The System Center Configuration Manager team would like to announce that the following has been Released To Manufacturing (RTM).
Download an evaluation version of ConfigMgr07 R2 from Microsoft Download Center.
Your contributions have been instrumental in this release and we encourage you to continue your participation in the Configuration Manager TechCenter Community Page (http://technet.microsoft.com/en-us/configmgr/bb625749.aspx) where you can continue to find technical information, links for downloads, and to participate in online discussion forums.
On the Microsoft Connect site, you can also participate by submitting Bugs and Design Change Requests through the feedback links. As always your feedback is important for all System Center Configuration Manager products.
NOTE: The R2 Evaluation version requires the SCCM site to be running the SCCM SP1 evaluation version. R2 will not install on a full SP1 site and you may receive an error:
“You can only install on an SCCM SP1 evaluation installation"
The SCCM admin console does not support configuring the Software Update Point WSUS servers to use basic proxy authentication. One could run the WSUS administration console and enable basic proxy authentication, but SCCM will overwrite those settings. The following workaround will allow for basic proxy authentication on a SUP server:
1. Stop Site Component Manager and SMS Executive on the SCCM server.
2. Go to WSUS and enable basic proxy authentication.
3. Go to <SCCM Install Dir>\inboxes\sitectrl.box and make a backup of the sitectrl.ct0 file.
4. Edit with Notepad sitectrl.ct0 and look for a section similar to this one:
BEGIN_SYSTEM_RESOURCE_USE
RESOURCE<Windows NT Server><["Display=\\Server\"]MSWNET:["SMS_SITE=PS1"]\\Server\>
ROLE<SMS Software Update Point>
PROPERTY <UseProxy><><><1>
PROPERTY <ProxyName><><proxyname><0>
PROPERTY <ProxyServerPort><><><80>
PROPERTY <AnonymousProxyAccess><><><0>
PROPERTY <AllowProxyCredentialsOverNonSsl><><><1>
PROPERTY <UserName><><SCMATRIX\SUMWSUSAdmin><0>
BEGIN_PROPERTY_LIST
<Objects Polled By Site Status>
<["Display=\\Server\C$\Program Files\Microsoft Configuration Manager\"]MSWNET:["SMS_SITE=PS1"]\\Server\C$\ Program Files\Microsoft Configuration Manager\>
END_PROPERTY_LIST
END_SYSTEM_RESOURCE_USE
5. Add the AllowProxyCredentislOverNonSsl line and save the file.
6. Restart Site Component Manager.
There is also a sample script here to perform these changes.
The Preload Package Tool (PreloadPkgOnSite.exe) is used to manually install compressed copies of software distribution package source files on Configuration Manager 2007 sites. After package source files are installed, a status message is sent up the site hierarchy indicating the presence of the new package source files. This avoids sites higher in the hierarchy from copying package source files over the network when distribution points at child site are selected to host software distribution package content that has already been preloaded on them.
The following feature enhancements have been made to the tool since it was released in the SMS 2003 Toolkit:
- SQL Server named instance support
- Administrator specified StoredPkgVersion value support
On my previous post I suggested the use of a collection and TranGUID.exe to clean up from the SMS database clients with duplicate GUIDs. Unfortunately tranguid.exe from the SMS 2003 Toolkit, does not generate a new GUID on SCCM clients running in Native mode. The tool does work on SCCM clients running in Mixed mode. At the time of this writing, there is no tool for SCCM that will force a Native mode client to get a new GUID. The best workaround to generate a new GUID on a Native mode client is to:
1. Delete the ...\%windir%\smscfg.ini file from the client.
2. Delete the client from SCCM.
3. Delete the SCCM certificate from the client.
4. Re-start the SMS Agent Host service on the client.
The above steps will force the generation of a new GUID on SCCM clients running in Native mode.
The short answer is no. There are two kinds of possible duplicate computer records in SCCM. The first one is machines with the same hardware ID. The hardware ID is unique to each computer and it is based on its hardware properties. CPU type, MAC address, memory, etc. are some of the properties used to determine the machine hardware ID. We could get conflicting records in SCCM when the OS is reinstalled on a computer. The client will get a new GUID from SCCM, but its hardware ID will remain the same. In this scenario we end up with two records in the database for the same computer. SCCM 2007 can detect and correct conflicting records automatically, or the administrator can choose to do it manually.
The second type of duplication is duplicate GUIDs. These are machines with different hardware IDs that share the same SMS Identifier or GUID. A common scenario that causes duplicate GUIDs is hard disk duplication or cloning. The auto correct conflicting records feature in SCCM will not detect or fix duplicate GUIDs. The best way to identify and fix duplicate GUIDs is by using the Managing Duplicate Globally Unique Identifiers in Systems Management Server 2003 white paper. Using the three queries documented in the white paper to create a collection and then target the collection with TranGUID, is a very easy procedure to fix clients with duplicate GUIDs. SCCM administrators should avoid duplicate GUIDs since among other things, they could affect the server performance when processing discovery and inventory data.
To summarize we could have:
1. Conflicting records – Records with the same machine ID
2. Duplicate GUIDs – Records with the same SMS Identifier or GUID
What is the purpose of this alert?
This alert is to notify you that Microsoft has revised security advisory 954474 – System Center Configuration Manager 2007 Blocked from Deploying Security Updates - on 17 June 2008.
Summary:
Microsoft has completed the investigation into public reports of a non-security issue that affects environments with all supported versions of System Center Configuration Manager 2007 that deploy updates to Systems Management Services (SMS) 2003 clients. Regarding this issue, Microsoft first published security advisory 954474 on Friday, June 13th 2008.
The revision to security advisory 954474 discusses the release of an update to correct this issue under Microsoft Knowledge Base Article 954474. Microsoft encourages customers affected by this issue to review and install this update.
Recommendations:
Please review Microsoft security advisory 954474 for an overview of the issue, details on affected components, suggested actions, frequently asked questions (FAQ) and links to additional resources. Review Microsoft Knowledge Base Article 954474 for more information on the update to fix the issue.
Additional Resources:
· Microsoft Security Advisory 954474 – System Center Configuration Manager 2007 Blocked from Deploying Security Updates - http://www.microsoft.com/technet/security/advisory/954474.mspx
· Microsoft Knowledge Base Article 954474 - System Center Configuration Manager 2007 Blocked from Deploying Security Updates - http://support.microsoft.com/kb/954474
· The Manageability Team Blog: http://blogs.technet.com/smsandmom/
· MSRC Blog: http://blogs.technet.com/msrc
Regarding Information Consistency:
We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Security Advisories posted to the web are occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in the web-based Security Advisory, the information in the web-based Security Advisory is authoritative.
If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.
Thank you,
Microsoft CSS Security Team
The Configuration Manager 2007 SP1 fix list KB article has been published.
You can find it at KB953649.
The short answer is, we can't. That does not mean that we don't have a way to update that package on the Branch Distribution Point (BDP), it just means that we can't refresh them. In SCCM refreshing vs. updating a package has different meanings. When we run the Manage Distribution Points Wizard and select the option to refresh a package on distribution points, we are asking the Distribution Manager service to use the existing compressed version of the package and extract it to the specified distribution points. This is true unless we used the always obtain files from source option on the package properties. When we select the option to update a package, we are asking Distribution Manager to get the files from the source directory, create a new compressed version of the package, possibly send the compressed version to child sites, and then extract the new version to the distribution points. If you are wondering when should we use a refresh vs. an update think about the following scenarios:
Scenario #1
There is a central site in your headquarters office (NY) with primary child sites on remote offices. Software packages are created on the central site. There is a slow WAN connection between the central site and the child sites. One of the child sites is in Dallas and has distribution points in Dallas, Austin, and Houston. There is a hard drive failure on the Houston distribution point and a new hard drive is installed. There is no backup of the hard drive that was replaced since it only contained SCCM packages.
Scenario #2
There is a central site in your headquarters office (NY) with primary child sites on remote offices. Software packages are created on the central site. There is a slow WAN connection between the central site and the child sites. One of the child sites is in Dallas and has distribution points in Dallas, Austin, and Houston. The signature files for the antivirus application used by the company got updated. We updated the package source files and now need to get those files to the distribution points.
In Scenario #1, we could use the refresh package on the Houston distribution point option. The central site server will send an instruction to distribution manager on the Dallas site to extract the local compressed version of the package to the Houston distribution point. This will save time and traffic across the WAN link. In Scenario #2, we need to get new files for a package to the distribution points. In that case we need a new version of the compressed package to be sent over the WAN to the child sites. Distribution Manager on the Dallas child site will get the new compressed package and will then extract it to its local distribution point and the the ones in Austin and Houston.
The above is a very simplified explanation of what happens behind the scenes and I am not going to get in the details of delta replication. That is because this blog is about BDPs, so lets get back on track. If we run the Manage Distribution Points Wizard the first thing we are going to find out if we try to refresh a package on a BDP is that they are not listed in the Wizard. There is no refresh option for the BDPs because distribution manager does not handle packages on BDPs. The BDP role is a client side role. The BDP gets machine policies that tell the client what packages to download and share. Let say that in scenarios #1 and #2 the Houston distribution point is a BDP. In that case the refresh will not work obviously because it is not an option in the admin console. On scenario #1, to get the packages back on the Houston BDP we would have to use update option. On scenario #2, we would also get the new signature files to the Houston BDP by selecting to update the package on the distribution points.
Want to test your SCCM 2007 knowledge? Then download the following quizzes…
System Center Configuration Manager 2007 Product Feature Quizzes
Overview
The System Center Configuration Manager 2007 User Assistance team has created a set of quizzes to help you assess your understanding of the dependencies and requirements for key features of Configuration Manager. These quizzes are intended to raise your level of awareness of the some of the nuances of these features before you configure and use them. They can also be used to help train other Configuration Manager administrators within your organization. Each quiz consists of 10 questions that can be answered Yes or No. Regardless of your answer, the quiz will display the correct information, and include one or more links to the corresponding related content located in the Configuration Manager 2007 Documentation Library located on the Configuration Manager TechCenter. We are testing the usefulness of this format, and ask for your feedback on the format and the content contained in each quiz. Please send feedback to SMSDOCS@Microsoft.com.
The following quizzes are available:
Configuration Manager 2007 Client Installation Quiz
Configuration Manager 2007 Client Management Quiz
Configuration Manager 2007 Client Site Assignment Quiz
Configuration Manager 2007 Desired Configuration Management Quiz
Configuration Manager 2007 Internet-Based Client Management Quiz
Configuration Manager 2007 Native Mode Quiz
Configuration Manager 2007 Network Access Protection Quiz
Configuration Manager 2007 Wake On LAN Quiz
New! - Configuration Manager 2007 Software Updates Operations Quiz
New! - Configuration Manager 2007 OSDeployment Quiz
New! - Configuration Manager 2007 What’s New Quiz
New! - Configuration Manager 2007 Software Updates Configuration Quiz
New! - Configuration Manager 2007 Mobile Device Management Quiz
New! - Configuration Manager 2007 Fundamentals Quiz
New! - Configuration Manager 2007 Client Roaming Quiz
New! - Configuration Manager 2007 Software Updates Interop Quiz
New! - Configuration Manager 2007 Setup Quiz
New! - Configuration Manager 2007 Software Distribution Quiz
A customer must have purchased the Microsoft Desktop Optimization Pack and be licensed to use SoftGrid 4.5. With the appropriate Softgrid client licenses, SoftGrid server infrastructure can be freely distributed and used throughout the customer’s hierarchy. The SoftGrid 4.5 client is required for the integration with SCCM.
Do you want an easy way to search the online SCCM 2007 documentation? You need to try the System Center Content Search gadget for the Windows Vista Sidebar.
The gadget is also good for searching the documentation of other System Center products.
If you had a custom report or a SQL query in SMS 2003 to find what machines installed an update or what machines were missing it, and you upgraded to SCCM, you probably found out that your report or query no longer works. This is because there are new tables in the SCCM database to store software updates information. SCCM does include reports for software updates compliance, but what if I want a quick SQL query or a custom report?
We can use the v_UpdateInfo to find updates data like their Bulletin ID, their KB article, their description, etc. We can also use the v_Update_ComplianceStatusAll view to find updates scan data, or the status of a specific update on your clients. The status for the software updates is a numeric field so let me translate them for you:
0 = Detection state unknown
1 = Update is not required
2 = Update is required
3 = Update is installed
So now that we have the views we need and the meaning of the update status values, we can write our own report or query. If I wanted to query SQL to find out all the clients that installed security bulletin MS07-064, the query will look something like this:
select Name0 as ComputerName
from v_R_System a
left join v_Update_ComplianceStatusAll comp on a.ResourceID=comp.ResourceID
join v_UpdateInfo ui on comp.CI_ID=ui.CI_ID
where comp.Status = 3 and ui.BulletinID = 'MS07-064’
If I wanted to know the clients missing that security bulletin I would change “where comp.Status = 3” to “where comp.Status = 2”.
