Microsoft System Center Configuration Manager 2007 – NAP (Network Access Protection)


NAP (Network Access Protection). To be honest, with regard to NAP and SCCM there is not much you need to know. If you don’t know what NAP is or how it works, I recommend you read up on it.

It’s also worth noting NAP will ONLY work with SCCM installed on Windows Server 2008 and above (although it can be configured on Server 2003 SCCM); the NAP server must be 2008.

Let me start with a VERY basic overview of NAP and also what it does.

Let’s look at the diagram below. You have just purchased the best, most expensive, secure firewall known to man. Nobody from the outside is getting through the firewall to cause havoc on your network.

But what about Mr Joe Bloggs, who went home, got a virus and on Monday morning comes in and happily plugs his laptop in to the network… Your firewall isn’t much good now.

NAP allows machines which do not comply with your NAP policy to be “quarantined” in a remedial network.

For example, your NAP policy might require that the user has Windows Firewall turned on, and has the latest updates/antivirus updates.

If the machine does not have these, it is placed in a remedial network with limited access: only access to servers which will allow the client to update to comply with your NAP policy.

Once it complies with your NAP policy it is allowed access to the production network.

Let’s now look very briefly at how you would configure it in SCCM.

Scroll down to Network Access Protection and right click > new policy

In this example, I’ve selected the update (we created in an earlier blog).

Setting “as soon as possible” is not always wise. You need to allow time for clients to process the update before you enforce it.

Review and click finish

We have now created a NAP policy. The above policy works with NAP so that this update MUST be present before a client is allowed on to the network. If it’s not, then (depending on your NAP setup) the client will be placed on a different subnet allowing it access to a WSUS server to obtain the update. Once the update is present the client will be allowed on to the production subnet.

That’s that! I chose not to go through all the steps required for configuring a NAP environment; that is outside the scope of this exam, but if you have done previous exams (70-642 for example, or even the Exchange exams) they will cover NAP in-depth as well as how to configure a NAP environment.

Microsoft System Center Configuration Manager 2007 – Remote Tools & WOL (Wake On Lan)

The ability to “remotely” control a client’s PC is one of the major benefits to any helpdesk or organisation. There is no longer any need to drive to the client site; you can do it from the comfort of your own desk/home/bed!

SCCM has a number of remote monitoring tools available to you as the administrator, and we will look at covering those off as well as the below in this blog:

  • Enabling remote tools
  • Enabling WOL (Wake on LAN)
  • Using remote tools
  • Leveraging WOL in your environment

As always, let’s make sure the remote tools client agent is enabled

A few options you want to be careful of here. “Ask for permission when an administrator tries to access clients”: remember, if this is selected it means that if you wish to remotely control a remote server, someone will need to click the “allow” box in front of the server. Whilst it might seem like a good idea for clients, I personally would choose to deselect this option and simply alert the client when you have remote control (which will be found in the notification tab)

Here we choose which users can use the remote tools from the SCCM console

Here we can set the notification options for the client (when requesting/when you have) remote control

Choose whether to allow remote assistance or not

Likewise the same with remote desktop

Now we have these enabled and configured, let’s browse to a collection

Right click the workstation and let’s see what remote tools we have available to us

As you can see we have a fair few. In this example I will send a request for remote assistance

If we switch over to the client PC this is the alert they receive

From our side of things (the SCCM console) this is our view once the user accepts our request. As you can see we are in view only mode at the moment

You can chat with the user in the chat box

Now we need to take control: select “take control”

The user receives the following

From our side we are alerted we are now in control

Allowing us to troubleshoot the problem

In another example, I can right click and select to bring up the client’s Event Viewer. (Very handy).

That is pretty much that for remote tools, they are all fairly self-explanatory!

Moving on to WOL (Wake on LAN). You have to remember there are a few steps you need to make sure are covered off BEFORE enabling it in SCCM.

  1. Wake on LAN is enabled in the BIOS
  2. Wake on LAN is enabled on the network card properties (from within the OS)

Once these are OK, we can move to SCCM and enable it from there.

Select your site and right click > properties

Select the wake on LAN tab

Enable WOL

You will be alerted to the below: (click OK for now)

View the advanced settings and make any changes you need to

WOL is now enabled (click OK)

We now need to install the out of band service point site

Once installed double click to make sure the settings are how you want them

Review and click finish

If we right click and select properties we are able to adjust any of those settings now

The final step is to enable WOL in the “advertisements”. For example, when installing VLC, we will enable SCCM to send a magic packet to wake up the client and install VLC

Simply select enable wake on LAN

And that’s that. A relatively simple and small blog, but an important one: if you can’t install software during the day and choose to do it out of hours, WOL will be very beneficial.
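The magic packet mentioned above has a fixed layout: six 0xFF bytes followed by the target MAC address repeated 16 times. The following is an added example, not SCCM code and not from the original post; it builds such a packet and recognises one inside a captured payload, which is handy when checking with a packet capture that the wake-up actually left the site server. The function names, the sample MAC and UDP port 9 are assumptions.

```powershell
# Added example (not SCCM code). Function names and the sample MAC are hypothetical.

function New-MagicPacket {
    param([Parameter(Mandatory = $true)] [string] $MacAddress)

    # Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455
    $hex = $MacAddress -replace '[-:.]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') {
        throw "Not a valid MAC address: $MacAddress"
    }
    $mac = [byte[]] (0..5 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })

    # 6 sync bytes of 0xFF, then the MAC repeated 16 times = 102 bytes in total
    $packet = New-Object byte[] 102
    for ($i = 0; $i -lt 6; $i++)   { $packet[$i] = 0xFF }
    for ($i = 6; $i -lt 102; $i++) { $packet[$i] = $mac[($i - 6) % 6] }
    return ,$packet
}

function Find-MagicPacketTarget {
    # Returns the MAC a payload is trying to wake, or $null if it holds no magic packet.
    param([Parameter(Mandatory = $true)] [byte[]] $Payload)

    for ($start = 0; $start -le $Payload.Length - 102; $start++) {
        $isMagic = $true
        for ($i = 0; $i -lt 6 -and $isMagic; $i++) {
            if ($Payload[$start + $i] -ne 0xFF) { $isMagic = $false }
        }
        # Every later copy of the MAC must equal the first 6-byte copy
        for ($i = 6; $i -lt 96 -and $isMagic; $i++) {
            if ($Payload[$start + 6 + $i] -ne $Payload[$start + 6 + ($i % 6)]) { $isMagic = $false }
        }
        if ($isMagic) {
            $macBytes = $Payload[($start + 6)..($start + 11)]
            $macText  = ($macBytes | ForEach-Object { $_.ToString('X2') }) -join ':'
            return $macText
        }
    }
    return $null
}

function Send-MagicPacket {
    param(
        [Parameter(Mandatory = $true)] [string] $MacAddress,
        [string] $Broadcast = '255.255.255.255',
        [int] $Port = 9   # assumption: use the UDP port set on the site's Wake On LAN tab
    )
    $packet = New-MagicPacket -MacAddress $MacAddress
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.EnableBroadcast = $true
        [void] $udp.Send($packet, $packet.Length, $Broadcast, $Port)
    }
    finally { $udp.Close() }
}

# Constructed demo (nothing is sent): build a packet for a made-up MAC,
# bury it between other bytes, then recover the target from the payload.
$packet  = New-MagicPacket -MacAddress '00-11-22-33-44-55'
$payload = [byte[]] (@(0x01, 0x02, 0x03) + $packet + @(0x00))
[pscustomobject]@{
    Length = $packet.Length
    Target = Find-MagicPacketTarget -Payload $payload
    Noise  = Find-MagicPacketTarget -Payload (New-Object byte[] 120)
}
```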

Microsoft System Center Configuration Manager 2007 – Desired Configuration Management

DCM allows you to monitor your client machines to make sure the clients are fully compliant and running the correct configuration you wish to enforce.

For example, with Adobe Reader there is a registry key you can add to help improve the optimisation. You can use DCM to check the client machines to make sure the registry setting is set to enabled (as this helps improve end user experience). If it finds cases where clients are running with the registry key disabled it can alert you.

We will look at covering in this blog:

  • The client agent
  • Baseline & Configuration Items – Elements you wish to monitor
  • Reports & Compliance – Allow you to report on the above captured data
  • Preconfigured Baselines

Let’s get started then, navigate to the client agents folder and let’s make sure DCM client agent is enabled.

There really aren’t too many settings, apart from the schedule you wish DCM to run. Like most default options it’s set to 7 days.

Now let’s navigate to the DCM component and expand this.

You will notice by default there are no configuration items or baselines set, which means we will need to create our own.

Before I do this, I’m going to flick over to MRPCX02 and create a new registry key with a value of 5 in the VLC folder <hklm\software\videolan\>

This is the registry key DCM will be scanning for

Right click configuration items and select NEW>Application configuration item

Enter a name, and choose a category (there are a couple of pre-defined categories) to make it easier to search. In this instance I will create a new group.

If you have access to the .MSI you can choose for DCM to scan for the MSI first (to make sure the program is installed/should be installed).

In this case I will assume it is always installed.

On the next window we can choose the item we wish to scan for. Select Registry Key

Enter the location of the registry key

You will see I’ve made a mistake in the screen shot below (It should read: software\VideoLAN\VLC\test)

We’ve now added the registry key successfully. Select next

The next part is where we configure what the setting of the registry value should be. Select Registry (you can see there are many options for monitoring IIS/AD etc..)

Enter the value of the registry setting

We’ve now added the value; we now also need to validate this (what happens when it discovers this key)

Click validation

In this case if the value does not match 5 then alert with a warning

You can now choose which systems this is compatible with

Finally review the settings and click finish

We now have our new configuration item
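What the configuration item above asks each client to evaluate can be reproduced by hand, which is useful for spot-checking a machine before the DCM schedule runs. This is an added example and not SCCM's own evaluation engine; the function name is hypothetical, it assumes `test` is a value under the VLC key, and the demo uses a constructed scratch key under HKCU so it can run without touching HKLM.

```powershell
# Added example (not SCCM's DCM engine). Mirrors the rule described above:
# the value must equal 5, otherwise report it with Warning severity.
function Test-RegistrySetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $KeyPath,
        [Parameter(Mandatory = $true)] [string] $ValueName,
        [Parameter(Mandatory = $true)] $Expected,
        [ValidateSet('Information', 'Warning', 'Error')] [string] $Severity = 'Warning'
    )

    $actual = $null
    $state  = 'Compliant'
    try {
        # -ErrorAction Stop turns a missing key or value into a catchable error
        $item   = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
        $actual = $item.$ValueName
        if ($actual -ne $Expected) { $state = 'NonCompliant' }
    }
    catch {
        # A missing key or value is reported separately from a wrong value
        $state = 'NotFound'
    }

    $raised = 'None'
    if ($state -ne 'Compliant') { $raised = $Severity }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Setting  = "$KeyPath\$ValueName"
        Expected = $Expected
        Actual   = $actual
        State    = $state
        Severity = $raised
    }
}

# Constructed sample data: a scratch key under HKCU so the demo needs no admin rights.
# On the lab client the path would be HKLM:\SOFTWARE\VideoLAN\VLC with value name 'test'.
# (A 32-bit application on 64-bit Windows writes under SOFTWARE\WOW6432Node instead.)
$demoKey = 'HKCU:\Software\DcmExample\VideoLAN\VLC'
New-Item -Path $demoKey -Force | Out-Null
New-ItemProperty -Path $demoKey -Name 'test' -Value 5 -PropertyType DWord -Force | Out-Null
$results = @(Test-RegistrySetting -KeyPath $demoKey -ValueName 'test' -Expected 5)

Set-ItemProperty -Path $demoKey -Name 'test' -Value 3      # value drifts from the baseline
$results += Test-RegistrySetting -KeyPath $demoKey -ValueName 'test' -Expected 5

Remove-ItemProperty -Path $demoKey -Name 'test'            # value removed altogether
$results += Test-RegistrySetting -KeyPath $demoKey -ValueName 'test' -Expected 5

Remove-Item -Path 'HKCU:\Software\DcmExample' -Recurse -Force
$results | Format-Table Setting, Expected, Actual, State, Severity -AutoSize
```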

We can now define our baseline policy (to which clients should adhere).

Select new configuration baseline

Fill out the below applicable to you (I’ve chosen to associate this with the XPClient group I created above)

On the next page you will see the various different options we can use to define if a client is compliant.

In our case we will use the third option down

Select the configuration item we created

Once complete click next

As a side note, we don’t need to select just one option. We could also choose for DCM to check that certain updates are installed

Review the settings and click finish

Now we have our baseline, we need to assign this to a collection. In this example I will assign to the XP Systems collection.

Select assign to a collection

Select the baseline you wish to use

Choose the schedule you wish to use

Now we have defined our baseline we need to be able to report on it. If we click on to reports you will see a number of pre-defined reports for compliance

Select a report to run

And fill out the required details

Obviously as the elapsed time has yet to run it will show no results but you get the idea..

Finally I’ll show you a handy little download from Microsoft.

This ConfigMgr pack contains a number of pre-defined baselines.

Install as usual

Now what we will do is import this .cab file in to SCCM

Right click > Import Configuration Data

Add the .cab file

This shows us the items it will be importing

Click finish to start the import

Now if we refresh the DCM folder, we will see these pre-defined baselines and configuration items


Configuration Items

It’s always handy to have a browse through the settings of these pre-defined items just to get a better understanding of “how they work”.


Microsoft System Center Configuration Manager 2007 – Software Metering

In this short blog we will be looking at software metering and usage.

Wouldn’t it be nice to see if the users who have requested some expensive piece of software are actually using it and need it, as opposed to just “wanting it” because someone else does?

We start with the client agent (like normal), and making sure the software metering client agent is enabled

By default the schedule is set to a week (to retrieve the information from clients). You can change this to suit

Once enabled client side, let’s move down to the software metering section under computer management

You will see there are a number of existing software metering rules in place for a range of default programs. As you can see, all of them are set to disabled by default

Let’s enable software metering for the default rule “notepad.exe”

Right click > properties, and we can take a look at what this rule is actually made up of.

We specify a file name, version, and also the usual security permissions

Now we have a brief idea of what “goes in” to a software metering rule, let’s create our own.

This rule will meter the usage of Microsoft Word (any version)

I’ll leave the default security settings

We now have our software metering rule.

Now we have our rule we need to report on it, let’s drop down to reports, we will see there are a number of pre-defined software metering reports.

In this example I’ll use the below pre-defined report

Select “run”

And fill out the required details

As we’ve only just created this rule there is no data (remember it runs once a week by default) but you get the idea of where to find this information when you need it.

Microsoft System Center Configuration Manager 2007 – Deploying Software Updates

A major part of any IT infrastructure is making sure that all your clients are patched and fully up to date. SCCM makes our lives easier, and if you’ve used WSUS (Windows Server Update Services) before you will see the similarities (as SCCM works with WSUS).

This should be a fairly short blog (although as you’ll see the waiting for the SCCM server to pull down / query all the available updates will take the most time!).

We will look at covering:

  • The WSUS Installation – as SCCM works WITH WSUS
  • Software Update Client Agent & Site Role
  • Deployment Templates
  • Deployment Packages
  • Updating Computers

Before we go any further, if you haven’t already you will need to download WSUS. In this example I will be installing WSUS 3.0 SP1 (and then applying SP2).

Once you have the installable download from Microsoft, run the installation and follow the installation wizard. When you get to the part regarding IIS (personally) I always choose to install to a NEW IIS website. It just helps with maintenance, and if any corruption should occur you are only affecting this site, and not additional sites which all run under the default website.

Also please make a note of the ports used for this new IIS instance as you will need to update SCCM later with them!

*Remember make a note of the below ports*

Now we have completed the WSUS installation, we can move back over to the SCCM console and complete the required configurations steps within here.

Like with most other SCCM “features” we need to make sure the agent is enabled. Browse to Client Agents and make sure the Software Updates Client Agent is enabled.

You will see we have a couple of other configurable options within here, whether or not to force installations to clients as well as hiding the deployments from the end user.

We can choose a schedule for “re-evaluation” of deployments, i.e. if an update has previously been installed but can no longer be found.

Now we have configured the agent settings, we need to add in a new site system point.

Right click and select “software update point”

Follow the usual installation and select finish

Now let’s go in to the properties of the newly installed site role.

Remember when I said to make a note of the IIS port numbers, this is where we need to enter those two port numbers (as they are not using the default IIS ports).

We will be directly synchronising from Microsoft Update. We can also choose whether or not to create reporting events (e.g. do you want to see what is going on with the client – the installation progress/update progress). It’s up to you, but I would recommend in this case selecting create all WSUS reporting events.

By default updates are synchronised every 7 days; depending on your environment you can choose longer or shorter, but 7 days is all we require for now

Next we can select which type of updates we wish to sync.

We can also pick for which products we wish to synchronise. There is no point sync’ing all the products (Exchange/IAG etc.) if we are only Server 2003/SQL 2005 and XP/office

Again, save yourself some time and space and only sync the required languages. Simply deselect any you don’t require.

Now we have configured this part. Let’s run a synchronisation with Microsoft. Browse to Software updates > Update repository > Right click > Run Sync

You will notice there is only one folder listed within the update repository at the moment

Here’s where you may as well go and do something else…Personally I left mine for a day as if you check the sync log you will see just how time consuming and how many updates will be processed

When this finally finishes, refresh the console and you will now see folders of all those updates you ticked during configuration.

We can then drill down in to all updates

And if we look at all those for XP we can see it lists Unknown and Total as 4 (in the majority of the cases) as SCCM currently does not know the status.

You will also see Deployed is: No

Before we can deploy the updates, we need to create a deployment template. Browse to Deployment Templates and select New

Follow the wizard as below

Select which collections you wish to include in this template

In this example I’ll be deploying to all XP machines

I will choose to hide the notifications

As well as choosing not to restart if required

I don’t have MOM running so can ignore this but these are the same settings as covered in a previous blog

If you have boundaries set up you can choose to not install or download the updates from the local distribution point.

Not applicable for this lab but if you still have an older SMS environment (2003) you can choose to deploy to them.

Review the settings and click Finish

We can now go back to the list of updates available. Right click a single update (or select multiple updates), and right click > Update list

We will now create a new update list

Choose the name, and package source (I’ve created a folder in c:\sourcefiles\updates)

Choose a distribution point (in our case we only have the one)

Choose to download the software from the internet (or if the SCCM server has no “outside world” access, you can choose to download from a secure share on your network)

Again select the languages you need

Select any additional security

Review and click finish

If we now check the update lists you will see the new list we have created

If we right click on here we can now deploy the software updates

Name the deployment

Choose the existing template (we created earlier)

Choose when to deploy the updates, and if a deadline is required/WOL is required.

If you are using NAP you can choose to include this as a requirement

Review and Finish

You may think it should appear in packages (where we deployed Adobe and VLC from) but if you check it’s not listed

This is because it is actually listed under deployment management. If you drill down you will see the new deployment package located in here.

If we right click > properties, we can see all of the configuration options we have just configured.

And finally, once the update has been deployed if we refresh the console we should now see it showing as deployed to one workstation (I only have MRPCXP01 powered on at present).

Microsoft System Center Configuration Manager 2007 – Operating System Deployment

Now we’re talking! Operating system deployments. I’m warning you now this is a fairly long blog, not because it’s particularly difficult but because there are many different parts which make up the overall “OS deployment”.

Ideally you need to be fairly familiar with WinPE (Windows Pre Installation Environment), .WIM file formats (Microsoft format for Windows image management), and PXE booting. If you have never touched on them it will be worth your while having a quick 10 minute read up on each.

What types of images are we going to be working with then?

  • Boot Image
  • Install Image
  • Capture Image

We will be covering off task sequences (which is how and in what order items are completed), as well as the PXE site system role (for those machines in your environment which PXE boot).

As I said above, it’s not too complex, just many parts. Let’s get straight in with enabling the PXE service point. We should be more than familiar with adding site system roles now, so add the PXE service point as below

Select yes

Define the options you wish to use. (You may or may not want to set a password). You may not want to respond to requests on all network interfaces. It’s up to you

Again the below are fairly self-explanatory

Click finish

Now we can navigate to the OSD (Operating System Deployment) menu.

Before we start rolling out operating systems, we need to define a package to INSTALL the SCCM client. Otherwise we will be rolling these images out and won’t be able to manage them!

As the SCCM agent is a defined package already we can easily add this (I won’t explain too much as we covered packages in the last blog).

Now we’ve added the SCCM client package, if we navigate to boot images you will see by default we have an x86 and x64 version.

Right click > properties to change any of the default settings.

If you wished to add a new boot image you would simply select “Add boot image” then follow the wizard

Now we have our boot image, we need to supply an operating system. (Once the system boots it needs to be able to install an OS)

Browse to the sources folder (in this case I’m using the windows vista CD)

Fill out any required details

If you right click > properties you can again edit any of the settings you just entered

Now we need to supply the operating system install package. I have the vista OS copied to a folder, and in the below example I’m simply browsing to the CD stored locally. At present we can now boot, find an OS but we need to know the location of the installation packages…

If you have any special or required drivers to be installed, you can supply these by right clicking drivers and creating a new driver location

Once it has searched the location for drivers it will now try to import these

Type a name for these drivers

Select the location you wish these drivers to be added to

You can choose to inject the drivers in to the boot images if required

Once the drivers have been imported we can then continue.

Next we come to a task sequence. This is where we specify what actually happens and in which order

Right click > new task sequence, and we will select install an existing image package

As usual fill out all the required details

Select the required boot image

Select the operating system image

Choose if you wish the computer to be joined straight on the domain or simply a workgroup.

If you wish to capture any user/network or windows settings you can do so

In this case I won’t be

I don’t wish to install any updates for now

On the next page include the SCCM client agent as a package to be installed

Click finish and close

If you right click > properties you can see we now have lots of additional options and also the option to specify variables should something not complete successfully.

Finally we need to advertise this (like we did with the software deployments).

It’s the same as in the last blog so I won’t go in to detail again….

PLEASE PLEASE PLEASE make sure you choose to access the content from the server. If you download it, when the client formats the drive during the OS deployment, well, guess what: there go all the files needed to complete the deployment!

Now we have our sequence, if you wanted to create standalone media for this (say for an engineer to take out in to the field) right click and choose whichever option you require

All fairly self-explanatory!

Using the same method as above (creating a task sequence) we will now build and then capture the OS image. We are effectively building it then sucking in all the information to create an operating system image. You will see every step is exactly the same as above with exception to the end where you actually do the capture.

Here is the difference, we now specify a location for the .wim file to be created

You can then click finish to complete the capture above.

There we have it, how to deploy an operating system via SCCM. Wasn’t too hard after all was it!

Microsoft System Center Configuration Manager 2007 – Software Distribution Practical

Back to getting hands on with SCCM in part 2 of Software distribution (the practical) blog.

I’ll get straight in to it as we’ve got a fair amount to cover in this blog, but I’m going to cover off the various elements which make up software distribution as a whole:

  • Distribution Point
  • Packages
  • Programs
  • Advertisements
  • Branch Distribution Points

Let’s make sure before we go any further that the client is configured for software distribution. Right click Advertised Programs Client Agent Properties from within client agents.

If this is not already enabled then let’s enable it

We don’t have to worry too much about the notification at this point, you will see this later on and can change accordingly.

Now we know the client side should be OK, we need to check server side is OK as well.

Make sure we have the ConfigMgr distribution point set as a standard distribution point.

This is also where you can choose which remote computers can become branch distribution points.

If you are using SCCM within a protected boundary, you can adjust the settings within the ConfigMgr site system options, as well as changing the account used.

For example you may wish to include only a certain subnet, or existing site boundary. In our case we only have the one site so this does not matter.

I’m now going to create a new shared folder called SourceFiles (c:\sourcefiles). I’m going to use this directory to start storing all the files required for app deployment and operating system deployment (to be covered later).

Make sure the computer has full access to this share

Expand software distributions, and you will be presented with two sub folders. Packages and Advertisements.

Right click and select new Package

We will now start to create a package we wish to deploy. In this example I am using Adobe Reader to deploy

On the second page select the location the .exe or .msi file is located

One quick check worth making is that the software distribution properties are set to store packages on the drive you wish to use

You can also specify additional options but for this example we can ignore them and leave the default.

Back to the new package wizard, we wish to access the folder via the ConfigMgr share. This is a hidden share created by default

We can now set the priority; again, leave these as default. You can also choose to automatically download the content, or choose to do this manually and manually publish to distribution sites.

Leave the MIF section as default

Click next and then Finish.

We’ve now created our first package.

If you right click > properties you can adjust any items if required.

In the navigation pane (once refreshed) you will see your newly created package.

Access account is fairly standard, don’t worry about these.

Now we have our package, we need to create a program (remember the diagram in the last blog?) The program is contained within the package.

The program is the .exe or .msi which is going to run.

Quickly skip over to to find out the command line switches..

Even though we have specified to hide alerts, sometimes (and some .exe’s) don’t have the suppress alerts option packaged with them. We can choose to make sure the program runs hidden

Once it’s run if it needs a restart what action would you like to take?

Fill out any additional details. (size/what clients it can run on/maximum run time)

Now we can choose when we want this to run

We have many additional options (again I’m leaving these as default). We don’t need to run a program first before installing. But we could have a package which for example removes a certain application before installing this application.

If you have a licence key associated with the software you can enter it in here.

If for example SCOM is monitoring the server or workstation you can choose to ignore alerts/disable alerts from SCOM whilst this is running.

Click OK and Finish

We now have a program

Next step is to “send” this program to the distribution point

As we only have the one server we can only select MRSCCM02

Click OK then Finish.

If you now browse to that hidden file share I mentioned earlier:

You will see a new folder (we only have one package so far)

Within this folder we have the adobe reader .exe

We now need to advertise this to our clients. Right click > New > Advertisement

Click browse to select the package

Select the collection you wish to deploy (advertise) to

We can specify when we wish to advertise this

We can choose either to schedule this or just to assign it as soon as possible

Do we wish to allow system restarts outside of maintenance windows? What should the program re-run policy be?

If you are over a slow link (to remote offices) you will want them to download from the distribution point, but in your head office you will want to “stream” the application (and by that I mean the client will simply run it from MRSCCM02 as opposed to downloading it locally).

Do we wish the user to interact at all?

We can leave the default security rights for now

Click OK and Finish

We now have our advertisement setup.

We can choose to re-run this advertisement or even disable the program (which will then try to remove it from clients)

Now we need to check to see how this deployment is getting on. Browse to System status

We can see the program has been installed on the distribution point successfully. (Note: the program hasn’t been installed, this just means the program is available and ready for installation to clients).

If we now click on advertisements, you will see the files haven’t actually been advertised out to clients yet (it can take some time).

Once it starts to advertise to clients you can right click > view messages and here we can see the status

We can now see both XP machines have received it and the program has been started

Checking the logs again shows it’s now running using the command line switch we specified

Now if we hadn’t chosen to hide the notifications this is the alert the user would see:

The user can then choose if they wish to have the software installed

Now I actually got bored of waiting for Adobe Reader to install, so I quickly published VLC player as I knew this was a small and easy install.

As you can see, I set to advertise every 5 minutes and install each time (hence why we have 18 installations….)

Viewing the XP machine we can now see on the desktop

Finally if we check the start menu, there’s our newly advertised program

There we have it. I’ll admit it’s been a fairly long blog this one but when you think about it, it’s not actually that difficult. Just remember the package must contain a program (the “WHAT”). You then need to define the schedule of the advertisement, and which collection it is being advertised to (the “WHEN” and “WHO”).

Microsoft System Center Configuration Manager 2007 – Software Distribution “Theory”

Let’s start with the basics – What is it?

Software distribution is a way of automating and in general making your life as a system admin easier. Do you really want to go round 100 client machines – USB Key in hand installing a new program? – I for one would rather click “deploy” and those 100 machines have the new software package deployed to them.

There are three main types – MSI, EXE and DIFF

This means any program you can run can be distributed!

As I’m sure many of you will have been involved with various installations over the years, MSI installation is generally the easiest. Especially if you deploy via GPO or logon script. Most MSI files have all the relevant switches included (switches include making the installation run silently – so the user doesn’t notice).

EXE files (Executable files) – tend to be more difficult mainly due to the fact some are almost legacy built which means they don’t include the various command line switches required to hide the installation from the user (or to not request a reboot after installation).

DIFF or difference are for those custom deployments. If you take a system state view before and after installation you can then see all those changes (reg key changes) etc which have been made during the installation. You will then package all those changes and deploy. You can see this is a more complex and usually the most difficult way of deploying packages.

The image below is a good reference point. I’ve tried to define the three main sections (Package which contains the program), the Advertisement and the Collection. (We will cover these later don’t worry). I’ve tried to make them as simple as possible – to try and break them down in to the below questions:

What – What package do I want to deploy?

When – When do I want to deploy the package?

Who – Who do I want to deploy the package to?

It’s the combination of these three items which make the change event – change event being new software installed.

An example using the above could be:

I want to deploy CuteFTP (what) during the day at 2PM (when) to only those machines with 2GB RAM running Windows Vista (who).

Below we can see a spectrum of the different packages.

MSI – most install switches are contained within. Don’t require user input and tend to be the easiest option.

EXE – may or may not have the relevant switches – BUT can be very limited.

DIFF – Multi step process – Series of reg keys to see which are copied and which are not. Overall a difficult method.

One website you will find come in VERY handy is

This website tends to have the most popular packages listed along with all their command line switches (for example VLC player).

Keep in mind, within SCCM 2007 – packages DON’T have to just be software installations. Packages can be anything…deployment of a reg key, deployment of files you name it you can do it.

The benefit over (say) GPO deployments is that you can keep track, and see via the SCCM console exactly which of the machines you’ve deployed to have received the package successfully and which have failed. This saves you having to go over and over, checking gpresult and trying to find out why it’s not installed for certain users/machines.

Microsoft System Center Configuration Manager 2007 – Reports & Dashboards

Well I hope you’ve got your SQL hats on, as we will be briefly looking at SQL queries in this blog, as well as reporting and reporting dashboards.

Before we go any further we need to install the reporting server component

Right click > New Roles

Select Next

We now want to select “reporting point”

Leave the default values as is (but make a note of the URL below)

Select Next, and then Finish

Now we can take a look at the reports which are installed by default. You will see there are around 330 pre-installed reports, covering pretty much every basic report you will need.

We are going to pick one (in this example number 239) software recently used

Right click > Run and it will ask you to select a computer. In this example I’ll use MRPCXP02

Select Display and you can see those executable files which have been most recently run

If you select the little arrow (before the computer name) it will open a new window where you can drill right down in to the computer and find out all sorts of information regarding the setup / hardware / software.

We will now create a new report to show us all those clients with Microsoft Word installed. Right click > New Report

Fill out a name and the category we will be using is Software – files.

Click “Edit SQL Statement”

This brings us to the SQL part of this blog. Now depending on how you are with programming languages/SQL language the SQL Statement may or may not make much sense to you.

Basically it’s saying in this report we will select ALL entries from the v_R_System table where the value Netbios_Name0=Computername

I’ll admit, it’s not easy to see what you are doing here, and what are all those V_ entries?

Well they are different views. Let me explain more. If we open up SQL Management Studio and drill down in to the database, we can see them: right click views > new view > and select the views tab

The view we will be dealing mostly with (and which most reports link to in some way) is the v_R_System view which contains all the system information for all those end points with agents on them.

Click Add.

We’ve now added the view to our workspace. (If you’ve used Access before this again may seem familiar.)

If we look through the System View we will find some common values we will want to use. In this example we will list the username and computer name

At the very top of the view you will notice the Resource ID column. This is a common column throughout the views, and allows us to link these views together to produce reports which query multiple views.

If we right click execute SQL query we will see the below output

Simply showing us the last logged on user to the clients. Fairly straight forward. Now let’s add another view to this.

Right click > add Table

Select the views tab again, and this time select v_GS_SoftwareFile

This is the view which has all the information regarding software file information

What we are now going to do is link the two ResourceID columns to create a link between the two tables

In the SQL output window you can see the SQL code is getting pretty complicated now

From the v_GS_SoftwareFile table select FileName, FileVersion and FilePath and in the filter for FileName enter: =winword.exe

If we execute the SQL statement now we see the below

It’s also given us the complex SQL code we require to produce this. Here’s where doing it this way (via SQL studio) helps make our lives a little easier. We can link tables, select the values we want then simply copy and paste the output in to SCCM.
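Written out by hand, the statement this procedure builds looks like the following. This is an added example, not the original post’s screenshot or Management Studio’s exact output: the view names and the Netbios_Name0, ResourceID, FileName, FileVersion and FilePath columns are the ones named in the post, while User_Name0 (the last logged on user column), the aliases and the second summary query are assumptions added here.

```sql
-- Added example (not from the original post): the report query built above,
-- written out by hand. The aliases (s, sf), the output column names and the
-- ORDER BY clauses are assumptions added for readability.

-- 1) One row per copy of winword.exe found by software inventory, with the
--    machine it was found on and that machine's last logged on user.
SELECT
    s.Netbios_Name0 AS ComputerName,
    s.User_Name0    AS LastLoggedOnUser,   -- assumed column for the username
    sf.FileName,
    sf.FileVersion,
    sf.FilePath
FROM v_R_System AS s
INNER JOIN v_GS_SoftwareFile AS sf
    ON sf.ResourceID = s.ResourceID        -- ResourceID links the two views
WHERE sf.FileName = 'winword.exe'
ORDER BY s.Netbios_Name0, sf.FilePath;

-- 2) The same join, summarised: how many distinct machines carry each
--    version of the file. Handy for spotting old copies that still need
--    an update before you build a collection to target them.
SELECT
    sf.FileVersion,
    COUNT(DISTINCT s.ResourceID) AS MachineCount
FROM v_R_System AS s
INNER JOIN v_GS_SoftwareFile AS sf
    ON sf.ResourceID = s.ResourceID
WHERE sf.FileName = 'winword.exe'
GROUP BY sf.FileVersion
ORDER BY sf.FileVersion;
```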

Paste the output in to the SQL Statement field, and we now have a working SQL statement (which we know will work) as opposed to trying to either:

  1. Type it out for ourselves
  2. Use SCCM to try and create the statement

We can specify how often we wish this report to update

If we wish to link this report to another report, or computer

In this example we will link this to computer details. Computer Name Column (simply means where you want that little arrow to be displayed) which opens up additional information for the client

Leave the security settings as is

Finally click finish to create the report

There we have it, our own report.

Right click > Run and you will see the report produces exactly what we want. Very handy if you are ever asked “can you show me all machines with XP or 512mb ram” etc..

Now remember I said to make a note of that URL when we installed the reporting component?

Well let’s browse to that URL:

You will see all the reports are available for users to run. This means you don’t need to give users access to the SCCM MMC in order to view reports. (Later on we will cover security/allowing certain groups access to certain reports)

The user can then find the newly created report and run it


Again click the little shortcut arrow to bring up additional details

That’s reports covered off, which is handy, but what about those situations where it would be nice to have say 4 reports open at once?

This is why we create a dashboard. Within the dashboard we can specify many reports to view allowing us easy access to view information at a single glance.

By default there are no dashboards, so let’s create one

Name the dashboard, you can also choose to limit the cell height if required

Select next, and this is where we will define what information is shown within the dashboard.

In this example I only really need two columns one will be displayed on the right one on the left. So change the value in Rows from 2 to 1

Click the first line and select the properties button (hand with a bit of paper under it)

Find the report you wish to use

Select the second entry and click properties to find the second report you wish to use

In this example I’m showing all XP systems with Word installed, as well as all clients’ operating systems and which service packs are installed

Click finish

We can now see our newly created dashboard

Let’s run the dashboard and see what’s displayed

As you can see, on the left we have which XP systems have word installed, and on the right all those clients which have an operating system installed and which service pack

Select the little arrow to view more information (I’ve clicked the arrow next to Microsoft Windows XP Professional). This shows us both MRPCXP02/03 have XP SP3 installed

And there we go, another section covered off. I think most people will find this useful and will certainly use reports and dashboards in their own environment mainly for time saving.

“I wonder which machines out there have 1GB ram”. Now all it takes is a few clicks and you know…

Microsoft System Center Configuration Manager 2007 – Queries & Query Based Collections

Why is this useful?

Well say you have 100 PCs in your environment. Some are XP, some are Vista, some have Office 2007, some Office 2003. If you want to deploy updates or software you may only want to target (for example) those Vista machines with Office 2007. Being able to use a query based collection means we can specifically target those machines.

Let’s start by taking a look at the built in queries.

You will notice each one of these queries matches up to an existing collection (as mentioned in the previous blog).

What we are going to do is create our own, to show us only those XP systems with Microsoft Word installed on them.

Firstly right click Queries and select new > query

I’ll name the query “All XP systems with Word Installed”.

For Object type select system resource and then select “Edit Query Statement”

We will be selecting a simple value so click select

From attribute class select “software files” and attribute select file name. Click OK to return to the above window

Now we are back on the new query page select “value”.

You will see there are already hundreds of file names populated from the inventories which have already been run against the systems. We need to find winword.exe from the list

Click OK to the above, and we now have a fairly simple criteria for the query. Select OK

Now we’ve created our new query, right click properties and from here we can see the query statement which gets run

If you are familiar with SQL (and the SQL language) then you will start to see similarities, as guess what…..the SCCM language is pretty similar to SQL.

Now let’s RUN the query we’ve just created and we should see the below.

Here we can see the only system with winword.exe on it is MRPCXP02.

This gives us a quick way to find out information, but what about if we want to deploy software to this machine? Well, this is where we have to use a query based collection.

What I’m going to do in this example, as we already have an XP collection, is simply create a “sub collection” or child collection contained within the All Windows XP Systems collection.

Right click > New > Collection

Name the new collection

On the next window select the little yellow cylinder icon, and here we find ourselves on the query rule page we have just looked at.

Fill out the information as we did previously, and select “limit to collection” (and make sure you select “All Windows XP Systems”)

Click OK to return to the new collection wizard, and we can now see there is a new membership rule.

Click Next and Finish

We’ve now created our first query based collection. If you refresh the view you will see within “All Windows XP Systems” we now have a new entry

If we go in to this new collection we can now see MRPCXP02. As we have saved this collection, when I show you software distribution in later blogs it will enable us to push software to just those machines which match this criteria.
