How to Execute SQL Query in SCCM to Retrieve Deployment and Application Information

 

If you're working with SCCM (System Center Configuration Manager) and need to pull detailed information about applications, deployment types, and associated content IDs, you can use SQL queries to directly access the SCCM database. Below is a SQL query designed to extract the deployment types and application details, including their associated content information.

This blog will walk you through how to execute the following SQL query and explain its components.

SQL Query for SCCM:

SELECT

    app.DisplayName AS ApplicationName,

    dt.DisplayName AS DeploymentTypeName,

    dt.PriorityInLatestApp,

    dt.Technology,

    DT.ContentId

FROM

    dbo.fn_ListDeploymentTypeCIs(1033) AS dt

INNER JOIN

    dbo.fn_ListLatestApplicationCIs(1033) AS app

    ON dt.AppModelName = app.ModelName

WHERE

    (dt.IsLatest = 1)

    AND (DT.ContentId LIKE '%Content_d1714238-1d5f-4b16-aaa2-385c37218c41%'

         OR DT.ContentId LIKE '%Content_e134865c-8b44-4b02-8e1f-de53e05ccc18%')

ORDER BY

    ApplicationName

Conclusion:

This SQL query is useful for retrieving detailed information about applications and their deployment types, particularly when troubleshooting or analyzing deployment configurations in SCCM. Using SQL queries like this helps SCCM administrators gain deeper insights into the deployment structure and content associations.

Troubleshooting MDT Integration with Multiple Primaries and Editing the Microsoft.BDD.CM12Actions.mof File

 

Introduction

Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager (SCCM) are powerful tools commonly used together for operating system deployments. However, when integrating MDT with SCCM, especially in environments with multiple primary site servers, issues can arise in task sequences. One such issue occurs when editing the Microsoft.BDD.CM12Actions.mof file to change the site service, leading to errors in MDT integration and task sequence execution.

In this blog, we will explore the challenges faced when MDT integration doesn’t install correctly, particularly in environments with multiple primary sites. We will walk through the process of editing the Microsoft.BDD.CM12Actions.mof file and recompiling it, while also troubleshooting common errors related to the configuration.

Understanding the Issue

MDT task sequences rely on SCCM to deploy operating systems. When there are multiple primary site servers in an SCCM environment, MDT needs to be properly configured to communicate with the correct management point. The Microsoft.BDD.CM12Actions.mof file plays a critical role in defining the SCCM site and management point for MDT to use during deployment.

The problem arises when this file is edited to point to a specific primary site server, but MDT is still unable to perform tasks correctly. This may be due to several reasons such as improper changes to the MOF file, conflicts between multiple primary sites, or issues with the management point that MDT is trying to communicate with.

Step 1: Edit the Microsoft.BDD.CM12Actions.mof File

In environments with multiple primary sites, the Microsoft.BDD.CM12Actions.mof file must be edited carefully to ensure MDT uses the correct site server for its communication. Here's how to do it:

1. Locate the MOF File
   The Microsoft.BDD.CM12Actions.mof file is located in the AdminConsole\bin folder of your SCCM installation. The path typically looks like this:

<ConfigMgr_Install_Directory>\AdminConsole\bin

Replace <ConfigMgr_Install_Directory> with the actual directory where your SCCM is installed, which by default is:

C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin

2. Open and Edit the File
   Open the Microsoft.BDD.CM12Actions.mof file using a text editor (e.g., Notepad++). In the file, find the line where the SMS provider or site service is listed. It should look like this:

Provider="sms:<SMSProvider_FQDN>"

3. Replace the SMS Provider with the Correct Primary Site
   Since there are multiple primary sites in your environment, replace the <SMSProvider_FQDN> with the Fully Qualified Domain Name (FQDN) of the primary site server that you want MDT to use. For example:

Provider="sms:PrimarySiteServer.FQDN"

4. Save the MOF File
   After making the necessary changes, save the file.

Step 2: Recompile the MOF File

After editing the Microsoft.BDD.CM12Actions.mof file, it must be recompiled to apply the changes. Follow these steps:

1. Open an Elevated Command Prompt
   Run Command Prompt as an administrator to have the necessary privileges.
2. Navigate to the Directory
   Use the cd command to navigate to the folder where the Microsoft.BDD.CM12Actions.mof file is located:

cd <ConfigMgr_Install_Directory>\AdminConsole\bin

3. Compile the MOF File
   Run the following command to recompile the MOF file:

mofcomp Microsoft.BDD.CM12Actions.mof

This command will compile the MOF file and apply the changes to the WMI repository. If successful, you will see a confirmation message.

Conclusion

MDT integration with SCCM is a powerful tool for deploying operating systems, but it can encounter issues when there are multiple primary sites. Editing the Microsoft.BDD.CM12Actions.mof file to update the site service is an essential step in ensuring proper communication. However, if not done carefully, it can lead to issues such as task sequences not being available or MDT failing to communicate with the correct site server.

By following the steps outlined in this blog and troubleshooting common errors, you can ensure a smooth integration of MDT with SCCM, even in environments with multiple primary sites. Always test your changes thoroughly and check the relevant logs to diagnose and resolve any issues.

Troubleshooting and Installing SCCM Clients with PKI Certificates

 

Introduction:

In this blog post, we will go through several important steps to help with SCCM (System Center Configuration Manager) client management, including clearing old configurations, removing certificates, and installing the SCCM client using PKI certificates. We will also cover starting and stopping services, handling the Windows firewall, and ensuring a proper configuration when working with SCCM clients.

Step 1: Stop the SCCM Client Service (ccmexec)

The first step in the cleanup process is to stop the ccmexec service, which is the core service for the SCCM client. This will prevent the client from attempting to run while we perform our cleanup operations.

To stop the ccmexec service, run the following command in an elevated Command Prompt:

net stop ccmexec

This will stop the service temporarily and ensure no background operations are running while you perform the necessary cleanup steps.

Step 2: Delete the SMSCFG.INI File

The SMSCFG.INI file holds important configuration information for the SCCM client. Deleting this file can help resolve issues where the client is incorrectly configured or when you want to reset the client’s configuration to its default state.

Run the following command to delete the file:

del c:\Windows\SMSCFG.INI

This will remove the configuration file. It will be re-generated the next time the SCCM client is initialized.

Step 3: Remove the SCCM Certificate from the SMS Store

In certain cases, you may need to delete the certificate from the SMS certificate store (this could happen when you are troubleshooting issues with certificates or when you want to reset the certificates). To remove the certificate, you can use the certutil command.

Run the following command to delete the certificate from the SMS store:

certutil -delstore SMS SMS

This command deletes the certificate from the SMS store. Be cautious when using this, as it removes the certificate needed for secure communication between the client and the server.

Step 4: Restart the SCCM Client Service (ccmexec)

After performing the cleanup steps, you need to restart the ccmexec service to reinitialize the client. You can do so using the following command:

net start ccmexec

This will start the SCCM client service again, and the client will begin communicating with the SCCM server once more.

Step 5: Start the Windows Firewall Service (if it's stopped)

If the Windows Firewall service is stopped, it can cause communication issues between the SCCM client and the server. To ensure the firewall is running, you can start the service (if it's stopped) by running:

net start mpssvc

This command starts the Windows Firewall service (mpssvc), ensuring that the necessary firewall rules are applied, and the client can communicate over the required ports.

Step 6: Install SCCM Client Using PKI Certificates

If you're setting up the SCCM client and need to configure it to use PKI (Public Key Infrastructure) certificates, you can use the CCMSetup.exe command. This command installs the SCCM client while ensuring that it uses PKI certificates for secure communication with the management point.

Here is the command you will use:

CCMSetup.exe /mp:YOURMP /UsePKICert

• /mp:YOURMP: Replace YOURMP with the fully qualified domain name (FQDN) of your Management Point (MP). The MP is a key component in the SCCM infrastructure that communicates with the client.
• /UsePKICert: This flag tells the client to use PKI certificates for secure communication.

When this command is executed, it will install the SCCM client on the machine and ensure that the client communicates securely with the management point using the certificates issued by your PKI infrastructure.

Conclusion

By following these steps, you can troubleshoot SCCM client issues, remove old certificates, reset configurations, and install a new SCCM client using PKI certificates. These operations are crucial for maintaining a healthy SCCM infrastructure and ensuring secure communication between clients and servers.

SCCM SQL Query Online device by Management Point

 SCCM SQL Query Online device by Management Point

select srl.SiteCode, srl.ServerName, srl.InternetEnabled, srl.Shared, srl.SslState,

SUM(brs.OnlineStatus) AS OnlineClients, bs.ReportTime from SysResList srl

inner join BGB_Server bs ON srl.ServerName = bs.ServerName

inner join BGB_ResStatus brs ON bs.ServerID = brs.ServerID

where RoleName='SMS Management Point'

group by srl.SiteCode, srl.ServerName, srl.InternetEnabled, srl.Shared, srl.SslState, bs.ReportTime

 SCCM SQL Query Client device count by Management Point

Select Substring(br.AccessMP,1,(PATINDEX('%.%',br.AccessMP)-1)) as Management_Point, 

Count(Substring(br.AccessMP,1,(PATINDEX('%.%',br.AccessMP)-1))) as Total_Clients

from

v_R_System sd join BGB_ResStatus br on sd.ResourceID=br.ResourceID 

Where PATINDEX('%.%',br.AccessMP) > 0

Group By Substring(br.AccessMP,1,(PATINDEX('%.%',br.AccessMP)-1))

Order By Count(Substring(br.AccessMP,1,(PATINDEX('%.%',br.AccessMP)-1))) Desc

SCCM Configuration Baseline to Initiate Available Task Sequence

 PowerShell Script Monitor

Function Get-RegistryValue12 {

        param (

            [parameter(Mandatory=$true)][ValidateNotNullOrEmpty()]$Path,

            [parameter(Mandatory=$true)][ValidateNotNullOrEmpty()]$Name

        )

        Return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

    }

$compliance = "Compliant"

$Registry = "HKLM:\SOFTWARE\SOFTWARE\WOW6432Node\Notepad++"

$name = "InstallerLanguage"

$value = Get-RegistryValue12 -path $registry -name $name

$Ver = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").currentBuild

If ($Ver -like '1033')

{

$compliance = 'Non-Compliant'

}

$compliance

PowerShell Script Remediation

Function Execute-TaskSequence {

    Param (

        [parameter(Mandatory = $true)]

        [string]$Name

    )

    Try {

        Write-Host "Connecting to the SCCM client Software Center..."

        $softwareCenter = New-Object -ComObject "UIResource.UIResourceMgr"

    }

    Catch {

        Throw "Could not connect to the client Software Center."

    }

    If ($softwareCenter) {

        Write-Host "Searching for deployments for task sequence [$name]..."

        $taskSequence = $softwareCenter.GetAvailableApplications() | Where-Object { $_.PackageName -eq "$Name" }

        If ($taskSequence) {

            $taskSequenceProgramID = $taskSequence.ID

            $taskSequencePackageID = $taskSequence.PackageID

            Write-Host "Found task sequence [$name] with package ID [$taskSequencePackageID]."

            # Execute the task sequence

            Try {

                Write-Host "Executing task sequence [$name]..."

                $softwareCenter.ExecuteProgram($taskSequenceProgramID,$taskSequencePackageID,$true)

                Write-Host "Task Sequence executed."

            }

            Catch {

                Throw "Failed to execute the task sequence [$name]"

            }

        }

        Else {

            Write-Host "No Deployments found matching name = [$name]!"

            exit 100

        }

    }

}

Execute-TaskSequence -name "Custom Task Sequence"

SCCM Collection Optimization using PowerShell Script

 SQL Query to Get the current collection evaluation schedule

Select

CG.CollectionName,

CG.SITEID AS [Collection ID],

CASE VC.CollectionType

WHEN 0 THEN ‘Other’

WHEN 1 THEN ‘User’

WHEN 2 THEN ‘Device’

ELSE ‘Unknown’ END AS CollectionType,

CG.schedule, case

WHEN CG.Schedule like ‘%000102000’ THEN ‘Every 1 minute’

WHEN CG.Schedule like ‘%00010A000’ THEN ‘Every 5 mins’

WHEN CG.Schedule like ‘%000114000’ THEN ‘Every 10 mins’

WHEN CG.Schedule like ‘%00011E000’ THEN ‘Every 15 mins’

WHEN CG.Schedule like ‘%000128000’ THEN ‘Every 20 mins’

WHEN CG.Schedule like ‘%000132000’ THEN ‘Every 25 mins’

WHEN CG.Schedule like ‘%00013C000’ THEN ‘Every 30 mins’

WHEN CG.Schedule like ‘%000150000’ THEN ‘Every 40 mins’

WHEN CG.Schedule like ‘%00015A000’ THEN ‘Every 45 mins’

WHEN CG.Schedule like ‘%000100100’ THEN ‘Every 1 hour’

WHEN CG.Schedule like ‘%000100200’ THEN ‘Every 2 hours’

WHEN CG.Schedule like ‘%000100300’ THEN ‘Every 3 hours’

WHEN CG.Schedule like ‘%000100400’ THEN ‘Every 4 hours’

WHEN CG.Schedule like ‘%000100500’ THEN ‘Every 5 hours’

WHEN CG.Schedule like ‘%000100600’ THEN ‘Every 6 hours’

WHEN CG.Schedule like ‘%000100700’ THEN ‘Every 7 hours’

WHEN CG.Schedule like ‘%000100B00’ THEN ‘Every 11 Hours’

WHEN CG.Schedule like ‘%000100C00’ THEN ‘Every 12 Hours’

WHEN CG.Schedule like ‘%000101000’ THEN ‘Every 16 Hours’

WHEN CG.Schedule like ‘%000100008’ THEN ‘Every 1 days’

WHEN CG.Schedule like ‘%000100010’ THEN ‘Every 2 days’

WHEN CG.Schedule like ‘%000100028’ THEN ‘Every 5 days’

WHEN CG.Schedule like ‘%000100038’ THEN ‘Every 7 Days’

WHEN CG.Schedule like ‘%000192000’ THEN ‘1 week’

WHEN CG.Schedule like ‘%000080000’ THEN ‘Update Once’

WHEN CG.SChedule = ” THEN ‘Manual’

END AS [Update Schedule],

Case VC.RefreshType

when 1 then ‘Manual’

when 2 then ‘Scheduled’

when 4 then ‘Incremental’

when 6 then ‘Scheduled and Incremental’

else ‘Unknown’

end as RefreshType,

VC.MemberCount

from

dbo.collections_g CG

left join v_collections VC on VC.SiteID = CG.SiteID

order by

CG.Schedule DESC

Powershell Script to update the evaluation schedule

# site code.

$sitecode = '123'

# name of server hosting the sms provider.

$provider = 'ServerName'

# create a recuring interval token with a cycle of x days.

# the start time will be randomised, but always on the hour.

function new-token($days = 1) {

  $class = gwmi -list -name root\sms\site_$sitecode -class sms_st_recurinterval -comp $provider

  $interval = $class.createinstance()

  $interval.dayspan = $days

  $interval.starttime = get-date (get-date '1/1/2016').addhours((get-random -max 24)) -format yyyyMMddHHmmss.000000+***

  return $interval

}

# get the names of all collections enabled for incremental updates.

function get-incremental() {

  $collections = @()

  gwmi -name root\sms\site_$sitecode -class sms_collection -comp $provider | %{

    $collection = [wmi]$_.__path

    if ($collection.refreshtype -band 4 -and $collection.collectionid -notlike 'sms*') {

      $collections += $collection.name

    }

  }

  return $collections

}

# configure the refresh cycle for an array of collections.

# set $type to 2 for periodic refresh only, and 6 for incremental and periodic.

# set $days to the number days between each periodic refresh.

function set-schedule([array]$collections, $type, $days) {

  $collections | %{

    if (! ($collection = gwmi -name root\sms\site_$sitecode -class sms_collection -comp $provider -filter "name = '$_'")) { return }

    $collection.refreshtype = $type

    $collection.refreshschedule = new-token $days

    #$collection.psbase()

    $collection.put() | out-null

  }

}

# disable incremental updates.

# i.e. enable periodic updates only, with a refresh cycle of 1 day.

function disable-incremental([array]$collections) {

  set-schedule $collections 2 7

}

# enable incremental updates.

# i.e. enable incremental and periodic updates, with a refresh cycle of 7 days.

function enable-incremental([array]$collections) {

  set-schedule $collections 6 7

}

#To retrieve the name of all collections enabled for incremental updates:

#get-incremental

#To disable incremental updates on all collections listed in a file named disable.txt, and enable periodic updates with a daily cycle:

disable-incremental (get-content "C:\Temp\Collection.txt")

#To enable incremental and periodic updates on all collections listed in a file named disable.txt, with a weekly periodic refresh cycle:

#enable-incremental (get-content enable.txt)

Intune Blocking Store App and allow them updated

 Below configuration profile will help to block the store app 

Administrative Templates\Windows Components\Store

Turn off the Store application (User) and set Enabled

Administrative Templates\Start Menu and Taskbar

Do not allow pinning Store app to the Taskbar (User) and set Enabled

Regardless of how you are blocking or allowing the Microsoft Store, remembering that the store needs to be available to allow for apps from Microsoft Intune to be deployed, we should at least configure devices to allow for updates

Administrative Templates\Windows Components\Store

Allow apps from Microsoft app store to auto update

You can also use the remediation script to allow store app auto update

Detection Script

$Path = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"

$Name = "AutoDownloaded"

$Value = 4

Try {

    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name

    If ($Registry -eq $Value){

        Write-Output "Compliant"

        Exit 0

    } 

    Write-Warning "Not Compliant"

    Exit 1

} 

Catch {

    Write-Warning "Not Compliant"

    Exit 1

}

Remediation Script

Write-Host "Required Auto Update"

$store = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"

If (!(Test-Path $store)) {

    New-Item $store

}

Set-ItemProperty $store AutoDownloaded -Value 4