
Tuesday, October 5, 2010

WSUS Wiki and troubleshooting WSUS

The WSUS Team Blog has a nice article about troubleshooting WSUS. It references the site http://www.wsuswiki.com/.

This site was created to provide a place for the WSUS community to share information about WSUS, including troubleshooting steps and best practices. The advantages that this site provides over public news groups include:

  • Content on this site is edited and kept up-to-date. News group postings can get out of date, can contain incorrect information, and are often not corrected.
  • It is easier for readers to find information on this site than in the news group.
  • This site captures minor contributions from many users and both aggregates and persists them over time. This body of work grows and gets better over time whereas newsgroups just grow.
  • It is fun to edit pages and improve on contributions of others. You cannot really do that with news groups.

It also references several troubleshooting tips for successful configuration of WSUS.

Check it out.

Wednesday, June 30, 2010

Microsoft Security Bulletin Minor Revisions

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: June 30, 2010
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS10-041 - Important
* MS10-040 - Important
* MS10-038 - Important
* MS09-040 - Important

Bulletin Information:
=====================

* MS10-041 - Important

- http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx
- Reason for Revision: V1.3 (June 30, 2010): Corrected the registry
   key verification for Microsoft .NET Framework 3.5 and
   Microsoft .NET Framework 2.0 Service Pack 2.
- Originally posted: June 8, 2010
- Updated: June 30, 2010
- Bulletin Severity Rating: Important
- Version: 1.3

* MS10-040 - Important

- http://www.microsoft.com/technet/security/bulletin/ms10-040.mspx
- Reason for Revision: V1.1 (June 30, 2010): Added a link to
   Microsoft Knowledge Base Article 982666 under Known Issues in
   the Executive Summary to address the issue where specific
   installations of IIS fail on restart after installing this
   security update.
- Originally posted: June 8, 2010
- Updated: June 30, 2010
- Bulletin Severity Rating: Important
- Version: 1.1

* MS10-038 - Important

- http://www.microsoft.com/technet/security/bulletin/ms10-038.mspx
- Reason for Revision: V1.2 (June 30, 2010): Added a link to
   Microsoft Knowledge Base Article 2027452 under Known Issues
   in the Executive Summary.
- Originally posted: June 8, 2010
- Updated: June 30, 2010
- Bulletin Severity Rating: Important
- Version: 1.2

* MS09-040 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-040.mspx
- Reason for Revision: V1.1 (June 30, 2010): Added a link to
   Microsoft Knowledge Base Article 971032 under Known Issues in
   the Executive Summary.
- Originally posted: August 11, 2009
- Updated: June 30, 2010
- Bulletin Severity Rating: Important
- Version: 1.1

Thursday, June 24, 2010

Windows Update Explained

Source, reproduced as is:

http://download.microsoft.com/download/a/9/4/a94af289-a798-4143-a3f8-77004f7c2fd3/Windows%20Update%20Explained.docx

How the Software Update Service Works and Why it Matters to You

Published: September 2008

For more information, please see http://www.microsoft.com/windows/downloads/windowsupdate/default.mspx

Contents

Introduction
The Problem with Keeping Computers Up to Date
Windows Update to the Rescue
Windows Update for Individual Computers
Windows Update in Windows Vista
Windows Update in Windows XP
Updating Networked Computers
Windows Server Update Services
Customizing Windows Server Update Services
How Updating Works
Checking for updates
Downloading updates
Installing Updates
Rebooting your computer
Reporting
When the Windows Update Client is Updated
Security Protections in Windows Update
Additional Resources


Introduction

We’ve all heard about or even experienced the havoc that computer viruses and other malicious software can cause to PCs and computer networks. Computer hackers are constantly trying to find ways to attack networks and computers with the intent of committing fraud and other crimes. When they succeed, individuals and enterprises can lose a great deal of time and money. In spite of their high cost and the headaches they cause, many security breaches are easily avoidable. The security fixes are available, but users don’t get them installed quickly enough (or at all).

Have you ever wondered what Microsoft is doing to help? Or did you know that Microsoft® Windows® Update is an important part of the solution, but weren’t sure exactly what it does or how it works? If so, this paper is for you.

For individual PC users, this paper will help you understand how to use Windows Update to keep your PC up to date, not only to help protect it from malicious software, but to keep it functioning at its best. If you’re responsible for networked computers, this paper will help you understand how Windows Update and Windows Server® Update Services (WSUS) can help protect groups of computers.

The Problem with Keeping Computers Up to Date

With Internet usage increasing, it’s more important than ever to keep your PC protected from malicious code. Understanding this, the people at Microsoft have been hard at work to help ensure that your PC continues to function well and that your personal information is very safe. Special teams at Microsoft proactively search for security vulnerabilities in Microsoft software and provide security updates. One of those teams is the Microsoft Security Response Center (MSRC). The MSRC is on call 24 hours a day, 7 days a week and dedicated to identifying, monitoring, resolving, and responding to Microsoft software security vulnerabilities.

In addition to security updates, Microsoft provides other software updates that make your computer run better and give you a better Windows experience. For example, an update may fix an issue with a hardware device, improve the performance of your computer, or deliver improved Windows features.

Downloading and installing the latest software updates, particularly security updates, quickly and consistently on your PC is vital to maintain both its security and its proper functioning. For network administrators, applying updates on computers across your organization—small, medium, or large—is a crucial measure for keeping your systems secure and running properly. Yet doing this manually requires constant time and attention, which many people simply don’t have available for the task. There must be an easier way!

Windows Update to the Rescue

Fortunately, there is an easier way, thanks to Windows Update, a free, built-in service included with Windows. This service helps you keep your PC more secure and reliable as well as compatible with devices and applications. It provides a single location for getting updates and scheduling automatic updating.

Using Windows Update by itself, you get updates for Windows and new or updated hardware drivers. For the other Microsoft software installed on your computer, use Microsoft Update. By turning on Microsoft Update, you get all of the benefits of Windows Update, but you get security and non-security updates for your other Microsoft software, such as Microsoft Office and the Windows Live™ network of internet services. Turning on Microsoft Update is recommended for all Windows PCs. To turn on Microsoft Update, go to http://update.microsoft.com/microsoftupdate.

Windows Update for Individual Computers

It is easy to improve the security and reliability of your PC, and take advantage of the continuous improvements Microsoft makes to Windows. Just use this four-step process:

1. Turn on Windows Update. You probably did this when you set up your new PC by selecting the option to “Help protect Windows automatically.”

2. Use the recommended settings. Windows Update is designed to work automatically and not interrupt you while you’re working on other things. Using the recommended settings, you get all of the benefits from the service, such as quick delivery of very important security updates, and you get them with fewer interruptions.

3. Turn on Microsoft Update. Microsoft Update includes updates for both Windows and other Microsoft products. This makes it easy to keep all your Microsoft software updated. To turn on Microsoft Update, go to http://update.microsoft.com/microsoftupdate.

4. Check Windows Update periodically. You will find a list of lower priority recommended and optional updates that you can choose to download and install. These include driver updates, new product features, and so forth. These updates will keep your PC functioning smoothly.

Windows Update has slightly different settings in the Windows Vista® and Microsoft Windows XP operating systems, as described in the following sections. For more information about Windows Update and its features, see http://www.microsoft.com/windows/downloads/windowsupdate/default.mspx.

Windows Update in Windows Vista

In Windows Vista, you can configure Windows Update settings and view and install updates from Windows Update in your Control Panel. If you go to the Windows Update Web site (http://update.microsoft.com), Windows Update opens automatically.

Getting Help in Windows Vista

Windows Update Help provides complete information and procedures for using Windows Update. To open it, click the Help button in the upper-right corner of the Windows Update control panel.

Figure 1: Windows Update control panel in Windows Vista

To configure or change settings, click the Change settings link in the left navigation pane. The Change settings screen displays.

Figure 2: Change settings screen in Vista

The most secure option is Install updates automatically (recommended). When you choose this option, you don't have to worry that critical fixes for Windows might be missing from your computer if you don’t have time to install them personally. Nor must you worry about Windows Update slowing down your PC’s Internet connection, while it downloads updates, because it operates in the background in a way that won’t interfere with your Internet usage. For more information about how Windows Update behaves during the download and installation process, see “How Updating Works,” later in this paper.

Updates in Windows Vista

Important updates offer significant benefits, such as improved security and reliability. Examples include security and critical reliability updates.

Recommended updates address non-critical problems and help enhance your computing experience. Examples include upgrades to Windows features and less important software updates.

Optional updates are not downloaded or installed automatically. Examples include less critical driver updates and new Windows or Microsoft software.

You can choose to have updates downloaded automatically and then install them manually, or you can choose to both download and install updates manually. In either case, Windows Update still continuously checks for updates automatically and notifies you when important or recommended updates are available. Still, the most convenient and secure option is to make both download and installation automatic.

Even if your PC is configured for automatic updating, you should periodically check that important updates have been installed and also check for Optional updates. To do this, click the Check for updates link in the left navigation pane of the Windows Update control panel. On the screen that displays, you can review any available updates and install them.

Windows Update in Windows XP

In Windows XP, check for updates from the Windows Update Web site http://update.microsoft.com, and configure automatic updating settings from the Automatic Updates program in Control Panel, shown in the following figure.

Getting Help in Windows XP

For general Windows Update help and support go to http://update.microsoft.com and click Get help and support in the left-hand navigation pane.

To get help for the Automatic Updates program in Control Panel, click How does Automatic Updates work?

Figure 3: Automatic Updates control panel in Windows XP

The most secure option is Automatic (recommended). When you choose this option, you don't have to worry that critical fixes for Windows might be missing from your computer.

Updates in Windows XP

High-priority updates offer significant benefits, such as improved security and reliability. Examples include security and critical reliability updates.

Optional updates are not downloaded or installed automatically. You need to manually view and install these updates from within Windows Update. Examples include less important software updates, drivers, updates to Windows features, and new Windows or Microsoft software.

You also don’t need to worry about Windows Update slowing down your PC’s Internet connection and computer. It is designed to operate in the background and minimize interruptions. For more information about how Windows Update behaves during the download and installation process, see “How Updating Works,” later in this paper.

You can choose to have updates downloaded automatically and then install them manually, or you can choose to both download and install updates manually. In either case, Windows Update still continuously checks for most updates automatically and notifies you when High-Priority updates are available. Still, the most convenient and secure option is to let Windows Update download and install updates automatically.

With Windows XP, you should check the Windows Update Web site regularly because many of the updates that improve your experience with Windows are not installed automatically. To view all of the available updates, first make sure you upgrade to Microsoft Update, and then click the Custom button, as shown in the following figure.

Figure 4: Windows Update Web site for Windows XP

Updating Networked Computers

Windows Update makes it easy to automatically update a home computer or small group of business computers. However, if you are managing a network of 10 or more computers, you may want to manage the update process for computers on your network. By managing the update process, you have more control over which updates are installed and when they are installed.

Windows Server Update Services

Windows Server Update Services (WSUS) is a free add-on for the Windows Server operating system to help network administrators manage updates for computers. By using WSUS with Active Directory® group policy, administrators can fully manage update settings and the distribution of updates for computers on their network. To find out more about using WSUS, go to the Windows Software Update Services (WSUS) Web site http://technet.microsoft.com/en-us/wsus/default.aspx.

Note: Microsoft also provides the System Center Family of business software for fully managing (including updates) desktop computers and servers in medium to large organizations. For more information, see http://www.microsoft.com/systemcenter/en/us/default.aspx.

Customizing Windows Server Update Services

Microsoft provides a complete, programmable, and scriptable API that network administrators and software developers can use to create custom updating behaviors for WSUS. System administrators can use the WSUS API to determine which updates apply to a computer or group of computers, download those updates, and install them with little or no user intervention. Independent software vendors and developers can integrate WSUS features into computer management or update management software to provide a seamless operating environment. For more information, see http://msdn.microsoft.com/en-us/library/bb905331.aspx.

How Updating Works

During the updating process, the Windows Update client operates in the background to download and install updates. (The Windows Update client is the Windows Update component running on your PC.) It does this automatically, according to your settings, and in a “silent” manner that doesn’t disrupt your computer usage. This section describes how Windows Update behaves during the update process.

Checking for updates

The Windows Update client on your PC checks the Windows Update server at Microsoft for the availability of new updates at random intervals, every 17 to 22 hours. The randomization ensures that the Windows Update server is not overloaded with requests for updates all at the same time. The client is very efficient in checking for new updates and searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.

When checking for updates, the Windows Update client evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office.

If the computer is not online at the time you specified to check for updates, then the Windows Update client begins checking every five hours until it successfully finds updates. If more than 30 days have gone by without successfully finding updates, the client will notify you. If you should receive such a notification, you should connect your computer to the Internet, go to the Windows Update Web site, and check for updates.

Downloading updates

Once the Windows Update client determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer.

To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Background Intelligent Transfer Service (BITS) technology which downloads updates using idle bandwidth. This technology ensures that Windows Update downloads only when no other active download is in progress on the computer. This allows you to smoothly carry on day-to-day activities even while updates are being downloaded in the background.

Windows Update also supports pausing and restarting downloads. You do not have to worry if you need to shut down your computer, or if you have lost your Internet connection while an update is downloading. Once the connection is reestablished, the download will continue where it left off.

Installing Updates

When downloading is complete, depending on your Windows Update settings, the Windows Update client either installs the updates automatically, or else it notifies you of the download without performing the installation. You do not need to be logged in to your computer for Windows Update to automatically install updates.

When you install Microsoft software

When you install or reinstall a program, you must reinstall updates that came out after the installation CD or installer was created. For some programs there may be multiple updates available and some updates may require a previously released update to be installed.

When the option to automatically install updates is configured, the Windows Update client tries to install updates as they become available. For example, if updates are available when you begin shutting down your computer, it gives you the option to install the updates before shutting down the computer. Otherwise, it installs them during the time you have specified for updates to be automatically installed. The default time for updates to be automatically installed is 3:00 AM daily.

If your computer is not turned on during the scheduled time for installing updates, the Windows Update client will try to wake up the PC (if the PC was asleep), or wait for the PC to be turned on again. As soon as the PC is running again, it will install the updates.

Rebooting your computer

When the option to automatically install updates is configured, the Windows Update client, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. To reduce the number of computer restarts required, the client attempts to install as many updates as possible together. If you are using the computer, you may be given the option to postpone the restart.

Most updates can be installed automatically without any user intervention. Some updates, however, such as service packs require the user to provide explicit consent. These are not automatically installed. When you install updates manually, be sure to restart your PC if prompted to do so. Otherwise, the PC may not be updated until a restart is performed.

Reporting

The Windows Update client reports back to Microsoft regarding which updates have installed successfully and which, if any, failed to install. This helps the Windows Update team verify the quality of the updates provided by Windows Update. No personally identifiable information (PII) is sent to Microsoft or stored by Microsoft with the report. For more information, read the Windows Update privacy statement online at http://update.microsoft.com/windowsupdate/v6/vistaprivacy.aspx?ln=en-us.

The Windows Update client keeps a log of all the different actions it performed on a particular computer at %windir%\windowsupdate.log. On Windows Vista, this log is available from the Windows Update control panel.

When the Windows Update Client is Updated

From time to time, Microsoft needs to update and enhance the Windows Update service, and that includes updating the Windows Update client software on your PC. If Windows Update is configured to check for updates, it installs a newer version of the Windows Update client automatically, so that it can continue to check for updates. If Windows Update is completely turned off, the client is not updated. If the client doesn’t update automatically then it may not be able to notify you about new updates. For this reason, Windows Update always updates the client automatically before checking for other updates. Given how important it is to maintain the quality of the update service, Windows Update always updates itself when it is turned on, regardless of whether you've chosen the option to have updates automatically installed or to be notified that they are available so that you can manually install them. If you have automatic updating turned off completely, the next time you manually check for updates, you will be prompted to update the Windows Update client before installing any updates.

Security Protections in Windows Update

Windows Update implements many security checks and restrictions to ensure that the security of your computer is not compromised. The most critical checks validate the authenticity and quality of the software and updates that are installed on a machine. Some of the ways in which Windows Update maintains the integrity of the updates that get installed are as follows:

1. Windows Update uses the Secure Socket Layer (SSL) protocol to send and receive information. SSL encrypts the information being transferred, prevents hackers from tampering with it, and verifies that the Windows Update agent is transferring data from an authorized Microsoft server.

2. Each update is individually signed using the Secure Hashing Algorithm (SHA-1). This technology allows Windows Update to confirm that the update has been downloaded correctly and hasn’t been changed by anyone. The update signature is also compared to information in the update metadata that was previously downloaded.

3. Windows Update also checks for the certificate associated with each update. This certificate provides a means for Windows Update to validate the source of each update. Currently Windows Update will only install updates that have certificates issued by Microsoft or other providers that are trusted by Microsoft.

Windows Update has many more internal security checks and controls. For example, Windows Update ensures that any action that can make your machine less secure (like turning off Windows Update) can only be performed by an authorized administrator.

To help keep your PC more secure and reliable, it's a good idea to install new updates as soon as they're available. The easiest way to install updates is to use the Windows Update service and make sure automatic updating is turned on. Now that you know how important—and easy—it is, be sure to check your Windows Update settings today.

Additional Resources

For additional information about configuring and using Windows Update or to find a discussion group, see the Windows Update Home Page. http://www.microsoft.com/windows/downloads/windowsupdate/default.mspx

For help and support, including solutions for top issues with using Windows Update and explanations of error messages, see the Microsoft Update Solution Center. http://support.microsoft.com/ph/6527#tab3

For information about managing Windows Update on an enterprise network, see the Update Management Tech Center.
http://technet.microsoft.com/en-us/updatemanagement/bb259683.aspx

To learn how Microsoft monitors and responds to security issues, see the Microsoft Security Response Center Web site. It offers tools such as an alert service, monthly webcast, blog, and Really Simple Syndication (RSS) feeds to help you stay current with security-related updates and information for Windows. http://www.microsoft.com/security/msrc/default.mspx

To learn about new security updates, find how-to articles and security tips, and get answers to security-related questions, see the Microsoft Security at Home Web site for the free, monthly Security Newsletter for Home Users from Microsoft. http://www.microsoft.com/protect/default.mspx

For a clearinghouse of information and links about protecting your computer, see http://www.microsoft.com/protect/computer/updates/default.mspx.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, the Security Shield logo, Windows, Windows Live, Windows Vista, Windows Server, the Windows logo, and the Windows Update Icon are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Monday, June 14, 2010

Collections based on software updates deployment status in Configuration Manager

ConfigMgr sccm patching status based collections

LastEnforcementMessageID   LastEnforcementMessageName
1                          Enforcement started
3                          Waiting for another installation to complete
6                          General failure
8                          Installing update
9                          Pending system restart
10                         Successfully installed update
11                         Failed to install update
12                         Downloading update
13                         Downloaded update

In this example we want the machines whose status is pending restart, so the WQL query for the collection should look like this:

select 
SMS_R_SYSTEM.ResourceID,
SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
from
sms_r_system AS sms_r_system
inner join SMS_UpdateComplianceStatus as c on c.machineid=sms_r_system.resourceid
where
c.LastEnforcementMessageID = 9
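
The collection above isolates a single state. As an added example (not part of the original post), the following Python sketch applies the whole LastEnforcementMessageID table to exported compliance rows and places each machine in the bucket of its worst state, so that failed, restart-pending and unlisted states are never counted as patched. The row layout (machine name, update, ID), the machine names, the triage order and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# LastEnforcementMessageID -> LastEnforcementMessageName, as listed in the post.
ENFORCEMENT_STATES = {
    1: "Enforcement started",
    3: "Waiting for another installation to complete",
    6: "General failure",
    8: "Installing update",
    9: "Pending system restart",
    10: "Successfully installed update",
    11: "Failed to install update",
    12: "Downloading update",
    13: "Downloaded update",
}

# Assumed triage order (not from the post): the first bucket that matches any
# update on a machine decides where that machine is reported.
TRIAGE_ORDER = [
    ("failed", {6, 11}),
    ("pending_restart", {9}),
    ("in_progress", {1, 3, 8, 12, 13}),
    ("installed", {10}),
]

# Constructed sample rows: (machine, update, LastEnforcementMessageID),
# one row per machine and update. Machine names are made up.
SAMPLE_ROWS = [
    ("WS-001", "MS10-033", 10),
    ("WS-001", "MS10-035", 9),
    ("WS-002", "MS10-033", 10),
    ("WS-002", "MS10-035", 10),
    ("SRV-WEB1", "MS10-040", 11),
    ("SRV-WEB1", "MS10-035", 9),
    ("WS-003", "MS10-035", 12),
    ("WS-004", "MS10-035", 4),  # 4 does not appear in the post's table
]


def triage(rows):
    """Return {bucket: {machine: [(update, state_name), ...]}}.

    Each machine appears in exactly one bucket, together with the updates
    that put it there.
    """
    per_machine = defaultdict(list)
    for machine, update, state_id in rows:
        per_machine[machine].append((update, state_id))

    report = {bucket: {} for bucket, _ in TRIAGE_ORDER}
    report["unknown"] = {}
    for machine, updates in sorted(per_machine.items()):
        # An ID outside the table needs a human look, whatever else is present.
        unlisted = [(u, f"unlisted ID {s}") for u, s in updates
                    if s not in ENFORCEMENT_STATES]
        if unlisted:
            report["unknown"][machine] = unlisted
            continue
        for bucket, ids in TRIAGE_ORDER:
            hits = [(u, ENFORCEMENT_STATES[s]) for u, s in updates if s in ids]
            if hits:
                report[bucket][machine] = hits
                break
    return report


def needs_attention(report):
    """Machines that cannot yet be reported as fully patched."""
    machines = set()
    for bucket, members in report.items():
        if bucket != "installed":
            machines.update(members)
    return sorted(machines)


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for bucket, members in result.items():
        for machine, updates in members.items():
            print(f"{bucket:16} {machine:10} {updates}")
    print("needs attention:", ", ".join(needs_attention(result)))
```
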

Wednesday, June 9, 2010

It's Microsoft Patch Tuesday: June 2010

Security Patches

MS10-032/KB979559 - Important (2000, XP, 2003, Vista, 7, 2008, 2008 R2): A trio of bugs in the Windows kernel can allow the use of malformed fonts to allow escalation of privileges attacks. It would be a bit hard to sneak a font onto the system without some sort of install privileges anyways, which is why this patch can wait until your next patch cycle. 1.0MB - 4.3MB

MS10-033/KB979902 - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): This patch addresses a pair of vulnerabilities in Windows’ media subsystem which allows specially crafted media files and streaming content to execute remote code execution exploits. One of the vulnerabilities is less serious than the other, but you should patch your systems immediately all the same. Depending on your system, you may need to install up to four separate patches to address the issues. 105KB - 4.8MB

MS10-034/KB980195 - Critical (2000, XP, Vista, 7)/Moderate (2003, 2008, 2008 R2): This patch updates the ActiveX kill bits and fixes two bugs in ActiveX that could allow remote code execution attacks. If you allow ActiveX on your desktops (which you shouldn’t, other than for internal sites), install this immediately, otherwise, wait until your next patch cycle. 26KB - 1.0MB

MS10-035/KB982381* - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): Five security holes in Internet Explorer 5, 6, 7, and 8 which can allow remote code execution attacks are fixed with this cumulative update. Some of them are rated as “Moderate” but I don’t see any specific combination of IE version and OS that does not make it “critical.” I would install this patch immediately. 3.3MB - 48.4MB

MS10-036/KB983235 - Important (Office XP, Office 2003, Office 2007): COM validation in Office has a bug which can allow remote code execution attacks. Since you should not be allowing COM to be running in Office from outside sources, this is a less risky bug than it could be. Patch your systems on the next scheduled times. 2.9 - 15.5MB

MS10-037/KB980218 - Important (2000, XP, Vista, 7, 2003, 2008, 2008 R2): Another font handling issue is allowing escalation of privileges attacks across all versions of Windows. Like MS10-032, this one can wait until your next regular patch period. 496KB - 1.3MB

MS10-038/KB2027452* - Important (Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac, Excel Viewer, Office Compatibility Pack for Office 2007 File Formats): A whopping fourteen security bugs in the way Microsoft Office opens files are fixed with this patch. The worst can result in remote code execution attacks. Microsoft says this one is “Important” but I call it “Critical” due to the widespread use of Office, and I suggest that you patch immediately. 9.7MB - 332.8MB

MS10-039/KB980218 - Important (InfoPath 2003, InfoPath 2007, Office SharePoint Server 2007, Windows SharePoint Services 2.0): Three problems with SharePoint are fixed with this patch. The issues allow an attacker to perform a variety of attacks, including an escalation of privileges attack if a SharePoint user clicks on a malformed link in SharePoint. This is not a burning issue and the patch can wait until your usual patch time. 2.9MB - 109.3MB

MS10-040/KB982666 - Important (Vista, 7, 2003, 2008, 2008 R2): Computers running IIS 6, 7, and 7.5 are vulnerable to a remote code execution attack that will run with full privileges when an attacker sends a malformed HTTP request. Microsoft calls this patch “Important” but I think that understates the issue for servers. I would patch servers immediately, and leave desktops for the regular patch cycle. 43KB - 4.0MB

MS10-041/KB981343* - Important (2000, XP, Vista, 7, 2003, 2008, 2008 R2): A problem affecting all versions of the .NET Framework’s handling of signed XML content could allow the data to be altered without being detected. This is a fairly minor issue, so this patch can wait until you do your normal patching. 123KB - 2.2MB

Sunday, May 16, 2010

Configure Proxy Settings Used When Downloading Software Update Files

By default, software update files are downloaded from the Internet using the credentials of the logged-on user and the proxy settings configured for the user in Internet Explorer. The UpdDwnldCfg.exe utility is available on the Configuration Manager 2007 DVD and on every site server. It can be used to modify the server and account credentials used to access the Internet through the following components:

When running the UpdDwnldCfg.exe utility to modify the server and account credentials, the following switches can be used:

  • /s: Specifies the name of the firewall, proxy server, or ISA server computer, and the port number that is used when downloading software update files from the Internet.
  • /u: Specifies the user account that is used to connect through the firewall, proxy server, or ISA server.
  • /clean: Removes the server and account settings previously configured by running upddwnldcfg.exe.

Use the following procedures to modify the server and account settings used when software update files are downloaded from the Internet and to remove the settings previously configured by using the UpdDwnldCfg.exe utility.

To modify the server and account settings used when downloading software update files

  • On the site server, run <ConfigMgrInstallationFolder>\bin\<platform>\<language>\UpdDwnldCfg /s:<servername>:<port> /u:<username>. For example, for x86 and English (US), run <ConfigMgrInstallationFolder>\bin\i386\00000409\UpdDwnldCfg /s:MyProxy:80 /u:MyAccount.

 

1. When you run the UpdDwnldCfg command, you are prompted to enter the password and confirmation at the command line.

2. The information you enter is stored in HKCU\Software\Microsoft\SMS\VPCache.

   a. It is stored on the machine you run upddwnldcfg on, not the site server.

   b. Because it is under HKCU, it is a per-user setting, so the utility needs to be run on each machine (terminal server) and for each user who uses a console.

3. This is good and bad:

   a. You can have different users pointing at different proxy servers if required.

   b. You can have each user using their own credentials.

   c. But you need to run it for each user on each machine.

Confirming Patch download credentials from the patchdownloader.log file

 


Wednesday, April 28, 2010

Updates : Superseding and Superseded Updates : Complete Story

Superseding and Superseded Updates

Typically, an update that supersedes other updates does one or more of the following:

  • Enhances, improves, or adds to the fix provided by one or more previously released updates.
  • Improves the efficiency of its update file package, which is installed on client computers if the update is approved for installation. For example, the superseded update might contain files that are no longer relevant to the fix or to the operating systems now supported by the new update, so those files are not included in the superseding update's file package.
  • Updates newer versions of a product, or in other words, is no longer applicable to older versions or configurations of a product. Updates can also supersede other updates if modifications have been made to expand language support. For example, a later revision of a product update for Microsoft Office might remove support for an older operating system, but add additional support for new languages in the initial update release.

Conversely, an update that is superseded by another update does the following:

  • Fixes a similar vulnerability in the update that supersedes it. However, the update that supersedes it might enhance the fix or modify the applicability to client computers that the superseded update provides.
  • Updates earlier versions or configurations of products.

On the WSUS console, the WSUS update page clearly indicates those updates that have a superseded or superseding relationship with an earlier version. The Details tab also includes "Superseded by" and "Supersedes" status information for updates, in addition to KB links containing more information about each update.

WSUS does not automatically decline superseded updates, and it is recommended that you do not assume that superseded updates should be declined in favor of the new, superseding update. Before declining a superseded update, make sure that it is no longer needed by any of your client computers. These are three possible scenarios in which you might need to install a superseded update:

  • If a superseding update supports only newer versions of an operating system, and some of your client computers run earlier versions of the operating system.
  • If a superseding update has more restricted applicability than the update it supersedes, which would make it inappropriate for some client computers.
  • If an update no longer supersedes a previously released update because of new changes. It is possible that, through changes at each release, an update no longer supersedes an update it previously superseded in an earlier version.
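The pre-decline check described above, as an added example (not from the original post and not WSUS code): it models updates and clients as constructed in-memory data and reports which clients would lose coverage if a superseded update were declined. The `Update` fields, the KB placeholders and the client names are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Update:
    kb: str
    applicable: set                                   # clients the update's applicability rules match
    installed: set = field(default_factory=set)       # clients that already have it
    approved: bool = False                            # approved for installation
    supersedes: set = field(default_factory=set)      # KBs this update directly supersedes


def superseding(kb, updates):
    """All updates that supersede `kb`, directly or through a chain."""
    found, frontier = set(), {kb}
    while frontier:
        frontier = {u.kb for u in updates.values() if u.supersedes & frontier} - found
        found |= frontier
    return found


def clients_blocking_decline(kb, updates):
    """Clients that still need `kb` and are not covered by any superseding update."""
    old = updates[kb]
    still_need = old.applicable - old.installed
    covered = set()
    for newer_kb in superseding(kb, updates):
        newer = updates[newer_kb]
        covered |= newer.installed            # client already has the newer fix
        if newer.approved:
            covered |= newer.applicable       # client will be offered the newer fix
    return still_need - covered


def safe_to_decline(kb, updates):
    """True only for a superseded update that no client depends on any more."""
    return bool(superseding(kb, updates)) and not clients_blocking_decline(kb, updates)


def declinable(updates):
    return sorted(kb for kb in updates if safe_to_decline(kb, updates))


def sample_inventory():
    """Constructed data covering the scenarios listed above."""
    items = [
        # Superseding update supports only the newer OS: xp-01 still needs the old one.
        Update("KB-OLD-A", {"xp-01", "win7-01"}),
        Update("KB-NEW-A", {"win7-01"}, approved=True, supersedes={"KB-OLD-A"}),
        # Chain OLD-B <- MID-B <- NEW-B, with the newest approved for every client.
        Update("KB-OLD-B", {"xp-01", "win7-01"}, installed={"xp-01"}),
        Update("KB-MID-B", {"xp-01", "win7-01"}, supersedes={"KB-OLD-B"}),
        Update("KB-NEW-B", {"xp-01", "win7-01"}, approved=True, supersedes={"KB-MID-B"}),
        # Superseding update exists but has not been approved yet.
        Update("KB-OLD-C", {"srv-01"}),
        Update("KB-NEW-C", {"srv-01"}, supersedes={"KB-OLD-C"}),
    ]
    return {u.kb: u for u in items}


if __name__ == "__main__":
    inv = sample_inventory()
    for kb in sorted(inv):
        if superseding(kb, inv):
            print(kb, "blocked by", sorted(clients_blocking_decline(kb, inv)) or "nobody")
    print("safe to decline:", declinable(inv))
```

An update is reported as declinable only when a superseding update exists and every client that still needs the old one either has a newer one installed or falls within the applicability of an approved newer one.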

 

Expired Updates

An expired update is an update that has been invalidated by Microsoft. An expired update can also be an update that has been superseded by the release of another update (new or revised) that fixes or enhances functionality or applicability offered by the expiring update. In this case, the superseding update should be approved in place of the expired update. An update that is expired can no longer be approved for detection or installation.

 

Some sample superseded updates:

 

MS10-006 superseded by KB980232
MS10-009 superseded by KB978338
MS10-015 superseded by KB979683

Thursday, April 15, 2010

Deploy Office 2007 SP2 with ConfigMgr 2007

As Microsoft recently released Service Pack 2 for the Office 2007 suite, it is a good idea to add the update files to the package so that it can be deployed during the installation.

So, first of all we have to download the SP2 executable file from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=b444bf18-79ea-46c6-8a81-9db49b4ab6e5&displaylang=en (see additional information below).

Then, using a command prompt window, extract the content of the package to a folder you can browse to.


Accept EULA and click Continue.


Select a folder to extract the files to.


When the extraction is complete, you should have the following files:

[Screenshot: folder structure]

At this point, you can delete the office2007sp2-kb953195-fullfile-en-us.exe file. Copy the other 9 files to the “Updates” folder in your Office 2007 source folder.

Now you only have to update the distribution point(s); the next time Office 2007 is installed, the SP2 update will be applied during the Office 2007 installation.

The same steps are valid for Visio and Project 2007.

Microsoft Office Visio 2007 Service Pack 2 (SP2) can be downloaded from here: http://www.microsoft.com/downloads/details.aspx?familyid=78E36742-8BDA-471E-88E6-9B561BB06258&displaylang=en.
Microsoft Office Project 2007 Service Pack 2 (SP2) can be downloaded from here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c126fa4a-b43f-4f7e-a9d4-522e92a6cfee.

Thursday, May 7, 2009

Custom Error Codes for Configuration Manager 2007

Client Custom Error Codes

 

Error Code Description

CCM_ERRORCODE(0x80040200) NAMENOTFOUND 2147746304

Name not found

CCM_ERRORCODE(0x80040201) BADNAMEFORMAT 2147746305

Incorrect name format

CCM_ERRORCODE(0x80040202) SERVICESHUTDOWN 2147746306

Service is shutting down

CCM_ERRORCODE(0x80040203) DATAEMPTY 2147746307

No data supplied

CCM_ERRORCODE(0x80040204) DATATOOLARGE 2147746308

Data too large

CCM_ERRORCODE(0x80040205) INVALIDPATH 2147746309

Invalid path

CCM_ERRORCODE(0x80040206) INVALIDFILE 2147746310

Invalid file

CCM_ERRORCODE(0x80040207) PARSE 2147746311

Parsing error

CCM_ERRORCODE(0x80040208) INVALIDCOMMAND 2147746312

Invalid command

CCM_ERRORCODE(0x80040209) DATATYPEMISMATCH 2147746313

Data type mismatch

CCM_ERRORCODE(0x80040210) INVALIDTRANSLATOR 2147746320

Invalid Translator

CCM_ERRORCODE(0x80040211) INVALIDADDRESS 2147746321

Invalid Address

CCM_ERRORCODE(0x80040212) CONTEXTCLOSED 2147746322

Context is closed

CCM_ERRORCODE(0x80040213) TIMEOUT 2147746323

Timeout occurred

CCM_ERRORCODE(0x80040214) INVALIDNAMELEN 2147746324

Invalid name length

CCM_ERRORCODE(0x80040215) ITEMNOTFOUND 2147746325

Item not found

CCM_ERRORCODE(0x80040216) INVALIDSERVICEPARAM 2147746326

Invalid service parameter. The WMI file could be corrupt or there was a manual change to a site control file.

CCM_ERRORCODE(0x80040217) DATACORRUPT 2147746327

Data is corrupt

CCM_ERRORCODE(0x80040218) INVALIDSERVICESETTING 2147746328

Invalid service settings

CCM_ERRORCODE(0x80040219) GLOBALSERVICENOTSET 2147746329

Global service not set

CCM_ERRORCODE(0x80040220) INVALIDTYPE 2147746336

Invalid type

CCM_ERRORCODE(0x80040221) INVALIDUSER 2147746337

Invalid user. An operation for a user that is not logged on is in process or the user account is invalid.

CCM_ERRORCODE(0x80040222) CANCELLED 2147746338

Operation cancelled

CCM_ERRORCODE(0x80040223) VERSIONMISMATCH 2147746339

Version mismatch

CCM_ERRORCODE(0x80040224) INVALIDMESSAGE 2147746340

Invalid message

CCM_ERRORCODE(0x80040225) INVALIDADDRESSTYPE 2147746341

Invalid address type

CCM_ERRORCODE(0x80040226) INVALIDPROTOCOL 2147746342

Invalid protocol

CCM_ERRORCODE(0x80040227) DISABLED 2147746343

Functionality disabled

CCM_ERRORCODE(0x80040228) INVALIDENDPOINT 2147746344

Invalid endpoint

CCM_ERRORCODE(0x80040229) GETCREDENTIALS 2147746345

Failed to get credentials

CCM_ERRORCODE(0x80040230) LOGONUSER 2147746352

Error logging on as given credentials

CCM_ERRORCODE(0x80040231) TRANSIENT 2147746353

Transient error that could indicate a network problem.

CCM_ERRORCODE(0x80040232) MESSAGENOTSIGNED 2147746354

Message not signed

CCM_E_MESSAGENOTTRUSTED (0x80040233) 2147746355

Message not trusted

CCM_ERRORCODE(0x80040234) INTERNALENDPOINT 2147746356

Internal endpoint cannot receive a remote message

CCM_ERRORCODE(0x80040235) PARSE_SYNTAX 2147746357

Syntax error occurred while parsing

CCM_ERRORCODE(0x80040236) LOWMEMORY 2147746358

Low memory.

CCM_ERRORCODE(0x80040237) REPLYMODE_INCOMPATIBLE 2147746359

Reply mode incompatible

CCM_ERRORCODE(0x80040238) PUBLIC_KEY_NOT_FOUND 2147746360

Public key not found

CCM_ERRORCODE(0x80040239) CLIENT_ID_NOT_FOUND 2147746361

Client ID not found

CCM_ERRORCODE(0x80040240) INSUFFICIENTDISKSPACE 2147746368

Insufficient disk space

CCM_ERRORCODE(0x80040241) DATABASE_CONNECT_FAILED 2147746369

Failed to connect to database

CCM_ERRORCODE(0x80040242) STORED_PROCEDURE_FAILED 2147746370

Stored procedure failed

CCM_ERRORCODE(0x80040243) PUBLIC_KEY_MISMATCH 2147746371

Public key mismatch

CCM_E_BAD_HTTP_STATUS_CODE (0x8004027E) 2147746430

Client communication from the management point failed.

CCM_E_EMPTY_CERT_STORE (0x80040280) 2147746432

A valid certificate was not found in the certificate store.

CCM_E_NO_CERT_MATCHING_CRITERIA (0x80040281) 2147746433

No valid certificate could be found using the specified certificate selection.

CCM_E_TOO_MANY_CERTS (0x80040282) 2147746434

More than one valid certificate was located

CCM_E_MISSING_PRIVATEKEY (0x80040283) 2147746435

The selected certificate does not have a corresponding private key, which is required for successful communication.

CCM_E_MISSING_SUBJECT_NAME (0x80040284) 2147746436

The selected certificate does not have a Subject Name defined.

CCM_E_UNKNOWN_SEARCH_CRITERIA (0x80040285) 2147746436

The certificate selection criteria syntax is invalid.

CCM_E_INVALID_SMS_AUTHORITY (0x80040286) 2147746437

The certificate does not successfully chain to a trusted root certification authority.

CCM_E_MISSING_SITE_SIGNING_CERT (0x80040287) 2147746438

Cannot locate the required Configuration Manager site server signing certificate for this site.

HandleRemoteSyncSend failed (0x80040309). 2147746569

The 'trust failed'. This happens when the client doesn't trust data from the management point.

CForwarder_Sync::Send failed (0x80040309). 2147746569

The 'trust failed'. This happens when the client doesn't trust data from the management point.

CForwarder_Base::Send failed (0x80040309). 2147746569

The 'trust failed'. This happens when the client doesn't trust data from the management point.

CCM_E_LOCATION_MPREFRESH CCM_ERRORCODE(0x80040300) 2147746560

Client trying to refresh management point and it is empty.

CCM_E_LOCATION_NOAD CCM_ERRORCODE(0x80040301) 2147746561

Client is configured to only read Active Directory Domain Services and couldn't find the requested location (site assignment, management point) data.

CCM_E_LOCATION_NOTASSIGNED CCM_ERRORCODE(0x80040302) 2147746562

Client is trying to do something that requires being assigned to a site and it is not assigned. Only called from NAP when trying to refresh the management point.

CCM_E_LOCATION_INTERNALERROR CCM_ERRORCODE(0x80040303) 2147746563

Internal error

CCM_E_LOCATION_BADSERVERCERT CCM_ERRORCODE(0x80040304) 2147746564

Management point certification is corrupt from client's perspective, which could be due to network corruption or an attacker.

CCM_E_LOCATION_BADCLIENTCERT CCM_ERRORCODE(0x80040305) 2147746565

Client certification is corrupt from site system's perspective, which could be due to network corruption or an attacker.

CCM_E_LOCATION_MPUNREACHABLE CCM_ERRORCODE(0x80040306) 2147746566

Client failed to connect to management point to make a location services request (MPLIST or MPKEYINFORMATION).

CCM_E_LOCATION_PROXYMPREFRESH CCM_ERRORCODE(0x80040307) 2147746567

Client is trying to refresh proxy management point and it's empty. May only be called from NAP when trying to refresh the proxy management point.

CCM_E_LOCATION_LOCALMPREFRESH CCM_ERRORCODE(0x80040308) 2147746568

Client is trying to refresh local management point and it's empty. Only called from NAP when trying to refresh proxy management point.

CCM_E_LOCATION_MESSAGEFAILED CCM_ERRORCODE(0x80040309) 2147746569

In most cases this indicates that the in band server authorization failed on a client, usually because the trusted root key does not match the management point certificate.

Desired Configuration Management Custom Error Codes

 

Error Code Description

0x80040752 E_DCM_DOTNETMISSING

Microsoft .NET Framework 2.0 or later not installed

0x80040756 E_DCM_SDM_REPORTING_FAILED 2147747670

Client failed to report state or status.

0x80040763 E_DCM_CI_INTERNAL_FAILURE 2147747683

WMI corruption or heap corruption

0x80040764 E_DCM_SDM_INTERNAL_FAILURE

WMI corruption, memory corruption, disk corruption

0x80040765 E_DCM_SDM_CLRHOST_LAUNCH_FAILURE

Problem with client installation or .NET Framework 2.0 installation

Inventory Custom Error Codes

 

Error Code Description

0x80040900

A valid WMI instance inventoried could not be added to the report. The __Path property may be undefined.

Mobile Device Management Custom Error Codes

 

Error Code Description

-2147220846 FFFFFFFF80040292

Unable to compute message signature for in-band authentication.

-2147220843 FFFFFFFF80040295

Unable to find a valid client authentication certificate for registration.

11520

Mobile device client deployment action failed. Failed to establish ActiveSync or Mobile Device Center connection to the mobile device.

11521

Mobile device client deployment action failed. Invalid client settings file.

11522

Mobile device client deployment action failed. Error determining running directory for DmClientXfer.exe

11523

Mobile device client deployment action failed. Required ActiveSync libraries missing.

11524

Mobile device client deployment action failed. Could not determine processor type of attached mobile device.

11525

Mobile device client deployment action failed. Could not determine base operating system version of attached mobile device.

11526

Mobile device client deployment action failed. Error determining client version for the attached mobile device.

11527

Mobile device client deployment action failed. Error creating client settings .ini file.

11528

Mobile device client deployment action failed. Failed to copy files to the attached mobile device.

11529

Mobile device client deployment action failed. Failed executing the mobile device client installer program on attached mobile device.

11530

Mobile device client deployment action may have failed. Failed reading status information from the mobile device.

11540

Mobile device client deployment action failed. Error determining running directory for the mobile device client installer program.

11541

Mobile device client deployment action failed. Error executing the pre-install command line.

11542

Mobile device client deployment action failed. Error executing the post-install command line.

11550

Mobile device client installation or upgrade failed. Error during removal of the previous client.

11551

Mobile device client installation or upgrade failed. Invalid client settings file.

11552

Mobile device client installation or upgrade failed. Error installing client CAB file.

11553

Mobile device client installation or upgrade failed. Error starting client service.

11554

Mobile device client installation or upgrade failed. Error updating client settings.

11555

Device Client Deployment failed with unknown error.

11560

Mobile device client verification or repair failed. Error during removal of previous client.

11561

Mobile device client verification or repair failed. Invalid client settings file.

11562

Mobile device client verification or repair failed. Error installing client CAB file.

11563

Mobile device client verification or repair failed. Error starting client service.

11564

Mobile device client verification or repair failed. Error updating client settings.

11565

Mobile device client verification or repair failed. Error restoring required files.

11566

Mobile device client privileged certificate installation failed.

11567

Encountered unknown error installing the device client.

11568

Mobile device client setup failed to launch during install.

11570

Mobile device client removal failed. Error using unload.exe to uninstall the existing client.

11571

Mobile device client install/upgrade failed. Error enforcing new client. Mobile device rolled back to old client (if existed before).

11572

Mobile device client rollback failed during unsuccessful upgrade. Error enforcing old client.

11573

Mobile device client failed to perform post cab install actions. Device client installation failed.

Operating System Deployment Custom Error Codes

 

Error Code Description

0x80040001

Could not get the client GUID

0x80040101

Network access account is not set

0x80040102

No content location returned for the given package

0x80040103

Could not access package content in the DP

0x80040104

Could not find reference program policy

0x80040105

Could not find CCM_ClientAgentConfig raw policy

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,1)

An invalid image capture path has been specified.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,2)

An invalid image file name extension has been specified.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,3)

An invalid image file name extension has been specified.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,4)

Image capture path is too long

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,5)

An invalid image file name extension has been specified.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,1)

Timeout waiting for PNP to finish initialization.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,2)

Task sequence failed in Windows PE

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,1)

An invalid network adapter index has been specified

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,1)

Sysprep is not installed

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,2)

Sysprep is invalid

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,3)

Invalid System Partition

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,4)

Machine is joined to a domain

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,5)

Machine is domain controller

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,1)

A default management point has not been assigned for this site.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,2)

Certificates for the default management point are not available.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,3)

Package {0} is not available on the specified distribution points.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,4)

Invalid password for media certificate

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,5)

The media certificate does not have an associated private key

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,6)

The certification authority's certificate has not been set for this site.

Remote Tools Custom Error Codes

 

Error Code Description

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,1)

Another remote control session is already in progress. Remote Control does not support multiple concurrent remote control sessions.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,2)

Level of access allowed is set to "No Access" in the Remote Tools client agent General tab on the site server or in the Remote Control control panel applet.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,3)

Remote Control Agent was not properly installed on the client.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,4)

No interactive session found on the client.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,5)

Remote computer screen is locked.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,6)

Failed to create the RDP session.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,8)

Remote Tools is disabled.

MAKE_HRESULT(SEVERITY_ERROR,FACILITY_ITF,9)

Failed to launch the Remote Control Agent process.

Software Distribution Custom Error Codes

 

Error Code Description

E_FAIL_EXECUTION_PENDING 0x80008001

The program cannot be run now from the client UI because:

  • A restart is in progress, or
  • Software Distribution is paused because of a task sequence running, or
  • Another program is currently running.

NOTE: This error code is only returned to the UI and is not present in status messages.

E_FAIL_DUPLICATE_REQUEST 0x80008002

The program cannot be run again from the client UI because it is already pending; an optional (initiated from the UI) run request already exists for it.

NOTE: This error code is only returned to the UI and is not present in status messages.

E_SWDIST_POLICY_NOT_FOUND 0x80002004

The software distribution policy was not found.

E_FAIL_PROGRAM_DISABLED 0x80008004

The program cannot run because it is currently disabled.

E_FAIL_INVALID_POLICY 0x80008005

This error code can be returned on the client if policy cannot be found or the policy is not valid to run or cancel the requested program.

NOTE: This error code is currently not sent in status messages.

E_FAIL_INVALID_PROGRAM 0x80008006

The requested program is not currently pending.

This error code can be returned on the client if the user attempts to continue or cancel the program that is not currently pending. It can also be returned to the task sequence manager (TSM) when TSM requests download locations for packages that are not referenced by the currently running task sequence.

NOTE: This error code is not raised in status messages by Software distribution, but could be raised by task sequence.

E_FAIL_SET_CACHEDCONTENTINUSE 0x80008008

Unable to set the CachedContentInUse flag. Failed to indicate the client cache is currently in use.

E_FAIL_WMI_ERROR 0x80008009

Failed to read data from WMI. The program could not continue because a system restart is in progress or there is already a run request for this program that requires a reboot.

E_FAIL_REQUEST_NOT_FOUND 0x80008011

Used for Task Sequence. Failed to reconnect to Task Sequence job because a request cannot be found with the given job ID.

NOTE: Not sent in status message by Software Distribution, but may be used by task sequence.

E_FAIL_ACTIVE_REQUEST_NOT_FOUND 0x80008012

There is no program currently running.

This error code is returned to task sequence when there is no run request that is currently running, but task sequence tries to get the currently running request.

E_FAIL_DEPENDENCY_NOT_RUN 0x80008013

This program cannot run because it depends on another program that has not run successfully before. This error code is returned to task sequence manager when a task sequence Install Software Action step cannot be run because the step has a child program which has not been run before.

E_FAIL_USER_REQUIRED 0x80008014

This error code is returned to task sequence manager when an "Install Software" step cannot be run because the software distribution program in this step is targeted to a user, requires user input or is set to run in user context

E_FAIL_SWD_NOT_PAUSED 0x80008015

Failed to notify caller that software distribution is paused because the paused state or paused cookie do not match.

E_FAIL_INVALID_HASH 0x80008017

The content hash string or hash versions are empty or incorrect in the software distribution policy or the hash verification failed.

E_FAIL_CANNOT_RUN_ON_INTERNET 0x80008018

The program cannot run at this time because the client is on the internet.

E_FAIL_EXECUTION_NONFATAL 0x80008100

A non fatal error has been encountered while attempting to run the program. The program execution will be retried if the retry count has not been exceeded.

E_FAIL_BAD_ENVIRONMENT_NONFATAL 0x80008103

A non fatal error occurred while preparing to run the program, for example when creating the program execution environment, making a network connection, impersonating the user, determining the file association information, or when attempting to launch the program. This program execution will be retried if the retry count has not been exceeded.

E_FAIL_PROGRAM_NOT_MONITORED 0x80008105

An error was encountered while getting the process information for the launched program and the program execution will not be monitored.

E_FAIL_BAD_ENVIRONMENT_FATAL 0x8000910A

A fatal error occurred while preparing to run the program, for example when creating the program execution environment, making a network connection, impersonating the user, determining the file association information, or when attempting to launch the program. This program execution will not be retried.

E_FAIL_EXECUTION_FATAL 0x80009101

A fatal error has been encountered while attempting to run the program. The program execution will not be retried.

E_FAIL_INVALID_PROGRAM_OBJECT 0x80009102

An error occurred while creating the execution context.

This error code indicates that an error was encountered while creating the internal execution context object. This is most likely not due to configuration errors, but could be because of low memory conditions, COM failures or other external errors.

E_FAIL_INVALID_CMDLINE 0x80009104

The command line for this program is invalid.

E_FAIL_NO_CONTENT 0x80009106

Failed to verify the executable file is valid or to construct the associated command line.

E_FAIL_NO_SOURCE 0x80008107

Failed to access all the provided program locations. This program may retry if the maximum retry count has not been reached.

E_INVALID_CONTENT_REQUEST_HANDLE 0x80008200

This is an internal error. No content request found with the given handle.

E_NO_SPACE_IN_CACHE 0x80008201

The content download cannot be performed because there is not enough available space in cache or the disk is full.

E_CACHE_TOO_SMALL 0x80008202

The content download cannot be performed because the total size of the client cache is smaller than the size of the requested content.

E_CACHE_IN_USE 0x80008203

The client cache is currently in use by a running program or by a download in progress.

E_NO_DP_FOUND 0x80008204

NOTE: this error code is sent at least in status message 10051.

No distribution points were found for the requested content.

E_FAIL_LOCATION_REQUEST 0x80008210

Failed to get content locations.

E_FAIL_JOB_PENDING 0x80008250

The computer restart cannot be initiated because a software installation job is in progress.

E_FAIL_INACCESSIBLE_SOURCE 0x80009108

Failed to access all the provided program locations. This program will not retry.

E_FAIL_INVALID_MSI 0x80009109

Failed to verify that the given file is a valid installation package.

Software Updates Custom Error Codes

 

Error Code Description

E_UPDDEPLOY_APPLY_NOT_REQUIRED CCM_ERRORCODE(0x80040708) 2147747592

Software Updates Install not required.

E_MONITOR_RESUME_FAILURE CCM_ERRORCODE(0x80040709) 2147747593

Failed to resume the monitoring of the process.

E_INVALID_CMDLINE CCM_ERRORCODE(0x8004070A) 2147747594

Invalid command line

E_CREATEPROCESS_FAILURE CCM_ERRORCODE(0x8004070B) 2147747595

Failed to create process

E_EXECUTION_TIMEOUT CCM_ERRORCODE(0x8004070C) 2147747596

Software update execution timeout

E_UPDATE_FAILED_RESULT CCM_ERRORCODE(0x8004070D) 2147747597

Software update failed when attempted

E_EMPTY_COMMANDLINE CCM_ERRORCODE(0x8004070E) 2147747598

Empty command line specified

E_INVALID_INSTALLER_PATH CCM_ERRORCODE(0x8004070F) 2147747599

Invalid updates installer path

E_COMPARE_CREATION_TIMES CCM_ERRORCODE(0x80040710) 2147747600

Failed to compare process creation time.

E_DEPLOYMENT_NOT_ACTIVE CCM_ERRORCODE(0x80040711) 2147747601

Software updates deployment not active yet; for example, the start time is in the future.

E_UPDDEPLOY_REBOOT_REQUIRED CCM_ERRORCODE(0x80040712) 2147747602

A system restart is required to complete the installation.

E_NO_DETECT_RESULT CCM_ERRORCODE(0x80040713) 2147747603

Software updates detection results not received yet.

E_UPDATES_USERINSTALL_RESTART_PENDING CCM_ERRORCODE(0x80040714) 2147747604

User based install not allowed as system restart is pending.

E_USERINSTALL_NO_UPDATES CCM_ERRORCODE(0x80040715) 2147747605

No applicable updates specified in user install request.

E_NOINTERFACE FFFFFFFF80004002 -2147467262

No such interface supported

[DCOM belly up] CAgent::CreateJob failed FFFFFFFF8007000E -2147024882

Not enough storage is available to complete this operation.

ERROR_TIMEOUT FFFFFFFF800705B4 -2147023436

This operation returned because the timeout period expired.

[Scan fails on x64vista] OnSearchComplete 0x80240032 [WU] -2145124302

Failed to end search job [SMS] WU client failed Searching for update with error.

WU_E_PT_WINHTTP_NAME_NOT_RESOLVED - same as ERROR_WINHTTP_NAME_NOT_RESOLVED FFFFFFFF8024402C -2145107924

The proxy server or target server name cannot be resolved.

FFFFFFFF80040692 -2147219822

Group Policy conflict

FFFFFFFF80040693 -2147219821

Low WUA version

WU_E_PT_HTTP_STATUS_BAD_GATEWAY FF80244021 -2145107935

Same as HTTP status 502. The server, while acting as a gateway or proxy, received an invalid response from the upstream server it accessed in attempting to fulfill the request.

-939523070 ERROR_OBJECT_ALREADY_EXISTS FFFFFFFFC8000402

Object already exists

[SA fail if SWD not working] createInstance failed for UpdateServiceManager FFFFFFFF80040154 -2147221164

Class not registered

FFFFFFFF800705B4 -2147023436

This operation returned because the timeout period expired.

ERROR_INTERNET_TIMEOUT FFFFFFFF80072EE2 -2147012894

Internet timeout

ERROR_WINHTTP_CANNOT_CONNECT or ERROR_INTERNET_CANNOT_CONNECT FFFFFFFF80072EFD -2147012867

Internet cannot connect

E_INVALIDSTATE_AFTER_APPLY FFFFFFFF80040668 -2147219864

Software update still detected as actionable after apply.

E_EXECUTION_TIMEOUT FFFFFFFF8004070C -2147219700

Software update execution timeout

WU_E_PT_WINHTTP_NAME_NOT_RESOLVED - same as ERROR_WINHTTP_NAME_NOT_RESOLVED FFFFFFFF8024402C -2145107924

The proxy server or target server name cannot be resolved.

ERROR_PATH_NOT_FOUND FFFFFFFF80070003 -2147024893

The system cannot find the path specified.

ERROR_FILE_EXISTS FFFFFFFF80070050 -2147024816

The file exists

ERROR_ACCESS_DENIED or E_ACCESS_DENIED FFFFFFFF80070005 -2147024891

Access denied

WU_E_PT_WINHTTP_NAME_NOT_RESOLVED - same as ERROR_WINHTTP_NAME_NOT_RESOLVED FFFFFFFF8024402C -2145107924

The proxy server or target server name cannot be resolved.

ERROR_INAVILD_ENVIROMENT FFFFFFFF8004070D -2147219699

Software update failed when attempted.

Install Errors

Last Install Error FF8024402C WU_E_PT_WINHTTP_NAME_NOT_RESOLVED - same as ERROR_WINHTTP_NAME_NOT_RESOLVED -2145107924

The proxy server or target server name cannot be resolved.

Last Install Error FF8007066F ERROR_PATCH_NOT_APPLIED -2147023249

Can sometimes happen when Windows Installer configuration for an installed application is out of sequence; for example, Windows Installer thinks it has more patches applied than is really the case (this sometimes used to happen with roaming profiles).

Last Install Error FF8007064 ERROR_INSTALL_FAILURE -2147023293

Generic failure code from Windows Installer installs.

Last Install Error FF8007F0F4 STATUS_PREREQUISITE_FAILED -2146963212

Generated by update.exe. People seem to be getting this when they try to install a Service Pack while on battery power.

Last Install Error FF8007F0F5 WU_E_DM_INCORRECTFILEHASH -2146963211

The WU Agent's metadata store and the policy received by ccmexec could be out of sync.

Last Install Error FF8007F0F6 ERROR INVALID PARAMETER -2146963212

Failed to start the installation of updates because update is not found

Scan Failures

Last Scan Error FF80244021 WU_E_PT_HTTP_STATUS_BAD_GATEWAY -2145107935

Possible network connectivity issues

Last Scan Error FF8024001D WU_E_INVALID_UPDATE -2145124323

An update contains invalid metadata.

Last Scan Error FF80004002 E_NOINTERFACE -2147467262

No such interface supported

Last Scan Error FFC8000402 RECORD TOO BIG -939523070

This seems to be a recoverable error, and possibly due to many Scan Service Packages left around when the 2003 ITMU was used. This is NOT the case.

FF8024400A WU_E_PT_SOAPCLIENT_PARSE 1097366519818

Needs update

Last Scan Error FF8024001E WU_E_SERVICE_STOP -2145124322

Operation did not complete because the service or system was being shut down.

Last Scan Error FF8024400D WU_E_PT_SOAP_CLIENT -2145107955

SOAP client found the message was malformed.

Last Scan Error FFC800042D RefreshServerUpdateInfo -939523027

WSUS unable to update software distribution folder. Scans fail.

Last Scan Error FF80244022 WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL -2145107934

HTTP status 503. The service is temporarily overloaded.

Last Scan Error FF80240032 WU_E_INVALID_CRITERIA -2145124302

The search criteria string was invalid.

Last Scan Error FF80240013 WU_E_DUPLICATE_ITEM -2145124333

Failed to add file to the FileLocationList.

Last Scan Error FF8007041D ERROR SERVICE REQUEST TIMEOUT -2147023843

The service did not respond to the start or control request in a timely fashion.

E_FAIL_POLICY_NOT_FOUND CCM_ERRORCODE(0x80040600) 2147747328

Scan Tool Policy not found

E_LOCATION_TIMEOUT CCM_ERRORCODE(0x80040602) 2147747330

Out of cache space

E_SCANTOOL_POLICY_REMOVED CCM_ERRORCODE(0x80040603) 2147747331

The ScanTool Policy has been removed so cannot complete Scan Operation.

E_SCANTOOL_NOTFOUND_INJOBQUEUE CCM_ERRORCODE(0x80040604) 2147747332

The ScanTool was not found in the job queue.

E_FAIL_SCAN_TOOL_REMOVED CCM_ERRORCODE(0x80040605) 2147747333

Scan Tool has been Removed

E_FAIL_OFFLINE_SCAN_HISTORY_NOT_FOUND CCM_ERRORCODE(0x80040606) 2147747334

Scan Tool Policy not found

E_CONTENT_NOT_FOUND CCM_ERRORCODE(0x80040607) 2147747335

Out of cache space

E_INVALID_INSTANCE_TYPE CCM_ERRORCODE(0x80040608) 2147747336

Out of cache space

E_NO_SPACE_IN_CACHE 0x80008201 2147516929

Out of cache space

E_CACHE_TOO_SMALL 0x80008202 2147516930

Cache size is smaller than requested content's size.

Deployments Agent Specific Errors

E_UPDDEPLOY_APPLY_NOT_ALLOWED CCM_ERRORCODE(0x80040700) 2147747584

Install not allowed

E_UPDDEPLOY_DOWNLOAD_NOT_ALLOWED CCM_ERRORCODE(0x80040701) 2147747585

Download not allowed

E_ASSIGNMENT_POLICY_NOT_FOUND CCM_ERRORCODE(0x80040702) 2147747586

Assignment policy not available

E_ANOTHER_JOB_IN_PROGRESS CCM_ERRORCODE(0x80040703) 2147747587

Only one job is allowed at a time

E_HARDREBOOT_PENDING CCM_ERRORCODE(0x80040704) 2147747588

Only one job is allowed at a time.

E_PAUSE_STATE_REQUIRED CCM_ERRORCODE(0x80040705) 2147747589

Pause state required

E_NO_ACTIVE_JOB CCM_ERRORCODE(0x80040706) 2147747590

No active job exists (while reconnect called).

E_JOB_ID_MISMATCH CCM_ERRORCODE(0x80040707) 2147747591


-------------------
Thanks,
http://sccm07.blogspot.com/

Friday, March 13, 2009

All the Third-Party Solutions for SCCM & SMS

Web Sites:

MyITForum is the premier online destination for IT professionals responsible for managing their corporations' Microsoft Windows systems; it is especially useful for IT professionals working with Microsoft Systems Management Server. (http://www.myitforum.com)

FAQshop endeavors to provide a "one-stop-shop" for systems management questions, answers, and utilities. (http://www.faqshop.com)

SMS Alliance is a consortium of companies that leverage joint resources to strengthen the capabilities and benefits of SMS. Their mission is to provide organizations with the best-of-breed solutions and services to enhance and extend SMS 2003. (http://www.sms-alliance.com)

1E, one of the founding members of the SMS Alliance, is a company on the cutting edge of systems management. It enhances and extends Microsoft management and deployment technologies, delivering advanced automation and reporting across the enterprise. (www.1e.com)

Macrovision Corporation, another founding member of the SMS Alliance, is a recognized leader in software deployment packaging, software installation, and software updating solutions. They offer one of the best software packaging tools with AdminStudio. (http://www.macrovision.com/)

PS'SOFT, as a founding member of the SMS Alliance, offers extenders for SMS 2003 that focus on IT asset management. They offer a web-based software cataloging system called SMS Software Requests. (www.pssoft.com)

Vintela, another founding member of the SMS Alliance, offers a seamless solution to extend security and compliance of Microsoft Active Directory to Unix, Linux, and other platforms and applications. They offer solutions that help IT administrators manage Unix, Linux, and Mac systems using SMS 2003. Vintela is now part of Quest Software. (www.vintela.com)

iAnywhere, the last founding member of the SMS Alliance, offers frontline security and management to SMS and provides extensions to manage your enterprise's mobile and wireless devices through SMS. (www.iAnywhere.com)

AppDeploy is the Internet resource to go to when you need to script or repackage an application for distribution. Among other points of interest at the site is a massive library of applications, sorted by application name and vendor name. For each application listed, you'll find a community-based thread discussing the best practices, links, scripts, and challenges met/overcome with working with the application in regard to installation scripting/repackaging. (http://www.appdeploy.com/)

DesktopEngineer is perhaps one of the best resources in the Windows Installer arena. This site offers a wealth of information on Windows Installer technology, techniques, and troubleshooting tips. I have noticed that he is starting to increase the content related to Microsoft's upcoming PowerShell scripting language. (http://www.desktopengineer.com/)

Tools

SMSView is a utility that is used to extend the functionality of the Microsoft Systems Management Server 2003 advanced client. SMSView allows you to perform the following actions on an SMS advanced client: Allow nonadmin users to view current mandatory assignments and advertisement status, View advertisement history (past 60 days), View current mandatory assignments, Rerun advertisements, Remote operations (remotely view and manage the SMS client), Display hardware/software inventory status, Display management point/proxy management point, Repair the SMS advanced client. (http://www.smsview.com/)

SMS 2003 Monster MOF is a MOF file that contains several new classes of MOF that will improve SMS hardware inventory capabilities. The Monster MOF will enhance inventory data without requiring intimate knowledge of the SMS_DEF.MOF file. (www.smsexpert.com)

SMS 2003 Web Remote Tools assist SMS administrators and allow client administration from a web page. (http://www.myitforum.com/articles/19/view.asp?id=8662)

Corey Becht's Right-Click Tools is one of the best sets of tools for all SMS administrators. This tool allows you to right-click on any collection or individual PC within the SMS Administrator console and initiate hardware inventory, reassign the site code, restart the SMS Agent Host service, rerun advertisements without modifying the advertisement, perform discovery, initiate software inventory, create file collections, monitor software metering usage, refresh machine policies, evaluate policies, update Windows Installer sources, change port number, and change cache size. These tools can run per computer resource or for all the members of a collection. (www.myitforum.com/articles/8/view.asp?id=7099)

Microsoft SMS Toolkit 2: Microsoft released a very nice set of tools for SMS called the SMS Toolkit version 2. It contains the following tools: IIS Lockdown 2.1 Template, URLScan 2.5 Template, Policy Spy, SMS Trace, Advanced Client and Management Point Cleaner, Advanced Client Spy, Policy Verifier, Send Schedule, Management Point Spy, Set Preferred Distribution Point and CAP, Delete Certificate, Patch Management Evaluation, Delete Group Class, Transfer SMS ID, Package Loader, Management Point Troubleshooter, Client Site Assignment Verifier, Site Boundary Tool, Create Secondary Site Tool, Create SMS Address Tool. (www.microsoft.com/smserver/downloads/2003/tools/toolkit.mspx)


Security Logon Audit Tool (SLAT) extends SMS hardware inventory to include user logon information. This data can be used in web reports and queries. The tool includes the following sample reports: Top users for all systems, User logon information for a specific computer, Systems where the last logged-on user is not the top user, Systems where a specific user has logged on. SLAT searches the security event log for the 528 event, which is created when user logon events occur and is enabled via Group Policy. (http://www.systemcentertools)

Enhanced System and User Discovery Tools: Out of the box, SMS 2003 does a pretty good job of discovering systems from Active Directory. It's not perfect, though—there are a few gaps in its methods. The Enhanced System Discovery tool assists in filling these gaps. Out of the box, SMS 2003 does not perform Windows NT 4 domain discovery. This tool solves that by enumerating all machines from a list of NT 4 domains, resolving their IP addresses from DNS or WINS, and creating data discovery records for each system. (http://www.systemcentertools/)

BITS Bandwidth Manager is an SMS Installer script that lets you throttle BITS bandwidth on Windows XP SP2 systems. You do not need to manually adjust any settings. The script takes care of the Registry key manipulation for you. (http://www.myitforum.com/inc/upload/11332BITSManager.zip)

1E SMSWakeUp: This WOL product is able to turn on computers after they have been shut down by users. The wake cycle can be triggered on a regular schedule to power up systems in preparation for the workday, or to perform software deployment activities. (http://www.1e.com/)

1E NightWatchman: Since we are talking about waking systems that have been shut down, it may be a good practice to examine how best to shut down those systems in the first place. Why do we want to shut down systems? We do this to enforce reboot cycles and to save energy costs. (http://www.1e.com/)

1E SMSNomad Branch: Some offices may not have the server hardware to allow for a Distribution Point (DP). But those offices may have a substantial number of users and/or be separated from the rest of the network by a low-speed or saturated WAN link, which you would rather not send multiple copies of a package across. SMSNomad Branch acts similar to a peer-to-peer network, allowing other computers to become DPs. If one machine is shut down, another is selected as the DP. Included in this technology is multicast, increasing its efficiency to reduce network traffic on the local network segment. (http://www.1e.com/)

1E OSD Plus Pack: This is an enhancement to the SMS OSD Feature Pack. It allows you to leverage the SMS OSD Feature Pack in offices that do not have DPs. OSD Plus Pack offers similar functionality to SMSNomad Branch, but also has a few other applications bundled with it: State Migration Editor, which is an interface for the User State Migration Tool; AppMigrator, which allows the automatic reinstallation of applications after OS imaging; and PXE Lite, which is a local PXE server to allow deployment of OS images to bare-metal machines booted from the network PXE server. (http://www.1e.com/)

SMS Companion 2006: This product provides WOL capabilities, similar to 1E's SMSWakeUp, but leverages slightly different technologies behind the scenes. A key difference is that SMS Companion puts systems in hibernation, rather than powering them off. The following are some of the key applications included with this product: Wake-on-Schedule: Allows clients to come out of a hibernation state. Service Windows: Allows you to restrict the SMS inventory and software distributions from happening during specific time periods, to reduce or eliminate user interruptions. Load Balancing: Allows you to reduce peak network and SMS server loading by making sure that the clients use these resources in a controlled manner. (http://www.smsexpert.com/)

Quest Management Xtensions for SMS: Since Windows platforms are not the only systems in an enterprise, you may need a way to manage other platforms, such as Unix, Linux, and Mac OS X. These management extensions offer that capability for SMS 2003. One of the unique aspects of this product is its support route: first-level support is handled by Microsoft Product Support Services. (http://www.quest.com/quest-management-xtensions-for-sms)

