Configuration Manager Queries

One of the best uses of Configuration Manager is its ability to query and actually make use of the data in a dynamic and automated way.

This is just a quick post with a few Configuration Manager WQL queries I have created or collected that may be useful to someone.

Feel free to use them, change them to suit your needs and share your own!

If you don’t know how to use these – check the bottom of the post for links to TechNet.

Collection Based Dynamic Rules:

Get Windows 7 Enterprise x64 Devices matching a specific naming convention:
Devices in a specific OU:
Devices that have a specific Hotfix installed:
Devices which are Bitlocker encrypted:
Devices which have run a Software Metering Rule in the last x60 days:
Devices that have Visual Studio Premium 2013 installed:
Devices that are a member of a specific Active Directory group:

Query Based Dynamic Rules:

Devices which are Bitlocker encrypted:
Get users Primary devices from User based group:
Show Devices and Users of a limited Collection:
Get Identical MAC addresses:
Get a list of hardware Models that exist:
Get a list of Webcam models:

Resources:

How to Create Queries in Configuration Manager – https://technet.microsoft.com/en-us/library/gg712323.aspx

How to Create Collections in Configuration Manager – https://technet.microsoft.com/en-us/library/gg712295.aspx

Install Visio 2010 Standard instead of Premium

Unfortunately, volume license editions of Visio 2010 install Premium by default – this can then be downgraded to Visio standard by changing the Product key to Standard edition.

However – come annual Microsoft True up you don’t want any surprises or manual intervention! This is how you can change Visio to be installed by Standard or another SKU automatically without prompting.

  1. Download the latest Visio 2010 ISO from Microsoft Volume Licensing
  2. Extract the ISO using a tool such as 7-Zip
  3. Navigate to the folder containing VisioWW.msi – should be in the x86 or x64 folder depending on architecture.
  4. Right click and select New, Text Document
  5. Rename the newly created text document to: config.xml (you may have to show Extensions to rename the file extension from txt to xml).
  6. Open config.xml
  7. Type in the following and save. Once saved, install Visio normally and it should install with the correct SKU, i.e. Visio 2010 Standard.

Note: Replace the PIDKey value with any of the Product Keys listed below to change the default install SKU:

  • Visio Standard 2010: 767HD-QGMWX-8QTDB-9G3R2-KHFGJ
  • Visio Professional 2010: 7MCW8-VRQVK-G677T-PDJCM-Q8TCP
  • Visio Premium 2010: D9DWC-HPYVV-JGF4P-BTWQB-WX8BJ

Capturing Windows boot performance with the Windows Performance Toolkit

The Windows Performance Toolkit, developed by Microsoft, has 3 separate tools that are key to solving a lot of boot and general performance issues:

•    Windows Performance Recorder

•    Windows Performance Analyzer

•    Xperf

Download Windows Performance Toolkit

This can be downloaded by going to the Microsoft website and looking for the latest Windows Assessment and Deployment Toolkit for the operating system you want to analyze – for example: Windows 10

https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit

Download and run, we only need the Windows Performance Toolkit portion of the ADK:


Once installed navigate to: C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit

Tip: You can copy the Redistributables folder if you need to install the Windows Performance Toolkit only on another computer.

Run Windows Performance Recorder

We only need two: WPRUI.EXE – Windows Performance Recorder & WPA.EXE – Windows Performance Analyzer.

Run WPRUI to launch Windows Performance Recorder

Change the Performance Scenario to Boot, and File

Select Resource Analysis and click CPU usage

Tip: You can add more: File I/O, Networking I/O, GPU usage etc if you know what in particular may be causing your boot slowness, the more you add the more data and complexity is added. I would recommend to only add additional resource analytics when required.


Click Start to select where your boot traces will go and click Ok to start your boot traces, this will restart your computer 3 times.

Tip: If you need to login, please make sure you login quickly during each trace as the longer you leave it unattended the more data and delay it will collect.

Run Windows Performance Analyzer

Once the computer has been restarted 3 times and your traces have been completed, navigate back to: C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit and click on WPA.EXE to open the Windows Performance Analyzer, or click Open in WPA from the Windows Performance Recorder dialog.

The Windows Performance Analyzer will be our canvas for analyzing issues. You can expand areas like System Activity to dig into Processes and Services. Just drag the data onto the Analysis screen to go through it.

From here you can drill down into the data to find the cause or improvements for your login time, from here I can see one of the delays of my system is the CortanaUI.

I am running this on a 16GB i7 4GHZ machine running on an SSD so it isn’t really a good example, but have used this in the past to work out that my login was slow because Lync had logging turned on.

Hopefully this gets you through the first steps in diagnosis and resolving your performance issues.

Useful resources

Troubleshooting Windows Internals when unexpected events happen – https://channel9.msdn.com/events/Ignite/New-Zealand-2016/M405

Investigating website performance with Windows Performance Toolkit – https://github.com/MicrosoftEdge/MicrosoftEdge-Documentation/tree/master/performance-analysis/windows-performance-toolkit

Slow Boot Slow Logon (SBSL), A Tool Called XPerf and Links You Need To Read – https://blogs.technet.microsoft.com/askpfeplat/2012/06/09/slow-boot-slow-logon-sbsl-a-tool-called-xperf-and-links-you-need-to-read/

Database error when making changes to DHCP reservations

“An error occurred while accessing the DHCP database.”


One of the issues I have run into since an upgrade to Windows Server 2012 R2 DHCP servers was due to multiple processes accessing the DHCP database when I was attempting to Create or Modify a DHCP v4 reservation.

  1. Adding an exclusion to DHCP.MDB file for Real Time scanning on my antivirus product.
  2. Disabling the Windows indexing service from indexing the DHCP folder.

To disable the Windows indexing service from indexing the DHCP server follow the quick steps below:

  1. Open Windows Explorer – or Computer: on the DHCP server
  2. Navigate to: c:\Windows\System32\DHCP
  3. Click on the General Tab up the top and click Advanced
  4. Uncheck ‘For Fast Searching, Allow Indexing Service to Index this Folder.’
  5. Click Ok

Useful Resources:

Microsoft Anti-Virus Exclusion List – https://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx

How to create and mount an NFS datastore on ESXi using a Drobo 5N

This quick guide will run you through installing an NFSv3 server on your Drobo 5N and then mounting it on an ESXi host. The same setup can also be used for adding the NFS share using vSphere.

I will be setting this up on a VMware ESXi 6.5 host, running off an Intel NUC, and my NFS datastore will be hosted using my Drobo 5N.

Note: Make sure you have the latest Drobo Dashboard and firmware installed on your Drobo before proceeding.

How to create the NFSv3 datastore

Open Drobo Dashboard and login with your Admin credentials

Navigate to DroboApps

Select Network Applications and select NFSv3 and click Install to install the NFSv3 application


The NFSv3 application uses the inbuilt Drobo Shares functionality to provide a mount path. It will only accept shares which have Everyone specified with Read/Write permissions. In the Drobo Dashboard navigate to Shares

Click on Share Settings

Click on Add

Give your new Share a name such as ‘NFS_Datastore’ and click Ok

On the right hand side select Everyone until the Pen appears. This will allow Everyone to have Read/Write access to the share. Click Ok

You have now created your NFS share, navigate back to DroboApps and NFSv3 and click Configure

Navigate down to select Rescan to rescan the Share list and permissions

Once the rescan has been completed look in the Exports log for your share, it should be listed at the bottom and take note of the mount path – as you will need this later to mount your datastore.

How to mount the NFSv3 datastore

Now open Internet Explorer or another browser and connect to your ESXi host

Navigate to the Storage pane


Select New Datastore and click Mount NFS datastore and click Next

Type in the name you want to name your NFS datastore – I am following my own naming standard so: DATASTORE_NFSv3_Hotdog

Type in the IP address of your NFS server (which is your Drobo) and then type in the mount path that was given to you by the NFS export log on the Drobo in the previous steps

Once that is filled out click Next, verify the information is complete and click Finish to mount your NFS datastore, you should now be able to create a VMDK or VM on your network share and share it between hosts.

You can test that your host has read/write access to the datastore by selecting the NFS datastore, clicking Actions, Browse, creating a new Directory and verifying that it gets created without an issue.

If you get permission issues, make sure that Everyone is set on the Share in the Drobo Dashboard. In ESXi, navigate to Networking, Firewall Rules and make sure NFS Client is Enabled and that its properties either allow connections from all IP addresses or have the IP of your Drobo assigned.


DFS Namespace service not starting after a reboot

Distributed File System (DFS) has some service dependencies, so if those don’t start the DFS Namespace service will also not start.

The dependencies are:

  • Remote Registry
  • Security Accounts Manager
  • Server
  • Workstation

I have seen the Remote Registry service become the culprit of the DFS-N service not starting.

In my experience, this has been caused by antivirus software changing the Remote Registry service to the Disabled start-up type, so when the DFS-N server restarts, one of the dependency services, Remote Registry, does not start. If you have issues with the DFS-N service not starting, check that the Remote Registry start-up type is configured to Automatic, click Start to confirm there are no errors, and try starting the DFS-N service again.

Note: RemoteRegistry – although it is Automatic, it will only Start when it is being used so don’t be alarmed if it is in a Stopped state.


I have also created a quick PowerShell script to do some general checking for the DFS Namespace service. It sets the Remote Registry service to Automatic startup, gets the other DFS service dependency services, changes their startup type to Automatic and starts them, and finally tries to start the DFS Namespace service.
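The checks described above, written out as an added PowerShell example (this is not the author's script, which is not reproduced on this page). It assumes the DFS Namespace service's short name is Dfs; run it with -WhatIf to get the report without changing any service, which is useful when the Disabled start-up type was set deliberately by a security product or baseline.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's script.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: 'Dfs' is the short name of the DFS Namespace service.
    # Confirm on your server with: Get-Service -DisplayName 'DFS Namespace'
    [string]$ServiceName = 'Dfs'
)

$dfs = Get-Service -Name $ServiceName -ErrorAction Stop

$report = @(foreach ($dep in $dfs.ServicesDependedOn) {
    # Win32_Service.StartMode is used because ServiceController.StartType
    # is not available on older PowerShell/.NET versions.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($dep.Name)'"

    if (-not $svc) {
        # Driver dependencies are not listed in Win32_Service; report them only.
        [pscustomobject]@{
            Name            = $dep.Name
            StartModeBefore = 'n/a (driver)'
            SetToAutomatic  = $false
            Status          = $dep.Status
        }
        continue
    }

    # Win32_Service reports Automatic as 'Auto'.
    $changed = $false
    if ($svc.StartMode -ne 'Auto' -and
        $PSCmdlet.ShouldProcess($dep.Name, "Set start-up type to Automatic (was $($svc.StartMode))")) {
        Set-Service -Name $dep.Name -StartupType Automatic
        $changed = $true
    }

    # Remote Registry is trigger-started, so Stopped alone is not a fault;
    # starting it here only confirms that it can start without errors.
    if ($dep.Status -ne 'Running' -and $PSCmdlet.ShouldProcess($dep.Name, 'Start service')) {
        try   { Start-Service -Name $dep.Name -ErrorAction Stop }
        catch { Write-Warning "Could not start $($dep.Name): $($_.Exception.Message)" }
    }

    [pscustomobject]@{
        Name            = $dep.Name
        StartModeBefore = $svc.StartMode
        SetToAutomatic  = $changed
        Status          = (Get-Service -Name $dep.Name).Status
    }
})

# Finally try the DFS Namespace service itself.
if ($PSCmdlet.ShouldProcess($ServiceName, 'Start service')) {
    try   { Start-Service -Name $ServiceName -ErrorAction Stop }
    catch { Write-Warning "$ServiceName did not start: $($_.Exception.Message)" }
}

$report += [pscustomobject]@{
    Name            = $ServiceName
    StartModeBefore = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartMode
    SetToAutomatic  = $false
    Status          = (Get-Service -Name $ServiceName).Status
}

# One row per dependency plus the DFS Namespace service; StartModeBefore
# records what was found so a re-disabled service can be traced to its source.
$report
```

The StartModeBefore and SetToAutomatic columns give a record of which services had been switched away from Automatic, so the antivirus or policy setting that keeps disabling them can be corrected at the source.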

Configuration Manager – Does not have permission to update the prereq or state flag of the package

When attempting an upgrade of System Center Configuration Manager v1511 to 1606 I ran into issues relating to the permissions of the Security Scope in Configuration Manager under the account I was doing the upgrade under.

I also had issues enabling Automatic Client upgrade, which was grayed out. After some research I found that this was because the original Full Administrator account, which was used by a contractor to do the SCCM environment installation, had been deleted from Active Directory and had explicit ownership of All Scopes and Collections. This was fixed by taking ownership of the Scope and Collections as below.

ConfigMgr Error Object:

instance of SMS_ExtendedStatus
{
    Description = "User \"DOMAIN\\User\" does not have permission to update the prereq or state flag of the package. ";
    ErrorCode = 1112017920;
    File = "e:\\nts_sccm_release\\sms\\siteserver\\sdk_provider\\smsprov\\sspupdatepackages.cpp";
    Line = 435;
    ObjectInfo = "2";
    Operation = "ExecMethod";
    ParameterInfo = "SMS_CM_UpdatePackages.PackageGuid=\"0D256560-ED2C-45B5-8D75-4D38AB3F758C\"";
    ProviderName = "WinMgmt";
    StatusCode = 2147749889;
};

In order to resolve this issue, I needed to make changes to the Configuration Manager (SCCM) SQL database. I don’t take responsibility for any damage this may cause and of course highly recommend doing this in Test first, and making sure a SQL backup has been done beforehand.

1. Open SQL Management Studio with an account that has sysadmin permissions on your SCCM database – and connect to it.

2. Expand Databases, and locate your SCCM database. Right click your database and select New Query

3. Type in or Copy the following Query and Execute it:

select * from RBAC_ADMINS

4. You should now get all the specified Administrators for the SCCM role based Full Administrator group; this includes LogonName, DisplayName and their CreatedBy and Created Date

5. Now we need to set the correct permissions on the Security Scope – find the account you want to make Full Administrator (best practice would indicate – this should be an Active Directory group, which your account is then a member of to avoid future problems) and note down the AdminID of your account

6. Clear the Query box and type in:

Update v_securedScopePermissions Set categoryid='sms00all' where adminid=<ADMINID>

7. Replace <ADMINID> with the number of your account, Admin ID without the <>.

8. When you are ready to make the change, click Execute

9. You have now successfully gained Full Administrator permissions over all Scopes and Permissions. Close the SCCM console and relaunch and you should now be able to do the upgrade or enable Automatic client upgrade.

Upgrade MDT 2013 to MDT Current Branch

Upgrading MDT (Microsoft Deployment Toolkit) is generally not an issue – the main points are:

  • Upgrade the Windows ADK before upgrading MDT.
  • Make sure you have a backup (or can restore to a pre-upgraded MDT) of the Deployment Share – the Upgrade will upgrade the schema of the MDT database – including allowing new ADK features for your Deployment Share.

Now that we have a backup it is now time to go through the Windows ADK (Windows Assessment and Deployment Kit) upgrade on the MDT server and MDT current branch update. Follow the guide below to complete.

Upgrade Windows ADK

I will be using Windows ADK for Windows 10, version 1607 in my example.

  1. Download the latest Windows ADK – https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit and save the setup file to your MDT server.

  2. If you try to install the ADK without upgrading, you will get the following error:

  3. So open Program and Features, select Windows Assessment and Deployment Kit – Windows 10 and select Uninstall to uninstall the old ADK (in this example I am uninstalling the v1511 Windows 10 ADK).

  4. Select Yes to uninstall the Windows ADK and Close when the uninstall has been completed

  5. Now that the old Windows ADK has been uninstalled you can launch the new Windows ADK downloaded in Step 1. Make sure Install the Windows Assessment and Deployment Kit – Windows 10 to this computer is selected and the install path is correct, and click Next

  6. You can either select Yes or No to allow Microsoft to collect usage data – I am just going to select No and click Next to proceed with the install

  7. Click Accept on the license agreement

  8. You will now get greeted by a dialog for installing the features of the Windows ADK – you need: Deployment Tools, Windows Preinstallation Environment (Windows PE) and User State Migration Tool (USMT). Select these and click Install

  9. Once the Windows Assessment and Deployment Kit installation has been completed, restart your MDT server (this is not required – but I prefer to do it to make sure any registered DLLs or registry changes have taken effect and it is in a clean state).

Upgrade MDT

1. Now that the Windows ADK has been updated – it is time to download the Microsoft Deployment Toolkit – https://www.microsoft.com/en-us/download/details.aspx?id=54259 by selecting Download

2. We are upgrading the x64 version so select this and click Next (same process for x32 – just download that instead).

3. Select Run to start the install

4. You will now have the Install Microsoft Deployment Toolkit Setup wizard – select Next to start the install

5. Accept the License Agreement and select Next

6. Make sure that Microsoft Deployment Toolkit – Documents and Tools and Templates are selected and the install path is correct (matches your current MDT install) and click Next

7. Select Yes or No to joining the Customer Experience Improvement Program and select Next

8. Finally – click Install to start the MDT install

9. Once installed click Finish

10. Open the Deployment Workbench

11. It should automatically have your Deployment Share listed under Deployment Shares – if not, you will need to click File, Add Deployment Share to add your deployment share. Right click your deployment share and select Upgrade Deployment Share

12. Verify that the information is correct and click Next to start the Upgrade

13. This will start the upgrade of the Deployment Share

14. Once the Upgrade of the Deployment Share has been completed – it is time to upgrade the Boot Image

15. Right click your Deployment Share again – and instead of Upgrade, there will be Update. Select Update Deployment Share

16. You will be greeted by the Update Deployment Share Wizard – select completely regenerate the boot images and click Next

17. You will then be forwarded to a review page, verify the permissions are correct and click Next to start regenerating the boot images.

18. Once completed you are finished. You have now hopefully successfully upgraded the ADK, MDT and Boot Images.

BgInfo Configuration & User Deployment using Group Policy

Introduction

BgInfo is beneficial for Endpoint device support: it displays the Asset number, IP address and logged on username overlaid on top of the wallpaper. It is OS independent and can be used across other Windows Desktop and Windows Server environments.

BGInfo is a free Windows Sysinternals utility created by Microsoft engineer, Mark Russinovich.

This utility runs under the user’s context and does not need admin rights. As such, we will create this as a User Based group policy which runs upon logon.

How do I create a BGInfo package?

Use the following guide to create the BG Info package…

  1. Run and extract it to a folder – for example c:\temp\bginfo
  2. Run BGInfo, you will be prompted with the default configuration
  3. You can delete the Fields from the Black window as applicable. In this example we are just going to use 3 fields:

Host Name:    <Host Name>

IP Address:    <IP Address>

User Name:    <User Name>

  4. To add more you can select Fields, and Add. If there is a field that you may need that isn’t selectable from the defaults, you can also query Environment Variables, Registry and WMI by clicking on the Custom button. We are sticking with the defaults so click Apply to review changes.
  5. We also want to replace the Background so it isn’t the default Black color, so click on Background…
  6. Because this will be rolled out to multiple users, we either need to have a BMP or JPG that will be on every single computer in the same location or accessible to all authenticated users on the network. We will be going with option 2 – using the domain’s namespace and net logon folder to store BGInfo and the wallpaper. Copy the Wallpaper you want to an easily accessible share that authenticated users have Read access to. I am using a Wallpaper folder, under the Net Logon folder.
  7. Navigate to: \\DOMAIN\netlogon\Wallpaper\Desktop.jpg, select Stretch as the Wallpaper position and click Ok.
  8. For future wallpaper changes, this will need to be modified again to point towards the newest wallpaper. Click Apply
  9. Verify that the settings are correct and it looks ok. If so, we now need to save the configuration so it can be reused – click on File and select Save As.
  10. Name it: config.bgi
  11. Restart your computer to lose the changes. You can now test the configuration file from the Command Line: open PowerShell or Command Prompt (as a normal user), navigate to the folder where you have saved the BGInfo executable and the configuration file, and type:

bginfo.exe config.bgi /accepteula /silent /timer 0

  12. Press Enter and that should force BGInfo to load with your changes without any user prompt.

How do I deploy BGInfo package?

Use the following guide to deploy the BG Info package. Because this is a user based application and needs to run under user context on login, we are going to use a logon script using a user based group policy – for specific users only.

  1. Open Active Directory Users and Computers and create an application group to assign the users to that you want to have the BGInfo wallpaper – for example _APP_BGInfo – and add your user account to that group.
  2. Open the Group Policy Management tool using an account that has access to create Group Policies, right click on the OU with your user account (or Computer, if you have Loopback enabled) and select Create a GPO in this domain, and Link it here…
  3. Specify a name for the Group Policy, such as BgInfo-UserPolicy, and click Ok
  4. Right click the Policy and select Edit…
  5. Navigate to: User Configuration\Policies\Windows Settings\
  6. Click on: Scripts (Logon/LogOff)
  7. Double click Logon to open the Logon Properties
  8. I prefer to keep my scripts and source files replicated across Domain Controllers and located in the same location as my Group Policy – so click Show Files…
  9. Copy your BGInfo executable and configuration file into the folder. If you get errors, you may need to launch Explorer or map a drive using Domain Admin credentials, which usually have write access to the SYSVOL.
  10. Now we need to create a batch script that will be run by the group policy to launch BGInfo. Right click a blank space in the folder and select New, Text Document
  11. Rename file to: Run_BGInfo.bat
  12. Right click the bat file and select Open with, Notepad
  13. Go back to Windows Explorer; we now need to get the Group Policy location/path. Right Click on the Address pane and select ‘Copy as Text’
  14. Enter in the following detail (the \\DOMAIN till the Logon path is the location of your Group Policy, copied from Step 13) and click Save:

@echo off

\\DOMAIN\SysVol\luke.geek.nz\Policies\{8BBCd98E-4907-4D45-B662-8034A55B0352}\User\Scripts\Logon\Bginfo.exe \\DOMAIN\SysVol\luke.geek.nz\Policies\{8BBCd98E-4907-4D45-B662-8034A55B0352}\User\Scripts\Logon\config.bgi /accepteula /silent /timer 0

Exit

  15. Double click the Run_BGInfo.bat to confirm it works, and if not modify the batch script to work – it needs to point towards the exact BGInfo and configuration file, and to avoid extra spaces it may be best to run it on the same line with a space between BgInfo.exe and the path to the configuration file only.
  16. Once it is confirmed working, go back to the Group Policy created in Step 3. Before we add the script we need to set the Scope so the policy doesn’t affect users that are not supposed to get the BGInfo wallpaper.
  17. Under the Scope tab, remove Authenticated Users from the Security Filtering and add the Active Directory group created earlier – i.e. _APP_BGInfo – also check the Delegation Tab and make sure Authenticated Users is added for Read Rights.
  18. Now right click the BGInfo group policy – select Edit and navigate back to: User Configuration\Policies\Windows Settings\
  19. Click on: Scripts (Logon/Logoff)
  20. Double click Logon to open the Logon Properties
  21. Click Add and Browse
  22. Select Run_BGInfo.bat and click Open and click Ok
  23. You have now successfully created the User based policy that will run the Run_BGInfo.bat script on user logon
  24. Restart and verify that your Desktop wallpaper has now been changed. Other users of the Active Directory group will need to restart or Log off and back in – to pick up the changes.