• WSUS: Script to delete the duplicate SUS client ID (SusClientId) created by disk imaging / disk cloning

    You might notice that some computers appear multiple times under Computers in the WSUS administration console and that some of them frequently disappear. This is caused by duplicate SUS client IDs: the SusClientId value that the Windows Update Agent uses to identify itself to WSUS was captured in the master image and is now shared by every machine deployed from it. (This is the WSUS client identity, not the Windows machine SID, which Sysprep handles separately.) The following script deletes the client ID values on a computer so that a new ID is generated. Run it as an administrator on each affected machine; the lasting fix is to generalize the image with Sysprep, or to run this script before capturing the image, so the ID is never cloned in the first place.

    Script Code

    ============================================

    @echo off
    Echo Save the batch file "AU_Clean_SID.cmd". This batch file will do the following:
    Echo 1.    Stops the wuauserv service
    Echo 2.    Deletes the AccountDomainSid registry key (if it exists)
    Echo 3.    Deletes the PingID registry key (if it exists)
    Echo 4.    Deletes the SusClientId registry key (if it exists)
    Echo 5.    Restarts the wuauserv service
    Echo 6.    Resets the Authorization Cookie
    Echo 7.    More information on http://msmvps.com/Athif
    Pause
    @echo on
    net stop wuauserv
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    net start wuauserv
    wuauclt /resetauthorization /detectnow
    Pause

    ============================================

    A new SusClientId is generated at the next detection cycle (the wuauclt /detectnow call above triggers one). Verify it afterwards with reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId once the client has contacted the server. On Windows 7 / Windows Server 2008 R2 and later the same key also holds a SusClientIdValidation value; delete it together with SusClientId.
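    The same reset as a PowerShell script, added here as an example and not part of the original page: it also removes the SusClientIdValidation value present on newer Windows versions, can run against several cloned machines over WinRM, and confirms that a new SusClientId was actually generated. It assumes PowerShell 3.0 or later, an elevated session, WinRM enabled on remote targets, and that the WSUS server and target-group settings are already applied by policy; the computer names are whatever you pass in.

```powershell
# Added example (not the batch file from the original page): reset the WSUS client
# identity on one or more machines and report whether a fresh SusClientId appeared.
# Assumptions: elevated session, PowerShell 3+, WinRM reachable on remote targets,
# WSUS server settings already applied by policy on every target.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$resetClientId = {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    # The three values the batch file removes, plus SusClientIdValidation, which
    # exists on Windows 7 / Server 2008 R2 and later and must go with SusClientId.
    $values = 'SusClientId', 'SusClientIdValidation', 'PingID', 'AccountDomainSid'

    $before = (Get-ItemProperty -Path $key -Name SusClientId -ErrorAction SilentlyContinue).SusClientId

    Stop-Service -Name wuauserv -Force
    foreach ($name in $values) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
    Start-Service -Name wuauserv

    # Reset the authorization cookie and request a detection cycle. wuauclt.exe is
    # what the batch file uses; the COM call is the supported equivalent on
    # Windows 10 and later, where wuauclt /detectnow no longer does anything.
    & "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow
    try {
        (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
    } catch {
        # A detection may already be running; that is fine.
    }

    # The new ID is written when the agent registers with WSUS; poll up to ~2 minutes.
    $after = $null
    for ($i = 0; $i -lt 24 -and -not $after; $i++) {
        Start-Sleep -Seconds 5
        $after = (Get-ItemProperty -Path $key -Name SusClientId -ErrorAction SilentlyContinue).SusClientId
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        OldId    = $before
        NewId    = $after
        Renewed  = [bool]($after -and $after -ne $before)
    }
}

$results = foreach ($target in $ComputerName) {
    if ($target -ieq $env:COMPUTERNAME) { & $resetClientId }
    else { Invoke-Command -ComputerName $target -ScriptBlock $resetClientId }
}

$results | Format-Table Computer, OldId, NewId, Renewed -AutoSize
# Rows with Renewed = False have not registered yet: check that the WUServer
# policy value is present on that machine and that it can reach the WSUS server.
```

    Run it once against every machine built from the affected image; two rows that end up with the same NewId mean the reset did not take on one of them and the image itself still needs to be cleaned.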
     
  • How to repair VSS in Windows 2008?

    NOTE: Backup your server first before you attempt the following action!

    Create and execute a batch file named FIXVSS08.BAT. Please note the following:
        - Run the batch file as Administrator (from an elevated command prompt).
        - This is only for Windows Server 2008, not Windows Server 2003.
        - After running the .bat file, reboot the server to bring all of the writers into a stable state.
        - Record the writer states with "vssadmin list writers" before and after, so you can tell whether the re-registration fixed the failing writer. A writer that is still Failed or Waiting for responses after the reboot usually points at its hosting service rather than at VSS itself.

    Copy and paste the following into Notepad, then click Save As and save it as FIXVSS08.BAT.

    rem FILENAME: FIXVSS08.BAT
    rem Stop the VSS stack and the services that keep writers registered.
    net stop "System Event Notification Service"
    net stop "Background Intelligent Transfer Service"
    net stop "COM+ Event System"
    net stop "Microsoft Software Shadow Copy Provider"
    net stop "Volume Shadow Copy"
    cd /d %windir%\system32
    rem vss and swprv are the short names of the two services stopped above;
    rem the two lines below are redundant but harmless.
    net stop vss
    net stop swprv
    rem Re-register the COM servers that VSS and its writers depend on (/s = silent).
    regsvr32 /s ATL.DLL
    regsvr32 /s comsvcs.DLL
    regsvr32 /s credui.DLL
    regsvr32 /s CRYPTNET.DLL
    regsvr32 /s CRYPTUI.DLL
    regsvr32 /s dhcpqec.DLL
    regsvr32 /s dssenh.DLL
    regsvr32 /s eapqec.DLL
    regsvr32 /s esscli.DLL
    regsvr32 /s FastProx.DLL
    regsvr32 /s FirewallAPI.DLL
    regsvr32 /s kmsvc.DLL
    regsvr32 /s lsmproxy.DLL
    regsvr32 /s MSCTF.DLL
    regsvr32 /s msi.DLL
    regsvr32 /s msxml3.DLL
    regsvr32 /s ncprov.DLL
    regsvr32 /s ole32.DLL
    regsvr32 /s OLEACC.DLL
    regsvr32 /s OLEAUT32.DLL
    regsvr32 /s PROPSYS.DLL
    regsvr32 /s QAgent.DLL
    regsvr32 /s qagentrt.DLL
    regsvr32 /s QUtil.DLL
    regsvr32 /s raschap.DLL
    regsvr32 /s RASQEC.DLL
    regsvr32 /s rastls.DLL
    regsvr32 /s repdrvfs.DLL
    regsvr32 /s RPCRT4.DLL
    regsvr32 /s rsaenh.DLL
    regsvr32 /s SHELL32.DLL
    regsvr32 /s shsvcs.DLL
    regsvr32 /s /i swprv.DLL
    regsvr32 /s tschannel.DLL
    regsvr32 /s USERENV.DLL
    regsvr32 /s vss_ps.DLL
    regsvr32 /s wbemcons.DLL
    regsvr32 /s wbemcore.DLL
    regsvr32 /s wbemess.DLL
    regsvr32 /s wbemsvc.DLL
    regsvr32 /s WINHTTP.DLL
    regsvr32 /s WINTRUST.DLL
    regsvr32 /s wmiprvsd.DLL
    regsvr32 /s wmisvc.DLL
    regsvr32 /s wmiutils.DLL
    regsvr32 /s wuaueng.DLL
    rem Let SFC verify, and if needed restore, the COM+ catalog DLLs.
    sfc /SCANFILE=%windir%\system32\catsrv.DLL
    sfc /SCANFILE=%windir%\system32\catsrvut.DLL
    sfc /SCANFILE=%windir%\system32\CLBCatQ.DLL
    rem Only COM+ Event System is started here; the remaining services come back
    rem with the reboot that the notes above require.
    net start "COM+ Event System"
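    Added example (not from the original page): a PowerShell check to run before and after the batch file. It parses the output of vssadmin list writers, flags writers that are not Stable / No error, and can restart the service that hosts a failed writer. It assumes English vssadmin output (the labels are localized on other system languages, so adjust the regular expressions on a Chinese server) and uses the commonly documented writer-to-service mapping, which is an assumption for any writer not in the table; the sample output at the end is constructed.

```powershell
# Added example (not from the original page): parse "vssadmin list writers" and
# report writers that are not Stable / No error, before and after the repair.
# Assumes English vssadmin output. The writer-to-service table is the commonly
# documented one; any writer missing from it is reported but not restarted.

$writerService = @{
    'System Writer'                   = 'CryptSvc'
    'WMI Writer'                      = 'Winmgmt'
    'Registry Writer'                 = 'VSS'
    'Shadow Copy Optimization Writer' = 'VSS'
    'COM+ REGDB Writer'               = 'VSS'
    'ASR Writer'                      = 'VSS'
    'BITS Writer'                     = 'BITS'
    'Task Scheduler Writer'           = 'Schedule'
    'MSSearch Service Writer'         = 'WSearch'
    'NTDS'                            = 'NTDS'
    'SqlServerWriter'                 = 'SQLWriter'
    'IIS Config Writer'               = 'AppHostSvc'
    'IIS Metabase Writer'             = 'IISADMIN'
}

function Get-VssWriterStatus {
    param(
        # Output lines of "vssadmin list writers"; defaults to running it live.
        [string[]]$Lines = (& "$env:SystemRoot\System32\vssadmin.exe" list writers)
    )
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match "^\s*Writer name:\s*'(.+)'") {
            if ($current) { $current }
            $current = [pscustomobject]@{
                Name      = $matches[1]
                State     = $null
                LastError = $null
                Service   = $writerService[$matches[1]]
                Healthy   = $false
            }
        }
        elseif ($current -and $line -match '^\s*State:\s*\[(\d+)\]\s*(.+)$') {
            $current.State = $matches[2].Trim()
        }
        elseif ($current -and $line -match '^\s*Last error:\s*(.+)$') {
            $current.LastError = $matches[1].Trim()
            $current.Healthy = ($current.State -eq 'Stable' -and $current.LastError -eq 'No error')
        }
    }
    if ($current) { $current }
}

function Repair-VssWriters {
    # Restart the hosting service of every unhealthy writer whose service is known.
    param([switch]$WhatIf)
    $bad = Get-VssWriterStatus | Where-Object { -not $_.Healthy }
    foreach ($w in $bad) {
        if (-not $w.Service) {
            Write-Warning "Writer '$($w.Name)' is $($w.State) ($($w.LastError)); hosting service unknown, reboot required."
            continue
        }
        if ($WhatIf) { Write-Host "Would restart $($w.Service) for '$($w.Name)'" }
        else { Restart-Service -Name $w.Service -Force }
    }
    Get-VssWriterStatus
}

# Constructed sample (not real output): one healthy writer and one failed writer.
$sample = @'
Writer name: 'System Writer'
   Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Instance Id: {0b3b4d5c-1111-2222-3333-444455556666}
   State: [1] Stable
   Last error: No error

Writer name: 'WMI Writer'
   Writer Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}
   Writer Instance Id: {7a7b7c7d-1111-2222-3333-444455556666}
   State: [8] Failed
   Last error: Timed out
'@ -split "`r?`n"

Get-VssWriterStatus -Lines $sample | Format-Table Name, State, LastError, Service, Healthy -AutoSize
# Live use after running FIXVSS08.BAT and rebooting:
#   Get-VssWriterStatus | Where-Object { -not $_.Healthy }
#   Repair-VssWriters -WhatIf
```

    Restarting the hosting service is the targeted fix for a single stuck writer; the batch file above is the broad one for when several writers are missing or VSS itself will not start.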

  • How to deploy SCOM agents to workgroup clients

    To configure the manual agent install settings

    1. Log on to the computer with an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 Management Group.

    2. In the Operations Console, click the Administration button.

    Note 

    When you run the Operations Console on a computer that is not a Management Server, the Connect To Server dialog box is displayed. In the Server name text box, type the name of the Operations Manager 2007 Management Server that you want the Operations Console to connect to.

    3. In the Administration pane, expand Administration, and then click Settings.

    4. In the Settings pane, expand Type: Server, right-click Security, and then click Properties.

    5. In the Global Management Server Settings - Security dialog box, on the General tab, do one of the following:

    To maintain a higher level of security, select Reject new manual agent installations, and then click OK. (With this setting the manually installed workgroup agents below will never show up; the management server silently drops them.)

    To allow manual agent installation, click Review new manual agent installations in pending management view, and then click OK. Each manually installed agent then waits in Pending Management until an administrator approves it, which is the control that stops an arbitrary host with a valid certificate from joining the management group unnoticed.

    Deploying an agent to a workgroup client with certificate authentication
    Steps that were followed:
    =====================
    1. Request a certificate for the OpsMgr server using its FQDN
    A. Browse to http://<CA_Server>/CertSrv from the OpsMgr server (the private key is generated locally, so only the request and the issued certificate travel over this connection)
    B. Click the Request a Certificate link

    C. Click the Advanced Certificate Request link.
    D. Click the Create and submit a request to this CA link.
    E. In the Name field, enter the FQDN of the Operations Manager server.
    F. In the Type of Certificate Needed drop down select Other…
         i. In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (Server Authentication and Client Authentication; the Health Service needs both because it acts as client and server on the mutually authenticated channel)
    G. Check Mark keys as exportable (required, because step 4 exports the private key to a PFX file for MOMCertImport.exe).
    H. Check Store certificate in the local computer certificate store.
    I. In the Friendly Name field enter the FQDN of the OpsMgr server (must exactly match the Name field).
    J. Click Submit.

    K. Click the Yes button in the security pop-up.
    2. Get the certificate request approved by the appropriate authority

    3. Install the new certificate on the OpsMgr server
    A. Revisit http://<CA_Server>/CertSrv from the OpsMgr server
    B. Click the View the status of a pending certificate request link.

    C. Click the link for newly issued certificate.
    D. Click the Install this certificate link.
    E. Select Yes to Security Warning dialog.
    F. You should now see Your new certificate has been successfully installed.

    4. Export the new certificate on the OpsMgr server and import it with MOMCertImport.exe
    A. Open the Certificates snap-in for Local Computer
          i. Launch MMC.exe from the Run box
          ii. Select Add/Remove Snap-in from the File menu
          iii. Select the Certificates Snap-in and click Add
          iv. Select the Computer Account radio button and click Next
          v. Make sure the Local Computer radio button is selected and click Finish
          vi. Click Close and then click OK

    B. Export the certificate to a PFX file
          i. In the MMC, expand the Certificates (Local computer) node
          ii. Expand the Personal node and select Certificates
          iii. Locate the certificate for the OpsMgr server FQDN
          iv. Right-click on the certificate and choose All Tasks -> Export…
          v. Click Next on the Welcome page

          vi. Select Yes, export the private key and click Next

          vii. Click Next on the Export File Format page

          viii. Enter a secure password and click Next

          ix. Enter a valid path and file name with a PFX extension and click Next

          x. Click Finish and verify that The export was successful is displayed

    C. Run MOMCertImport.exe to import the certificate PFX file
          i. Open a CMD prompt and change directory to SupportTools\i386 on the SCOM 2007 CD
          ii. Execute: MOMCertImport.exe <path to PFX file> /password <password specified during export of PFX file>
          iii. Use the Services MMC to stop and restart the OpsMgr Health Service
          iv. Delete the exported PFX file (or move it to protected storage): it contains the server's private key, and anyone who obtains it together with the password can impersonate the management server to its agents
    5. Install the Certificate Authority Certificate Chain on each intended agent and the Management Server.
    NOTE: Instead of executing step 5 on each agent, you can download and save the chain to a .p7b file .

    Copy to each agent and install. Then proceed to step 6.

    A. Browse to http://<CA_Server>/CertSrv from the intended agent
    B. Click the Download a CA certificate, certificate chain, or CRL link
    C. Click the Install this CA certificate chain link.
    D. Select Yes to the security dialog popup.

         i. Select Yes if presented with a second security dialog popup
    E. You should now see The CA certificate chain has been successfully installed

    F. Open the Certificates snap-in for Local Computer
          i. Launch MMC.exe from the Run box
          ii. Select Add/Remove Snap-in from the File menu
          iii. Select the Certificates Snap-in and click Add
          iv. Leave My user account selected and click Finish
          v. Select the Certificates Snap-in and click Add again
          vi. Select the Computer Account radio button and click Next
          vii. Make sure the Local Computer radio button is selected and click Finish
          viii. Click Close and then click OK
    G. Copy the Trusted Root Certificate from Current User to Local Computer
          i. Expand the Certificates - Current User node
          ii. Expand the Trusted Root Certification Authorities node
          iii. Select Certificates and locate the new trusted Root CA
          iv. Right-click the certificate and choose Copy

          v. Expand the Certificates (Local Computer) node
          vi. Expand the Trusted Root Certification Authorities node
          vii. Right-click on Certificates and select Paste

    6. Obtain and import a certificate for the intended agent using its NetBIOS name
    A. Browse to http://<CA_Server>/CertSrv from the intended agent
    B. Click the Request a Certificate link
    C. Click the Advanced Certificate Request link.
    D. Click the Create and submit a request to this CA link.
    E. In the Name field, enter the NetBIOS name of the intended agent
    F. In the Type of Certificate Needed drop down select Other…
          i. In the OID field, enter 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
    G. Check Mark keys as exportable.
    H. Check Store certificate in the local computer certificate store.
    I. In the Friendly Name field enter the NetBIOS name of the intended agent (must exactly match the Name field).
    J. Click Submit.
    K. Click the Yes button in the security pop-up.
    7. Get the certificate request approved by the appropriate authority
    8. Install the new certificate on the intended agent
    A. Revisit http://<CA_Server>/CertSrv from the intended agent
    B. Click the View the status of a pending certificate request link.

    C. Click the link for newly issued certificate.
    D. Click the Install this certificate link.

    E. Select Yes to Security Warning dialog.
    F. You should now see Your new certificate has been successfully installed.
    9. Export the new certificate on the intended agent and import it with MOMCertImport.exe
    A. Open the Certificates snap-in for Local Computer
          i. Launch MMC.exe from the Run box
          ii. Select Add/Remove Snap-in from the File menu
          iii. Select the Certificates Snap-in and click Add
          iv. Select the Computer Account radio button and click Next
          v. Make sure the Local Computer radio button is selected and click Finish
          vi. Click Close and then click OK
    B. Export the certificate to a PFX file
          i. In the MMC, expand the Certificates (Local computer) node
          ii. Expand the Personal node and select Certificates
          iii. Locate the certificate for the intended agent NetBIOS name
          iv. Right-click on the certificate and choose All Tasks -> Export…

          v. Click Next on the Welcome page
          vi. Select Yes, export the private key and click Next

          vii. Click Next on the Export File Format page

          viii. Enter a secure password and click Next

          ix. Enter a valid path and file name with a PFX extension and click Next

          x. Click Finish and verify that The export was successful is displayed

    C. Manually install the SCOM 2007 agent on the intended agent machine

          i. Install MSXML 6.0

          ii. Install MOMAgent.msi (the wizard asks for the management group name, the management server and the port; enter the same FQDN that was used in the management server's certificate)

    D. Run MOMCertImport.exe to import the certificate PFX file
          i. Open a CMD prompt and change directory to SupportTools\i386 on the SCOM 2007 CD
          ii. Execute: MOMCertImport.exe <path to PFX file> /password <password specified during export of PFX file>
          iii. Use the Services MMC to stop and restart the OpsMgr Health Service
          iv. Delete the PFX file from the agent once the import succeeds, for the same reason as on the management server

    E. In the Operations Console, check Administration > Pending Management and approve the new agent (it only appears there if the security setting above is set to review new manual agent installations)

    F. Check Agent Managed: the approved agent is listed there once the Health Service has connected, and the OpsMgr event log on the agent shows the certificate-related errors (rejected certificate, name mismatch, untrusted chain) if it does not
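    Added example (not from the original page or from the Operations Manager product): a PowerShell check that the certificate on a management server or workgroup agent meets the Health Service requirements, usable before and after MOMCertImport.exe runs. It assumes PowerShell 3.0 or later and reads the registry location under Microsoft Operations Manager\3.0\Machine Settings where MOMCertImport records the selected certificate's serial number; the expected name defaults to the local computer name, so pass the FQDN on the management server.

```powershell
# Added example (not from the original page): verify that a machine holds a
# certificate that satisfies the Operations Manager requirements and whether
# MOMCertImport.exe has selected it. Assumptions: PowerShell 3+, and the
# registry location below, which is where MOMCertImport stores its choice.

$serverAuth  = '1.3.6.1.5.5.7.3.1'
$clientAuth  = '1.3.6.1.5.5.7.3.2'
$momSettings = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

function Test-MomSelectedCertificate {
    # True when the serial number MOMCertImport wrote matches this certificate.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $bytes = (Get-ItemProperty -Path $momSettings -Name ChannelCertificateSerialNumber `
              -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    if (-not $bytes) { return $false }
    $reg = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    $fwd = $Cert.SerialNumber
    $rev = ($Cert.GetSerialNumber() | ForEach-Object { $_.ToString('X2') }) -join ''
    # The tool stores the serial number in reversed byte order; accept either form.
    return ($reg -eq $fwd -or $reg -eq $rev)
}

function Test-OpsMgrCertificate {
    param(
        # Name the certificate must carry: FQDN on the management server,
        # NetBIOS name on a workgroup agent, exactly as entered in the request.
        [string]$ExpectedName = $env:COMPUTERNAME
    )
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($ExpectedName))(,|$)" }

    foreach ($cert in $candidates) {
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        $kuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
        }
        $ku = if ($kuExt) { $kuExt.KeyUsages } else { 0 }
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

        # The chain must end in a root the Local Computer store trusts (step 5 installs it).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use Online in production
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            HasPrivateKey   = $cert.HasPrivateKey
            ServerAuthEKU   = ($ekus -contains $serverAuth)
            ClientAuthEKU   = ($ekus -contains $clientAuth)
            DigitalSig      = [bool]($ku -band $flags::DigitalSignature)
            KeyEncipherment = [bool]($ku -band $flags::KeyEncipherment)
            ChainTrusted    = $chainOk
            NotExpired      = ($cert.NotAfter -gt (Get-Date))
            SelectedByMOM   = (Test-MomSelectedCertificate -Cert $cert)
        }
    }
}

Test-OpsMgrCertificate | Format-List
# Every column except SelectedByMOM must be True before MOMCertImport.exe is run;
# SelectedByMOM turns True afterwards. No output at all means no certificate in
# the Local Computer Personal store carries the expected name.
```

    Run it on the management server with -ExpectedName set to the FQDN and on each workgroup agent with the default; a name mismatch between the two sides is the most common reason the agent never leaves Pending Management.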

  • Windows Server 2008 Failover Cluster - Event 1207 (CNO computer account password update failed, access is denied)

    SYMPTOM
    ===============
    Event 1207 (CNO computer account password update failed, access is denied)


     

    PROBABLE CAUSE
    ===============
    Some default ACL entries are missing on the CNO

     

    RESOLUTION
    ===============
    We compared the default ACL entries of a CNO against the problematic CNO in the production environment and made the following changes to the production one:
    a. Removed the "Account Operators" group from the CNO's "Member of" list
    b. Added an ACL entry granting "Full control" to "Account Operators", "Apply to: This object only"
    c. Added an ACL entry granting "Full control" to "Administrator", "Apply to: This object only"
    d. Changed the ACL entry granting "Full control" to "SELF" to "Apply to: This object only"
    Entry d is the one that matters for event 1207: the cluster service updates the CNO password under the CNO's own identity, so without rights on itself (SELF) the update is denied.

     

    Reference:

    Description of the failover cluster security model in Windows Server 2008
    http://support.microsoft.com/kb/947049

    Q. How can the CNO be given permission to create the corresponding computer accounts (VCOs) for clustered services in AD?
    A. There are two approaches: delegation, and pre-staging the VCO.

     

    The delegation method is as follows:

    Use the following steps to set up the delegation ("user right delegation"):

    Delegate the CNO the right to create/delete computer accounts

    1. Open the ADUC console, right-click the "Computers" container (or the OU that will hold the VCOs), click "Delegate Control", then click "Next".

    2. Click "Add" and select the CNO computer object to which the task is being delegated (in this example, "TPFHS01$"), then click "Next". Delegate to the CNO itself, not to a broad group such as Authenticated Users.

    3. Select "Create a custom task to delegate", click "Next" ("Delegate the following common tasks" are predefined tasks for your convenience; we will not be using them).

    4. Select "Only the following objects in the folder", check "Computer objects", check "Create selected objects in this folder", check "Delete selected objects in this folder", click "Next".

    5. Under Permissions, check "Full control", click "Next". (Full control is more than the cluster needs: with the scope chosen in step 4, the "Create Computer objects" permission on the container is enough for the CNO to create VCOs, and the cluster grants itself full control on each VCO it creates. Prefer the narrower grant where least privilege is required.)

    6. Click "Finish".

    7. Verify the setting by right-clicking the OU, clicking "Properties" and opening the "Security" tab; the CNO selected in step 2 is listed there.

     

    The pre-stage VCO method is as follows:

    The procedure for pre-staging the VCO account is quoted below from the following reference:

    http://technet.microsoft.com/en-us/library/cc731002(WS.10).aspx#BKMK_steps_precreating2

    Steps for prestaging an account for a clustered service or application

    It is usually simpler if you do not prestage the computer account for a clustered service or application, but instead allow the account to be created and configured automatically when you run the High Availability wizard. However, if it is necessary to prestage accounts because of requirements in your organization, use the following procedure.

    Membership in the Account Operators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

    To prestage an account for a clustered service or application

    1. Make sure that you know the name of the cluster and the name that the clustered service or application will have.

    2. On a domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

    3. In the console tree, right-click Computers or the default container in which computer accounts are created in your domain. Computers is located in Active Directory Users and Computers/domain node/Computers.

    4. Click New and then click Computer.

    5. Type the name that you will use for the clustered service or application, and then click OK.

    6. On the View menu, make sure that Advanced Features is selected.

        When Advanced Features is selected, you can see the Security tab in the properties of accounts (objects) in Active Directory Users and Computers.

    7. Right-click the computer account you just created, and then click Properties.

    8. On the Security tab, click Add.

    9. Click Object Types and make sure that Computers is selected, and then click OK. Then, under Enter the object name to select, type the cluster name account, and then click OK. If a message appears, saying that you are about to add a disabled object, click OK.

    10. Make sure that the cluster name account is selected, and then, next to Full Control, select the Allow check box.
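    Added example (not from the original page): both approaches from the Q&A above in PowerShell, plus the check behind event 1207. It needs the ActiveDirectory module from RSAT and an account allowed to modify the container's ACL and create computer objects; the cluster, role and container names are assumptions for illustration.

```powershell
# Added example (not from the original page): delegate "Create Computer objects"
# to the CNO, pre-stage a VCO with the CNO holding Full Control on it, and audit
# the CNO's rights on itself. Requires the ActiveDirectory module (RSAT).
# Cluster, role and container names below are assumptions.
Import-Module ActiveDirectory

$CnoSam   = 'TPFHS01'                          # CNO from the example above (without the $)
$VcoName  = 'TPFHS01-SQL'                      # assumed name of the clustered role
$TargetOu = 'CN=Computers,DC=example,DC=com'   # assumed container for the VCO

# schemaIDGUID of the "computer" object class, used to scope the delegation.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Grant-CnoCreateComputerRight {
    # Delegation method in its least-privilege form: the CNO may create and
    # delete computer objects in the container, nothing else (instead of the
    # "Full control" choice in step 5 of the delegation procedure).
    param([string]$Cno, [string]$OuDn)
    $sid    = (Get-ADComputer -Identity $Cno).SID
    $acl    = Get-Acl -Path "AD:\$OuDn"
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ComputerClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function New-PrestagedVco {
    # Pre-stage method: create the VCO disabled and give the CNO Full Control
    # on that one object only (steps 4 to 10 of the pre-staging procedure).
    param([string]$Cno, [string]$Name, [string]$OuDn)
    $sid  = (Get-ADComputer -Identity $Cno).SID
    $vco  = New-ADComputer -Name $Name -Path $OuDn -Enabled $false -PassThru
    $acl  = Get-Acl -Path "AD:\$($vco.DistinguishedName)"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$($vco.DistinguishedName)" -AclObject $acl
    $vco
}

function Get-CnoSelfRights {
    # Event 1207 check: the CNO needs Full Control over itself ("SELF", this
    # object only, i.e. InheritanceType None). Returns the matching ACEs.
    param([string]$Cno)
    $dn  = (Get-ADComputer -Identity $Cno).DistinguishedName
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $all) -eq $all)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

Grant-CnoCreateComputerRight -Cno $CnoSam -OuDn $TargetOu
New-PrestagedVco -Cno $CnoSam -Name $VcoName -OuDn $TargetOu |
    Select-Object Name, Enabled, DistinguishedName
Get-CnoSelfRights -Cno $CnoSam
# An empty result from Get-CnoSelfRights is the missing ACE behind event 1207;
# add it on the CNO exactly as in step d of the resolution ("This object only").
```

    Use Grant-CnoCreateComputerRight for clusters that create roles regularly and New-PrestagedVco where the organisation forbids the CNO from creating accounts at all; either way Get-CnoSelfRights is the quick test to run when event 1207 reappears after a password update.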

  • KB2686509 cannot be installed

    Symptoms:

    When installing KB2686509, the following error message appears: Setup cannot continue because one or more prerequisites required to install KB2686509 failed. For more details, check the log file C:\Windows\KB2686509.log

    [Screenshot of the error dialog]

    If you check C:\Windows\KB2686509.log you will see the following errors (log excerpt as captured; the two localized message lines are translated):

    4.766: 2012/05/10 09:02:56.015 (local)
    4.766: C:\WINDOWS\SoftwareDistribution\Download\5fd47775e1be4d25f956fdb91deff05e\update\update.exe (version 6.3.13.0)
    4.828: DoInstallation: GetProcAddress(InitializeCustomizationDLL) Returned: 0x7f
    4.828: Failed To Enable SE_SHUTDOWN_PRIVILEGE
    4.828: Hotfix started with following command line: -q -z -er /ParentInfo:c9b475749f9b1942901712dac21d2293
    4.953: In Function GetReleaseSet, line 1240, RegQueryValueEx failed with error 0x2
    6.422: Return Value From IsMachineSafe = 0
    6.422: IsMachineSafe returned 441092
    6.422: Fist Condition in Prereq.IsMachineSafe.Section Failed
    6.422: Condition Check for Line 1 of PreRequisite returned FALSE
    6.422: ReadStringFromInf: UpdSpGetLineText failed: 0xe0000102
    6.422: KB2686509 Setup encountered an error:  Setup cannot continue because one or more prerequisites required to install KB2686509 failed. For more details, check the log file c:\windows\KB2686509.log
    6.438: ReadStringFromInf: UpdSpGetLineText failed: 0xe0000102
    6.438: Setup cannot continue because one or more prerequisites required to install KB2686509 failed. For more details, check the log file c:\windows\KB2686509.log
    6.438: Update.exe extended error code = 0xf0f4

    Possible cause:

    This problem can occur if a "Scancode Map" value is set under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout. The Prereq.IsMachineSafe lines in the log are the update's prerequisite check: MS12-034 changes how the kernel-mode driver handles keyboard layout files (CVE-2012-0181), and the installer refuses to proceed on a machine whose keyboard-layout configuration is not the standard one, a Scancode Map being one such case.

    Resolution:

    1. If you confirm that the "Scancode Map" value exists under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout, export the key as a backup, delete the value, install the hotfix, then import the backup to restore the mapping. Check first what the mapping does: a Scancode Map is often a deliberate setting (for example, a disabled key on a kiosk) that must come back after the update, and a mapping nobody can account for deserves a closer look before it is restored.
    2. If a large number of machines are affected, save the following commands as a .bat file and distribute it (adjust the third line to the path and file name of the KB2686509 executable for your location and language):

    reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" c:\1.reg
    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /f
    C:\WindowsXP-KB2686509-x86-CHT.exe /quiet /norestart
    reg import c:\1.reg
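    Added example (not from the original page): a PowerShell version of the batch file that first decodes the Scancode Map so you can see which keys it remaps, then installs the hotfix with the value removed and restores it even when the installer fails. It assumes PowerShell 2.0 or later (on Windows XP SP3 / Server 2003 that means the separately installed Windows Management Framework), an elevated session, and the hotfix path shown, which is an assumption; the sample Scancode Map at the end is constructed.

```powershell
# Added example (not from the original page): decode a Scancode Map value, then
# install KB2686509 with the value temporarily removed and restored afterwards.
# Assumptions: PowerShell 2.0+, elevated session, hotfix path as set below.

$KeyboardLayoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'
$HotfixPath        = 'C:\WindowsXP-KB2686509-x86-CHT.exe'   # assumed; adjust to your file

function ConvertFrom-ScancodeMap {
    # Value layout: 4-byte version, 4-byte flags, 4-byte entry count (including
    # the terminating zero entry), then one 4-byte entry per remap whose low
    # word is the scancode produced and whose high word is the physical key.
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 12) { throw 'Scancode Map value is too short' }
    $count = [BitConverter]::ToUInt32($Bytes, 8)
    for ($i = 0; $i -lt ($count - 1); $i++) {
        $offset = 12 + 4 * $i
        $to   = [BitConverter]::ToUInt16($Bytes, $offset)
        $from = [BitConverter]::ToUInt16($Bytes, $offset + 2)
        New-Object PSObject -Property @{
            PhysicalKey = ('0x{0:X4}' -f $from)
            SendsAs     = ('0x{0:X4}' -f $to)
            Disabled    = ($to -eq 0)
        }
    }
}

function Install-HotfixWithoutScancodeMap {
    param([string]$Installer)
    $saved = (Get-ItemProperty -Path $KeyboardLayoutKey -Name 'Scancode Map' `
              -ErrorAction SilentlyContinue).'Scancode Map'
    if ($saved) {
        Write-Host 'Scancode Map present; remapped keys:'
        ConvertFrom-ScancodeMap -Bytes $saved | Format-Table PhysicalKey, SendsAs, Disabled -AutoSize | Out-String | Write-Host
        Remove-ItemProperty -Path $KeyboardLayoutKey -Name 'Scancode Map'
    }
    try {
        $p = Start-Process -FilePath $Installer -ArgumentList '/quiet', '/norestart' -Wait -PassThru
        $p.ExitCode
    }
    finally {
        # Restore the original mapping whatever happened to the installer;
        # the remap is active again after the next reboot.
        if ($saved) {
            New-ItemProperty -Path $KeyboardLayoutKey -Name 'Scancode Map' `
                -PropertyType Binary -Value $saved -Force | Out-Null
        }
    }
}

# Constructed sample value (not read from a real machine): disables Caps Lock
# (scancode 0x3A) and makes the right Windows key (0xE05C) act as the left one (0xE05B).
$sample = [byte[]](0,0,0,0, 0,0,0,0, 3,0,0,0, 0x00,0x00,0x3A,0x00, 0x5B,0xE0,0x5C,0xE0, 0,0,0,0)
ConvertFrom-ScancodeMap -Bytes $sample | Format-Table PhysicalKey, SendsAs, Disabled -AutoSize
# Expected rows: 0x003A disabled; 0xE05C sends as 0xE05B.

# Live run (elevated):
#   Install-HotfixWithoutScancodeMap -Installer $HotfixPath
# Exit code 0 means installed; 3010 means installed and a reboot is required.
```

    Unlike the four-line batch file, the try/finally keeps the mapping from being lost when the installer aborts, and the decoded table gives you something to compare against the change record before the value goes back in.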

    References

    MS12-034: Description of the security update for CVE-2012-0181 in Windows XP and Windows Server 2003: May 8, 2012

    http://support.microsoft.com/kb/2686509/en-us