Manually publish the default management point to DNS on Windows Server

It is sometimes useful to publish the default management point in DNS. I use this option when the ConfigMgr agent is unable to locate the management point in Active Directory, for example clients in an untrusted forest or a workgroup that cannot read the System Management container. Keep in mind that a client which finds its management point through DNS trusts whatever the SRV record points at: anyone who can write that record, or spoof the answer, can redirect clients to a rogue management point. Publish into a zone that only allows secure dynamic updates, create the record by hand, and prefer HTTPS client communication so the client at least validates the management point's server certificate.

1. In the DNS management console, open the zone that matches the DNS suffix of the site's default management point and make sure host (A or AAAA) records exist for the intranet FQDNs of the site systems. Domain-joined servers normally register these themselves, so this step is often already done.

2. Using the Other New Records option, click Service Location (SRV) in the Resource Record Type dialog box, click Create Record, enter the following information, and then click Done:

– Domain: If necessary, enter the DNS suffix of the management point, for example

– Service: Type _mssms_mp_<sitecode>, where <sitecode> is the management point’s site code.

– Protocol: Type _tcp.

– Priority: This field is not used because there is only one management point published for each site – the default management point. Internet-based management points are not published to DNS.

– Weight: Not used, for the same reason.

– Port number: Enter the port the site uses for client requests: 80 for HTTP client communication (a ConfigMgr 2007 mixed mode site) or 443 for HTTPS (a ConfigMgr 2007 native mode site, or a ConfigMgr 2012 management point configured for HTTPS).

– Host offering this service: Enter the intranet fully qualified domain name specified for the site system configured with the default management point site role.

To verify the record, do the following from a command prompt:

1.Type nslookup, and then press ENTER.

2.Type set type=SRV, and then press ENTER.

3.Type _mssms_mp_<sitecode>._tcp.<Domain Name>, and then press ENTER
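The same publish-and-verify procedure as an added example in PowerShell (not part of the original post), using the DnsServer module that ships with Windows Server 2012 and later. The site code P01, the zone demo.local and the management point name sccm01.demo.local are assumed values. The script refuses to overwrite an existing SRV record that points somewhere else, because a silently changed target is exactly what a rogue management point would look like.

```powershell
# Added example: publish the default MP SRV record and verify it, with a guard against
# overwriting a record that already points at a different host. All names are assumed.
$SiteCode = 'P01'                    # assumed site code
$ZoneName = 'demo.local'             # assumed zone; must match the clients' DNS suffix
$MpFqdn   = 'sccm01.demo.local'      # assumed intranet FQDN of the default MP
$Port     = 443                      # 80 for HTTP, 443 for HTTPS client communication

$RecordName = "_mssms_mp_$SiteCode._tcp"

$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName `
                -RRType Srv -ErrorAction SilentlyContinue
if ($existing) {
    $target = $existing.RecordData.DomainName.TrimEnd('.')
    if ($target -ne $MpFqdn) {
        # Do not "fix" this automatically: find out who changed it first.
        throw "SRV record already exists and points at '$target', not '$MpFqdn'."
    }
    Write-Host "Record $RecordName.$ZoneName already present and correct."
} else {
    # Priority and weight are 0: there is only one default MP per site.
    Add-DnsServerResourceRecord -Srv -ZoneName $ZoneName -Name $RecordName `
        -DomainName $MpFqdn -Priority 0 -Weight 0 -Port $Port
}

# Verify from the client's point of view (same result as the nslookup steps above)
Resolve-DnsName -Name "$RecordName.$ZoneName" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port, Priority, Weight
```

Run it on the DNS server (or from a machine with the DNS Server RSAT tools) as an account that may write to the zone; the final Resolve-DnsName can be repeated from any client to confirm the record is visible where the agents will look for it.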

Posted in SCCM 2012

Cross Forest Firewall Ports

The following table lists the ports that need to be open for cross-forest client management. TCP 135 is only the RPC endpoint mapper: the RPC and WMI calls it brokers (distribution point installation, for example) then use dynamic high ports, so those must be allowed as well, or restricted to a fixed range on the remote host.

Local domain                Direction   Remote domain           TCP                                   UDP
Primary site server         <->         Domain controller       135, 139, 389, 445, 464, 3268, 3269   53, 88, 123, 137, 138, 389, 464
Site database server        <-          Management point        1433, 1434                            1433, 1434
Primary site server         <->         Distribution point      135
Upstream WSUS server        <-          Software update point   8530 or 80, 8531 or 443
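An added check (not from the original post) that walks the TCP side of the table above with Test-NetConnection, which is available on Windows 8 / Server 2012 and later. The host names are assumed placeholders; run it from the host on the "local" side of each row. Test-NetConnection only exercises TCP, so the UDP ports (Kerberos 88, NTP 123, NetBIOS 137/138, LDAP 389, DNS 53, SQL Browser 1434) still have to be confirmed from the firewall logs or a packet capture.

```powershell
# Added example: test the TCP ports from the cross-forest table. Host names are assumed.
$Targets = @(
    @{ Role = 'Domain controller (remote forest)'; Host = 'dc01.remote.local'
       Ports = 135, 139, 389, 445, 464, 3268, 3269 }
    @{ Role = 'Site database (from the MP)';       Host = 'sql01.demo.local'
       Ports = 1433, 1434 }
    @{ Role = 'Distribution point';                Host = 'dp01.remote.local'
       Ports = 135 }
    @{ Role = 'Upstream WSUS server';              Host = 'wsus01.demo.local'
       Ports = 8530, 8531 }
)

$results = foreach ($t in $Targets) {
    foreach ($p in $t.Ports) {
        $r = Test-NetConnection -ComputerName $t.Host -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role = $t.Role
            Host = $t.Host
            Port = $p
            Open = $r.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize
# Anything listed here is a firewall rule (or a listener) that is still missing
$results | Where-Object { -not $_.Open }
```

A closed port shows up as Open = False; a port that is open but has no service behind it also fails, so check the listener on the remote side before blaming the firewall.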
Posted in SCCM 2012

Triggering an Orchestrator Runbook from Powershell

Orchestrator is an awesome tool to automate and streamline processes, but as soon as you want to trigger some of those runbooks from outside Orchestrator it can get a bit complicated.

In this post I will try to explain how to trigger runbooks from PowerShell and how to find the IDs needed to pass parameters to the runbooks.

First, let us create a simple demo runbook.

Configure the Initialize Data activity with two parameters, Servername and IP Address.

Then configure a Send Platform Event activity to write the two parameters from Initialize Data.

I have slightly modified the PowerShell script it is based on: I wanted the script to be a bit more versatile, so I changed the way it is run.



Run the script like this:



.\StartRunbook.ps1 -server SCORCH01.DEMO.LOCAL -RunbookID 7701910d-73d2-42b4-8c13-295c3b4c726e -Parameters '"63cc5247-5332-4819-abb7-338deaf9dd2c" = "TESTVALUE"'

Finding the IDs needed can be quite a hassle. Here are a few examples:

Finding the Runbook ID

From a VB script.

Change SQLServer and Database variable before running the script



NOTE: Script will return all Runbook IDs

Or simply open the SQL management tool and execute the following query against the database

SELECT UniqueID, Name FROM POLICIES WHERE Deleted = '0' AND Name = 'Demo01'

Finding Parameter IDs

Locate the ID of the Runbook you want to use, open an internet browser and go to your Orchestrator web service address by typing something like this:

http://<SCORCH SERVER NAME>:81/Orchestrator2012/Orchestrator.svc/Runbooks(guid'<RUNBOOK ID>')/Parameters



This returns an Atom/XML feed listing the runbook's parameters, similar to the following screenshot.

Locate the names of your parameters in the Initialize Data activity of the runbook, then match them with the ID in the corresponding <d:Id m:type="Edm.Guid"></d:Id> element.

You should now be able to trigger the runbook from the script by running the following command:
.\StartRunbook.ps1 -server SCORCH01.DEMO.LOCAL -RunbookID EB9A4EEB-D5BD-4A6E-8125-B1FDDC7132E8 -Parameters '"9cfd8f22-2c2d-4eef-8861-ed855dd286ff" = "","5ff1d8e1-d6a1-4433-a646-5cddd93a9452" = "SERVER001"'

Posted in SCORCH 2012

Listing Task Sequence Variables and their values

I often need to know which task sequence variables have been defined during an OS deployment. To do that I use the following VBScript.

Dim Var, TSEnv
' The TSEnvironment COM object only exists while a task sequence is running
Set TSEnv = CreateObject("Microsoft.SMS.TSEnvironment")
For Each Var In TSEnv.GetVariables()
    WScript.Echo Var & ":" & TSEnv(Var)
Next

Run the script from a command prompt during a deployment to list the variables and their values. Bear in mind that the list includes credential-bearing variables (the domain join password in OSDJoinPassword and the _SMSTSReserved* network access account variables, for example), so read it on screen or send it to a log that does not stay behind on the deployed machine.
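The same listing as an added PowerShell example (not from the original post), with the values of credential-like variables redacted so the output can be pasted into a ticket or kept in a log. It assumes it runs inside a running task sequence, where the Microsoft.SMS.TSEnvironment COM object exists; the name pattern used for redaction is my own choice.

```powershell
# Added example: list task sequence variables, redacting anything that looks like a secret.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Assumed pattern: OSDJoinPassword, OSDLocalAdminPassword, SMSTSNetworkAccessPassword ...;
# the _SMSTSReserved* variables carry the network access account and are always hidden.
$secretPattern = 'Password|Pwd|Secret|Key'

$report = foreach ($name in ($tsenv.GetVariables() | Sort-Object)) {
    $value = $tsenv.Value($name)
    if ($name -match $secretPattern -or $name -like '_SMSTSReserved*') {
        $value = '<redacted>'
    }
    [pscustomobject]@{ Variable = $name; Value = $value }
}

# Wide output so long values such as _SMSTSMediaType paths are not truncated
$report | Format-Table -AutoSize | Out-String -Width 4096
```

Run it from a Run Command Line step (powershell.exe -ExecutionPolicy Bypass -File ...) or from the F8 debug prompt; redirect the output to the log share rather than to the local disk if it has to be kept.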



Posted in Operating System Deployment

Extracting 3rd party drivers from OS

Often when I create new SCCM OS deployment solutions I need to repeatedly find drivers for numerous computer models and upload them into the SCCM driver repository. The process of finding the driver, extracting the driver and then installing the driver can be quite time consuming. I therefore developed a script to help me extract the third party drivers from a running operating system.

What the script does:
1. List all third-party installed drivers by using the Dism command
2. Find the drivers in the Windows driver store
3. Copy the drivers to a destination folder
After the script has run, I only need to add the drivers to the SCCM driver repository.
Script Arguments:

-DestinationFolder: path the drivers are copied to; if not given, the drivers are copied to the folder the script was run from
-ExludedClasses: driver classes that are skipped (parameter name as spelled in the script)
-ExludedInfFiles: .inf files that are skipped (parameter name as spelled in the script)


"get-drivers 1.3.ps1" -DestinationFolder C:\temp\Drivers -ExludedClasses Printer,CitrixUSBDevices -ExludedInfFiles prnms001.inf,tmlwf.inf,tmtdi.inf,tmwfp.inf

Run from CMD file:

powershell.exe -executionpolicy unrestricted -file "%~dp0get-drivers 1.3.ps1" -DestinationFolder C:\temp\Drivers -ExludedClasses Printer,CitrixUSBDevices -ExludedInfFiles prnms001.inf,tmlwf.inf,tmtdi.inf,tmwfp.inf

NOTE: Always run the script elevated; Dism cannot enumerate the online driver store otherwise.

Download the script here: get-drivers
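As an added example (my code, not the downloadable get-drivers script), the same three steps written against the DISM PowerShell module that ships with Windows 8 / Server 2012 and later, which returns driver objects directly instead of requiring you to parse dism.exe output. The exclusion lists and destination are assumed placeholders. It also records whether each package carries a validly signed catalog, which is worth knowing before the package lands in the driver repository.

```powershell
# Added example: copy third-party driver packages out of the driver store.
# Exclusions and destination are assumed defaults; run elevated.
param(
    [string]   $DestinationFolder = $PSScriptRoot,
    [string[]] $ExcludedClasses   = @('Printer'),
    [string[]] $ExcludedInfFiles  = @('prnms001.inf')
)

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script elevated: Get-WindowsDriver -Online requires administrator rights.'
}
Import-Module Dism
New-Item -ItemType Directory -Path $DestinationFolder -Force | Out-Null

# 1. Third-party drivers only: Get-WindowsDriver -Online omits inbox drivers unless -All is given
$drivers = Get-WindowsDriver -Online | Where-Object {
    $_.ClassName -notin $ExcludedClasses -and
    (Split-Path $_.OriginalFileName -Leaf) -notin $ExcludedInfFiles
}

foreach ($d in $drivers) {
    # 2. OriginalFileName points into DriverStore\FileRepository, one folder per package
    $package = Split-Path $d.OriginalFileName -Parent
    $target  = Join-Path $DestinationFolder (Split-Path $package -Leaf)

    # A package without a validly signed .cat will not install on 64-bit Windows anyway,
    # and should not be imported on trust; flag it so it can be sourced again from the vendor.
    $catSigs = Get-ChildItem -Path $package -Filter *.cat |
               ForEach-Object { Get-AuthenticodeSignature $_.FullName }
    $signed  = @($catSigs | Where-Object { $_.Status -eq 'Valid' }).Count -gt 0

    # 3. Copy the whole package folder (inf, cat, sys, co-installers)
    Copy-Item -Path $package -Destination $target -Recurse -Force

    [pscustomobject]@{
        Inf      = $d.Driver              # oemNN.inf
        Original = Split-Path $d.OriginalFileName -Leaf
        Class    = $d.ClassName
        Provider = $d.ProviderName
        Signed   = $signed
        Copied   = $target
    }
}
```

On Windows 8.1 Update / Server 2012 R2 and later, Export-WindowsDriver -Online -Destination <folder> performs the enumerate-and-copy part in one cmdlet; the exclusion and signature checks above can then be run over the exported folders instead.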

Posted in Operating System Deployment

Error installing SCOM 2012 Console

When installing the OpsMgr 2012 console on a computer with .NET Framework 4.0, the installer's _AddCodeGroup custom action may fail because it still uses the Code Access Security (CAS) policy API, and you get the following error in OMConsole.log:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. —> System.NotSupportedException: This method explicitly uses CAS policy, which has been obsoleted by the .NET Framework. In order to enable CAS policy for compatibility reasons, please use the NetFx40_LegacySecurityPolicy configuration switch. Please see for more information.

at System.Security.SecurityManager.PolicyHierarchy()

at Microsoft.MOMv3.Setup.MOMv3ManagedCAs.GetPolicyLevel(String policyLevelName)

at Microsoft.MOMv3.Setup.MOMv3ManagedCAs.AddFullTrustForAssembly(Session session)

— End of inner exception stack trace —

at System.RuntimeMethodHandle._InvokeMethodFast(IRuntimeMethodInfo method, Object target, Object arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeType typeOwner)

at System.RuntimeMethodHandle.InvokeMethodFast(IRuntimeMethodInfo method, Object target, Object arguments, Signature sig, MethodAttributes methodAttributes, RuntimeType typeOwner)

at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture, Boolean skipVisibilityChecks)

at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object parameters, CultureInfo culture)

at Microsoft.WindowsInstaller.CustomActionProxy.InvokeCustomAction(Int32 sessionHandle, String entryPoint)

MSI (s) (D4:90) [12:58:59:140]: NOTE: custom action _AddCodeGroup.6C283D0A_50A8_439C_BDF9_0BA55C19F3FE unexpectedly closed the hInstall handle (type MSIHANDLE) provided to it. The custom action should be fixed to not close that handle.

CustomAction _AddCodeGroup.6C283D0A_50A8_439C_BDF9_0BA55C19F3FE returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

MSI (s) (D4:54) [12:58:59:188]: User policy value ‘DisableRollback’ is 0

MSI (s) (D4:54) [12:58:59:188]: Machine policy value ‘DisableRollback’ is 0

Action ended 12:58:59: InstallFinalize. Return value 3.


1. Back up "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config"

2. Add the following element inside the <runtime> section of the file (if there is no <runtime> element, create it directly under <configuration>):


<NetFx40_LegacySecurityPolicy enabled="true"/>


3. Save the file

4. Install the OpsMgr 2012 console

5. Remove the element from machine.config again and save the file. The switch re-enables the obsolete CAS policy machine-wide for every .NET 4 process that uses this runtime, so it should only stay in place for the duration of the install.
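An added helper (my code, not from the original post) that does steps 1 to 5 in one go: it backs up machine.config, adds the switch inside <runtime>, runs the installer, and removes the switch again in a finally block so the weakened policy is reverted even if the install fails. The installer path is an assumed placeholder; the machine.config path is the 32-bit .NET 4 default from the post, and the same function can be pointed at the Framework64 copy if the 64-bit runtime turns out to be the one the installer uses.

```powershell
# Added example: temporarily enable NetFx40_LegacySecurityPolicy around an install.
function Set-LegacyCasPolicy {
    param(
        [Parameter(Mandatory)] [bool] $Enabled,
        [string] $ConfigPath = "$env:windir\Microsoft.NET\Framework\v4.0.30319\Config\machine.config"
    )
    # Step 1: keep a timestamped backup of the file before touching it
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.$stamp.bak"

    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $runtime = $cfg.configuration.SelectSingleNode('runtime')
    if (-not $runtime) {
        $runtime = $cfg.configuration.AppendChild($cfg.CreateElement('runtime'))
    }
    $node = $runtime.SelectSingleNode('NetFx40_LegacySecurityPolicy')
    if ($Enabled) {
        # Step 2: <NetFx40_LegacySecurityPolicy enabled="true"/> inside <runtime>
        if (-not $node) {
            $node = $runtime.AppendChild($cfg.CreateElement('NetFx40_LegacySecurityPolicy'))
        }
        $node.SetAttribute('enabled', 'true')
    } elseif ($node) {
        # Step 5: remove the element again
        [void]$runtime.RemoveChild($node)
    }
    $cfg.Save($ConfigPath)   # step 3; needs an elevated session
}

$installer = 'D:\SCOM2012\Setup.exe'    # assumed media path
try {
    Set-LegacyCasPolicy -Enabled $true
    Start-Process -FilePath $installer -Wait     # step 4: run the console install from here
} finally {
    Set-LegacyCasPolicy -Enabled $false          # always revert, even if setup failed
}
```

After the run, compare machine.config with the .bak copy (for example with fc.exe) to confirm the only remaining difference is whitespace from the XML save.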

Posted in SCOM 2012

Changing the SCUP Database location

When System Center Updates Publisher 2011 (SCUP) is installed and configured, its database is created under the installing user's %LOCALAPPDATA% folder, which means only that user can open the SCUP console. To resolve this, the database must be moved to a location that every user of the SCUP console can reach, and that location should be restricted to exactly those users: whoever can write to scupdb.sdf can change the update definitions that are later signed and published to WSUS. This post explains how.

1. Logged in as the user who installed SCUP 2011, go to "%LOCALAPPDATA%\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000"

2. Copy scupdb.sdf to a location that all users of the SCUP console have access to.

3. Open "C:\Program Files (x86)\System Center Updates Publisher 2011\Scup2011.exe.config" in an elevated Notepad.

4. Insert the new path inside the <value> element of the SSCEDataFile setting:

Before Change

<applicationSettings>
  <Scup.Properties.Settings>
    <setting name="SSCEDataFile" serializeAs="String">
      <value></value>
    </setting>
  </Scup.Properties.Settings>
</applicationSettings>

After Change

<applicationSettings>
  <Scup.Properties.Settings>
    <setting name="SSCEDataFile" serializeAs="String">
      <value><NEW PATH></value>
    </setting>
  </Scup.Properties.Settings>
</applicationSettings>

5. Save the file
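An added script (my code, not from the original post) that performs the move, locks the new folder down to the console users, and rewrites the SSCEDataFile setting. The share path \\fileserver\scup$ and the group DEMO\SCUP-Operators are assumed placeholders; the paths for the database and Scup2011.exe.config are the ones from the steps above.

```powershell
# Added example: relocate scupdb.sdf, restrict the folder, and update Scup2011.exe.config.
# Run elevated as the user who installed SCUP. Share and group names are assumed.
$NewFolder = '\\fileserver\scup$'                 # assumed shared folder
$Operators = 'DEMO\SCUP-Operators'                # assumed AD group of console users
$OldDb     = Join-Path $env:LOCALAPPDATA 'Microsoft\System Center Updates Publisher 2011\5.00.1727.0000\scupdb.sdf'
$NewDb     = Join-Path $NewFolder 'scupdb.sdf'
$Config    = "${env:ProgramFiles(x86)}\System Center Updates Publisher 2011\Scup2011.exe.config"

Copy-Item -Path $OldDb -Destination $NewDb

# Only the operators, SYSTEM and local admins may touch the folder: write access to the
# database means control over what SCUP will sign and publish to WSUS.
$acl = Get-Acl -Path $NewFolder
$acl.SetAccessRuleProtection($true, $false)        # stop inheriting, drop inherited ACEs
foreach ($id in @($Operators, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $NewFolder -AclObject $acl

# Point the console at the new database (the <value> element from the "After Change" block)
Copy-Item -Path $Config -Destination "$Config.bak"
[xml]$cfg = Get-Content -Path $Config -Raw
$setting = $cfg.SelectSingleNode("//setting[@name='SSCEDataFile']")
$value   = $setting.SelectSingleNode('value')
if (-not $value) { $value = $setting.AppendChild($cfg.CreateElement('value')) }
$value.InnerText = $NewDb
$cfg.Save($Config)

# Check: who can write to the database now?
(Get-Acl -Path $NewDb).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The final query should list only the three identities added above; anything else means the share's own permissions or a parent folder ACL is letting more users in than intended.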

Posted in SCCM 2012

Triggering SCCM agent actions

Here are some tips on how to execute SCCM agent actions without using the SCCM Agent GUI.

First a list of all the actions and the ScheduleID associated with the actions.

Application Global Evaluation Task {00000000-0000-0000-0000-000000000123}

MSI Product Source Update Cycle {00000000-0000-0000-0000-000000000107}

Hardware inventory {00000000-0000-0000-0000-000000000001}

Software inventory {00000000-0000-0000-0000-000000000002}

Data Discovery Report {00000000-0000-0000-0000-000000000003}

File Collection {00000000-0000-0000-0000-000000000010}

Machine Policy Retrieval & Evaluation {00000000-0000-0000-0000-000000000021}

Machine policy evaluation {00000000-0000-0000-0000-000000000022}

Refresh default MP {00000000-0000-0000-0000-000000000023}

Refresh location services {00000000-0000-0000-0000-000000000024}

Request timeout value for tasks {00000000-0000-0000-0000-000000000025}

Request user assignments {00000000-0000-0000-0000-000000000026}

Evaluate user policies {00000000-0000-0000-0000-000000000027}

Software metering usage reporting {00000000-0000-0000-0000-000000000031}

Request software update source {00000000-0000-0000-0000-000000000032}

Refresh proxy management point {00000000-0000-0000-0000-000000000037}

Cleanup policy {00000000-0000-0000-0000-000000000040}

Validate assignments {00000000-0000-0000-0000-000000000042}

Certificate maintenance {00000000-0000-0000-0000-000000000051}

DP: Peer DP status report {00000000-0000-0000-0000-000000000061}

DP: Peer DP pending status check {00000000-0000-0000-0000-000000000062}

Evaluate software update assignment {00000000-0000-0000-0000-000000000108}

State message upload {00000000-0000-0000-0000-000000000111}

Clean state message cache {00000000-0000-0000-0000-000000000112}

Software update scan {00000000-0000-0000-0000-000000000113}

Software update deployment re-eval {00000000-0000-0000-0000-000000000114}

Out-Of-Band management scheduled event {00000000-0000-0000-0000-000000000120}

The actions can be executed remotely on a client with any of the following. All three talk to WMI on the client over DCOM/RPC, so they need TCP 135 plus the dynamic RPC ports open and an account that is a local administrator on the target.

Note: replace the placeholders in angle brackets with your own values.

VBScript:

Schid = "<SCHEDULEID>"
sMachine = "<COMPUTERNAME>"
Set WMItarget = GetObject("winmgmts://" & sMachine)
' pktPrivacy encrypts the DCOM traffic, including the schedule ID and any method output
Set WMICCM = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" & sMachine & "\root\ccm")
Set SMSCli = WMICCM.Get("SMS_Client")
Set oParams = SMSCli.Methods_("TriggerSchedule").inParameters.SpawnInstance_()
oParams.sScheduleID = Schid
Set res = WMICCM.ExecMethod("SMS_Client", "TriggerSchedule", oParams)


PowerShell:

$ComputerName = "<COMPUTERNAME>"
$ScheduleID = "<SCHEDULEID>"
$SmsClient = [wmiclass]"\\$ComputerName\root\ccm:SMS_Client"
$SmsClient.TriggerSchedule($ScheduleID)



WMIC:

WMIC /Node:<COMPUTERNAME> /namespace:\\root\ccm path sms_client CALL TriggerSchedule "<SCHEDULEID>" /NOINTERACTIVE
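An added example (my code, not from the original post) that wraps the same TriggerSchedule call in a function taking action names instead of raw GUIDs, and uses the CIM cmdlets over WinRM (PowerShell 3.0 and later) rather than DCOM, so only TCP 5985/5986 is needed and the session is Kerberos-authenticated and encrypted. The computer names are assumed placeholders; the schedule IDs are taken from the table above and only a subset is included.

```powershell
# Added example: trigger ConfigMgr client actions by name over WinRM with Invoke-CimMethod.
$Actions = @{
    'HardwareInventory'        = '{00000000-0000-0000-0000-000000000001}'
    'SoftwareInventory'        = '{00000000-0000-0000-0000-000000000002}'
    'DataDiscoveryRecord'      = '{00000000-0000-0000-0000-000000000003}'
    'MachinePolicyRetrieval'   = '{00000000-0000-0000-0000-000000000021}'
    'MachinePolicyEvaluation'  = '{00000000-0000-0000-0000-000000000022}'
    'SoftwareUpdateScan'       = '{00000000-0000-0000-0000-000000000113}'
    'SoftwareUpdateDeployment' = '{00000000-0000-0000-0000-000000000114}'
}

function Invoke-CcmAction {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [ValidateScript({ $Actions.ContainsKey($_) })] [string] $Action
    )
    # One WinRM session per target; the caller still needs local admin on each client
    $sessions = New-CimSession -ComputerName $ComputerName
    try {
        foreach ($s in $sessions) {
            try {
                # TriggerSchedule is a static method on SMS_Client, hence -ClassName
                Invoke-CimMethod -CimSession $s -Namespace 'root/ccm' -ClassName 'SMS_Client' `
                    -MethodName 'TriggerSchedule' `
                    -Arguments @{ sScheduleID = $Actions[$Action] } | Out-Null
                $result = 'triggered'
            } catch {
                $result = $_.Exception.Message
            }
            [pscustomobject]@{ Computer = $s.ComputerName; Action = $Action; Result = $result }
        }
    } finally {
        $sessions | Remove-CimSession
    }
}

Invoke-CcmAction -ComputerName 'WKS001', 'WKS002' -Action MachinePolicyRetrieval
```

"triggered" only means the client accepted the schedule; whether the action actually ran is visible in the client's own logs (PolicyAgent.log for policy retrieval, InventoryAgent.log for the inventory cycles).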

Posted in SCCM 2012

Join Domain Permissions

An AD service account is needed for joining a computer to the domain during an unattended OS installation. The service account password is often stored in clear text in unattend.xml, where anyone who can read the deployment share or the deployed image can pick it up; the account should therefore be granted only the minimum permissions needed to join computers.

1. Create a new user account that will be used for Joining computers to the domain, in this case I will call it SVC-JoinDomain

2. Open properties on the OU where computers will be joined to. Go to the security tab and click the Advanced button. Then click Add.

Note: If a computer object already exist in AD the service account must be granted access to the OU where the computer is located.

3. Enter the service account name and click OK

4. In the "Apply to" drop-down make sure that "This object and all descendant objects" is selected

Select the following permissions:
Read All Properties

Write All Properties

Read Permissions

Modify Permissions

Create Computer Objects (NOTE: not shown in the screenshot)

Delete Computer Objects (NOTE: not shown in the screenshot)

5. Change the "Apply to" drop-down to "Descendant Computer objects"

Select the following permissions:
Change Password

Reset Password

Validated write to DNS host name

Validated write to service principal name

Note: the rights granted in step 4 are broader than a join account needs. Write All Properties and Modify Permissions on the OU and everything below it let the account rewrite any attribute, or the ACL, of every object under that OU, so anyone who reads the password out of unattend.xml gets far more than the ability to join machines. The documented minimum (Microsoft KB 932455) is Create Computer objects and Delete Computer objects on the OU, plus, on descendant computer objects, Reset Password, Read and Write Account Restrictions, Validated write to DNS host name and Validated write to service principal name.
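An added example (my code, not from the original post) that delegates that minimal set with the ActiveDirectory module instead of clicking through the security tab. The OU distinguished name is an assumed placeholder and the account name is the SVC-JoinDomain from step 1; the GUIDs are the well-known schema and extended-right identifiers for the computer class, the Reset Password right, the Account Restrictions property set and the two validated writes.

```powershell
# Added example: least-privilege domain-join delegation. OU and account are assumed.
Import-Module ActiveDirectory
$OU      = 'OU=Workstations,DC=demo,DC=local'          # assumed target OU
$Account = Get-ADUser -Identity 'SVC-JoinDomain'
$sid     = $Account.SID

$computerClass   = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # class: computer
$resetPassword   = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right: Reset Password
$accountRestrict = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # property set: Account Restrictions
$validatedDns    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # validated write: DNS host name
$validatedSpn    = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # validated write: SPN

function New-AdRule {
    param([string]$Rights, [guid]$ObjectType, [string]$Inherit, [guid]$InheritedType = [guid]::Empty)
    $ctorArgs = @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit
    )
    # Six-argument constructor limits the ACE to a given object class (here: computer)
    if ($InheritedType -ne [guid]::Empty) { $ctorArgs += $InheritedType }
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
}

$rules = @(
    # On the OU and child OUs: create and delete computer objects, nothing else
    New-AdRule 'CreateChild, DeleteChild'  $computerClass   'All'
    # On descendant computer objects only: the four rights a join needs
    New-AdRule 'ExtendedRight'             $resetPassword   'Descendents' $computerClass
    New-AdRule 'ReadProperty, WriteProperty' $accountRestrict 'Descendents' $computerClass
    New-AdRule 'Self'                      $validatedDns    'Descendents' $computerClass
    New-AdRule 'Self'                      $validatedSpn    'Descendents' $computerClass
)

$acl = Get-Acl -Path "AD:\$OU"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Check: show exactly what the account now holds on the OU
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "*\$($Account.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The check at the end should show five ACEs and no GenericAll, WriteDacl or unrestricted WriteProperty entries; if the account was previously delegated with the broader set from step 4, remove those ACEs first, because AddAccessRule only adds.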

Posted in Operating System Deployment

Create Dynamic Group with Health Watchers

When you create a dynamic group in OpsMgr 2007 R2 that contains computer objects, only the Computer object class is added to the group. To add the Health Service Watchers to the dynamic group as well, do the following:

Create the dynamic group

1. Create the dynamic group by going to Authoring, right-clicking Groups and selecting Create a new group
2. Enter a name for the group and click the New button to create a new management pack, or select an existing management pack from the drop-down menu
3. Click Next to Explicit members
4. Click the Create/Edit Rules... button on the Dynamic members page
5. Create your dynamic rule by selecting the class in the drop-down, clicking Add, selecting the operator and typing in the value. Click OK to confirm your selection
6. Click Next to the Dynamic members page
7. Click Next to the Subgroups page
8. Click Create on the Excluded members page

The group has been created. Verify that the group has members by right-clicking the group and selecting View Group Members.

Modifying the Management pack

1. Go to Administration and select Management Packs
2. Find the management pack you selected/created earlier, right-click the MP and select Export Management Pack
3. Select where to export the MP to
4. Click OK to the export confirmation box
5. Browse to the MP in Explorer and open the exported MP in a text editor (I use Notepad)
6. Search for <MembershipRules>. The membership rules make up the dynamic group.
7. Now we need to add the code to include the health watchers. Open up watchers.xml available at and copy the XML code.

Here is the code:



8. Paste this code after the first </MembershipRule> and before </MembershipRules>, then save the file

IMPORTANT: Copy the <MonitoringClass>xxxx</MonitoringClass> line from the MP code to the corresponding line in the watchers.xml code. Do the same for the <RelationshipClass>xxxx</RelationshipClass> line.

9. Save the MP XML file and re-import the MP in OpsMgr by right-clicking Management Packs in the OpsMgr console and selecting Import Management Packs
10. In the Import Management Packs window click Add and select Add from disk
11. Click Yes to the Online Catalog Connection window
12. Select the MP file and click Open
13. Click Install in the Import Management Packs window
14. Close the Import Management Packs window
15. Go back to your group and verify that the watcher icon appears in the list (NOTE: it might take a few minutes for the watcher icon to show up)

Posted in SCOM 2007