Cannot Remove a DP – Old Site System from SCCM

The simplest and most stupid solution is to just wait 24h, and then SCCM will let you remove it 🙂

If you want it fast, you can try this:

Open regedit and go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SMS_SITE_COMPONENT_MANAGER\Component Servers

Find your old DP and set each “Deinstallation Start Time” REG_DWORD value to 1, then restart SMS_SITE_COMPONENT_MANAGER.

 

However, if the old DP is no longer accessible, you can remove it directly from the SQL database:

Here is the ultimate way to remove a DP from SCCM:

use CM_<sitecode>
-- varchar(255) so an FQDN is not silently truncated to 15 characters before the LIKE filters run
declare @ServerName varchar(255)
set @ServerName='<orphanFQDN>'

-- Assumption: the two equality filters use the MachineName and ServerName columns
delete from statusmessages where MachineName=@ServerName
delete from Summarizer_Components where MachineName like '%'+@ServerName+'%'
delete from summarizer_sitesystem where sitesystem like '%'+@ServerName+'%'
delete from statusmessageinsstrs where insstrvalue like '%'+@ServerName+'%'
delete from sysreslist where ServerName=@ServerName
delete from sc_sysresuse where nalpath like '%'+@ServerName+'%'


Prompt to Rename Computer During Task Sequence via PowerShell

Here is my PowerShell script to prompt to rename the computer during an SCCM OSD Task Sequence.

It first auto-populates the machine name from the serial number, and then asks the user whether to rename the computer. If the user does nothing, the pop-up window closes automatically within 30 seconds.

# Smart Computer Re-name System
# Rui Qiu
# 8/9/2018, Last edit 8/25/2018
# v2.0

# Hide the progress dialog
$TSProgressUI = New-Object -ComObject Microsoft.SMS.TSProgressUI
$TSProgressUI.CloseProgressDialog()

# Check Hardware Type & Model
$hardwaretype = Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty PCSystemType
$model = Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty Model
If ($model -like "HP*Z*") {$pre = "Z"}
Else {
    If ($hardwaretype -ne 2) {$pre = "D"}
    Else {$pre = "L"}
}
Write-Host "DEBUG - Machine Type is $pre"

# Check Serial Number
$SerialNumber = (Get-WmiObject -Class Win32_BIOS | Select-Object SerialNumber).SerialNumber
Write-Host "DEBUG - Serial Number is $SerialNumber"

# Prepare New Computer Name
$OSDComputerName = $pre + "-" + $SerialNumber
Write-Host "DEBUG - New Default Computer Name will be $OSDComputerName"

# Ask if user wants to rename (Yes/No popup that closes itself after 30 seconds)
Add-Type -AssemblyName PresentationCore,PresentationFramework
$MessageBody = "$OSDComputerName will be the machine name, do you want to change it?"
$MessageTitle = "Computer Name"
$Prompt = New-Object -ComObject wscript.shell
$Box = $Prompt.popup("$MessageBody`n",30,"$MessageTitle",4)

# break, not Return, ends each case: Return would stop the script before
# OSDComputerName is written to the task sequence environment below.
switch ($Box) {

    # 6 = Yes: ask for a new name
    6 {
        [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
        $title = 'New Computer Name'
        $msg = 'Please Enter the ComputerName you want to use:'
        $name = [Microsoft.VisualBasic.Interaction]::InputBox($msg, $title)
        # Keep the automated name if the input box was cancelled or left empty
        if ($name -and $name.Trim()) { $OSDComputerName = $name.Trim() }
        [System.Windows.MessageBox]::Show("New Computer Name will be $OSDComputerName")
        Write-Host "DEBUG - Your Computer Name will be $OSDComputerName"
        break
    }

    # 7 = No: keep the automated name
    7 {
        [System.Windows.MessageBox]::Show("We will keep the automated name $OSDComputerName")
        break
    }

    # -1 = the popup timed out: the automated name is kept
}

# Make New Computer Name
$TSEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$TSEnv.Value("OSDComputerName") = "$OSDComputerName"
$out = $TSEnv.Value("OSDComputerName")
Write-Host "DEBUG - OSDComputername is set to $out"
Rename-Computer -NewName "$OSDComputerName"


SCCM Compliance Rule For Checking CredSSP Encryption Oracle Remediation Status

Here is my PowerShell detection script for checking machines' CredSSP Encryption Oracle Remediation status with an SCCM Compliance Rule:

# Check CredSSP Encryption Oracle Remediation Status
# Rui Qiu
# 8/21/2018
# ver1.4

$osversion = Get-WmiObject -Class Win32_OperatingSystem | Select-Object -ExpandProperty BuildNumber
# Named $kbList rather than $matches, which is a PowerShell automatic variable
$kbList = "KB4103718", "KB4103712", "KB4103730", "KB4103726", "KB4103725", "KB4103715", "KB4103723", "KB4103731", "KB4103727"
$fix = Get-HotFix | Select-Object -ExpandProperty HotFixId
$Compliance = "No"

# Build 17134 is reported compliant without a KB lookup
if ($osversion -eq "17134") {
    $Compliance = "Yes"
}
else {
    foreach ($kb in $kbList) {
        if ($fix -contains $kb) { $Compliance = "Yes" }
    }
}

# The single value returned to the compliance rule
$Compliance
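
The patch check above combined with the policy setting itself, as an added example (not the author's script): a patched machine whose AllowEncryptionOracle value is explicitly set to 2 (Vulnerable) still permits the insecure fallback, which a KB lookup cannot see. The function names and sample inputs are constructed; the KB list and build number are the page's, and the registry path and values (0 Force Updated Clients, 1 Mitigated, 2 Vulnerable) are those of the Encryption Oracle Remediation policy.

```powershell
# Added example. PowerShell 2.0 compatible (no [pscustomobject], no Get-CimInstance).
$PatchKBs = 'KB4103718','KB4103712','KB4103730','KB4103726','KB4103725',
            'KB4103715','KB4103723','KB4103731','KB4103727'
$PolicyNames = @{ 0 = 'ForceUpdatedClients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Test-CredSspCompliance {
    param([string]$Build, [string[]]$HotFixIds, $PolicyValue)

    # Same patch test as the page: build 17134, or any of the listed KBs.
    $patched = ($Build -eq '17134')
    foreach ($kb in $PatchKBs) {
        if ($HotFixIds -contains $kb) { $patched = $true }
    }

    # Translate the DWORD; an absent value means the policy is not configured.
    if ($null -eq $PolicyValue) { $policy = 'NotConfigured' }
    elseif ($PolicyNames.ContainsKey([int]$PolicyValue)) { $policy = $PolicyNames[[int]$PolicyValue] }
    else { $policy = "Unknown($PolicyValue)" }

    # An explicit Vulnerable setting, or a value outside 0-2, fails even when patched.
    $ok = $patched -and ($policy -ne 'Vulnerable') -and ($policy -notlike 'Unknown*')
    New-Object PSObject -Property @{
        Patched    = $patched
        Policy     = $policy
        Compliance = $(if ($ok) { 'Yes' } else { 'No' })
    }
}

function Get-CredSspPolicyValue {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $prop = Get-ItemProperty -Path $key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($prop) { $prop.AllowEncryptionOracle } else { $null }
}

# Constructed inputs: a patched machine with the policy unset, then forced to Vulnerable.
$sampleUnset = Test-CredSspCompliance -Build '14393' -HotFixIds 'KB4103723' -PolicyValue $null
$sampleWeak  = Test-CredSspCompliance -Build '14393' -HotFixIds 'KB4103723' -PolicyValue 2

# Live check: emit the single Yes/No value a compliance rule expects.
$build = Get-WmiObject -Class Win32_OperatingSystem | Select-Object -ExpandProperty BuildNumber
$ids   = Get-HotFix | Select-Object -ExpandProperty HotFixId
(Test-CredSspCompliance -Build $build -HotFixIds $ids -PolicyValue (Get-CredSspPolicyValue)).Compliance
```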


E_SMPERROR_MIGRATIONID_NOT_FOUND (204)

When I was using the state migration point for user data backup and recovery during OSD, it failed multiple times today, and the error message was

“SMP request to failed with error: E_SMPERROR_MIGRATIONID_NOT_FOUND (204)”

Not sure what went wrong, just tried again and failed again.

Then I realized that I was backing up user data in one location, and when I recovered the user data, the computer was in another location.

When I checked the Migration Status in SCCM, indeed that backup was in the wrong location.

Then I added new location to the existing Migration Point server from Site System Roles, and it fixed the issue right away!

 


SCCM PXE Boot TFTP Issue

My SCCM PXE Boot environment was working fine a few months ago, but it broke and showed this when I booted up any machine:

Client Mac Addr: xxx GUID: xxx
Client IP: xxx MASK: xxx DHCP IP: xxx
Gateway IP: xxx
TFTP…
PXE-M0F: Exiting Intel Boot Agent.

So the client can get an IP. That’s a good sign.

Then I checked SMSPXE.log on the DP server. There were some error messages, and I followed those, and it got me in the wrong direction. (Removing and re-installing the PXE component didn’t help at all.)

Later I enabled detailed logging with WDS Service:

And found out this error message:

So it looks like the client is having issues downloading the boot image via TFTP…

Then I checked if the WDS server is listening on TFTP 67/68 port…

NETSTAT -an|more

I couldn’t find the 67/68 port… So what is wrong with WDS?

Finally… out of curiosity, I clicked this setting in “Windows Deployment Services”, and voilà, it worked!

 


My Shavlik Filter (Ivanti)

This is my Shavlik Filter for auto publishing

 

 

 

 


SCCM DP Installation Notes

distmgr.log

CWmi::Connect() failed to connect to \\DP-name.dm.xxx.yyy.corp\root\CIMv2. Error = 0x800706BA
0x800706BA = the RPC server is unavailable.

Failed to install DP files on the remote DP. Error code = 1722

– primary site computer account is in local admin group
– windows firewall disabled on both computers (firewall set service remoteadmin enable, file sharing)
– remote diff compression installed
– IIS installed (ISAPI, Windows Authentication, IIS6 Metabase comp, IIS6 WMI Compatibility)
– mofcomp.exe smsdpprov.mof

Copy the smsdpprov.mof file to the Distribution Point installation drive; you can find smsdpprov.mof under <drive:>\Program Files\Microsoft Configuration Manager\bin\X64 on your primary site server.


SCCM Package for Registry Permissions Change

Originally I had a PowerShell script for doing that, but it turned out not so good:

if (!(Test-Path HKCC:))
{New-PSDrive -PSProvider registry -Root HKEY_CURRENT_CONFIG -Name HKCC}
$RegPath = "HKCC:\SOFTWARE\XXX"
New-Item -Path "HKCC:\SOFTWARE\" -Name Encompass -Force
$acl = Get-Acl $RegPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("BUILTIN\Users","FullControl","Allow")
$rule2 = New-Object System.Security.AccessControl.RegistryAccessRule ("Everyone","FullControl","Allow")
$acl.SetAccessRule($rule)
$acl.SetAccessRule($rule2)

Here is the batch file to do the registry permissions change:

reg add "HKCC\SOFTWARE\XXX" /f
REGPERM /K "HKEY_CURRENT_CONFIG\SOFTWARE\XXX" /A:Everyone:F /E /I /F

Here is the little program that can make the registry permission change:

regperm
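
A narrower grant than Everyone:F, as an added example (not the author's script and not the REGPERM command): it gives BUILTIN\Users only the rights to read the key, write values and create subkeys, writes the ACL back with Set-Acl, and then reads the ACL again to flag any remaining FullControl entry. It assumes the application needs no more than those rights; HKCC:\SOFTWARE\XXX is the page's placeholder path.

```powershell
# Added example: least-privilege ACL on the page's placeholder key.
if (!(Test-Path HKCC:)) {
    New-PSDrive -PSProvider Registry -Root HKEY_CURRENT_CONFIG -Name HKCC | Out-Null
}
$RegPath = 'HKCC:\SOFTWARE\XXX'
if (!(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }

# Assumption: the application only reads and writes values and creates subkeys.
$rights    = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList 'BUILTIN\Users', $rights, $inherit, $propagate, $allow

$acl = Get-Acl -Path $RegPath
# SetAccessRule replaces any existing Allow rule for the same identity.
$acl.SetAccessRule($rule)
# The ACL object is only a copy; the key changes when Set-Acl writes it back.
Set-Acl -Path $RegPath -AclObject $acl

# Read the ACL back and flag FullControl left over for Users or Everyone.
$full = [System.Security.AccessControl.RegistryRights]::FullControl
$tooBroad = (Get-Acl -Path $RegPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.IdentityReference.Value -eq 'Everyone' -or
     $_.IdentityReference.Value -eq 'BUILTIN\Users') -and
    (($_.RegistryRights -band $full) -eq $full)
}
if ($tooBroad) { Write-Host 'FullControl is still granted to Users or Everyone' }
else { Write-Host 'ACL is limited to the intended rights' }
```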

 

 


Fix WPAD Vulnerability by Changing Host File with SCCM

It was a bit more difficult than I thought. Originally I was using compliance settings, but it didn’t work so well, so I went back to classic application deployment by SCCM.

Here is the detection method:

# WPAD Vulnerability Remediation Discover Script
# Rui Qiu
# v 2.0
# 4/5/2018
# Last edit: 4/11/2018

# Count the lines in the hosts file that mention wpad
$i = 0
$results = Select-String -Path $env:SystemRoot\System32\Drivers\etc\hosts -Pattern wpad
foreach ($result in $results)
{$i += 1}

# Write-Host $results
# Exactly two matching lines (wpad and wpad.corp.lan) counts as installed
if ($i -eq 2)
{Write-Host "Installed"}

 

Because some workstations are still on PowerShell 2.0, I have to use Hosts Commander to remove and add wpad entries.

Install-Module PsHosts
Remove-HostEntry wpad*

Add-HostEntry -Address 255.255.255.255 -Name wpad
Add-HostEntry -Address 255.255.255.255 -Name wpad.corp.lan

https://code.google.com/archive/p/hostscmd/

Here is the batch file command:

hosts.exe rem wpad*
hosts.exe add wpad 255.255.255.255
hosts.exe add wpad.corp.lan 255.255.255.255
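
A stricter form of the detection check, as an added example (not the author's script): counting lines that match wpad also counts comment lines and entries that point somewhere else, so this version parses the hosts file and requires both names to map to 255.255.255.255. It uses only PowerShell 2.0 syntax; the function name and the sample lines are constructed.

```powershell
# Added example. Names and address are the ones the page adds to the hosts file.
$ExpectedAddress = '255.255.255.255'
$ExpectedNames   = 'wpad', 'wpad.corp.lan'

function Test-WpadHostsEntries {
    param([string[]]$Lines)

    $blocked = @{}
    foreach ($line in $Lines) {
        # Strip comments, then split "address name [alias ...]" on whitespace.
        $text = ($line -replace '#.*$', '').Trim()
        if ($text -eq '') { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }

        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $key = $name.ToLower()
            if ($ExpectedNames -notcontains $key) { continue }
            # Any entry that sends a WPAD name to another address fails the check.
            if ($fields[0] -ne $ExpectedAddress) { return $false }
            $blocked[$key] = $true
        }
    }
    # Every expected name must be present.
    foreach ($name in $ExpectedNames) {
        if (-not $blocked.ContainsKey($name)) { return $false }
    }
    return $true
}

# Constructed sample hosts content; the comment line would inflate a plain match count.
$sample = @(
    '# wpad entries added by the remediation package',
    '127.0.0.1        localhost',
    '255.255.255.255  wpad',
    '255.255.255.255  wpad.corp.lan   # blocked'
)
$sampleResult = Test-WpadHostsEntries -Lines $sample

# Live check, same output convention as the detection script on the page.
$hosts = Get-Content "$env:SystemRoot\System32\Drivers\etc\hosts"
if (Test-WpadHostsEntries -Lines $hosts) { Write-Host 'Installed' }
```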


Rapid7 Insight Agent Update Fix Discover Script

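# Rapid7 Insight Agent Update Fix Discover Script
# Rui Qiu
# v1.1
# 4/3/2018

$folder = "C:\Program Files\Rapid7\Endpoint Agent"

if (Test-Path $folder)
{
    # config.json is read relative to the current directory
    $content = (Get-Content config.json | Where-Object { $_ -match "smart_ttl_start" })
    # echo $content
    # Match the setting regardless of indentation or spacing around the colon
    $key = '"smart_ttl_start"\s*:\s*128\s*,'
    # echo $key
    if ($content -match $key)
    {$Compliance = "Yes"}
    Else
    {$Compliance = "No"}
}
else
{
    # Agent not installed: nothing to fix, report compliant
    $Compliance = "Yes"
}

$Compliance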