20 years after the historical event, the breakdown of the Berlin Wall dividing East and West, I sit in the lounge of a hotel writing this blog.
Now you may ask, what does this have to do with System Center Service Manager (SCSM)?
To answer the question I will give links to the System Center Suite of products where you get detailed information. I will then cover the divide between the products (our Berlin wall) and finally tell you a little bit about SCSM.
The suite is, at the time of writing, made up of the following:
- System Center Configuration Manager Product Information
- System Center Operations Manager Product Information
- System Center Data Protection Manager Product Information
- System Center Virtual Machine Manager Product Information
The products in the suite individually serve a number of business challenges and help to drive the integration of IT with the business. The overall goal is to turn the suite into a strategic IT asset, drive down business costs, and complement and enable business IT maturity.
A challenge for implementers and the business who have invested in the suite is the question of integration. The products are loosely technically integrated, fully integrated by brand name and by a number of licensing models.
Full technical and business process integration requires customization either by in-house expertise or outsourced expertise (products/people).
SCSM addresses the integration challenge of the suite and I believe would be a key enabler to businesses driving to make IT a strategic asset/business differentiator.
SCSM overview:
SCSM is a platform, not a product. It provides the integration point for the rest of the suite, enables extensions from partners and drives the automation of business processes.


This is the link to the SCSM site for an extensive overview and resources http://www.microsoft.com/systemcenter/en/us/service-manager.aspx.
Below are examples of integrations and business value derived from the SCSM platform.
Example 1: Configuration Manager and Active Directory

Example 2: Configuration Manager, Operations Manager and Active Directory

The Future
At the beginning of this article I talked about history in order to share the vision of the future. I spent 2 great days at the TAP customer event in Berlin and saw firsthand the direction and commitment by the product team to deliver a future best in breed product to meet a very real and relevant business need. I believe SCSM will shift the paradigm of the traditional service desk tools/products in the market now and shape the future of how we view our service desk.
SCSM beta 2 is available to the public now and is scheduled to go RTM in the first half of 2010.
Try SCSM and look out for more blog articles on implementation tips and best practises from myself and Jannes Alink, SCCM MVP (a great friend and colleague).
A day-long System Center event is taking place on the HMS Belfast on Friday the 6th of November, jointly presented by Inframon & WMUG. The event has world-class Microsoft speakers direct from the product team on their way to TechEd:
1. Ryan O'Hara - VP System Center Group, Microsoft
2. Nigel Cain - Senior Program Manager, Virtualization/System Center Service Manager, Microsoft
3. Jason Buffington - Senior Program Manager, DPM, Microsoft
4. Wally Mead - Senior Program Manager, ConfigMgr, Microsoft
This event has got something for everyone from technical decision makers to business decision makers.
Sessions Include:
* Keynote with Ryan O'Hara - VP System Center
* Intelligent Application Protection with Jason Buffington
* Service Manager with Nigel Cain and Sam Erskine
* Wally Mead does ConfigMgr - All day!
* Keeping your CIO Happy, the art of executive scorecarding with Gordon McKenna (MVP)
* Managing Risk, Governance and Compliance with SecureVantage
* Managing Non-Windows Platform with Bridgeways
* Drive down the cost of Siebel CRM/Oracle BI and Citrix with System Center Operations Manager with Hermes Softlab
* Microsoft Virtualization, The Facts
For more details and registration please visit:
http://waroncost.eventbrite.com
You have the DVD and a project deadline. Now where do you start?
The aim of this article is to provide a general process for deploying a new SCCM site. This process can also be applied to an upgrade (I always view upgrades as an opportunity to improve, so much the same as a new site).
This is a supplement to the extensive resources available and, as a result, does not aim to repeat the online documentation and training material available. I will place links to other resources I found useful in planning and successfully deploying SCCM sites.
We will first cover the tasks to consider and perform before you start the installation (do this before clicking setup.exe and Next Next …..)
Active Directory Tasks
Schema Extension and AD publishing security rights for your site:
This process is recommended if you are deploying SCCM to an Active Directory environment. Ensure you engage with the department/team that owns Active Directory schema extension as early as possible. Typically schema extensions require careful planning and have wider implications outside SCCM deployments.
The detailed steps are covered in the online documentation (How to Extend the Active Directory Schema Using ExtADSch.exe). A summary of what is required is:
- Run the schema extension utility from the installation media – Requires a user with schema admin rights
- Use ADSIEDIT.MSC (available from the Operating System support files) to create the System Management container under the target domain partition that the SCCM site would be installed in.
- Create a group for the site server computers that would host the provider role (e.g. DomainX\SCCM Site provider servers).
- Grant the new group rights to the System Management container and all its child objects. A group is recommended for ease of administration and will mean that new site servers only need to be added to the group to complete future delegation.
- Note that if you are using groups as described above a reboot of the site server would be required to complete the group membership process.
- I would also recommend creating a separate group for site system servers (e.g. SUP servers, Distribution point servers). This would give you better flexibility in configuring security at the operating system level.
The above would prevent one of the more common AD publishing errors seen in SCCM post site install. This would also impact your client deployments as correct registration of SCCM objects in AD aids in the site discovery and assignment process.
Boundary – Site Scope Tasks
One of the critical areas of your SCCM site is the configuration of site boundaries. Site boundaries basically tell your clients whether they belong to your site or not from the network layer. It is critical that you work with your network team to understand how subnets are assigned to your clients.
Failing to plan and configure site boundaries properly would impact your client deployment (discovery and assignment post installation). Though AD sites can be used, I would only recommend their use in the following scenarios:
- The AD sites are configured to support SCCM (e.g. remote offices have dedicated AD sites)
- The SCCM admin is aware of changes to AD sites or is the same person making the changes (In this case a process can be setup to keep SCCM in sync with any changes)
Our experience shows that using Subnets gives the SCCM admin more control and is a better practice. In some cases your SCCM site may span multiple domains and also include DMZ clients/workgroup clients.
Before installing your sites, get a list of all the subnets in use for all clients within the scope of deployment.
- Work with your network admin team – they have better insights into VLAN configurations etc
- Check with the DHCP admin – This would give you a logical view of your IP network configuration
- Remember that the client's subnet mask plays a critical role in which subnet the client actually belongs to (evaluation is done on the client side, not your SCCM site)
- Use the description field in SCCM boundaries to document boundary information.
Using subnets takes a bit of time to setup but will save you a lot of pain in the long run.
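The client-side evaluation described above can be checked against your planned boundary list before you install the site. The script below is an added example, not part of the original post: it assumes boundaries are entered as subnet IDs, the function names are hypothetical, and the boundary list and client inventory are constructed sample data.

```python
import ipaddress
from collections import defaultdict


def client_subnet_id(ip, mask):
    """Subnet ID as the client works it out: its own IP ANDed with its own mask."""
    return str(ipaddress.IPv4Interface(f"{ip}/{mask}").network.network_address)


def audit(boundaries, clients):
    """Match every client against the boundary list by the subnet ID it computes.

    boundaries: {subnet ID: description}; clients: (name, ip, mask) tuples.
    Returns (assigned, missing): assigned maps client name -> boundary
    description, missing maps an uncovered subnet ID -> list of client names.
    """
    assigned, missing = {}, defaultdict(list)
    for name, ip, mask in clients:
        subnet_id = client_subnet_id(ip, mask)
        if subnet_id in boundaries:
            assigned[name] = boundaries[subnet_id]
        else:
            missing[subnet_id].append(name)
    return assigned, dict(missing)


# Constructed sample data (not from a real network).
BOUNDARIES = {
    "10.10.4.0": "HQ floor 1, VLAN 104",
    "10.10.7.0": "HQ floor 3, VLAN 107 (documented as a /24)",
    "192.168.20.0": "Branch office",
}
CLIENTS = [
    ("PC-001", "10.10.4.25", "255.255.255.0"),
    ("PC-002", "10.10.7.12", "255.255.254.0"),     # DHCP scope hands out a /23
    ("PC-003", "10.10.4.200", "255.255.255.128"),  # VLAN was split into /25s
    ("PC-004", "192.168.20.77", "255.255.255.0"),
]

if __name__ == "__main__":
    assigned, missing = audit(BOUNDARIES, CLIENTS)
    for name, description in assigned.items():
        print(f"{name}: inside boundary '{description}'")
    for subnet_id, names in missing.items():
        print(f"No boundary for subnet ID {subnet_id}: {', '.join(names)}")
```

PC-002 and PC-003 sit in address ranges the boundary list appears to cover, yet the subnet IDs they compute (10.10.6.0 and 10.10.4.128) are not in the list, so they would not be assigned to the site.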
Create Groups – Security Tasks
I am in favour of careful planning to reduce the number of times I have to repeat a task. One of the big challenges in SCCM is role based security out of the box. I know this is coming in SCCM Vnext (saw the demo at MMS 2009). In the meantime here is the budget version of how to achieve a form of role based security.
- Create AD groups in advance for the roles of the users who would access your SCCM console.
| Example Groups | Description |
| --- | --- |
| DomainX\SCCM Global Admins | Full access to the SCCM site |
| DomainX\SCCM Full Admins | Full admin rights except site settings – Boundaries etc |
| DomainX\SCCM Report Viewers | Permissions to only view reports |
| DomainX\SCCM Report Admins | Permissions to create Reports |
| DomainX\SCCM SUM Admins | Software update permissions only |
- The first task you should perform after the installation is to copy the rights of the user who installed the site. In my scenario, I use the SCCM Global Admins group.
- Take time to configure the permissions for the other groups which you create to reflect the roles of users accessing the console (Takes time, however this should be a one off exercise)
- Setup a process to add users to the groups as and when access is required.
- Get yourself a coffee/tea or cold drink.
Deployment steps – No screen shots
This section provides high level steps to follow and should act as a to do list in your SCCM deployment.
Central Site – Reporting only
This is deploying a site that would act as a repository/roll up site for your hierarchy (the old Central site concept from SMS 2003)
- Install SCCM
- Remove the management point role
- Enable and configure the reporting point and/or SRS reporting point roles
- Configure Object security permissions
Primary (Deployment) Site – Clients assigned
- Install SCCM
- Configure SCCM Object permissions
- Configure the following properties – Tasks, alerts and status systems (maintenance tasks)
- Configure site boundaries
- Prepare Site Systems – Operating system installation of roles like Distribution points etc
- Assign site system roles – SCCM site configuration
- Configure site communications – for environments where you have a hierarchy of SCCM sites (Senders etc)
- Attach sites – Doing this in advance would reduce network traffic associated with site attachments
- Enable resource discovery (AD discovery methods, network discovery etc) and client installation methods (configure accounts to be used for push installations etc)
- Enable SCCM features one at a time; start with inventory
Useful links:
Infrastructure Planning and Design Guides
Configuration Manager Documentation Library
Introduction
I am a great fan of the program “pimp my ride”. This is a TV program where the producers take an old car and upgrade/rebuild it to a luxury standard car with a few “extras”.
Now you may ask what does this have to do with SMS 2003 to SCCM agent migration? The answer is, this is similar in my view to what you do when you perform an in-place upgrade on the agent.
In this article I explain and expand on an approach and process to get a new luxury agent without using the “pimp my ride” approach (a.k.a in-place upgrade). NB I know on good authority that a lot of work was put into the in-place upgrade and it works. This is just an approach that looks at the alternative method of addressing the same task. We also build on the software distribution approach to the agent upgrade.
The prescribed approach is based on this notion: why upgrade your old car with parts from a new car when you can scrap the old one and just use the new one as is?
Background
In this process we assume you already have an SMS 2003 infrastructure with SMS 2003 agents deployed. We also assume you have a new installation of an SCCM site. The process focuses on using software distribution to upgrade the SMS 2003 agent to an SCCM agent in a side by side migration scenario.
Summary of process
- Create a source folder for the upgrade files
- Create a software distribution package to copy the source files to a local directory on all clients
- Create a software distribution advertisement which initiates the upgrade process
- The upgrade process cleanly removes the old agent including the certificates, then initiates a new installation of the SCCM agent. The agent is also assigned to the new SCCM site in the process.
Detailed steps
Required Software and Utilities:
- Client installation files from the SCCM site (to reduce size remove non required language files from the pre-requisite files) - \\%SiteServerName%\SMS_%sitecode%\Client
- The following from the SMS2003 Toolkit – ccmclean.exe and delcert.exe
- Custom batch file to uninstall SMS2003 (includes old cert deletion) and install SCCM client – (See sample script)
SCCM Site prerequisites:
- Create site boundaries – subnets recommended
- Set site to manual approval of clients
- Set site to only accept SCCM clients
SMS2003 Site prerequisites:
- Create Copy Source Package and Program
- Create a package source folder (e.g., SMS-SCCM-Migrate) with a subfolder called sources
- Copy the required upgrade files to the sources subfolder (including CCMClean and Delcert) and place the script in the root folder
- Program command line %systemroot%\system32\cscript.exe copySources.vbs – CopySources.vbs is a custom script written by Joe Erskine
See end of article for Script
(Script supplied as is, with no support – Test in lab before use!!)
Migration process:
- Advertise the Copy sources package to all clients to be migrated. Confirm that the program ran successfully. This would also validate current client health.
- Advertise the migrate client program to clients that have successfully received the source files.
- Copy details below to a text file and save as .bat and create a package with a program to run the batch file.
@echo off
rem ===================
rem CCMSetup parameters
rem ===================
rem Replace each %...% placeholder below with the real value for your site
set managementpoint=%FQDN of your management point%
set sitecode=%your site code%
set fsp=%FQDN of your FSP%
set slp=%FQDN of your SLP%
set smsmp=%FQDN of your management point%
rem ================
rem Other parameters
rem ================
set sourcedir=C:\Install\SMS-SCCM-Migrate
rem Switch to the system drive, then to the folder holding the copied source files
%SystemDrive%
cd %sourcedir%
md logbackup
rem Remove the old site assignment file and the old client certificates
del %windir%\SMSCfg.ini
Ccmdelcert
rem Cleanly uninstall the SMS 2003 agent, then install the SCCM agent
Start /MIN /WAIT ccmclean.exe /client /logdir:%sourcedir% /logbackup:%sourcedir%\logbackup\ /q /retry:6,600
Start /MIN /WAIT ccmsetup.exe /mp:%managementpoint% SMSSITECODE=%sitecode% SMSCACHESIZE=1024 FSP=%fsp% SMSSLP=%slp% SMSMP=%smsmp% /source:C:\Install\SMS-SCCM-Migrate
Exit
:eof
You need to modify the parameters in the batch file (e.g., your MP FQDN etc).
- The migration process does not return a program successfully run under the SMS2003 site. Confirmation of success is when the client reports into the SCCM site for approval.
- Use the fallback status point reports to track status of installation.
This approach has an additional benefit in that your agent health can be validated by the initial software distribution to copy the source file to the client.
Copy Sources:
'==========================================================================
'
' VBScript Source File
'
' NAME: copySources.vbs
'
' AUTHOR: Joe Erskine
'
'
' DATE: 18/07/2006
'
' VERSION: 1.0
'
' COMMENT: SMS script to copy sources files. Set path for destination in strTargetPath and place
' files/folders to be copied to location in a sub-folder called SOURCE in the package source directory
' E.g. If package source is C:\Test, place this script in C:\Test and files/folders to transfer in C:\Test\Source
'
' USAGE: cscript copySources.vbs
'
'==============
'Version Control
'===============
'
'Ver #:
'Modified By:
'Date Modified:
'Details:
'===================
'End Version Control
'===================
'==========================================================================
Option Explicit
On Error Resume Next

'======================
'User Defined Variables
'======================
Dim strTargetPath '<- Path to copy files/folders to, Created if it doesn't exist
Dim strWinDir     '<- Windows Installation Directory

'Get the Windows Installation Directory path
strWinDir = fGetWindowsDirectory()

'<- If you need to copy to Windows directory then use:
'   strTargetPath = strWinDir & "Your Path Here"
'   E.g. strTargetPath = strWinDir & "\System32\MyFiles"
strTargetPath = "C:\Install\SMS-SCCM-Migrate\"

'==============
'Global Objects
'==============
Dim objFS
Dim objItem
Dim objFolder
Dim objShell
Dim objNetwork
Dim colItems
Dim strScriptPath
Dim strCacheRoot
Dim strSource
Dim intError : intError = 0
Dim strComment

Const FOR_READING = 1
Const FOR_WRITING = 2
Const FOR_APPENDING = 8
Const CMD_MINIMIZED = 2
Const CMD_WAIT = True
Const OVERWRITE_EXISTING = True

'=====
'START
'=====
'Folder the script runs from (with trailing backslash)
strScriptPath = Left(WScript.ScriptFullName, _
    Len(WScript.ScriptFullName) - Len(WScript.ScriptName))
'The files/folders to transfer must be in a subfolder named Source next to this script
strSource = strScriptPath & "Source"
strCacheRoot = Left(strScriptPath,(Len(strScriptPath)) - 1)

'Build the log text that is written to the Application Event Log at the end
strComment = "SMS Source Files Transfer Script" & vbNewLine
strComment = strComment _
    & "************************************************************" & vbNewLine
strComment = strComment & "Start Time:" & vbTab & Now & vbNewLine
strComment = strComment & "Source Folder:" & vbTab & strSource & vbNewLine
strComment = strComment & "Target Folder:" & vbTab & strTargetPath & vbNewLine
strComment = strComment _
    & "************************************************************" & vbNewLine

Set objFS = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
Set objNetwork = CreateObject("WScript.Network")

'Remove this script from the folder it was run from
If objFS.FileExists(WScript.ScriptFullName) Then objFS.DeleteFile(WScript.ScriptFullName)
WScript.Echo strScriptPath
WScript.Echo strCacheRoot

If Len(strTargetPath) > 0 Then
    If Not objFS.FolderExists(strTargetPath) Then
        'Target folder doesn't exist so create it
        strComment = strComment & "Creating Folder:" & vbTab & strTargetPath & vbNewLine
        objShell.Run "%comspec% /c MD " & """" & strTargetPath & """",CMD_MINIMIZED,CMD_WAIT
        WScript.Sleep 2000
        If Not objFS.FolderExists(strTargetPath) Then
            intError = intError + 1
            strComment = strComment & "ERROR: Unable to create target folder -> " & strTargetPath & vbNewLine
        End If
    End If

    If intError = 0 Then
        'Make sure the target path ends with a backslash
        If Right(strTargetPath,1) <> "\" Then
            strTargetPath = strTargetPath & "\"
        End If

        Set objFolder = objFS.GetFolder(strSource)

        'Move the files, skipping any that already exist in the target
        For Each objItem In objFolder.Files
            If objFS.FileExists(strTargetPath & objItem.Name) Then
                strComment = strComment & "ERROR: Target file already exists -> " _
                    & strTargetPath & objItem.Name & vbNewLine
                strComment = strComment & vbTab & "- Skipping move operation" & vbNewLine
            Else
                strComment = strComment & "Moving -> " _
                    & objItem.Path & vbNewLine
                WScript.Echo objItem.Path
                Err.Clear
                objFS.MoveFile objItem.Path,strTargetPath
                If Err.Number <> 0 Then
                    strComment = strComment & vbTab _
                        & " - ERROR: " & Err.Number & " " & Err.Description & vbNewLine
                    intError = intError + 1
                End If
            End If
        Next

        'Move the subfolders. An existing target folder is deleted;
        'the source folder is not moved in the same pass.
        For Each objItem In objFolder.SubFolders
            If objFS.FolderExists(strTargetPath & objItem.Name) Then
                strComment = strComment & "ERROR: Target folder already exists -> " _
                    & strTargetPath & objItem.Name & vbNewLine
                strComment = strComment & vbTab & "- Deleting target folder" & vbNewLine
                objFS.DeleteFolder(strTargetPath & objItem.Name)
            Else
                strComment = strComment & "Moving -> " _
                    & objItem.Path & vbNewLine
                WScript.Echo objItem.Path
                Err.Clear
                objFS.MoveFolder objItem.Path,strTargetPath
                If Err.Number <> 0 Then
                    strComment = strComment & vbTab _
                        & " - ERROR: " & Err.Number & " " & Err.Description & vbNewLine
                    intError = intError + 1
                End If
            End If
        Next
        Set objFolder = Nothing
    Else
        intError = intError + 1
    End If
Else
    'Count the missing target path as an error so the exit code is non-zero
    intError = intError + 1
    strComment = strComment & "ERROR:" & vbTab _
        & "No Target path specified" & vbNewLine
End If

strComment = strComment _
    & "************************************************************" & vbNewLine
strComment = strComment & "Exit Code:" & vbTab & intError & vbNewLine
strComment = strComment & "************************************************************"
Call fLogEvent(strComment)

Set objShell = Nothing
Set objFS = Nothing
Set objNetwork = Nothing
WScript.Quit(intError)
'===
'END
'===

'==========
'Functions
'=========
'******************************************************************************
'* Name: fLogEvent(strEventInfo)
'* Function: Write Script run time log to the Application Event Log
'******************************************************************************
Function fLogEvent(strEventInfo)
    'Event type 4 = Information
    objShell.LogEvent 4,strEventInfo,"\\" & objNetwork.ComputerName
End Function

'******************************************************************************
'* Name: fGetWindowsDirectory()
'* Function: Returns a string with the Windows Installation directory
'******************************************************************************
Function fGetWindowsDirectory()
    Dim colItems
    Dim objItem
    Dim objWMIService
    Dim strValue
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * From Win32_OperatingSystem")
    For Each objItem in colItems
        strValue = objItem.WindowsDirectory
    Next
    Set objWMIService = Nothing
    fGetWindowsDirectory = strValue
End Function
Introduction
SMS and SCCM give us the ability to build a process for full automated patch deployment. A healthy site with healthy clients generally leads to a “smooth” automated patch deployment process.
One of the first challenges I faced as an SMS/SCCM administrator was answering the change management question “what is the rollback process for patch deployment?” The only answer available is manual rollback (all hands on deck). This presents a major challenge if you do not have resources readily available during an emergency rollback scenario. Why not use your automated patch deployment tool to address this challenge?
In this article, I provide a method for rolling back security patches in line with Microsoft best practices. This process only applies to patches deployed to Windows Server 2003, Windows XP and below operating systems. I am working on updating the process for Vista and Windows Server 2008.
Background to process
This link provides the background to this rollback process: Removing Windows software updates in the wrong order may cause the operating system to stop functioning.
The recommended method for rolling back patches is to remove patches in the reverse order of installation. This recommendation is based on the fact that most patches update the same DLLs etc. So in a scenario where 3 patches update the same DLL:
- Install Patch 1 (DLL updated to V1 backup original DLL for rollback)
- Install Patch 2 (DLL updated to V2 backup V1 DLL for rollback)
- Install Patch 3 (DLL updated to V3 backup V2 DLL for rollback)
Removing patch 2 will return the DLL to V1 and lose the update made by patch 3. So how do we keep the system consistent and not lose other updates? The answer is to roll back all patches and redeploy without the unwanted patch(es). Another challenge is: can this be automated?
In order to achieve the above, we first need to establish the original order of deployment and create an automated rollback deployment using SMS/SCCM software distribution.
Summary of process
- Query the client for all patches deployed and list by installation date time order.
- All patches for the latest date listed to be removed (in general deployments would be for same day and not across multiple days)
- Run spuninst.exe for the patch(es) to remove in the reverse order from the %SystemRoot%\$NtUninstall[KBArticleNumber]$\
- Steps 1 to 3 achieved with a VB script delivered as a standard software distribution package advertisement
- Initiate rollback by advertising to SMS/SCCM clients in scope using a collection
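The three-patch scenario and steps 1 to 3 of the summary can be modelled offline to see why the order matters. The following is an added example, not the script from this article: the class and function names are hypothetical, and the KB numbers, versions and timestamps are constructed placeholders.

```python
from datetime import datetime


class SharedDll:
    """Models one DLL that several patches replace, plus each patch's backup."""

    def __init__(self, base="V0"):
        self.base = base
        self.version = base   # version currently on disk
        self.backups = {}     # patch -> version it saved for its own rollback
        self.shipped = {}     # patch -> version it put on disk
        self.installed = []   # patches still registered, in install order

    def install(self, patch, new_version):
        self.backups[patch] = self.version
        self.shipped[patch] = new_version
        self.version = new_version
        self.installed.append(patch)

    def uninstall(self, patch):
        # The uninstaller restores this patch's own backup, whatever is on disk now.
        self.version = self.backups.pop(patch)
        self.installed.remove(patch)

    def consistent(self):
        """True when the disk holds what the newest still-installed patch shipped."""
        expected = self.shipped[self.installed[-1]] if self.installed else self.base
        return self.version == expected


def rollback_plan(folders):
    """folders: (uninstall folder name, creation time) pairs.

    Returns the folders created on the latest deployment date, newest first,
    which is the order in which the uninstallers should run.
    """
    if not folders:
        return []
    latest_day = max(created.date() for _, created in folders)
    batch = [f for f in folders if f[1].date() == latest_day]
    batch.sort(key=lambda f: f[1], reverse=True)
    return [name for name, _ in batch]


# Constructed sample data: placeholder KB numbers, versions and timestamps.
FOLDERS = [
    ("$NtUninstallKB0000001$", datetime(2009, 1, 14, 3, 10)),
    ("$NtUninstallKB0000002$", datetime(2009, 2, 11, 3, 5)),
    ("$NtUninstallKB0000003$", datetime(2009, 2, 11, 3, 9)),
]
VERSIONS = {
    "$NtUninstallKB0000001$": "V1",
    "$NtUninstallKB0000002$": "V2",
    "$NtUninstallKB0000003$": "V3",
}


def build_system():
    """Install the three patches in their original order."""
    dll = SharedDll()
    for name, _ in sorted(FOLDERS, key=lambda f: f[1]):
        dll.install(name, VERSIONS[name])
    return dll


def remove_only(patch):
    """Remove a single patch out of order and report the resulting state."""
    dll = build_system()
    dll.uninstall(patch)
    return dll.version, dll.installed, dll.consistent()


def remove_planned():
    """Remove the latest day's patches in the planned (reverse) order."""
    dll = build_system()
    for patch in rollback_plan(FOLDERS):
        dll.uninstall(patch)
    return dll.version, dll.installed, dll.consistent()


if __name__ == "__main__":
    print("Out of order:", remove_only("$NtUninstallKB0000002$"))
    print("Plan:", rollback_plan(FOLDERS))
    print("Planned order:", remove_planned())
```

Removing only the second patch leaves V1 on disk while the third patch is still registered as installed; the planned order ends at V1 with only the first patch registered.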
Script and Sample Screenshots
The script supplied is set to log only mode (need to change the test mode parameter to 1 for it to be in live mode). Both modes would create a hotfixundo.log file on the C:\ drive. Script kindly written by Gavin Woodall.
Copy the script to notepad and save as hotfix_undo_Live.vbs (or to any preferred name). In my case I have a package called Patch Rollback – Live. The Data Source is a package directory called Patch_Rollback (store the vbs script here and reference during package creation)
Create a program for the package using the following command line : cscript %scriptname% (in my case %scriptname% = Hotfix_undo_live.vbs). Ensure that the program is set to run whether or not a user is logged on for non interactive deployments/advertisements.
Create an advertisement for the package. Do not leave on a recurring schedule!!! – This would remove all patches from the targeted clients.
SMS 2003 Process: After each rollback create a new program (by default you will not be able to use the same program again if it has successfully run on a client). I create a new program every month just to be sure.
SCCM Process note: SCCM overcomes the SMS 2003 limitation because programs can be rerun even when successful
Copy Below to notepad and save as hotfix_undo_live.vbs (change testmode to 0 to make live)
' Script to enumerate last applied hotfixes, and rollback
on error resume next
const forappending = 8
const forwriting=2
const forreading=1
Const dictKey = 1
Const dictItem = 2

' **********set to 0 to get out of testmode**********
testmode=1
' ***************************************************

Logpath="C:\hotfixundo.log"
Set fso = createObject("Scripting.FileSystemObject")
set windir=fso.GetSpecialFolder(0)
call stamplog("*************************************************************")
call stamplog("Starting process, windows directory is "&windir.path)

lastdate=""
' enumerate subfolders, check date.
For Each Subfolder in windir.SubFolders
    if instr(lcase(subfolder.name),"$ntuninstall")<>0 then
        if lastdate="" then
            lastdate=subfolder.datecreated
        end if
        ' any folder created on a later calendar day becomes the new latest date
        ' (the original test of >1 skipped a folder created exactly one day later)
        if datediff("d",lastdate,subfolder.datecreated)>0 then
            lastdate=subfolder.datecreated
        end if
    end if
Next
call stamplog("Latest date found for uninstall folder is "&lastdate)

' loop again, creating a list of directories to be targeted.
set list = CreateObject("Scripting.Dictionary")
call stamplog ("Processing the following directories:")
For Each Subfolder in windir.SubFolders
    if instr(lcase(subfolder.name),"$ntuninstall")<>0 then
        ' keep only the folders created on the same day as the latest date
        if datediff("d",lastdate,subfolder.datecreated)<1 and datediff("d",lastdate,subfolder.datecreated)>=0 then
            list.add subfolder.datecreated,subfolder.path
            call stamplog(subfolder.path)
        end if
    end if
Next

' sort dictionary
sortdictionary list,dictkey

' loop through list, shell out to run spuninst for each directory, last first
for each location in list
    call stamplog("Launching "& list.item(location)&"\spuninst\spuninst.exe")
    err.clear
    if testmode=0 then
        run list.item(location)&"\spuninst\spuninst.exe /quiet /passive /norestart"
    else
        call stamplog("***TESTMODE - Uninstall NOT run***")
    end if
next
call stamplog("Finished at "&date&" "&time)

' Stamp line of text to specified logfile
sub stamplog(text)
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = objFSO.OpenTextFile _
        (logpath, Forappending, True)
    objtextfile.writeline(text)
    wscript.echo (text)
    objTextFile.Close
end sub

' Run function
Function Run (ByVal cmd)
    Dim sh: Set sh = CreateObject("WScript.Shell")
    Dim wsx: Set wsx = Sh.Exec(cmd)
    If wsx.ProcessID = 0 And wsx.Status = 1 Then
        ' (The Win98 version of VBScript does not detect WshShell.Exec errors)
        Err.Raise vbObjectError,,"WshShell.Exec failed."
    End If
    ' relay the child's output until it has finished
    Do
        Dim Status: Status = wsx.Status
        WScript.StdOut.Write wsx.StdOut.ReadAll()
        WScript.StdErr.Write wsx.StdErr.ReadAll()
        If Status <> 0 Then Exit Do
        WScript.Sleep 10
    Loop
    Run = wsx.ExitCode
End Function

' Runs an internal command interpreter command.
Function RunCmd (ByVal cmd)
    RunCmd = Run("%ComSpec% /c " & cmd)
End Function

' Sort function
Function SortDictionary(objDict,intSort)
    ' declare our variables
    Dim strDict()
    Dim objKey
    Dim strKey,strItem
    Dim X,Y,Z
    ' get the dictionary count
    Z = objDict.Count
    ' we need more than one item to warrant sorting
    If Z > 1 Then
        ' create an array to store dictionary information
        ReDim strDict(Z,2)
        X = 0
        ' populate the string array
        For Each objKey In objDict
            strDict(X,dictKey) = CStr(objKey)
            strDict(X,dictItem) = CStr(objDict(objKey))
            X = X + 1
        Next
        ' perform a simple exchange sort of the string array (ascending)
        For X = 0 to (Z - 2)
            For Y = X to (Z - 1)
                If StrComp(strDict(X,intSort),strDict(Y,intSort),vbTextCompare) > 0 Then
                    strKey = strDict(X,dictKey)
                    strItem = strDict(X,dictItem)
                    strDict(X,dictKey) = strDict(Y,dictKey)
                    strDict(X,dictItem) = strDict(Y,dictItem)
                    strDict(Y,dictKey) = strKey
                    strDict(Y,dictItem) = strItem
                End If
            Next
        Next
        ' erase the contents of the dictionary object
        objDict.RemoveAll
        ' repopulate the dictionary with the sorted information, last first
        For x=(z-1) to 0 step -1
            ' For X = 0 to (Z - 1)
            objDict.Add strDict(X,dictKey), strDict(X,dictItem)
        Next
    End If
End Function
Additional Notes:
Every security update has a Removal information section listed under Security Update Deployment. So for MS09-001 you would find below for the XP operating system http://www.microsoft.com/technet/security/Bulletin/MS09-001.mspx
Removal Information
Use Add or Remove Programs tool in Control Panel or the Spuninst.exe utility located in the %Windir%\$NTUninstallKB958687$\Spuninst folder
Introduction
Having worked extensively with ITMU in SMS 2003 for datacenter patch management of servers, I welcomed the new architecture promised for SCCM.
If you are using ITMU now and are new to SCCM here is a high level summary of the patch management components:
- SCCM Clients are scanned using the client's Windows Update Agent (WUA)
- WSUS used as the scan catalog known as a SUP (basically WSUS dedicated to SCCM and no more 5MB local catalog downloads to all clients)
- Download and execute option now does a scan first and only downloads required updates
- Security updates are categorized as in native WSUS, and there is now the ability to deploy non-security updates, including service packs.
- Status of patch deployment is provided near real-time (well, every 15 minutes by default) by state messages; it no longer uses advertisement reports and hardware inventory. I have an earlier blog that shows you how you can get basic information collected using hardware inventory.
Below is a link to a very good whitepaper providing extensive details.
Configuration Manager Software Updates Management Guidance - Migration from ITMU.doc
My aim in this article (blog) is to give you a field view of what it means to translate these changes into existing processes. In a nutshell going from reading about it to using it.
SCCM SUM Reduces Wizard Screens?
A statement I have read many times about SCCM is that it reduces the old ITMU wizard screens from 18 to about 7. I disagree and will quantify it with: only if you use the power and flexibility of the templates under deployment management.
If you are like me, the first thing you do with a new version of a product is to make it work like the old one (how many people turned the WK3 interface into W2K?).
My attempt at an ITMU to SCCM translator below should hopefully ease some of your pain.
ITMU to SCCM translator
| SMS 2003 ITMU | SCCM Software Updates Management (SUM) |
| --- | --- |
| ITMU Scan Tool | Software updates scan agent |
| Recurring ITMU Scan Tool Advertisement | Software updates scan agent schedule – WUA scan using SUP (SCCM dedicated WSUS) |
| Advertisements | Deployments |
| Packages (one to one relationship with selected patches) | Deployment Packages (selected patches not linked to one package; will search all packages on the DP and download from any package) |
| Advertisement Start time | Deployment Deadline |
| Expiring Advertisements | Use maintenance window on targeted collection with Recurrence set to None. TIP: Advertisement Start Time = Deployment Deadline = Maintenance Windows start. Expiry time = Maintenance Window End |
Useful and New to SCCM
Now let's take a closer look at the SUM components and a sample patch management process.
Summary of the steps for a sample process:
- Create a search folder to group security updates
- Create an empty collection with no members (to be used for the deployment templates)
- Create a deployment template (I create two; 1 for Patch Only and 1 for Patch with Reboot)
- Create a folder for storing the source files for packages
- Create an update list (e.g. Select required patches for your deployment), specify download updates to create the package.
- Drag the update list onto the deployment template to create the deployment (Deployment type will be determined by the template in this case)
- Create a maintenance window for the collection to be targeted
- Modify the Deployment by changing the collection specified (inherited from the template) and also the deadline date and time.
Detailed steps:
Update Repository: this is where the software updates are displayed and categorized. Shows all software updates depending on what you have selected under the SUP (WSUS) configuration.

- Search Folders: allow you to group software updates logically for ease of selection when creating deployment packages. In my example I have a master search folder for all Security patches and one folder for every year from 2003 – 2009. Use a search criterion on Bulletin ID with the % wildcard, so for 2009 it would be MS09%.

- Create an empty collection: I am a great fan of placeholder collections. I use them as a safety check before targeting the real collections. In this case I created a collection called
with no members (safe to ignore the warning).
- Create deployment templates: Now this is where the wizard pages reduction takes place. Right-click the deployment templates node and select new deployment template. Once created, using the template significantly reduces the number of wizard screens. I created two, one with suppressed reboots and the other without.



- Create a package source folder: I typically create a top-level folder for all packages and then sub-folders for categories of packages. In this example process we will use a subfolder called “Security_Updates”.
- Create an update list: Using the “All Security updates” search folder as an example select the security updates required for the SUM package. Selection is now much better as you can use the shift key, and the control key, to block select security updates.
Select download updates during the creation of the update list. You can create a new package or select an existing package. NB: be sure to specify a new subdirectory as part of the UNC path to the package directory. If you do not specify a subdirectory, all updates are placed in the root folder (near impossible to tidy up when you delete a package).

- Create a deployment (replaces advertisements in the ITMU deployment process): Drag and drop the update list onto a deployment template. In this example we use the patch only template. Notice that the collection used is the placeholder we created and selected for our template. In addition, the suppress restart and any other general properties are inherited from the template. This is the magic of the wizard reduction I mentioned. Modify the settings to the required deployment deadline and target collection.
Monitor the deployment using the new Software Updates category reports.
Creating a view for your Reports
The SMS_DEF.MOF file update creates the following tables: Software_Updates_V4_Data and Software_Updates_V4_HIST. The following SQL script can be used to create a custom SQL view for reports. I have included the computer names from V_R_System and the site code from v_RA_System_SMSInstalledSites.
Make sure you change the database name to your Config Manager database name before using. The name of the view can also be edited to suit your own naming convention.
```sql
USE [SMS_XXX]  -- replace with your Config Manager database name
GO
/****** Object: View [dbo].[V_Custom_Update_Status] Script Date: 10/20/2007 17:06:38 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE VIEW [dbo].[V_Custom_Update_Status]
AS
SELECT DISTINCT TOP (100) PERCENT
    dbo.v_R_System.ResourceID,
    dbo.v_R_System.Netbios_Name0 AS ClientName,
    dbo.v_RA_System_SMSInstalledSites.SMS_Installed_Sites0 AS Site_Code,
    dbo.Software_Updates_v4_DATA.Article00 AS KB_Number,
    dbo.Software_Updates_v4_DATA.Bulletin00 AS Bulletin_ID,
    dbo.Software_Updates_v4_DATA.ScanTime00 AS Scan_Date_Time,
    dbo.Software_Updates_v4_DATA.Status00 AS Update_Status,
    dbo.v_R_System.Operating_System_Name_and0 AS OS,
    dbo.Software_Updates_v4_DATA.Title00 AS Update_Title
FROM dbo.v_R_System
INNER JOIN dbo.Software_Updates_v4_DATA
    ON dbo.v_R_System.ResourceID = dbo.Software_Updates_v4_DATA.MachineID
INNER JOIN dbo.v_RA_System_SMSInstalledSites
    ON dbo.Software_Updates_v4_DATA.MachineID = dbo.v_RA_System_SMSInstalledSites.ResourceID
-- SQL Server does not guarantee this order when the view is queried;
-- put an ORDER BY in the report query as well.
ORDER BY Bulletin_ID DESC
```
Granting Select Permissions on the custom View
The following roles Smsschm_users and webreport_approle need to be granted select permission on any custom views created. Without performing the permissions step, the reports will only work in SQL Server Management Studio.

Sample Report Query
The following is a sample query to create a summary report from the new view (make sure you edit the view name if you did not use the suggested name). Modify to suit your needs.
```sql
-- Summary compliance per bulletin, KB article and operating system
SELECT Bulletin_ID, KB_Number, OS,
       (100 * Installed / (Installed + Applicable)) AS '%Compliant',
       Installed + Applicable AS Total
FROM (SELECT Bulletin_ID, KB_Number, OS, Update_Title AS BulletinInfo,
             SUM(CASE WHEN Update_Status = 'Installed' THEN 1 ELSE 0 END) AS 'Installed',
             SUM(CASE WHEN Update_Status = 'Missing' THEN 1 ELSE 0 END) AS 'Applicable'
      FROM v_Custom_Update_Status
      WHERE Bulletin_ID LIKE 'MS08-%' AND OS LIKE '%Server%'
      -- KB_Number is selected and grouped here because the outer query returns it
      GROUP BY Bulletin_ID, KB_Number, OS, Update_Title) AS ps
ORDER BY Bulletin_ID DESC, OS
```
The report is filtered on all security updates for the year 2008 and by server operating systems only. Edit the filters to change the year and the operating system as needed.
The release of System Center Configuration Manager has seen a vast improvement in security update management. The improvements have introduced new ways of doing familiar tasks.
No Security updates compliance at the parent site without a SUP:
Prior to Config Mgr 2007 software update compliance information propagated up the SMS hierarchy following a parent child connection. No additional configuration was required once the parent child relationship was established. Each child site could manage software updates with no dependency on components at the parent site. The new version of SMS has removed this functionality. In order for a parent site to receive software updates compliance information a new component setting has to be enabled (Software Updates Point –SUP). The new SUP role forms its own hierarchy where only the highest SUP in the hierarchy synchronises directly with the internet for new software updates availability. Child site SUPs will not be updated until the parent site SUP is updated.
The ability to use a central site for consolidated reporting is no longer possible without adding this additional layer in your Config Mgr design. Another challenge is the ease of creating summary reports on security update compliance. The new state message based reports, though excellent, will present challenges for seasoned SMS administrators tasked with creating management summary reports.
How to get compliance information at a parent reporting site without a SUP:
This is how to get summary security update status to your parent sites without creating a SUP hierarchy. The solution uses the hardware inventory process to collect summary security update information. This is basic security update information and ideal for creating your management reports. This does not remove the requirement for a SUP at the client’s assigned site. The status of an update is either installed or missing. The information also depends on the old time lag required to receive hardware inventory information from clients.
Steps are as follows:
1. Edit the SMS_DEF.MOF file and append the reporting class data listed at the end of this article
2. Stop sms_executive on the parent site
3. Change the sms_def.mof file in: %ConfigMgrInstallDir%\inboxes\clifiles.src\hinv (Append the class CCM_UpdateStatus at the end of the file.)
4. Start sms_executive on the parent site
5. Repeat steps 2-4 for the child site where the SUP is installed
6. Make sure policy is updated on clients assigned to the child site
7. Run scan/install updates on the clients
8. Run the HINV cycle on the client (or wait for the cycle to run per schedule)
9. Check dataldr.log on the child site; once HINV is received, the Software_Updates_V4_DATA table is created in the database with all the info as per the class below.
10. The same table gets created in the parent site’s database as well
NB: There is no need to compile the SMS_DEF.MOF as this is now done by the site server and clients updated through policy changes. Test this on a lab instance before applying to production sites. This has been tested on Config Mgr 2007 SP1. Append this to the SMS_DEF.MOF:
```mof
//-------------------------------------
// SMS - Software Update Status
//-------------------------------------
[SMS_Report(TRUE),
 SMS_Group_Name("Software Updates v4"),
 SMS_Class_ID("MICROSOFT|UPDATESTATUS|1.0"),
 Namespace("\\\\\\\\.\\\\root\\\\ccm\\\\SoftwareUpdates\\\\UpdatesStore")]
class CCM_UpdateStatus : SMS_Class_Template
{
    [SMS_Report(TRUE), Key]
    string UniqueId;
    [SMS_Report(TRUE)]
    string Title;
    [SMS_Report(TRUE)]
    string Bulletin;
    [SMS_Report(TRUE)]
    string Article;
    [SMS_Report(TRUE)]
    string Language;
    [SMS_Report(TRUE)]
    string SourceUniqueId;
    [SMS_Report(TRUE)]
    DateTime ScanTime;
    [SMS_Report(TRUE)]
    uint32 SourceVersion;
    [SMS_Report(TRUE)]
    uint32 RevisionNumber;
    [SMS_Report(TRUE)]
    string Status;
    [SMS_Report(FALSE)]
    CCM_SourceStatus Sources[];
};
```
In my next article I will provide details of reports which can be created using data from this class, including an SQL view.
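Because this method depends on hardware inventory, the data at the parent site can lag behind reality. The query below is an added example, not part of the original article: it confirms that the Software_Updates_v4_DATA table exists after the procedure above, then lists clients whose most recent scan is older than a threshold, so stale rows are not read as current patch status. The 7-day threshold and the `SMS_XXX` database name are assumptions to adjust.

```sql
USE [SMS_XXX];  -- placeholder: your Config Manager database name
GO

-- Stop early if hardware inventory has not created the table yet.
IF OBJECT_ID(N'dbo.Software_Updates_v4_DATA', N'U') IS NULL
BEGIN
    RAISERROR(N'Software_Updates_v4_DATA not found: check dataldr.log and the SMS_DEF.MOF change.', 16, 1);
    RETURN;
END;

DECLARE @StaleDays int;
SET @StaleDays = 7;  -- assumed threshold; align with your HINV schedule

-- Clients whose newest reported scan is older than the threshold,
-- with the number of updates they last reported as missing.
SELECT s.Netbios_Name0    AS ClientName,
       MAX(d.ScanTime00)  AS Last_Scan,
       SUM(CASE WHEN d.Status00 = 'Missing' THEN 1 ELSE 0 END) AS Missing_Updates
FROM dbo.Software_Updates_v4_DATA AS d
INNER JOIN dbo.v_R_System AS s
    ON s.ResourceID = d.MachineID
GROUP BY s.Netbios_Name0
HAVING MAX(d.ScanTime00) < DATEADD(day, -@StaleDays, GETDATE())
ORDER BY Last_Scan;
```

Clients that never reported do not appear here at all; compare the result against the full client list in v_R_System to find them.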