October 2008 - Posts
CCMSetup.exe has a lot more switches than the previous install, so to keep track of them I decided to post links to them here.
How to Install Configuration Manager Clients Manually
http://technet.microsoft.com/en-us/library/bb693546.aspx
About Configuration Manager Client Installation Properties
http://technet.microsoft.com/en-us/library/bb680980.aspx
You will want to be ready to get this one deployed.
What is the purpose of this alert?
Microsoft is scheduled to release a security bulletin (out-of-band) to address a vulnerability in all currently supported versions of Windows. The bulletin is scheduled for release at approximately 10 A.M. Pacific Time on Thursday, October 23, 2008.
This security update will be released outside of the usual monthly security bulletin release cycle in an effort to protect customers. Microsoft recommends customers prepare their systems and networks to apply this security bulletin immediately once released to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit http://www.microsoft.com/protect.
The purpose of this notification is to assist customers with resource planning for this security bulletin release. The information offered in this notification is purposely general in nature to provide enough information for customers to plan for deployment without disclosing vulnerability details or other information that could put them at risk.
Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at (866) PC SAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov.
Microsoft continues to encourage customers to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates, and installing anti-virus and anti-spyware software. Additional information can be found at: http://ww.microsoft.com/protect.
New Bulletin Summary
Bulletin Identifier: Windows Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Detection: Microsoft Baseline Security Analyzer can detect whether your computer system requires this update.
Restart Requirement: The update requires a restart.
Affected Software: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008
The full version of the Microsoft Security Bulletin Advance Notification for this month can be found here: http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx.
Although we do not anticipate any changes, the information provided in this summary is subject to change until the release. At this time, no additional information on this bulletin such as details regarding severity or details regarding the vulnerability will be made available until the bulletin is published.
Public Bulletin Webcast
Microsoft will host a Webcast to address customer questions on the bulletin:
Title: Information about Microsoft Security Bulletins (Level 200)
Date: Thursday, October 23, 2008 1:00 P.M. Pacific Time (U.S. & Canada)
URL: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032393978
Regarding Information Consistency
We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft’s security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s Web-based security content, the information in Microsoft’s Web-based security content is authoritative.
If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.
Thank you,
Microsoft CSS Security Team
As most of you know if you have read any of the reports that I have posted in the past, here at the Commonwealth we use collections to track agencies. This report will show you an overall status and then a breakdown of each agency. This is done by grabbing the parent collection and listing each agency.
**********************************************************
Note: You will need to change your ScopeID to match your location and the Collection ID in the last Select statement to your parent Collection.
**********************************************************
--AuthListID=ScopeId_8BF42CAA-F2A7-4063-A86D-C427EAB89450/AuthList_DC329234-6F0F-4256-879B-FBA1E43A2F0B
--CollID=SMS00001
declare @CI_ID int; select @CI_ID=CI_ID from v_ConfigurationItems where CIType_ID=9 and CI_UniqueID='ScopeId_8BF42CAA-F2A7-4063-A86D-C427EAB89450/AuthList_DC329234-6F0F-4256-879B-FBA1E43A2F0B'
declare @CollCount int, @NumClients int; select @CollCount = count(*), @NumClients=isnull(sum(cast(IsClient as int)), 0) from v_ClientCollectionMembers ccm where ccm.CollectionID='SMS00001'
-- Result set 1: overall totals for the collection (members, non-clients, percent non-clients)
Select
CollectionName=vc.Name,
NumberInCollection=@CollCount,
NonClients=@CollCount-@NumClients,
PComputers=convert(numeric(5,2), (@CollCount-@NumClients)*100.00 / isnull(nullif(@CollCount, 0), 1))
from v_Collection vc
where vc.CollectionID='SMS00001'
-- Result set 2: update list status counts for the collection as a whole
SELECT v_Collection.Name
, sn.StateName AS Status, COUNT(*) AS NumberOfComputers
, CONVERT(numeric(5, 2)
, ISNULL(COUNT(*), 0)* 100.00 / ISNULL(NULLIF (@CollCount, 0), 1)) AS PComputers
, 'ScopeId_8BF42CAA-F2A7-4063-A86D-C427EAB89450/AuthList_DC329234-6F0F-4256-879B-FBA1E43A2F0B' AS AuthListID
FROM v_ClientCollectionMembers AS cm INNER JOIN
v_UpdateListStatus_Live AS cs ON cs.CI_ID = @CI_ID AND cs.ResourceID = cm.ResourceID INNER JOIN
v_Collection ON cm.CollectionID = v_Collection.CollectionID LEFT OUTER JOIN
v_StateNames AS sn ON sn.TopicType = 300 AND sn.StateID = ISNULL(cs.Status, 0)
WHERE (cm.CollectionID = 'SMS00001')
GROUP BY sn.StateName, v_Collection.Name
ORDER BY NumberOfComputers DESC
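-- Result set 3: the same status breakdown for each subcollection (agency) of the parent collection
SELECT v_Collection.Name, sn.StateName AS Status, COUNT(*) AS NumberOfComputers, CONVERT(numeric(5, 2), ISNULL(COUNT(*), 0)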
* 100.00 / ISNULL(NULLIF (@CollCount, 0), 1)) AS PComputers
FROM v_ClientCollectionMembers AS cm INNER JOIN
v_UpdateListStatus_Live AS cs ON cs.CI_ID = @CI_ID AND cs.ResourceID = cm.ResourceID INNER JOIN
v_Collection ON cm.CollectionID = v_Collection.CollectionID INNER JOIN
v_StateNames AS sn ON sn.TopicType = 300 AND sn.StateID = ISNULL(cs.Status, 0) AND cm.CollectionID IN
(SELECT subCollectionID
FROM v_CollectToSubCollect
WHERE (parentCollectionID = 'PA100043'))
GROUP BY sn.StateName, v_Collection.Name
ORDER BY v_Collection.Name DESC
I put this together a few years ago, but there seems to be some interest on the SMS list, so I figured I would share it here.
*************************************************************************
ITMU Fixes
Troubleshooting ITMU
There are 5 main reasons why ITMU doesn’t work.
- Microsoft Updates issues
- McAfee EPO issues
- WMI Issues
- System drive and Registry security
- Trusted Sites
Microsoft Updates issues
ITMU uses the same tools as MicrosoftUpdate.com, so we can treat the problem as if we were trying to fix the website. Open Internet Explorer and go to:
http://update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://update.microsoft.com/microsoftupdate
This website will update the system that you are troubleshooting to the new Windows Update version 6.0. Follow the on-screen prompts. When it asks you to set up automatic updates, set it to disabled. If the website works properly, then ITMU should be functioning properly. If you receive an error, review the log below. Most of the errors can be fixed by running the bat file that is listed below. In some situations you may need to search the internet for the error code that is listed in the log.
You can troubleshoot ITMU/ Microsoft Update by reviewing the following log.
Microsoft Update/ ITMU log:
C:\WINDOWS\WindowsUpdate.log
Note: You can view this log in real time by making the Log viewer in the SMS toolkit v2 your default log viewer.
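A small triage script for the log review described above, added here as an example (it is not from the original post or from Microsoft). The tab-separated field layout, the "hr = ..." error form, the sample lines, and the names parse_line and summarize_errors are assumptions made for illustration.

```python
import re
from collections import Counter

# Failure HRESULTs as "0x80070005" or, an assumed second form, "hr = 8024402c".
HRESULT_RE = re.compile(r"\b(?:0x|hr\s*=\s*)(8[0-9A-Fa-f]{7})\b")

# The only code this page ties to a fix; other codes are looked up by hand.
KNOWN_FIXES = {"0x80070005": "access denied: see System Security / Reset Permissions"}

# Constructed sample lines (not from a real machine). Assumed layout:
# date <TAB> time <TAB> pid <TAB> tid <TAB> component <TAB> message
SAMPLE_LOG = "\n".join([
    "2008-10-23\t10:15:30:101\t1024\t7f8\tAgent\t*** START *** Agent: Finding updates",
    "2008-10-23\t10:15:32:412\t1024\t7f8\tAgent\tWARNING: search failed with error 0x80070005",
    "2008-10-23\t10:15:33:007\t1024\t7f8\tMisc\tWARNING: SendRequest failed with hr = 8024402c.",
    "=========== log rotated ===========",
    "2008-10-23\t11:02:10:550\t1024\ta3c\tAgent\tWARNING: install failed with error 0x80070005",
])


def parse_line(line):
    """Split one log line into fields; return None if it is not a log record."""
    parts = line.rstrip("\r\n").split("\t", 5)
    if len(parts) != 6:
        return None
    date, time, _pid, _tid, component, message = parts
    return {"when": f"{date} {time}", "component": component.strip(), "message": message}


def summarize_errors(log_text):
    """Return one row per (code, component), most frequent first."""
    counts, last_seen = Counter(), {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # separator or wrapped text, not a record
        for digits in HRESULT_RE.findall(entry["message"]):
            key = ("0x" + digits.upper(), entry["component"])
            counts[key] += 1
            last_seen[key] = entry["when"]  # log is chronological
    return [
        {"code": code, "component": comp, "count": n, "last_seen": last_seen[(code, comp)],
         "fix": KNOWN_FIXES.get(code, "not covered here; search for the code")}
        for (code, comp), n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in summarize_errors(SAMPLE_LOG):
        print(row)
```

To run it against a real machine, read C:\WINDOWS\WindowsUpdate.log into a string and pass it to summarize_errors in place of SAMPLE_LOG.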
System Security
One of the main reasons that ITMU fails is that someone removed the System\Everyone security group from the C drive and didn’t set up the new security properly. This shows up as error code 0x80070005.
ITMU uses the following account:
This account is used to install updates. If this account is missing, then ITMU/Microsoft Update will not work properly. This account must have full control of the C drive and all folders to work properly. It will also need control of certain registry keys.
Reset Permissions
This step will reset the permission settings on this system.
Step 1:
1. Download SubInACL (SubInACL.exe):
http://www.microsoft.com/downloads/d...inityDownloads
2. Install it on the system that needs to be fixed.
3. Select C:\Windows\System32 as the Destination Folder during the installation. Later we will use this tool to reset the permission settings on the current machine.
Step 2:
1. Create a bat file with the following text:
@echo off
REM Grant the Administrators group full control of the registry hives and the system drive (recursive).
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f
REM Grant the SYSTEM account the same access.
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f
@Echo =========================
@Echo Finished.
@Echo =========================
2. Execute the Bat file on the system with issues then run Windows Update again.
McAfee EPO Exemptions
In order to get ITMU working correctly you will need to add the following exemptions to McAfee EPO:
- %Windir%\SoftwareDistribution\
- %Windir%\system32\VPCache\
- %windir%\system32\ccm\cache\
- *.cab
Some of the exemptions are listed in this KB article:
http://support.microsoft.com/?kbid=922358
ITMU System Setup
You will need to make sure that the Automatic Updates service is enabled. You will also need to make sure that the Automatic Update schedule settings are disabled. It should look like this:

You can disable this setting through a group policy. For ITMU to work properly we do not need automatic updates running. If it is set up to run, it will cause false proxy errors in the log. This can cause some confusion, so just disable it. Disabling it will not harm the system because ITMU will be doing the patching.
ITMU Common Fix
The most common issue with ITMU is an improperly registered WU or XML DLL.
Running the following bat file fixes most systems. Copy the lines of text between the **** into a txt file called ITMU_fix.bat. After you manually test this script on a few machines you can delete the “pause”; this will make the script silent if pushed through SMS.
ITMU_fix.bat
***************************************
@echo on
net stop wuauserv /Y
net stop bits /Y
CD /D %SystemRoot%\System32
regsvr32 /S Msxml3.dll
regsvr32 /S Wuaueng.dll
regsvr32 /s wuaueng1.dll
regsvr32 /S Wuapi.dll
regsvr32 /S Atl.dll
regsvr32 /S Wucltui.dll
regsvr32 /S Wups.dll
regsvr32 /s wups2.dll
regsvr32 /s wuweb.dll
rd /s /Q %SystemRoot%\SoftwareDistribution
net start bits
net start wuauserv
Rem Delete or Rem the Pause to make script run silent with SMS.
pause
***************************************
Trusted Sites
You may also need to add the following to a GPO for trusted sites:
This doesn’t usually fix ITMU, but it is needed in some cases to get MicrosoftUpdate.com working.
http://*.windowsupdate.microsoft.com
http://download.windowsupdate.com
http://update.microsoft.com/
https://*.windowsupdate.microsoft.com
https://windowsupdate.microsoft.com
Known issue with ITMU
Microsoft has reports of systems that are running at 100% when running ITMU, but in most cases this has been resolved. It is my understanding that machines still experiencing this problem are usually very old, slow machines to begin with.
http://support.microsoft.com/?id=924148
I was trying to install VMware Server 2.0 but kept getting this error:
System Administrator has set policies to prevent this installation.
Click Start -> Control Panel
- Open Administrative Tools
- Open Local Security Settings
- Click Software Restriction Policies
- If no software restrictions are defined, right click the Software Restriction Policies node and select New Software Restriction Policy
- Double click Enforcement
- Select "All users except local administrators"
- Click OK
- Reboot the machine
Found the answer here
When attempting to install VMware Server on a Windows 2003 Server host, you might see the error message System Administrator has set policies to prevent this installation.
Workaround: Right-click the installer file, choose Run as, and enter the Administrator username and password. Additional configuration steps might be required. See http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=590630&SiteID=17.
Interesting that they had this problem in RC1 and RC2 and they didn’t fix it for the final release.
However, it is posted in the release notes:
http://www.vmware.com/support/server2/doc/releasenotes_vmserver2.html