification for April 2009

2009-04-09T17:10:00Z

Microsoft released their Advance Notification for April 2009 Software Updates.

It looks like five Windows patches (two of which are "Elevation of Privilege"), and one each for IE, Excel, and ISA.

Conficker Eye Chart

2009-04-09T17:05:00Z

The Conficker Eye Chart is a simple detection tool for determining whether your computer has been infected by Conficker. Depending on what images appear (or don't appear) in your browser you may be infected with a specific variant. Pretty clever. Why didn't I think of that?

What's that TMP file doing filling up my free space?

2009-04-09T11:38:00Z

In our environment, we have roles separated out. The software packaging team handles preparation of the application and packaging in SMS. The Systems Management Team handles everything else.

A new packaging team member was learning the ropes of SMS packaging and gave me a call.

"Brett, the package isn't available for me to deploy yet. I copied it to the Distribution Point, but it hasn't shown up yet. Can you have a look?"

Meanwhile, I get a call from our storage team.

"Brett, you seem to have a very large file growing continually larger on your D drive. You might want to take a look."

He was right. There was a TMP file growing at about 270MB per minute on my D drive. I saw the free space drop in chunks. I didn't know what to do. Before I knew it, free space was gone and then - poof - the file had disappeared and all my space was returned to me. That was about the best possible scenario I could have imagined (the one I was expecting was much worse).

I performed a Windows search in the SMS\logs directory, looking for files containing the phrase "TMP". One file was returned - distmgr.log. Could the package distribution issue and the monster TMP file somehow be related? Then I saw this in the log:

Starting to compress \\CENTRALSITESERVER\PKG_SRC to D:\_S Ms9ie.TMP for package ABC000E4
...
Cannot write to output file, Win32 Error = 112
CTool::CompressAndAppendFile failed, error = 4, win32 = 112, filename = (null)
Cannot compress \\CENTRALSITESERVER\PKG_SRC to D:\_S Mroa3.TMP, last failed file is , Win32 error = 112
STATMSG: ID=2309 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=CENTRALSITESERVER SITE=ABC PID=1940 TID=9476 GMTDATE=Tue Mar 24 21:30:35.329 2009 ISTR0="ABC000E4" ISTR1="\\CENTRALSITESERVER\PKG_SRC" ISTR2="" ISTR3="D:\_S Mroa3.TMP" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="ABC000E4"
Cannot create the compressed copy for package ABC000E4.
StoredPkgVersion (0) of package ABC000E4. StoredPkgVersion in database is 0.
SourceVersion (1) of package ABC000E4. SourceVersion in database is 1.
STATMSG: ID=2302 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=CENTRALSITESERVER SITE=ABC PID=1940 TID=9476 GMTDATE=Tue Mar 24 21:30:35.344 2009 ISTR0="PACKAGER - PI 2008" ISTR1="ABC000E4" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="ABC000E4"
Failed to process package ABC000E4 after 28 retries, will retry 72 more times
Exiting package processing thread.
Used 0 out of 3 allowed processing threads.

It turned out that the packge created by the new team member was pointing to the root of our package repository, instead of the subdirectory. SMS tried to compress the data for the "package" (which in this case was the source files for ALL packages) but due to space limitations, it choked and said "I quit".

I went into the package, corrected the source directory, resent it to the distribution point and everything was happy. Lesson learned - a little more supervision and direction may be necessary for first time packagers.

Conficker Traffic - A Picture Is Worth A Thousand Words

2009-04-07T12:09:00Z

An image does wonders in explaining the amount of traffic that can be caused by the Conficker worm:

A Look Inside Conficker P2P Traffic

[via Chris Mosby]

System Center Configuration Manager Checkilists

2009-04-07T11:46:00Z

We are in the process of our migration from SMS 2003 SP3 to SCCM 2007 SP1 R2. Our upgrade track is "side-by-side", allowing us the flexability to get SCCM up and running and become comfortable with the environemnt before migrating clients.

As part of planning for the upgrade, I have often referenced the documentation available on TechNet for System Center Configuration Manager 2007. In addition to the expected planning and deployment documents, I've recently come across Configuration Manageer Checklists:

Configuration Manager Planning Checklist
Configuration Manager Deployment Checklist
Configuration Manager 2007 Upgrade Checklist

These documents force you to think through each step in the planning and deployment process and reference other documents for more detailed tasks.

Allow me to introduce myself...

2009-04-04T11:48:00Z

Now that I've gotten a cople posts under my belt, I figure it's time for brief introduction. I've been an active myITforum member for a little over three years now (time sure does fly). I started participating on the forums when I accepted a role supporting an SMS 2003 environment. In that time I've gone from the "new guy" to the lead for the product in our company.

I enjoy perusing through the SMS database in search of ways to get more information out, which is why I tend to gravitate towards reporting. I've also developed an interest for the security side of things, seeing that we are the ones who deploy the Software Updates. It interests me (scares me?) what this arena is going to be like in 10 years.

On a personal level, I live nearby Akron/Cleveland, OH. I'm getting married this year and training for my second season of triathlons (specifically offroad, Xterra triathlons). It's a lot of work - both mentally and physically. Mountain biking is a great hobby of mine, but I need to find things to do when the trails are wet and muddy, so I run, cross-country ski, hike...basically anything that gets me outdoors and in the woods is best. I've also got an 18 month old rescue Italian Greyhound that both challenges me an brings me wonderful joy.

We've all had technical issues we couldn't search our way out of. We've all had those forum posts with zero responses where you realize everyone else is as clueless about it as you are. My goal with this is to share little bits of what I learn along the way in my adventures in Systems Management so as to increase the Internet knowledge base (and some other stuff while I'm at it). Hopefully I help someone out in the process, whether through a Google search on an issue or through regular readership. Regardless how you got here, thanks for coming.

Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution

2009-04-03T17:09:00Z

Microsoft released Security Advisory 969136 last night, reporting an unpatched vulnerabilty in Microsoft Office Powerpoint. I'm wondering if this one will make it into the April Software Updates? My gut feeling is "No", since they still haven't addressed the Microsoft Office Excel vulnerability published in late February.

That's okay. I've got enough work getting Adobe Reader and Adobe Flash Player up-to-date with their latest releases.

More links for you:
http://blogs.technet.com/msrc/archive/2009/04/02/microsoft-security-advisory-969136.aspx
http://tools.cisco.com/security/center/viewAlert.x?alertId=17966
http://blogs.zdnet.com/security/?p=3088&tag=nl.e539