Sunday, September 28, 2008

Prerequisites for Asset Intelligence :- SMS_def.mof 9 Modification Prerequisites for Asset Intelligence

Prerequisites for Asset Intelligence
 

The Asset Intelligence feature in Configuration Manager 2007 has both external dependencies and dependencies within the product that should be considered when implementing Asset Intelligence or attempting to view Asset Intelligence report information.

The prerequisites for Asset Intelligence in Configuration Manager 2007 include the following:

  • Client agent prerequisites
  • Hardware inventory file modification prerequisites
  • Site maintenance task prerequisites
  • Windows event log setting prerequisites

Client Agent Prerequisites

The Asset Intelligence reports depend on client information obtained through client hardware and software inventory reports.

To obtain the information necessary for all Asset Intelligence reports, the following client agents must be enabled:

  • Hardware inventory client agent
  • Software metering client agent

Hardware Inventory Client Agent Dependencies

To collect inventory data required for some Asset Intelligence reports, the hardware inventory client agent must be enabled. In addition, some hardware inventory reporting classes must be enabled in the SMS_DEF.mof file on the primary site server computer.

For information about enabling the Hardware Inventory Client Agent, see How to Configure Hardware Inventory for a Site.

Software Metering Client Agent Dependencies

A number of Asset Intelligence software reports depend on the software metering client agent for data. For information about enabling the software metering client agent, see How to Configure Software Inventory for a Site.

The following Asset Intelligence reports depend on the software metering client agent to provide data:

  • Software 07A - Recently Used Executables by Number of Computers
  • Software 07B - Computers that Recently Used a Specified Executable
  • Software 07C - Recently Used Executables on a Specific Computer
  • Software 08A - Recently Used Executables by Number of Users
  • Software 08B - Users that Recently Used a Specified Executable
  • Software 08C - Recently Used Executables by a Specified User

Hardware Inventory File Modification Prerequisites

Important file modification prerequisites apply to the Configuration.mof file and to the SMS_def.mof file.

For more information about the Configuration.mof file, see About MOF Files Used by Hardware Inventory.

For more information about editing the Configuration.mof file, see How to Extend Hardware Inventory Using the Configuration.mof File.

Configuration.mof File Modification Prerequisites

Client Access License (CAL) data collection must be enabled in the Configuration.mof hardware inventory data class file to provide data for the Asset Intelligence Client Access License reports. To enable CAL data collection, the Configuration.mof file must be edited and associated maintenance tasks must be enabled. In addition, computer security policies must be configured to audit Success logon events. For more information about enabling success event logging, see How to Enable Success Logon Event Logging.

For more information about Asset Intelligence CAL data reports, see About Client Access License Reports .

For more information about the maintenance tasks that must be enabled to support the Asset Intelligence CAL reports, see the "Site Maintenance Task Prerequisites" section in this topic.

To enable data collection for CAL data, the CCM_CALTrackConfig WMI data class must be edited in the Configuration.mof file to configure the following required settings.

Note
The Configuration.mof file is located on the primary site server computer in the <ConfigMgr installation directory> \ Inboxes \ clifiles.src \ hinv directory.

CALCollectionType

The CALCollectionType parameter controls whether CALs are tracked for devices, users, or both. To enable CAL data collection, the CALCollectionType parameter value must be changed from the default value of 0 to a value that specifies the type of data to be collected. The CALCollectionType parameter can be set to one of the values described in the following table.

Parameter Setting Setting Description

0

Data collection disabled

1

User CAL collection only

2

Device CAL collection only

3

All CAL collection enabled

Note
If you want to enable CAL data collection on more than one Configuration Manager 2007 or Configuration Manager 2007 SP1 primary site, the Configuration.mof file for each site must be edited.

CALCollectionFrequencyDays

A single server can be accessed regularly by thousands of users and devices. Creating a record in the Configuration Manager site database for each connection could result in high network bandwidth usage. Polling for which users or devices access the server on a weekly basis is adequate for tracking CAL usage. The CALCollectionFrequencyDays parameter value controls the frequency, in days, of CAL data collection. The default value is 7 days, but a value between 0 and 90 days can be specified. Setting this parameter to 0 causes polling to be run based on the CALCollectionFrequencyMinutes parameter.

CALCollectionFrequencyMinutes

When the CALCollectionFrequencyDays parameter setting is set to 0, polling occurs based on the CALCollectionFrequencyMinutes parameter setting. The CALCollectionFrequencyMinutes parameter setting controls the frequency, in minutes, of CAL data collection. A value between 1 and 1,440 minutes can be specified.

Note
Polling for CAL information too frequently in large sites can result in a significant network impact.

CALCollectionTimeWindow

Current Microsoft licensing models allow for CALs to be reassigned every 90 days. The CALCollectionTimeWindow parameter reflects this licensing model. If the model is changed, this parameter can be adjusted to agree with the new licensing model. The default is 90 days, but a value between 1 and 365 days can be specified.

CALSupportedWindowsVersions

To limit polling to servers, this parameter lists the operating system versions that are polled for client access information. This parameter setting should not be modified. Modification of this setting will result in inaccurate CAL counts. The default value is "5.0,5.2,6.0."

SMS_def.mof Modification Prerequisites

The following hardware inventory reporting classes in the SMS_def.mof file can be enabled to support Asset Intelligence reporting requirements:

Note
The SMS_def.mof file is located on the primary site server computer at <ConfigMgr installation directory> \ Inboxes \ clifiles.src \ hinv directory.

  1. SMS_SystemConsoleUsage
  2. SMS_SystemConsoleUser
  3. SMS_InstalledSoftware
  4. SMS_AutoStartSoftware
  5. SMS_BrowserHelperObject
  6. SMS_InstalledExecutable
  7. SMS_SoftwareShortcut
  8. SoftwareLicensingService
  9. SoftwareLicensingProduct


    For more information about hardware inventory reporting classes used by Asset Intelligence, see Hardware Inventory Reporting Classes Required for Asset Intelligence Reports.

Site Maintenance Task Prerequisites

Two site maintenance tasks are associated with CAL information stored in the site database:

  • Delete Aged Client Access License Data Properties
  • Summarize Client Access License Weekly Usage Data

For information about enabling and scheduling site maintenance tasks, see How To Schedule a Site Maintenance Task

Delete Aged Client Access License Data

The Delete Aged Client Access License Data maintenance task is not necessary for data collection, but it should be enabled to prevent the accumulation of unnecessary data stored in the site database. The purpose of this task is to periodically delete aged CAL data from the site database that is no longer needed.

For more information, see Delete Aged Client Access License Data Task Overview.

Summarize Client Access License Weekly Usage Data

The Summarize Client Access License Weekly Usage Data task establishes summaries of usage over time and directly supports the Asset Intelligence license management report: License 11A - Historical Client Access License (CAL) Utilization.

The CAL data that is collected from client hardware inventory reports represents a single computer at a single point in time. To have meaningful reports, it is necessary to periodically gather these points together into summaries that are stored and used for the purpose of tracking usage trends over time.

For more information, see Summarize Client Access License Weekly Usage Data Task Overview.

Windows Event Log Setting Prerequisites

Four Asset Intelligence reports display information gathered from the Windows security event logs on client computers. If the security event log settings are not set correctly, these reports will contain no data, even if the appropriate hardware inventory reporting class is enabled.

The following Asset Intelligence reports rely on collected Windows security event log information:

  • Hardware 3A - Primary Computer Users
  • Hardware 3B - Computers for a Specific Primary Console User
  • Hardware 4A - Shared (Multi-user) Computers
  • Hardware 5A - Console Users on a Specific Computer

To enable the hardware inventory client agent to inventory the information required to support these reports, you must first modify the Windows security event log settings on clients to log all Success logon events, as well as enable the SMS_SystemConsoleUser SMS_def.mof reporting class. For more information about modifying security event log settings to log all Success logon events, see How to Enable Success Logon Event Logging.

Note
The SMS_SystemConsoleUser SMS_def.mof reporting class will retain successful logon data for only the previous 90 days of the security event log, regardless of the length of the log. If the security event log has fewer than 90 days of data, the entire log is read.

Wednesday, September 24, 2008

Disk Space Threshold Registry Key


Disk SpaceThreshold

By default Windows sends an administrative alert when the amount of free space remaining on a hard disk drive falls below 10 percent. This percentage can be configured using this setting.

Open your registry and find the key below.

Create a new DWORD value called "DiskSpaceThreshold" and set it to the percentage of free disk space remaining before an alert is sent.

Restart Windows for the change to take effect.

 

Registry Settings
System Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\
Parameters]
Value Name: DiskSpaceThreshold
Data Type: REG_DWORD (DWORD Value)
Value Data: 0 - 99 percent (Default is 10)

 

Monday, September 22, 2008

Configuring SLP / MP in WINS


Configuring SLP in WINS

To manually configure the SMS 2003 Server Locator Point (SLP) server in WINS, type the following from a command prompt:

C:\>netsh <enter>
NETSH>wins <enter>
WINS>server <enter>
WINS SERVER>add name Name=SMS_SLP endchar=1A rectype=0 ip={xxx.xxx.xxx.xxx}
(NOTE: Replace x's with IP address of server acting as SLP)

Command completed successfully.
(This will appear if you used the proper syntax.)

This can also be configured in one simple command (all on one line) as follows:
wins server \\SERVERNAME add name Name=SMS_SLP endchar=1a rectype=0 ip={xxx.xxx.xxx.xxx}

To verify the SLP entry in WINS:

WINS SERVER>show name Name=SMS_SLP endchar=1A

Name : SMS_SLP [1Ah]
NodeType : 1
State : ACTIVE
Expiration Date : Infinite
Type of Rec : UNIQUE
Version No : 0 1bc1
RecordType : STATIC
IP Address : xxx.xxx.xxx.xxx
Command completed successfully.

Configuring MP in WINS
To manually configure the SMS 2003 Management Point (MP) in WINS, type:

WINS SERVER>add name Name=SMS_MP endchar=1A rectype=0 ip={xxx.xxx.xxx.xxx}
(NOTE: Replace x's with IP address of server acting as SLP)

Command completed successfully.
(This will appear if you used the proper syntax.)

To verify the MP entry in WINS:
WINS SERVER>show name Name=SMS_MP endchar=1A

Name : SMS_MP [1Ah]
NodeType : 1
State : ACTIVE
Expiration Date : Infinite
Type of Rec : UNIQUE
Version No : 0 1bc2
RecordType : STATIC
IP Address : xxx.xxx.xxx.xxx
Command completed successfully.

When finished, type:
WINS SERVER> exit <enter>
C:\>

Everything was going really well with the newest version of SMS 2003, including an average software distribution success rate of more than 95%. About a month later, when hardware became available, another primary site was configured at our Disaster Recovery location, including a separate server to act as a Central Site for both primary sites.

Problems Arise
From this point, strange things began to happen. Some of our SMS 2003 Advanced Clients were not even receiving configured advertisements and our success rate dipped as low as 60% successful.

Thanks to Michael Niehaus's expertise, the syntax for configuring a Management Point in WINS is slightly different if all the SMS sites in the hierarchy share the same WINS database!!!

Configure Multiple MPs in one WINS Database
To configure multiple SMS 2003 Management Points (MP) in WINS that share the same database, follow this syntax:

add name Name=MP_<sitecode> endchar=1A rectype=0 ip={xxx.xxx.xxx.xxx}
(NOTE: Replace x's with IP address of server acting as SLP)

To verify the MP entry in WINS:

show name Name=MP_<sitecode> endchar=1A

Enjoy,
Paddy

Tuesday, September 16, 2008

WScript.Echo "Computer connecting error: " & strComputer

WScript.Echo "Computer connecting error: " & strComputer
 
This is the code to get the output in vbscript with computername

Tuesday, September 9, 2008

Play with Script for Windows Firewall

Scripting for Windows Firewall

 

Add an Authorized Application


Adds Freecell.exe to the list of authorized applications in the current Windows Firewall profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set objApplication = CreateObject("HNetCfg.FwAuthorizedApplication") objApplication.Name = "Free Cell" objApplication.IPVersion = 2 objApplication.ProcessImageFileName = "c:\windows\system32\freecell.exe" objApplication.RemoteAddresses = "*" objApplication.Scope = 0 objApplication.Enabled = True  Set colApplications = objPolicy.AuthorizedApplications colApplications.Add(objApplication) 	 

Add an Application to the Standard Profile


Adds Freecell.exe to the list of authorized applications in the Windows Firewall standard profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy Set objProfile = objPolicy.GetProfileByType(1)  Set objApplication = CreateObject("HNetCfg.FwAuthorizedApplication") objApplication.Name = "Free Cell" objApplication.IPVersion = 2 objApplication.ProcessImageFileName = "c:\windows\system32\freecell.exe" objApplication.RemoteAddresses = "*" objApplication.Scope = 0 objApplication.Enabled = True  Set colApplications = objProfile.AuthorizedApplications colApplications.Add(objApplication) 	 

Create a New Port


Opens port 9999 in the Windows Firewall current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set objPort = CreateObject("HNetCfg.FwOpenPort") objPort.Port = 9999 objPort.Name = "Test Port" objPort.Enabled = FALSE Set colPorts = objPolicy.GloballyOpenPorts  errReturn = colPorts.Add(objPort) 	 

Delete an Authorized Application


Deletes Freecell.exe from the list of authorized applications in the Windows Firewall current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set colApplications = objPolicy.AuthorizedApplications  errReturn = colApplications.Remove("c:\windows\system32\freecell.exe") 	 

Disable the Firewall


Disables the Windows Firewall for the current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  objPolicy.FirewallEnabled = FALSE 	 

Delete an Open Port


Closes port 9999 in the Windows Firewall current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set colPorts = objPolicy.GloballyOpenPorts errReturn = colPorts.Remove(9999,6) 	 

Disable Remote Administration


Disable Windows Firewall remote administration.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set objAdminSettings = objPolicy.RemoteAdminSettings objAdminSettings.Enabled = FALSE 	 

Enable the Firewall


Enables Windows Firewall for the current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  objPolicy.FirewallEnabled = TRUE 	 

Enable File and Printer Sharing Through Windows Firewall


Enables File and Printer Sharing on a computer running Windows XP Service Pack 2.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set colServices = objPolicy.Services Set objService = colServices.Item(0) objService.Enabled = TRUE 	 

Enable Remote Administration


Enables remote administration of Windows Firewall fro the current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set objAdminSettings = objPolicy.RemoteAdminSettings objAdminSettings.Enabled = TRUE 	 

List Authorized Applications


Lists all authorized applications for the Windows Firewall current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set colApplications = objPolicy.AuthorizedApplications  For Each objApplication in colApplications     Wscript.Echo "Authorized application: " & objApplication.Name     Wscript.Echo "Application enabled: " & objApplication.Enabled     Wscript.Echo "Application IP version: " & objApplication.IPVersion     Wscript.Echo "Application process image file name: " & _         objApplication.ProcessImageFileName     Wscript.Echo "Application remote addresses: " & _         objApplication.RemoteAddresses     Wscript.Echo "Application scope: " & objApplication.Scope     Wscript.Echo Next 	 

List Authorized Applications in the Standard Profile


Lists all authorized applications for the Windows Firewall standard profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy  Set objProfile = objPolicy.GetProfileByType(1) Set colApplications = objProfile.AuthorizedApplications  For Each objApplication in colApplications     Wscript.Echo "Authorized application: " & objApplication.Name     Wscript.Echo "Application enabled: " & objApplication.Enabled     Wscript.Echo "Application IP version: " & objApplication.IPVersion     Wscript.Echo "Application process image file name: " & _         objApplication.ProcessImageFileName     Wscript.Echo "Application remote addresses: " & _         objApplication.RemoteAddresses     Wscript.Echo "Application scope: " & objApplication.Scope     Wscript.Echo Next 	 

List All Globally-Open Ports


Lists all globally-open ports for the Windows Firewall current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set colPorts = objPolicy.GloballyOpenPorts  For Each objPort in colPorts     Wscript.Echo "Port name: " & objPort.Name     Wscript.Echo "Port number: " & objPort.Port     Wscript.Echo "Port IP version: " & objPort.IPVersion     Wscript.Echo "Port protocol: " & objPort.Protocol     Wscript.Echo "Port scope: " & objPort.Scope     Wscript.Echo "Port remote addresses: " & objPort.RemoteAddresses     Wscript.Echo "Port enabled: " & objPort.Enabled     Wscript.Echo "Port built-in: " & objPort.Builtin Next 	 

List Firewall Properties


Lists Windows Firewall properties for the current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile Wscript.Echo "Current profile type: " & objFirewall.CurrentProfileType  Wscript.Echo "Firewall enabled: " & objPolicy.FirewallEnabled Wscript.Echo "Exceptions not allowed: " & objPolicy.ExceptionsNotAllowed Wscript.Echo "Notifications disabled: " & objPolicy.NotificationsDisabled Wscript.Echo "Unicast responses to multicast broadcast disabled: " & _     objPolicy.UnicastResponsestoMulticastBroadcastDisabled 	 

List Firewall Service Properties


Lists service properties for the Windows Firewall current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set colServices = objPolicy.Services  For Each objService in colServices     Wscript.Echo "Service name: " & objService.Name     Wscript.Echo "Service enabled: " & objService.Enabled     Wscript.Echo "Service type: " & objService.Type     Wscript.Echo "Service IP version: " & objService.IPVersion     Wscript.Echo "Service scope: " & objService.Scope     Wscript.Echo "Service remote addresses: " & objService.RemoteAddresses     Wscript.Echo "Service customized: " & objService.Customized     Set colPorts = objService.GloballyOpenPorts     For Each objPort in colPorts         Wscript.Echo "Port name: " & objPort.Name         Wscript.Echo "Port number: " & objPort.Port         Wscript.Echo "Port enabled: " & objPort.Enabled         Wscript.Echo "Port built-in: " & objPort.BuiltIn         Wscript.Echo "Port IP version: " & objPort.IPVersion         Wscript.Echo "Port protocol: " & objPort.Protocol         Wscript.Echo "Port remote addresses: " & objPort.RemoteAddresses         Wscript.Echo "Port scope: " & objPort.Scope     Next     Wscript.Echo Next 	 

List ICMP Settings


Lists ICMP settings for the Windows Firewall current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set objICMPSettings = objPolicy.ICMPSettings  Wscript.Echo "Allow inbound echo request: " & _     objICMPSettings.AllowInboundEchoRequest Wscript.Echo "Allow inbound mask request: " & _     objICMPSettings.AllowInboundMaskRequest Wscript.Echo "Allow inbound router request: " & _     objICMPSettings.AllowInboundRouterRequest Wscript.Echo "Allow inbound timestamp request: " & _     objICMPSettings.AllowInboundTimestampRequest Wscript.Echo "Allow outbound destination unreachable: " & _     objICMPSettings.AllowOutboundDestinationUnreachable Wscript.Echo "Allow outbound packet too big: " & _     objICMPSettings.AllowOutboundPacketTooBig Wscript.Echo "Allow outbound parameter problem: " & _     objICMPSettings.AllowOutboundParameterProblem Wscript.Echo "Allow outbound source quench: " & _     objICMPSettings.AllowOutboundSourceQuench Wscript.Echo "Allow outbound time exceeded: " & _     objICMPSettings.AllowOutboundTimeExceeded Wscript.Echo "Allow redirect: " & objICMPSettings.AllowRedirect 	 

List Remote Administration Settings


Lists remote administration settings for the Windows Firewall current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set objAdminSettings = objPolicy.RemoteAdminSettings Wscript.Echo "Remote administration settings enabled: " & _     objAdminSettings.Enabled Wscript.Echo "Remote administration addresses: " & _     objAdminSettings.RemoteAddresses Wscript.Echo "Remote administration scope: " & objAdminSettings.Scope Wscript.Echo "Remote administration IP version: " & objAdminSettings.IPVersion 	 

List Standard Profile Properties


Demonstration script that connects to and returns information about the Windows Firewall standard profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy Set objProfile = objPolicy.GetProfileByType(1)  Wscript.Echo "Firewall enabled: " & objProfile.FirewallEnabled Wscript.Echo "Exceptions not allowed: " & objProfile.ExceptionsNotAllowed Wscript.Echo "Notifications disabled: " & objProfile.NotificationsDisabled Wscript.Echo "Unicast responses to multicast broadcast disabled: " & -     objProfile.UnicastResponsestoMulticastBroadcastDisabled 	 

Modify an ICMP Setting


Demonstration script that modifies a Windows Firewall ICMP setting for the current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  Set objICMPSettings = objPolicy.ICMPSettings objICMPSettings.AllowRedirect = TRUE 	 

Modify a Firewall Property


Demonstration script that modifies Windows Firewall properties for the current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile  objPolicy.ExceptionsNotAllowed = TRUE objPolicy.NotificationsDisabled = TRUE objPolicy.UnicastResponsestoMulticastBroadcastDisabled = TRUE 	 

Open a Closed Port


Opens closed port 9999 for the Windows Firewall current profile.
Set objFirewall = CreateObject("HNetCfg.FwMgr") Set objPolicy = objFirewall.LocalPolicy.CurrentProfile Set colPorts = objPolicy.GloballyOpenPorts  Set objPort = colPorts.Item(9999,6) objPort.Enabled = TRUE 	 

Restore the Default Settings


Restore the Windows Firewall default settings.
Set objFirewall = CreateObject("HNetCfg.FwMgr") objFirewall.RestoreDefaults()
 
Enjoy
Paddy

DTS-------> SMS data transfer service

DTS-------> SMS Data Transfer Service

Wednesday, September 3, 2008

These are the reports available in SCCM for Patch Management

These are the reports available in SCCM for Patch Management

 
Software Updates - A. Compliance

Software Updates - B. Deployment Management


Software Updates - C. Deployment States

Software Updates - D. Scan

Software Updates - E. Troubleshooting

Software Updates - F. Distribution Status
 
Enjoy,
Paddy

SCCM 2007 Software Updates Reports

Software Updates Reports

Software Updates - A. Compliance

The reports in the Software Updates - A. Compliance category provide the scan results for software update compliance on client computers. More specifically, these reports provide information about what software updates are required, installed, or not required on clients. The following software updates reports are in this category:

  • Compliance 1 - Overall Compliance
    This report returns the overall compliance for the set of software updates in a specific update list and collection. The Collection ID and Update List ID are required parameters. You can drill into report "Compliance 8 - Computers in a specific compliance state for an update list <secondary>" to view the computers in the compliance state.
  • Compliance 2 - Specific software update
    This report returns the overall compliance data for a specified software update. The Collection ID and Update Title, Bulletin ID, or Article ID are required parameters. You can drill into report "Compliance 7 - Specific software update states <secondary>" to view the count and percentage of computers in each state for the update.
  • Compliance 3 - Update list (per update)
    This report returns the overall compliance data for software updates defined in an Update List. The Update List ID and Collection ID parameters are required. You can drill into report "Compliance 7 - Specific software update states <secondary>" to view the count and percentage of computers in each state for the update.
  • Compliance 4 - Deployment (per update)
    This report returns the overall compliance data for software updates defined in a deployment. The Deployment ID and Collection ID parameters are required. You can drill into report "Compliance 7 - Specific software update states <secondary>" to view the count and percentage of computers in each state for the update.
  • Compliance 5 -Updates by vendor/month/year
    This report returns the compliance data for software updates released by a vendor during a specific month and year. The Collection ID, Vendor, and Year parameters are required. To limit the amount of information returned, you can filter on the Update Class, Product, or Month parameters. You can drill into report "Compliance 7 - Specific software update states <secondary>" to view the count and percentage of computers in each state for the update.
  • Compliance 6 - Specific computer
    This report returns the software update compliance data for a specific computer. The Computer Name parameter is required. To limit the amount of information returned, you can filter on the Vendor and Update Class parameters.
  • Compliance 7 - Specific software update states <secondary>
    This report returns the count and percentage of computers in each compliance state for the specified software update. For best results, start with a compliance 2 - 5 report, and then drill into this report to return the count of computers in each compliance state. You can drill into report "Compliance 9 - Computers in a specific compliance state for an update <secondary>" to view the computers in the specific state for the update.
  • Compliance 8 - Computers in a specific compliance state for an update list <secondary>
    This report returns all computers that have a specific compliance state for the set of software updates in an update list. For best results, start with "Compliance 1 - Overall Compliance" to return the count of computers in each compliance state, and then drill into this report to return the computers in the selected compliance state. You can drill into report "Compliance 6 - Specific computer" to view the compliance data for the computer.
  • Compliance 9 - Computers in a specific compliance state for an update
    This report returns all computers in a specific compliance state for a software update. For best results, start with a compliance 2 - 5 report, drill into "Compliance 7 - Specific software update states <secondary>" to return the count of computers in each compliance state, and then drill into this report to return the computers in the selected compliance state. You can drill into report "Compliance 6 - Specific computer" to view the compliance data for the computer.

Software Updates - B. Deployment Management

The reports in the Software Updates - B. Deployment Management category provide information about the software update deployments. The following software updates reports are in this category:

  • Management 1 - Updates required but not deployed
    This report returns all vendor-specific software updates that have been detected as required on clients but that have not been deployed to a specific collection. The Collection ID and Vendor parameters are required. To limit the amount of information returned, you can specify the software update class.
  • Management 2 - Updates in a deployment
    This report returns the software updates that are contained in a specific deployment. The Deployment ID parameter is required. For each software update, you can drill down to report "States 5 - States for an update in a deployment <secondary>" to view the states for the specific software update.
  • Management 3 - Deployments that target a collection
    This report returns the deployments that have targeted a specific collection. The Collection ID parameter is required. You can drill down to report "Management 2 - Updates in a deployment" to view the software updates in the selected deployment.
  • Management 4 - Deployments that target a computer
    This report returns the deployments that have targeted a specific computer. The Computer Name parameter is required. You can drill down to report "Management 2 - Updates in a deployment" to view the software updates in the selected deployment.
  • Management 5 - Deployments that contain a specific update
    This report returns the deployments that contain a specific software update. The Update parameter is required. You can drill down to report "Management 2 - Updates in a deployment" to view the software updates in the selected deployment.
  • Management 6 - Deployments that contain an update list
    This report returns the deployments that were created using a specific update list. The Update List ID parameter is required. You can drill down to report "Management 2 - Updates in a deployment" to view the software updates in the selected deployment.
  • Management 7 - Updates in a deployment missing content
    This report returns the software updates in a specified deployment that do not have all the associated content retrieved, preventing clients from installing the update and achieving 100% compliance for the deployment. The Deployment ID parameter is required. You can drill down to report "Management 8 - Computers missing content <secondary>" to view the computers that require the software update files.
  • Management 8 - Computers missing content <secondary>
    This report returns all computers that require a specific software update contained in a specific deployment that is not provisioned on a distribution point. For best results, start with "Management 7 - Updates in a deployment missing content" to return all software updates in the deployment that do not have all the associated content retrieved, and then drill into this report to return all computers that require the software update.

Software Updates - C. Deployment States

The reports in the Software Updates - C. Deployment States category provide information about the evaluation and enforcement states on client computers for software update deployments. The following software updates reports are in this category:

  • States 1 - Enforcement states for a deployment
    This report returns the enforcement states for a specific software update deployment, which is typically the second phase of a deployment assessment. For the overall progress of the software update installation, use this report in conjunction with "States 2 - Evaluation states for a deployment." The Deployment ID parameter is required. You can drill down to report "States 4 - Computers in a specific state for a deployment <secondary>" to view all computers in the state.
  • States 2 - Evaluation states for a deployment
    This report returns the evaluation state for a specific software update deployment, which is typically the first phase of a deployment assessment. For the overall progress of the software update installation, use this report in conjunction with "States 1 - Enforcement states for a deployment." The Deployment ID parameter is required. You can drill down to report "States 4 - Computers in a specific state for a deployment <secondary>" to view all computers in the state.
  • States 3 - States for a deployment and computer
    This report returns the states for all software updates in the specified deployment for a specified computer. The Deployment ID and Computer Name parameters are required. You can drill into the Status Message Details page for any software update that contains an Error Record ID value.
  • States 4 - Computers in a specific state for a deployment <secondary>
    This report returns all computers in a specific state for a software update deployment. For best results, start with "States 1 - Enforcement states for a deployment " or "States 2 - Evaluation states for a deployment" to identify the states for the deployment, and then drill into this report to return all computers in the specific state. You can drill down to report "States 7 - Error status messages for a computer <secondary>" to view the status messages for the computer.
  • States 5 - States for an update in a deployment <secondary>
    This report returns a summary of states for a specific software update targeted by a specific deployment. For best results, start with "Management 2 - Updates in a deployment" to return the software updates contained in a specific deployment, and then drill into this report to return the state for the selected software update. You can drill down to report "States 6 - Computers in a specific enforcement state for an update <secondary>" to list the computers in the state.
  • States 6 - Computers in a specific enforcement state for an update <secondary>
    This report returns all computers in a specific enforcement state for a specific software update. For best results, start with " Management 2 - Updates in a deployment" to return the software updates contained in a specific deployment, drill into "States 5 - States for an update in a deployment <secondary>" to return the states for the selected software update, and then drill into this report to return all computers in the selected state.
  • States 7 - Error status messages for a computer <secondary>
    This report returns all status messages for a given Update or Deployment on a specific computer for a given status message. For best results, start with "States 1 - Enforcement states for a deployment" or "States 2 - Evaluation states for a deployment" to identify the states for the deployment, drill into "States 4 - Computers in a specific state for a deployment <secondary>" to return all computers in the specific state, and then drill into this report.

Software Updates - D. Scan

The reports in the Software Updates - D. Scan category provide information about computers in a specific scan state.

Note
Scan reports do not contain any information from clients that have not submitted any scan status. To see client computers that have not submitted scan status, see the report States 2 - Evaluation states for a deployment.

Note
If an SMS 2003 client sends scan results through hardware inventory, the client will appear as an SMS 2003 client in a separate section of these reports. To see the detail information about scan status for these SMS 2003 clients, go to the Software Distribution - Advertisement report category and check run a report that will show the status of the advertisement you use for your Inventory Tool for Microsoft Updates scanning.

The following software updates reports are in this category:

  • Scan 1 - Last scan states by collection
    This report returns the count of computers in each of the compliance scan states returned by client computers in a specific collection during their last scan for software updates compliance. The Update Source ID and Collection ID parameters are required. You can drill down to report "Scan 3 - Clients of a collection reporting a specific state <secondary>" to view the computers in a specific state.
  • Scan 2 - Last scan states by site
    This report returns the count of computers in each of the compliance scan states returned by client computers assigned to a specific site during their last scan for software updates compliance. The Update Source ID and Site Code parameters are required. You can drill down to report "Scan 4 - Clients of a site reporting a specific state <secondary>" to view the computers in a specific state.
  • Scan 3 - Clients of a collection reporting a specific state <secondary>
    This report returns the computers in a specific collection that returned a specific state during their last scan for software updates compliance. For best results, start with "Scan 1 - Last scan states by collection" to return the count of computers in each scan state, and then drill into this report. You can drill down to report "States 7 - Error status messages for a computer <secondary>" to view the status messages for the computer.
  • Scan 4 - Clients of a site reporting a specific state <secondary>
    This report returns the computers assigned to a specific site that returned a specific state during their last scan for software updates compliance. For best results, start with "Scan 2 - Last scan states by site" to return the count of computers in each scan state, and then drill into this report. You can drill down to report "States 7 - Error status messages for a computer <secondary>" to view the status messages for the computer.

Software Updates - E. Troubleshooting

The reports in the Software Updates - E. Troubleshooting category provide information about scan and deployment errors that occur on client computers. The following software updates reports are in this category:

  • Troubleshooting 1 - Scan errors
    This report returns the count of computers for each error that occurred during the last scan for software update compliance on client computers. The Update Source ID and Collection ID parameters are required. You can drill down to report "Troubleshooting 3 - Computers failing with a specific scan error <secondary>" to view a list of computers that returned the specific scan error.
  • Troubleshooting 2 - Deployment errors
    This report returns the count of computers for each deployment error that occurred on client computers. The Deployment ID parameter is required. You can drill down to report "Troubleshooting 4 - Computers failing with a specific deployment error <secondary>" to view a list of computers that returned the specific deployment error.
  • Troubleshooting 3 - Computers failing with a specific scan error <secondary>
    This report returns all computers that have returned a specific scan error. For best results, start with "Troubleshooting 1 - Scan errors" to return the count of computers for each error that occurred during the last scan for software update compliance, and then drill into this report and then drill into this report.
  • Troubleshooting 4 - Computers failing with a specific deployment error <secondary>
    This report returns all computers that have returned a specific deployment error. For best results, start with "Troubleshooting 2 - Deployment errors" to return the count of computers for each deployment, and then drill into this report.

Software Updates - F. Distribution Status

The reports in the Software Updates - F. Distribution Status category provide distribution status data for SMS 2003 clients that are targeted in a software updates deployment. The following software updates reports are in this category:

  • Distribution 1 - Advertisement Status for SMS 2003 clients
    This report lists all software distribution advertisements for the selected update. For each advertisement, it also shows the advertisement state and count of machines in that state. This report also covers additional advertisement states available for software update advertisements. The Type and Update Title, Bulletin ID, or Article ID parameters are required. You can drill down to report "Distribution 2 - SMS 2003 clients with a specific update advertisement state" to view the computers in the state.
  • Distribution 2 - SMS 2003 clients with a specific update advertisement state
    This report shows a list of computers that are in a specific state of an advertisement. This report also covers additional advertisement states available for software update advertisements. The Advertisement ID and Distribution Status parameters are required. You can limit the results by specifying a value for the Update Distribution Status parameter. You can drill down to report "Advertisement status messages for a particular client and advertisement" to shows the status messages reported for the computer and advertisement.Enjoy,

    Enjoy,
    Paddy

 

Clients Connecting over VPN Cannot Install Software Updates or Run Advertisements

Clients Connecting over VPN Cannot Install Software Updates or Run Advertisements
 

Solution

There are two possible solutions to this scenario. Select the solution that best meets your business requirements:

  • If the VPN connection is fast and reliable enough that you want these clients to be considered as if they are connected directly to the intranet at their assigned site, configure a fast boundary. This will help ensure that they can always install advertisements and software update deployments available at their assigned site when they are connected over the VPN. Consult the VPN administrator to obtain a list of possible addresses for clients when they connect over the VPN, and use this information to create a fast network boundary with these addresses. Make sure that you are informed of any VPN scope changes so that you can modify the associated boundary information.
  • If the VPN connection is not fast or reliable but selected software update deployments and advertisements are critical for VPN clients, reconfigure the software update deployments and advertisements. Configure them with the option to download content and run locally instead of the default option to not install when clients are connected within a slow network boundary. However, this can result in other clients also installing this content when they are roaming to another site if they fall back to asking their default management point for content.
 
If the VPN connection is not fast or reliable but selected software update deployments and advertisements are critical for VPN clients, reconfigure the software update deployments and advertisements. Configure them with the option to download content and run locally instead of the default option to not install when clients are connected within a slow network boundary. However, this can result in other clients also installing this content when they are roaming to another site if they fall back to asking their default management point for content.

SCCM 2007 Client General Issues

 
Configuration Manager Client General Issues
 
Folowing are the General issues with SCCM Client issues from Microsoft Web site...This section provides general troubleshooting information to help you resolve issues when managing clients in Configuration Manager 2007, which are not specifically related to installation, assignment, or mixed or native mode.

For more information about client deployment in Configuration Manager 2007, see Planning and Deploying Clients for Configuration Manager 2007.

If Configuration Manager 2007 clients are successfully installed and assigned to a site but fail to download policy, a likely reason is that either the site has no default management point or clients cannot locate it.

Solution

Make sure that a default management point is configured for the site. For more information, see How to Configure the Default Management Point for a Site.

Clients find their default management point using one of the following service location requests:

  • Active Directory Domain Services (if the schema is extended for Configuration Manager 2007)
  • DNS (if Configuration Manager 2007 is configured for DNS publishing)
  • Server locator point
  • WINS (mixed mode only)

Ensure that one of these mechanisms is available to clients. For more information, see Configuration Manager and Service Location (Site Information and Management Points).

Configuration Manager 2007 helps to ensure that each Configuration Manager 2007 client is uniquely identified. If a duplicate hardware ID is identified, by default Configuration Manager 2007 automatically creates a new client record for the duplicate record. This setting allows you to easily upgrade or deploy clients that might have duplicate hardware IDs, without requiring manual intervention. However, with this setting, a computer that has been re-imaged or restored from backup will have a new record created, which results in all previous information about that client being no longer available for reporting purposes.

An alternative configuration is to require the administrator to manually reconcile all conflicting records when they are detected. This setting results in affected clients being unmanaged and no longer displaying in collections, but displaying in the Conflicting Records node. These clients will remain unmanaged until the administrator resolves the conflict.

For more information, see the section "Managing Client Identity" in What's New in Client Deployment for Configuration Manager.

Solution

When a new record has been created, you cannot get back previous data for the client, but you can reconfigure Configuration Manager so that it does not automatically create new records in the future.

If clients are unmanaged and missing from collections, check the Conflicting Records node so that you can manually reconcile the records by merging them, creating a new record, or blocking the new record.

For more information about how to configure the site-wide setting and how to manually resolve conflicting records, see How to Manage Conflicting Records for Configuration Manager Clients.

If you view the following reports and they do not contain client data, ensure that clients are assigned to a fallback status point:

  • Client Assignment Detailed Status Report
  • Client Assignment Failure Details
  • Client Assignment Status Details
  • Client Assignment Success Details
  • Client Deployment Failure Report
  • Client Deployment Status Details
  • Client Deployment Success Report
  • Issues by incidence detail report for a specific collection
  • Issues by incidence summary report for a specific collection
  • Issues by incidence detail report for a specific site
  • Issues by incidence summary report

Solution

Assign a fallback status point to Configuration Manager 2007 clients, and view the reports from the site in which the fallback status point is installed.

Note
SMS 2003 clients do not use these reports.

For more information, see the following:

Additionally, if you are deploying a high number of clients at the same time, there might be a delay in processing all the state messages sent from the fallback status point to the site. In this scenario, wait for the data to appear and consider configuring the throttling settings on the fallback status point. For more information about the throttling settings, see Determine If You Need to Configure Throttle Settings for the Fallback Status Point in Configuration Manager.

Error conditions reported by clients might be displayed using standard Microsoft Windows error codes, without a description of the error. Or they might use error codes that are specific to Configuration Manager 2007.

Solution

For information about how to map these error codes to an error description, see http://go.microsoft.com/fwlink/?LinkId=103419.

If Configuration Manager 2007 clients fail to obtain software updates from Configuration Manager and they have an Active Directory Group Policy setting configured for software update point based client installation, a likely reason is that the Active Directory Group Policy object is incorrectly configured.

The software updates feature automatically configures a local Group Policy setting for the Configuration Manager 2007 client so that it is configured with the software update point source location and port number. Both the server name and port number are required for the software updates client to find the software update point.

If an Active Directory Group Policy setting is applied to computers for software update point client installation, this overrides the local Group Policy setting. Unless the value of the setting is exactly the same (server name and port), the Configuration Manager 2007 software updates feature will fail on the client.

The following entries appear in the software updates log file WUAHandler.log:

[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://server and Policy ENABLED]LOG

Solution

The software update point for client installation and software updates must be the same server, and it must be specified in the Active Directory Group Policy setting with the correct name format and with the port information (for example, http://server1.contoso.com:80 if the site system server is not configured to use a fully qualified domain name and is using the default Web site).

For more information, see How to Install Configuration Manager Clients Using Software Update Point Based Installation.

When you switch the Configuration Manager 2007 client to a different site mode while the installation of Background Intelligent Transfer Service (BITS) is pending a restart, the client computer might not be able to send hardware inventory files to the management point. Entries similar to the following will appear in DataTransferService.log on the client computer:

DTS::AddTransportSecurityOptionsToBITSJob - Failed to QueryInterface for IBackgroundCopyJobHttpOptions. BITS 2.5+ may not be installed properly.

Solution

Restart the computer, and then reinstall the Configuration Manager 2007 client software.

When you uninstall a Configuration Manager 2007 site without first deselecting the option Enable Software Update Point Client Installation on the Software Update Point Client Installation Properties dialog box, the client will remain published as a software update in Windows Server Update Services (WSUS). If you then reinstall a Configuration Manager 2007 site with a newer client version and publish the client to WSUS, both client versions will be published.

Solution

Clear the check box Enable Software Update Point Client Installation in the General tab of the Software Update Point Client Installation Properties dialog box before uninstalling a Configuration Manager 2007 site. You can also use the WSUS console to remove published software updates.

For more information, see How to Install Configuration Manager Clients Using Software Update Point Based Installation.

Client resynchronization is triggered when the state message system believes that data is missing from a client computer. When a high number of resynchronizations occur, this might cause a backlog of state messages that adversely affects the performance of the fallback status point server and of the Configuration Manager 2007 site server.

To identify whether clients are undergoing resynchronization, use the following SQL query to discover how many clients have resynchronized in the last seven days:

select count(*) from v_ClientMessageStatistics where LastResyncIssuedTime > DateAdd( day , -7 , GetUTCDate())

For information about creating queries, see How to Create a Query.

Solution

Wait for the backlog to clear. Alternatively, consider changing the default throttle interval on the fallback status point to limit the number of state messages sent to the site server. For more information, see Determine If You Need to Configure Throttle Settings for the Fallback Status Point in Configuration Manager.

Manually approving and blocking (or unblocking) a client is not supported from sites other than the client's assigned site. These options are not available when you right-click clients from sites higher in the hierarchy than their assigned site.

Solution

Perform these actions from the client's assigned site. For more information, see the following:

When Configuration Manager 2007 site systems are configured with a fully qualified domain name (FQDN) that is a CNAME (DNS alias) rather than the computer name registered in Active Directory Domain Services, the CNAME must be configured with a Kerberos service principal name (SPN) whenever Windows authentication is used. For example, Windows authentication is required in the following scenarios:

  • Users initiate content download from distribution points on site systems configured with CNAMEs, and the content is not configured for anonymous access.
  • The site is in mixed mode and configured with the option Automatically approve computers in trusted domains (recommended), and the management point site system is configured with a CNAME.

When Windows authentication fails in the preceding scenarios, the client records an HTTP 401 error in the log files Datatransferservice.log (for content download failures) and ccmexec.log (for automatic approval failures).

Note
If you see these 401 errors, even if the CNAME SPN is registered, it might be configured incorrectly. Re-register it using the procedure in the following solution.

Solution

For all site systems configured to use a CNAME, register the SPN using the Windows Setspn tool with the following syntax:

Setspn –A HTTP/CNAME_FQDN computername

The Setspn tool is included in Windows Server 2003 Support Tools. You can install Windows Server 2003 Support Tools from the Support\Tools folder of the Windows Server 2003 startup disk. By default, the support tools install in the folder C:\Program Files\Support Tools.

For more information about using SPNs with IIS, see the following article that explains how to use SPNs when you configure Web applications that are hosted on IIS 6.0: http://go.microsoft.com/fwlink/?LinkId=94785.

Important
If you have configured a network load balancing (NLB) management point with a CNAME, do not use this procedure for the cluster name. Instead, follow the instructions in the following topic: How to Configure an SPN for NLB Management Point Site Systems.

If clients assigned to the site can install software updates and run advertisements when they are directly connected to the intranet but not when they are connected over a virtual private network (VPN) connection, this is likely to be a configuration issue related to boundaries and the software update deployment or advertisement configuration.

If you haven't defined the VPN scope used by these clients as a boundary for their assigned site, the VPN connection will be considered to be within a slow network boundary. You will also see this issue if you have defined the VPN scope as a boundary but it is configured as a slow network boundary rather than a fast network boundary. In either of these scenarios, if software update deployments or advertisements are configured to not install for clients connected to a slow network boundary (the default configuration), VPN clients will not be able to access this content until they are connected directly to the intranet (on a defined, fast network boundary).

Solution

There are two possible solutions to this scenario. Select the solution that best meets your business requirements:

  • If the VPN connection is fast and reliable enough that you want these clients to be considered as if they are connected directly to the intranet at their assigned site, configure a fast boundary. This will help ensure that they can always install advertisements and software update deployments available at their assigned site when they are connected over the VPN. Consult the VPN administrator to obtain a list of possible addresses for clients when they connect over the VPN, and use this information to create a fast network boundary with these addresses. Make sure that you are informed of any VPN scope changes so that you can modify the associated boundary information.
  • If the VPN connection is not fast or reliable but selected software update deployments and advertisements are critical for VPN clients, reconfigure the software update deployments and advertisements. Configure them with the option to download content and run locally instead of the default option to not install when clients are connected within a slow network boundary. However, this can result in other clients also installing this content when they are roaming to another site if they fall back to asking their default management point for content.

For more information about configuring boundaries, see Planning Configuration Manager Boundaries and New Boundary Dialog Box.

For more information about when roaming clients fall back to accessing content at their assigned site from remote sites, see About Client Roaming in Configuration Manager and Example Roaming Scenarios for Configuration Manager: Simple.

When a client computer requests a user policy and finds that no policy updates are available, the message Validation data missing or invalid is generated in the log file PolicyAgent.log.

Solution

None. This is a benign error message and will not interfere with the operation of a Configuration Manager 2007 site.

If the Configuration Manager 2007 client is installed using the DISABLECACHEOPT=TRUE installation property, the user is unable to change the size of the temporary program download (cache) folder. However, the Amount of disk space to use (MB) item in the Advanced tab of the Configuration Manager Properties dialog box displays the value of 0, regardless of the size the folder has been set to.

Solution

There is currently no solution or workaround for this issue.

After client installation and at every restart of the client, the following is logged in the file CCMexec.log:

Error registering hosted class '{E67DBF56-96CA-4e11-83A5-5DEC8BD02EA8}'. Code 0x80040154

For more information about client log files, see Log Files for Managing Configuration Manager Clients.

Solution

This log entry does not identify a problem with the client and can be safely ignored.

Enjoy,

Paddy

 

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://server and Policy ENABLED]LOG

 

If Configuration Manager 2007 clients fail to obtain software updates from Configuration Manager and they have an Active Directory Group Policy setting configured for software update point based client installation, a likely reason is that the Active Directory Group Policy object is incorrectly configured.

The software updates feature automatically configures a local Group Policy setting for the Configuration Manager 2007 client so that it is configured with the software update point source location and port number. Both the server name and port number are required for the software updates client to find the software update point.

If an Active Directory Group Policy setting is applied to computers for software update point client installation, this overrides the local Group Policy setting. Unless the value of the setting is exactly the same (server name and port), the Configuration Manager 2007 software updates feature will fail on the client.

The following entries appear in the software updates log file WUAHandler.log:

[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://server and Policy ENABLED]LOG

Solution

The software update point for client installation and software updates must be the same server, and it must be specified in the Active Directory Group Policy setting with the correct name format and with the port information (for example, http://server1.contoso.com:80 if the site system server is not configured to use a fully qualified domain name and is using the default Web site).

For more information, see Microsoft web site help How to Install Configuration Manager Clients Using Software Update Point Based Installation.

 
 
Enjoy,
Paddy