SCCM 2012 R2 – Using WUSA (Windows Update Standalone Installer) in an Application

It’s been a little while since my last post, I’ve not long started a new job so things to write about got put on the back burner for a little while.

I needed to install IE11 on some Windows 7 machines that didn’t necessarily have the prerequisite updates. The main thing was the update package couldn’t be downloading all its prerequisites from the internet, because that’s just not professional!

This makes things a little more complicated from an SCCM perspective, since I can’t just go and install IE11 directly, I have to make sure the prerequisites get installed. I had a play around with the IEAK 11 (Internet Explorer Administration Kit), but it didn’t handle the prerequisites particularly well, I had a few failures, then decided to sort the dependencies myself.

This is where WUSA comes in! I built the IE11 application as normal, just calling the IE offline installer executable directly with the ‘/quiet’, ‘/update-no’, ‘/norestart’ and ‘/closeprograms’ switches, then gave it some Windows updates that required as prerequisites as dependencies for the deployment.

This went well, till I ran into some odd failures with some computers. I looked at the logs and WUSA was returning some odd return codes. I went on a bit of a search and found a list of return codes that applied, but none of them matched which annoyed me for a second till I realized that WUSA was returning the codes, but the SCCM AppEnforce.log was logging them as decimal, not the hexadecimal values shown in the knowledge base article!

A quick bit of converting from decimal to hex and I was there. I added the return codes to the deployments and all was well! Here’s the two main ones I ended up using:

2359301 (0x00240005) Success (Installed but the system must be restarted to complete installation of the update).

2359302 (0x00240006) Failure (The update to be installed is already installed on the system). This error highlights that you might have a bad detection rule in place.

2145124330 (0x80240016) Failure (Operation tried to install while another installation was in progress or the system was pending a mandatory restart).

There’s loads more I could have used, but I like to only put the extra return codes in the application when I need to, keep it simple!

SCEP 2012 R2 / FEP 2010 – May Update Manual Download Links (KB3049560)

Another month, another update for the Microsoft Endpoint Protection engine!

Unfortunately, I hoped the ADMX template for managing SCEP 2012 that was mentioned when the update was first released would be available, but it looks like it’s been pulled for some reason. I’ll keep an eye out for it though and hopefully it will mean I don’t have to maintain my own ADMX template for this anymore.

As I’ve done previously, I pulled these download links from SCCM, viewing the Content Information in the update view for KB3049560.

Here’s the update, it appears to be the same for both FEP 2010 and SCEP 2012:
wsus.ds.download.windowsupdate.com/c/msdownload/update/software/crup/2015/05/updateinstall_a4deb3eebd3ac19f8b465097d818708a0e0d87c7.exe

These files are hosted by Microsoft and may disappear at any time!

Have fun!

PowerShell Workflow – Check-Service script

I’ve recently needed to work with some services in a group of computers where only one service can be active at a time. This particular service I needed to work with is a printing service responsible for printing labels in a shared directory. If more than one service is enabled at a time, we get duplicate labels! (It led to a lot of confusion during user testing when a server was rebooted).

To automate the work required to make sure only one service is running when maintenance or other work occurs, I decided to write a script.

The script can be downloaded from here.

I used PowerShell workflow, as this seemed like a good bet for something that would benefit from the parallelism benefits that a workflow provides. The idea for me is to use it as part of a System Center Orchestrator Runbook to run the script on an alert from Operations Manager.

I worked on making the script take parameters for the computers to run against, the service to work on and how many services should be running at any one time.

Hopefully this also helps some people working to learn some of the basics of workflow, I’ll make sure to add some comments in the script to explain parts of it. Some things certainly confused me for a little while till I got things working!

SCEP 2012 R2 / FEP 2010 – February Update Manual Download Links (KB3041687)

UPDATE: The May download links are here.

I recently noticed a few people looking around for the SCEP/FEP February update direct download links.

I pulled these download links from SCCM 2012 R2, viewing the Content Information in the update view for KB3041687.

System Center Endpoint Protection 2012: http://wsus.ds.download.windowsupdate.com/c/msdownload/update/software/crup/2015/02/scepinstall_230274d8b20bbe30fb94a287fd82670af0309ea4.exe

Forefront Endpoint Protection 2010: http://wsus.ds.download.windowsupdate.com/c/msdownload/update/software/crup/2015/02/fepinstall_96be19e39aab5c5c7c569a6b143e6e44b72aaec0.exe

These files are hosted by Microsoft and may disappear at any time!

Have fun!

SCEP 2012 R2 – Updated ADMX Template for the February Update – KB3041687

The revised February update for Microsoft Endpoint Protection products is out (KB3041687) and brings with it a couple of changes to registry keys introduced in the first February update.

This update deprecates the DisableGenericReports subkey and adds a new DWORD called SubmitSamplesConsent to the following place:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\SpyNet

This new key will allow configuration of sample submissions to Microsoft for analysis.

I have added these updates to my ADMX template for SCEP 2012 R2, which can be downloaded from GitHub.

Notes from KB3036437

Endpoint Protection may request file samples to be sent to Microsoft for further analysis. By default, Endpoint Protection will always prompt before it sends such samples. There is an option available to send samples automatically. To opt in to automatic sample submission, open the Endpoint Protection UI, click the Settings tab, select the Advanced section, and then click Send file samples automatically when further analysis is required.

Administrators can manage automatic sample submission with additional configuration options through WMI, PowerShell, and Group Policy by using the following registry subkeys:

MAPS Configuration

Registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\SpyNet

DWORD name: SpyNetReporting
DWORD values:

  • 0 – Off
  • 1 – Basic Membership
  • 2 – Advanced Membership

Sample Submission

Registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\SpyNet

DWORD name: SubmitSamplesConsent
DWORD values:

  • 0 (default) – Automatic sample submission disabled. End-users will always be prompted for samples.
  • 1 – Most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
  • 2 – All sample submission disabled. Samples will never be sent and end-users will never be prompted.
  • 3 – All samples will be sent automatically. All files determined to require further analysis will be sent automatically without prompting.

Microsoft Dynamics AX 2012 – Importing and exporting users with PowerShell

Over the past couple of months I’ve occasionally been working with Microsoft Dynamics AX 2012 and moving model and data sets between different environments.

Once of the downsides to this is overwriting the user and role memberships at the destination. To combat this, I had two options, the AX Data Import/eXport Framework (DIXF), or the AX PowerShell module. I think you can guess which one I went for!

Unfortunately the AX module need to be loaded in a wonderfully manual way and there are a lot of features not provided. The cmdlets even have a horrible lack of support for the very things that make PowerShell so great, like pipelining!

Even lacking these things, it’s still PowerShell, so I soldiered on. It took a little while and some features still have to be implemented, but the two scripts allow users to be imported and exported to/from a CSV, which is good enough to release for a first version.

The two scripts can be downloaded from GitHub.

There are also some features I’ll implement if I get the time, such as complete overwrite on import and support for importing/exporting user data from remote servers.

SCCM 2012 R2 – Problems with SCEP 2012 R2 and Group Policy Results

We ran into an issue yesterday with Group Policy Results when using SCEP 2012 R2, the problem exactly follows this particular issue on the TechNet Forums, but appears to affect a couple of extra registry keys.

It’s really unfortunate that this still isn’t fixed in SCCM 2012 R2, having also been an issue in 2012, as the post describes.

To resolve the problem, I used my existing SCEP Group Policy ADMX template in creating a GPO to replicate the default settings pushed out to clients with SCCM, which solves the problem, as the exceptions and settings we push out to standard clients aren’t any different from the Microsoft recommended settings.

In the GPO I had to specify the exclusion settings and also the default threat actions, which are specified in the registry here:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction

Previously these settings were defined as REG_DWORD, but need to be REG_SZ, as shown below:

ThreatSeverityDefaultAction

Smooth seas don't make good sailors.