All posts by MikeL

CM 2012 – Configuration – Custom Client Settings for SUP

A client recently requested a preliminary design for moving security updates from WSUS to CM 2012.  There were several requirements for the move as well:  1) SUP would need to be tested on a small group of clients initially;  2) WSUS would need to remain in parallel during the process in order to keep current desktop/laptop clients and servers patched; 3) WSUS would need to remain in place after the move as the server team would continue to use it until their conversion to CM 2012.

I’m only going to focus on how custom client settings were used to segment out the test group from the main body of desktops and laptops.  (There were Group Policy and other adjustments which had to be made as well, but they are not part of this discussion.)

First, I created a test collection to house the initial software updates test group.

CCSSUP01

Current Default Client settings have Software Updates turned off.

CCSSUP02

I created a custom client device setting specifically targeted at software updates.  You can do this by navigating to Administration > [expand] Overview > [expand] Site Configuration > [select] Client Settings, then either right-click on Client Settings and select “Create Custom Client Device Settings” or click the same-named icon in the top ribbon.

On the General tab of the resulting screen, I named the Custom Device Settings “Software Updates – Enabled” and checked the Software Updates box.  Checking this box reveals the Software Updates tab in the left panel.

CCSSUP03

On the Software Updates tab, I enabled software updates on clients (1 in the picture below) and set bundling of updates having deadlines within 1 day of any update which has reached its deadline (2 and 3 in the picture below).  Save the custom client setting by clicking OK and then deploy it to the test collection.  I set the priority of the setting to 1.  If this is your first custom setting, it will default to a priority of 1.  You can change the priority of any custom setting by right-clicking on the setting and using the Increase or Decrease Priority selections from the drop-down menu.  Remember that the lower the priority number, the higher the priority in settings application on the client machine.

CCSSUP04

The newly deployed setting shows up under the Deployments tab of the custom settings.

CCSSUP06

Force a Machine Policy Retrieval & Evaluation Cycle on the machines located in the test collection and the new custom settings will be applied.  You can check this by looking at the Components tab of the Configuration Manager control panel applet.

CCSSUP08

Initiate a Software Updates Scan Cycle on the machines located in the test collection and then spot-check the WUAHandler.log file on those machines to validate that the clients are pointing to the correct SUP server and that the scan is not encountering any errors which need addressing.  You should see something similar to the below entries in the log file.

Enabling WUA Managed server policy to use server: [YOUR SERVER HERE]
Async searching of updates using WUAgent started.
Async searching completed.
Successfully completed scan.
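
A scripted version of this spot-check, as an added example that is not part of the original post. The function name Test-WuaHandlerScan, the host name sup01.example.test and the sample lines are assumptions: the sample wraps the four messages above in the CMTrace-style envelope that ConfigMgr client logs use.

```powershell
# Added example: confirm which server WUAHandler.log reports and whether the scan finished.
function Test-WuaHandlerScan {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][string]$ExpectedSup   # host name of the SUP you expect
    )
    # <![LOG[message]LOG]!><time=".." date=".." component=".." context="" type="N" ..>
    $envelope = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)".*?type="(?<type>\d)"'
    $server = $null; $lastSuccess = $null; $errors = @()

    foreach ($line in $LogLines) {
        $m = [regex]::Match($line, $envelope)
        if (-not $m.Success) { continue }            # skip continuation or foreign lines
        $msg = $m.Groups['msg'].Value
        if ($msg -match 'Enabling WUA Managed server policy to use server:\s*(\S+)') {
            $server = $Matches[1]                    # keep the most recent value
        }
        if ($msg -match 'Successfully completed scan') {
            $lastSuccess = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
        }
        if ($m.Groups['type'].Value -eq '3') { $errors += $msg }   # type 3 = error entry
    }

    # Compare host names only, so scheme and port differences do not cause a false mismatch.
    $loggedHost = if ($server -match '^(?:\w+://)?([^:/]+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        LoggedServer  = $server
        ServerMatches = ($loggedHost -eq $ExpectedSup)   # -eq is case-insensitive
        LastSuccess   = $lastSuccess
        ErrorCount    = $errors.Count
        Errors        = $errors
    }
}

# Constructed sample lines (not captured from a real client).
$sample = @(
    '<![LOG[Enabling WUA Managed server policy to use server: http://sup01.example.test:8530]LOG]!><time="10:15:02.101+300" date="09-05-2013" component="WUAHandler" context="" type="1" thread="3704" file="sample">'
    '<![LOG[Async searching of updates using WUAgent started.]LOG]!><time="10:15:03.250+300" date="09-05-2013" component="WUAHandler" context="" type="1" thread="3704" file="sample">'
    '<![LOG[Async searching completed.]LOG]!><time="10:16:40.812+300" date="09-05-2013" component="WUAHandler" context="" type="1" thread="3704" file="sample">'
    '<![LOG[Successfully completed scan.]LOG]!><time="10:16:41.004+300" date="09-05-2013" component="WUAHandler" context="" type="1" thread="3704" file="sample">'
)
Test-WuaHandlerScan -LogLines $sample -ExpectedSup 'sup01.example.test'
```

On a test-collection machine, pass `(Get-Content C:\Windows\CCM\Logs\WUAHandler.log)` as -LogLines, adjusting the path if the client is installed elsewhere. A result with ServerMatches false or an empty LastSuccess means the client is not scanning against the SUP you intended.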

If you feel so inclined, use a tool such as Roger Zander’s Client Center to check things out. (http://sccmclictr.codeplex.com/  –  don’t forget to donate!)

CCSSUP10

Server 2012 – Configuration – Disable Internet Explorer Enhanced Security

Another one of those items which can be hard to find if you are new to the GUI of Server 2012.

Within Server 2012, start up Server Manager and select your server (select local server if performing configuration on the server on which you are currently logged on).  Then look to the second column to the right for an item labeled “IE Enhanced Security Configuration.”  Click the link to the right of the word “Configuration.”

SRV2012-DES01

I generally do not disable this except for Administrators of the server, and then only temporarily to make things easier during a build.  Click the “Off” radio button and then click OK.  Be sure to turn this back on if it is required by your security policies and the temporary task is complete.

SRV2012-DES02

CM 2012 – Configuration – Software Update Point Settings

I’ve had this question posed a number of times, “How do I change the Software Update Point settings after I’ve installed SUP?”  If you’re new to the CM 2012 console, finding where to configure additional settings can be somewhat challenging at times.

Navigate to Administration > Site Configuration > Sites > the site which has SUP installed
Right-click on the site and select Configure Site Components > Software Update Point

Step 01

Choose the tab which contains the items you want to configure. In the picture below, I drew arrows to the update classifications tab and the products tab.  When you are finished, click Apply and OK.

Step 02

CM 2012 – Troubleshooting – The Create Application Wizard completed with errors

I have set up a lab within Hyper-V for various System Center Products and I wanted to run through some scenarios with SCCM 2007 to CM 2012 migrations. There are about twelve or so servers set up to simulate a domain, DNS, DHCP, etc.: the basic things needed to do system and scenario testing, and extra servers for playing around. So, I set up an SCCM 2007 environment, complete with clients, packages, etc., all working fine. I also set up a CM 2012 environment in native mode and a SQL 2012 server running on a separate server. I left off some of the extra roles such as EPP, SUP, SMP, etc., as I wanted to test basic raw functionality during a migration. My plan was to run through several migrations of various types to learn as much as possible.

Much to my satisfaction, after a few eventful evenings involving PKI, certificates and order of installation for IIS components, I had a CM 2012 system with a nice green column of checkmarks within the System and Component Status displays. My next order of business was to test some functionality before performing the test migration, so I started with application creation. I chose a pretty simple application, the Microsoft Config Manager 2012 Toolkit (SP1), went through the default steps and made no custom changes, only to receive this error message: (This is an isolated test environment, so I really don’t care if server names are displayed – figured I’d say that before I received a pm or something.)

The Create Application Wizard completed with errors

There were no error details other than the line indicating that the SMS Provider reported an error – so I checked the SMSProv.log file. The first error generated was very long so I’ll omit most of the body of the error and provide the front and back ends. In addition, here are the three error messages which followed as well.

———————————————————–

error 14: SQL Error Message Failed to generate documents:A .NET Framework error occurred during execution of user-defined routine or aggregate “fnGenerateLanternDocumentsTable”:
… (omission of large part of message)
ExitCode Code=”1618″/></p1:ExitCodes><p1:UserInteractionMode>Hidden</p1:UserInteractionMode></p1:CustomData></p1:Installer></p1:DeploymentType></AppMgmtDigest> SMS Provider 9/5/2013 5:03:28 PM 3704 (0x0E78)

ERROR CCISource::InsertObject returned 14 SMS Provider 9/5/2013 5:03:28 PM 3704 (0x0E78)

*~*~e:\nts_sccm_release\sms\siteserver\sdk_provider\smsprov\sspconfigurationitem.cpp(2152) : There is a failure while generating lantern documents for this configuration item~*~* SMS Provider 9/5/2013 5:03:28 PM 3704 (0x0E78)

*~*~There is a failure while generating lantern documents for this configuration item ~*~* SMS Provider 9/5/2013 5:03:28 PM 3704 (0x0E78)

———————————————————–

I searched for several hours trying to find any references to the errors I was receiving or issues between .NET 4 and CM 2012. There were several pleas for help, but no solid solutions. Then I decided to start searching on security update conflicts and came across this post:

http://blogs.technet.com/b/configmgrteam/archive/2013/07/17/issues-reported-with-ms13-052-kb2840628-and-configmgr.aspx

My first attempt to test the cause of the issue was to uninstall KB 2840628, which did not change anything, even after rebooting both the SQL server and the primary site server. I was going to employ the security settings workaround, then I read the details of the KB article, which indicated that the update had been republished 8/13. I had installed the update on the SQL server on 8/8, so I installed the new update, rebooted both the SQL server and the primary site server and all is working fine.

I just thought I would post this in the event others may be experiencing this issue.