Configure Branch Cache SCCM 1810

We recently started to roll out Windows 10 and started to see spikes on our WAN links caused by the increased size of updates. We look at installing local DP on each site but this would add a lot of over head for managing these DP’s.

We then looked at using branch cache, I decided to do a post on enabling branch cache in SCCM.

First I need to check on clients if branch cache was enabled to do this run the below command.

netsh branchcache show status all

BC1

Once confirmed we need to enable branch cache in SCCM client settings this can be either enabled on an existing device policy or create a new policy I am going with a new policy.

Logon to SCCM Admin console > Administration > Client settings

Right click on client settings > Create Custom Client Device SettingsBC2

Give the policy a Name and select Client Cache SettingsBC6

set the below settings

  • Change Configure BranchCache to Yes
  • Change Enable BranchCache to Yes
  • Configure the cache size settings (default is 10%)

BC3

As part of Windows 10 OS it does it’s own branch Cache while downloading updates and it will overwrite SCCM client settings. To disable this setting we can create a group policy and apply just to windows 10 OS’s.

Below is the location of the settings that need to be disabled

Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Delivery Optimization, set (Download Mode) to disabledBC5

If the policy is not showing it is probable because the ADMX template for windows 10 has not been added.

The last part is to enable Branch Cache in SCCM for the distribution points by selecting the properties of the distribution point as given below.BC4

To test that the policy has been applied go to a client device and update the machine policy. Then run netsh command again and we should now see branch cache has been enabled.

netsh branchcache show status allBC7

SCCM Task Sequence Windows 10 Language Pack’s Install

On a recent project there was a requirement to install different language pack’s and configure regional / keyboard settings. I was having issue getting this working so I though I would do a post on how I ended up getting it working correctly.

First problem I had was trying to find the language packs I ended up downloading the language pack ISO from the Microsoft visual studio site.

lp

Once downloaded I need to mount the ISO and copy the required lp3

Once all the required language packs where copied. Create a new packages for each packlp4lp5lp6lp7lp8

The next step is to configure the XML file’s that will be used to configure the regional and keyboard settings for each language pack. I used this support how to as a refrence for the XML:

https://support.microsoft.com/en-ie/help/2764405/how-to-automate-regional-and-language-settings-in-windows-vista-window

Below is the XML file that was used for the German language pack:

lp11

I used the below sites to get the GEO ID & the Input Locales

GEO ID : https://docs.microsoft.com/en-ie/windows/desktop/Intl/table-of-geographical-locations

Input Locales: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs

Once we have all the language packs completed create a single package with all the XML’s file’slp15

Next step is to add the steps to the Windows 10 task sequence

Add a run command line task, use the command below and replace with the required language pack .cab file. Select the corresponding package.

Below is for the german .cab

dism.exe /norestart /online /add-package /packagepath:.\Microsoft-Windows-Client-Language-Pack_x64_de-de(German).cablp10

After this step add a restart task lp12

Next step is to apply the XML file’s to set the regional / Keyboard settings. Below is the command line I used

rundll32.exe shell32,Control_RunDLL intl.cpl,,/f:”.\German.xml”

When copying the command above check that the double quotes are in the correct format or the command could fail to apply the xml fileLP13

After this step do another restart, the last step I did was to configure time zone for each region. I used the below site to get the time zone values

Time Zone Values: https://support.microsoft.com/en-us/help/973627/microsoft-time-zone-index-values

Below is the command line to set the time zones

cmd.exe /c tzutil.exe /s “W. Europe Standard Time”lp14

Below is the finished task sequence with all languages addedlp17

Last step was to set a condition to apply each package. I used host name as the condition to apply the language packs as each country has its own naming convention this was the easiest way for melp16

Once this is competed I tested and all packages were applied without error.

lp1lp2

SUP Migration WUHandler Error CWuaHandler::SetCategoriesForStateReportingExclusion

Just want to put this up in case anyone else run in to this issue. I had to test migrated WSUS and SUP role from my Primary site server to its own standalone server, so I could complete the same task in production.

After the migration all updates showed as unknown for all devices. I check the update deployment log and WUAHandler.log under c:\Windows\CCM and the update scan started but just sat at  the below log output

Assignment({968F78AA-AE13-495C-83D9-74920944C702}) already in progress state (AssignmentStateDetecting). No need to evaluate

sup2

When I checked the WUAHandler log I could see the below but the site never registered the new WSUS server.

CWuaHandler::SetCategoriesForStateReportingExclusion called with {GUDI } for bundles

I checked the general bits like the site status, component status and wsyncmgr.log all where green and working correctly. I then checked a few post online and most pointed to a Content version / MinSourceVersion miss match issue from the WSUS DB.

I checked this and my content version was the same as in MinSourceVersion so that was not the issue.  I then had a look at the Window update registry key on the clients to see if the new WSUS was registered. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

It wasn’t 😦

Finally had a look boundary (Should have done this first ) and turns out I was a bit forgetful and didn’t add the new site server to the boundary group’s so no client’s where able to see the new SUP server.

Once I added to all boundary groups and did an update scan cycle all updates started to show a few hours later and the WUAHanlder log now showed the WSUS connection.

sup3

yay it’s all fixed 🙂

Point to take away, always add new site servers to boundary groups first 🙂

 

Removing WSUS on SCCM Server Causes HTTP Error 500.19

Recently I was migrating my WSUS deployment off my SCCM server to a new standalone server so that I could enable Windows 10 and Windows Server 2016 updates.

After removing the role I started getting critical alerts for the management Point, Clients couldn’t be installed and I was getting 500.19 error from the SCCM IIS site.

SCCM MP Errorsccmerror2

IIS Errorsccmerror

I had a quick search and found a blog post by Jörgen Nilsson that had the reason for the error.

https://ccmexec.com/2014/03/uninstalling-wsus-on-primary-site-server-causing-http-error-500/

When removing the WSUS role there are configuration settings that are written to the Applicationhost.config that reference a .dll file used by WSUS that is removed during the WSUS role removal. The Applicationhost.config is located under C:\Windows\System32\inetsrv\config

If we check the Applicationhost.config there should be an entry the same as below:

<scheme name=”xpress” doStaticCompression=”false” doDynamicCompression=”true” 
dll=”C:\Windows\system32\inetsrv\suscomp.dll” staticCompressionLevel=”10″ 
dynamicCompressionLevel=”0″ />

Running the following command will remove the references of .dll that is installed by WSUS

%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /-[name=’xpress’]sccmerror3

After running the above command the management point is back working and I can now access all SCCM URL’ssccmerror4

SCCM 1806 Software Center Customisation

Since SCCM 1710 there was the addition to device settings to allow customisation of software center 1806 added an additional customisation to add a custom web page as an additional tab. As above you need to be at 1710 or above to have these customisation options.

by default the below would be the basic colour and appearance for the software center:

soft1

To start I usually create a new policy to test before pushing out to all users.

  • Open SCCM console
  • Go to Administration > Client settings

Right click and create a new policy (I called mine Custom Software Center)soft2

Click the Software Center check box in the policysoft3

Under device settings set select these new settings to specify company information to yes. soft4

Then go to customize. Edit company name, set color scheme and add a company picture. Below is the default settings. The logo image file needs to be a maximum size is 400×100 and 750kbsoft5

Here is the updated settingssoft6

To add a custom tab with URL to a support site or blog post. Go to tabs and put a check box on: Specify a custom tab for Software Center. (This is only available if SCCM is 1806 or above.)

  • Add a custom tab name
  • Add a URL

soft7

Once finished editing the policy it then needs to be deployed to the require collection. Right click on the custom policy and go to deploy.soft8

Then select the device collection to deploy tosoft10

Once the policy is deployed, go to a device in the collection to update the machine policy. Go to Control Panel > Configuration Manager > Actions > Machine policy retrieval & Evaluation cycle and click run now. soft11

Once the policy is updated the Software Center should be updated with the new color scheme, company logo and custom URLsoft12.png

 

Windows Updates Fail Error Code 0x800F0831 Server 2012 R2

I recently had and issue installing Windows updates on some servers running Windows Server 2012 R2. The server would install most updates but not the monthly update rollups or the security only updates.

I checked the event logs and saw event 0x800F0831Up2

This didn’t give much information on why the update was failing so I checked the CBS log and found the below error. This pointed to a missing or corrupted update for KB4343898 which in my case was the August 2018 monthly update rollup. Up3

CBS Failed to resolve package ‘Package_1101_for_KB4343898~31bf3856ad364e35~amd64~~6.3.1.9’ [HRESULT = 0x800f0831 – CBS_E_STORE_CORRUPTION]

CBS Mark store corruption flag because of package: Package_1101_for_KB4343898~31bf3856ad364e35~amd64~~6.3.1.9. [HRESULT = 0x800f0831 – CBS_E_STORE_CORRUPTION]

Next step was to check to see if the update was showing on the server so I used the PowerShell command Get-hotfix to search for the update.

Get-hotfix | where {$_.hotfixid -like “KB4343898”}Up4

If I check the package folder C:\Windows\servicing\Packages  I can see the update is referenced but not the package showing the error in the CBS log. UP6

I had this issue a few years back and the fix was to add the update using Dism and the update cab file. To extract the update run expand updatefile /f:* exportpath

expand C:\temp\windows8.1-kb4343898-x64.msu /f:* C:\temp\KB4343898Up5Once the update is extracted use Dism to add the problematic update this should install the missing files.

Dism /online /Add-package:C:\temp\KB4343898\Windows8.1-KB4343898-x64.cabUp7

Once completed reboot the server if required, then try the update again, it should now install without issue.

 

Adding Multiple Devices To SCCM Collection PowerShell

I recently needed to add a few hundred devices to a collection in SCCM. I couldn’t use a query to achieve this as there where no attributes that I could use. So it would have to be a direct query and I didn’t really want to manually add hundreds of servers as this would take a long time and PowerShell is a much easier and faster option. I decided to write a quick script to get a list of device from a txt file and do a loop to add each device to the specified collection.

First I need to open a PowerShell connect to SCCM I prefer to use Powershell ISE as I can edit and test my script while in one console. To connect go to the SCCM console On the blue drop down icon on the top left, click it and then choose Connect via Windows PowerShell ISE.

Coll1

Once PowerShell ISE is open you should see the connection script.  Just click run script at top of ISE to connect to SCCM. Coll2

Once in ISE copy the script below and change the collectioname, computers and logpath variables to the correct location and collection that you want to added to.  Below is what the script should look like when it run.

Coll3

$collectionname = “RDS Deploy Collection”
$Computers = Get-content “c:\temp\Server_List.txt”
$logpath = “c:\temp”
foreach($computer in $computers) {
try {
Write-Host “Adding $computer to $collectionname” -ForegroundColor Green
Add-CMDeviceCollectionDirectMembershipRule -CollectionName $collectionname -ResourceId (get-cmdevice -Name $computer).ResourceID
}
catch {
Write-Warning “Cannot add client $computer object may not exist”
$computer | Out-File “$logpath\$collectionname-invalid.log” -Append
$Error[0].Exception | Out-File “$logpath\$collectionname-invalid.log” -Append
}
}

There is also a log file that will be export to give devices that have not been added and the error exception generated by PowerShell.

Coll4

Using SCCM CMPivot

With the release of SCCM current branch 1806 there is a lot of new features. One feature I really like is CMPivot as this gives real-time results from queries instead of doing SCCM SQL query which will only have information from the last inventory scan from the SCCM agent.  This is very helpful if you want to run real-time queries on devices to check for  services status, installed software, OS information and more.

There are some prerequisites for using CMPivot:

  • SCCM must be up to 1806 or higher
  • The Configuration Manager administrator needs the Read permission on the SMS Scripts object, and the Run Scripts permission on the Collection object. The Scripts Runner role has these permissions.
  • SCCM clients must be running the 1806 agent or higher
  • To gather data for the following entities, target clients require PowerShell version 5.0:
    • Administrators
    • Connection
    • IPConfig
    • SMBConfig

To launch CMPivot open the SCCM console and go to device collections. Select the collection you want to query.CMP1

Once you open CMPivot you will get the welcome screen this will give information on how to run queries and the different object and functions that can be queried. CMP2

I will just be doing a basic query to check for a specific service. Highlight the entities you want to query and select insert.  If you run the queries with just service it will return all services from every device in the collection.CMP3

Use the where operator to filter results to only what is required.  Just put in a pipe | and add where then CMPivot will present the list of available entities.CMP4

Below I’m looking for all servers that have WinRM service this can be changed to any service that needs to be queried. CMP5

We can also combine queries to get list of devices that have a service installed but the service is not running. This can be usefully if you need to troubleshoot an application issue on multiple devices that might require a certain services.  I used to use script to check this type issue but CMPivot is a lot easier and all the result are returned directly back to the CMPivot console. CMP6

Once the query is completed there are some other options that can be run.

  • Create a collection based on the devices returned from the query 
  • Pivot to: This can be used to look up other info on a selected device
  • Remote Control for the selected device
  • Open the Resource Explorer for the selected device
  • Export list of devices to a CSV or clipboard 

CMP7

Run script is the only task that can be run on single or multiple devices.CMP8

Another use for CMPivot is querying a specific file. A version number can added to the query. A good use case for this is if there is an application upgrade and the version number of the file changes this can be used to find devices that have not been upgraded successfully. CMP9