Windows 10 data slurping

Windows 10 data slurping and how to limit it.

https://www.theregister.co.uk/2018/12/13/windows_10_carry_on_slurping/

Repairing SCCM Client WMI issues.

Occasionally clients will develop a problem with their WMI which impacts the operations of the SCCM client.  For example Application Deployment Evaluation Cycle will not respond or trigger the check / update.

The giveaway is a sea of red in the DcmWmiProvider.log with errors such as

Not found (Error: 80041002; Source: WMI)

At this point you can deduce that your WMI information is corrupted and needs to be rebuilt.

Another symptom is the inability of the SMS Agent Host (ccmexec) service to stop in a timely way.  It will try but then hang in a pending stop state.  This is annoying since this needs to be stopped before the Windows Management Instrumentation (Winmgmt) service can be stopped.

You may need to force the ccmexec service stop to proceed.

To do that,

sc queryex ccmexec

this output the process ID (PID) reference.  Force it down with

taskkill /f /PID <PidReference>

Personally I find it easier to manage the services in the services.msc applet.

Stop the Windows Management Instrumentation (Winmgmt) service.  This is not that easy to do because it will restart immediately.  It may need disabling for a short period while folder operation is done.

delete or rename the C:\Windows\System32\Wbem\Repository folder

Then restart the the Winmgmt service and the ccmexec service.

At this point you have caused chaos because, well, there's no WMI data at all ! :)

The SCCM Client will freak and run a repair operation to try and right itself while writing a log called repair-msi-<GUIDstring>.log It may get a 1603 error in which case it may retry until it gets a 0.  I've seen 1603 on the first attempt and 0 on the second.

After that the SCCM client tries to rebuild its world and get all its apps assignment polices - slowly.  On the machine this process occurred on it was about 3 hours with an end of day shutdown and a start of day boot up, and a forced restart on the ccmexec service.  Eventually normal service was resumed and the apps it was supposed to apply, did so.

SCCM Queries

This post is just a reminder on how to create Queries in SCCM.  AKA Queries for Dummies
Queries can be used to query the client inventory database and return results which match query parameters.
Status Message Queries, as the name suggests, query the status message logs to retrieve the occurrence of events with the SCCM system.

Often admins will query the database directly.  The Queries and Status Message Queries areas provide GUI interfaces for new queries and can show the generated Windows Management Instrumentation Query Language (WQL) code that is generated.

This item is about how to use the GUI interfaces to create a functioning query.

Queries

Right click under Monitoring/Overview/Queries and click Create Query

So far with the few queries I've created I have not needed to change the Object Type from System Resource.

Set a limiting collection if you have a particular set of objects in a collection to query

Enter a Name and Comments and click Edit Query Statement

Click Edit Query Statement and wait for the GUI interface to load.

Click the button with a yellow sun icon to add a class.

Click Select and them choose the Class and Attribute you are interested in.  For example try System Resource as the class and Name as the attribute

Do the same again but this time choose the Last Logon User Name attribute

Now you have two pieces of information that will be obtained.

Next you set the Criteria - click the Criteria tab

Click the yellow sun button to add a Criteria

In Criteria Properties select how the value will be set in the Criterion Type.  Will be fixed or will you get the query to prompt for a value?  For this example try prompt

Next Click System and select the Attribute Class as System Resource and Attribute as Name.

Back on the Criterion Properties set the operator.  For this example choose "is equal to"

Prompt will be set to <prompted value>

Click the OKs and run the query.  Enter a machine name and the query will return the last user logged on.

Sharp eyes among you may realise that this is similar (but the other way round) to one of the built in queries "Systems by Last Logged on User"

Now you've got a default query and a shiny new one all of your own!  From here you should be able to experiment and obtain the data you need.

Status Message Queries (SMQ)

Find these under Monitoring\System Status\Status Message Queries.  There are numerous built in ones but we want our own nice shiny ones !

Half the trick here is identifying what kind  of SMQ you are looking for.  One possible way of doing this is to mimic the operation that you want to query a status for, and then find the example of that SMQ by running the built in All Status Messages SMQ for the last hour.  Once you've identified the type of SMQ you're interested in it becomes easier to set the criteria of the query.

The main take away from this example is the technique of limiting the time window within which you want the query to run. e.g. you only want to know about a certain type of event that happened 7 days ago between 13:00 and 16:00.

Right click Status Message Queries and click Create Status Message Query

Click Edit Query and enter a Name and a comment

On the general tab use the yellow sun button to add any additional Class\Attributes.  By default there are three class \ attribute types of Status Messages <All> , Status Message Strings <All>, Status Message Properties <All>

Click the Criteria tab

Use the yellow sun button to add a criteria

Select Prmopted Value from the Criterion Type dropdown

Click Select and choose a Message Class and attribute.  For this example choose Status Messages \ Message ID

Leave the operator as "is equal to"  and Prompt will be automatically set to <prompted value>

The next two criteria enable you to choose the time windows you are interested in.

Add a criteria for a prompted value of Status Message\Created On.  Set the operator to "is greater than or equal to".   This causes a prompt for the earliest (the furthest back in time) date and time you are interested in.

Notice the criteria are automatically ANDed in the criteria window.

Next Add a criteria for a prompted value of Status Message\Created On.  Set the operator to "is less than or equal to".   This causes a prompt for the latest (the most recent in time) date and time you are interested in.

Click the OKs and Nexts and run the query by right clicking it and clicking Show Messages

You will get three items that you must enter data for:
The Message IS
The latest date/time
The earliest date/time

Click OK and check out the results!  Go query dude!  No really, go and learn how to query databases properly.  You know you should.  Maybe the Show Query Language button will give you some clues?

App-V 5, SCCM and Duplicate Connection Groups

Out in the real world, we began to see machines with multiple duplicated connection groups (CGs).  The duplicate CGs were not causing any problems in themselves because only one of them was globally published but they did make things look very messy.  It is quite disconcerting to list the connection groups (-all) and get back a list where several have exactly the same name. 

So how does this occur?

SCCM manages CGs in the virtual environments (VEs) section of the SCCM console.  When a VE is modified or a machine is added/removed to/from a package collection which is related to an item in the VE, SCCM fairly quickly begins to ripple out that change to the clients.  If the machine is logged off, the CG exists but is not in use, or the CG is not pre-existing, then the CG is created without issue.

However, if the CG exists already and is in use, then SCCM is unable to immediately affect the change.  In this case SCCM appears to create a new CG anyway and then tag it in the HKLM\Software\Microsoft\AppV\Client\PendingTasks using a text string item called PublishGroup with the GroupID_VersionID as the identifier.

If the CG remains in use SCCM will create another unpublished CG and write the PendingTasks key everytime the Application Deployment Evaluation Cycle runs.

If the CG is closed, the PendingTasks item is applied if the Microsoft App-V Client is restarted or the client is rebooted.

Reproduced on
Windows 10 Enterprise 1703
SCCM Client v5.00.8412.1000

Reflection X App-V launch error

An App-V 5 Micro Focus Reflection Desktop Pro 16.1.430 sequence may cause a launch error in the Reflection X application

Rxcs.exe - System Error 

The program can't start because ATMCRYPTO.dll is missing from your 

computer. Try reinstalling the program to fix this problem. 

This is followed by:

Error: NOT FOUND X Client Manager Object 

A procmon run appeared to show that the exe was not locating some dll resources in the locations that it was checking.

The resolution was achieved by copying some dll files to the same folder as the exe during the sequencing process.

Carry out the following file copies from
C:\Program Files (x86)\Micro Focus\Reflection
To
C:\Program Files (x86)\Micro Focus\Reflection\R14
atmcrypto.dll
atmcryptonf.dll
atmtls.dll
atmtlsnf.dll

Carry out the following file copies from
C:\Windows\SysWOW64
to
C:\Program Files (x86)\Micro Focus\Reflection\R14

atl100.dll
FM20enu.DLL
FM20.DLL
mfc100chs.dll
mfc100.dll
mfc100deu.dll
mfc100cht.dll
mfc100enu.dll
mfc100esn.dll
mfc100rus.dll
mfc100jpn.dll
mfc100fra.dll
mfc100ita.dll
mfc100kor.dll
mfc100u.dll
mfc120cht.dll
mfc120chs.dll
mfc120deu.dll
mfc120.dll
mfc120jpn.dll
mfc120ita.dll
mfc120enu.dll
mfc120fra.dll
mfc120esn.dll
mfc120rus.dll
mfc120kor.dll
mfcm120u.dll
mfcm120.dll
mfc120u.dll
mfcm100u.dll
mfcm100.dll
msvcp120.dll
msvcp100.dll
msvcr100.dll
vcomp100.dll
vcomp120.dll
vccorlib120.dll
msvcr120.dll

If correcting an existing package, the sequence can be opened in update mode whereupon it is possible locate the relevant files by their date stamp corresponding to the time of the sequence extraction.  They can then be copied to the C:\Program Files (x86)\Micro Focus\Reflection\R14 folder during the update monitoring phase.

This Micro Focus support link describes a similar but not identical problem.
https://support.microfocus.com/kb/doc.php?id=7022796

MSOffice components

Do not sequence Reflection on a machine which has Microsoft Office installed.  Some of the installation components are lower version VBA files.  Sequencing on a machine with an Office install can cause required items to be ommitted from the package which can then fail to open session files with macros if Office is not installed on the client.

Excel 32-bit vs 64-bit memory usage

https://support.microsoft.com/da-dk/help/3066990/memory-usage-in-the-32-bit-edition-of-excel-2013-and-2016

Remote Windows Service Administration using SC produces OpenService FAILED 5: error

Attempting to administer a Windows Service on a remote computer using the SC command may produce an unexpected error

[SC] OpenService FAILED 5:

Access is denied.


This can occur where a remote command window has been created using PSEXEC and SC commands are issued to control or query a Windows Service e.g.

sc query "Target Windows Service Name"


The cause is the original permissioning of the service during installation uses SSDL text strings which denies access to "over the network" admin attempts.

An example of such a SSDL string is:
D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;NU)

Check the MsiLockPermissionsEx Table of the MSI responsible for installation to verify the SSDL string presence.

Administering the service can properly be carried out via a locally logged on (or over RDP) session at the target computer.

This situation was discovered from this post
https://serverfault.com/questions/762824/remote-service-query-sc-exe-query-fails-with-access-is-denied-for-one-servic

History of application streaming

 

Excellent article with a brief history of application streaming and virtualization by Tim Mangan

https://www.tmurgent.com/TmBlog/?p=2134

Perfmon options

perfmon /rel Lets you review your computer’s reliability and problem history (the same result as right-clicking the Monitoring Tools node in Performance Monitor and selecting View System Reliability). 

perfmon /report Collects performance data for 60 seconds and then generates and displays a system diagnostics report. 

perfmon /res Opens the Resource Monitor (the same result as right-clicking the Monitoring Tools node in Performance Monitor and selecting Resource Monitor). 

perfmon /sys Opens the Performance Monitor in stand-alone mode (the Sysmon.ocx ActiveX control). 

An additional option, /comp, allows for comparison overlay between two open instances of Performance Monitor. 

Note that these options are for use with Perfmon.exe but not for use with Perfmon.msc. 

from
https://technet.microsoft.com/en-us/library/ff723776.aspx

Windows 10 AppX apps may not inter-operate with AppV 5 apps as expected

Scenario

App-V package of software that used image file formats, copied the files to %TEMP% before using the prevailing FTA to launch the assigned app.  For operational reasons the %TEMP% folder in the App-V package needed to be virtualised.  In this case, on Windows 10, the application for displaying images was the built in AppX app "Photos". 

Fault

In the above scenario "Photos" was unable to display the image in the virtualised %TEMP% folder. It is theorized that the AppX app Photos was unable to "see" inside the App-V bubble as conventional apps can.

Workaround

If the user changed the FTA for the file extension to MSPaint (a conventional windows app) then paint would correctly launch, see the image file in the virtual %TEMP% folder and display it.

What is it Han Solo says.......?

Windows 10 1703 changes the virtual registry staging......

http://blog.fslogix.com/app-v-1703-virtual-registry-and-containers

App-V Office Add-in fails to load. Sorry, we couldn't find.........

In some situations App-V Microsoft Office Add-ins can fail to load and also cause a particular type of error message to be generated.  This effect has been seen with COM add-ins crashing Excel at launch and failing to load in Powerpoint.  If attempts are made to activate the add-in via the COM Add-in manager, then an error can appear similar to:

Microsoft Powerpoint
Sorry, we couldn't find C:\Users\username\Application Data\Microsoft\Powerpoint\.  Is it possible it was moved, renamed or deleted?


If this occurs, evaluate the sequencing method being used and how the normal installation behaves when the Add-in is first launched with Excel or Powerpoint.  With the Mekko Graphics add-in, a license dialog is initialized at first launch.  It is this which appears to result in this type of error.

For the Mekko Graphics sequence the correct approach was to launch Excel and Powerpoint during sequencing.  Then edit the sequence to apply the following modifications:

The following keys MUST be set to Merge
MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\Excel\Addins
MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\Excel
MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\PowerPoint\Addins
MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\PowerPoint
MACHINE\SOFTWARE\Microsoft\Office\Excel\Addins
MACHINE\SOFTWARE\Microsoft\Office\Excel
MACHINE\SOFTWARE\Microsoft\Office\PowerPoint\Addins
MACHINE\SOFTWARE\Microsoft\Office\PowerPoint

The following files must be removed from the sequence
Package\Root\VFS\Common AppData\Knowledge Management\Mekko Graphics\mekko.lic
Package\Root\VFS\Common AppData\Knowledge Management\MekkoGraphics\MGConfig

The merge settings allow the add-in to co-exist with other add-in type packages that may exist in the connection group.  Deleting the license files allows "normal" operation of the add-in.  Repair / Reset works ;-)

App-V 5 App not launching / eventlog error

An App-V application fails to launch.  The following error appears in the App-V event log

Process 22004 failed to start due to Registry Staging subsystem failure. Package ID {187e5d55-af22-459e-bf2f-4ce9d9f7cbf5}. Version ID {cce01d5d-2ff0-4ae7-81bd-ce4ffa3d4936}. Error: 0x7D800D2A-0x3F1

Repair operations will not resolve this.

To fix this problem remove all the packages and connection groups associated with the application which is failing to launch.  Allow the deployment system to re-apply the App-V packages.

App-V 5 App not launching / repair error code 040000002C

If this key, associated with a users SID, is incorrectly formed then App-V apps may not launch for the user and app-v repair commands return an error code 040000002C

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Virtualization\LocalVFSSecuredUsers

S-1-5-21-1529150018-825634664-3829716540-1086429
REG_SZ
C:\users\default\AppData\Local\Microsoft\AppV\Client\VFS

This is incorrect they key should have the correct value of:
%USERPROFILE%\AppData\Local\Microsoft\AppV\Client\VFS

Changing the data value and rebooting resolves the issue.

The cause of the key change to the incorrect key is unknown at the time of posting.

This fix was derived from the information in this post:

http://www.applepie.se/app-v-5-and-publishing-error-code-040000002c

Windows 10 Physical to Virtual on VirtualBox

Converting a Windows 10 physical build to virtual (P2V) is quite tricky.  Typically without the procedure below boot attempts will end in
FATAL: no bootable medium found! System Halted
or
FATAL: INT18: BOOT FAILURE

It can be done using the following procedure.

Turn off Bitlocker and decyrpt the drive.  I'm not sure this is necessary but it was part of my successful procedure.  I decrypted the drive in an attempt to solve the problems which the video below actually solves.

manage-bde -protectors -disable c: -rebootcount 9   (to turn off the PIN prompt)
manage-bde -off c:       (to decrypt drive)
mange-bde -status c:    (to check status)

Use Disk2VHD to convert the physical machine drive to a VHD file.

Obtain Windows 10 boot / install media to access the repair options.  An ISO image is best.

Create a VM in virtual box.
Connect the VHD to an IDE controller.
Connect the Windows 10 boot / install media ISO to an virtual optical drive.
Set the optical to boot first.

Boot to the Win 10 Install / Repair media and follow the instructions in the video to repair the UEFI partition.

Physical to Virtual P2V With VirtualBox
https://www.youtube.com/watch?v=6wVJUimaq2U

Once the partition is repaired shut the machine down.
Set the Hard Drive to be the first boot device and Enable EFI on the system motherboard settings.

BOOT to virtual Windows 10 :)

Install the VirtualBox tools

Sychronize/update the machine account password with the domain.  The physical machine you've virtualised will not logon to the domain after this.

Take the snapshot.

Remember to synchronize/update the machine account password again before age expires.  This is set by GPO but is usually 30 60 or 90 days.  If the VM changes it's password with the domain after the limit is reached, then the older snapshot will no longer logon to the domain.  You may have to start all over again.  Put a reminder in your calendar !

App-V 5.x User Scripts not working

Attempting to use App-V user start process scripts on a stand alone Windows 7 computer with local user accounts results in an error of

The application failed to launch
This may be due to a network failure
Error code: 0x0DF01725-00000534

Annoyingly, on Windows 10 (Anniversary) there is no visible or logged error at all, the app just fails to launch, even though the log acknowledges (4004 event) that the script has been called.

The workaround is to use domain accounts not local accounts.

Thanks to Dan Gough for posting this
http://packageology.com/2014/03/user-scripts-broken-app-v-5-0-sp2-local-accounts

timeout

timeout is a batch file command which produces a visible countdown in a batch file command window.

keywords
wait sleep pause

Enabling the Windows 10 Native App-V Client

The Windows 10 Native App-V Client is not enabled by default.

Attempting to start the Microsoft App-V Client services produces an error:

Windows could not start the Microsoft App-V client on Local Computer.  For more information, review the System Event Log.  If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code <error code here>.

You can enable the client by entering the powershell command

Enable-AppV

Group Policy can be used:
Open the device’s Local Group Policy Editor.
Navigate to Computer Configuration > Administrative Templates > System > App-V.
Run Enables App-V Client and then select Enabled on the screen that appears.
Restart the device.



There is also a reference to this problem here:

https://blogs.technet.microsoft.com/appv/2014/09/03/support-tip-the-app-v-client-service-fails-to-start-and-logs-event-id-7024/

Hide a drive in Windows Explorer

To hide drives in Windows Explorer set a registry key as shown below or use this group policy to set the required keys.

HKLM –> Software –> Microsoft –> Windows –> CurrentVersion ->Explorer
or
HKCU –> Software –> Microsoft –> Windows –> CurrentVersion ->Explorer

NoDrives DWORD decimal setting as follows.

A: 1, B: 2, C: 4, D: 8, E: 16, F: 32, G: 64, H: 128, I: 256, J: 512, K: 1024, L: 2048, M: 4096, N: 8192, O: 16384, P: 32768, Q: 65536, R: 131072, S: 262144, T: 524288, U: 1048576, V: 2097152, W: 4194304, X: 8388608, Y: 16777216, Z: 33554432, All: 67108863

Add values to select multiple drives.

To hide drives in Windows Explorer set a registry key as shown below or use the group policy to set the required keys.

Automatic Uninstall of Packages

A common method of application deployment is to configure a collection to query an AD group and treat the members as members of the collection.

Logically if a resource is no longer in a group then the software should be removed.  This allows the AD group to be an accurate indicator of the number of installations.

In SCCM, installation deployments override uninstall deployments.  This fact can be used to easily make an uninstall configuration arrangement which can be incorporated into the standard for the setup of the original deployment configuration.  Of course, it can also be be applied retrospectively if necessary.

The install deployment is deployed to the install collection.  Any collection membership method can be used.  The uninstall deployment is deployed to the uninstall collection.  The uninstall collection members is set to a very wide collection such as All Workstations but it also includes an exclude of the install collection.

calling SCCM actions

Codes for triggering SCCM client actions

Application Deployment Evaluation Cycle
Discovery Data Collection Cycle
File Collection Cycle
Hardware Inventory Cycle
Machine Policy Retrieval Evaluation Cycle
Software Inventory Cycle
Software Updates Deployment Evaluation Cycle
Software Updates Scan Cycle
User Policy Retrieval Evaluation Cycle

Trigger Codes:

{00000000-0000-0000-0000-000000000001} Hardware Inventory
{00000000-0000-0000-0000-000000000002} Software Inventory
{00000000-0000-0000-0000-000000000003} Discovery Inventory
{00000000-0000-0000-0000-000000000010} File Collection
{00000000-0000-0000-0000-000000000011} IDMIF Collection
{00000000-0000-0000-0000-000000000012} Client Machine Authentication
{00000000-0000-0000-0000-000000000021} Request Machine Assignments
{00000000-0000-0000-0000-000000000022} Evaluate Machine Policies
{00000000-0000-0000-0000-000000000023} Refresh Default MP Task
{00000000-0000-0000-0000-000000000024} LS (Location Service) Refresh Locations Task
{00000000-0000-0000-0000-000000000025} LS (Location Service) Timeout Refresh Task
{00000000-0000-0000-0000-000000000026} Policy Agent Request Assignment (User)
{00000000-0000-0000-0000-000000000027} Policy Agent Evaluate Assignment (User)
{00000000-0000-0000-0000-000000000031} Software Metering Generating Usage Report
{00000000-0000-0000-0000-000000000032} Source Update Message
{00000000-0000-0000-0000-000000000037} Clearing proxy settings cache
{00000000-0000-0000-0000-000000000040} Machine Policy Agent Cleanup
{00000000-0000-0000-0000-000000000041} User Policy Agent Cleanup
{00000000-0000-0000-0000-000000000042} Policy Agent Validate Machine Policy / Assignment
{00000000-0000-0000-0000-000000000043} Policy Agent Validate User Policy / Assignment
{00000000-0000-0000-0000-000000000051} Retrying/Refreshing certificates in AD on MP
{00000000-0000-0000-0000-000000000061} Peer DP Status reporting
{00000000-0000-0000-0000-000000000062} Peer DP Pending package check schedule
{00000000-0000-0000-0000-000000000063} SUM Updates install schedule
{00000000-0000-0000-0000-000000000071} NAP action
{00000000-0000-0000-0000-000000000101} Hardware Inventory Collection Cycle
{00000000-0000-0000-0000-000000000102} Software Inventory Collection Cycle
{00000000-0000-0000-0000-000000000103} Discovery Data Collection Cycle
{00000000-0000-0000-0000-000000000104} File Collection Cycle
{00000000-0000-0000-0000-000000000105} IDMIF Collection Cycle
{00000000-0000-0000-0000-000000000106} Software Metering Usage Report Cycle
{00000000-0000-0000-0000-000000000107} Windows Installer Source List Update Cycle
{00000000-0000-0000-0000-000000000108} Software Updates Assignments Evaluation Cycle
{00000000-0000-0000-0000-000000000109} Branch Distribution Point Maintenance Task
{00000000-0000-0000-0000-000000000110} DCM policy
{00000000-0000-0000-0000-000000000111} Send Unsent State Message
{00000000-0000-0000-0000-000000000112} State System policy cache cleanout
{00000000-0000-0000-0000-000000000113} Scan by Update Source
{00000000-0000-0000-0000-000000000114} Update Store Policy
{00000000-0000-0000-0000-000000000115} State system policy bulk send high
{00000000-0000-0000-0000-000000000116} State system policy bulk send low
{00000000-0000-0000-0000-000000000120} AMT Status Check Policy
{00000000-0000-0000-0000-000000000121} Application manager policy action
{00000000-0000-0000-0000-000000000122} Application manager user policy action
{00000000-0000-0000-0000-000000000123} Application manager global evaluation action
{00000000-0000-0000-0000-000000000131} Power management start summarizer
{00000000-0000-0000-0000-000000000221} Endpoint deployment reevaluate
{00000000-0000-0000-0000-000000000222} Endpoint AM policy reevaluate
{00000000-0000-0000-0000-000000000223} External event detection

Reference
https://blogs.technet.microsoft.com/charlesa_us/2015/03/07/triggering-configmgr-client-actions-with-wmic-without-pesky-right-click-tools/



keywords
trigger

Win32 Error Codes

It's a very long list.

https://msdn.microsoft.com/en-us/library/cc231199.aspx

SCCM Versions

https://www.systemcenterdudes.com/sccm-2012-version-numbers/

Release Dates

https://en.wikipedia.org/wiki/Microsoft_System_Center_Configuration_Manager

keywords
SCCM Version Versions