KB3209501 Update for SCCM 1610

How to update to KB3209501 for Microsoft SCCM 1610

If you’re experiencing issues with Microsoft SCCM 1610, the recently released update KB3209501 might just be the fix you need. This update resolves various problems related to Configuration Manager version 1606 to version 1610 upgrade, Software Center, BITS for Windows Express Update Files, Task Sequences, and more. In this article, we’ll guide you through the process of updating SCCM 1610 to KB3209501, step-by-step.

KB3209501 FAQs

Question Answer

What is KB3209501?

KB3209501 is an update for Microsoft SCCM 1610 that was released in December 2016. It fixes various issues with SCCM 1610.

What issues does KB3209501 fix?

KB3209501 fixes issues such as the SMS Agent Host process using 100% of available CPU time, Task sequence deployments failing, and more.

How do I update to KB3209501 for Microsoft SCCM 1610?

To update to KB3209501, open your SCCM console, navigate to Administration > Cloud Services > Updates and Servicing, and follow the steps.

Should I install updates in preproduction prior to production?

It is always good practice to install any updates in preproduction prior to production.

Is KB3209501 installation time-consuming?

Yes, KB3209501 installation may take some time to finish, so be prepared to be patient.

Update to KB3209501

Now that you know what KB3209501 fixes, follow the steps below to update your SCCM environment.

Open your SCCM console, navigate to Administration, then Cloud Services, and highlight Updates and Servicing.

Next, highlight update KB3209501, then right click and choose Run Prerequisite Check.

Give the prerequisite checks some time to complete.

Keep refreshing the console to see when it has completed.

Once the KB3209501 prerequisite checks have passed, again highlight the update and then right click and choose Install Update Pack.

You are now presented with the Configuration Manager Updates Wizard. Select whether you want to ignore any prerequisite check warnings if you received them or not and then click Next.

On the Client Update Options tab, you can choose to update without validating against your preproduction environment before updating your production environment. As this is one of our many labs, I have chosen to go ahead without validating. Not everyone has this luxury, so remember that it is always good practice to install any updates in preproduction prior to production.

On the License Tab page, confirm you accept the license terms and privacy statement and then click Next.

Confirm that what is shown on the Summary Tab is correct and then click Next.

The installation will now be performed in the background, so on the Completion Tab click Close.

As you can see, KB3209501 is installing in the background. For my lab, it did take some time to finish so prepare to be patient.

Updating SCCM 1610 to KB3209501 is a straightforward process that can help you resolve a range of issues and improve the overall performance of your Configuration Manager environment. By following the steps outlined above, you can ensure a smooth and successful update. Don’t forget to install updates in pre-production first to avoid potential conflicts.

MICROSOFT’S December 2016 PATCH RELEASES

Microsoft has released 12 new Patch Tuesday updates for deployment this December.

See how you can remove the risk of patch deployment by adding SnaPatch to your SCCM patching infrastructure.

MS16-144 – Critical

Cumulative Security Update for Internet Explorer (3204059)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS16-145 – Critical

Cumulative Security Update for Microsoft Edge (3204062)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.

MS16-146 – Critical

Security Update for Microsoft Graphics Component (3204066)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS16-147 – Critical

Security Update for Microsoft Uniscribe (3204063)
This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS16-148 – Critical

Security Update for Microsoft Office (3204068)
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS16-149 – Important

Security Update for Microsoft Windows (3205655)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if a locally authenticated attacker runs a specially crafted application.

MS16-150 – Important

Security Update for Secure Kernel Mode (3205642)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a locally-authenticated attacker runs a specially crafted application on a targeted system. An attacker who successfully exploited the vulnerability could violate virtual trust levels (VTL).

MS16-151 – Important

Security Update for Windows Kernel-Mode Drivers (3205651)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.

MS16-152 – Important

Security Update for Windows Kernel (3199709)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows kernel improperly handles objects in memory.

MS16-153 – Important

Security Update for Common Log File System Driver (3207328)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to bypass security measures on the affected system allowing further exploitation.

MS16-154 – Critical

Security Update for Adobe Flash Player (3209498)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

MS16-155 – Important

Security Update for .NET Framework (3205640)
This security update resolves a vulnerability in Microsoft .NET 4.6.2 Framework’s Data Provider for SQL Server. A security vulnerability exists in Microsoft .NET Framework 4.6.2 that could allow an attacker to access information that is defended by the Always Encrypted feature.


Now that you have made it this far, a quick shameless plug for our software portfolio. 🙂

SnaPatch – Patch Management Addon for Microsoft’s SCCM.

SnapShot Master – Take control of your virtual machine snapshots, works with both Hyper-V and VMware.

Azure Virtual Machine Scheduler – Save money and schedule the shutdown and power on of your virtual machines within Microsoft’s Azure Cloud.

Azure Virtual Machine Deployer – Deploy VMs to Microsoft’s Azure cloud easily, without the need for PowerShell.

Filtering Users and Groups using Azure AD Connect

Microsoft’s Azure AD Connect allows you to sync your on-prem AD to your Azure AD / Office 365. If you leave all the settings as default, then AD Connect will happily sync all your AD objects. This is fine for some, however many large organisations do not want to sync their entire environment. There are options to filter the objects by selecting specific OUs, but sometimes this isn’t granular enough. Another option is to select a group and filter based on its membership, but this is considered “pilot” mode and should not be used in a production environment. Personally, this is my preferred method: it’s easy to set up and you can add or remove users and groups to this “sync” group whenever you wish. But who am I to argue with Microsoft?

So if you can’t filter based on OU, and you don’t want to go against Microsoft’s “best practice”, what other options do you have?

Well, you need to use the “Synchronization Rules Editor”.

The rules editor allows you to create filter rules, to either filter in or filter out the AD objects you want to sync.

In the below example I will show you how to filter out Users and Groups from syncing.

The rules editor uses the AD Attributes of the object to determine whether or not to sync them. By attributes, I mean these…

If you have Exchange in your environment, then you will have extensionAttribute1 through extensionAttribute15 in your schema. I tend to use these attributes, but you may decide to use any that suit.

OK, so what I want to achieve is to only sync the users or groups that have the extensionAttribute1 set to “Sync to Azure”. Any object without this value will not get synced.

First, let’s modify the attribute for 1 user and 1 group.

Open AD Users and Computers and click View, and make sure the Advanced Features option is ticked. Without this option you won’t see the attributes tab.

Find a test user and open the properties, then click on the Attribute Editor tab.

Scroll through and find the extensionAttribute1 and click Edit. Set the value to Sync to Azure.


Repeat the process for a Group.

OK, now that we’ve set the attribute on both a user and group object, launch the Synchronization Rules Editor.

We will now create two rules, one to filter users, and another to filter groups.

Ensure the Direction is set to Inbound and click the Add new rule button.

Give the rule a descriptive name and provide a description. I suggest something useful so when you come back in 3+ months it will make sense to you.

  1. Set the Connected System to your domain.
  2. Set the Connected System Object Type to User
  3. Set the Metaverse Object Type to Person
  4. Set the Link Type to Join
  5. Set the Precedence to 50 (or any value lower than the lowest value – if you haven’t created any other rules, then 50 will be fine).
  6. Click Next

Click the Add Group button, and then the Add Clause button.

Set the Attribute to the attribute you selected as the “filtering attribute”. In our example, it’s extensionAttribute1.

Set the Operator to NotEqual

And enter the value to look for, which in our example is “Sync to Azure”.

Click Next.

Click Next on the Join Rules window, as it’s not used with this rule.

In the Transformations section, click Add transformation

  1. Set the FlowType to Constant
  2. Set the Target Attribute to cloudFiltered
  3. In the Source field, enter true
  4. Leave all other settings and click Add

The new rule should now appear at the top of the list.

OK, so that’s the Users rule done. Let’s move onto the Groups rule.

The groups rule is a little trickier, so instead of trying to create it from scratch, we’ll use the existing one.

Select the In from AD – Group Join rule and click Edit.

Click Yes to the message – which will disable the existing rule and create a copy for us to work with.

Give the rule a name and description.

Set the Precedence to 55.

Click Next

In the Scoping Filter section, select both of the existing clauses and click Remove Clause.

Once all the Clauses have been removed, click Add Clause.

Set the Attribute to the attribute you selected as the “filtering attribute”. In our example, it’s extensionAttribute1.

Set the Operator to Equal (with the user rule we set it to NotEqual, but here we use the Equal operator).

And enter the value “Sync to Azure”, or whatever value you are using.

Click Next.

In the Join rules, ensure the Source Attribute is set to objectGUID and the Target Attribute is sourceAnchorBinary.

Click Next.

Leave the settings as default in the Transformations window and click Save.

If you receive an expression warning, click Yes to continue saving the rule.

You should now have two rules in your rule set.

OK, now that we’ve made our rules, we need to kick off a full sync.

Open up a PowerShell console, and enter: Start-ADSyncSyncCycle -PolicyType Initial

Once the sync finishes, log into the Azure or 365 portal and have a look under the Users and Groups sections.

As you can see, only my two test users have been synced.

And in the groups, only my two test groups are synced too.
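
Before kicking off the full sync, it helps to list exactly which users and groups carry the filtering value. The script below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed and uses the article's extensionAttribute1 and "Sync to Azure" values.

```powershell
# Added example, not from the original article.
# Assumes the RSAT ActiveDirectory module; attribute and marker are the article's values.
Import-Module ActiveDirectory

$Attribute = 'extensionAttribute1'
$Marker    = 'Sync to Azure'

function Get-TaggedObject {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('User', 'Group')]
        [string]$Kind
    )

    # Every object of this kind with the attribute populated, whatever the value.
    $filter = "($Attribute=*)"
    $props  = @($Attribute, 'adminCount')
    $found  = if ($Kind -eq 'User') {
        Get-ADUser -LDAPFilter $filter -Properties $props
    } else {
        Get-ADGroup -LDAPFilter $filter -Properties $props
    }

    foreach ($obj in $found) {
        $value = [string]$obj.$Attribute
        [pscustomobject]@{
            Kind              = $Kind
            SamAccountName    = $obj.SamAccountName
            Value             = $value
            # -ceq is a case-sensitive, character-for-character comparison.
            ExactMatch        = ($value -ceq $Marker)
            # Same text apart from case or stray whitespace: most likely a typo.
            NearMiss          = ($value -cne $Marker) -and ($value.Trim() -ieq $Marker)
            # adminCount = 1 marks accounts and groups protected by AdminSDHolder.
            Privileged        = ($obj.adminCount -eq 1)
            DistinguishedName = $obj.DistinguishedName
        }
    }
}

$report = @(Get-TaggedObject -Kind User) + @(Get-TaggedObject -Kind Group)
$tagged = @($report | Where-Object { $_.ExactMatch })

Write-Host ("{0} object(s) carry exactly '{1}' in {2}:" -f $tagged.Count, $Marker, $Attribute)
$tagged | Sort-Object Kind, SamAccountName |
    Format-Table Kind, SamAccountName, Privileged, DistinguishedName -AutoSize

# Values that look like the marker but are not identical need a human decision.
$nearMisses = @($report | Where-Object { $_.NearMiss })
if ($nearMisses.Count -gt 0) {
    Write-Warning "$($nearMisses.Count) object(s) have a near-miss value; correct them before relying on the filter:"
    $nearMisses | Format-Table Kind, SamAccountName, Value -AutoSize
}

# Privileged on-premises objects tagged for sync deserve an explicit sign-off.
$privileged = @($tagged | Where-Object { $_.Privileged })
if ($privileged.Count -gt 0) {
    Write-Warning "$($privileged.Count) tagged object(s) have adminCount = 1; confirm they should be synced:"
    $privileged | Format-Table Kind, SamAccountName, DistinguishedName -AutoSize
}
```

Compare the first table with what appears in the portal after the sync; anything in the portal that is not in the table came through a rule other than the two created here.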

While you are here, please take the time to check out our software products for Azure, VMWare, Hyper-V and SCCM.

Azure VM Scheduler tasks not running

Troubleshooting Azure VM Scheduler (AVMS) Task Issues

If your scheduled AVMS tasks aren’t running as expected, don’t worry — this guide will walk you through common issues and how to resolve them quickly.

Error 1: Proxy Authentication Required

Check the AVMS log file located at:

C:\Program Files (x86)\SMIKAR Software\AVMS\avms.log

Look for entries similar to the following:

01/11/2016 11:23:46 AM Attempting to ADD-azureaccount using account XXXX@XXXX.onmicrosoft.com
01/11/2016 11:23:46 AM Failed to ADD-azureaccount using account XXXX@XXXX.onmicrosoft.com - error user_realm_discovery_failed: User realm discovery failed: The remote server returned an error: (407) Proxy Authentication Required.

This typically means your on-site proxy server requires authentication. The AVMS console works under your domain account (which has proxy access), but the scheduled task runs under the system account — which usually doesn’t.

To fix this:

  • Open Control Panel → Task Scheduler
  • Find the AVMS task, right-click, and choose Properties
  • Change the user from System to a domain account with proxy permissions

Your scheduled task should now run successfully using this authenticated user.

Error 2: Email Notification Hang

Check the log again for an incomplete sequence like this:

01/11/2016 12:46:56 PM Started code block to Stop VMs
01/11/2016 12:46:56 PM Adding servers to array for email
01/11/2016 12:46:56 PM email form created notifying task has started

If the log halts here, it’s likely due to an issue with your email notification settings. Confirm that:

  • Your SMTP server address, port, and credentials are correctly configured in AVMS
  • Firewall or outbound rules aren’t blocking mail traffic

Alternatively, you can disable email notifications if you don’t need them — but note that you won’t receive job start/complete alerts.
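
Both checks above (Error 1 and Error 2) can be scripted. The following is an added example, not part of AVMS or the original guide: it reads the log at the path given above, falls back to sample lines constructed from the excerpts above when the file is absent, and lists the run-as account of tasks whose name matches `*AVMS*` (the task name pattern is an assumption).

```powershell
# Added example, not part of AVMS. Log path and message text are taken from the guide;
# the sample lines are constructed from the guide's excerpts so the script runs offline.
$LogPath = 'C:\Program Files (x86)\SMIKAR Software\AVMS\avms.log'

$SampleLines = @(
    '01/11/2016 11:23:46 AM Attempting to ADD-azureaccount using account XXXX@XXXX.onmicrosoft.com'
    '01/11/2016 11:23:46 AM Failed to ADD-azureaccount using account XXXX@XXXX.onmicrosoft.com - error user_realm_discovery_failed: User realm discovery failed: The remote server returned an error: (407) Proxy Authentication Required.'
    '01/11/2016 12:46:56 PM Started code block to Stop VMs'
    '01/11/2016 12:46:56 PM Adding servers to array for email'
    '01/11/2016 12:46:56 PM email form created notifying task has started'
)

function Get-AvmsLogFinding {
    param([string[]]$Line)

    # Each entry is "<date> <time> <AM|PM> <message>". The stamp is kept as text
    # because the log does not say whether the date is day-first or month-first.
    $pattern = '^(?<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?<msg>.+)$'
    $entries = @(foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{ Stamp = $Matches['stamp']; Message = $Matches['msg'] }
        }
    })

    # Error 1: the proxy rejected the unauthenticated request from the task's account.
    foreach ($e in $entries) {
        if ($e.Message -match '\(407\) Proxy Authentication Required') {
            [pscustomobject]@{
                Stamp   = $e.Stamp
                Finding = 'ProxyAuthenticationRequired'
                Action  = 'Run the scheduled task as a domain account that has proxy access.'
            }
        }
    }

    # Error 2: the log stops right after the start-notification email is built.
    # A task that is still running also ends here, so compare the stamp with the clock.
    if ($entries.Count -gt 0 -and $entries[-1].Message -like 'email form created*') {
        [pscustomobject]@{
            Stamp   = $entries[-1].Stamp
            Finding = 'StoppedAtEmailNotification'
            Action  = 'Check the SMTP server, port and credentials in AVMS and outbound mail rules.'
        }
    }
}

$lines = if (Test-Path -LiteralPath $LogPath) { Get-Content -LiteralPath $LogPath } else { $SampleLines }
Get-AvmsLogFinding -Line $lines | Format-List

# Show which account each AVMS task runs as. The '*AVMS*' name pattern is an assumption;
# adjust it to the task name shown in Task Scheduler.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | Where-Object { $_.TaskName -like '*AVMS*' } |
        Select-Object TaskName, @{ Name = 'RunAs'; Expression = { $_.Principal.UserId } }
}
```

When moving the task off the System account, a dedicated domain account that has proxy access and only the rights AVMS needs limits what the stored task credential can be used for.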

Need More Help?

Still having issues? Contact support@smikar.com or visit our AVMS page for more resources.

Upgrade SCCM 1610 – A Comprehensive Guide

How to upgrade SCCM 1610

Microsoft has recently released SCCM 1610, the much-awaited upgrade to their System Center Configuration Manager. This upgrade includes new features and enhancements in Office 365 management, application management, Windows 10, client management, end-user experience, and new functionality for customers using Intune with SCCM. In this article, we will discuss how to upgrade to SCCM 1610 and its new features and enhancements.

A quick overview of these enhancements:

  • Windows 10 Upgrade Analytics integration allows you to assess and analyze device readiness and compatibility with Windows 10 to allow smoother upgrades.
  • Office 365 Servicing Dashboard and app deployment to clients features help you to deploy Office 365 apps to clients as well as track Office 365 usage and update deployments.
  • Software Updates Compliance Dashboard allows you to view the current compliance status of devices in your organization and quickly analyze the data to see which devices are at risk.
  • Cloud Management Gateway provides a simpler way to manage Configuration Manager clients on the Internet. You can use the ConfigMgr console to deploy the service in Microsoft Azure and configure the supported roles to allow cloud management gateway traffic.
  • Client Peer Cache is a new built-in solution in Configuration Manager that allows clients to share content with other clients directly from their local cache with monitoring and troubleshooting capabilities.
  • Enhancements in Software Center including customizable branding in more dialogs, notifications of new software, improvements to the notification experience for high-impact task sequence deployments, and ability for users to request applications and view request history directly in Software Center.
  • New remote control features including performance optimization for remote control sessions and keyboard translation.

If you use SCCM with Microsoft’s Intune, you also get the following new features:

  • New configuration item settings and improvements now only show settings that apply to the selected platform. We also added lots of new settings for Android (23), iOS (4), Mac (4), Windows 10 desktop and mobile (37), Windows 10 Team (7), Windows 8.1 (11), and Windows Phone 8.1 (3).
  • Lookout integration allows you to check a device’s compliance status based on its compliance with Lookout rules.
  • Request a sync from the admin console improvement allows you to request a policy sync on an enrolled mobile device from the Configuration Manager console.
  • Support for paid apps in Windows Store for Business allows you to add and deploy online-licensed paid apps in addition to the free apps in Windows Store for Business.

SCCM 1610 FAQs

Question Answer

What is SCCM 1610?

SCCM 1610 is the upgrade to Microsoft’s System Center Configuration Manager.

What new features are included in SCCM 1610?

SCCM 1610 includes new features and enhancements in Office 365 management, Windows 10, application management, client management, end user experience, and new functionality for customers using Intune with SCCM.

What is Windows 10 Upgrade Analytics integration?

Windows 10 Upgrade Analytics integration allows you to assess and analyze device readiness and compatibility with Windows 10 to allow smoother upgrades.

What is the Office 365 Servicing Dashboard?

The Office 365 Servicing Dashboard is a feature that helps you to deploy Office 365 apps to clients as well as track Office 365 usage and update deployments.

What is the Software Updates Compliance Dashboard?

The Software Updates Compliance Dashboard allows you to view the current compliance status of devices in your organization and quickly analyze the data to see which devices are at risk.

What is the Cloud Management Gateway?

The Cloud Management Gateway provides a simpler way to manage Configuration Manager clients on the Internet. You can use the ConfigMgr console to deploy the service in Microsoft Azure and configure the supported roles to allow cloud management gateway traffic.

What is Client Peer Cache?

Client Peer Cache is a new built-in solution in Configuration Manager that allows clients to share content with other clients directly from their local cache with monitoring and troubleshooting capabilities.

What are the enhancements in Software Center?

The enhancements in Software Center include customizable branding in more dialogs, notifications of new software, improvements to the notification experience for high-impact task sequence deployments, and ability for users to request applications and view request history directly in Software Center.

What are the new remote control features?

The new remote control features include performance optimization for remote control sessions and keyboard translation.

What new features are available if you use SCCM with Microsoft’s Intune?

If you use SCCM with Microsoft’s Intune, you get new configuration item settings and improvements, Lookout integration, Request a sync from the admin console improvement, and support for paid apps in Windows Store for Business.

How do you upgrade to SCCM 1610?

To upgrade to SCCM 1610, you need to follow several steps, including checking to see if SCCM 1610 has downloaded, enabling the Fast Ring, forcing a check for the update, and downloading and installing the SCCM 1610 update.

Upgrade to SCCM 1610

To upgrade your SCCM to version 1610, follow these steps:


Check to see if SCCM 1610 has downloaded.

Open your SCCM console, and go to Administration, expand Cloud Services, then Updates and Servicing.

As in the picture above, you can see that the update to SCCM 1610 has not downloaded yet. You can choose to right click and check for updates, but as Microsoft is slowly rolling out this update over the next few weeks, it may not download. If you cannot wait for it to download itself, you can force the update by running the PowerShell script located here: https://gallery.technet.microsoft.com/ConfigMgr-1610-Enable-046cc0e9


Download SCCM 1610 Fast Ring

If you have waited quite some time and SCCM 1610 hasn’t downloaded, then you need to download the EnableFastRing.Exe to do this for you. Once downloaded, launch the file, extract the PowerShell script, and follow these steps.

  • Launch an elevated command prompt
  • Run PowerShell
  • Run the EnableFastUpdateRing1610.ps1 script
    • EnableFastUpdateRing1610.ps1 <SiteServer>, where SiteServer refers to the CAS or standalone primary site server
  • Force a check for the update.
    • If you are upgrading from version 1602 or higher go to Administration, Overview, Cloud Services, Updates and Servicing and click “Check for Updates”.  You may need to try “Check for Updates” more than once if the package is not downloaded on the first try.
    • If you are upgrading from version 1511, restart the SMS_Executive.
  • The new 1610 Update should now be available in the Configuration Manager Console.

Download SCCM 1610 update

Now that the Fast Ring has been enabled, go back to your SCCM console, right click the Updates and Servicing node and click Check for Updates.

Give SCCM some time to start the download of SCCM 1610. Refresh the console to see the status and then proceed to install when downloaded.

SCCM 1610 Downloaded

Now hopefully your SCCM 1610 update has downloaded and is now available in your console.

Select the Configuration Manager 1610 update, right click and choose Run prerequisite check.

SCCM will now check your environment is ready for the upgrade to SCCM 1610.

Let SCCM complete the check, and refresh the console to see when it has completed.

SCCM 1610 Update Installation

Now that the prerequisites have been checked and passed, you can now start to install the upgrade to SCCM 1610. Right click the update and choose Install Update Pack.

SCCM 1610 Update Installation – General Tab

The General Tab starts off the installation of the SCCM 1610 update. Click Next when you are ready to install.

SCCM 1610 Update Installation – Features Tab

On the Features tab, you can select which options you wish to install. Click Next when ready to proceed.

SCCM 1610 Update Installation – Client Update Options Tab

Next is the Client Update Options tab. Here you can choose to upgrade without validating, or to validate the upgrade in a pre-production collection. As this is one of our lab environments, I have chosen to upgrade without validating. If this is your production environment, it always pays to be mindful of any upgrades, SCCM included, so it may be worth choosing the other option and validating the upgrade against a test collection.

Choose the option you wish and click Next.

SCCM 1610 Update Installation – Licensing Terms Tab

Accept the license terms and privacy statement and click Next.

SCCM 1610 Update Installation – Summary Tab

On the Summary Tab, confirm the options you have chosen are correct and then click on Next to continue.

SCCM 1610 Update Installation – Progress Tab

The update to SCCM 1610 will now install.

SCCM 1610 Update Installation – Completion Tab

Hopefully all went well with your installation of SCCM 1610 and you should see a screen similar to the one below. Click Close and SCCM will continue updating in the background.

SCCM 1610 Update Installation – Update Log

To view the installation logs, go to the C drive of your SCCM server and locate the ConfigMgrSetup.log. If you have Trace32 installed, double click the log file to see the installation status.

Refreshing the console shows that the SCCM 1610 update is installing. Depending on your infrastructure, this could take some time.

Monitor the SCCM 1610 upgrade – Installation Status

You can additionally monitor the status of the installation of SCCM 1610 in your console. Go to the Monitoring tab, then Updates and Servicing Status, where you can see the updates you have applied. Highlight the Configuration Manager 1610 update, right click and choose Show Status.

Also, the cmupdate.log contains more details of the installation progress.

After quite some time, you should see that your SCCM version is now showing as version SCCM 1610.

You can finally go and party like it’s 1999. Don’t forget, since you are here, to check out our many software products that help make an Administrator’s life easy.
