Shaun Cassells at MyITForum.com

Systems Management Server (SMS) 2003, System Center Configuration Manager (SCCM or ConfigMan) 2007, PowerShell, scripting and security (including patching), Finance, Fitness and Fun

May 2008 - Posts

Upgrading ConfigMgr 2007 RTM to SP1: Common Prerequisite Components Download Failures

I have found 3 common failures during the ConfigMgr (SCCM) 2007 Setup Prerequisite Components Download task:

  1. Destination Path has spaces
  2. Execution account does not have rights to the internet: Proxy Problem
  3. Using the path where you stored the prerequisites from RTM
 

The following is what you will experience in the Setup Wizard if you have any of these 3 failures:

During the setup…

  1. Check for updates and download newer versions to an alternate path step
  2. Select local file location
  3. Successfully downloaded all prerequisite components
  4. Error: Component manifest was not found or it was invalid
 

Because the error appears in the wizard, which precludes you from doing any error checking, we are going to do some tests via the command line.

Note: log files referenced below can be found on the root of your primary partition.

  • ConfigMgrPrereq.log
  • ConfigMgrSetup.log
 

Command Line to download prerequisites:

.\SCConfigMgr07_UPD_EN\SMSSETUP\BIN\I386\setup.exe /download <DestinationPath>

 

1. Destination Path Has Spaces

Do not specify a destination directory with spaces.  This error will occur even if the directory is in quotes.  You will get the following error:

<05-28-2008 17:13:04> The command line options are /DOWNLOAD "C:\A B C"
<05-28-2008 17:13:04> Checking for component updates...
<05-28-2008 17:13:04> Download folder "C:\A B C" does not exist
<05-28-2008 17:13:04> Failed to download prerequisite components (0x80070003)

Fix: Use a path with no spaces.  Yep that’s it.  Easy.

 

2. Account running the command line does not have rights to access the internet: Proxy Problem

You may be lucky enough to have an environment like mine, where your regular account does not have rights to execute an installer file (no local admin), and the account that does have those rights, which you used to open a command prompt to run the exe (see below), does not have rights to access the corporate proxy.  In that case you will get the following error:

<05-28-2008 17:07:16> The command line options are /DOWNLOAD C:\SCCMprereq
<05-28-2008 17:07:16> Checking for component updates...
<05-28-2008 17:07:16> Downloading component manifest...
<05-28-2008 17:07:17> Downloading http://go.microsoft.com/fwlink/?LinkId=104106 as ConfigMgr.manifest.cab
<05-28-2008 17:07:17> checking if there's an explicit proxy server.
<05-28-2008 17:07:17> WinHttpQueryHeaders() in Download() returned ( The ISA Server denied the specified Uniform Resource Locator (URL).  )
<05-28-2008 17:07:17> Download() failed with 0x80004005
<05-28-2008 17:07:17> Failed to download manifest (0x80004005)
<05-28-2008 17:07:21> Failed to download prerequisite components (0x80004005)

Fix: How do I get internet access to my admin account?

  1. Open a command prompt
    1. Winkey + R
    2. Cmd.exe
  2. Open a command prompt with an account with admin rights
    1. Runas /user:Domain\UserID cmd
  3. Open Internet Explorer (must be done from admin rights prompt)
    1. C:\
    2. cd "Program Files\Internet Explorer"
    3. iexplore.exe
  4. Change the proxy settings (you can see the current proxy setting by opening IE with your normal account and following the same steps below)
    1. IE7 and IE6 (same method; the buttons are in slightly different places)
      i. Tools
      ii. Internet Options
      iii. Connections Tab
      iv. LAN Settings
      v. Enter values for Proxy Server
  5. Open a webpage
  6. When it asks you for credentials make sure you check the save credentials option!
 

3. You use the path where you stored the prerequisites from RTM

 

Scenario: You still have the path where you downloaded your prerequisites from the RTM version of ConfigMgr, and you attempt to run the /download command from the SP1 version of ConfigMgr.  The download will succeed without transferring any files.  However, when you run the setup wizard again, you will get the same “Component manifest was not found or it was invalid” error.

 

Why is this?  Well, there are 5 files that changed from RTM to SP1:

  1. Ccmsetup.cab (added in for SP1)
  2. ConfigMgr.manifest.cab
  3. WindowsUpdateAgent30-ia64.exe
  4. WindowsUpdateAgent30-x64.exe
  5. WindowsUpdateAgent30-x86.exe
 

Fix: There are two brutally easy fixes.

  1. Choose a different destination directory
  2. Delete the files 2-5 from the list above
 

Then run the command line again.

 

If you avoid all 3 of these problems you’ll have no problems with the download prerequisites step.
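A pre-flight check for failures 1 and 3 plus a classifier for the two log signatures shown above, as an added example that is not part of the original post. The function names are hypothetical, and treating a folder without Ccmsetup.cab as an RTM download is an assumption drawn from the file list above.

```powershell
# Added example, not from the original post. Function names are hypothetical.

# Files the post lists as changed between RTM and SP1 (items 2-5).
$ChangedInSp1 = 'ConfigMgr.manifest.cab',
                'WindowsUpdateAgent30-ia64.exe',
                'WindowsUpdateAgent30-x64.exe',
                'WindowsUpdateAgent30-x86.exe'

function Test-PrereqDownloadPath {
    # Emits one string per problem found; no output means the path looks usable.
    param([Parameter(Mandatory = $true)][string]$Path)

    # Failure 1: a space anywhere in the path fails, even when the path is quoted.
    if ($Path -match ' ') {
        "Path contains a space: $Path"
    }

    # Failure 3: files left from an RTM download are not refreshed by the SP1 download.
    if (Test-Path -LiteralPath $Path -PathType Container) {
        $present = @($ChangedInSp1 | Where-Object { Test-Path -LiteralPath (Join-Path $Path $_) })
        $hasSp1Cab = Test-Path -LiteralPath (Join-Path $Path 'Ccmsetup.cab')
        if ($present.Count -gt 0 -and -not $hasSp1Cab) {
            # Assumption: Ccmsetup.cab missing next to these files means an RTM download.
            "Looks like an RTM download (no Ccmsetup.cab). Delete: $($present -join ', ')"
        }
    }
}

function Get-PrereqDownloadFailure {
    # Maps setup log lines to the failure they indicate.
    param([Parameter(Mandatory = $true)][string[]]$LogLine)

    foreach ($line in $LogLine) {
        if ($line -match 'Download folder "(?<folder>[^"]*)" does not exist') {
            "Failure 1, destination path not usable: $($Matches['folder'])"
        }
        elseif ($line -match 'WinHttpQueryHeaders\(\) in Download\(\) returned \(\s*(?<reason>.*?)\s*\)\s*$') {
            "Failure 2, proxy refused the running account: $($Matches['reason'])"
        }
    }
}

# Log lines quoted from the two failures shown in the post.
$sample = @(
    '<05-28-2008 17:13:04> Download folder "C:\A B C" does not exist',
    '<05-28-2008 17:07:17> WinHttpQueryHeaders() in Download() returned ( The ISA Server denied the specified Uniform Resource Locator (URL).  )'
)
Get-PrereqDownloadFailure -LogLine $sample
Test-PrereqDownloadPath -Path 'C:\A B C'
```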

 

Enjoy

http://myitforum.com/cs2/blogs/scassells/default.aspx

 

Posted: May 29 2008, 05:11 PM by scassells | with no comments
SysInternals Tools run from the web and passing admin rights

Anthony put up a cool post about being able to run Sysinternals tools from the web.  Here:

http://myitforum.com/cs2/blogs/socal/archive/2008/05/28/sysinternals_2D00_tools_2D00_can_2D00_now_2D00_run_2D00_from_2D00_the_2D00_web.aspx

In many environments your regular account does not have local admin rights.  Our admin accounts do not have internet rights.  Good news: you can run these tools with your local account and add the switches to pass your admin account rights.  If you leave off -p, PsExec prompts for the password instead of taking it on the command line.

Example:

\\live.sysinternals.com\tools\psexec.exe -u us\UserID -p Passw0rd \\ComputerName cmd.exe

 

Posted: May 29 2008, 11:02 AM by scassells | with no comments
Upgrading ConfigMgr 2007 RTM to SP1: Prerequisite Checks - Command Line versus Wizard

Two methods exist to check your prerequisites:

  1. Use the splash.hta and Run the prerequisite checker
  2. Use the Command Line switch /prereq
    1. .\SCConfigMgr07_UPD_EN\SMSSETUP\BIN\I386\setup.exe /prereq
 

What makes this so interesting?

Method 1 (the wizard) returns:

  •     All Required Prerequisite tests have completed successfully.

Method 2 (running via the command line) returns the 4 following warnings:

  • Schema extensions
    • Configuration Manager Active Directory schema extensions are not required, for site server installation, but are recommended to fully support the use of all Configuration Manager features.
  • Windows Server 2003-based schannel hotfix
    • Configuration Manager out of band service point requires Windows Server 2003-based schannel hotfix. The schannel hotfix is available for download at: http://support.microsoft.com/kb/942841/en-us.
  • Windows Remote Management (WinRM) v1.1
    • WinRM v1.1 is required to run the out of band console and must be installed before primary site or Configuration Manager console installations or upgrades. WinRM 1.1 is available for download at: http://support.microsoft.com/kb/KB936059.
  • MMC updates for Configuration Manager (Software Updates)
    • This software update addresses several MMC errors that may occur when running the Configuration Manager console. This update should be applied if any of the following occur: Configuration Manager console stops responding when the host computer is low on available memory, context menu errors on console home pages, or inconsistent display after drag-and-drop operations do not succeed. More information about this update is available at: http://go.microsoft.com/fwlink/?LinkId=98349.

 

TechNet Reference for all possible values: http://technet.microsoft.com/en-us/library/bb680951.aspx

 

Something interesting: Each of the above hotfixes for Server 2003 is not publicly available.  You must submit an online request to obtain the hotfix at this link: http://go.microsoft.com/?linkid=6294451

Posted: May 29 2008, 09:26 AM by scassells | with no comments
Delete a successful Direct Member from an SMS 2003 / ConfigMgr 2007 collection based on a date in VB
In SMS 2003 and ConfigMgr (SCCM) 2007 you can create a Direct Member to a collection.  This may or may not be the best option for you.  We can debate that later.

You have to be concerned about the number of Direct Memberships the SMS 2003 / ConfigMgr 2007 server must evaluate.  The ColEval.log on the server could be overwhelmed if too many memberships are created and then the collection refreshed.  Overwhelmed does not mean any errors; rather, many tasks will be queued, leaving you wondering why offers are not being produced.

You can check to see if you have any collections refreshing with the following SQL Query:

select CollectionName, ChangeCount, CurrentStatus, CurrentStatusTime From dbo.collections where Currentstatus not in ('0','1') order by CurrentStatusTime

What is the big deal about the Collection Evaluator NOT being multithreaded?  It means that when the collection is evaluated, the SMS 2003 / ConfigMgr 2007 server must do a SQL query to identify each individual record, as opposed to a query which can return results en masse (depending how it was written).

For this reason I created the following script to remove Direct Members for a successful application deployment before a certain user-specified date.

Example: You have a collection with 100 Direct Members.  90 of them have succeeded.  85 succeeded more than 3 months ago.  Why do you still need those 85 successful 3 month old Direct Memberships?  Best Practice appears to be 3 months.  If the offer was successful for more than 3 months, you usually do not need to re-execute the advertisement on the client.

Here is the code below (watch out for word wrap!)

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' The following tool has several inputs and loops
' Inputs:
'       Server Name
'       Site Code
'       Date to query on
'       Blank or a capital Y
'
' This tool will query for direct memberships in all collections before date from input
'
' Created by Shaun Cassells
' http://myitforum.com/cs2/blogs/scassells/default.aspx
'
'
'
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Dim loc
Dim oArgs
Dim strComputer, ResID
Dim strServer, strSiteCode
'Dim Rules() As Variant    'Array of rules for DeleteMembershipRules
Dim total, TotalMembers

Set oArgs = WScript.Arguments

If oArgs.Count = 3 Then
 WSCRIPT.ECHO "Please use 3/4 inputs"
 WSCRIPT.ECHO " SMS Server"
 WSCRIPT.ECHO " SMS Site Code"
 WSCRIPT.ECHO " Date to display rules before -ex. '1/1/2008'"
 WSCRIPT.ECHO " Blank displays results / Y = delete"
 WSCRIPT.ECHO ""
End If
If (oArgs.Count < 3) or (oArgs.Count > 4) Then
 WSCRIPT.ECHO "Please use 3/4 inputs"
 WSCRIPT.ECHO " SMS Server"
 WSCRIPT.ECHO " SMS Site Code"
 WSCRIPT.ECHO " Date to display rules before -ex. '1/1/2008'"
 WSCRIPT.ECHO " Blank displays results / Y = delete"
 WSCRIPT.ECHO ""
 WSCRIPT.QUIT
End If
   strServer = oArgs(0)
   strSiteCode = oArgs(1)
   strDate = oArgs(2)
   If oArgs.Count = 4 Then
    bGO = oArgs(3)
   End If

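'convert extra chars in date to be correct format
strDate = replace(strDate, "\", "/")
strDate = replace(strDate, "-", "/")

'Remove single or double quotes from date string
strDate = replace(strDate,"'","")
strDate = replace(strDate,"""","")
'wscript.echo strDate

'strDate and strSiteCode are concatenated into the SQL text below, so reject
'anything that is not a real date or a 3 character alphanumeric site code
Set reSite = New RegExp
reSite.Pattern = "^[A-Za-z0-9]{3}$"
If Not IsDate(strDate) Or Not reSite.Test(strSiteCode) Then
 WSCRIPT.ECHO "Invalid date or site code - nothing was queried or deleted"
 WSCRIPT.QUIT
End If

'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Set loc = CreateObject( "WbemScripting.SWbemLocator" )
Set WbemServices = loc.ConnectServer( strServer,"root\SMS\site_" & strSiteCode)
'WScript.Echo strComputer & " ResourceID in " & strServer & " is " & ResID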

'Query that finds count of successful direct members in all collections
'Excludes SUSFP and ITMU
'Excludes nonstandard resources
strQry =  "SELECT     dbo.v_AdvertisementInfo.CollectionID, dbo.v_AdvertisementInfo.CollectionName, COUNT(dbo.v_CollectionRuleDirect.ResourceID) AS Total " & _
" FROM dbo.v_CollectionRuleDirect INNER JOIN dbo.v_AdvertisementInfo ON dbo.v_CollectionRuleDirect.CollectionID = dbo.v_AdvertisementInfo.CollectionID INNER JOIN dbo.v_ClientAdvertisementStatus ON dbo.v_CollectionRuleDirect.ResourceID = dbo.v_ClientAdvertisementStatus.ResourceID AND  dbo.v_AdvertisementInfo.AdvertisementID = dbo.v_ClientAdvertisementStatus.AdvertisementID " & _
" WHERE (dbo.v_ClientAdvertisementStatus.LastStateName = 'succeeded') AND (dbo.v_ClientAdvertisementStatus.LastStatusTime < CAST('" & strDate & "' AS DateTime)) AND (dbo.v_AdvertisementInfo.CollectionName NOT LIKE '%SUSFP%') AND (dbo.v_AdvertisementInfo.CollectionName NOT LIKE '%ITMU%') AND (dbo.v_CollectionRuleDirect.RuleName NOT LIKE 'ResourceID=%') " & _
" and (dbo.v_AdvertisementInfo.CollectionID like '" & strSiteCode & "%') " & _
" GROUP BY dbo.v_AdvertisementInfo.CollectionName, dbo.v_AdvertisementInfo.CollectionID " & _
" ORDER BY Total desc" 'dbo.v_AdvertisementInfo.CollectionID"
'wscript.echo strQry

'Connect SQL
Set cn = CreateObject("ADODB.Connection")
Set cmd = CreateObject("ADODB.Command")
constring = "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=SMS_" & strSiteCode & ";Data Source="& strServer
cn.ConnectionString = constring
cn.Open
Set cmd.ActiveConnection = cn
cmd.Prepared = True
cmd.CommandText = strQry
'wscript.echo strQry
Set rs = cmd.Execute
If rs.EOF Then
 WScript.Echo "Query did not return any successful direct members !  Please try again." & VBCrLF & "You entered date:  " & strDate
Else
 Wscript.ECHO "------------------------------------------------------------------------------"
 Wscript.ECHO "Collection ID, Number of Identified Members, Collection Name"
 Wscript.ECHO "------------------------------------------------------------------------------"
 'Used to count loops - total number of collections (summary)
 total = 0
 'Used to show how many members returned (summary)
 TotalMembers = 0
 Do Until rs.EOF
  total = total + 1
  TotalMembers = TotalMembers + rs(2)
  If bGO = "Y" Then
   Wscript.ECHO "------------------------------------------------------------------------------"
  End If
  Wscript.Echo rs(0) & ", " & rs(2) & ", " & rs(1)
  
  If bGO = "Y" Then
   'Wscript.ECHO "SMS_Collection.CollectionID=""" & rs(0)& """"
    Set instCollection = WbemServices.Get("SMS_Collection.CollectionID=""" & rs(0)& """")
   
   'Query finds exact number of members to delete
   strQry2 = "SELECT dbo.v_CollectionRuleDirect.RuleName, dbo.v_CollectionRuleDirect.ResourceID " & _
   " FROM dbo.v_CollectionRuleDirect INNER JOIN dbo.v_AdvertisementInfo ON dbo.v_CollectionRuleDirect.CollectionID = dbo.v_AdvertisementInfo.CollectionID INNER JOIN dbo.v_ClientAdvertisementStatus ON dbo.v_CollectionRuleDirect.ResourceID = dbo.v_ClientAdvertisementStatus.ResourceID AND dbo.v_AdvertisementInfo.AdvertisementID = dbo.v_ClientAdvertisementStatus.AdvertisementID " & _
    " WHERE     (dbo.v_ClientAdvertisementStatus.LastStateName = 'succeeded') AND (dbo.v_ClientAdvertisementStatus.LastStatusTime < CAST('" & strDate & "' AS DateTime)) AND (dbo.v_CollectionRuleDirect.RuleName NOT LIKE 'ResourceID=%') AND (dbo.v_AdvertisementInfo.CollectionID = '" & rs(0) & "')"
 
   'note array is ZERO to one minus total size
   ReDim Rules((rs(2)-1)) '(0 to rs(2)) array must contain exact number of objects
   i = 0
    
   cmd.CommandText = strQry2
   Set rs2 = cmd.Execute
   If rs2.EOF Then
    WScript.Echo "No successfully completed direct members found!  Please try again." & VBCrLF & "You entered:  " & strDate
   Else
    Do Until rs2.EOF
     Wscript.Echo rs2(0) & ", " & rs2(1)
     ' Identify and delete the direct rule.
      Set instDirectRule = WbemServices.Get("SMS_CollectionRuleDirect").SpawnInstance_
       instDirectRule.ResourceID = rs2(1)
       Set Rules(i) = instDirectRule
       i = i+1
       'wscript.echo i
     rs2.MoveNext
    loop
   End If
  
  Wscript.ECHO "------------------------------------------------------------------------------"
  WSCRIPT.ECHO "Deleting total of " & rs(2) & " members from " & rs(1)
 
  ' commit rules delete  
  
     'On Error Resume Next
     instCollection.DeleteMembershipRules  Rules
     'On Error GoTo 0
     'Wscript.ECHO "------------------------------------------------------------------------------"
     'Wscript.Echo "*************************Pausing********************************"
     'Wscript.ECHO "------------------------------------------------------------------------------"
     'Wscript.Sleep(5000)
   End If
  Set rs2 = Nothing
 rs.MoveNext
 
 'The following can be used to limit the number of loops.
 ' useful to remove the process lock when doing lots of deletes
 If (bGO = "Y") And (total > 100) Then
  'Call Cleanup
 End If

 Loop
 Wscript.ECHO "------------------------------------------------------------------------------"
 Wscript.ECHO "Total collections = " & Total & VBCrLF & "    Total Members = " & TotalMembers
 Wscript.Echo " for successful direct rule collections before " & strDate
End If
Call Cleanup
Wscript.quit

Sub Cleanup
 cn.Close
 
 Set rs = Nothing
 Set cmd = Nothing
 Set cn = Nothing
 Set instances = NOTHING
 Set WbemServices = NOTHING
 Set strQry = NOTHING
 Set loc = Nothing
 Wscript.quit
End Sub

Fun with Office Assistant Merlin in VB
The following simple VB script will bring up a Merlin Office Assistant and move him around.  The MoveTo locations assume dual monitors.  This was originally created to annoy coworkers who did not lock their workstation when leaving for meetings. Enjoy.  

'Created by Shaun Cassells
''''''''''''''''''''''''''''''''''''''''
agFl = "C:\Windows\Msagent\Chars\merlin.acs"
'''''''''''''''''''''''''''''''''''''''''''

'Create an MSAgent Object
Set objAgent = CreateObject("Agent.Control.2")

objAgent.Connected = TRUE
'Load the Merlin as the current char
objAgent.Characters.Load "Merlin", agFl

'generate a character object for the agent object
Set objCharacter = objAgent.Characters.Character("Merlin")

'Show the Agent
objCharacter.Show
'Make it animate and talk
objCharacter.Play "GetAttention"
objCharacter.Play "GetAttention"
objCharacter.MoveTo 500,400
objCharacter.Play "Announce"
objCharacter.Speak "Remember Kids, Be cool Lock your Computer!"
objCharacter.Play "Surprised"
objCharacter.Speak "Jeremy Clarckson, say's that is a lot of Torques!"
objCharacter.Play "Pleased"
objCharacter.Think "Maybe I should move around a little ...."
objCharacter.MoveTo 1500,400
objCharacter.Play "Alert"
objCharacter.Speak "Hey you!"
objCharacter.GestureAt 800, 0
objCharacter.Speak "Yeah You!"
objCharacter.Play "Congratulate"
objCharacter.Speak "Lock your puter!"
objCharacter.Play "Congratulate_2"

 


'Now hide the agent
objCharacter.Hide

'The below three lines are very important for the correct functioning of the agent char. else
' the script will conclude it's execution even before the character is loaded
'on the screen
Do While objCharacter.Visible = TRUE
'This makes the script wait until the objCharacter.Hide statement is executed
    Wscript.Sleep 250
Loop

'End of Script

Direct Connect: death of the DMZ becoming reality

The following article blurb sounds like a wonderful solutions accelerator.  I can't wait to get rid of a DMZ or even better our VPN dialers.  I wonder how well this will work with laptop encryption and two factor authentication. 

------

Last Friday, Steve Riley - security architect at Microsoft did an excellent session about various security subjects in Amsterdam. One of the subjects was a technology that I only knew of as highly secret within Microsoft and probably one of the biggest changes in network security to come.

Imagine that corporate end users are able to take their corporate mobile systems to any Internet connected place and work with corporate resources without a VPN or gateway. This enables the users to connect to Active Directory, have their clients managed while at home or traveling. At the same time users get full access to the corporate network without the hassle of extra client software or gateways.

Direct Connect uses IPv6 with IPSec to create safe direct connectivity to servers on corporate networks for trusted clients. This is quite a revolutionary approach, as it enables clients from the Internet to bypass the DMZ. The concept relies on IPSec authentication and encryption. Microsoft's new IPSec implementation in Windows Vista and Server 2008 allows IPSec connections to be based on both computer and user credentials, combined with Network Access Protection for system health enforcement. The only thing an edge router has to do, is filter incoming traffic to allow only IPSec initiation requests and subsequent IPSec traffic. Any standard router can do just that.

Steve Riley pointed out that you can build a Direct Connect infrastructure with standard products currently available from Microsoft and that Microsoft will provide more information in the near future. He also mentioned that Microsoft marketing is not yet thrilled, because no extra licenses will be needed to build a Direct Connect infrastructure.

Microsoft is currently running a (secret) pilot with Direct Connect that enables participants to use their corporate laptops to directly work with systems on the corporate network from the Internet.

I told Steve I can't wait for the white paper "How to build a Direct Connect infrastructure" and get instant access to my home systems from any place in the world.

 

source: http://www.xpworld.com/

Great Idea: Organic Pepper Spray

Just hit me this morning a truly great idea.

I am going to patent the idea of Organic Pepper Spray.  How great would that sell in California in little earthy green bottles and hemp carrying cases.

I know I jest, but the idea is a really good one.  Any one interested in starting up a business?

SMS 2003: How to get the fastest execute of a dependent package chain on a client

SMS 2003 and SCCM 2007 / ConfigMgr 2007 allow the execution of packages in a specific order.  This post will not cover the server / package / program settings; rather, this will cover how a client evaluates a series of offers some of which are dependent programs. 

 

So what happens when a client receives multiple advertised offers that includes packages with dependencies?

 

Okay this tells me, it goes into a loop, evaluating each iteration until eventual completion. 

 

How does the client decide which Advertisement to evaluate first?

If multiple advertisements are received at the same time, the SMS 2003 client will evaluate those advertisements in order from lowest AdvertID to highest.

 

Note: The phrase “at the same time” could be:

  • During a regular policy polling interval
  • Or if a package takes an extended period to execute it is possible another policy refresh can occur
  • Or a zealous SMS admin can force a client policy refresh

 

Is it better to advertise the top of a chain or to advertise each individual app in the chain?

  • If you advertise only the top of the chain, the loop will iterate from top to bottom and run the lowest program in that chain.  Once the execution finishes, it will start again at the top and work its way down.  N+(N-1)+…
  • If you create an advertisement for each step of the program dependency, you avoid the iterations, as each step would be the lowest level of the chain.  Best Case 1+1+…
  • However, there is the possibility that when you created the AdvertIDs you did not do it in order.  Remember, the client evaluates multiple AdvertIDs (when all received at the same time) from lowest number to highest, so this execution could take MUCH longer.  You would get a lot of “Waiting Dependent Program” status messages.  (N+(N-1)+…) + (N+(N-1)+…) + …
 

Summary: The fastest way for a client to execute a dependency chain of programs is to create advertisements to each program in the chain in order from lowest to highest.

PowerShell: SMS 2003 / ConfigMgr 2007 scripting

I decided it was about time I learned more PowerShell and SMS 2003 / SCCM 2007 scripting.  I hope you enjoy this series, as I fail, experiment, and learn nuances of the PowerShell language.

 

There seems to be a lot of information about 3 COM objects for SMS 2003 / SCCM 2007 on the internet.  Those are:

  • SMS Client Actions
    • Microsoft.SMS.Client
  • Control Panel
    • Client Actions
      • cpapplet.cpappletmgr
    • Software Distribution
      • UIResource.UIResourceMgr
 

How do I use a COM Object in PowerShell?

  1. Create an Object
  2. Declare the type of Object
  3. Set Source
 

You do this by the keyword “New-Object”

BTW, you can get help by using “Get-Help”

 

PS C:\ > Get-Help New-Object

 

This will return useful information about New-Object.  The parameter we are interested in is:

    -comObject <string>

        Programmatic Identifier (ProgID) of the COM object.

 

The next important thing to know is how to declare a variable.  You put a $ sign in front of a string.  That’s it.

 

Here is how you would connect to each of the following COM objects.

PS C:\> New-Object -ComObject Microsoft.SMS.Client

PS C:\> New-Object -ComObject cpapplet.cpappletmgr

PS C:\> New-Object -ComObject UIResource.UIResourceMgr

 

Note: running any of the commands above will return a blank line.  Nothing more. Why?  Because you didn’t do anything with the COM object: you opened a connection, then closed it.  Clean.

 

How do I do something with it?

Try this post: PowerShell: How do I connect to SMS 2003 and perform Client Actions?

More to come.

PowerShell: How do I connect to SMS 2003 and perform Client Actions?

The Microsoft.SMS.Client COM object exposes several client actions.

 

PS C:\ > $a = New-Object -comObject Microsoft.SMS.Client

 

Now what do I do with the $a variable?  Let’s see what members are exposed from the COM.

 

PS C:\> New-Object -comObject Microsoft.SMS.Client | get-member

 

Note: the following results are contained in the SMS 2003 SDK 3.1

  • AutoDiscoverSite
    • Retrieves the site code of the locally available site based on the client's current roaming situation, without assigning the client to the site
  • DiscoverDefaultMP
    • Retrieves the assigned management point for a client, without assigning the client to the management point.
  • EnableAutoAssignment
    • Enables or disables the auto-assignment feature of the client.
  • GetAssignedSite
    • Gets the currently assigned site of the client
  • GetCurrentManagementPoint
    • Gets the management point to which the client is currently assigned.
    • Note: This method is deprecated. Use the ISmsClient2::GetCurrentManagementPointEx Method
  • ReAssignSite
    • Forces the client to rediscover its assigned site and then reassign itself to that site.
  • RemoveAssignedSites
    • Removes all site assignments for the client
  • ResyncPolicy
  • SetAssignedSite
    • Sets the client's assigned site
  • SetCurrentManagementPoint
    • Sets the current management point for the client
  • UseAdminLocator
 
  • Local administrator privileges are required to call this interface.
    • The IID for ISmsClient is DF56E387-A8BF-409a-8D1C-33CD1908C01A
 

Cool, show me how to use one.

PS C:\ > $a.AutoDiscoverSite()

Returns the 3 char Site Code

 

Example: Change a site code, force a policy resynchronization, then set client back to default Site Code.

 

PS C:\ > $a = New-Object -comObject Microsoft.SMS.Client

  1. Check what site is currently assigned

PS C:\ > $a.GetAssignedSite()

  2. Change Site Setting to Something else

PS C:\> $a.SetAssignedSite("LAB")

  3. Check What site is currently assigned

PS C:\ > $a.GetAssignedSite()

  4. Force a policy refresh and send new discovery record

PS C:\> $a.ResyncPolicy()

  5. Force the client back to the correct Site Code

PS C:\> $a.ReAssignSite()

 

Step 2 would fail if you do not have security rights to perform that action:

Exception calling "SetAssignedSite" with "1" argument(s): "Failed to set the assigned site."
At line:1 char:19
+ $a.SetAssignedSite( <<<< "LAB")

Step 4 would fail if you do not have security rights to perform that action:

Exception calling "ResyncPolicy" with "0" argument(s): "Failed to resync policy. One or more settings may be missing from WMI"
At line:1 char:16
+ $a.ResyncPolicy( <<<< )

 

PowerShell: Get A Process Owner

Today in the MSSMS email list someone asked: “how do I know who owns a process?”  They wanted to know if the user account had elevated privileges. Well, I can help you find the process owner in one line of code… elevated privileges will require an LDAP query :)

 

Pre-Req

  • You will need to know the process name
  • You will need PowerShell installed

To return all the processes on a local workstation

To return all the processes on a remote workstation

Warning: This will usually error out.  See PowerShell 2.0 for remote connectivity

 

Cool.  I have 64 processes. 

How do I filter on a single process?  In PowerShell you can pass the results of one command to another in line with a vertical pipe ‘|’.  Great, so I pass the results of the query above and perform a ‘where’.  Where? What is a ‘where’? Where is like asking a question.  Where clouds are blue, or in this case, where the ProcessName equals ‘powershell.exe’

 

 

Great, now we have the process, I do not see an owner property.  What do I do now?

Along with properties in WMI there are also methods. What are methods? Methods are actions that can be performed on a class, in this case win32_process.  Get-Member will return all the membertypes, including Methods.

Note: The above is only a partial list

 

See the GetOwner Method?  Let’s try that against the process we selected.

 

Hmm still some system properties.  I just want the Domain and User. 

 

 

How about a quicker way just to get the User?

 

One last thing, let's try using Get-Member against the getowner() method.

Note: the above is only a partial list 

 

Okay, in one line I can get who owns a process?  That’s neat.  Is there an online reference for all the methods?  Yep, try here for get-process and here for get-wmiobject win32_process.

 

Summary: you can look up the owner of a process in PowerShell in one line versus 20+ it would require in VBA

 

(Get-WmiObject -class win32_process | where{$_.ProcessName -eq 'mshta.exe'}).getowner() | Select -property domain, user 

 

Have fun playing with PowerShell and Get-Member
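The steps described above (list processes, filter on a name, call GetOwner, keep Domain and User) gathered into one function, as an added example that is not part of the original post. Get-ProcessOwner is a hypothetical name; the code goes beyond the one-liner by reporting every matching instance and the GetOwner return code, and it needs Windows PowerShell because Get-WmiObject is not available in PowerShell 6 and later.

```powershell
# Added example, not from the original post. Get-ProcessOwner is a hypothetical name.
function Get-ProcessOwner {
    param([string]$Name)   # e.g. 'mshta.exe'; omit to list every process

    Get-WmiObject -Class Win32_Process |
        Where-Object { -not $Name -or $_.ProcessName -eq $Name } |
        ForEach-Object {
            $proc = $_
            # A process can exit between enumeration and the method call; skip it.
            try { $owner = $proc.GetOwner() } catch { return }
            New-Object PSObject -Property @{
                ProcessId   = $proc.ProcessId
                ProcessName = $proc.ProcessName
                Domain      = $owner.Domain
                User        = $owner.User
                # 0 = success; non-zero (2 = access denied) leaves Domain and User empty.
                ReturnValue = $owner.ReturnValue
            }
        } |
        Select-Object ProcessId, ProcessName, Domain, User, ReturnValue
}

# Every instance of one process with its owner.
Get-ProcessOwner -Name 'mshta.exe'

# Which accounts own processes on this machine, and how many each.
Get-ProcessOwner |
    Where-Object { $_.ReturnValue -eq 0 } |
    Group-Object Domain, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Processes whose owner could not be read from this session.
Get-ProcessOwner | Where-Object { $_.ReturnValue -ne 0 }
```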

Posted: May 20 2008, 12:10 PM by scassells | with no comments
How to stop an errant Advertisement in SMS 2003 / SCCM 2007

Scenario: An advertisement went out for a package that is causing havoc.  Let’s say, it is rebooting servers and workstations.   How do you stop it NOW!?!?!  With a Big Red Stop Button (BRSB).

 

Below are 5 scenarios with varying speeds and success rates.

 

Method 1: Stop the IIS service or the SMS_OFFER_MANAGER service on all servers. 

Upside: Everything stops

Downside: Everything stops including normal client communications or any other distribution

 

Method 2: Delete the source package files off the DP(s).  Update: change the NTFS folder permissions to deny any client from reading the source files.  Thanks jnelson

Upside: All clients trying to run errant advertisement will say “Waiting For Content”

Downside: Copying the package source back to the DP after everything calms down.

 

 

Method 3: Delete the Advertisement (Do not do this)

Upside: Makes you feel better

Downside: Does not stop any clients until a policy refresh is triggered.  You also lose all tracking of the damage you have wrought.

 

Method 4: Disable the Program

Upside: Prevents further execution

Downside: Does not stop any clients until a policy refresh is triggered.

 

Method 5: Expire the advertisement

Upside: Prevents further execution

Downside: Does not stop any clients until a policy refresh is triggered.

 

Summary:  Best solution for Big Red Stop Button (BRSB) appears to be Method 2: delete the files off the DP.  You will need to know the PackageID (see reports below) and the location of the DPs (see reports below).

 

Best order of execution to achieve BRSB

  1. Identify PackageID
    1. See report below
    2. See console command line below
  2. Identify DPs that you will need to target
    1. See report below
  3. Run a script to delete the files off the DPs
  4. Disable the program
  5. Disable the advertisement (change the execution expiration time)
  6. View reports on advertisement success rate so you know who to go fix
 

If there is desire for me to post the scripts or more screen shots on how to do this, please respond to this post, and I’ll whip more docs up. 

 

Now that the package has stopped, the clients have received new policies to prevent the errant program from executing again.  How do I get the files back on the DP?  Easy: refresh the Distribution Points from the package.  A refresh will keep the DP version the same.  Reminder: if you update the DPs, you will be creating a new version, which may cause clients to execute this new package.  (Been there)

 
 

Helpful Reports (SMS 2003)

List of All packages:

http://<ServerNameHere>/SMSReporting_<SiteCode>/Report.asp?ReportID=137

List of All Active Package Distributions:

http://<ServerNameHere>/SMSReporting_<SiteCode>/Report.asp?ReportID=141

List of All DPs:

http://<ServerNameHere>/SMSReporting_<SiteCode>/Report.asp?ReportID=138

Location of DP (SMS 2003)

\\<ServerNameHere>\smsdp$\SMSPKG
 
 

How to add NodeInfo to the SMS 2003 console? 

Add the following switch to the console command line

 /SMS:NodeInfo=1 or /SMS:NodeInfo=2

Adds a property sheet that contains node information such as the GUID, WMI instance data, and the named values associated with the node to a node's property page. You access the node information sheet by selecting the Node Information tab. Typically, you use this option when you develop or debug extension snap-ins that extend the SMS Administrator console.

 

This option can be set to 1 or 2. Setting NodeInfo to 1 places the Node Information sheet last on the property page. Setting NodeInfo to 2 places the Node Information sheet first on the property page.

 

SMS 2003 command line:

C:\smsadmin\bin\i386\sms.msc /SMS:NodeInfo=1 

SCCM 2007 commandline

"C:\Program Files\Microsoft Configuration Manager Console\AdminUI\bin\adminconsole.msc" sms:debugview=1
Some XP SP3 Users Experience Crashes, Mostly Due to OEM Problems
A wide variety of boot problems have been reported with Windows XP SP3, fortunately many of them are very fixable

Windows XP remains a standard throughout much of the IT community, and remains popular among consumers as well.  Thus many consumers are pleased that Windows XP Service Pack 3 is back in action, after being pulled a week for a software fix.  The new service pack provides additional useful features, numerous bugfixes, and minor performance improvements.

Unfortunately some users are also finding that it provides their computer with an endless reboot loop.  First, to dispel a common misconception, the reboot itself has nothing to do with a problem with XP SP3.  Rather, the problem is during the boot, which results in a crash.  In the case of the crash, Windows XP behaves correctly -- it reboots the computer and asks the user if they want to boot into safe mode, defaulting to a normal boot if no option is selected.

Users are not happy about the developments.  Michael Faklis posting on the Windows XP discussion board, vents, "My external disks are having trouble starting up, which results in Windows not starting up.  After three attempts [to install XP SP3] with di