Category Archives: SCCM

Deploying OpsMgr 2012 R2 Agents Using ConfigMgr – Part 1

Written by Tao Yang

By reading the title of this article, you may think, this practice is so common, is it worth blogging? Before I started this task, I thought it should be a quick one that I can knock off in 30 minutes. I had to say, I was wrong, I ended up spent few days on it.

Before I get into the details, I’d like to share some background and what I want to achieve. I’ll then go through the steps I took in ConfigMgr 2007 as well ConfigMgr 2012 R2. This is probably going to be too long for one blog post, so I’ll divide it into 2 parts.

I’ll cover the issues that I have experienced when using ConfigMgr 2007 part in part 1. In part 2, I’ll go through how I used the combination of the ConfigMgr 2012 application model and Compliance Settings (DCM) in ConfigMgr 2012 R2 to deploy the OpsMgr 2012 R2 agents.


For the last 9 months or so, I’ve been working on a System Center refresh project. We are in the process of upgrading our existing System Center 2007 infrastructure to System Center 2012 (then we’ve decided to go to R2).

In my employer’s current environment, there are 5 OpsMgr 2007 management groups (1 Dev/Test and 4 Production). Since the supported maximum number of agents per management group has increased from 10,000 to 15,000 in OpsMgr 2012, with the new design for OpsMgr 2012, we are implementing 3 production and 1 Dev/Test management groups. so the agents will be shuffled around, not all agents from a 2007 management group are going to be migrated to the same 2012 management group.

Since ConfigMgr is also going to be migrated to 2012 R2, the OpsMgr 2012 R2 agent needs to be available in both ConfigMgr 2007 and 2012 R2 sites so OpsMgr agents migration can happen either before or after the ConfigMgr client migration. By doing this way, the OpsMgr agent migration is not depended on the result of ConfigMgr migration.


Based my situation, I have the following requirements:

  • I need to upgrade the existing OpsMgr 2007 agents and reconfigure them to point to the appropriate 2012 R2 management group.
  • There are no multi-homing agents in my environment. the Old 2007 management group configuration need to be removed from agents.
  • There are large number of legacy systems that don’t have Windows PowerShell installed. So all scripts need to be written using VBScript.
  • The script must work for both upgrade and fresh install scenarios.
  • Back in 2007, I had to create different programs within the package for 32-bit and 64 bit agents. In this script, I want the script to detect the correct msi to install based on OS architecture.
  • Once the 2012 R2 agent is packaged up, it will be used in various OSD task sequences and become a part of the base SOE.

Install Scripts

There are many good scripts for installing OpsMgr 2012 agents out there. i.e. this one here in particular. I used this script as a starting point and made it more generic. I took out any hardcoded management group configuration (Management Group Name, management server, port) and made them as parameters that need to be passed in. I’ve also made the script to get a list of all management groups that agent is connected to and remove any that is not the new 2012 management group that I want the agent to connect.

I tested the script using a command prompt running under LocalSystem account (this can be done using PsExec.exe, “PsExec.exe –s –d –i cmd”)

This command opens a new command prompt window


and In task manager, I can confirm it is running under local system:


The script ran successfully within the command prompt window under LocalSystem account, the agent was upgraded, new MG configuration is added and the old MG is removed. I then created the package, program in SCCM, and created an advertisement targeting a test collection. After few test runs, I found out the the package only works on Windows Server 2003 or Windows XP machines. any Windows Server 2008 R2 and Windows Server 2012 machines would fail.

Long story short, after I added a logging function within the script, by examining the log, I noticed the script stops right after this line:

Set objMSConfig = CreateObject(“AgentConfigManager.MgmtSvcCfg”)

And this only happens in the more recent Windows OS versions.

I suddenly realised because ConfigMgr 2007 is only 32-bit app, it may have problem calling the 64-bit “AgentConfigManager.MgmtSvcCfg” com object. To prove my guess, I simply created a vbscript with just 2 lines:

Set objMSConfig = CreateObject("AgentConfigManager.MgmtSvcCfg")
Wscript.Echo Err

I then ran it within a 32-bit command prompt window running under LocalSystem account (to simulate the runtime environment in ConfigMgr 2007 client). To do so, again, I used PsExec by using “Psexec.exe –s –d –i C:\Windows\SysWow64\cmd.exe”


and my guess is right:

Here’s the error:

Microsoft VBScript runtime error: ActiveX component can’t create object: ‘AgentConfigManager.MgmtSvcCfg’


If I run this script in 64-bit command window, there are no errors because Err variable equals 0:


So now, I’ve identified the problem being the 64-bit “AgentConfigManager.MgmtSvcCfg” object cannot be called by 32-bit applications. the workaround is fairly simple: I split the original script into 2 scripts. the first script firstly detects the OS architecture and install the appropriate version of MOMAGENT.msi. It then calls the second script to configure the agent using “AgentConfigManager.MgmtSvcCfg” object. The first script detects if itself is running in a 32-bit shell on a 64-bit OS. if so, it would bypass the 32-bit redirection and call the native 64-bit scripting engine cscript.exe using the %Windir%\sysnative\Cscript.exe to execute the second script. So the second script would never be executed within the 32-bit redirection mode.

I’ve named the first script OM12AgentMigration.vbs:

' NAME:    OM12AgentMigration.vbs
' AUTHOR:  Tao Yang
' DATE:    19/11/2013
' Version
' COMMENT: OpsMgr 2012 agent migration script
Option Explicit

'Define variables
Dim objMSConfig, oArgs, OSArch, objWMIService, LogFile, LogFilePath
Dim strInstallCmd, Result, sh, col, arrOSVersion, strOSArch
Dim arrCurrentMGs, arrMGToRemove, iMGToRemoveCount
Dim CurrentMG, strConfigCmd, WinDir, SysnativeDir
Dim item, int64Bit, strPWD, MGCount, arrMGs, MGName, MG
Dim bNewMGAdded, bNewMGExists, bOldMGRemoved, objFSO
Dim MGToAdd, NewMgmtServer, MGToRemove, Port, TempDir
Dim hDefKey, strKeyPath, oReg, arrSubKeys, strSubkey

Const ForWriting = 2
Const ForAppending = 3

'process arguments
Set sh = Wscript.CreateObject("Wscript.Shell")
Set oArgs = Wscript.Arguments

IF oArgs.Count < 2 THEN
	'Quit if no arguments passed in
	Wscript.Quit -1
	MGToAdd = oArgs(0)
	NewMgmtServer = oArgs(1)

If (oArgs.Count = 3 ) Then
	Port = oArgs(2)
	Port = 5723
End If

Set objFSO = CreateObject("Scripting.FileSystemObject")
TempDir = "C:\Temp"

If objFSO.FolderExists(TempDir) = FALSE Then
End If

LogFilePath = TempDir & "\OM12AgentInstall.log"
Wscript.Echo LogFilePath
'delete previous log file
If objFSO.FileExists(LogFilePath) Then
End If

'Create log file
Set LogFile = objFSO.CreateTextFile(LogFilePath, True)

LogFile.WriteLine "OM12AgentMigration.vbs version:"

'Set LogFile = objFSO.OpenTextFile(LogFilePath, ForWriting, True)

strPWD = CreateObject("Scripting.FileSystemObject").GetAbsolutePathName(".")

'Function to determine OS architecture
Function GetOSArch
	Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
	Set col = objWMIService.ExecQuery _
	("Select * from Win32_OperatingSystem")
	For Each item in col
		arrOSVersion = Split(item.Version,".")
		If arrOSVersion(0) >= 6 Then
			'OS is Vista / 2008 or higher
			StrOSArch = item.OSArchitecture
			int64Bit = InStr(item.Caption,"x64")
			If int64Bit > 0 Then
				strOSArch = "64-bit"
				strOSArch = "32-bit"
			End If
		End If
	GetOSArch = strOSArch
End Function

'Get OS architecture so we can determine which version of the agent to install
OSArch = GetOSArch
LogFile.WriteLine "OS Architecture: " & OSArch
'Prepare the agent install command
IF OSArch = "64-bit" THEN
	strInstallCmd = "msiexec /i " & CHR(34) & strPWD & "\AMD64\MOMAgent.msi" & CHR(34) & " /qn AcceptEndUserLicenseAgreement=1 /l*v " & TempDir & "\OM12AgentMSI.log"
	LogFile.WriteLine "64 bit OS detected. Installing OM12 R2 agent using command: '" & strInstallCmd & "'"
ELSEIF OSArch = "32-bit" THEN
	strInstallCmd = "msiexec /i " & CHR(34) & strPWD & "\i386\MOMAgent.msi" & CHR(34) & " /qn AcceptEndUserLicenseAgreement=1 /l*v " & TempDir & "\OM12AgentMSI.log"
	LogFile.WriteLine "32 bit OS detected. Installing OM12 R2 agent using command: '" & strInstallCmd & "'"

'Determine the command to execute the OM12AgentConfig.vbs script
WinDir = sh.ExpandEnvironmentStrings( "%WinDir%" )
SysnativeDir = WinDir & "\Sysnative"

If objFSO.FolderExists(SysnativeDir) = FALSE Then
	strConfigCmd = WinDir & "\System32\Cscript.exe " & CHR(34) & strPWD & "\OM12AgentConfig.vbs" & CHR(34) & " " & MGToAdd & " " & NewMgmtServer & " " & Port & " " & LogFilePath
	strConfigCmd = WinDir & "\Sysnative\Cscript.exe " & CHR(34) & strPWD & "\OM12AgentConfig.vbs" & CHR(34) & " " & MGToAdd & " " & NewMgmtServer & " " & Port & " " & LogFilePath
End If

'Install agent
Result =,0,True)
If Result <> 0 Then
	LogFile.WriteLine "Failed to install OM12 R2 agent."
	Wscript.Quit -1
	LogFile.WriteLine "Successfully installed the OM12 R2 agent."
End if

LogFile.WriteLine "Start configuring the OM12 R2 agent."
LogFile.WriteLine "Calling OM12AgentConfig.vbs using command: " & strConfigCmd
'Wscript.Echo strConfigCmd
Result =,0,True)

The second secript is named OM12AgentConfig.vbs:

' NAME:    OM12AgentConfig.vbs
' AUTHOR:  Tao Yang
' DATE:    21/11/2013
' Version
' COMMENT: OpsMgr 2012 agent migration script

Const ForWriting = 2
Const ForAppending = 8

'process arguments
Set sh = Wscript.CreateObject("Wscript.Shell")
Set oArgs = Wscript.Arguments

IF oArgs.Count < 4 THEN
	'Quit if no arguments passed in
	Wscript.Quit -1
	MGToAdd = oArgs(0)
	NewMgmtServer = oArgs(1)
	Port = oArgs(2)
	LogFilePath = oArgs(3)

'Create FSO
Wscript.Echo LogFilePath
set objFSO = CreateObject("Scripting.FileSystemObject")
set LogFile = objFSO.OpenTextFile(LogFilePath, ForAppending, True)

LogFile.WriteLine "Start configuring the OM12 R2 agent."
'Configure OpsMgr 2012 agent
LogFile.WriteLine "Creating AgentConfigManager.MgmtSvcCfg object"
Set objMSConfig = CreateObject("AgentConfigManager.MgmtSvcCfg")

'Get the current MG(s)
LogFile.WriteLine "Getting the configuration for the existing management group(s)."
bNewMGExists = FALSE

Set arrCurrentMGs = objMSConfig.GetManagementGroups()
iCount = 0
For each CurrentMG in arrCurrentMGs
	MGName = CurrentMG.managementGroupName
	IF MGName <> MGToAdd THEN
		LogFile.WriteLine "Removing Management Group: " & MGName
		iCount = iCount + 1
		LogFile.WriteLine "Skipping management group " & MGName & ", because it's the same as the MG that to be added."
		bNewMGExists = TRUE

LogFile.WriteLine "Total number of Management Group(s) Removed: " & iCount

'Add New MG
	LogFile.WriteLine "Adding new management group " & MGToAdd & ". Management server: " & NewMgmtServer & ". Port: " & Port
	Call objMSConfig.AddManagementGroup (MGToAdd, NewMgmtServer,Port)

'Confirm the new MG has been added
If Err= 0 Then
	bNewMGAdded = TRUE
	LogFile.WriteLine "New MG " & MGToAdd & " added."
	bNewMGAdded = FALSE
	LogFile.WriteLine "New MG " & MGToAdd & " DID NOT get added."
End IF

'Confirm if the newly added MG is the only MG configured on the agent
bOldMGRemoved = TRUE
Set arrMGs = objMSConfig.GetManagementGroups()
For each MG in arrMGs
	MGName = MG.managementGroupName
	IF MGName <> MGToAdd THEN
		bOldMGRemoved = FALSE

LogFile.WriteLine "bNewMGAdded=" & bNewMGAdded
LogFile.WriteLine "bOldMGRemoved=" & bOldMGRemoved
IF (bNewMGAdded = TRUE AND bOldMGRemoved = TRUE) THEN
	LogFile.WriteLine "OM12 R2 agent installation and configuration successful. reloading the config..."
	Call objMSConfig.ReloadConfiguration
	LogFile.WriteLine "Done."
	Wscript.Quit 0
	LogFile.WriteLine "Error installing / configuring OM12 R2 agent"
	Wscript.Quit -1

When creating the package in ConfigMgr, These 2 scripts need to be copied to the OpsMgr 2012 R2 agent install root folder: SNAGHTML22520a61 The syntax for OM12AgentMigration.vbs is:

cscript /nologo OM12AgentMigration.vbs <Management Group Name> <Management Server FDDN> <Port>

Where the port parameter is optional. when not specified, the default port of 5723 is used. i.e.

cscript /nologo OM12AgentMigration.vbs MYOPSMGRMG

Both scripts log to a log file located at C:\Temp\OM12AgentInstall.log. When the first script executes msiexec, it also generates a msi log located at C:\Temp\OM12AgentMSI.log. I’ve hardcoded the log files path to C:\Temp rather than using the %temp% environment variable because during my testing in my work’s environment, I have noticed the %temp% variable in some of the machines are incorrectly configured and it would cause the script to fail. my script would create the C:\Temp directory if it does not exist.

The OM12AgentInstall.log looks like this: SNAGHTML225046c7 I have also created an uninstall script called OM12AgentUninstall.vbs, which will work on both 32-bit and 64-bit Operating Systems. This script is also placed on the same folder as the other install scripts.

' NAME:    OM12AgentUninstall.vbs
' AUTHOR:  Tao Yang
' DATE:    22/11/2013
' Version
' COMMENT: OpsMgr 2012 agent Uninstall script

MSIGUID64Bit = "{786970C5-E6F6-4A41-B238-AE25D4B91EEA}"
MSIGUID32Bit = "{B4A63055-7BB1-439E-862C-6844CB4897DA}"
Set sh = Wscript.CreateObject("Wscript.Shell")

'Function to determine OS architecture
Function GetOSArch
	Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
	Set col = objWMIService.ExecQuery _
	("Select * from Win32_OperatingSystem")
	For Each item in col
		arrOSVersion = Split(item.Version,".")
		If arrOSVersion(0) >= 6 Then
			'OS is Vista / 2008 or higher
			StrOSArch = item.OSArchitecture
			int64Bit = InStr(item.Caption,"x64")
			If int64Bit > 0 Then
				strOSArch = "64-bit"
				strOSArch = "32-bit"
			End If
		End If
	GetOSArch = strOSArch
End Function

'Get OS architecture so we can determine which version of the agent to install
OSArch = GetOSArch

IF OSArch = "64-bit" THEN
	strUninstallCmd = "msiexec /x " & MSIGUID64Bit & " /qn"
ELSEIF OSArch = "32-bit" THEN
	strUninstallCmd = "msiexec /x " & MSIGUID32Bit & " /qn"

'Install agent
Wscript.Echo "Uninstalling OM12 agent using command: " & strUninstallCmd
Result =,0,True)
If Result <> 0 Then
	Wscript.Quit -1
	Wscript.Quit 0
	Wscript.Echo "Successfully uninstalled the OM12 R2 agent."
End if

The syntax for the uninstall script is straightforward:

Cscript /nologo OM12AgentUnisntall.vbs

Packaging in ConfigMgr 2007

I have shown the package source folder structure in previous screenshot. Because only English version of the agent is required in my enviornment, I have removed all the MST’s for other languages in both amd64 and i386 folders. Each folder should only contain 3 files:

agent folder

Because the management group information is passed into the script as parameters, I don’t have to create separate scripts for each OpsMgr 2012 R2 management groups. I created one package for OpsMgr 2012 R2 agents, and then created one install program for each management group and one generic uninstall program:


With the install program, here’s how I configured it:

The command line is same as what I mentioned above.


Because the script can detect the OS architecture, this program can run on any platform. Also, although the actual size for really small, once the agent start working with the management group, more space is required for the health service stores, downloaded management packs, etc. in my work’s production environment, I checked and the current 2007 R2 agents are using approx. 350MB space. So I specified the estimated disk space to 500MB.


The rest of the program properties are pretty normal:



Note: because this package will be used in OSD task sequences later, I ticked the checkbox as shown above.


Because of the input parameter difference between OpsMgr 2007 agent and OpsMgr 2012 agent, management group information can longer be passed into the MOMAGENT.MSI during the agent installation. The OpsMgr 2012 (R2) agent needs to be configured using the “AgentConfigManager.MgmtSvcCfg” object. Since the ConfigMgr 2007 is only a 32-bit application, the ConfigMgr 2007 agent on a 64-bit operating system cannot call “AgentConfigManager.MgmtSvcCfg”.

By configuring the OpsMgr 2012 R2 agent package this way in ConfigMgr 2007, I have achieved the following goal:

  • Able to install and configure 64-bit OpsMgr 2012 (R2) agent.
  • No need for multiple programs for 32-bit and 64-bit operating systems.
  • No need to update ConfigMgr package source when the OpsMgr management group changes (i.e. adding / removing management groups, modifying management server names agents reporting to, etc.) because these parameters are passed into the script as command line parameter. In ConfigMgr, these information is stored in the site database rather than within the package source. Therefore I will never have to update distribution points when modifying management group information.
  • The script also removes any management groups that are not the one specified in the parameter, therefore no additional steps required to remove the old 2007 MG information off the agent.
  • As best practice and the company standard, an uninstall program is also created.

Note: DO NOT use my approach on multi-homing OpsMgr agents.

Continue on to Part 2….

Management Pack for ConfigMgr 2012 Clients – Testers Wanted!!

Written by Tao Yang

ConfigMgr 2012 Client MP IconI’ve written a OpsMgr management pack to monitor ConfigMgr 2007 clients in the past. The MP was published in this blog. Over the last month or so, as part of a project that I’m working on, I have written a Management Pack to monitor ConfigMgr 2012 Clients via OpsMgr 2012. This MP provides individualised monitoring for ConfigMgr 2012 clients, where the Microsoft ConfigMgr 2012 management pack does not.

To be honest, I wasn’t really happy with the ConfigMgr 2007 Client MP that I wrote almost 2 years ago. I think there are a lot of areas that needs improvement. So when I’m writting this MP for 2012 clients, I started from scratch and completely re-written it.

MP Overview

This MP monitors scenarios listed below:

Detect Non-Compliant DCM baselines assigned to the ConfigMgr 2012 client

I often get requests to write monitors to monitor registry key values, file versions, etc. The DCM component in ConfigMgr is really design to for this purpose. This monitor will alert on ANY Non-Compliant DCM Baselines that are targeted to the ConfigMgr 2012 client. As long as the Configuration Item and DCM baselines are correctly configured, I don’t have to keep writing monitors in OpsMgr to monitor stuff like file versions and registry key values.

Detect missing hardware and software inventory cycle

Using Consecutive Samples monitors to detect if the ConfigMgr clients have missed hardware and software inventory cycle for a long period of time.

Detect failed application deployments on the ConfigMgr 2012 client

This monitor monitors if any applications (new in ConfigMgr 2012) have failed to deploy on the ConfigMgr 2012 client.

Detect failed advertisements on the ConfigMgr 2012 client

This rule is probably the only workflow that I have copied from the previous 2007 version of the MP. It runs on an interval and detects any failed advertisement since the last execution of the rule.

Detect Pending Software Updates on the ConfigMgr 2012 client

This monitor detects if there are any software updates that have passed the deadline for a period of time and still have not been installed (either waiting for service windows or failed to install).

Monitors “SMS Agent Host” service on the ConfigMig 2012 Client

A basic service monitor was created for this service. it is disabled by default.

Another Consecutive Samples monitor was also created and it would only alert of X number of samples. This monitor is enabled by default.

Detect Pending reboot on the ConfigMgr 2012 Client

This monitor detects pending reboot from the following four (4) components:

  • Windows Component Base Servicing (from Vista onwards).
  • Windows Update Agent
  • ConfigMgr 2012 Client
  • Pending File Rename Operations

Detect if business hours and service windows are configured

These monitors detects if the business hours and service windows are configured:



Detect if the client is assigned to the correct ConfigMgr primary site

This monitor is designed to monitor the site code assigned to the ConfigMgr 2012 client. Because each environment is different, this monitor is disabled by default. OpsMgr administrators will need to manually enable it via override. The CorrectSiteCode value will also need to be specified via override in order for this monitor to function properly.

In large ConfigMgr environments, it is very common that there are more than one (1) ConfigMgr hierarchy in the organisation. Sometimes it is very import to make sure ConfigMgr clients are assigned to the correct ConfigMgr primary sites.

Detect if client is able to communicate to a Management Point

In the 2007 version of the MP, I wrote a monitor that sends a HTTP request to the management point every hour. I really didn’t like this monitor and regret that I wrote it this way. I believe it was a bad idea to get all ConfigMgr clients to send HTTP request to the management point, and it generates a lot of alerts (I should have written it as a consecutive samples monitor). Luckily in ConfigMgr 2012 client, there is a new WMI class called “SMS_ActiveMPCandidate” located under “Root\Ccm\LocationServices” namespace. I can simply query this WMI class to find out if the ConfigMgr 2012 client has lost connectivity to the management points. Therefore HTTP request over the network is no longer required.

Detect if the builtin SCCM Client Health Evaluation (CcmEval) has not been executed according to the schedule.

CcmEval is a new component in ConfigMgr 2012 client. this consecutive samples monitor queries registry to detect the execution result of CcmEval scheduled task and alert if it not been executed for a long period of time.

The MP also provides various Agent Tasks that can be executed against ConfigMgr 2012 client (or client agents). i.e.


By design, OpsMgr allows users to trigger an agent task on up to 10 managed objects at once. The figures below illustrates OpsMgr operators can multi-select up to 10 Software Update Agent objects from the state view and trigger the “Software Update Assignments Evaluation Cycle” agent task and task results for each selected node:


Class Diagram

The ConfigMgr 2012 Client class is defined as a local application and each client agent is defined as an application component (as shown below):

ConfigMgr 2012 client Class Diagram

The health state of each client agent is rolled up to the parent class of “ConfigMgr 2012 Client”, as indicated below:


Design Considerations

During the Management Packs development, the following factors have been taken into consideration:

  • The solution is built using Visual Studio Authoring Extension (VSAE). All the management packs are using the OpsMgr 2012 version of the MP schema, which means these management packs are not backwards compatible. They will not work in OpsMgr 2007 management groups.
  • All scripts used in the management packs are written using VBScript. There are no requirements for Windows PowerShell on OpsMgr agent computers to run the workflows within the management packs.
    Various ConfigMgr 2012 Client Agents (DCM agent, Hardware Inventory Agent, Software Update Agent, etc.) are defined as separate local application component object so monitors / rules for these ConfigMgr 2012 Client functions are only applied to the client if these agents are enabled by ConfigMgr client policies.
  • All the data gathered by the workflows (discoveries, monitors, rules) are retrieved locally from the ConfigMgr 2012 client. The management packs do not query any ConfigMgr Site Systems.
  • The top level initial discovery workflows have been designed to target Windows Server Computer class and Windows Client Computer class separately. The discovery for Windows Client Computer class is disabled by default. Therefore by default, this monitoring solution does not monitor ConfigMgr 2012 Clients on Windows Client computers. If it is required, the monitoring for Windows Client computers has to be manually enabled (by enabling the top level discovery via overrides).
  • Wherever is possible, consecutive samples monitors are utilised to reduce the number of possible false alerts in OpsMgr.

Tested Platform

I was only able to test this MP on multiple OpsMgr 2012 SP1 and ConfigMgr 2012 SP1 environments.

I did not test it on RTM version of OpsMgr 2012 and ConfigMgr 2012 as they are not available for me.

Although System Center 2012 R2 RTM is just around corner, I don’t have any R2 Preview environments that I can use to test.

Known Issue

An error will occur when try to create an override to an unsealed management pack that is created in the OpsMgr operational console:


The cause of this issue is the same as my recent OpsMgr Self Maintenance MP: OpsMgr doesn’t like “2012” as part of the ID of the management pack. The workaround is documented in the MP documentation.


All the items provided by this MP are based on my best understanding of ConfigMgr 2012 and it’s clients. To be honest, I haven’t really been too “hands on” with ConfigMgr 2012 since it was released. Therefore I’m really keen to invite the broader System Center community to evaluate and test this MP before I change the version number to

Please do not hesitate to contact me for any bugs and if you think any of the workflows are incorrectly written, or if you have suggestions for additional items. In return to the testing effort from the community, I will publish the finishing piece on this blog.

Note: A friend of mine did suggest me to include the Endpoint Protection clent agent in the MP. I can’t do this at the moment because it is not a requirement for the project. But I will definitely see what I can do in the future release when I have some spare time.

The MP and the documentation can be downloaded below. To help with anyone who’s evaluating the MP, I have documented how and where each workflow retrieves data from the client (either via WMI or registry) in the documentation.

For those who’s willing to help and test this MP, THANK YOU!


ConfigMgr Report: Total Number of Packages Per Distribution Point

Written by Tao Yang

Today I had to create a report in ConfigMgr to list total number of packages that have been assigned to each Distribution Point. The SQL query is rather simple, a one-liner. Here’s the query:

select ServerNALPath, COUNT (PackageID) As PackageCount from v_DistributionPoint group by ServerNALPath order by PackageCount

This query works on both ConfigMgr 2007 and 2012.

ConfigMgr 2007 Report:


ConfigMgr 2012 Report:


Installing SCCM 2012 SP1 Secondary Site with a Pre-Configured SQL 2012 Instance

Written by Tao Yang

Over the last week, I’ve been re-installing my SCCM lab environment to SCCM 2012 SP1. I’m using Windows Server 2012 as the base OS for all site system roles and all database engines and SQL reporting server run on SQL 2012.

I got stuck few days ago when I was building my first secondary site. I was trying to use a pre-installed SQL 2012 Express With SP1 instance for the secondary site database. I followed the instruction that I have previously blogged for SQL Express 2008 R2:

After I installed and configured the SQL express instance for the secondary site, I started the secondary site install (from the parent primary site). However, I was keep getting this error during the prerequisites check:

SQL server sysadmin rights:

Either the user account running Configuration Manager Setup does not have sysadmin SQL Server role permission on the SQL Server instance selected for site database installation, or the SQL Server instance could not be contacted to verify permissions. Setup cannot continue.

Prerequisite check result:




The error suggested that my account does not have sysadmin rights. In fact, both my user account and the site server computer account have sysadmin and dbcreator rights in that SQL 2012 instance.

I then tried few different SQL configurations, including using default instance rather than named instance (CONFIGMGRSEC), and using SQL 2012 Enterprise rather than Express edition, they made no difference. I then installed SQL 2008 R2 Express With SP2 (with exact same configuration in terms of security, collation, using named instance, enabling SQL Server Browser service, etc). and the pre-requisite checks passed and secondary site got successfully installed.

After I compared settings in SQL 2008 R2 and the SQL 2012 Express instance I had installed on another secondary site server, I found the issue:

During SQL 2012 install, the sysadmin rights was not granted to the local system account (NT AUTHORITY\SYSTEM). In SQL 2008 R2, “NT AUTHORITY\SYSTEM” account by default has sysadmin rights. During the prerequisites check, SCCM installs a series of services on the target secondary site server to perform the checks. these services are installed to run under LOCALSYSTEM account. The SQL sysadmin rights check failed because the LOCALSYSTEM account does not have sysadmin rights as it was running under LOCALSYSTEM account. To a degree, the error message is somewhat misleading in my opinion.

i.e. system event log entry for one of the services installed by prerequisites check:


So to fix the issue, I simply gave “NT AUTHORITY\SYSTEM” account the same access in SQL 2012 as in SQL 2008 R2:

sysadmin and securityadmin role:


To summarise, when installing SCCM 2012 SP1 secondary site on a pre-configured SQL 2012 instance regardless which SQL edition is being used, “NT AUTHORITY\SYSTEM” account needs to be given securityadmin and sysadmin rights. If SQL Express is used, there are few additional steps need to be carried out to configure the SQL TCP connection as documented in my previous blog:

Passed MCTS for SCCM 2012 Exam today

Written by Tao Yang

Around 8-9 months ago, a friend of mine gave me a copy of beta version of trainer’s handbooks for Microsoft course 10747A (Administering SCCM 2012) and 10748A (Deploying SCCM 2012). I normally don’t read any Microsoft course materials as I always found better books out in the market.

When I was given these books, there weren’t any SCCM 2012 books available because SCCM 2012 wasn’t even RTM’d at that time. So I started reading these trainer’s handbooks and surprisingly, I found they are actually really good.

With everything else going on at work, all the SCOM stuff I’ve been doing outside of work and with the arrival of my baby girl Rosie in June this year, it took me about 9 months to finish reading these 2 course materials and completed all the labs at home (7 books in total).

So few days ago, I booked the SCCM 2012 exam (70-243) for this morning and I’ve passed the exam. This is probably the exam I’ve prepared for the longest time (now I understand what is like to be a parent Smile).

I’ve also bought the 2 SCCM 2012 books that are currently available:

  • Mastering System Center 2012 Configuration Manager
  • System Center 2012 Configuration Manager Unleashed

I only had time to read couple of chapters of the Unleashed book before the exam. it’s definitely much better and going much in depth than the trainer’s handbook that I’ve been reading. I’m sure I will finish reading it in the near future.

For anyone preparing for the exam, I strongly recommend you go grab a copy of this book.

SCCM 2007 Client Management Pack Updated

Written by Tao Yang

I received an email this morning regarding to the SCCM 2007 Client Management Pack that I wrote few months ago. Someone pointed out it had some issues in the language packs section of the MP. I had a look and realised the does have some orphaned string resources.

A bit background of this MP. I originally wrote this MP for my employer. Before I posted it on my blog, I removed everything that were specfic to my employer (few monitors, application components, relationships, discoveries, etc.). However, I ddin’t delete associated display string resources in here:

I have just updated the MP (and increased the version number to

The updated MP can be downloaded HERE.

I’ll also update the download link on the original post.

My Observation on SCCM Clients BITS Settings

Written by Tao Yang

Yesterday, while we were reviewing the SCCM (2007 R3) client BITS settings at work, we (my team) have some interesting findings with SCCM client’s BITS settings.

We found when the BITS bandwidth throttling settings are configured for a SCCM primary site. SCCM clients get the policy and write the settings into Windows local policy:

SCCM Computer Client Agent BITS Settings:


BITS Settings from SCCM Client’s Windows local policy (Local Policy –>Computer Configuration –>Administrative Templates –>Network –>Background Intelligent Transfer Service (BITS) –>Limit the maximum network bandwidth for BITS background transfers):


As you can see, the SCCM site setting is identical to SCCM client’s local policy. SCCM 2007 Unleashed has explained the client BITS settings. You can read about it on Google Books HERE.

The book did not state and explain the SCCM client actually WRITES the SCCM site’s BITS policy into SCCM client’s Windows local group policy object (GPO). So I did below tests IN ORDER in my home SCCM 2007 R3 AND SCCM 2012 RTM test environments to work out the behaviours of SCCM client and compare SCCM Client’s BITS setting against the above mentioned setting in local policy:

1. SCCM Client BITS setting left as default in SCCM (Not configured).

  • SCCM 2007 Client Computers: BITS policy in local GPO is set to DISABLED!
  • SCCM 2012 Client Computers: Same as SCCM 2007 client computers

2. Enable BITS in SCCM Computer Client Agent setting (In 2007, apply to both clients and BDPs, in 2012, just enable it since there is no BDPs in 2012 anymore.), and define some throttling settings. Then trigger machine policy retrieval on SCCM client computers.

  • SCCM 2007 Client Computers: BITS policy in local GPO is ENABLED in throttling settings are set to as same as SCCM policy.
  • SCCM 2012 Client Computers: Same as SCCM 2007 client computers

3. Change BITS throttling settings in SCCM. Then trigger machine policy retrieval on SCCM client computers

    • SCCM 2007 Client Computers: BITS policy in local GPO updated accordingly.
    • SCCM 2012 Client Computers: Same as SCCM 2007 client computers

4. Change BITS throttling settings in SCCM client’s Windows local policy. Then trigger machine policy retrieval on SCCM client computers.

    • SCCM 2007 Client Computers: local policy remained the same after machine policy retrieval.
    • SCCM 2012 Client Computers: Same as SCCM 2007 client computers

5. Change BITS throttling settings in SCCM again. Then trigger machine policy retrieval on SCCM client computers.

  • SCCM 2007 Client Computers: local policy was updated again according to SCCM client’s BITS policy.
  • SCCM 2012 Client Computers: Same as SCCM 2007 client computers


Based on the tests I have performed. I have come to below conclusions:

  1. When the SCCM client’s BITS policy is not configured, the  BITS throttling settings OS local policy is set to DISABLED, so effectively no BITS throttling is allowed for ALL the apps that uses BITS on the SCCM client computer. (i.e. in our case, VMM agent)
  2. Upon SCCM policy change, SCCM client changes local policy with updated settings once it has retrieved the updated policy via SCCM client’s machine policy retrieval (by default runs every 60 minutes).
  3. The SCCM client’s BITS settings are NOT enforced in local policy. i.e. when local policy is manually updated to be different than SCCM client’s policy, SCCM client does not enforce and update local policy. SCCM clients ONLY write to local policy when the SCCM BITS policy is CHANGED on the primary site.
  4. SCCM 2007 clients and SCCM 2012 clients exhibit same behaviour.

So, please look out if you have other apps that uses BITS and the bandwidth is throttled. SCCM client would update the local policy without you knowing it.

Alternatively, using a domain GPO to set BITS throttling settings seems like a good idea. By doing so, you can target different SCCM clients more granularly (targeting different OUs, using WMI filters and AD groups to set GPO scopes) whereas in SCCM 2007, this setting is unique across all clients in the primary site. Additionally, domain GPO will override local policy so local policy can be ignored.

SCCM 2012 Log Parser: cmtrace.exe

Written by Tao Yang

In my opinion, THE most used utility (other than SCCM console) for any SCCM administrators / engineers would have to be trace32.exe. Back in SMS and SCCM 2007 days, trace32.exe comes with the SCCM Toolkit, which contains a bunch of other tools.

Speaking of my own experience, out of all the tools provided by the toolkit, trace32.exe is the one I used the most.

Now with SCCM 2012, trace32.exe has been replaced by a new tool called cmtrace.exe.

Unlike trace32.exe, cmtrace.exe is actually built-in in SCCM, there is no need to download separate toolkits for it. cmtrace.32 can be found on the SCCM site server, under “<SCCM Install Dir>\tools\” folder. Same as it’s predecessor trace32.exe, cmtrace.exe can be copied / redistributed to other locations / computers alone and use as a log parser.

I have also found that trace32.exe actually does not correct parse SCCM 2012 logs. For example, I’m using both trace32.exe and cmtrace.exe to open execmgr.log from a SCCM 2012 client:





So, if you are working with SCCM 2012, make sure you use cmtrace.exe rather than the good old trace32.exe. And maybe like me, copy cmtrace32.exe to your local machine and use it from there rather than using it on the server.

Installing SCCM 2012 RTM Secondary Site using A Pre-Installed SQL Express 2008 R2 Instance

Written by Tao Yang

Since System Center 2012 was RTM’d few days ago, I have started updating / migrating my home environment. After I migrated my 2 Hyper-V servers from VMM 2008 R2 to VMM 2012, I have started building a brand new SCCM 2012 environment so I can migrate SCCM 2007 to it. My plan is to install a Central Admin site, a child primary site and a Secondary site so I have a simple 3-tier hierarchy like my existing 2007 and 2012 Beta 2 environments.

The Central Admin site and the child primary site installation all went pretty smoothly. But I had some issues when installing the secondary site.

When installing Secondary Site from it’s parent primary, There are two options available for the database:

  1. Install and Configure a local copy of SQL Server Express on the secondary site computer
  2. Use an existing SQL Server instance.

I wanted to install SQL Express myself so I can control where it’s installed to and locations for data, log and backup files. – This is pretty common and most of SQL DBAs would configure to install SQL on a volume other than C:\ and place data / logs / backups on dedicated and separate disks. By using SCCM to install SQL express for you, you don’t get to choose any of this, which can be pretty annoying.

According to Supported Configurations for Configuration Manager, secondary sites supports SQL Server Express 2008 R2 with SP1 and Cumulative Update 4. So I downloaded SQL Server 2008 R2 Express With SP1 with Tools (SQLEXPRWT_x64_ENU.exe) and SQL 2008 R2 Service Pack 1 Cumulative Update 4 and installed them in order on my secondary site site server.

Below is what I have customised during the SQL express install:

  • I configured the location for SQL, SQL instance, data files, log files and backup files the way I wanted it.
  • I selected the SQL instance to use the collation “SQL_Latin1_General_CP1_CI_AS because it is the only collation that SCCM supports.
  • I kept the default secondary site SQL instance name “CONFIGMGRSEC” (this name is what’s used if you choose SCCM to install SQL Express for you).
  • I have given a pre-configured AD group called “ConfigMgr2012 Servers” which contains all SCCM 2012 site servers sysadmin rights in SQL Express.

After the install, I applied CU4 and all went pretty smoothly.

Now, I tried to push Secondary Site install from the primary site. Under SQL Server setting step, I selected “Use an existing SQL Server instance” option and enter the secondary site server’s FQDN under “SQL server fully qualified domain name” and “CONFIGMGRSEC” under “SQL server instance name, if applicable”. After finishing the wizard, the secondary site install failed during prerequisite checks. I got few errors in regards to the SQL collation is not set to SQL_Latin1_General_CP1_CI-AS:


This is very strange because all my SQL instances in this hierarchy are set to this collation, and because of this, the setup did not even get kicked off.

Additionally, I also found the following:

  • On the primary site server, in the ConfigMgrSetup.log under System root, I get the following errors:
    • CSql Error: Cannot find type data, cannot get a connection.
    • *** [08001][17][Microsoft][ODBC SQL Server Driver][DBNETLIB]SQL Server does not exist or access denied.
    • I could use the SQL management studio from Secondary site server to connect to the SQL express instance, but I couldn’t use the SQL management studio from a remote machine to connect to it:


After spending some time troubleshooting, I got it going. Below is what I have done on the SQL Express instance:

1. I’ve assign “ConfigMgr2012 Servers” group (which I created myself and it contains the primary site server’s computer account) “dbcreator” role on top of sysadmin role it already had.


2. I realised by default, after I installed SQL express, TCP/IP protocol is disabled. So I went to SQL Server Configuration Manager, under SQL Server Network Connection —> Protocols for CONFIGMGRSEC—>TCP/IP, enabled it. I also had to configure the ports for this connection:

I removed 0 from “TCP Dynamic Ports” for each IP and added static port 1433 under “TCP Port”


After you enabled TCP/IP and changed the port, you will be prompted that you have to restart SQL server service for the change to take effect, so I restarted the SQL service.

After these steps, the prerequisite checks were passed and the Secondary site installation finished successfully.

In summary below are the steps I took to pre-configure a SQL Express instance for SCCM 2012 secondary site:

  1. Install SQL Express 2008 R2 with SP1 with Tools
  2. Configure SQL express install directory as per my standard (not on C:\ drive)
  3. Configure SQL Express instance name as “CONFIGMGRSEC” as it is default to SCCM secondary site and there’s no reason to change it.
  4. Select “SQL_Latin1_General_CP1_CI_AS” as SQL server collation.
  5. Configure data/logs/backups directory
  6. add primary site server’s computer account (or a group containing primary site server’s computer account) as administrator during install
  7. Apply SQL Server 2008 R2 Service Pack 1 Cumulative Update 4 after SQL Express install
  8. Set a limit for amount of memory SQL express can use.
  9. Reboot secondary site server (just to be safe)
  10. give the parent primary site server’s computer account dbcreator access in SQL Express instance.
  11. Enable TCP/IP for the SQL express instance.
  12. Configure TCP/IP connection port settings.
  13. Restart SQL service.
  14. Initiate Secondary Site install from Primary site (via SCCM console). – Unlike SCCM 2007, secondary site install can no longer be performed by running SCCM setup from secondary site servers.
  15. During setup wizard, choose “Use an existing SQL Server instance”, enter secondary site server’s FQDN and SQL instance name (“CONFIGMGRSEC”). leave site database name and SQL broker port as default.
  16. monitor install status using the SCCM console:



You can also check:

  • C:\ConfigMgrSetup.log on Primary Site server (contains details for Secondary Site install’s prerequisite checks).
  • C:\ConfigMgrSetup.log on Secondary Site server (contains details for the actual setup).

Now, instead of having SQL Express installed and configured by SCCM, I have more control of it so I can align the configuration with my organisation’s standard (if it’s in a real production environment Smile).

In this case, I have my SQL data file located under F:\SQL_Data\Microsoft SQL Server\MSSQL10_50.CONFIGMGRSEC\MSSQL\DATA:


And log files under G:\SQL_Logs\Microsoft SQL Server\MSSQL10_50.CONFIGMGRSEC\MSSQL\Data:


System Center Configuration Manager (SCCM) 2007 Client Management Pack for SCOM

Written by Tao Yang

12/08/2012: This MP has been updated. Please refer to this post for more details of the update. The download link in this post has also been updated.


Over the time, I have seen some issues and challenges for SCCM administrators to effectively and proactively managing SCCM clients.  I have personally seen and experienced some challenging issues. For example:

  • Silent clients due to the SMS agent host service not running.
  • SCCM Clients are reporting to the incorrect site due to the combination of overlapping boundaries and auto site assignment.
  • SCCM Clients missing new functionalities due to Missing SCCM hotfixes (i.e. Power Management in SCCM 2007 R3)
  • Advertisement executions failures
  • SCCM clients unable to connect to Management Points
  • BDP configurations inconsistent (A SCCM client is listed as a BDP on the site server but it is not actually configured as BDP)
  • Newly installed software are not promptly updated in SCCM site database as the hardware inventory only runs weekly by default.

During last year’s Christmas period, some of my employers production servers were assigned to an incorrect SCCM site and as a result, some applications were pushed out to these servers during a change freeze period. We only founded it out after the fact and realised some of these servers were reporting to the wrong SCCM sites for months!

This has triggered me to implement a solution so we can proactively monitor the configurations and activities of SCCM 2007 clients so we are alerted before anything bad happens!

I started writing a SCOM management pack for SCCM 2007 clients. It took me few weeks to cover all the issues that my team is facing. Over the last couple of weekends, I have spent a lot of time to re-write / re-brand it and document it so I can actually post this management pack in my blog.

This management pack provides some proactive monitoring and automations for all of above mentioned issues /challenges. Does this sound interesting to you? If so, please continue reading. The documentation and the management pack download link is at the bottom of this article.

So here are some details of the management pack.


System Center Configuration Manager (SCCM) 2007 Client Management Packs provides basic monitoring of SCCM 2007 clients.

This set of management packs is intended fill the gap of the official Microsoft System Center Configuration Manager 2007 management pack and focus monitoring the SCCM clients in SCCM infrastructures. These managements pack also provides ability to implement customised monitors to monitor the configurations and baselines of SCCM clients in your organisation’s SCCM infrastructures according to your organisation’s standard. i.e.

· Monitors SCCM site assignment, make sure SCCM clients are assigned to the correct primary site in a multi-sites environment.

· Monitors SCCM client versions to make sure all required SCCM client hotfixes are applied.

· Monitors and make sure any SCCM clients that should be configured as Branch Distribution Points (BDP) are actually configured as BDP.

· Make sure SCCM Client cache size is configured according to your company’s standard.

There are 2 separate sealed management packs (.MP) in this set:

· TYANG System Center Configuration Manager 2007 Library

  • Custom Data Source, Probe Action and Write Action modules
  • Custom monitor types
  • SCOM console actions for SCCM clients
  • SCCM client object discovery

· TYANG System Center Configuration Manager 2007 Monitoring

  • Pre-Configured monitors and rules
  • Folders and Views

Management Pack Overview

The System Center Configuration Manager 2007 Client Management Packs not only provides various out-of-box preconfigured monitors / rules, but also provides some custom modules / workflows which allow you to build your own monitors to suit your System Center Configuration Manager 2007 environments. These management packs extends what Microsoft System Center Minotoring Pack For Configuration Manager 2007 SP2 v6.0.6000.3 has to offer for SCCM client monitoring. This includes:

Pre-Configured Monitors and Rules:

· Recreated the SMS Agent Host service monitor and included diagnostic and recovery task to automatically restart the service when it has stopped.

· Checks the availability of Management Point of which the SCCM client connects to via HTTP response. The SCCM Management Point HTTP Response Monitor runs hourly to check the HTTP response of the active MP for the SCCM client and generates alerts if HTTP error responses received over 2 consecutive times.

· Checks the version of SCCM clients and generates alert if the version number is lower than 4.00.6487.2157 (KB977384, prerequisite for SCCM 2007 R3)

· Checks SCCM Clients Advertisement Execution history every 30 minutes. If there were any advertisements have been executed over the last 30 minutes, trigger Hardware Inventory so any newly installed applications will be inventoried and stored in SCCM site database. Additionally, if any failed advertisement executions are found, a Critical alert is generated.

Custom Modules and Monitor Types:

1. SCCM Client Property Value Check 2-State Monitor Type. This monitor type can be used to build monitors to monitor SCCM client properties. (i.e. Monitor any SCCM clients that are not assigned to the correct site or Cache Size is not configured according to your organisation’s standard, etc..)

This monitor type Supports the following Properties:

  • SiteCode (SCCM Client Site Code)
  • Version (SCCM Client version)
  • GUID (SCCM client GUID)
  • ManagementPoint (MP that SCCM client is connected to)
  • ProxyMP (Proxy MP that SCCM client is connected to)
  • InternetMP (Internet MP that SCCM client is connected to)
  • LogsLocation (path to SCCM client log files)
  • CacheLocation (path to SCCM client cache)
  • CacheSize (The maximum size of SCCM client cache folder in MB)
  • HTTPPort (The HTTP Port for SCCM Client)
  • EnableAutoAssignment (if auto site assignment is enabled (true or false)
  • AllowLocalAdminOverride (if the SCCM client allows local admin override (true or false))
  • IsBDP (If the client is a branch distribution point (true or false))

This monitor type Supports the following Comparison Operators:

  • eq (Equal to)
  • ne (Not equal to)
  • gt (Greater-than)
  • lt (Less-than)
  • ge (Greater-than or equal to)
  • le (Less-than or equal to)
  • IsNull (Is Null value)
  • NotNull (Not Null value)

2. Write Action module to initiate SCCM client actions

3. Write Action module to repair SCCM client

4. Other Probe Action modules and Data Source modules that were used by pre-configured monitors and rules.

More Comprehensive Object Discoveries

This SCCM client object discovery in this management pack discovers pretty much every SCCM client properties that are visible in the industry well-known utility SCCM Client Center.

Below is a comparison of the properties that SCCM Client Center can check VS. SCCM Client properties been discovered by this management pack VS. what are been discovered from Microsoft’s official management pack:

SCCM Client Center


System Center Configuration Manager 2007 Client Management Pack v2.0.0.0:


Microsoft Official Configuration Manager 2007 SP2 Management Pack v6.0.6000.3:


SCOM Agent Actions for SCCM Clients

A number of SCCM Client actions have been built into this management pack. The following SCCM client actions can be initiated via SCOM Operations Console and Web Console:

· Discovery Data Collection

· File Collection

· Hardware Inventory

· Machine Policy Retrieval Evaluation

· Software Inventory

· Software Metering Usage Report

· Software Updates Agent Assignment Evaluation Cycle

· Software Updates Scan

· SCCM Client Repair

More information

The detailed guide for this MP can be downloaded HERE.

Management Pack Downloads:

From below link, you can download a zip file which contains:

  1. Sealed version of TYANG System Center Configuration Manager 2007 Library  management pack(.mp)
  2. Sealed version of TYANG System Center Configuration Manager 2007 Monitoring management pack(.mp)
  3. Unsealed version of TYANG System Center Configuration Manager 2007 Monitoring management pack(.xml)

The reason I’m offering the unsealed version of TYANG System Center Configuration Manager 2007 Monitoring management pack is that if you wish to create additional monitors / rules using the workflows in the library MP, you can just build them into the unsealed MP without creating a separate MP (and saves you time to unseal it).

Management Pack Download HERE.

As always, if you have any issues / questions / concerns or suggestions, email me! I’ll try to get back to you as soon as I can (even though recently I’ve been pretty busy at work and in my personal life. And that’s why it took me so long to write a blog article for this management pack!)