Asset Management with SCSM and SCCM -> SAFE with Provance -> The 80<->20 Story

May 22 2010 Published by Sam under Tech Tips

It is a known principle that 20% of challenges have an 80% negative impact on the business/technological environment.


The converse is 20% of value add processes have an 80% positive impact on the business/technological environment.


In this blog we will be Stepping Away From the Environment (Thanks to my mate Andrew Craig)!!

We will look at the

- People side of Asset Management

- How System Center Configuration Manager addresses the technological challenges

- How the Provance Asset Management completes the story in System Center Service Manager

People side of Asset Management:

Asset Management begins and ends with people and ultimately can cost or add value to a business. I will step away from technology and revisit my first job as a shop assistant, for this is where my first lesson in asset management began: the annual stock take.

The dreaded stock take was the best opportunity for the shop to evaluate the stock levels and get the most accurate figure for its profit or loss on stock.

Damaged goods = financial offset for tax = lost revenue

Missing goods = lost revenue

Hidden goals = discounted sales = lost revenue = new people policies and procedures

With the introduction of technology (bar code readers for the life cycle of stock) and Just In Time stock ordering technology, the retail industry has minimized this loss. The dreaded stock take still goes on to validate the accuracy of the technology and provide visibility into goods missed by the technology tools.

The above retail story is the same challenge faced by the IT industry when it comes to true Asset Management.

System Center Configuration Manager’s role:

In my IT support and Consultancy journey I have often come across the myth that your CMDB and Asset Management challenges will be addressed with SCCM.

I agree partially and will add the statement that SCCM only plays a part in this process. Our IT assets have a life cycle:

- They are born (ordered and received) – Financial Management 10% = People

- Grow up and may lose their way (Configured, Networked and Managed) – Configuration Management (SCCM) 80% = Technology

- Go to technology paradise camp – Asset Disposal Processes and Financial Management 10% = People

Provance and System Center Service Manager:

The most challenging part of true Asset Management is the 20% people part. The illustration below tells the story of how it all begins and ends with the Asset register. The technology part is the CMDB and the automation of the Asset Inventory processes using system management tools like System Center Configuration Manager to feed System Center Service Manager (Your new CMDB repository).


Here are four reasons why Asset Management is a prerequisite for creating a CMDB (thank you to Peter Salfi from Provance for discussing and sharing your thoughts with me).

- The “dots” need to be identified before you start connecting them. Build an Asset Registry first. Focus on identifying and understanding “what” you have to work with before worrying about how they need to come together to form a service.

- An IT Asset Management program allows you to maximize the use of what you have. The appropriate mix of people, processes and technologies provides the necessary foundation for comprehensive and accurate asset information. Once in place, the necessary relationships to define services that drive client-centric value and operational-centric efficiencies can be established.

- Building a CMDB is a journey, not a destination. Starting with a CMDB is impossible. A fundamental core set of data that you can rely on is needed first. Evolve from an Asset Registry to a CMDB. Building a CMDB from scratch cannot be done easily, if at all.

- Starting with Asset Management is the responsible thing to do. Without a reliable starting point, building a CMDB will be time consuming, labour intensive and costly. Establish a proper roadmap to assure your organization takes the right steps in the appropriate sequence to save on effort and expense.

- Microsoft is committed to including IT Asset Management capabilities as part of SCSM.

- Provance IT Asset Management Pack is the only native IT Asset Management solution for Microsoft SCSM developed using the Service Manager common platform.

- Provance IT Asset Management Pack allows IT Asset Managers, Software Asset Managers, IT Service Managers and IT Operations Managers in organizations using SCSM to:

  - Take control of IT costs;

  - Improve IT Service management; and

  - Reduce security and compliance risks.

- Supporting ITIL and the MOF 4.0, Provance IT Asset Management Pack strengthens the IT effectiveness of enterprises and government organizations at every level of the Microsoft Core IO model. Provance IT Asset Management Pack accomplishes this by:

  - Being native to SCSM;

  - Providing Software Asset Management;

  - Providing IT Asset Life Cycle management;

  - Enhancing ITSM; and

  - Leveraging SCSM.

- Provance IT Asset Management Pack

  - Identifies overspending on unused software and compliance risks;

  - Allows contractual, organizational and financial details associated with IT assets to be viewed and managed within the System Center CMDB;

  - Improves decision support with supplemental costs, contract and organizational information.

- For Microsoft Solution Specialists and Technology Specialists, Provance IT Asset Management Pack fulfills customer demand for IT Asset Management and increases the competitiveness of Service Manager.

- For Solution Integrators and Partners of Microsoft Infrastructure solutions, Provance IT Asset Management increases the competitiveness of Microsoft System Center and creates additional engagements and consulting opportunities.

  - Solution Integrators, in working with Provance IT Asset Management Pack, can configure and customize it, using existing knowledge of Microsoft applications and technologies.

Remember you need the 20% of your people commitment and processes to deliver on the rest of the 80% true business value through Asset Management.

Visit the System Center Service Manager site http://www.microsoft.com/systemcenter/en/us/service-manager.aspx

Provance site

http://www.provance.com/


MMS 2010-> The European Volcanic route to Microsoft System Center Service Manager

Apr 29 2010 Published by Sam under Tech Tips

This year’s event promised to be the best of all MMS due to the number of product releases and the opportunity to experience delivery of the vision from MMS 2008.

In this blog I will share

  • How I finally made it to Las Vegas following the Volcanic eruption in Iceland
  • Service Manager 2010 updates and what it means to organizations

How I made it to Las Vegas:

  • Originally scheduled to fly out of London Heathrow Saturday 17th April
  • Flight cancelled – no way to leave the UK
  • Sunday Night caught the ferry to Dublin (Ireland) – All flights cancelled. Met our guide to Dublin on the train (Amy – thank you for all your assistance and yes we are still going to Vegas)
  • Monday news flash – Full schedule of flights announced for Tuesday
  • Tuesday – checked out of the Arlington Hotel (the one on Dame street)
  • All flights cancelled – checked back into the same hotel different room lower volcanic rate
  • Wednesday in our favourite coffee spot in Dublin – news flash flights available from London Heathrow
  • Secured flight for Las Vegas on British Airways – scheduled for Thursday to Las Vegas (gets to Las Vegas for 18:50 local – I might make the closing party)
  • Back on the ferry to the UK Wednesday night, scheduled to arrive in Holyhead (technically Wales) at 00:20 Thursday.
  • Quick detour via Worcester to freshen up for the flight. Train to Paddington and then Heathrow
  • Made the Party in Vegas with an extra bonus!!!
  • Checked into Bob Muglia’s suite at the Palazzo for one night – What a view!! (49th floor this room rocks thank you Stephanie!!!)
  • Now time for some geek stuff — Something about this Service Manager thing…..


Service Manager Updates:

My number one objective for this year’s MMS 2010 was to attend Service Manager Deep Dive session on April 23rd.

The latest entry in the System Center suite, System Center Service Manager 2010, went RTM on 23rd April 2010. I believe Service Manager delivers on the service enabled, process led and user focused story of the dynamic IT initiative. As a platform for integration, organizations with investments in Active Directory, SCCM and/or Operations Manager gain an immediate business benefit by leveraging the configuration items provided by these investments to create a unified view of these investments.

 

Key takeaways from the Service Manager session

  • Step away from the tools – Focus on getting the organizations processes aligned to ITIL and MOF
  • Know your IT Service Management Goals
  • Organization wide coverage – Requires buy in from all stakeholders including your prime customers – End users
  • Business driven approach to implementation – “this is an enabling technology not a process creator/enforcer”

I am playing catch up with the sessions delivered during the week of MMS due to the Volcanic eruption. I fulfilled my goal of attending MMS this year; well I made the after party.

The Service Manager Deep Dive session was worth the trip and I believe it is not about arriving at the destination but how well you travel. The Service Manager journey has begun!!!

 

 

 

 


SCCM Installation/Deployment -> Easy as A B C D – What! no screen shots?

Jul 10 2009 Published by admin under Tech Tips

You have the DVD and a project deadline; now where do you start?

The aim of this article is to provide a general process for deploying a new SCCM site. This process can also be applied to an upgrade (I always view upgrades as an opportunity to improve, so much the same as a new site).

This is a supplement to the extensive resources available and, as a result, does not aim to repeat the online documentation and training material available. I will place links to other resources I found useful in planning and successfully deploying SCCM sites.

We will first cover the tasks to consider and perform before you start the installation (do this before clicking setup.exe and Next Next …..)

Active Directory Tasks

Schema Extension and AD publishing security rights for your site:

This process is recommended if you are deploying SCCM to an Active Directory environment. Ensure you engage with the department/team that owns Active directory schema extension as early as possible. Typically schema extensions require careful planning and have wider implications outside SCCM deployments.

The detailed steps are covered in the online documentation (How to Extend the Active Directory Schema Using ExtADSch.exe). A summary of what is required is:

  • Run the schema extension utility from the installation media – Requires a user with schema admin rights
  • Use ADSIEDIT.MSC (available from the Operating System support files) to create the System Management container under the target domain partition that the SCCM site would be installed in.
  • Create a group for the site server computers that would host the provider role (e.g. DomainX\SCCM Site provider servers).
  • Grant the new group rights to the System Management container and all its child objects. A group is recommended for ease of administration and will mean that new site servers only need to be added to the group to complete future delegation.
  • Note that if you are using groups as described above a reboot of the site server would be required to complete the group membership process.
  • I would also recommend creating a separate group for site system servers (e.g. SUP servers, Distribution point servers). This would give you better flexibility in configuring security at the operating system level

The above would prevent one of the more common AD publishing errors seen in SCCM post site install. This would also impact your client deployments as correct registration of SCCM objects in AD aids in the site discovery and assignment process.

Boundary – Site Scope Tasks

One of the critical areas of your SCCM site is the configuration of site boundaries. Site boundaries basically tell your clients whether they belong to your site or not from the network layer. It is critical that you work with your network team to understand how subnets are assigned to your clients.

Failing to plan and configure site boundaries properly would impact your client deployment (discovery and assignment post installation). Though AD sites can be used, I would only recommend its use in the following scenarios:

  • The AD sites are configured to support SCCM (e.g. remote offices have dedicated AD sites)
  • The SCCM admin is aware of changes to AD sites or is the same person making the changes (In this case a process can be setup to keep SCCM in sync with any changes)

Our experience shows that using Subnets gives the SCCM admin more control and is a better practice. In some cases your SCCM site may span multiple domains and also include DMZ clients/workgroup clients.

Before installing your sites, get a list of all the subnets in use for all clients within the scope of deployment.

  • Work with your network admin team – they have better insights into VLAN configurations etc
  • Check with the DHCP admin – This would give you a logical view of your IP network configuration
  • Remember that the client's subnet mask plays a critical role in which subnet the client actually belongs to (evaluation is done on the client side, not on your SCCM site)
  • Use the description field in SCCM boundaries to document boundary information.

Using subnets takes a bit of time to setup but will save you a lot of pain in the long run.
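The client-side evaluation described in the list above can be checked before deployment. The following is an added example, not part of the original post: it assumes boundaries are entered as subnet IDs and uses constructed host names, addresses and descriptions to show how a client's own mask decides whether it lands inside a boundary.

```python
import ipaddress

# Constructed sample data: subnet IDs entered as site boundaries, with the
# text that would go in the boundary description field (hypothetical values).
BOUNDARIES = {
    "10.20.1.0": "HQ floor 1 (VLAN 101)",
    "10.20.2.0": "HQ floor 2 (VLAN 102)",
    "192.168.50.0": "Remote office",
}

# Constructed client list, e.g. merged from DHCP scopes and the network
# team's records: (host name, IP address, subnet mask set on the client).
CLIENTS = [
    ("WS-001", "10.20.1.25", "255.255.255.0"),
    ("WS-002", "10.20.2.130", "255.255.255.0"),
    ("WS-003", "10.20.2.131", "255.255.0.0"),         # wrong mask on the client
    ("WS-004", "192.168.50.200", "255.255.255.128"),  # subnet split nobody documented
    ("WS-005", "172.16.4.9", "255.255.255.0"),        # subnet missing from the list
]


def client_subnet_id(ip, mask):
    """Subnet ID as the client works it out: its IP address ANDed with its own mask."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return str(iface.network.network_address)


def check_boundaries(clients, boundaries):
    """Split clients into those whose subnet ID matches a boundary and those that do not."""
    covered, uncovered = {}, {}
    for host, ip, mask in clients:
        subnet_id = client_subnet_id(ip, mask)
        if subnet_id in boundaries:
            covered[host] = (subnet_id, boundaries[subnet_id])
        else:
            uncovered[host] = subnet_id
    return covered, uncovered


def subnets_to_review(uncovered):
    """Subnet IDs seen on clients but absent from the boundary list, in address order."""
    return sorted(set(uncovered.values()), key=ipaddress.IPv4Address)


if __name__ == "__main__":
    covered, uncovered = check_boundaries(CLIENTS, BOUNDARIES)
    for host, (subnet_id, description) in covered.items():
        print(f"{host}: inside boundary {subnet_id} ({description})")
    for host, subnet_id in uncovered.items():
        print(f"{host}: subnet ID {subnet_id} matches no boundary")
    print("Review with the network team:", ", ".join(subnets_to_review(uncovered)))
```

WS-003 sits in the same address range as WS-002, yet its mask gives it a different subnet ID, so it falls outside every boundary.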

Create Groups – Security Tasks

I am in favour of careful planning to reduce the amount of times I have to repeat a task. One of the big challenges in SCCM is role based security out of the box. I know this is coming in SCCM Vnext (saw the demo at MMS 2009). In the meantime here is the budget version of how to achieve a form of role based security.

  • Create AD groups in advance for the roles of the users who would access your SCCM console.
    Example Groups | Description
    DomainX\SCCM Global Admins | Full access to the SCCM site
    DomainX\SCCM Full Admins | Full admin rights except site settings – Boundaries etc
    DomainX\SCCM Report Viewers | Permissions to only view reports
    DomainX\SCCM Report Admins | Permissions to create Reports
    DomainX\SCCM SUM Admins | Software update permissions only
  • The first task you should perform after the installation is, copy the rights of the user who installed the site. In my scenario, I use the SCCM Global Admins group.
  • Take time to configure the permissions for the other groups which you create to reflect the roles of users accessing the console (Takes time, however this should be a one off exercise)
  • Setup a process to add users to the groups as and when access is required.
  • Get yourself a coffee/tea or cold drink.

Deployment steps – No screen shots

This section provides high level steps to follow and should act as a to do list in your SCCM deployment.

Central Site – Reporting only

This is deploying a site that would act as a repository/roll up site for your hierarchy (the old Central site concept from SMS 2003)

  • Install SCCM
  • Remove the management point role
  • Enable and configure the reporting point and or SRS reporting point roles
  • Configure Object security permissions

Primary (Deployment) Site – Clients assigned

  • Install SCCM
  • Configure SCCM Object permissions
  • Configure the following properties – Tasks, alerts and status systems (maintenance tasks)
  • Configure site boundaries
  • Prepare Site Systems – Operating system installation of roles like Distribution points etc
  • Assign site system roles – SCCM site configuration
  • Configure site communications – for environments where you have a hierarchy of SCCM sites (Senders etc)
  • Attach sites – Doing this in advance would reduce network traffic associated with site attachments
  • Enable resource discovery (AD discovery methods, network discovery etc) and client installation methods (configure accounts to be used for push installations etc)
  • Enable SCCM features one at a time; start with inventory

Useful links:

Infrastructure Planning and Design Guides

Configuration Manager Documentation Library


SMS2003 to SCCM Agent Migration –> Why Should I pimp My Old Agent

Apr 01 2009 Published by admin under Tech Tips

Introduction

I am a great fan of the program “pimp my ride”. This is a TV program where the producers take an old car and upgrade/rebuild it to a luxury standard car with a few “extras”.

Now you may ask what does this have to do with SMS 2003 to SCCM agent migration? The answer is, this is similar in my view to what you do when you perform an in-place upgrade on the agent.

In this article I explain and expand on an approach and process to get a new luxury agent without using the “pimp my ride” approach (a.k.a in-place upgrade). NB I know on good authority that a lot of work was put into the in-place upgrade and it works. This is just an approach that looks at the alternative method of addressing the same task. We also build on the software distribution approach to the agent upgrade.

The prescribed approach is based on this notion: why upgrade your old car with parts from a new car, when you can scrap the old one and just use the new one as is?

Background

In this process we assume you already have an SMS 2003 infrastructure with SMS 2003 agents deployed. We also assume you have a new installation of an SCCM site. The process focuses on using software distribution to upgrade the SMS 2003 agent to an SCCM agent in a side by side migration scenario.

Summary of process

  1. Create a source folder for the upgrade files
  2. Create a software distribution package to copy the source files to a local directory on all clients
  3. Create a software distribution advertisement which initiates the upgrade process
  4. The upgrade process cleanly removes the old agent including the certificates, then initiates a new installation of the SCCM agent. The agent is also assigned to the new SCCM site in the process.

Detailed steps

Required Software and Utilities:

  • Client installation files from the SCCM site (to reduce size remove non required language files from the pre-requisite files) -\\%SiteServerName%\SMS_%sitecode%\Client
  • The following from the SMS2003 Toolkit – ccmclean.exe and delcert.exe
  • Custom batch file to uninstall SMS2003 (includes old cert deletion) and install SCCM client – (See sample script)

SCCM Site prerequisites:

  • Create site boundaries – subnets recommended
  • Set site to manual approval of clients
  • Set site to only accept SCCM clients


SMS2003 Site prerequisites:

  • Create Copy Source Package and Program
  • Create a package source folder (e.g., SMS-SCCM-Migrate) with a subfolder called sources
  • Copy the required upgrade files to the sources subfolder (including ccmclean and delcert) and place the script in the root folder
  • Program command line %systemroot%\system32\cscript.exe copySources.vbs – CopySources.vbs is a custom script written by Joe Erskine

See end of article for Script

    You need to modify the parameters in the batch file (e.g., your MP FQDN etc)
  • The migration process does not return a program successfully run under the SMS2003 site. Confirmation of success is when the client reports into the SCCM site for approval.
  • Use the fallback status point reports to track status of installation.


This approach has an additional benefit in that your agent health can be validated by the initial software distribution to copy the source file to the client.

Copy Sources:

'==========================================================================
' VBScript Source File
' NAME:    copySources.vbs
' AUTHOR:  Joe Erskine
' DATE:    18/07/2006
' VERSION: 1.0
' COMMENT: SMS script to copy source files. Set the destination path in strTargetPath and place
'  files/folders to be copied in a sub-folder called Source in the package source directory.
'  E.g. if the package source is C:\Test, place this script in C:\Test and the files/folders to transfer in C:\Test\Source
' USAGE:   cscript copySources.vbs
'===============
'Version Control
'===============
'Ver #:
'Modified By:
'Date Modified:
'Details:
'===================
'End Version Control
'===================
'==========================================================================

Option Explicit
On Error Resume Next

'======================
'User Defined Variables
'======================

Dim strTargetPath   '<- Path to copy files/folders to, created if it doesn't exist
Dim strWinDir       '<- Windows installation directory

'Get the Windows installation directory path
strWinDir = fGetWindowsDirectory()

'<- If you need to copy to the Windows directory then use:
' strTargetPath = strWinDir & "Your Path Here"
' E.g. strTargetPath = strWinDir & "\System32\MyFiles"

strTargetPath = "C:\Install\SMS-SCCM-Migrate\"

'==============
'Global Objects
'==============

Dim objFS
Dim objItem
Dim objFolder
Dim objShell
Dim objNetwork
Dim colItems
Dim strScriptPath
Dim strCacheRoot
Dim strSource
Dim intError : intError = 0
Dim strComment

Const FOR_READING = 1
Const FOR_WRITING = 2
Const FOR_APPENDING = 8
Const CMD_MINIMIZED = 2
Const CMD_WAIT = True
Const OVERWRITE_EXISTING = True

'=====
'START
'=====

'Folder the script runs from (with trailing backslash) and its Source sub-folder
strScriptPath = Left(WScript.ScriptFullName, _
    Len(WScript.ScriptFullName) - Len(WScript.ScriptName))
strSource = strScriptPath & "Source"
strCacheRoot = Left(strScriptPath, (Len(strScriptPath)) - 1)

'Build the text that is written to the Application event log at the end
strComment = "SMS Source Files Transfer Script" & vbNewLine
strComment = strComment _
    & "************************************************************" & vbNewLine
strComment = strComment & "Start Time:" & vbTab & Now & vbNewLine
strComment = strComment & "Source Folder:" & vbTab & strSource & vbNewLine
strComment = strComment & "Target Folder:" & vbTab & strTargetPath & vbNewLine
strComment = strComment _
    & "************************************************************" & vbNewLine

Set objFS = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
Set objNetwork = CreateObject("WScript.Network")

'Delete this script file from the folder it was run from
If objFS.FileExists(WScript.ScriptFullName) Then objFS.DeleteFile(WScript.ScriptFullName)

WScript.Echo strScriptPath
WScript.Echo strCacheRoot

If Len(strTargetPath) > 0 Then
    If Not objFS.FolderExists(strTargetPath) Then
        'Target folder doesn't exist so create it
        strComment = strComment & "Creating Folder:" & vbTab & strTargetPath & vbNewLine
        objShell.Run "%comspec% /c MD " & """" & strTargetPath & """", CMD_MINIMIZED, CMD_WAIT
        WScript.Sleep 2000
        If Not objFS.FolderExists(strTargetPath) Then
            intError = intError + 1
            strComment = strComment & "ERROR: Unable to create target folder -> " & strTargetPath & vbNewLine
        End If
    End If

    If intError = 0 Then
        'Make sure the target path ends with a backslash
        If Right(strTargetPath, 1) <> "\" Then
            strTargetPath = strTargetPath & "\"
        End If

        Set objFolder = objFS.GetFolder(strSource)

        'Move each file in Source, skipping files that already exist in the target
        For Each objItem In objFolder.Files
            If objFS.FileExists(strTargetPath & objItem.Name) Then
                strComment = strComment & "ERROR: Target file already exists -> " _
                    & strTargetPath & objItem.Name & vbNewLine
                strComment = strComment & vbTab & "- Skipping move operation" & vbNewLine
            Else
                strComment = strComment & "Moving -> " _
                    & objItem.Path & vbNewLine
                WScript.Echo objItem.Path
                Err.Clear
                objFS.MoveFile objItem.Path, strTargetPath
                If Err <> 0 Then
                    strComment = strComment & vbTab _
                        & "  - ERROR: " & Err.Number & Err.Description & vbNewLine
                    intError = intError + 1
                End If
            End If
        Next

        'Move each sub-folder of Source. An existing target folder is deleted;
        'note that the source folder is not moved in that same pass.
        For Each objItem In objFolder.SubFolders
            If objFS.FolderExists(strTargetPath & objItem.Name) Then
                strComment = strComment & "ERROR: Target folder already exists -> " _
                    & strTargetPath & objItem.Name & vbNewLine
                strComment = strComment & vbTab & "- Deleting target folder" & vbNewLine
                objFS.DeleteFolder(strTargetPath & objItem.Name)
            Else
                strComment = strComment & "Moving -> " _
                    & objItem.Path & vbNewLine
                WScript.Echo objItem.Path
                Err.Clear
                objFS.MoveFolder objItem.Path, strTargetPath
                If Err <> 0 Then
                    strComment = strComment & vbTab _
                        & "  - ERROR: " & Err.Number & Err.Description & vbNewLine
                    intError = intError + 1
                End If
            End If
        Next
        Set objFolder = Nothing
    Else
        intError = intError + 1
    End If
Else
    strComment = strComment & "ERROR:" & vbTab _
        & "No Target path specified" & vbNewLine
End If

strComment = strComment _
    & "************************************************************" & vbNewLine
strComment = strComment & "Exit Code:" & vbTab & intError & vbNewLine
strComment = strComment & "************************************************************"

Call fLogEvent(strComment)

Set objShell = Nothing
Set objFS = Nothing
Set objNetwork = Nothing

'The exit code is the number of errors counted
WScript.Quit(intError)

'===
'END
'===

'=========
'Functions
'=========

'******************************************************************************
'* Name:  fLogEvent(strEventInfo)
'* Function: Write script run time log to the Application Event Log
'******************************************************************************

Function fLogEvent(strEventInfo)
    '4 = information event, written on the local computer
    objShell.LogEvent 4, strEventInfo, "\\" & objNetwork.ComputerName
End Function

'******************************************************************************
'* Name:  fGetWindowsDirectory()
'* Function: Returns a string with the Windows installation directory
'******************************************************************************

Function fGetWindowsDirectory()
    Dim colItems
    Dim objItem
    Dim objWMIService
    Dim strValue

    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\.\root\cimv2")

    Set colItems = objWMIService.ExecQuery("Select * From Win32_OperatingSystem")

    For Each objItem In colItems
        strValue = objItem.WindowsDirectory
    Next

    Set objWMIService = Nothing

    fGetWindowsDirectory = strValue
End Function


SMS and SCCM Patch management –> An automated security update rollback process

Mar 01 2009 Published by admin under Tech Tips

Introduction

SMS and SCCM give us the ability to build a process for fully automated patch deployment. A healthy site with healthy clients generally leads to a “smooth” automated patch deployment process.

One of the first challenges I faced as an SMS/SCCM administrator was answering the change management question “what is the rollback process for patch deployment?” The only answer available is manual rollback (all hands on deck). This presents a major challenge if you do not have resources readily available during an emergency rollback scenario. Why not use your automated patch deployment tool to address this challenge?

In this article, I provide a method for rolling back security patches in line with Microsoft best practices. This process only applies to patches deployed to Windows Server 2003, Windows XP and below operating systems. I am working on updating the process for Vista and Windows Server 2008.

Background to process

The background to this rollback process is given in the article “Removing Windows software updates in the wrong order may cause the operating system to stop functioning”.

The recommended method for rolling back patches is to remove patches in the reverse order of installation. This recommendation is based on the fact that most patches update the same DLLs etc. So in a scenario where 3 patches update the same DLL,

  • Install Patch 1 (DLL updated to V1 backup original DLL for rollback)
  • Install Patch 2 (DLL updated to V2 backup V1 DLL for rollback)
  • Install Patch 3 (DLL updated to V3 backup V2 DLL for rollback)

Removing patch 2 will return the DLL to V1 and lose the update made by patch 3. So how do we keep the system consistent and not lose other updates? The answer is to roll back all patches and redeploy without the unwanted patch(es). Another challenge is, can this be automated?

In order to achieve the above, we first need to establish the original order of deployment and create an automated rollback deployment using SMS/SCCM software distribution.

Summary of process

  1. Query the client for all patches deployed and list by installation date time order.
  2. All patches for the latest date listed to be removed (in general deployments would be for same day and not across multiple days)
  3. Run spuninst.exe for the patch(es) to remove in the reverse order from the %SystemRoot%\$NtUninstall[KBArticleNumber]$\
  4. Steps 1 to 3 achieved with a VB script delivered as a standard software distribution package advertisement
  5. Initiate rollback by advertising to SMS/SCCM clients in scope using a collection
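
A model of steps 1 to 3 in Python, added here as an illustration and not the script supplied with this post: it works on a constructed folder listing with placeholder KB numbers, picks the latest install date, and returns the uninstall folders newest first, including the cases of patches installed on consecutive days and two folders created in the same second. The function names and the C:\WINDOWS default are assumptions.

```python
from datetime import datetime

# Constructed sample listing of %SystemRoot% subfolders: (name, creation time).
# The KB numbers are placeholders, not real article numbers.
SAMPLE_FOLDERS = [
    ("$NtUninstallKB000001$", datetime(2009, 1, 13, 3, 2, 10)),
    ("$NtUninstallKB000002$", datetime(2009, 2, 10, 3, 1, 5)),    # day before the last batch
    ("$NtUninstallKB000003$", datetime(2009, 2, 11, 9, 15, 0)),
    ("$NtUninstallKB000004$", datetime(2009, 2, 11, 10, 2, 30)),
    ("$NtUninstallKB000005$", datetime(2009, 2, 11, 10, 2, 30)),  # same second as KB000004
    ("system32", datetime(2009, 2, 12, 8, 0, 0)),                 # not an uninstall folder
]

# Switches passed to spuninst.exe by the script on this page.
SWITCHES = "/quiet /passive /norestart"


def is_uninstall_folder(name):
    """True for $NtUninstall...$ folders, compared without regard to case."""
    lowered = name.lower()
    return lowered.startswith("$ntuninstall") and lowered.endswith("$")


def rollback_plan(folders):
    """Names of the uninstall folders for the latest install date, newest first."""
    candidates = [(created, name) for name, created in folders
                  if is_uninstall_folder(name)]
    if not candidates:
        return []
    # Step 2: the latest calendar date on which any patch was installed.
    latest_day = max(created.date() for created, _ in candidates)
    batch = [item for item in candidates if item[0].date() == latest_day]
    # Step 3: reverse order of installation. Folders created in the same
    # second are all kept; the name only makes their order repeatable.
    batch.sort(reverse=True)
    return [name for _, name in batch]


def rollback_commands(folders, windir=r"C:\WINDOWS"):
    """Command lines to run, in order, for a dry-run log or a live rollback."""
    commands = []
    for name in rollback_plan(folders):
        exe = "\\".join([windir, name, "spuninst", "spuninst.exe"])
        commands.append(exe + " " + SWITCHES)
    return commands


if __name__ == "__main__":
    # Dry run: list what would be executed, newest patch first.
    for line in rollback_commands(SAMPLE_FOLDERS):
        print("WOULD RUN:", line)
```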

Script and Sample Screenshots

The script supplied is set to log-only mode (change the testmode parameter to 0 to put it in live mode). Both modes create a hotfixundo.log file on the C:\ drive. Script kindly written by Gavin Woodall.

Copy the script to notepad and save as hotfix_undo_Live.vbs (or to any preferred name). In my case I have a package called Patch Rollback – Live. The Data Source is a package directory called Patch_Rollback (store the vbs script here and reference during package creation)


Create a program for the package using the following command line : cscript %scriptname% (in my case %scriptname% = Hotfix_undo_live.vbs). Ensure that the program is set to run whether or not a user is logged on for non interactive deployments/advertisements.


Create an advertisement for the package. Do not leave on a recurring schedule!!! – This would remove all patches from the targeted clients.


SMS 2003 Process: After each rollback create a new program (by default you will not be able to use the same program again if it has successfully run on a client). I create a new program every month just to be sure.

SCCM Process note: SCCM overcomes the SMS 2003 limitation because programs can be rerun even when successful


Copy Below to notepad and save as hotfix_undo_live.vbs (change testmode to 0 to make live)

' Script to enumerate last applied hotfixes, and rollback

On Error Resume Next
Const forappending = 8
Const forwriting = 2
Const forreading = 1
Const dictKey  = 1
Const dictItem = 2

' **********set to 0 to get out of testmode**********
testmode = 1
' ***************************************************

logpath = "C:\hotfixundo.log"

Set fso = CreateObject("Scripting.FileSystemObject")
' Special folder 0 is the Windows directory
Set windir = fso.GetSpecialFolder(0)
Call stamplog("*************************************************************")
Call stamplog("Starting process, windows directory is " & windir.Path)

lastdate = ""
' enumerate subfolders, check date.
For Each subfolder In windir.SubFolders
    If InStr(LCase(subfolder.Name), "$ntuninstall") <> 0 Then
        If lastdate = "" Then
            lastdate = subfolder.DateCreated
        End If
        ' a folder created on any later calendar day becomes the new latest date
        If DateDiff("d", lastdate, subfolder.DateCreated) > 0 Then
            lastdate = subfolder.DateCreated
        End If
    End If
Next

Call stamplog("Latest date found for uninstall folder is " & lastdate)

' loop again, creating a list of directories to be targeted.
Set list = CreateObject("Scripting.Dictionary")

Call stamplog("Processing the following directories:")
For Each subfolder In windir.SubFolders
    If InStr(LCase(subfolder.Name), "$ntuninstall") <> 0 Then
        ' keep only folders created on the same calendar day as lastdate
        If DateDiff("d", lastdate, subfolder.DateCreated) < 1 And DateDiff("d", lastdate, subfolder.DateCreated) >= 0 Then
            list.Add subfolder.DateCreated, subfolder.Path
            Call stamplog(subfolder.Path)
        End If
    End If
Next

' sort dictionary
SortDictionary list, dictKey

' loop through list, shell out to run spuninst for each directory, last first
For Each location In list
    Call stamplog("Launching " & list.Item(location) & "\spuninst\spuninst.exe")
    Err.Clear
    If testmode = 0 Then
        Run list.Item(location) & "\spuninst\spuninst.exe /quiet /passive /norestart"
    Else
        Call stamplog("***TESTMODE - Uninstall NOT run***")
    End If
Next
Call stamplog("Finished at " & Date & " " & Time)

‘ Stamp line of text to specified logfile
sub stamplog(text)
Set objFSO = CreateObject(“Scripting.FileSystemObject”)
Set objTextFile = objFSO.OpenTextFile _
(logpath, Forappending, True)
objtextfile.writeline(text)
wscript.echo (text)
objTextFile.Close
end sub

‘ Run function
Function Run (ByVal cmd)
Dim sh: Set sh = CreateObject(“WScript.Shell”)
Dim wsx: Set wsx = Sh.Exec(cmd)
If wsx.ProcessID = 0 And wsx.Status = 1 Then
‘ (The Win98 version of VBScript does not detect WshShell.Exec errors)
Err.Raise vbObjectError,,”WshShell.Exec failed.”
End If
Do
Dim Status: Status = wsx.Status
WScript.StdOut.Write wsx.StdOut.ReadAll()
WScript.StdErr.Write wsx.StdErr.ReadAll()
If Status <> 0 Then Exit Do
WScript.Sleep 10
Loop
Run = wsx.ExitCode
End Function

‘ Runs an internal command interpreter command.
Function RunCmd (ByVal cmd)
RunCmd = Run(“%ComSpec% /c ” & cmd)
End Function

‘ Sort function
Function SortDictionary(objDict,intSort)
‘ declare our variables
Dim strDict()
Dim objKey
Dim strKey,strItem
Dim X,Y,Z

‘ get the dictionary count
Z = objDict.Count

‘ we need more than one item to warrant sorting
If Z > 1 Then
‘ create an array to store dictionary information
ReDim strDict(Z,2)
X = 0
‘ populate the string array
For Each objKey In objDict
strDict(X,dictKey)  = CStr(objKey)
strDict(X,dictItem) = CStr(objDict(objKey))
X = X + 1
Next

‘ perform a a shell sort of the string array
For X = 0 to (Z – 2)
For Y = X to (Z – 1)
If StrComp(strDict(X,intSort),strDict(Y,intSort),vbTextCompare) > 0 Then
strKey  = strDict(X,dictKey)
strItem = strDict(X,dictItem)
strDict(X,dictKey)  = strDict(Y,dictKey)
strDict(X,dictItem) = strDict(Y,dictItem)
strDict(Y,dictKey)  = strKey
strDict(Y,dictItem) = strItem
End If
Next
Next

‘ erase the contents of the dictionary object
objDict.RemoveAll

‘ repopulate the dictionary with the sorted information
For x=(z-1) to 0 step -1
‘    For X = 0 to (Z – 1)
objDict.Add strDict(X,dictKey), strDict(X,dictItem)
Next

End If

End Function

Additional Notes:

Every security update has a Removal information section listed under Security Update Deployment. So for MS09-001 you would find the text below for the XP operating system: http://www.microsoft.com/technet/security/Bulletin/MS09-001.mspx

Removal Information

Use Add or Remove Programs tool in Control Panel or the Spuninst.exe utility located in the %Windir%\$NTUninstallKB958687$\Spuninst folder
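
The rollback script appends every run to C:\hotfixundo.log, so logs collected from clients show whether a rollback really ran live or only in test mode. The parser below is an added example, not part of the original post; the sample log, its dates, the KB0000001 folder and the verdict labels are constructed for illustration.

```python
import re
FOLDER = re.compile(r"\$ntuninstall([^$\\]+)\$", re.IGNORECASE)

# Constructed sample of C:\hotfixundo.log: a test-mode run, then a live run cut short.
SAMPLE_LOG = r"""*************************************************************
Starting process, windows directory is C:\WINDOWS
Latest date found for uninstall folder is 1/14/2009 3:12:45 AM
Processing the following directories:
C:\WINDOWS\$NtUninstallKB958687$
C:\WINDOWS\$NtUninstallKB0000001$
Launching C:\WINDOWS\$NtUninstallKB0000001$\spuninst\spuninst.exe
***TESTMODE - Uninstall NOT run***
Launching C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe
***TESTMODE - Uninstall NOT run***
Finished at 1/15/2009 9:00:01 AM
*************************************************************
Starting process, windows directory is C:\WINDOWS
Latest date found for uninstall folder is 1/14/2009 3:12:45 AM
Processing the following directories:
C:\WINDOWS\$NtUninstallKB958687$
C:\WINDOWS\$NtUninstallKB0000001$
Launching C:\WINDOWS\$NtUninstallKB0000001$\spuninst\spuninst.exe
"""

def parse_runs(text):
    """One dict per run; a run starts at each line of asterisks the script writes."""
    runs = []
    for chunk in re.split(r"(?m)^\*+\s*$", text)[1:]:  # drop text before the first run
        run = {"targets": [], "launched": [], "test_mode": False, "finished": False}
        for line in map(str.strip, chunk.splitlines()):
            if line.startswith("***TESTMODE"):
                run["test_mode"] = True
            elif line.startswith("Finished at"):
                run["finished"] = True
            elif (m := FOLDER.search(line)):
                field = "launched" if line.startswith("Launching") else "targets"
                run[field].append(m.group(1).upper())
        runs.append(run)
    return runs

def verdict(run):
    if run["test_mode"]:
        return "TEST-ONLY"    # spuninst.exe was logged but never executed
    if not run["finished"] or set(run["targets"]) != set(run["launched"]):
        return "INCOMPLETE"   # script stopped early, or a listed folder was never launched
    return "LIVE" if run["launched"] else "NOTHING-TO-DO"

if __name__ == "__main__":
    print([(verdict(r), r["launched"]) for r in parse_runs(SAMPLE_LOG)])
```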


ITMU to SCCM Patch management –> A process approach

Feb 25 2009 Published by admin under Tech Tips

Introduction

Having worked extensively with ITMU in SMS 2003 for datacenter patch management of servers, I welcomed the new architecture promised for SCCM.

If you are using ITMU now and are new to SCCM, here is a high-level summary of the patch management components:

  • SCCM clients are scanned using the client's Windows Update Agent (WUA)
  • WSUS is used as the scan catalog, known as a SUP (basically WSUS dedicated to SCCM, and no more 5MB local catalog downloads to all clients)
  • The download and execute option now does a scan first and downloads only the required updates
  • Security updates are categorized as in native WSUS, and you now have the ability to deploy non-security updates, including service packs.
  • Status of patch deployment is provided in near real-time (well, every 15 minutes by default) by state messages; it no longer uses advertisement reports and hardware inventory. I have an earlier blog that shows you how you can get basic information collected using hardware inventory.

Below is a link to a very good whitepaper providing extensive details.

Configuration Manager Software Updates Management Guidance – Migration from ITMU.doc

My aim in this article (blog) is to give you a field view of what it means to translate these changes into existing processes. In a nutshell going from reading about it to using it.

SCCM SUM Reduces Wizard Screens?

A statement I have read many times about SCCM is that it reduces the old ITMU wizard screens from 18 to about 7. I disagree, and will qualify it: this holds only if you use the power and flexibility of the templates under deployment management.

If you are like me, the first thing you do with a new version of a product is to make it work like the old one (how many people turned the WK3 interface into W2K?).

My attempt at an ITMU to SCCM translator below should hopefully ease some of your pain.

ITMU to SCCM translator

| SMS 2003 ITMU | SCCM Software Updates Management (SUM) |
|---|---|
| ITMU Scan Tool | Software updates scan agent |
| Recurring ITMU Scan Tool Advertisement | Software updates scan agent schedule – WUA scan using SUP (SCCM dedicated WSUS) |
| Advertisements | Deployments |
| Packages (one to one relationship with selected patches) | Deployment Packages (selected patches not linked to one package; will search all packages on the DP and download from any package) |
| Advertisement Start time | Deployment Deadline |
| Expiring Advertisements | Use maintenance window on targeted collection with Recurrence set to None. TIP: Advertisement Start Time = Deployment Deadline = Maintenance Windows start. Expiry time = Maintenance Window End |

Useful and New to SCCM

Now let's take a closer look at the SUM components and a sample patch management process.

Summary of the steps for a sample process:

  1. Create a search folder to group security updates
  2. Create an empty collection with no members (to be used for the deployment templates)
  3. Create a deployment template (I create two; 1 for Patch Only and 1 for Patch with Reboot)
  4. Create a folder for storing the source files for packages
  5. Create an update list (e.g. Select required patches for your deployment), specify download updates to create the package.
  6. Drag the update list onto the deployment template to create the deployment (Deployment type will be determined by the template in this case)
  7. Create a maintenance window for the collection to be targeted
  8. Modify the Deployment by changing the collection specified (inherited from the template) and also the deadline date and time.

Detailed steps:

Update Repository: this is where the software updates are displayed and categorized. Shows all software updates depending on what you have selected under the SUP (WSUS) configuration.


  • Search Folders: allow you to group software updates logically for ease of selection when creating deployment packages. In my example I have a master search folder for all Security patches and one folder for every year from 2003 – 2009. Use a search criterion on Bulletin ID with % as the wildcard, so for 2009 it would be MS09%


  • Create an empty collection: I am a great fan of placeholder collections. I use them as a safety check before targeting the real collections. In this case I created a collection called [image] with no members (safe to ignore the warning).
  • Create deployment templates: Now this is where the reduction in wizard pages takes place. Right-click the deployment templates node and select new deployment template. Once created, using the template significantly reduces the number of wizard screens. I created two, one with suppressed reboots and the other without.


  • Create a package source folder: I typically create a top-level folder for all packages and then sub-folders for categories of packages. In this example process we will use a subfolder called “Security_Updates”


  • Create an update list: Using the “All Security updates” search folder as an example, select the security updates required for the SUM package. Selection is now much better, as you can use the Shift key and the Control key to block select security updates.


Select download updates during the creation of the update list. You can create a new package or select an existing package. NB: be sure to specify a new subdirectory as part of the UNC path to the package directory. If you do not specify a subdirectory, all updates are placed in the root folder (near impossible to tidy up when you delete a package).


  • Create a deployment (replaces advertisements in the ITMU deployment process): Drag and drop the update list onto a deployment template. In this example we use the patch only template. Notice that the collection used is the placeholder we created and selected for our template. In addition, the suppress restart setting and any other general properties are inherited from the template. This is the magic of the wizard reduction I mentioned. Modify the settings to the required deployment deadline and target collection.


Monitor the deployment using the new Software Updates category reports.
