So whats this thing about Broswer Choice to start with ? Well you can read more about it here.
So if you would like to block this behaviour like most enterprise organisations want to do. There is a way to block that this updates comes into play. You simply just need to add a registry value to your machines. If the registry key is present the users will not experience the Browser Choice experience on that machine.
Registry key: HKEY_LOCAL_MACHINESoftwareBrowserChoice
Value Name: Enabled
Value Type: DWORD
Possible Values: 1 Display browser choice update
0 Do not display browser choice update
There are different ways of adding it , choose the method that suites your environment best.If you just want to test it on your own machine simply run this command , and verify that the reg value is there.
reg add HKLMSoftwareBrowserChoice /v Enable /t REG_DWORD /d 0×00000000 /f
So what machines will this update be displayed on? It will be targeted to machines with the corresponding regional settings as European Union and is a Client OS so it wont be deployed to servers.
If you want to use the lastLogontimeStamp value in Config Mgr reports its fully possible. The value will give you a date when your machine last was in contact with your Active Directory with some modifications, In fact the date will be between 9-14 days behind the actual date with default settings. But at least it gives you a hint on your clients activity. More about the value here: http://blogs.technet.com/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx .
So first you need to collect the value this is possible to do with your system discovery task. All we need to to is to configure an extra attribute to be collected “lastLogontimeStamp”.
Go to your discovery task and the Active Directory Attribute and add a new value lastLogontimeStamp, and press ok and at the next discovery the value will be collected.
The Value itself is is stored in INT8 se we need to convert the value to Date and Time when we Display it. My SQL Skills are note the best in the world so I asked my friend John to help me out and so he did. So for further references please read the blog post he wrote about it.
In my case I am on SQL 2008 so I did my function and used it in my query to get the machine name and the lastLogontimeStamp in my Report.
Function to Convert Int8 to Date Time
CREATE FUNCTION dbo.udf_Int8_to_DateTime(
RETURN (DATEADD(mi,@Int8 / 600000000 + DATEDIFF(Minute,GetUTCDate(),GetDate()),CAST(’1/1/1601′ AS DATETIME2)))
SQL Report to get Machine Name, Usaername and Last AD Contact using the function created in the previous step.
SELECT v_R_System.Name0, v_R_System.User_Name0, CAST(dbo.udf_Int8_to_DateTime(v_R_System.LastLogonTimeStamp0) as varchar(11)) as LastADContact
ORDER BY LastADContact asc
This has been tested on SQL 2008, but you should always test on lab systems before moving any code to production. This is released “AS IS” and confers no rights.
Sometimes you want to exclude certain folders or drives from beeing scanned to have a clean Inventory, an example you may not want to scan a server with large volues for data like home directories or the IT department Install library. This causes both load on the server /client having the drive and it causes you to get this information into the database and you need to handle it in your reports.
Simply do like this
- Create a file named skpswi.dat
- Add the attribute hidden
- Put it in the folder/drive you would like to exclude from Software Inventory
More is to be found here: http://technet.microsoft.com/en-us/library/cc180976.aspx
Sometimes you need to reset the Windows update Agent to get it working like it should. If you haven’t updated to the SP2 version of WSUS i strongly recommend doing that on your Software Update Point as allot of fixes where released in that Service Pack. Below is a set of commands you can use to reset a Windows update Agent, the easiest way is to save the commands in a bat file and launch it on your XP clients in proffered way manually of with software distribution.
net stop bits
net stop wuauserv
Del "%ALLUSERSPROFILE%Application DataMicrosoftNetworkDownloaderqmgr*.dat"
Ren %systemroot%SoftwareDistributionDataStore *.bak
Ren %systemroot%SoftwareDistributionDownload *.bak
Ren %systemroot%system32catroot2 *.bak
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
cd /d %windir%system32
netsh reset winsock
net start bits
net start wuauserv
Is it possible to just download the prerequsites on forehand if you dont have Internet access on the server where you intend to install Configuration Manager.
Yes you can , you need to use the command without the quotes “MEDIAPATH:SMSSETUPBINI386setup.exe /download drive:path”
Make sure the folder you download to is created before you execute the command otherwise it will not launch.
I just got the question on what rights the domain join account needs. So here it is.
First of all you need to create an account for it in this example I named min svc-sccm-domainjoin and then locate the OU where your computer accounts will reside in. And then right click on it and set the security rights.
First you need to set the following rights on the OU and with the setting Apply to: This object and all descendant objects.
- Create Computer Object
- Delete Computer Object
After that you need to add the following rights with the setting apply to: Descendant Computer objects.
- Read All Properties
- Write All Properties
- Read Permissions
- Modify Permissions
- Change Password
- Reset Password
- Validated write to DNS host name
- Validated write to service princ
When using software Updates with Configuration Manager you may want to deploy a new WU Agent to your machines for several reasons. WUA might cause all kinds of problems with client scanning and deployment. So my recommendation is to keep the WU Agent up to date. It’s not all times the clients update the agent by itself so therefore you will see a manual way of deploying it in this article.
After that you need to create a package with the source files and distribute it to your DPs.
You also need to specify a program for the package I use this syntax for my x86 platform as I don’t want to force a restart and hide it from the end user.
- Download the wuredist.cab from this url http://update.microsoft.com/redist/wuredist.cab
- When you have downloaded the file you need to extract and open the wuredist.xml file.
- In the file you should look for the download source for the different platform agents. Below I have listed the current once but it will change as time go by.
You also need to create a collection for your machines to target an example query could be the following. With this query all active non obsolete clients that doesn’t have WUA 7.2.6001.788 will be listed. Make sure you have not like or like otherwise the version handling won’t work.
WindowsUpdateAgent30-x86.exe /WUForce /quiet /norestart
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_WINDOWSUPDATEAGENTVERSION on SMS_G_System_WINDOWSUPDATEAGENTVERSION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_WINDOWSUPDATEAGENTVERSION.Version not like "7.2.6001.788" and SMS_R_System.Client = 1 and SMS_R_System.Obsolete != 1 and SMS_R_System.Active = 1
7. After this you need to create a advertisement to deploy to the collection and follow your deployment in the reports.
How do I get more than 2000 results in my WQL queries ?
To set the amount of results returned in Configuration Manager you can right click and choose properties on the Query Object. This is a new method instead of doing it via changes in the Registry like in the previous versions.
1. Right click and choose properties.
2. Type in your preferred value and press OK.