Secondary Site Clients are All Inactive and Offline

This is how it happened. The SCCM was recovered from a bad backup with only the Primary Site SQL mdf and ldf files. The SCCM Site Status, Component Status, Site Hierarchy, and  Database Replication indicated that the SCCM is functioning properly without any error. After sometimes, we noticed the Client Activity rates from the Monitoring had went down to nearly 40%. Further checking showed that clients in some Secondary Site Collection were all inactive and offline.

I went through some of the logs and came across MP_Framework.log in Secondary Site SMS_CCM\Logs folder. It was “bleeding” non-stop! Full or error! From the log, it shows MPDB Error with error code 0x80004005, and the description is “Invalid connection string attribute”

Since this is related to SQL, I checked both the Secondary Site SQL Express and also the Primary Site SQL. From the checking I found out that the Secondary Site Machine Account is missing from the Primary Site SQL Login. The Secondary Site Machine Account is not listed under the Logins (Red Arrow)

Here’s the resolution:

I manually create the Secondary Site Machine Account (hostname) login with the SQL Command below:

Create login [Domain\SecSiteMachineAccount$] from windows;

F5 refresh the Logins and then you’ll be able to see the Secondary Site Machine Account created.

Go to the Secondary Site Machine Account Login Properties and map the login to SCCM Primary DB and grant the “smsdbrole_MP" role

OR

Just simply make the login a sysadmin server role.

Once that being done, the MP_Framework.log immediately stop bleeding and after a while, the computers shows active and online in the console.

I hope this post could help you and bring you joy! Thanks for reading!

SCCM Software Update Deployment Package Distribution Error | Content/Package does no exist

Hold on there! Don’t take the step to create a new package and re-download all the content into new package yet!

My customer has a 10GB software update deployment package. It will cost a lot of replication traffic if he create a new package and re-download the entire package.

Copy the SQL query from this blog, https://blogs.technet.microsoft.com/ken_brumfield/2013/01/10/troubleshooting-sccm-software-update-deployment-package-distribution-due-to-missing-directories/

1. Copy the SQL query and replace @missingSourceDirectory and @PackageId
2. Execute the query and this should give you the KB Article and the Software Update Name
3. Open the Software Update Deployment Package, and search for that KB Article
4. Delete it from the deployment package
5. Back to the Content Status monitoring, and check the status.
6. Repeat the steps above if you see a new GUID error

SQL Query:

DECLARE
@MissingSourceDirectory
NVARCHAR(512)
DECLARE
@PackageId
NVARCHAR(8)
SET
@MissingSourceDirectory =
'c34e2458-681f-4a8b-8941-a460c2de314a'
SET
@PackageId
= '0020000D'

SELECT
CASE
         WHEN
ci.BulletinID LIKE
''
OR ci.BulletinID IS
NULL
THEN
'Non Security Update'
         ELSE ci.BulletinID
         END
As
BulletinID
     , ci.ArticleID
     , loc.DisplayName
     , loc.Description
     , ci.IsExpired
     , ci.DatePosted
     , ci.DateRevised
     , ci.Severity
     , ci.RevisionNumber
     , ci.CI_ID
FROM dbo.v_UpdateCIs
AS
ci
LEFT
OUTER
JOIN dbo.v_LocalizedCIProperties_SiteLoc
AS
loc
ON
loc.CI_ID = ci.CI_ID
WHERE ci.CI_ID IN
(
     SELECT [FromCI_ID]
     FROM
[dbo].[CI_ConfigurationItemRelations]
cir
     INNER
JOIN [dbo].[CI_RelationTypes]
rt
ON
cir.RelationType = rt.RelationType
     WHERE
cir.ToCI_ID IN
     (
         SELECT
CI_ID
         FROM
[dbo].[CI_ContentPackages]
cp
         INNER
JOIN [dbo].[CI_ConfigurationItemContents]
cic
ON
cp.Content_ID = cic.Content_ID
         WHERE
cp.ContentSubFolder = @MissingSourceDirectory AND cp.PkgID = @PackageId
     )
)

WSUS 3.0 SP2 Re-installation Failure due to .NET Framework and Update Services Folder

I’ve just resolved this issue half an hour ago. Customer uninstalled WSUS 3.0 SP2 but failed to reinstall it back later.

The WSUSSetup.log under %temp% showed Error 0x80070643

2017-08-07 11:14:36  Error     MWUSSetup          InstallWsus: MWUS Installation Failed (Error 0x80070643: Fatal error during installation.)
2017-08-07 11:14:36  Error     MWUSSetup          CInstallDriver::PerformSetup: WSUS installation failed (Error 0x80070643: Fatal error during installation.)
2017-08-07 11:14:36  Error     MWUSSetup          CSetupDriver::LaunchSetup: Setup failed (Error 0x80070643: Fatal error during installation.)
2017-08-07 11:14:40  Error     MWUSSetup          DoInstall: Wsus setup failed (Error 0x80070643: Fatal error during installation.)

From the event viewer, Event ID 11722 showed that the installation is failed with Error 1722.

I came across Anoop Blog and resolve the installation issue. In short, WSUS 3.0 SP2 doesn’t like .NET Framework 4.6 or later very much, WSUS cannot detect those newer version. Here are some official article/blog from Microsoft regarding that, https://support.microsoft.com/en-us/help/3045727/cannot-install-wsus-3-2-on-a-server-with-the-net-framework-4-6-or-late and https://blogs.technet.microsoft.com/wsus/2017/06/12/microsoft-net-framework-4-7-coming-to-wsus/ 

The resolution is to uninstall .NET Framework 4.6 or later before the WSUS 3.0 SP2 installation. You can install the .NET Framework after the WSUS 3.0 SP2 completed.

The WSUS finally installed!
BUT more errors pops out from the event viewer.
Event ID 7053, 12022, 12032, 12012, 12002

I have tried a lot of things that people suggested like delete the wsus MMC profile under %appdata%\Microsoft\MMC, change the WsusPool Identity and Manage Pipeline, remove then re-add the Windows Process Activation Services from Server Manager, verify the permission on all the required folder, and SQL permission.

None of the above resolve my issue until I perform the steps below:

1. Uninstall WSUS 3.0 SP2 from program and features
2. Verify SQL SUSDB has been deleted, D:\WSUS content has been deleted.
3. Manually delete C:\Program Files\Update Services folder. This is the step that resolve the issue. There will be some leftover files after the WSUS uninstalled, which will not be replaced even after the WSUS re-installation
4. Delete the MMC profile under %appdata%\Microsoft\MMC
5. Reboot the server
6. Run the WSUS 3.0 SP2 setup.
7. You should be able to see the WSUS Wizard prompt. This mean that the installation is successful!
8. Close the Wizard, do not configure, let SUP do the configuration later.
9. Install the WSUS latest patch. I installed KB2938066
10. Install the SCCM SUP role

For your reference:
WSUS 3.0 (SP2):     Build 3.2.7600.226
WSUS 3.0 (SP2) + KB2720211:     Build 3.2.7600.251
WSUS 3.0 (SP2) + KB2734608:     Build 3.2.7600.256
WSUS 3.0 (SP2) + KB2828185:     Build 3.2.7600.262
WSUS 3.0 (SP2) + KB2938066:     Build 3.2.7600.274

Windows 10, v1507 End of Servicing?

Windows 10 has already with us for some time, coming to 2 years in July 2017. There are 3 build/version since Windows 10 released, v1507, v1511, v1607. Many people asked which build/version should I install? I would answer the latest. That is not because the latest has improvement or new feature set. It is simply because I want to ensure that the Windows keeps receiving its security and critical patches. If you interested on what’s new on every new Windows 10 release.

Yes, according to this site, Windows 10, v1507 end of servicing will be occur in May 2017. End of servicing simply means that Microsoft will not provide security and critical patches to Windows 10, v1507 from May 2017 onwards.

Plan now and move forward with SCCM!!!

AIP Custom Condition (Regular Expression) Tips

Today I will share my experience on configuring regular expression for automatic or recommended classification. The configuration in Azure Portal is quite straight forward. If you wish to know how to configure, Microsoft actually documented well. Refer to https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-policy-classification

This is how the configuration looks like:

Okay, back to the custom condition, it supports Word, Phrase, and Regular Expression. Talking about Regular Expression, there is a lot regular expression tester out there. I personally like this one, http://regexr.com/.

Taking (#[A-Z][A-Z&][A-Z][0-9][0-9][0-9][0][2]#) as example, after I built the regular expression, I can test it out at the bottom, and it will be highlighted in blue if it match the regular expression. It is so easy and convenient. After you satisfied, copy the regular expression and paste it to the Azure Portal. Enjoy!!

Azure AIP/RMS: SharePoint Permission vs IRM Permission Mapping

Mr.Customer asked me about how SharePoint Permission map to IRM Permission? Will the IRM Permission takeover or replace the SharePoint Permission granted to user?

https://support.office.com/en-us/article/Apply-Information-Rights-Management-to-a-list-or-library-3bdb5c4e-94fc-4741-b02f-4e7cc3c54aa1 This article actually explained the questions above. However, there is a little doubt here. Do we need all the Permission configured on the left in order to map the IRM Permissions?

For example: To map the Full Control IRM Permission. Do we need both Manage Permissions, and Manage Web Site in SharePoint Permission? Or we just need only one of the SharePoint Permission?

To answer the little doubt above, I ran few rounds of test in my environment. The answer is any one of the SharePoint Permission. You need either Manage Permissions OR Manage Web Site in SharePoint Permission to map the Full Control IRM Permission.

Another example, if Edit Items SharePoint Permission assigned to the user, he/she will have the Edit, Copy, and Save IRM Permissions. It Doesn’t Requires All 3 SharePoint Permissions (Edit Items, Manage Lists, Add and Customize Pages) To Be Assigned In Order To Map The Edit, Copy, and Save IRM Permissions !! Anyone will do….

I did some further testing by enabling “Allow viewers to write on a copy of the downloaded document” This setting will allow the user to download and edit the downloaded/offline copy. This setting OVERWRITE those with View Items SharePoint Permission OR Read IRM Permission to edit the downloaded /offline copy.

My two cents is View Items SharePoint Permission OR Read IRM Permission is meant to control the documents so that user can View only (cannot edit, modify, copy, save, etc). By enabling the “Allow viewers to write on a copy of the downloaded document” simply defeat the purpose of trying to control the documents. Enabling this setting wisely.

So long, and Thanks for reading!

Past due – Will be installed

Today I helped this new customer to deploy the Microsoft RMS Sharing App and Azure Information Protection Client to a couple of pilot computers. The deployment is deployed as Required, as soon as possible, and installation can be performed outside maintenance window.

Both applications get downloaded in the ccmcache, ContentTransferManager.log and DataTransferService.log showed download is completed. However, the Software Center showed the status as Past due – Will be installed.

So I did additional check on the computer client status, it is Approved, No Block, Not Obsolete, Active, Receiving Policy, and so on. I even restarted the targeted computer.

With luck, I found the answer in Technet forum, which is the setting in Computer Agent. “Additional software manages the deployment of applications and software updates”

The setting was set to Yes, which the default setting is No. According to Microsoft:https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-settings

“If you select this option when neither of these conditions apply, software updates and required applications will not install on clients.”

I asked them changed the setting back to default No. And then ran Machine Policy Retrieval & Evaluation Cycle and Application Deployment Evaluation Cycle on the targeted computer. Both applications get installed automatically as expected. Enjoy!!

Credits to st.kristobal, https://social.technet.microsoft.com/Forums/en-US/60f9f20f-3603-4d57-b4c0-13bb3e77a734/past-due-will-be-installed?forum=configmanagerapps