January 31, 2010

Package processing thread in distmgr.log file?

When I was troubleshooting the copy package issue mentioned in my earlier post, I got some messages saying "package processing thread in queue".

I looked into the exact meaning of this and found that the threads are used for copying packages to distribution points. If we distribute more packages at one time than there are threads, the extra packages are put in a queue. The retry count is used when a copy fails.

Note: In legacy versions of SMS (without service packs), the number of distribution points that could be effectively managed by a site server was small because SMS allocated a single thread per package. This resulted in SMS copying content to one particular distribution point and, when successful, moving on to the next distribution point.
From SMS 2003 SP1 onwards, SMS copies content to multiple DPs in parallel. Because of this change, the failure of a single DP does not halt software distribution. This change improves both reliability and response time for package deployment, and effectively allows a single site to support a much larger number of distribution points.

The following improvements and benefits have resulted from this change:

1. Less time for package distribution to all DPs of the site
2. A single site can support more distribution points
3. The site hierarchy can be simplified by replacing some secondary sites with distribution points in some scenarios
4. Faster software and patch distribution
5. Lower hierarchy deployment costs, which results in fewer site servers
6. Lower maintenance costs, because it is easier to manage a distribution point than a site

January 29, 2010

Failed to hash file, Win32 error = 64: Package not copying to DP

I got this error on one of my DPs while I was trying to copy a package to all the DPs.
I checked the distmgr.log file on the primary site server from which I was copying it to the DPs and found the error there.

As a resolution step, I removed the package from that DP and copied it again.

It worked well.

January 27, 2010

Why MS integrated SQL Reporting Service with Configuration Manager 2007 R2?

With Configuration Manager 2007 R2, a new site role called "Reporting Services Point" was introduced that facilitates reporting using SQL Reporting Services 2005/2008. This is accomplished via a conversion wizard that ships with Configuration Manager 2007 R2 and allows the user to convert all the Configuration Manager reports that currently exist on that site server to SQL Reporting Services based reports and deploy them to the SQL Reporting Server.

Site Role Installation and Configuration

The following outlines the overall workflow in getting a SQL Reporting Services based reporting point up and running:

1. Pre-requisites: Any machine having a valid SQL Reporting Server 2005/2008 instance running on it.
2. Run the site role wizard and install the "Reporting Services Point" on the SQL Reporting Server. The site role wizard asks for a root folder name, which is the folder on the reporting server under which all the reports will be deployed.
3. Once the site role wizard has completed successfully, you should see the server appearing under the Reporting Services node under the Reporting node in the administration console.
4. Right-click on the server and launch the "Copy Reports Wizard".
5. Run through the "Copy Reports Wizard" and select all the reports that you want to convert to SQL Reporting Services based reports.
6. The wizard will then go through the selected reports, convert them into SQL Reporting Services based reports and deploy them to the reporting server under the folder specified in step 2 above.
7. The Copy Reports Wizard groups all the reports by report category, creates a folder for each report category and deploys the reports under the respective report category folder.
8. Once all the reports are deployed, you can see all the report folders in the administration console and run any of the reports from any of the folders. You can run the reports from within the administration console or directly from SQL Reporting Services using the SQL Report Manager (web UI). The SQL Reporting Server Report Manager URL has the following naming convention:
For the default SQL Reporting Server instance the URL to access the report and report folders would be:


For named SQL Reporting server instances the URL would be:


Other functionalities provided within the Configuration Manager administration console

1. Report subscription wizards to create subscriptions for any of the Configuration Manager reports

2. Report authoring tools:

Model based report wizard
The Configuration Manager 2007 R2 release ships two out-of-the-box report models, one for Client Health Reporting and the other for Software Updates Management. The model based report wizard lets users create custom reports using these report models.

SQL Based report wizard
The SQL based report wizard lets SQL-savvy users specify SQL queries and generate reports from those queries. The wizard presents users with a list of all available Configuration Manager database views and their columns, so that formulating SQL queries is easier and less prone to errors and typos.

What are the benefits of SQL reporting services in SCCM?

Benefits of using SQL Reporting Services:

1. Ability to export reports to other formats like Word, Excel, PDF etc.
2. Ability to create report subscriptions that can be scheduled to run at specific times and send reports to interested people. A good user scenario for this would be to create a report subscription for the Software Updates reports and schedule them to run late on Tuesday night or early Wednesday morning, after all the "patch Tuesday" updates have been applied to all systems.
3. The report authoring experience is much enhanced with the tools that come with SQL Reporting Services, like SQL Report Designer. You can either create report models or create SQL-based reports and run them off the SQL Reporting Server.
4. Timeouts can be configured on a per-report basis, depending on which reports potentially return large amounts of data.
5. Since the reports are standard SQL Reporting Services reports, they can easily be imported and exported from one SQL Reporting Server to another.
6. A common request from customers is to be able to run reports off a Configuration Manager database replica before enabling them in the production environment. This can easily be accomplished by simply pointing the data source for the reports to any valid Configuration Manager database: point the data source of the reports to the database replica and, once they have been verified, change the data source to point to the actual production database. This proves very useful for benchmarking environments.
7. Report branding is another functionality frequently requested by customers. This commonly entails customizing the look and feel of reports by changing fonts, font sizes, custom logos etc. With the ability to create custom reports using SQL Reporting Services, customers can now apply their own branding to the reports.
8. SQL Reporting Services can cache reports to lower execution times on subsequent report execution requests. The cache timeout value can be configured depending on how often you expect the report data to change.
9. Report snapshots are an alternative to report caching and can be scheduled to execute at specific times. When you select a report snapshot for viewing, the report server retrieves the stored report from the report server database and shows the data and layout that were current for the report at the time the snapshot was created.

SCCM Reports: Useful Microsoft links

Below are the Microsoft links which help to understand SCCM reports.

Reports home page: http://technet.microsoft.com/en-us/library/bb632942.aspx

How to manage reports: http://technet.microsoft.com/en-us/library/bb632699.aspx

Technical reference for reporting: http://technet.microsoft.com/en-us/library/bb694105.aspx

January 26, 2010

What is difference between Obsolete and Inactive Clients?

I had to understand the difference as it was asked by the management and every administrator should know it.

Obsolete Clients

Obsolete clients are those that have been replaced by new ones. This usually happens during refresh OS deployments where the hardware stays the same, and thus the hardware ID is the same, but the SMS GUID changes because the OS has been reloaded or the GUID is regenerated for another reason while the hardware remains the same.

Reasons:
1. Hard disk swapping
2. Renaming machines
3. Reimaging the OS
4. Reinstalling the SMS/SCCM agent on the machines without a proper uninstall

Inactive Clients

Inactive clients are those that have not been discovered recently by heartbeat discovery. "Recently" is defined in the delete task as a number of days. Please note that obsolete clients are also marked inactive.

Reasons:
1. Offline machines
2. Machines having DNS issues/no name resolution
3. Machines in inventory stock

Note: While I was trying to figure out why some of the machines came under the "no status" or "waiting" state, the above difference helped me a lot.
Here is a scenario:

I had 100% healthy SMS clients in the company's infrastructure and performed activities like deleting obsolete clients and removing stale AD objects on a daily basis. In spite of this, I used to get some machines in the "no status" and "waiting" categories.

The reasons, I figured out, were:
offline machines and machines with no name resolution were in the "waiting" category, and machines which were in IT stock or had been inactive for a period of time were listed under the "no status" category.
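To make the distinction concrete, here is an added example (not from the original post) that applies the two definitions above to a handful of constructed discovery records: a record is obsolete when a newer record shares its hardware ID, and inactive when its last heartbeat is older than the delete task's day threshold. The record fields, dates and threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed discovery records (not real data). The fields mirror what the
# post relies on: SMS GUID, hardware ID and last heartbeat. WS-01 appears
# twice with the same hardware ID: it was reimaged, its client got a new
# GUID, and the older record is what SMS flags as obsolete.
RECORDS = [
    {"name": "WS-01", "sms_guid": "GUID:A1", "hardware_id": "HW-0001",
     "last_heartbeat": "2010-01-20"},
    {"name": "WS-01", "sms_guid": "GUID:A2", "hardware_id": "HW-0001",
     "last_heartbeat": "2010-01-26"},
    {"name": "WS-02", "sms_guid": "GUID:B1", "hardware_id": "HW-0002",
     "last_heartbeat": "2010-01-25"},
    {"name": "WS-03", "sms_guid": "GUID:C1", "hardware_id": "HW-0003",
     "last_heartbeat": "2009-12-20"},   # sitting in IT stock, no heartbeat
]


def classify_clients(records, as_of, inactive_days):
    """Return {sms_guid: set of flags} with flags 'obsolete' and 'inactive'.

    obsolete: another record with the same hardware ID has a newer heartbeat,
              i.e. the GUID changed but the hardware did not.
    inactive: no heartbeat within inactive_days (the delete task's threshold);
              obsolete records are also marked inactive, as the post notes.
    """
    seen = {r["sms_guid"]: datetime.strptime(r["last_heartbeat"], "%Y-%m-%d")
            for r in records}
    # The newest GUID per hardware ID is the live client; the rest are obsolete.
    newest = {}
    for r in records:
        hw = r["hardware_id"]
        if hw not in newest or seen[r["sms_guid"]] > seen[newest[hw]]:
            newest[hw] = r["sms_guid"]
    cutoff = as_of - timedelta(days=inactive_days)
    result = {}
    for r in records:
        flags = set()
        if newest[r["hardware_id"]] != r["sms_guid"]:
            flags.add("obsolete")
        if "obsolete" in flags or seen[r["sms_guid"]] < cutoff:
            flags.add("inactive")
        result[r["sms_guid"]] = flags
    return result


def deployment_targets(records, as_of, inactive_days):
    """GUIDs that are neither obsolete nor inactive.

    Counting only these makes a deployment success-rate percentage
    meaningful once obsolete and inactive records are cleaned up daily.
    """
    flags = classify_clients(records, as_of, inactive_days)
    return sorted(guid for guid, f in flags.items() if not f)


if __name__ == "__main__":
    now = datetime(2010, 1, 26)
    for guid, flags in classify_clients(RECORDS, now, 7).items():
        print(guid, ",".join(sorted(flags)) or "healthy")
    print("targets:", deployment_targets(RECORDS, now, 7))
```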

January 22, 2010

Reasons for malfunctioning of SMS/SCCM Clients

SMS Client Malfunctioning: Possible reasons

1. Machines are not on the network
2. AD Stale Objects
3. Machines not coming under the specified site boundaries
4. Site Code Not Assigned to the machines properly
5. Name Resolution Issue
6. Firewall restrictions: Relevant Ports used by SMS/SCCM should be opened
7. Machines with duplicate GUIDs
8. Policies are not getting downloaded from MP (Management Point)
9. Management Point not functioning well
10. The SMS Client Configuration Manager cannot connect to the client Admin$ share or to the Remote Registry Service (IPC$)
11. The SMS Advanced Client Push Installation account is configured incorrectly or is missing or is locked out
12. Advanced Client Push Installation is not enabled at the appropriate site
13. Newly discovered client computers are not assigned to the current site
14. The SMS Advanced Client Network Access Account is configured incorrectly or is missing or is locked out in a non-Active Directory environment
15. The SMS Advanced Client cannot access the installation file on the SMS site server
16. The Clear Install Flag task is running: as a result, the SMS client will be reported as NO

Explanation on SCCM Discovery Methods - What exactly they discover?

1. Heartbeat discovery
It pings all the machines existing in the network, i.e. domain and workgroup machines are discovered automatically and shown under the "All Systems" collection. If we enable Heartbeat Discovery, the discovery data is refreshed on a schedule that we determine. If we disable Heartbeat Discovery, the discovery data is refreshed only when another discovery method is invoked or run on a schedule.

2. Windows User Account Discovery
It discovers all user accounts in the same domain.

3. Windows User Group Discovery
Windows User Group Discovery is useful for creating group-based collections for software distribution.

4. Network Discovery
Network Discovery discovers the client operating system only if the computer is configured to share resources. It discovers the following:
Topology and client
Topology, client, and client operating system

5. Active Directory User Discovery
It discovers the following:
User name
Unique user name (includes domain name)
Active Directory domain
Active Directory container name
User groups (except empty groups)

Note: We should run Active Directory User Discovery only on primary sites.

6. Active Directory System Discovery
It discovers the following:
Computer name
Active Directory container name
IP address
Assigned Active Directory site

Note: Polling performed by Active Directory System Discovery can generate significant network traffic (approximately 5 KB per client computer).

7. Active Directory Security Group Discovery
It discovers the following:
Domain Local Security groups
Domain Global Security groups
Universal Security groups

Note: We can run Active Directory Security Group Discovery only on primary sites. It polls Active Directory for all system resources in its database, including those discovered at child sites, and including secondary sites. Because Active Directory Security Group Discovery does not contact the computers directly, the computers do not have to be turned on to be discovered.

8. Active Directory System Group Discovery
It discovers the following:
Organizational units
Global groups
Universal groups
Nested groups
Non-security groups

Note: We can run Active Directory System Group Discovery only on primary sites. It polls Active Directory for all system resources in its database, including those discovered at child sites, and including secondary sites. Because Active Directory System Group Discovery does not contact the computers directly, the computers do not have to be turned on to be discovered.

January 21, 2010

How to Manage Obsolete Clients?

If you want an accurate deployment success rate (%), you need to manage obsolete clients on a daily basis.

What I normally do:
Open the SMS Administrator Console -> expand Site Hierarchy -> expand Site Settings -> expand Site Maintenance -> select Tasks -> open the "Delete Obsolete Client Discovery Data" properties and enable it.

Set it to delete data older than 1 day.

After that, click on the "All Systems" collection and check whether any client still shows as obsolete. You can delete those clients from the console itself.

Note: During deployment, a package can be targeted to non-obsolete clients only.

Troubleshooting Management Point Issues: Steps to be taken

MP Issue Description:
Failed to send http request /SMS_MP/.sms_aut?MPLIST. Error 12029 SMS_MP_CONTROL_MANAGER 1/11/2010 4:51:40 PM 3924 (0x0F54)

Http verification .sms_aut (port 80) failed with no header received SMS_MP_CONTROL_MANAGER 1/11/2010 4:51:40 PM 3924 (0x0F54)

How to Handle:
Within IIS, a virtual directory is added under the default website during the Management Point installation. The virtual directory is called "SMS_MP" (without the quotes). This virtual directory is how the advanced clients communicate with the MP; the ISAPI extensions convert the data transmitted to the MP into files and information for insertion into the SMS database.

Note that MPControl is a self-checking component of the Management Point. If it is giving error messages, first check whether the MP functionality is working at all.

A good test is to check whether a given client talking to that MP can send up hardware inventory (check in Resource Explorer) AND whether the client can get policy (use Policy Spy on the client).

To force a full hardware inventory, run this VBScript on the client and then trigger a hardware inventory cycle:

' Connect to the inventory agent namespace on the local client
Dim oLocator
Set oLocator = CreateObject("WbemScripting.SWbemLocator")
Dim oServices
Set oServices = oLocator.ConnectServer(, "root\ccm\invagt")
' Delete the InventoryActionStatus instance for the hardware inventory action
' ({...0001}), so the next hardware inventory cycle sends a full report
' instead of a delta
x = "{00000000-0000-0000-0000-000000000001}"
oServices.Delete "InventoryActionStatus.InventoryActionID=""" & x & """"

If the functionality is OK, most likely only the self tests are wrong. In this case check with the MP Troubleshooter or with the URLs. The cause is most likely network related.

If the functionality is wrong, we need to check:
IIS permissions (do clients have anonymous access? Are the IUSR and IWAM accounts locked out?)

The SMS Management Point and SMS Agent Host service consist of several COM objects. The SMS Agent Host service usually runs under the context of LocalSystem, so increased DCOM security does not often cause a problem for the Advanced Client. The SMS Management Point, however, runs under the identity of the IWAM account, so any additional restrictions on DCOM security can prevent the MP from functioning. If the MP does not start under the IWAM identity, but uses either a copy of this account or an entirely new account, then default permissions may not be enough to start the MP.

SQL (does the MP account have a "clear way" through the OS and SQL permissions to the SQL tables? Use the SMS groups on the site servers!)

Status Message Codes in IIS
If the client's request does appear in the web service log, the next field to look at is the status code. The three-digit return code of an HTTP request consists of two parts. The first digit indicates the general status.

General Status Codes in IIS

First Digit   General Status
2xx           Success
3xx           Redirection
4xx           Client Error
5xx           Server Error

The second two digits give a more descriptive explanation of the status. In some instances, such as a 401 or 403 error code, there will be a sub code, such as 401.1 or 403.4.
A complete list of IIS status codes can be found in the following article:

294807, "HOW TO: Turn Off the Internet Explorer 5.x and 6.x "Show Friendly HTTP Error Messages" Feature on the Server Side"

UrlScan version 2.5 is a security tool that restricts the types of HTTP requests that Internet Information Services will process. By blocking specific HTTP requests, the UrlScan security tool helps prevent potentially harmful requests from reaching the server. URLScan is an ISAPI filter that was designed to block extremely long or incorrectly formatted web requests, which are common means of exploiting buffer overflows. It can also block a variety of verbs and commands in web requests that can exploit security holes or configuration errors.
URLScan 2.5 consists of URLScan.dll, the ISAPI filter, and URLScan.ini, the configuration file. The SMS 2003 toolkit has a modified version of the URLScan.ini file that allows the Management Point ISAPI extensions to pass through. Any previous version of this ini file will cause URLScan to block client communication with the management point. Clients will be able to download packages for advertisements they already know about, but they won't be able to get policy updates or upload inventory. An incorrect version of URLScan on an SMS MP will show up in the IIS logs as:

2005-02-04 17:03:48 GET /ccm_system/request - 80 - ccmhttp 404 0 2
2005-02-04 17:03:48 GET /ccm_system/request - 80 - ccmhttp 404 0 2
2005-02-04 17:03:50 GET /ccm_system/request - 80 - ccmhttp 404 0 2
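As an added example (not part of the original post), the following script parses IIS W3C log lines like the ones quoted above, classifies each status by its first digit as in the table, renders the 401.x/403.x sub code, and flags a run of 404s on the management point paths from the ccmhttp agent, which is the URLScan symptom just described. The sample log, its #Fields layout and the threshold of three hits are constructed assumptions.

```python
from collections import Counter

# Constructed sample in IIS W3C format (not a real log). The column order
# follows the lines quoted in the post (date time method uri query port
# user agent status substatus win32-status); real logs may add s-ip/c-ip
# columns, which the #Fields header takes care of.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-02-04 17:03:48 GET /ccm_system/request - 80 - ccmhttp 404 0 2
2005-02-04 17:03:48 GET /ccm_system/request - 80 - ccmhttp 404 0 2
2005-02-04 17:03:50 GET /ccm_system/request - 80 - ccmhttp 404 0 2
2005-02-04 17:04:01 GET /SMS_MP/.sms_aut MPLIST 80 - SMS_MP_CONTROL_MANAGER 200 0 0
2005-02-04 17:04:05 GET /SMSReporting_XYZ/Report.asp - 80 - Mozilla/4.0 401 2 5
2005-02-04 17:04:07 GET /SMSPKGC$/XYZ00001/setup.exe - 80 - Microsoft+BITS/6.6 200 0 0
"""

# First digit of the status code -> general status, as in the table above.
GENERAL_STATUS = {"2": "Success", "3": "Redirection",
                  "4": "Client Error", "5": "Server Error"}

# Virtual directories an advanced client must reach on the MP (from the
# post). Repeated 404s here from the client agent are the URLScan signature.
MP_PATHS = ("/ccm_system/request", "/sms_mp/.sms_aut")
CLIENT_AGENT = "ccmhttp"


def parse_iis_log(text):
    """Return one dict per request line, keyed by the names in #Fields."""
    fields, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if line.startswith("#") or fields is None:
            continue                      # other directives, or no header yet
        parts = line.split()
        if len(parts) != len(fields):
            continue                      # malformed line: skip, do not crash
        entry = dict(zip(fields, parts))
        for col in ("sc-status", "sc-substatus", "sc-win32-status", "s-port"):
            if col in entry:
                entry[col] = int(entry[col])
        entries.append(entry)
    return entries


def general_status(code):
    """Map an HTTP status to its general class by the first digit."""
    return GENERAL_STATUS.get(str(code)[0], "Unknown")


def full_status(entry):
    """Render status plus sub-status the way IIS reports it, e.g. '401.2'."""
    return f"{entry['sc-status']}.{entry['sc-substatus']}"


def summarize(entries):
    """Count requests per (uri, status) so the noisy paths stand out."""
    return Counter((e["cs-uri-stem"].lower(), e["sc-status"]) for e in entries)


def find_urlscan_symptom(entries, threshold=3):
    """Return MP paths with at least `threshold` 404s from the client agent.

    The threshold is an assumption; the post shows three consecutive hits.
    """
    hits = Counter()
    for e in entries:
        uri = e["cs-uri-stem"].lower()
        agent = e.get("cs(User-Agent)", "").lower()
        if uri in MP_PATHS and e["sc-status"] == 404 and agent == CLIENT_AGENT:
            hits[uri] += 1
    return sorted(u for u, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    entries = parse_iis_log(SAMPLE_LOG)
    for (uri, status), n in summarize(entries).most_common():
        print(f"{n:3d}  {status} {general_status(status):<12} {uri}")
    for uri in find_urlscan_symptom(entries):
        print(f"URLScan/IIS symptom: {uri} returns 404 to {CLIENT_AGENT}; "
              "check the URLScan.ini version on the MP")
```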

NTFS Permissions for IUSR
This section covers the standard default NTFS permissions in a typical SMS environment. In a typical SMS environment, you will have a Management Point, a Reporting Point, a BITS-enabled Distribution Point, and a Server Locator Point. Each of these SMS site components requires a virtual directory within IIS and, subsequently, NTFS permissions for each of those virtual directories.
Below is the default breakdown for those SMS components, for reference.
Management Point (SMS_MP virtual directory)
○ Default path: c:\SMS_CCM\SMS_MP
○ Default NTFS Permissions:
■ Administrators-Full Control
■ Interactive-List Folder Contents
■ IUSR account-List Folder Contents
■ IWAM account-List Folder Contents
■ SYSTEM-Full Control
Management Point (CCM_Incoming virtual directory)
○ Default path: c:\sms\ccm\incoming
○ Default NTFS Permissions:
■ Administrators-Full Control
■ IUSR account-Special:
□ Traverse Folder/Execute File
□ List Folder/Read Data
□ Read Attributes
□ Read Extended Attributes
□ Create Files/Write Data
□ Create Folders/Append Data
□ Delete subfolders and files
□ Read Permissions
■ IWAM account Special:
□ Traverse Folder/Execute File
□ List Folder/Read Data
□ Read Attributes
□ Read Extended Attributes
□ Create Files/Write Data
□ Create Folders/Append Data
□ Delete subfolders and files
□ Read Permissions
■ SYSTEM-Full Control
Management Point (CCM_Outgoing virtual directory)
○ Default Path: c:\SMS\CCM\Outgoing
○ Default Permissions:
■ Administrators-Full Control
■ IUSR Account-Read
■ IWAM Account-Read
■ SYSTEM-Full Control
Management Point (CCM_SYSTEM virtual directory)
○ Default Path: c:\SMS\CCM\ServiceData\System
○ Default Permissions:
■ Administrators-Full Control
■ Interactive-List folder contents
■ IUSR Account-List folder contents
■ IWAM Account-List folder contents
■ SYSTEM-Full Control
Reporting Point (SMSReporting virtual directory)
○ Default Path: C:\inetpub\wwwroot\SMSReporting_
○ Default Permissions:
■ Administrators-Full Control
■ SMS Reporting Users
□ Read & Execute
□ List Folder Contents
□ Read
■ SYSTEM-Full Control
BITS Distribution Point (SMS_DP_SMSPKGC$)
○ Default Path: C:\SMSPKGC$
○ Default Permissions:
■ Administrators-Full Control
■ Guests
□ Read & Execute
□ List Folder Contents
□ Read
■ Users
□ Read & Execute
□ List Folder Contents
□ Read
Server Locator Point (SMS_SLP virtual directory)
○ Default Path: C:\SMS\BIN\I386\SMS_SLP
○ Default Permissions:
■ Administrators-Full Control
■ Everyone
□ Read & Execute
□ List Folder Contents
□ Read
■ SYSTEM-Full Control
Resetting the Password for IUSR
This section describes how to perform a manual IUSR reset if the IUSR password becomes out of sync, either through an attempted manual removal of IIS or through a failed attempt to reset the password via AD Users and Computers or the local user interface if a member
1. Reset the IUSR password via the local user reset password option, or use AD Users and Computers if the machine happens to be a domain controller.
2. Reset the IUSR password in the metabase.xml or metabase.bin file using the Metabase Explorer tool, which can be downloaded from the URL link below:
a. Open Metabase Explorer on the target machine where the password will be reset.

- It is also a good plan to take a network trace of the traffic between client and MP and between MP and site server

SMS Query to get Server Inventory Report

For the server inventory, please run the query below in SQL Server Management Studio.

-- Server inventory: one row per server, joined to the computer system and
-- BIOS inventory views. distinct removes the duplicate rows that appear when
-- a resource has more than one inventory record.
select distinct a.name0, a.user_name0, a.operating_system_name_and0, a.ad_site_name0
from v_r_system a, v_GS_COMPUTER_SYSTEM b, v_GS_PC_BIOS c
where a.resourceid = b.resourceid
  and b.resourceid = c.resourceid
  and a.operating_system_name_and0 like '%server%'

For any further help, please leave a comment.

SMS Query to get Asset Inventory Report of all the workstations

I created this SMS query to get a TCO report for management (it is now being used as the Asset Inventory Report):

-- Workstation inventory: same joins as the server query, filtered on the
-- workstation operating systems. distinct removes duplicate rows.
select distinct a.name0, a.user_name0, a.operating_system_name_and0, a.ad_site_name0
from v_r_system a, v_GS_COMPUTER_SYSTEM b, v_GS_PC_BIOS c
where a.resourceid = b.resourceid
  and b.resourceid = c.resourceid
  and a.operating_system_name_and0 like '%workstation%'

After getting the data, put it in an Excel sheet and apply an advanced filter, because we sometimes get duplicate rows after running the query.

For any further help, please mail me or leave a comment.

January 19, 2010

TechNet Webcast: Technical Overview: System Center Configuration Manager 2007 SP2 and R3 (Level 200)

Here's the link below:


Let's enhance our skills.

What's New in Microsoft System Center Operations Manager 2007 R2 ?

Microsoft System Center Operations Manager 2007 R2 delivers end-to-end service management of applications and IT services running across your datacenter fabric, providing you greater control and insight into the health and performance of your Microsoft, UNIX, and Linux servers, and the workloads running on them. With Operations Manager 2007 R2, you can reduce the cost of managing your datacenter, and assure delivery of IT services to expected and agreed levels.

Download Operations Manager 2007 R2:

Enhances application performance and availability across platforms in the datacenter through cross platform monitoring, delivering an integrated experience for discovery and management of systems and their workloads, whether Windows, UNIX or Linux.

Download the Service Level Dashboard

Enhances performance management of applications in the datacenter with service level monitoring, delivering the ability to granularly define service level objectives that can be targeted against the different components that comprise an IT service.

Increases the speed of access to monitoring information and functionality with UI improvements and simplified management pack authoring. Examples include an enhanced console performance and dramatically improved monitoring scalability (e.g., over 1000 URLs can be validated per agent, allowing scaling to the largest of web-based workloads)

Basic difference between .MSI and .MST File

Packages (.MSI files)

This is the file that contains the instructions for MSIEXEC.EXE to install the application. The MSI file is a database file format and is now the preferred application packaging format for the Windows platform. Sometimes the MSI file gets too big and some or all of the files are placed in a .CAB file.

Transforms (.MST files)

In the MSI world, if you didn't create the MSI file, you want to keep the MSI file from the developer intact. To make changes beyond what the original MSI does, you use a transform. The transform is applied at the time that the MSI package is installed. If you repackaged an application and it failed, the original developer of the application would sometimes refuse to support it, since repackaging strips out their installation logic.

If you create your own MSI packages you can also use transforms to change some parameters for each department of your company. That way you have only one package to maintain and nobody can accuse you of doing a better package for one department vs. another.

Note: Transform files are in fact MSI files with a different file extension. The contents of both files are merged together at install time. They are not supposed to add files to the package, but there are ways. Wise Package Studio does allow adding files using transforms, but it creates a CAB file to bring the files in without breaking the MSI rules.

MSI Authoring Tools

The following tools can be used to edit MSI packages:

• InstallShield Developer
• Wise for Windows Installer
• InstallShield Express
• InstallShield DevStudio
• Instyler EX-it!
• MaSaI Editor
• Wise for Visual Studio.NET

InstallShield Command Line Parameters

The following are the InstallShield Command Line Parameters:

/v Passes parameters to MSI package.
/s Causes setup.exe to be silent.
/l Specifies the setup language.
/a Performs administrative installation.
/j Installs in advertise mode.
/x Performs setup uninstall.
/f Launches setup in repair mode.
/w Setup.exe waits for the installation to finish before exiting.
/qn A Windows Installer MSI parameter that causes everything but setup.exe to be silent. This sets the user interface level to zero.

MSI Repackaging Tools

1. AdminStudio
2. Package Studio
3. WiX
4. InstallAware
5. MSI Studio
7. Prism Pack
8. WinInstall
9. RapidInstall (Deployment Solution)
10. SMS Installer
11. NetInstall
12. MSI Packager
13. InstallSpy
14. Wise Packaging Studio

Script to ping a list of machines and export result in Excel File

Create a file "MachineList.txt" and put one machine name per line in it.

Copy the script below into Notepad and save it as "ping_result.vbs".
Run the script from a command prompt in the same directory as the text file.

Run method: cscript ping_result.vbs


' Ping every host listed in MachineList.txt (one name per line) and write
' the result to a new Excel sheet. Run with: cscript ping_result.vbs
Set objExcel = CreateObject("Excel.Application")
objExcel.Visible = True
objExcel.Workbooks.Add   ' a new Excel instance has no workbook until one is added
intRow = 2

objExcel.Cells(1, 1).Value = "Machine Name"
objExcel.Cells(1, 2).Value = "Results"

Set Fso = CreateObject("Scripting.FileSystemObject")
Set InputFile = Fso.OpenTextFile("MachineList.txt")
Set WshShell = WScript.CreateObject("WScript.Shell")

Do While Not InputFile.AtEndOfStream
    HostName = Trim(InputFile.ReadLine)
    If HostName <> "" Then
        ' ping -n 1 returns 0 when a reply is received, 1 otherwise;
        ' the window is hidden (0) and the script waits for it (True)
        Ping = WshShell.Run("ping -n 1 " & HostName, 0, True)

        objExcel.Cells(intRow, 1).Value = HostName
        Select Case Ping
            Case 0
                objExcel.Cells(intRow, 2).Value = "On Line"
            Case Else
                objExcel.Cells(intRow, 2).Value = "Off Line"
        End Select

        intRow = intRow + 1
    End If
Loop
InputFile.Close

' Highlight the header row
objExcel.Range("A1:B1").Select
objExcel.Selection.Interior.ColorIndex = 19
objExcel.Selection.Font.ColorIndex = 11
objExcel.Selection.Font.Bold = True

Script to connect to an SMS Provider

' Connect to an SMS Provider

Dim objSWbemLocator
Dim objSWbemServices
Dim ProviderLoc
Dim Location

Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")

' Connect to the local machine first and ask it where the site's provider lives
Set objSWbemServices = objSWbemLocator.ConnectServer _
    (".", "root\sms")

Set ProviderLoc = objSWbemServices.InstancesOf("SMS_ProviderLocation")

For Each Location In ProviderLoc
    If Location.ProviderForLocalSite = True Then
        ' Reconnect to the site namespace on the provider machine
        Set objSWbemServices = objSWbemLocator.ConnectServer _
            (Location.Machine, "root\sms\site_" + Location.SiteCode)
    End If
Next

Script to update SMS Package

On Error Resume Next
Dim objSWbemLocator
Dim objSWbemServices
Dim ProviderLoc
Dim Location
Dim PackageID
Dim colPackages
Dim Package

' Enter the package ID of the package to be updated; here it is taken from
' the command line, e.g. cscript updatepkg.vbs <PackageID> (script name is an example)
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript updatepkg.vbs <PackageID>"
    WScript.Quit 1
End If
PackageID = WScript.Arguments(0)

' Connect to the local SMS site's Provider by using SWbemLocator
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")

Set objSWbemServices = objSWbemLocator.ConnectServer(".", "root\sms")
Set ProviderLoc = objSWbemServices.InstancesOf("SMS_ProviderLocation")

For Each Location In ProviderLoc
    If Location.ProviderForLocalSite = True Then
        Set objSWbemServices = objSWbemLocator.ConnectServer _
            (Location.Machine, "root\sms\site_" + Location.SiteCode)
    End If
Next

' Find the package in the SMS_Package class and use the RefreshPkgSource
' method to initiate the update
Set colPackages = objSWbemServices.ExecQuery _
    ("Select * from SMS_Package where PackageID = '" & PackageID & "'")

If colPackages.Count <> 0 Then
    For Each Package In colPackages
        Package.RefreshPkgSource()
        WScript.Echo "Package '" & PackageID & "' Updated!"
    Next
Else
    WScript.Echo "Package '" & PackageID & "' Not Found!"
End If

January 18, 2010

The Configuration Manager 2007 Toolkit

The Configuration Manager 2007 Toolkit - Microsoft’s System Center Configuration Manager 2007 Toolkit contains a number of tools to help you manage and troubleshoot ConfigMgr 2007.
You can download the Toolkit from http://www.microsoft.com/downloads/details.aspx?familyid=948e477e-fd3b-4a09-9015-141683c7ad5f&displaylang=en (or go to http://www.microsoft.com/downloads and search for System Center Configuration Manager 2007 Toolkit).

Hardware Inventory Through WMI

ConfigMgr uses two MOF files to control hardware inventory:

SMS_Def.mof—Specifies the information reported to the management point during the client inventory retrieval cycle. The actual SMS_Def.mof file is not downloaded to the ConfigMgr client. Instead, the client receives changes to reporting class configuration as part of its machine policy.

Configuration.mof—Defines custom data classes the hardware inventory client agent will inventory. In addition to standard WMI classes, such as the Win32 classes, you can create data classes to provide inventory data that is accessible through WMI, such as data from the client’s system Registry. ConfigMgr clients download the Configuration.mof file as part of their machine policy retrieval cycle. Any changes are compiled and loaded into the WMI repository.

The ConfigMgr client stores its machine policy in the Root\CCM\Policy\Machine WMI namespace. You can use the WMI Object Browser from the WMI Administrative Tools to examine some of the inventory-related objects in this namespace. To launch the WMI Object Browser and connect to the ConfigMgr machine policy namespace, perform the following steps:

1.Select Start -> All Programs -> WMI Tools -> WMI Object Browser.
2.The WMI Object Browser opens a web browser and attempts to run an ActiveX control.
3.If your browser blocks the control, select the option Allow Blocked Content.
4.Change the entry in the Connect to namespace dialog box to Root\CCM\Policy\Machine and then click OK.
5.Click OK to accept the default logon settings.
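The same Configuration.mof pattern done by hand, as an added example that is not part of the original post: define a registry-backed class the way a Configuration.mof extension does, compile it with mofcomp.exe, read it back, and then list the inventory-related classes in the client's machine policy namespace without the Object Browser. The registry key and class name are hypothetical; run it in an elevated PowerShell, and note that the last query only returns anything on a ConfigMgr client.

```powershell
# Added example (not from the original post). Registry path and class name are
# hypothetical; run elevated, because mofcomp writes to the CIM repository.
param(
    [string]$RegistryPath = 'HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Agent',  # hypothetical key
    [string]$ClassName    = 'Contoso_AgentInfo'                           # hypothetical class
)

# MOF strings use C-style escapes, so every backslash in the registry path is doubled.
$regEsc = $RegistryPath.Replace('\', '\\')

# The Registry property provider (RegPropProv) fills the [Dynamic] properties from the
# registry each time the class is queried; the "Local|" prefix means the local machine.
$mof = @"
#pragma namespace ("\\\\.\\root\\cimv2")

[DYNPROPS]
class $ClassName
{
    [key] string KeyName;
    string Version;
    string InstallDate;
};

[DYNPROPS]
instance of $ClassName
{
    KeyName = "Default";
    [PropertyContext("Local|$regEsc|Version"),     Dynamic, Provider("RegPropProv")] Version;
    [PropertyContext("Local|$regEsc|InstallDate"), Dynamic, Provider("RegPropProv")] InstallDate;
};
"@

$mofFile = Join-Path $env:TEMP 'contoso_inventory.mof'
Set-Content -Path $mofFile -Value $mof -Encoding ASCII

# mofcomp.exe ships with every WMI installation; it parses the file and loads the class
# and instance into the CIM repository, which is what the client does with the
# Configuration.mof it receives through machine policy.
& "$env:SystemRoot\System32\wbem\mofcomp.exe" $mofFile
if ($LASTEXITCODE -ne 0) { throw "mofcomp.exe failed with exit code $LASTEXITCODE" }

# Read it back. Missing registry values come back empty rather than failing, which is
# the usual sign that a PropertyContext path is wrong.
Get-WmiObject -Namespace 'root\cimv2' -Class $ClassName |
    Select-Object KeyName, Version, InstallDate

# On a ConfigMgr client the machine policy lives in root\CCM\Policy\Machine; list the
# inventory-related class names there instead of clicking through the Object Browser.
Get-WmiObject -Namespace 'root\ccm\Policy\Machine' -List -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*Inventory*' } |
    Select-Object -ExpandProperty Name
```

Defining the class only makes the data visible in WMI; the site still has to list it as a reporting class in SMS_Def.mof before the hardware inventory agent collects it.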

Using the WMIDiag Utility

Using the WMIDiag Utility - SMS was one of the first applications to take advantage of WMI. At one time, SMS was often the only WMI management application running on many Windows machines. In those days, it was a common practice among SMS administrators to simply delete the repository when WMI errors were detected, and then restart WMI to re-create the repository. This is no longer a safe practice, because many applications depend on data stored in the repository. Moreover, WMI errors can result from many other problems in your environment and may have nothing to do with WMI itself.

Rather than deleting the repository, you should obtain the WMI Diagnosis Utility (WMIDiag) from the Microsoft download site (http://www.microsoft.com/downloads/details.aspx?familyid=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&displaylang=en, or go to http://www.microsoft.com/downloads and search for WMIDiag). WMIDiag can help you diagnose most WMI problems, and in many cases it provides detailed instructions on how to correct those problems.

How can I manage WMI?

The Windows WMI Control is a graphical tool for managing the most important properties of the WMI infrastructure. Only members of the local Administrators group can use the WMI Control. To run this tool, perform the following steps:

1.Launch the Computer Management MMC snap-in. The exact procedure will vary depending on the version of Windows you are running. Generally you can right-click Computer or My Computer, and choose Manage.

2.Expand the Services and Applications node in the tree pane.

3.Right-click WMI Control and choose Properties.

Managing WMI on a Remote Machine - You can use the WMI Control tool to manage WMI on the local machine or on a remote machine. To connect to WMI on a remote machine, you follow the same procedure previously described in this section, with one additional step. Immediately after step 1, right-click the Computer Management node at the top of the tree and choose Connect to another computer. Then enter the name or IP address of the computer you want to manage and click OK. After connecting to the remote machine, complete steps 2 and 3 in the procedure.

Note that in addition to administrative privilege on the remote machine, you will need appropriate DCOM permissions (described later in this section). Also, DCOM network protocols must not be blocked on the remote machine or on any intermediary devices.
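A connectivity check to run before reaching for the WMI Control against a remote machine, added here as an example and not part of the original post: it makes one remote WMI call and translates the DCOM failures you will actually meet into what to fix. The computer name is a placeholder; run it as an account that is a local administrator on the target.

```powershell
# Added example (not from the original post). The computer name below is a placeholder.
function Test-RemoteWmi {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )

    $wmiParams = @{
        ComputerName = $ComputerName
        Namespace    = 'root\cimv2'
        Class        = 'Win32_OperatingSystem'
        ErrorAction  = 'Stop'
    }
    if ($Credential) { $wmiParams['Credential'] = $Credential }

    try {
        $os = Get-WmiObject @wmiParams
        New-Object PSObject -Property @{
            Computer  = $ComputerName
            Reachable = $true
            Detail    = '{0} build {1}, last boot {2}' -f $os.Caption, $os.BuildNumber,
                        $os.ConvertToDateTime($os.LastBootUpTime)
        }
    }
    catch {
        # Get-WmiObject surfaces DCOM problems as COM errors; the message text is the
        # most portable thing to match on across PowerShell versions.
        $msg = $_.Exception.Message
        $detail = switch -Regex ($msg) {
            'RPC server is unavailable' {
                'No DCOM/RPC path to the host (0x800706BA): host down, or TCP 135 plus the ' +
                'dynamic RPC port range blocked on the host or an intermediary'; break }
            'Access is denied' {
                'Reached WMI but refused (0x80070005): check local Administrators membership, ' +
                'DCOM Launch/Activation limits and WMI namespace security'; break }
            'Invalid namespace' { 'WMI answered but the namespace does not exist on the target'; break }
            default { $msg }
        }
        New-Object PSObject -Property @{ Computer = $ComputerName; Reachable = $false; Detail = $detail }
    }
}

Test-RemoteWmi -ComputerName 'server01.corp.example' | Format-List   # placeholder name
```

If the call fails with the RPC error but the host answers a ping, the usual cause is a firewall between you and the target that allows 135 but not the dynamic RPC range DCOM negotiates afterwards.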

How does WMI fetch data?

1.Management applications submit a request to the WMI infrastructure, which passes the request to the appropriate provider.

2.The provider then handles the interaction with the actual system resources and returns the resulting response to WMI.

3.WMI passes the response back to the calling application. The response may be actual data about the resource or the result of a requested operation.

Understanding the difference between WQL and SQL

The following points summarize how WQL differs from SQL:

  1. WMI provides its own query language that allows you to query managed objects as data providers.
  2. WMI Query Language (WQL) is essentially a subset of SQL (Structured Query Language) with minor semantic changes.
  3. Unlike SQL, WQL does not provide statements for inserting, deleting, or updating data and does not support stored procedures.
  4. WQL does have extensions that support WMI events and other features specific to WMI. WQL is the basis for Configuration Manager queries, whereas SQL is used for ConfigMgr reports.
  5. One important advantage of WQL is that a WQL query can return WMI objects as well as specific properties.
  6. Because management applications such as the Configuration Manager console interact with WMI objects, WQL queries can return result sets that you can use within the ConfigMgr infrastructure. For example, Configuration Manager collections are based on WQL queries.
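The points above run as queries, as an added example that is not part of the original post: object versus property queries, the WMI-only ASSOCIATORS OF and event syntax against root\cimv2 (which every Windows machine has), and finally a collection-style query against the SMS Provider namespace. The site code 'ABC' and the site server name are placeholders; everything else runs without ConfigMgr.

```powershell
# Added example (not from the original post). Site code and site server are placeholders.

# 1. "SELECT *" returns full WMI objects, so methods such as GetOwner() are callable.
$procs = @(Get-WmiObject -Namespace 'root\cimv2' -Query "SELECT * FROM Win32_Process WHERE Name = 'lsass.exe'")
foreach ($p in $procs) {
    $owner = $p.GetOwner()
    '{0,-10} PID {1,-6} runs as {2}\{3}' -f $p.Name, $p.ProcessId, $owner.Domain, $owner.User
}

# 2. Selecting properties projects columns like SQL; there is no INSERT/UPDATE/DELETE
#    and no JOIN. Related objects are reached through associations instead (step 3).
Get-WmiObject -Namespace 'root\cimv2' -Query "SELECT Name, ProcessId FROM Win32_Process WHERE Name LIKE 'svchost%'" |
    Select-Object Name, ProcessId

# 3. ASSOCIATORS OF is WQL-only: walk from a logical disk to the partition behind it.
Get-WmiObject -Namespace 'root\cimv2' -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='C:'} WHERE ResultClass = Win32_DiskPartition" |
    Select-Object DeviceID, Size

# 4. Event queries are the other WQL extension: report every new process for 30 seconds.
Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'" `
    -SourceIdentifier 'NewProcess' `
    -Action { Write-Host ('new process: ' + $Event.SourceEventArgs.NewEvent.TargetInstance.Name) } | Out-Null
Start-Sleep -Seconds 30
Unregister-Event -SourceIdentifier 'NewProcess'

# 5. A ConfigMgr collection query is this same WQL, evaluated by the SMS Provider in
#    root\SMS\site_<sitecode>. WQL has no bind variables, so validate any user-supplied
#    value before splicing it into the string.
$siteCode   = 'ABC'                    # placeholder
$siteServer = 'cm01.corp.example'      # placeholder
$wql = "SELECT ResourceId, Name FROM SMS_R_System " +
       "WHERE OperatingSystemNameandVersion LIKE 'Microsoft Windows NT Workstation 6.1%'"
Get-WmiObject -ComputerName $siteServer -Namespace "root\SMS\site_$siteCode" -Query $wql |
    Select-Object Name, ResourceId
```

The objects from step 1 are the reason collections work the way they do: the console gets back SMS_R_System instances, not rows, and can act on them directly.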

Hope it helps!

Benefits of Extending Active Directory

Once you extend the Active Directory schema and perform the other steps necessary to publish site information to AD, clients in the same AD forest as your ConfigMgr sites can query AD to locate Configuration Manager services and retrieve important information about your ConfigMgr sites. Those clients in workgroups and domains without trust relationships are not able to take advantage of the schema extensions.

The following ConfigMgr features require extending the AD schema and publishing site information to AD:

Global roaming—Roaming in ConfigMgr allows clients such as laptop computers to connect to the network at various locations and receive certain services from the local site. The schema extensions allow a client to query AD for the mSSMSRoamingBoundaryRange objects and determine whether a site exists on the IP subnet of their current network location. This is known as global roaming. Without the schema extensions, clients can only receive services when at their assigned site or roaming to the sites below their assigned site in the ConfigMgr hierarchy.

Global roaming can make content available to clients at network locations where it would otherwise not be available. Global roaming can also prevent unnecessary network traffic otherwise caused by those clients at remote locations requiring services from their assigned site.

Network Access Protection—You can use ConfigMgr’s NAP capabilities to prevent clients that do not comply with specified security patch requirements from connecting to the network. NAP requires the client to retrieve health state reference information stored in the attributes of the mSSMSSite AD object.

Client site assignment—To receive ConfigMgr services, you must first assign a client system to a site. The schema extensions provide an option for the client to retrieve the information from AD that it needs to identify and contact its assigned site.

Client installation properties—A number of configurable options, such as the size of the download cache, are available through the extended schema.

Site mode settings—The extended schema can supply information to the client about the site’s security mode and certificate information required for native sites.

Server locator point and management points—Clients can use Active Directory to identify the server locator point and management points. Without the schema extensions you must provide this information in other ways, such as manually creating special Windows Internet Naming Service (WINS) entries.

Custom Transmission Control Protocol (TCP)/Internet Protocol (IP) Port information—If a site has been configured to use nonstandard ports for client communications, this information can be provided through the schema extensions.

In addition, the schema extensions allow for automated public key exchange, thus facilitating site-to-site communication. If you have clients assigned to your central site and do not have the schema extended, recovery from a site failure can require reprovisioning all clients manually using the trusted root key.

ConfigMgr 2007 schema modifications

ConfigMgr 2007 schema modifications create four new classes and 14 new attributes used with these classes. The classes created represent the following:

Management points—Clients can use this information to find a management point.

Roaming boundary ranges—Clients can use this information to locate ConfigMgr services when they connect to the network at a location not within the boundaries of their assigned site.

Server locator points (SLPs)—Clients can use this information to find an SLP.

ConfigMgr sites—Clients can retrieve important information about the site from this AD object.
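A way to check what a site actually publishes, as an added example that is not part of the original post: it reads the four object classes above out of the System Management container using only the built-in [ADSI] accelerators, so it runs on any domain-joined machine without RSAT, and then shows which computer accounts hold rights on that container (the site server needs Full Control there to publish). mSSMSSiteCode and mSSMSMPName are attributes from the 2007 schema; the mSSMSRangedIPLow/High pair on roaming boundary range objects is from memory and treated as an assumption.

```powershell
# Added example (not from the original post). Runs against the current domain;
# the mSSMSRangedIPLow/High attribute names are an assumption.
function Get-FirstValue($collection) {
    if ($collection -and $collection.Count -gt 0) { $collection[0] }
}

function Get-ConfigMgrAdPublishing {
    $dn   = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $path = "LDAP://CN=System Management,CN=System,$dn"
    if (-not [ADSI]::Exists($path)) {
        throw 'No System Management container: create it and grant the site server computer account Full Control before publishing'
    }
    $container = [ADSI]$path

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter = '(|(objectClass=mSSMSSite)(objectClass=mSSMSManagementPoint)' +
                       '(objectClass=mSSMSServerLocatorPoint)(objectClass=mSSMSRoamingBoundaryRange))'
    $searcher.PageSize = 500
    foreach ($attr in 'cn', 'objectClass', 'mSSMSSiteCode', 'mSSMSMPName', 'dNSHostName',
                      'mSSMSRangedIPLow', 'mSSMSRangedIPHigh') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        $p    = $result.Properties
        $host = Get-FirstValue $p['mssmsmpname']
        if (-not $host) { $host = Get-FirstValue $p['dnshostname'] }
        $low  = Get-FirstValue $p['mssmsrangediplow']
        $high = Get-FirstValue $p['mssmsrangediphigh']
        $range = $null
        if ($low -ne $null) { $range = "$low-$high" }
        New-Object PSObject -Property @{
            Class    = ($p['objectclass'] | Select-Object -Last 1)   # most specific class
            Name     = Get-FirstValue $p['cn']
            SiteCode = Get-FirstValue $p['mssmssitecode']
            Host     = $host
            IPRange  = $range
        }
    }
}

function Get-SystemManagementAcl {
    # Computer accounts (names ending in $) with rights on the container: the site
    # server should be here with GenericAll; anything else deserves a question.
    $dn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $container = [ADSI]"LDAP://CN=System Management,CN=System,$dn"
    $container.psbase.ObjectSecurity.Access |
        Where-Object { $_.IdentityReference.Value -like '*$' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}

Get-ConfigMgrAdPublishing | Format-Table Class, Name, SiteCode, Host, IPRange -AutoSize
Get-SystemManagementAcl   | Format-Table -AutoSize
```

An empty result with the container present usually means the schema is extended but the site property Publish this site in Active Directory Domain Services is off, or the site server account lacks rights on the container.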

Introduction to COM - What It Is and How to Use It?

Very useful information. Please refer to the link below:


ID Mifs Vs No ID Mifs

For SMS, standard MIF files are called NOIDMIF files. These files do not contain a unique identifier for the data. They have no ID. SMS automatically associates NOIDMIF file data with the computer that the NOIDMIF files are collected from.

SMS also supports IDMIF MIF files. These files do contain a unique ID, and are not associated with the computer they are collected from. IDMIF files can be used to collect inventory data about devices that are in the vicinity of a computer, but not actually associated with it. For example, a shared network printer, video cassette recorder, photocopier, or similar equipment is not associated with any specific computer, but you might want to record data about it for asset management purposes. This data is stored in separate tables in the SMS site database.

IDMIF extensions (or custom DDRs) can also be used to create new tables in the SMS site database that you might need for reporting purposes. For example, you might have asset management data that is not strongly tied to individual computers. This data is not appropriate for NOIDMIF files or MOF extensions, but you want to join it with SMS data for reporting purposes.

What is MIF (Management Information Format)? Why does SCCM use it?

Management Information Format (MIF file) is a format used to describe a hardware or software component. MIF files are used by Desktop Management Interface (DMI) to report system configuration information. Although MIF is a system-independent format, it is used primarily by Windows systems. To install a new device in a Windows 95 system, the corresponding MIF file is needed.

SCCM can use MIF files to determine the success or failure of an installation. After a program has finished executing, SCCM will look in the %windir% and %temp% directories for new MIF files (created after the time of the program execution start) and then match them on any or all of the following criteria:

•Name of the MIF file (only need to specify the name portion, leaving off the “.MIF”, in package properties)
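A small MIF writer covering both posts above, added here as an example and not part of the original page: it produces a NOIDMIF that extends hardware inventory for the computer it is collected from, and a status MIF that a setup program leaves behind so SCCM can judge success or failure. The Start/End Component, Group and Attribute layout is the DMI MIF grammar; the ComponentID and InstallStatus groups with their DMTF|ComponentID|1.0 and MICROSOFT|JOBSTATUS|1.0 classes follow the status-MIF layout produced by ISMIF32.DLL as I recall it, and the NOIDMIF folder under the 2007 client is an assumption. The demo writes both files to %TEMP%.

```powershell
# Added example (not from the original posts). Class strings for the status MIF and
# the client Noidmifs folder are assumptions; the Contoso values are made up.
function Format-MifAttribute {
    param([int]$Id, [string]$Name, [string]$Value, [int]$Width = 64)
    # MIF values are double-quoted, so a quote inside the value would break the
    # parser; swap it for a single quote rather than trusting the caller.
    $v = $Value.Replace('"', "'")
@"
    Start Attribute
      Name = "$Name"
      ID = $Id
      Access = Read-Only
      Storage = Specific
      Type = String($Width)
      Value = "$v"
    End Attribute
"@
}

function Format-MifGroup {
    param([int]$Id, [string]$Name, [string]$Class, [string[]]$Attributes)
    $body = $Attributes -join "`r`n"   # attribute ID 1 is the key
@"
  Start Group
    Name = "$Name"
    ID = $Id
    Class = "$Class"
    Key = 1
$body
  End Group
"@
}

function Format-MifComponent {
    param([string]$Name, [string[]]$Groups)
    $body = $Groups -join "`r`n"
@"
Start Component
  Name = "$Name"
$body
End Component
"@
}

function New-NoidMif {
    # Asset data with no unique ID: SMS/SCCM attaches it to the computer it is collected from.
    param([string]$AssetTag, [string]$CostCenter, [string]$Path)
    $attrs = @(
        (Format-MifAttribute -Id 1 -Name 'Asset Tag'   -Value $AssetTag   -Width 32),
        (Format-MifAttribute -Id 2 -Name 'Cost Center' -Value $CostCenter -Width 32)
    )
    $group = Format-MifGroup -Id 1 -Name 'Asset Info' -Class 'Contoso|AssetInfo|1.0' -Attributes $attrs
    $text  = Format-MifComponent -Name 'System Information' -Groups @($group)
    Set-Content -Path $Path -Value $text -Encoding ASCII
    $text
}

function New-StatusMif {
    # Install status for SCCM: only "Success" or "Failed" in the Status attribute counts.
    param([string]$Product, [string]$Version, [bool]$Succeeded, [string]$Description, [string]$Path)
    $componentId = @(
        (Format-MifAttribute -Id 1 -Name 'Manufacturer'  -Value 'Contoso'),
        (Format-MifAttribute -Id 2 -Name 'Product'       -Value $Product),
        (Format-MifAttribute -Id 3 -Name 'Version'       -Value $Version),
        (Format-MifAttribute -Id 4 -Name 'Locale'        -Value 'ENU'),
        (Format-MifAttribute -Id 5 -Name 'Serial Number' -Value ''),
        (Format-MifAttribute -Id 6 -Name 'Installation'  -Value (Get-Date).ToString('yyyy-MM-dd HH:mm:ss'))
    )
    if ($Succeeded) { $status = 'Success' } else { $status = 'Failed' }
    $installStatus = @(
        (Format-MifAttribute -Id 1 -Name 'Status'      -Value $status      -Width 32),
        (Format-MifAttribute -Id 2 -Name 'Description' -Value $Description -Width 128)
    )
    $groups = @(
        (Format-MifGroup -Id 1 -Name 'ComponentID'   -Class 'DMTF|ComponentID|1.0'    -Attributes $componentId),
        (Format-MifGroup -Id 2 -Name 'InstallStatus' -Class 'MICROSOFT|JOBSTATUS|1.0' -Attributes $installStatus)
    )
    $text = Format-MifComponent -Name 'Workstation' -Groups $groups
    Set-Content -Path $Path -Value $text -Encoding ASCII
    $text
}

# Demo. In production the NOIDMIF belongs in %windir%\System32\CCM\Inventory\Noidmifs
# (2007 client default, assumed) and the status MIF in %TEMP% or %windir%, the two
# folders SCCM scans after the program ends.
New-NoidMif   -AssetTag 'A-0001' -CostCenter '4711' -Path "$env:TEMP\asset.mif"
New-StatusMif -Product 'Contoso Agent' -Version '1.2.0' -Succeeded $false `
              -Description 'Prerequisite missing' -Path "$env:TEMP\ContosoAgent.mif"
```

Because only the file name (without .MIF) is matched, keep it unique per package. Keep in mind too that anyone who can write to %windir% or %TEMP% on the client can drop a "Success" MIF, so the status is evidence from the client, not proof of what happened.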

January 17, 2010

Recommended Reading books for SCCM, SCOM and WMI Scripting

System Center Configuration Manager (SCCM) 2007 Unleashed (Paperback)
Kerrie Meyler (Author),Byron Holt (Author),Greg Ramsey (Author)

System Center Operations Manager 2007 Unleashed (Paperback)
Kerrie Meyler (Author),Cameron Fuller(Author),John Joyner (Author),
Andy Dominey (Author)

WMI Scripting:
Ed Wilson, Microsoft Windows Scripting with WMI: Self-Paced Learning Guide.

WMI Tools

Some WMI tools can also be useful during the design and development phases. These tools are:

The MOF compiler (MOFComp.exe):
The Managed Object Format (MOF) compiler parses a file containing Managed Object Format statements and adds the classes and class instances defined in the file to the CIM repository. The MOF format is a specific syntax to define CIM class representation in an ASCII file (e.g. MIB are to SNMP what MOF files are to CIM). MOFComp.exe is included in every WMI installation. Every definition existing in the CIM repository is initially defined in an MOF file. MOF files are located in %SystemRoot%\System32\WBEM. During the WMI setup, they are loaded in the CIM repository.
The WMI Administrative Tools: The WMI Administrative Tools are made of four tools: WMI CIM Studio, WMI Object Browser, WMI Event Registration and WMI Event Viewer.

WMI Administrative Tools can be downloaded here.


The most important tool for a WMI provider developer is WMI CIM Studio as it helps in the initial WMI class creation in the CIM repository. It uses a web interface to display information and relies on a collection of ActiveX components installed on the system when it runs for the first time.
WMI CIM Studio provides the ability to:
1. Connect to a chosen system and browse the CIM repository in any namespace available.
2. Search for classes by their name, by their descriptions or by property names.
3. Review the properties, methods and associations related to a given class.
4. See the instances available for a given class of the examined system.
5. Perform queries in the WQL language.
6. Generate an MOF file based on selected classes.
7. Compile an MOF file to load it in the CIM repository.

WinMgmt.exe is not a tool; it is the executable that implements the WMI Core service. Under the Windows NT family of operating systems, WMI runs as a service. On computers running Windows 98, Windows 95 or Windows Me, WMI runs as an application. Under the Windows NT family of operating systems, it is also possible to run this executable as an application, in which case, the executable runs in the current user context. For this, the WMI service must be stopped first. The executable supports some switches that can be useful when starting WMI as a service or as an application. WMI provider developers who may want to debug their providers essentially need to run the WMI service as an application.

WBEMTest.exe is a WMI tester tool, which is delivered with WMI. This tool allows an administrator or a developer to perform most of the tasks from a graphical interface that WMI provides at the API level. Although available under all Windows NT-based operating systems, this tool is not officially supported by Microsoft. WBEMTest provides the ability to:
1.Enumerate, open, create and delete classes.
2.Enumerate, open, create and delete instances of classes.
3.Select a namespace.
4.Perform data and event queries.
5.Execute methods associated to classes or instances.
6.Execute every WMI operation asynchronously, synchronously or semi-asynchronously.

The WMI command line tool (WMIC):
WMIC is a command-line tool designed to ease WMI information retrieval about a system by using some simple keywords (aliases). WMIC.exe is only available under Windows XP Professional, Windows Server 2003, Windows Vista and Windows Server 2008. By typing “WMIC /?” from the command-line, a complete list of the switches and reserved keywords is available. ( windows vista users, "WMIC /?" won't work, instead type only "/?" )
There is a Linux port of WMI command line tool, written in Python, based on Samba called 'wmi-client'

WBEMDump is a tool delivered with the Platform SDK. This command line tool comes with its own Visual C++ project. The tool can show the CIM repository classes, instances, or both. It is possible to retrieve the same information as that retrieved with WMIC. WBEMDump.exe requires more specific knowledge about WMI, as it doesn’t abstract WMI as WMIC. However, it runs under Windows NT 4.0 and Windows 2000. It is also possible to execute methods exposed by classes or instances. Even if it is not a standard WMI tool delivered with the system installation, this tool can be quite useful for exploring the CIM repository and WMI features.

SMS: WMI terms and concepts

WBEM is a unifying architecture that allows access to data from a variety of underlying technologies - including Win32, WMI, the Desktop Management Interface (DMI), and the Simple Network Management Protocol (SNMP). WBEM is based upon the Common Information Model (CIM) schema, which is an industry standard driven by the Desktop Management Task Force (DMTF).

The Systems Management Server Site Database, Administrator Console and the Client Hardware Inventory component all depend on WMI.

WBEM provides a three-tiered approach for collecting and providing management data. This approach consists of a standard mechanism for storing data (a CIM-compliant database), a standard protocol for obtaining and disseminating management data (COM/DCOM; other protocols are also possible and under investigation), and a Win32 DLL known as a WBEM provider.

A component of the CIM (Common Information Model) is the CIMOM (Common Information Model Object Manager) repository. This datastore is where providers determine how to retrieve their information.

Although not technically accurate, it helps to think of the CIMOM in terms of a database. Definitions of WMI terms, and the corresponding concept in database terminology, are in the following table.

WBEM term   WBEM definition                                        Database term
Namespace   A collection of all classes.                           Database
Class       Describes datatypes in a schema (object class          Table
            definition).
Properties  A single attribute of a class.                         Column
Instance    One object of this class type.                         Row
Value       The data for a property of a specific instance.        Field

Providers and WBEM
A WBEM provider supplies instrumentation data for parts of the CIM schema. Microsoft has written the WMI provider (a WBEM provider) that interfaces with the kernel mode WMI component. The kernel mode WMI component provides services that allow WMI-enabled drivers to implement WMI, and also acts as an interface to the WMI provider.

Systems Management Server uses the SMS Site Provider as the mechanism between the SMS Administrator's Console and the site server's SQL database. The Systems Management Server Hardware Inventory Client component uses the WMI Win32 provider.

How SMS Uses WMI

SMS uses WMI to collect information about SMS clients and for the management and operation of SMS itself. Specifically, SMS uses WMI for:

The SMS Administrator console, which gathers and sets all SMS configuration and inventory details (using the root\SMS\site_<site code> namespace).

Resource Explorer, which gathers inventory data from the same namespace as the SMS Administrator console, but uses the group classes for a specific computer. Resource Explorer also uses the SMS_PropertyDisplayNode class in the root\SMS\inv_schema namespace for window formatting details.

All other SMS administration tools, including support tools, resource kit tools, recovery tools, scripts, and any tools you have written with the SMS software development kit (SDK).

The Legacy Client Hardware Inventory Agent, which gathers hardware inventory data from WMI (by default from the root\CIMv2 namespace), and records which WMI classes should be reported by the Legacy Client Hardware Inventory Agent. The classes that the agent should report are recorded in the root\CIMv2\SMS namespace. The settings in that namespace are usually transferred to clients by using the SMS_def.mof file. The \root\CIMv2\SMS\Delta namespace records the values of the classes when they were last reported, so that hardware inventory deltas can be calculated.

The Advanced Client. Configuration policies and most client data are stored in WMI in the root\CCM namespace and its child namespaces.

The Advanced Client Inventory Agent, which gathers hardware inventory data from WMI (by default from the root\CIMv2 namespace) and records the values of the classes when they were last reported, so that hardware inventory deltas can be calculated.

The SMS Provider and SMS Component Management Provider, which use WMI as the interface model and store some details in the WMI repository. The SMS Provider also uses the root\SMS\inv_schema namespace for localization details.

Queries and collections, which use the WBEM Query Language (WQL) and the SMS Provider.

Network Discovery. Configuration options are stored in the root\NetworkModel namespace.

Network Trace, which uses the SMS Component Management Provider and SMS Component Polling Provider.

Reporting (using tools other than the reporting tool included in SMS 2003 or that use the SMS SQL Server views), which uses the WBEM Open Database Connectivity (ODBC) driver. ODBC is a commonly used database interface.

A pointer to the SMS Provider server, which uses the root\SMS\SMS_ProviderLocation class.

Because SMS uses WMI, you can:

Script SMS operations to ease your SMS administration tasks. For more information, see Appendix C, "Scripting SMS Operations."

Increase or decrease the details that SMS collects as part of the hardware inventory. For more information, see Chapter 2, "Collecting Hardware and Software Inventory."

Build tools to manage SMS. For more information, see the SMS SDK.

Directly connect to client computers, if they are accessible on your network, to verify in real-time any details that you see in Resource Explorer.

January 16, 2010

Links to download Windows Server 2003 Tools


Windows Server 2003 Tools

Active Directory Migration Tool v.3.0
The Active Directory Migration Tool version 3 (ADMT v3) provides an integrated toolset to facilitate migration and restructuring tasks in an Active Directory infrastructure.

Domain Rename Tools
The Windows Server 2003 Active Directory Domain Rename Tools provide a security-enhanced and supported methodology to rename one or more domains (as well as application directory partitions) in a deployed Active Directory forest. The DNS name and the NetBIOS name of a domain can be changed using the domain rename procedure.

File Replication Services (FRS) Monitoring and Troubleshooting Tools
File Replication Service (FRS) is the replication engine used by Windows Server 2003 to keep Distributed File System (DFS) shares synchronized. FRS is also used by the operating system to replicate the contents of the SYSVOL folder in domain controllers and is integral to the domain controller advertising itself. In either scenario, it is important to ensure that the service is functioning properly and that replicated content is in a consistent state.
Internet Information Services Downloads
This page links to a variety of tools and other resources for migrating and enhancing Internet Information Services (IIS) 6.0.
Log Parser 2.2 Tool
Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory.

Microsoft File Server Migration Toolkit
With Microsoft File Server Migration Toolkit system administrators can easily migrate shared folders from servers running Windows NT Server 4.0 or the Windows 2000 family of servers, to a server running Windows Server 2003 or Windows Storage Server 2003.

Microsoft Operations Manager Base Management Pack
The Microsoft Operations Manager Base Management Pack modules provide preconfigured rules, responses, and prescriptive advice for managing Microsoft Windows Server 2003 and Windows 2000 services, including the Active Directory directory service, IIS, and networking and file replication services.

Microsoft Operations Manager Resource Kit Tools
These resource kit tools help you simplify and enhance the management of your Windows–based platform. Tools include the Server Status Monitor (SSM), which enables you to monitor the simple up or down status of a small group of servers.

MIIS 2003 Management Pack for Microsoft Operations Manager
The Microsoft Identity Integration Server (MIIS) 2003 Management Pack for Microsoft Operations Manager (MOM) monitors MIIS 2003 components and helps ensure that all necessary services that support MIIS 2003 are running, identity integration is performing normally and predictably, automation of identity integration does not result in data corruption or loss, and any events that could adversely affect MIIS 2003 or MIIS 2003-managed systems are visible.

MIIS 2003 Management Pack Guide for Microsoft Operations Manager
This is the guide to the MIIS 2003 Management Pack for MOM, which provides monitoring data for each of the MIIS 2003 solution scenarios. This document provides guidance on how MIIS 2003 enables the integration and management of identity information across multiple repositories, systems, and platforms.

MIIS 2003 Resource Tool Kit
The Microsoft Identity Integration Server 2003 Resource Tool Kit adds functionality and flexibility for remote administration and configuration of an MIIS 2003 server. Use these tools to parse input files, view management agent configurations, run management agents in batch mode, search for domain and directory information, archive files, and monitor Windows Management Instrumentation (WMI) statistics on the Windows Server 2003, Enterprise Edition, server hosting MIIS 2003 and SQL Server.

Remote Desktop Connection
Remote Desktop Connection makes it possible for a user to connect remotely to a machine that has Remote Desktop or Terminal Server enabled.
Remote Desktop Web Connection
The Remote Desktop Web Connection ActiveX control allows you to access your computer through Remote Desktop, via the Internet, from another computer using Internet Explorer.

Sonar.exe: File Replication Service (FRS) Status Viewer
Sonar.exe is a command-line tool that allows administrators to monitor key statistics and status about members of a file replication service (FRS) replica set. Administrators can use Sonar to watch key statistics on a replica set in order to monitor traffic levels, backlogs, and free space.

Server Performance Advisor
This tool was developed to diagnose root causes of performance problems in Windows Server 2003, particularly for IIS 6.0 and Active Directory.

Windows Application Compatibility Toolkit 3.0
The Windows Application Compatibility Toolkit 3.0 for Windows XP and Windows Server 2003 contains the tools and documentation you need to design, deploy, and support applications on these platforms.

Windows Server 2003 Administration Tools Pack
The Windows Server 2003 Administration Tools Pack (Adminpak.msi) provides server management tools that allow administrators to remotely manage Windows 2000 Servers and Windows Server 2003 family servers. This is the final version (build 3790) of the Adminpak.msi file.
Windows Server 2003 Resource Kit Tools
The Windows Server 2003 Resource Kit Tools are a set of software tools for administrators, developers, and power users to manage Active Directory, Group Policy, TCP/IP Networks, Registry, Security, Scalability and many other areas of the Windows Server 2003 operating system.

Windows Rights Management Services Client and Server SDKs
Get the tools, documentation, and sample code you need to get started building end-to-end solutions to fit your organization's or customer's information protection needs.

Comparison of the SMS 2003 Client Health Monitoring Tool and Configuration Manager 2007 Client Status Reporting

SMS 2003 Client Health Monitoring Tool
1.Uses a separate SQL database to store client health data.
2.Uses Microsoft Excel to display client health reports.
3.Contains checks for heartbeat discovery and software and hardware inventory.

Configuration Manager 2007 R2 Client Status Reporting
1.Stores client status data in the Configuration Manager 2007 site database.
2.Uses standard Configuration Manager 2007 reports which can also display trending data collected by the feature.
3.Contains additional checks for status messages.

Software Distribution Security Best Practices

Best Practices
Always configure advertisements to download content
Configuring to Download content from distribution point and run locally is more secure because Configuration Manager 2007 verifies the package hash after the content is downloaded and discards the package if the hash does not match the hash in the policy. If you configure the advertisement to Run program from distribution point, no verification takes place and attackers can tamper with the content. If you must run the program from the distribution point, use NTFS least permissions on the packages on the distribution points and use Internet Protocol security (IPsec) to secure the channel between the client and the distribution point and between the distribution point and the site server.

Do not allow users to interact with programs if run with administrative rights is required

When you configure a program, you can set the option Allow users to interact with this program so that users can respond to any required prompts in the user interface. If the program is also configured to Run with administrative rights, an attacker at the computer running the program could use the user interface to escalate privileges on the client computer. You should use Windows Installer-based setup programs with per-user elevated privileges for installations that require administrative credentials but that must be run in the context of a user who does not have administrative credentials. Using Windows Installer per-user elevated privileges provides the most secure way of deploying applications with this requirement.

Do not create subcollections if you need to restrict software distribution on them
An advertisement to a collection with subcollections is sent to all members of the collection and subcollections, even if the administrator has only the Advertise right to the collection (not the subcollections). Any administrator who can link a collection to another collection can cause that collection to receive the advertisements targeted to the other collection, even if they do not have Advertise permissions on any collection. For this reason, you should watch for the addition of subcollections to collections with advertisements, and be cautious of whom you give permission to for reading collections that receive advertisements.

Set package access permissions at package creation
Changes to the access accounts on the package files (as opposed to the distribution point shared folders) become effective only when you refresh the package. Therefore, you should set the package access permissions carefully when you first create the package, especially if the package is large, if you are distributing the package to many distribution points, or if your network capacity for package distributions is limited. To quickly initiate the refresh of all distribution points, you can use the Update Distribution Points task for the package.

Secure software at the package access level
By default, the package files on distribution points are fully accessible by administrators and readable by users. Users with administrative rights on client computers can set the client to join any site, even if the computer is not within the boundaries of the site. When the clients have joined the site, they can receive any software distributions that are available at that site and for which the computer or user meets the qualifications of the relevant collections. For this reason, software that should be limited to specific users should be secured at the package access level to those users, rather than being limited by site availability or collection criteria. However, restricting the access of the Internet Guest account to packages will cause package access to fail for Internet-based clients. For more information, see Example Package Access Scenarios.

After upgrading, if you had packages in SMS 2003, update all packages
SMS 2003 (released version) used MD5 to hash packages; Configuration Manager 2007 and SMS 2003 service packs later than SP1 use SHA-1. To rehash all of the packages with SHA-1, you should update all packages created in SMS 2003 (released version) that have not already been updated with an SMS service pack. Failing to do so might cause clients to discard valid packages if the advertisement is configured to download the package and run it locally.
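The download-and-verify behaviour from the first best practice and the MD5-to-SHA-1 point above, shown on constructed content as an added example that is not part of the original page. The folder hash here is illustrative (sorted relative paths plus file bytes through one digest) and is not ConfigMgr's own package hash algorithm; what it shows is the client-side rule that matters: compare before running, and discard on mismatch. Everything happens under %TEMP%.

```powershell
# Added example (not from the original page). The hash construction is illustrative,
# not ConfigMgr's internal package hash; the package content is made up.
function Get-ContentHash {
    param([string]$Path, [string]$Algorithm = 'SHA1')
    # Walk the content in a fixed order so the result is reproducible, and feed the
    # lower-cased relative path in front of each file so renames are caught as well.
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $root   = (Resolve-Path $Path).Path
    $files  = Get-ChildItem -Path $root -Recurse | Where-Object { -not $_.PSIsContainer } | Sort-Object FullName
    foreach ($f in $files) {
        $rel   = [System.Text.Encoding]::UTF8.GetBytes($f.FullName.Substring($root.Length).ToLowerInvariant())
        [void]$hasher.TransformBlock($rel, 0, $rel.Length, $null, 0)
        $bytes = [System.IO.File]::ReadAllBytes($f.FullName)
        [void]$hasher.TransformBlock($bytes, 0, $bytes.Length, $null, 0)
    }
    [void]$hasher.TransformFinalBlock((New-Object byte[] 0), 0, 0)
    ($hasher.Hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-PackageContent {
    # Mirrors the client rule: a hash that does not match the one in policy means the
    # content is discarded, never executed.
    param([string]$Path, [string]$ExpectedHash, [string]$Algorithm = 'SHA1')
    $actual = Get-ContentHash -Path $Path -Algorithm $Algorithm
    if ($actual -ne $ExpectedHash.ToLowerInvariant()) {
        Remove-Item -Path $Path -Recurse -Force
        return $false
    }
    $true
}

# Constructed package content (not a real package).
$pkg = Join-Path $env:TEMP 'PKG00001'
New-Item -ItemType Directory -Path $pkg -Force | Out-Null
Set-Content -Path (Join-Path $pkg 'setup.cmd') -Value 'msiexec /i agent.msi /qn'

$policyHash = Get-ContentHash -Path $pkg                       # what the site would put in policy
"clean content verifies: $(Test-PackageContent -Path $pkg -ExpectedHash $policyHash)"   # True

# Tampering on the DP (or in transit) changes the content, so the client-side check fails
# and the package is discarded. Running from the DP would have executed it unchecked.
Add-Content -Path (Join-Path $pkg 'setup.cmd') -Value 'rem tampered'
"tampered content verifies: $(Test-PackageContent -Path $pkg -ExpectedHash $policyHash)" # False, folder removed

# An MD5 hash carried over from SMS 2003 RTM can never match a SHA-1 comparison; that is
# why packages not updated after the upgrade are discarded by clients.
New-Item -ItemType Directory -Path $pkg -Force | Out-Null
Set-Content -Path (Join-Path $pkg 'setup.cmd') -Value 'msiexec /i agent.msi /qn'
$oldHash = Get-ContentHash -Path $pkg -Algorithm 'MD5'
"MD5 policy hash against SHA-1 client: $(Test-PackageContent -Path $pkg -ExpectedHash $oldHash)" # False
```

The check only protects content that is downloaded; for the Run program from distribution point case there is nothing to compare, which is exactly why the best practice says to prefer download and run locally.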

Best Practices for Distribution Points
Remove the distribution point role from the site server
By default, the site server is set up as a standard distribution point. However, you should assign this role to other site systems and remove it from the site server to reduce the attack surface. Clients have no valid reason to talk directly to the site server or any role configured on the site server. This is especially important if you chose to enable Background Intelligent Transfer Service (BITS) on the distribution point, because installing Internet Information Services (IIS) to create a BITS-enabled distribution point greatly increases the attack surface of the site system.

Do not create distribution point shares or branch distribution points on Internet-based clients
Although Configuration Manager 2007 might not block you from doing so, creating any type of distribution point on an Internet-based client greatly increases your attack surface and should be avoided. Create distribution points only on site systems that can be managed within the intranet or the perimeter network.

After switching to a custom Web site, remove the default virtual directories
When you change from using the default Web site to using a custom Web site, Configuration Manager 2007 does not automatically remove the old virtual directories. You should manually remove the virtual directories created under the default Web site. This is especially important if you configured the distribution point to Allow clients to connect anonymously (Required for mobile device clients) while using the default Web site and then you disable anonymous connections after switching to the custom Web site. In this case, the old virtual directories will still be configured for anonymous access. For the list of virtual directories created on BITS-enabled distribution points, see About BITS-Enabled Distribution Points.
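A way to check for these leftovers, as an added example that is not part of the original text: it enumerates the virtual directories still under the default Web site and reports which of them allow anonymous authentication. It assumes IIS 7 or later with the WebAdministration module (Windows Server 2008); on IIS 6, which Configuration Manager 2007 also supports, the same check has to be made with the metabase tools instead. The "SMS_DP" name fragment used to recognise distribution point directories is an assumption; compare the output against the list in About BITS-Enabled Distribution Points before removing anything.

```powershell
# Added example, not from the original page: audit virtual directories left
# under the default Web site after a BITS-enabled DP was moved to a custom
# Web site, and flag those that still allow anonymous access.
# Assumes IIS 7+ and the WebAdministration module.
function Get-LeftoverDPVirtualDirectory {
    param(
        [string]$SiteName = 'Default Web Site',
        # Name fragment that identifies DP directories (assumption; check the
        # documented list in "About BITS-Enabled Distribution Points").
        [string]$NamePattern = 'SMS_DP'
    )
    Import-Module WebAdministration -ErrorAction Stop

    Get-WebVirtualDirectory -Site $SiteName | ForEach-Object {
        $vdirName = $_.path.TrimStart('/')
        $psPath   = "IIS:\Sites\$SiteName\$vdirName"
        # Read the effective anonymousAuthentication setting for this vdir.
        $anon = Get-WebConfigurationProperty -PSPath $psPath `
            -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
            -Name 'enabled'
        New-Object PSObject -Property @{
            Site         = $SiteName
            VirtualDir   = $vdirName
            PhysicalPath = $_.physicalPath
            Anonymous    = [bool]$anon.Value
            LooksLikeDP  = ($vdirName -like "*$NamePattern*")
        }
    } | Where-Object { $_.LooksLikeDP }
}

# Report first; removal is destructive, so it is run with -WhatIf here and
# should only be done after confirming the custom site serves the same content.
$leftovers = Get-LeftoverDPVirtualDirectory
$leftovers | Format-Table Site, VirtualDir, PhysicalPath, Anonymous -AutoSize
foreach ($v in ($leftovers | Where-Object { $_.Anonymous })) {
    Write-Warning "$($v.VirtualDir) under '$($v.Site)' still allows anonymous access"
    Remove-WebVirtualDirectory -Site $v.Site -Name $v.VirtualDir -WhatIf
}
```

Drop the -WhatIf only once the custom Web site has been verified to serve the distribution point content; a directory that still answers anonymously under the default site is exactly the exposure the paragraph above warns about.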

Implement access controls to protect branch distribution points
Branch distribution points can be installed on any Configuration Manager 2007 client, including Microsoft Windows XP Professional workstation computers. Workstation computers are generally not subject to the same physical access controls as server computers, so you must monitor your usage of branch distribution points. Do not distribute sensitive source files to branch distribution points if there is a risk of an attacker stealing the hard drive or the entire branch distribution point. You should configure all advertisements so that clients download packages from a branch distribution point and run them locally rather than running them across the network. Configuration Manager 2007 verifies the hash on downloaded packages and discards any packages it cannot verify, but there is no package verification on packages run from the distribution point.

Enable the encrypted mode for Application Virtualization Streaming–enabled distribution points
In Configuration Manager 2007 R2, when you configure an Application Virtualization Streaming–enabled distribution point, you have the option of choosing Real Time Streaming Protocol (RTSP) or RTSP over TLS (RTSPS). Enabling encryption helps protect against attackers tampering with the data stream.

Security Issue

The following issue has no mitigation.

Packages are not validated until after they are downloaded
Configuration Manager 2007 validates the signatures on packages only after they have been downloaded to the client cache. If an attacker has tampered with a package, the client could waste considerable bandwidth in downloading the package only to have it discarded due to an invalid signature.

Privacy Information
Software distribution allows you to run any program or script on any client in the site. Configuration Manager 2007 has no control over what types of programs or scripts you run or what type of information they transmit. During the software distribution process, Configuration Manager 2007 might transmit information between clients and servers that identify the computer and logon accounts.

Configuration Manager 2007 maintains status information about the software distribution process. Software distribution status information is not encrypted during transmission unless you enable native mode. Status information is not stored in encrypted form in the database.

Status information is stored in the site database and deleted by default every 30 days. The deletion behavior is configurable by setting both the Status Filter Rule properties and the site maintenance task. No status information is sent back to Microsoft.

The use of Configuration Manager 2007 software installation to remotely, interactively, or silently install software on clients might be subject to software license terms for that software and is separate from the Software License Terms for Configuration Manager 2007. You should always review and agree to the Software Licensing Terms prior to installing the software using Configuration Manager 2007.

Software distribution does not happen by default and requires several configuration steps. Before configuring software distribution, consider your privacy requirements.

Choose Between a Standard and Branch Distribution Point

Before deciding to protect any distribution points, you need to know the following information:

The location of all distribution points in the site

The location of all distribution points in the hierarchy if you support roaming

The location and available bandwidth of any slow network links

The largest package sizes you tend to distribute

You should consider protecting a distribution point if any of the following are true:

The distribution point is across a slow network link from other clients in the site

The distribution point is a branch distribution point

You frequently distribute large packages and want only clients closest to the distribution point to download content from it

You should be careful about protecting all distribution points in the site for the following reasons:

If all distribution points in the site are protected but not all boundaries are assigned to protected distribution points, a client belonging to an unassigned boundary will be unable to access any distribution points and the package will fail.

If a client roams to a new site and the package is not available in the resident site, the client will attempt to fall back to the assigned site but will fail if all of the distribution points in the assigned site are protected. For more information about roaming scenarios involving protected distribution points.

If you protect your distribution points, for each advertisement or software update deployment that you create, you must consider whether to allow clients to fall back to unprotected distribution points when the content is not available on the protected distribution point. Before making the decision, consider the following factors:

If the package is very large and would consume too much bandwidth, you can prevent fallback to unprotected distribution points, understanding that the clients might not receive the content at all.

If the package is small or if the content is critical, you can allow fallback to unprotected distribution points.

Choose between Server and Server Share Distribution Point

Server

Advantages:

1. Configuration Manager 2007 automatically creates a common package share when the first package is copied to the distribution point.

2. There is less chance of failing to copy a package because Configuration Manager 2007 creates a new SMSPKGx$ share when more space is needed.

3. The server can be configured as a branch distribution point.

4. The server can be configured to support Internet-based clients.

Disadvantages:

1. Every time Configuration Manager 2007 copies a package to the distribution point, it chooses the NTFS drive with the most free space, making it difficult to determine which drive letter will hold the new package.

2. Configuration Manager 2007 can take over all available NTFS disk space on the server.

Server Share

Advantages:

1. Configuration Manager 2007 will not use space reserved for other functions on other partitions.

Disadvantages:

1. Administrator must manually create a shared folder before creating the new site system server share.

2. Configuration Manager 2007 might fail to create a package if there is no free space on the partition where the shared folder was created.

3. Configuration Manager 2007 does not create a data discovery record (DDR) to monitor the health of the site system.

4. The server share cannot be configured as a branch distribution point.

5. The server share cannot be configured to support Internet-based clients.

Difference between Refresh DP and Update DP: SMS/SCCM

Updating distribution points includes these steps:
Recopy the source files for a package to the compressed version located at the site where the package originated.
Copy the source files to the local distribution points.
Replicate the new compressed version to all child sites that are selected as distribution points for this package.

Refreshing distribution points includes this step:
Replicate the existing compressed version of the source files to the selected distribution points. The package source directory is not read again, so a refresh does not pick up changed source files; use an update for that.

MSI Packaging Tools

Windows Installer technology was introduced in the Windows 2000 platform to take some of the pain out of deploying and managing Windows applications across an enterprise. In previous versions of Windows (NT/9x), developers usually created installation packages using a variety of proprietary tools developed by third-party vendors such as InstallShield Software and Wise Solutions. To bring some kind of consistency to this situation, Microsoft included Windows Installer as a core service (msiexec.exe) within Windows 2000 to install, repair, and remove software based on instructions contained in .MSI files. These .MSI files are basically database files that contain all the information an application needs in order to install a packaged application. Once you have packaged your application, you can deploy it using Group Policy by one of two methods:

Assigning an application. You can assign a .MSI package to either a computer or a user. If you assign it to a computer, the packaged application installs the next time the computer reboots. If you assign it to a user, the application typically installs when the user tries to run it from the Start menu or tries to open a file that has a file extension associated with the application.
Publishing an application. You can publish a .MSI package to users only. This provides the user with an option within Add or Remove Programs in Control Panel that lets them manually install the application if they want to.
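Because an .MSI is a database, its identifying properties can be read before it is deployed, and msiexec.exe reports the outcome of an unattended install through a well-defined exit code. The following is an added example (not code from the original article) that does both: it reads the Property table of a package through the Windows Installer COM automation interface, then runs a silent install with a verbose log and maps the exit codes that matter for unattended deployment. The package path is an assumption.

```powershell
# Added example, not from the original article.
# Reads identifying properties from an .MSI's Property table and installs it
# silently, translating msiexec exit codes. The package path is assumed.

function Get-MsiProperty {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string[]]$Name = @('ProductName', 'ProductVersion', 'ProductCode', 'Manufacturer')
    )
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # OpenDatabase(path, 0): mode 0 = msiOpenDatabaseModeReadOnly. The COM
    # object is late-bound, hence InvokeMember instead of direct calls.
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $result = @{}
    foreach ($n in $Name) {
        # $n comes only from the fixed list above, so no quoting issue here.
        $query = "SELECT Value FROM Property WHERE Property = '$n'"
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($query))
        $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
        $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($record) {
            # StringData(1) is the first (and only) column of the result row.
            $result[$n] = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(1))
        }
        $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    }
    $result
}

function Install-MsiSilently {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$LogPath = (Join-Path $env:TEMP ((Split-Path $Path -Leaf) + '.log'))
    )
    # /qn: no UI; /norestart: leave the reboot decision to the deployment tool;
    # /l*v: verbose log, the first thing to read when a deployment fails.
    $argList = "/i `"$Path`" /qn /norestart /l*v `"$LogPath`""
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $argList -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { 'Installed' }
        1641    { 'Installed; installer initiated a reboot' }   # ERROR_SUCCESS_REBOOT_INITIATED
        3010    { 'Installed; reboot required' }                # ERROR_SUCCESS_REBOOT_REQUIRED
        1603    { "Fatal error during installation, see $LogPath" }  # ERROR_INSTALL_FAILURE
        default { "msiexec exit code $($proc.ExitCode), see $LogPath" }
    }
}

$msi = 'C:\Packages\Example\setup.msi'   # assumed path
Get-MsiProperty -Path $msi
Install-MsiSilently -Path $msi
```

Treating 1641 and 3010 as success is what distinguishes a usable deployment wrapper from one that reports every pending-reboot install as a failure; the ProductCode read by Get-MsiProperty is also what you need later for a scripted uninstall (msiexec /x {ProductCode}).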
Once Microsoft included Windows Installer technology in Windows 2000, they also made it their policy to include .MSI installation packages in all applications they developed for Windows. What they didn’t include at the time was a tool of their own for repackaging traditional Setup-based applications into .MSI packages. Instead, Microsoft decided to include a “light” version of WinINSTALL called WinINSTALL LE (WinINSTALL Limited Edition) in the Valueadd folder on the Windows 2000 product CD. Administrators could then use WinINSTALL LE to repackage legacy applications into .MSI packages that could then be deployed using Group Policy. Microsoft apparently also decided to leave it to third-party vendors to develop full-featured .MSI packaging tools to meet the needs of customers who needed to deploy third-party and custom applications across their enterprise.

As a result of this decision, the marketplace has a number of competing .MSI packaging tools and .MSI authoring environments available at present, and the remainder of this article looks at three popular packaging tools that are available. Some of these tools are free while others are commercial products with varied pricing and licensing requirements; check their websites for details. Using any of these tools can make your life easier as an administrator of a large, Windows-based network, since they save you the time of having to visit desktops to install the applications that make your business work.

Advanced Installer
The free version of Advanced Installer from Aphyon is powerful and easy to use, but if you want to get into advanced packaging tricks like setting attributes, installing .NET assemblies, installing ODBC drivers and so on, then you’ll need to opt for the more powerful Professional version instead. Aphyon also provides optional features through add-ons that can be purchased extra. One cool feature of Advanced Installer is that it stores its Windows Installer project files in XML format. This simplifies versioning of packages you’re developing and lets you keep track of packages using a version control system. Another feature of Advanced Installer is that you can perform most actions from the command line. This allows you to automate application packaging using scripts, something that can be useful if you have a large enterprise with many applications to deploy. The current version of Advanced Installer is version 2.3 and you can download it here for Windows 2000/XP platforms.

WinINSTALL MSI Packager
WinINSTALL MSI Packager from Software OnDemand is a tool from the same evolutionary line that produced WinINSTALL LE discussed previously. Because of this heritage, WinINSTALL MSI Packager is a popular .MSI packaging tool today in many enterprise environments. Not only can the tool be used to easily package applications for deployment, it also lets you test them against standards like the Microsoft Logo Certification. This ensures your packaged applications will install properly on the latest Windows operating systems. The current version of WinINSTALL MSI Packager is version 8.6 and you can download an evaluation version of this software here. Software OnDemand also has two other tools you may want to look at: the upscale WinINSTALL 8.6 full product that lets you not only deploy applications but also manage them, and WinINSTALL LE 2003 which is the latest incarnation of the free “light” version that was included on the Windows 2000 product CD.

Wise for Windows Installer
Wise for Windows Installer from Wise Solutions Inc. is another application packaging tool that is popular in some enterprise environments. This tool fully complies with Microsoft’s .MSI standards while also extending the capabilities of .MSI packages without making changes to their native format. The result is a powerful tool that can be used to deploy legacy, Web-based, and .NET applications quickly and easily. Enterprises that make heavy use of Microsoft SQL Server for back-end databases and Internet Information Services (IIS) 5.0 or 6.0 for front-end Web applications should take a close look at this product. If all you want to do is package applications into .MSI format, this tool is so easy and intuitive to use you hardly need a manual. Wise for Windows Installer comes in several editions including Standard, Professional, and Enterprise editions to meet your deployment needs according to your budget. Wise for Windows Installer is also part of a larger family of Wise Solutions products that includes Wise Package Studio and Wise Installation System 9.0.

Microsoft IT: Centralized Management Support Structure in detail

Service Desk
Microsoft IT currently uses a service desk team to create and assign tickets to incident and problem management teams. The service desk team documents all ticket activities, reports against SLAs, and collects metrics that can be used for problem management analysis and investigations. The service desk team also builds a knowledge database that supports repeatable process improvements and provides the Microsoft product groups with valuable feedback.

Incident Management
The primary goal of the incident management team is to restore normal service operation as quickly as possible and to minimize the adverse impact on business operations, thus maintaining the best possible levels of service quality and availability.

Problem Management
The objective of the problem management team in Microsoft IT is to minimize the adverse impact on the operational ability of a business due to incidents and problems caused by errors within the IT infrastructure, and to prevent the recurrence of incidents related to these errors. To achieve this goal, the problem management team seeks to establish the root cause of incidents and then initiate actions to improve or correct the situation.

Change Management
The Microsoft IT change management team provides a disciplined process for introducing required changes into a complex IT environment with minimal disruption to ongoing operations. The change management team is also closely aligned with the release management process and manages the release and deployment of changes into the production environment.

Service Level Management
Microsoft IT developed service level management in line with the requirements and priorities of the services documented and offered in the service catalog for the business, and the specific requirements of the negotiated SLAs. Microsoft IT uses the monitoring of a service against the requirements in real time, and the reporting and reviewing of key trends in historical data, to highlight and remove failures that affect the level of performance of the service.

Centralized Management Support Structure of Microsoft IT

The existing Microsoft IT NOC consisted of three teams that used different processes to perform a variety of technical support functions. These functions ranged from basic, routine tasks to highly complex issues. The three teams were responsible for the following activities:
Network connectivity, wireless access points, switches, and routers

Server configuration and monitoring

Telephony switches and hardware
One of the business challenges that Microsoft IT identified was a lack of standardized processes and workflow efficiencies between these three operationally independent teams. Several teams performed most incident response and change request work. Limited ownership and a lack of collaboration resulted in inefficiencies, and the organization barriers were a hindrance to the support structure. With interdependencies in technology, there was also a need for knowledge convergence across support teams to troubleshoot complex issues. Adhering to support service level agreements (SLAs) on complex issues was a huge challenge that affected the business.

To facilitate a more efficient and consistent structure, Microsoft IT transformed the NOC into the following support teams:

Change operations provided by a global change operations team. This team is responsible for routine change management.

Incident operations provided by a global incident operations team. This team is responsible for customer contact via a service desk team and routine incident management.

Problem management provided by technical escalation teams. These teams are responsible for problem management, creating process efficiencies, and the resolution of complex incidents and chronic errors.
With this new structure in place, Microsoft IT used MOF service desk, incident management, problem management, and change management best practices, coupled with MOM 2005 alerts and events, to respond to customer incidents and change requests.

Delegating support tasks between Microsoft IT and vendors enables Microsoft IT resources to respond more quickly to complex incidents and change requests and focus on chronic error resolution by using MOF best practices for problem management.

SCCM 2007 wrt Asset Intelligence: What's New?

Recent Usage Inventory:
•SCCM metering agent will inventory the last time any executable was running in the user context.
•Data returned through hardware inventory.
•Additional reports will help you answer the “When was the last time this was used?” question.

Auto-created Metering Rules:
•Last Usage Inventory can be used to auto-create full metering rules which you can decide to enable.
•Simplifies the process of creating metering rules.

Asset Change Summarization:
•A summary of changes to computer assets is stored in a central table.
•Managing deltas help reduce the complexity of asset management.
•Additional reports help you answer the “What has changed recently in my environment?” question.

Client Access License usage tracking for Microsoft Windows and Exchange:
•Both User and Device CALs usage is tracked.
•Based on Security audit logs.
•Additional reports answer the “who used up the CALs” , “when did they do that” questions.

Extending hw inventory to get SMS client's cache size status

If you want to extend hardware inventory so that you know what cache size each client has, add the class below to SMS_Def.mof in clifiles.src\hinv on your site server. There is no need to mofcomp anything on the clients: they already know about this class, they just need to be told via a policy change (which adding this to sms_def.mof on the server produces) to start reporting on it.

// SMS Advanced Client Cache Reporting Class
// Reporting definition for the client's CacheConfig class, which lives in
// root\ccm\SoftMgmtAgent on the client. The class and property qualifiers
// below are what sms_def.mof needs to put the class into hardware inventory.
#pragma namespace ("\\\\.\\root\\cimv2\\sms")

[ SMS_Report (TRUE),
  SMS_Group_Name ("SMS Advanced Client Cache"),
  // Every reporting class in sms_def.mof carries an SMS_Class_ID; the value
  // here is assumed and only needs to be unique within your sms_def.mof.
  SMS_Class_ID ("MICROSOFT|SMS_ADVANCED_CLIENT_CACHE|1.0"),
  Namespace ("root\\\\ccm\\\\softmgmtagent") ]
class CacheConfig : SMS_Class_Template
{
    [SMS_Report (TRUE), key ] string ConfigKey;   // one row per cache configuration
    [SMS_Report (TRUE)] boolean InUse;            // whether the cache is currently in use
    [SMS_Report (TRUE)] string Location;          // cache folder on the client
    [SMS_Report (TRUE)] uint32 Size;              // configured cache size (MB)
};

Client Cache Size: When the packages delete from the Cache?

When the SMS policy is refreshed, the client attempts a cache cleanup. Going from memory: if something was downloaded and never used, it will be cleaned up after 30 days; if it was downloaded and used, it will be cleared about 24 hours later.
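Rather than going from memory, the cache state can be read straight from the client, which also lets you verify what the sms_def.mof extension in the previous post will report before you roll it out. The following is an added example, not code from either post: it queries CacheConfig (the class the inventory extension reports) and the cached content items with the last time each was referenced, which is the information any cleanup decision has to be based on. It assumes the CacheInfoEx class in root\ccm\SoftMgmtAgent exposes the properties used here (ContentId, ContentVer, ContentSize, Location, LastReferenced, ReferenceCount), that CacheConfig.Size is in MB and ContentSize in KB, and that the 30-day staleness threshold is the one to check against; adjust these if your client version differs.

```powershell
# Added example, not part of either post above. Reports the SMS/ConfigMgr
# client cache configuration and its contents, flagging items that have not
# been referenced for longer than a threshold. Assumes the CacheConfig and
# CacheInfoEx classes in root\ccm\SoftMgmtAgent and the units noted below.
function Get-SmsClientCacheReport {
    param(
        [string]$ComputerName = '.',
        # Age after which an unreferenced item is reported as stale (assumption).
        [int]$StaleDays = 30
    )
    $ns = 'root\ccm\SoftMgmtAgent'
    $config = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class CacheConfig
    $items  = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class CacheInfoEx)

    $now = Get-Date
    $report = foreach ($i in $items) {
        # LastReferenced is a DMTF datetime string; convert it to a DateTime.
        $last = [System.Management.ManagementDateTimeConverter]::ToDateTime($i.LastReferenced)
        New-Object PSObject -Property @{
            ContentId      = $i.ContentId
            Version        = $i.ContentVer
            Location       = $i.Location
            SizeMB         = [math]::Round($i.ContentSize / 1024, 1)   # ContentSize assumed in KB
            ReferenceCount = $i.ReferenceCount
            LastReferenced = $last
            # Unreferenced and older than the threshold: a candidate for cleanup.
            Stale          = ($i.ReferenceCount -eq 0) -and (($now - $last).TotalDays -gt $StaleDays)
        }
    }

    New-Object PSObject -Property @{
        CacheLocation = $config.Location
        CacheSizeMB   = $config.Size      # CacheConfig.Size assumed in MB
        InUse         = $config.InUse
        ItemCount     = $items.Count
        UsedMB        = [math]::Round((($items | Measure-Object ContentSize -Sum).Sum) / 1024, 1)
        Items         = $report
    }
}

$r = Get-SmsClientCacheReport
"Cache {0}: {1} MB configured, {2} MB used by {3} items" -f $r.CacheLocation, $r.CacheSizeMB, $r.UsedMB, $r.ItemCount
$r.Items | Sort-Object LastReferenced |
    Format-Table ContentId, Version, SizeMB, ReferenceCount, LastReferenced, Stale -AutoSize
```

Run it against a few clients with -ComputerName before and after a policy refresh and the Stale column shows directly whether unused content is in fact being removed on the schedule you expect, instead of inferring it from the cache size alone.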

Incremental and cumulative SPs?

A service pack can be incremental, which means it only contains the updates that were not present in the previous service packs or, it can be cumulative, which means it includes the contents of all its predecessors. In the case of Microsoft's products, an incremental update was called a service release. For example, Office 2000 must be upgraded to service release 1 (SR-1) before one can install SP2.

Recent service packs for Microsoft Windows have not been cumulative starting with Windows XP Service Pack 3. Windows XP SP3 requires at least SP1 to be present on an installed copy of Windows XP, although slipstreaming SP3 into the gold release is still supported. An unsupported workaround to install SP3 on Windows XP RTM also exists. Windows Vista Service Pack 2 also is not cumulative and requires at least SP1 to be present on an installed copy of Windows Vista.

What's difference between Security Patch, HotFix and Service Pack?

Security Patch - Publicly released update to fix a known bug/issue
A security patch is a change applied to an asset to correct the weakness described by a vulnerability. This corrective action will prevent successful exploitation and remove or mitigate a threat’s capability to exploit a specific vulnerability in an asset.

Security patches are the primary method of fixing security vulnerabilities in software. Currently Microsoft releases their security patches once a month, and other operating systems and software projects have security teams dedicated to releasing the most reliable software patches as soon after a vulnerability announcement as possible.

Hotfix - update to fix a very specific issue, not always publicly released
A hotfix is a single, cumulative package that includes one or more files that are used to address a problem in a software product (i.e. a software bug). Typically, hotfixes are made to address a specific customer situation and may not be distributed outside the customer organization.

A hotfix package might contain several encompassed bug fixes, raising the risk of possible regressions. An encompassed bug fix is a software bug fix which is not the main objective of a software patch, but rather the side-effect of it. Because of this some libraries for automatic updates like StableUpdate also offer features to uninstall the applied fixes if necessary.

In a Microsoft Windows context, hotfixes are small patches designed to address specific issues, most commonly to freshly-discovered security holes. These are small files, often automatically installed on the computer with Windows Update (although some may only be able to be obtained via Microsoft Support) and could contain a hot patch eliminating the need for a reboot.

Service Pack - Large Update that fixes many outstanding issues, normally includes all Patches, Hotfixes, Maintenance releases that predate the service pack.

A service pack (in short SP) is a collection of updates, fixes and/or enhancements to a software program delivered in the form of a single installable package. Many companies, such as Microsoft or Autodesk, typically release a service pack when the number of individual patches to a given program reaches a certain (arbitrary) limit. Installing a service pack is easier and less error-prone than installing a high number of patches individually, even more so when updating multiple computers over a network. Service packs are usually numbered, and thus referred to in short as SP1, SP2, SP3, etc.