Unified physical and virtual IT management for midsized businesses
An update has been released to resolve issues where System Center Essentials updating Windows 7 SP1- based computers with locally published content may fail with error 0x80070570. Please refer to http://support.microsoft.com/kb/2607070 for more details and download.
This hotfix is expected to be installed individually on all Win7 SP1 machines which are managed by SCE server. However, you can use Software Deployment’ feature in SCE Server to deploy these packages on all Win7 SP1 machines in a single go. Please see "How to Deploy" section below.
Command line parameters for the Package -
These are the command line parameters available for WindowsUpdateAgent30-x86 (KB2607070).
This option helps you to deploy the hotfix on Win7 SP1 machines from SCE server itself in an unattended way.
How to Deploy
Install directly on all Win7 SP1 machines which are managed by SCE server
This is a straight forward install of any typical Microsoft hotfix. You can download the package and launch WindowsUpdateAgent30-x86 (KB2607070) on Win7 SP1 client systems in your SCE environment. Installer will prompt for a reboot if installed in an attended mode. If you use /quiet, it will not prompt for a reboot but then you would need to reboot the system in order to get the patch applied and functional.
What will happen when you use Default Deployment Procedure in SCE using ‘Software Deployment’ feature?
Kindly refer to this TechNet link for additional details on how to create and deploy software packages.
If you install using DISM mechanism as explained below in the blog, you won't encounter these issues and you can overcome them. However, patch gets deployed correctly with an explicit reboot if you follow default flow of local publishing and deploying the package from SCE console. To do that,
3. Please download KB2607070 locally onto your machine from download center.
4. In the New Software Package Wizard provide the path to WindowsUpdateAgent30-x86.exe in the textbox under “Deploy a package from stand-alone setup file” option and click “Next”.
5. Provide package name and package description in the next page of the wizard and click Next.
6. Apply necessary settings in the Target System Types page and click next
7. In the “Install/ Uninstall Parameters” page for quiet installation provide “/quiet” switch in the “Installation Parameter(s)” and click next
8. Click Create button in the Summary page, this creates a package.
9. Select appropriate group of computers in Add and Remove Approvals wizard and click ok, by default Win7 SP1 clients will be listed under “All Windows Client” group.
With these steps, you have published the package for managed Win7 SP1 machines. Now these Win7 SP1 machines can have the published WindowsUpdateAgent30-x86.exe (KB2607070) package available in the Windows Update window.
Admins can set a deadline and this hotfix would be pushed on the user systems even if they don’t install it explicitly. (See highlighted below)
Within few minutes of a specified deadline when package offering is complete, please reboot individual Win7 SP1 systems.
Otherwise, users on managed computers can always install the hotfix on the system before the deadline by obeying the below steps-
3. Select the update deployed on the SCE server and click OK.
4. Click Install Updates button.
5. This will install the update on the client machine by closing the Windows Update client window.
6. We need to restart the client machine for this update to get affected.
Installation using DISM (Deployment Image Servicing and Management) -
* This is based on approach proposed by LGS on SCE TechNet Forum*
You can use an open source tool called RunIt.exe where as DISM is available in system32.
4. Click OK when extraction is complete.
5. Create an empty folder (WUA Update) on desktop.
6. Download runit.exe from web and copy it to newly created WUA Update. Move/Copy 'extracted' folder to WUA Update.
7. Open System Center Essentials.
8. Go to "Software" Click on the “New Package” under “Software Packages” section in “Tasks” pane.
9. Select the “Deploy a package from a setup file requiring additional folders” radio button in the New Software Package Wizard.
10. Provide the Folder Location by browsing to the folder WUA update. Click Ok.
11. To provide the Package setup file, click Browse beside package setup file text box.
12. Select RunIt.exe and click Open. Click Next in the wizard
13. Provide Package Name and Package Description and click Next.
14. Select appropriate target system types as mentioned below and click Next.
15. Map 3010 return code with Success With Reboot, by providing details(Code and Value) and clicking on Add.
16. Click Next.
17. Provide the installation parameters as mentioned below and click Next.
Install Parameters are - /L dism /Online /Add-Package /Packagepath:extracted /quiet /norestart.
Internally Windows update triggers following command. RunIt.exe /L dism /Online /Add-Package /Packagepath:extracted /quiet /norestart
RunIt.exe : invokes the exe file specified after parameter “/L” with the remaining parameters(/Online /Add-Package /Packagepath:extracted /quiet /norestart)
Dism: it is an exe file provided by Windows used for Servicing and management of Deployment image.
Online: Specifies that the action is effect on current windows running image Add-Package: adds the packages specified by PackagePath parameter to the Image /quiet and /norestart: these parameters will be used by the package while install happens on next reboot.
18. Click Create on summary page.
19. Package Creation would get progressed and then click Finish.
20. Add and Remove Approvals window appears. Select appropriate options in this window and click Ok.
21. Within few minutes after the deadline exceeds, you would observe a restart prompt on your machine.
At the Dynamics Convergence 2010 conference I mentioned to several people that it is possible to create a dynamic group based on whether a piece of software is installed or not but I never went into the details of how to do it. This posting describes how to create a group for a particular piece of installed software (Microsoft Office 2003 Web Component for the purpose of illustrating the process).
Creating a group based on if software is installed is helpful for approving new versions of software for installation (e.g. you want to upgrade from version 2 to version 3),
There is a three step process to create a dynamic group based on if a software application is installed:
The first step is to create an attribute that we can use to evaluate whether a computer has a piece of software installed or not. This can be based on either a registry key or WMI query. If you have a choice between using a registry key or a WMI query, opt for a registry key – the lookup process is more efficient.
You can use any registry key or WMI query. For this blog, since I am looking for a 32bit application installed on a 64bit computer, I’m going to use a registry entry under
If I was searching for a 32bit application on 32bit computer (or a 64bit application on a 64bit computer) then I could look in:
I’m using the above registry key location since it tends to be a reliable way to determine which software is installed. In the above registry locations will be any currently installed software that has an uninstall program or feature.
To create an attribute:
We have now created an attribute, whose value will be collected every 12 hours from each Windows Computer managed by Essentials.
Now that we have an attribute, we can use the attribute to define a group whose membership will change based on whether the value of the attribute is true (i.e. Office 2003 Web Components are installed).
To create the Managed Group:
We have now created a group whose membership is controlled by the value of the attribute defined earlier. In our case, we now have a group for all computers with the Microsoft Office 2003 Web Component installed.
Managed groups do not show in the Computers workspace by default. Our final step is to add the group we created in the previous step into the Computers workspace, where it will then be available for approving software and updates.
You now have a computer group whose membership will change depending on the software installed on the computers managed by Essentials.
By saving the attributes and group definitions in their own management pack you can export and share your software groups with other people. You can also export the management pack and manually edit it (its XML) if you want to create multiple groups without stepping through the wizards.
Before you create lots and lots of groups, it is important to know that we’ve tested Essentials 2010 to be able to handle up to 100 computer groups. While the process above will also work with Essentials 2007, we are aware of scale issues that can cause group synchronization to stop working in Essentials 2007 when there are around 30 groups (for some people the number is higher, for others it is lower).
If you've used Essentials 2007, you noticed that it monitored Windows, Exchange, SQL and Active Directory 'out of the box.' Essentials is able to do this because it come pre-loaded with management packs that encapsulate knowledge for how to monitor these applications. If you wanted to monitor additional applications, you needed to import a new management pack to monitor the application. Management Packs are available from a catalog, just recently moved to Microsoft Pinpoint.
In Essentials 2010, we added a feature to help you understand which management packs are needed to monitor the applications and operating systems in your environment. We call this feature 'Monitoring Configuration'. The feature detects applications installed or used in your environment, and then recommends that management packs are imported to monitor these applications. Recommended management packs are determined by detecting applications that are installed in the Essentials server domain using Active Directory LDAP queries and OpsMgr SDK interrogations.
When Essentials 2010 ships, it will include the ability to detect and import management packs for these applications:
Here’s a screencap of the Monitoring Configuration dialog recommending import of the Hyper-V and DPM management packs. Clicking the ‘Import’ button will import these packs, and any dependencies, and configure Essentials to start monitoring these applications.
You’ll also notice there are two options to be configured.
Automatic Discovery of new monitoring – this option configures Essentials to scan once a day for new applications installed in your environment that are not already monitored. If a new application is detected for which a management pack is not imported and available, you will be notified via a banner in the Computer workspace. Do not notify about MPs that I chose not to import – this option allows you to configure Essentials not to recommend management packs that you have chosen not to import. You can still import these recommended packs in the future; you just won’t be notified about them.
Microsoft can update the list of detectable applications and operating systems in the future through product updates, so that as new management packs are released, you’ll know that they are available and recommended,
One last topic; management packs are frequently updated. To help you know when there is an updated management pack available via the management pack web service. The screenshot above shows Essentials checking for updated packs.
When packs are available, click the link which launches the ‘MP Import’ wizard. Then select to obtain packs from the ctlalog. Lastly, select ‘Updates available for installed management packs’ in the View drop down to see packs that are newer version of packs that are already imported in Essentials.
We’d love to hear your feedback on this future – drop us a note through our forums: http://social.technet.microsoft.com/Forums/en-US/systemcenteressentials/thread/d9924697-120f-4a33-b945-28ddab7434e4
Essentials 2010 uses up to three agents to manage computers:
I'll focus this article on troubleshooting the deployment of the Operations Manager agent using the Computer and Device Management Wizard (aka Discovery Wizard), the most common agent deployment mechansim, explain how the Windows Update agent is configured once the Operations Manager agent has been installed, and close with an explanation of the backup agent deployment mechanism we introduced in Essentials 2010 RC.
Before the Operations Manager agent can be deployed to a computer, it first must be discovered. This is accomplished using a LDAP search against Active Directory. Check out this OpsMgr blog article for a deep dive into the discovery process: http://blogs.technet.com/momteam/archive/2007/12/10/how-does-computer-discovery-work-in-opsmgr-2007.aspx
Essentials also includes scheduled 'Computer Discovery' which performs the LDAP scan on a daily schedule, discovering new un-managed computers, and attempting to deploy the OpsMgr agent to these newly discovered computers.
Once a computer has been discovered, Essentials deploys the agent by copying over the agent installation files and starting the momagentinstaller process.
You can view the agent deployment status in the task window that is displayed from the Discovery Wizard, by looking through the Task Status view in the Monitoring space, or by checking to see if the computer is in the Managed Agents or Pending Actions view in the Administration space.
Agent Deployment Failures
If deployment of the OpsMgr agent has failed, you will see the failure messages in the Task Status window or Pending Actions view. Check ou this great resource from OpsMgr MVP Cameron Fuller which contains many of the agent installation failure reasons and how to resolve them: http://cameronfuller.spaces.live.com/blog/cns!A231E4EB0417CB76!928.entry
Windows Update Agent configuration
Once the Operations Manager agent has been deployed to the computer and has succcessfully contacted the Essentials server, the Windows Update agent is configured to be controlled by the Essentials server. If Essentials has been configured to use domain group policy, this occurs by adding the AD computer account for the computer into the 'SCE Managed Computers <management group>' security group in AD, which grants the computer the 'Apply GPO' privilege to 'SCE Managed Computers <management group>' GPO which includes the configuration settings that will cause the agent to be configured. If Essentials has been configured to use local group policy, a runtime task will use the SCECertPolicyConfigUtil.exe (installed with the OpsMgr agent installation files) to configure the local GPO on the managed computers, again applying settings that will configure the Windows Update agent.
Backup Agent Deployment
New in Essentials 2010 RC is a backup agent deployment process that kicks in if Essentials is configured to use domain group policy and OpsMgr agent deployment has failed. The process uses both Group Policy and the ability of Essentials to distribute software to install the Operations Manager agent after first configuring the Windows Update agent on the computer for which agent deployment has failed. This process happens in the background; you'll know that its working when a few hours have passed after agents failed to deploy and they have 'automagically' been installed on the same computers.
We hope that you experience a trouble-free agent deployment experience in Essentials 2010 and start to get a ton of manageability from it very shortly after installation!
The monitoring capability within Essentials comes from Management Packs, and the majority Management Packs that work with Operations Manager also work with Essentials. This is great, because it means there is a wealth of deep monitoring that is available for Essentials.
During the Beta and RC period we’ve had lots of great feedback (please keep it coming), and some of this feedback has focused on the monitoring capabilities provided by Management Packs. This post covers the common feedback, and configuration changes to improve the monitoring experience for the following management packs:
There is an issue with the Windows 7 Client OS MP that will generate errors after the initial import of the management pack. You are likely to see 4 alerts that are very similar. You can dismiss the alerts and they should not reappear. The 4 alerts you are likely to see will all start with:
OleDb Module encountered a failure 0x80040e37 during execution and will post it as output data item. : Invalid object name
and then have one of the following:
These issues may be fixed in a future release of the Windows 7 Client Operating System Management Pack. When an updated version of a management pack is available you will see a yellow notification bar at the top of the Computers workspace in the Essentials console.
By default, if you attempt to view CPU Performance, Processor Queue Length or Memory in the Computers workspace for computers running XP, Vista or Windows 7 the graphs will be empty.
To show information for Client Computers you will need to enable the following rules for each OS:
To enable collection of these performance counters:
More information is in the Management Pack Guide.
By default, the Microsoft Exchange 2007 Management Pack will not automatically discover any Exchange 2007 Server roles, and no monitoring is distributed to Exchange 2007 servers.
Initially, the only discovery that runs automatically is called the Exchange 2007 Discovery Helper Discovery. It is a lightweight registry discovery that runs on all Windows servers. Its only purpose is to discover Exchange 2007 servers in your environment without actually starting monitoring.
To verify that Discovery Helper has discovered your Exchange 2007 servers
If no Exchange 2007 servers are discovered, you might want to make the discovery run more frequently than the default. You can change the frequency of the Exchange 2007 Discovery Helper Discovery in Object Discoveries located under Authoring in the Operations console.
To enable Exchange 2007 Server Role Discovery
Exchange 2007 CCR Clustered Mailbox Server Role Discovery
Discovers CCR and SCC clustered Mailbox servers
Exchange 2007 CCR Node Role Discovery
Discovers CCR node servers in a CCR cluster (the physical nodes)
Exchange 2007 Standalone CCR Node Discovery
Discovers standalone CCR node roles (nodes that are participating in log shipping but are not part of an active Mailbox server) and standalone mailbox roles
Exchange 2007 CAS Role Discovery
Discovers Client Access server roles
Exchange 2007 Hub Transport Role Discovery
Discovers Hub Transport server roles
Exchange 2007 Edge Role Discovery
Discovers Edge Transport server roles
Exchange 2007 UM Role Discovery
Discovers Unified Messaging (UM) roles
For example, to enable discovery of all Hub Transport servers, right-click the Exchange 2007 Hub Transport Role Discovery and select Overrides\Enable the Object Discovery\for all objects of type Exchange 2007 Discovery Helper. If you want, you can choose to discover servers using a group (containing Exchange 2007 Discovery Helper instances) or a single instance of Exchange 2007 Discovery Helper. It is also possible to use a group containing the computer objects of the Exchange servers.
More information is in the Management Pack Guide and also on the Operations Manager blog.
Importing the Exchange 2010 Management Pack on the Release Candidate of Essentials 2010 will cause the following alert to be generated:
Critical hotfixes required for reliable operation of the Exchange Server 2010 and other management packs are not installed on this server. Please see the appropriate KB article for more information, and to download the required hotfix.
The hotfixes referred to by this alert are included in the released version of Essentials 2010.
These updates resolve issues affecting state rollup using dependency monitors. These updates allow the Exchange Server 2010 Management Pack to accurately monitor whether Exchange databases are mounted. Without these updates you are also likely to see inaccurate availability reporting.
If desired, you can disable this alert:
This is only a temporary workaround for use with the RC and should be reverted when upgrading to the RTM version of Essentials 2010.
More information is in the Management Pack Guide
A number of workflows in the SQL Server 2008 Management Pack run scripts, which rely on SQL Data Management Objects (SQL-DMO) to query information from the SQL Server. SQL-DMO is now deprecated and is not shipped as a part of SQL Server 2008. Every system with SQL Server 2008 that will be monitored must have SQL-DMO installed from the Microsoft SQL Server 2005 Backward Compatibility Components.
To install SQL-DMO on computers running SQL Server 2008:
These issues may be fixed in a future release of the SQL Server 2008 Management Pack. When an updated version of a management pack is available you will see a yellow notification bar at the top of the Computers workspace in the Essentials console.
If you are using the Express edition of SQL (installed by Essentials) you will see the following errors:
Warning Service Check Data Source Module Failed Execution
Warning Service Check Probe Module Failed Execution
Both errors will mention the following workflow:
Workflow name: Microsoft.SQLServer.2008.DBEngine.FullTextSearchServiceMonitor or
Workflow name: Microsoft.SQLServer.2005.DBEngine.FullTextSearchServiceMonitor
This will happen on any system that has SQL installed without the Full Text Search Engine. You can apply an override on that monitor to disable it for the systems that don't have that service installed.
To disable these monitors, perform the following steps: