Monthly Archives: June 2015

Maintenance Window types in ServiceWindowManager.log

Recently when troubleshooting some Maintenance Window issues for SCCM 2012 clients, I was watching the client log ServiceWindowManager.log

Each Maintenance Window has a type. For example I set a Maintenance Window for All Deployments.

mainwin1

You can see that this had Type=1.

If you are curious to see what other maintenance windows you may have set for the client, you can check out this link or look at the table below.

https://msdn.microsoft.com/en-us/library/jj155420.aspx

Value Service Window Type Description
1 ALLPROGRAM_SERVICEWINDOW All Programs Service Window
2 PROGRAM_SERVICEWINDOW Program Service Window
3 REBOOTREQUIRED_SERVICEWINDOW Reboot Required Service Window
4 SOFTWAREUPDATE_SERVICEWINDOW Software Update Service Window
5 OSD_SERVICEWINDOW OSD Service Window
6 USER_DEFINED_SERVICE_WINDOW Corresponds to non-working hours.

Execution Request for package Packname program Programname state change from WaitingContent to WaitingContent – SCCM 2007

In an SCCM 2007 environment I was having issues with a client getting a certain package.

When checking Execmgr.log the error showed was “Execution Request for package Packname program Programname state change from WaitingContent to WaitingContent – SCCM 2007″

This error was strange because the particular site where these machines were located were downloading packages without issues previously. I tried deleting the advertisement and re advertising the package but the same issue occured

I then checked the CAS.log and it showed “No matching DP Location found”

The CAS log got me to check out the boundaries, and there was the issue. Whoever set up the site did not add the correct boundary for this site or someone deleted a boundary. I am pretty sure it was to do with the IP Subnet boundaries.

Anyway once the correct boundary was added, I did a machine policy evaluation cycle on the client and the package started downloading fine.

Execmgr.log
Execution Request for package Packagename program Programname state change from WaitingDependency to WaitingContent
Content is available for program ProgramName.

Cas.log
Download completed for content Packagename under context System
Hash verification succeeded for content Packagename downloaded under context System

The packages then had no issues.

Wsyncmgr.log – Sync failed: The request failed with HTTP status 503: – SCCM 2012

I was told by a client that they were having issues synchronizing software updates using SCCM 2012.

The first thing I checked was the Wsyncmgr.log to find out what was going on. The Wsyncmgr.log showed “Sync failed: The request failed with HTTP status 503: Service Unavailable. Source: Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer”

On the SCCM 2012 server running the SUP role, I opened up IIS Manager, looked at the Application Pools and noticed that the WsusPool was set to “Stopped“. I started it again and thought it was fixed, but the client advised me that it had crashed again shortly later.

iisapp2

I checked Task Manager on the server and noticed that IIS Worker Process was using 1864.1MB of memory.

iisapp5

I then right clicked on the WsusPool back in IIS Manager, then Advanced Settings, and noticed that the memory limit was set to a lower ammount.

iisapp4

I increased this limit to 4GB to be safe, restarted the WsusPool and then the SUP was able to syncrhonize fine. The Wsyncmgr.log looked good and the problem never came back for the client.

Part 2 – Deploying Software Updates with Maintenance Windows – SCCM 2012

Part 2 of this post I will be creating a Software Update Group for all released Windows 8.1 Updates and deploy them to a Windows 8 client which is a member of a Collection with a Maintenance Window set.

Part 1 can be seen here if you missed it.

Once I create an all updates deployment group for a product, I would normally create the groups on a monthly basis for products. For example Patch Tuesday when Microsoft releases patches. I would create a software update group and deployment package for all Windows 8.1 updates called WIN_8_1_ALL today on June 21st, then create another Win_8_1_15072015 on 15th of July 2015 for the next lot of updates Microsoft releases.

Lets get started. In the Software Library, then Software Updates, then All Software Updates, I have specified the criteria (on far right side) to search for the Product = Windows 8.1 Updates. I will be adding all Windows 8.1 updates to a software update group.

sup16

Once I have created my Windows 8.1 Software Update Group, I will be download them to a Deployment Package. I right clicked on the newly created Software Update Group and clicked Download.

sup17

I have given the deployment package the same name as my software update group to make things easier, and specified the path to where I will download these software updates to.

sup18

I have used the default settings for the rest of the settings. The updates will now download. This will take a while. My all Windows 8.1 updates deployment package was around 5GB.

sup19

Once my Windows 8.1 deployment package has finished downloading, I have created a collection to prepare to deploy my Windows 8.1 updates.

I will be using Maintenance Windows in this example to make sure my Windows 8.1 client installs updates during the times I specified in my Maintenance Window.

After the device collection is created, I right clicked on the collection and went to the Maintenance Windows tab to create a new Maintenance Window.

sup20

I have created my schedule and applied my maintenance window schedule type to Software Updates.

sup21

I did a Machine Policy Retrieval & Evaluation Cycle on my Windows 8.1 and looked at the ServiceWindowManager.log in C:\Windows\CCM\Logs to verify that my client picked up the new Maintenance Windows.

sup27

I have now gone back into the SCCM 2012 console, back to the Software Update Group I created earlier and will now be deploying my Windows 8.1 updates group to the collection I created with the Maintenance Window.

sup22

sup23

I have made my deployment type to Required.

sup24

I have set the available time to 5:35PM and my deadline to 5:36PM. Once my client picks up the policy, the updates won’t install until my Maintenance Window of 6PM has been activated.

sup25

I have left these settings as is. I want my client to restart during the maintenance window.

sup26

I have selected the default settings for the rest and finished the deployment wizard.

On my Windows 8.1 client I have run Software Updates Scan Cycle and Software Updates Deployment Evaluation Cycle

sup28

I looked at the UpdatesDeployment.log on my client in C:\Windows\CCM\Logs and it said that it was waiting for the next maintenance window to start so it could install the updates. Once it hit 6PM which is the time of my maintenance window, the updates started installing.

Once all the updates have been installed on the client and the client has been restarted to apply the updates, I checked the Monitoring node, then deployments, then the Windows 8.1 deployment I created and I can see that my test Windows 8.1 client is now compliant.

sup29

Part 1 – Installing Software Update Point Role – SCCM 2012

This will be a 2 part series. The first part will involve installing the Software Update Point in SCCM 2012 on Windows Server 2012 R2. The Second Part will focus creating a Windows 8.1 Software Update Group and deploying that group to a Windows 8.1 machine using a Maintenance Window.

Lets get started.

Head into Add Roles and Features wizard and select the Windows Server Update Services role and click next

sup1

Select WSUS Services, I have unticked WID Database and have chosen to use my SQL database which is hosting my SCCM 2012 Database.

sup2

Enter a path. I have created a folder on my drive called WSUS and shared it.

sup3

I have entered in the name of the SQL server in my lab (I am using default instance)

sup4

Click install.

sup5

Click Launch Post-Installation tasks

sup6

Once post installation tasks have finished, click on tools then select Windows Server Update Services

sup7

Click Cancel here

sup8

WSUS is now installed. Lets go back into the SCCM 2012 console and add the SUP role.

sup9

Select the Software Update Point

sup10

I have chosen use ports 8530 and 8531 because I am using Windows Server 2012 R2

sup11

I have skipped proxy and account settings. I am syncrhonizing from Microsoft Update.

sup12

Select the schedule you would like to synchronize WSUS.

sup13

I have left the Supercedence rules, Classifications, and Languages as default. I have also selected Windows 8.1 for the Products. You can set these later if you like in the Administration node. Here is a screenshot if you would like to configure any SUP settings later.

SUP13.1

sup14

To check if installation was successful, you can view the SUPSetup.log

You should be able to see metadata in the All Software Updates section. You can also synchronize the updates from here as well.

sup15.1

You can view the synchronizing status by looking at the wsyncmgr.log to see the progress or any errors.

sup15

ERROR DPConnection::ConnectRemoteIISManagementWMI() – Failed to connect to DP.domainname.com error = 0x8004100e

I noticed packages were not distributing to one of the Server 2012 R2 SCCM 2012 distribution points. The packages had failed. When checking the distmgr.log on the primary site it showed a few errors such as:

cWmi::Connect() failed to connect to \\DP.domainname.com\root\MicrosoftIISv2.2. Error = 0x8004100E

ERROR DPConnection::ConnectRemoteIISManagementWMI() – Failed to connect to DP.domainname.com error = 0x8004100e

WMI2

For some reason IIS 6 WMI Compatibility was not installed on the distribution point. Once installed, I did an iisreset, redistributed the packes and I could see the packages distributing in distmgr.log

Here is a screenshot of it once it is installed:
WMI1

SCCM Software Updates: 0x800B0004 – The subject is not trusted for the specified action

I noticed some third party updates were not being installed by clients when being deployed as a Software Update from SCCM 2012. SCUP System Center Updates Publisher (SCUP) is being used to push out third party updates to clients.

When checking the compliance for the deployment in the Monitoring node then Deployments, the “Error” tab for the deployment showed “The subject is not trusted for the specified action” with a error code of 0x800B0004.

FlashFailed

0x800B0004 error is related to a certificate issue. In my case, the WSUS SCUP certificate had expired on the client computers which meant they would not install Software Updates published from SCUP. Checking MMC on my machine and adding certificate manager, I took a look at the Trusted Publishers and the certificate was there and expired. Once the certificate was updated and Software Update Deployment evaluation policy was run, my SCCM client started to download the third party updates and install them. This also happened on other client workstations once the new certificate was applied.

For more informationr regarding SCUP (System Center Updates Publisher) certificates, take a look at https://technet.microsoft.com/en-us/library/hh134732.aspx

PXE image failing – SCCM 2007 to 2012 migration

While in the middle of doing an SCCM 2007 to SCCM 2012 migration, my SCCM 2012 PXE Task Sequences would fail after the image had applied and the client was downloading and installing additional applications.

First thing I did before the image failed was to press F8 to load up a command prompt, then type in CMTrace so I could view the logs easily.

The log of interest was the cas.log which told me that the machine was unable to find any distribution points when locating the software. I knew the boundary was correct and that the boundary group was correct also.

The number of discovered DPs(including Branch DP and Multicast) is 0

Anyway, I double checked the boundary groups in SCCM 2012 and noticed that the SCCM 2007 running migration jobs automatically created a boundary group for the SCCM 2007 distribution point and assigned the boundaries I was using to it. This caused my clients unable to locate software to download and install additional programs.

I had migrated everything I needed from 2007 to 2012, so I simply stopped the 2007 migration job and deleted the automatically created 2007 boundary groups.

I then reimaged the machine and the cas.log looked good and could find the distribution point it needed to download the additional software for the Task Sequence.

Clients failing to download Windows updates – Group policy settings were overwritten by a higher authority

I was facing an issue where every SCCM 2012 client at a certain site would not download Windows updates from the SUP on the SCCM 2012 server.

First thing I checked was the C:\Windows\CCM\Logs\WUAHandler.log on the client.

Reading WUAHandler.log in CMTrace I saw:

Enabling WUA Managed server policy to use server: http://servername.domain.com:8530 WUAHandler 20/05/2015 12:05:39 PM 6628 (0x19E4)
Waiting for 2 mins for Group Policy to notify of WUA policy change… WUAHandler 20/05/2015 12:05:39 PM 6628 (0x19E4)
Group policy settings were overwritten by a higher authority (Domain Controller) to: Server servername.domain.com:8530 and Policy ENABLED WUAHandler 20/05/2015 12:05:41 PM 6628 (0x19E4)
Failed to Add Update Source for WUAgent of type (2) and id ({03C8F032-8F2F-4821-9359-A1732F6F7A9D}). Error = 0x87d00692. WUAHandler 20/05/2015 12:05:41 PM 6628 (0x19E4)
Its a WSUS Update Source type ({03C8F032-8F2F-4821-9359-A1732F6F7A9D}), adding it. WUAHandler 21/05/2015 1:08:23 PM 6312 (0x18A8)

What was happening was the SCCM agent was trying to set the server to get the updates from http://servername.domain.com:8530 but there was a group policy set which overrides the SCCM setting, and was changing the location to servername.domain.com:8530. Notice the difference? The group policy was set without the http://

I found the incorrect setting in group policy and added the http:// to the link, did another “Software Updates Deployment Evaluation Cycle” on the client and all the updates started flowing through for all machines.

WDS service unable to start

I have had a few issues with the WDS service not starting on some of my distribution points.

One server was easily fixed by checking and fixing the permissions for the SYSTEM account for the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 folder.

It needed to have Full Permissions to start. For some reason the permission was removed which caused the service to fail each time I started to fix it.

WDS

Another time I had this issue, it turned out to be a corrupt SQL computer account in the SCCM SQL database.

Each time I tried to start the WDS service under the System Account it would generate Failure Audit alerts in the Application Log:

Event Type:    Failure Audit
Event Source: MSSQLSERVER
Event Category:          (4)
Event ID:         18456
Date:               3/12/2015
Time:               1:00:00 PM
User:               Domain\ComputerAccount$
Computer:       SCCMDB
Description:
Login failed for user ‘Domain\ComputerAccount$’. [CLIENT: x.x.x.x]

I removed the login for ComputerAccount$ from the SQL Management Studio and re-created it with the same permissions and the WDS service can now start.