Apply monitors or rules to a specific group of machines

November 14, 2013


We want to apply a rule or monitor to only a specific group of machines. How do we do that ?

Seems like a common question, let’s try.

First some symantics :

What I remember :

Rules : can generate alerts, can be used for collection data sets, can be used for historical reporting.

Monitors : can be used to generate a “state” of a component, have 3 states ( ok, bad and warning ), can create an alert when a state changes.

Okay, nice now back to the question, how to exclude a group of machines from a specific monitor or rule ?

Step 1 : create a group containing the machines you want

Now modify the required monitors. In this case we only want to monitor the scheduled tasks on the ts Servers.

Disable the monitor for all classes.

Now create an override for the newly created group.

Now if we check the health explorer for a member of the group.

Now if we check for a non-member.

Okay , that’s wat we wanted.


Update Configuration Manager 2012 SP1 client with Cumulative Update 3

October 2, 2013

Hi all,

Today I’m going to talk about the Cumulative Update 3 of Configuration Manager 2012 SP1 and how to install the updated client to all Configuration Manager Clients. As you all might know this CU3 fixes some issues with Configuration Manager. For a detailed list, I recommend you to read the following Microsoft documentation:

First of all the CU3 should be installed on the primary site server.

The installation generates a couple of packages that should be appropriately deployed:

–          Package to update the console
–          Package to update the server
–          Package to update clients (x86)
–          Package to update clients (x64)

The focus today is on  the client update and how to get it installed throughout the environment.


We first have to look at the different deployment scenario’s:

–          Upgrade existing Configuration Manager Client (example for x86 clients)

1. Create a collection called All x86 Systems with client using the following query:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.SystemType = “x86-based PC”

This collection has a limiting collection called “All Systems with Client”, this collection was created previously

2. Deploy the x86 client update to the “All x86 Systems with Client” collection using a required deployment

The same can be done for x64 clients

–          Integrating CU3 client with Operating System Deployment

In previous versions of SCCM when a cumulative update was installed, the update was added to the client installation source. Which means that the original client package only needed an update distribution points to include the update + add an additional parameter to the Setup Windows & Configmgr step in the task sequence.

Now the update is stored elsewhere, so a new client package should be created which contains the original client installation source and the cumulative update (.msp file)

1. Create an empty folder in your datastore where packages, applications, etc. are stored (eg. \\[fileserver]\DSL\Microsoft\SCCM_Client\2012_CU3\ML\MSI)

2. Copy the content from the installation folder of SCCM (eg. D:\Program Files\Microsoft Configuration Manager\Client into the new folder

3. Create an extra folder. Eg. Patches

4. Copy the contents of the folder where the update was installed (eg. D:\Program Files\Microsoft Configuration Manager\hotfix\KB2882125\Client) into the Patches folder

5. Create a package in Configuration Manager with the newly created folder as source (\\[fileserver]\DSL\Microsoft\SCCM_Client\2012_CU3\ML\MSI), No need to create a program for this package.

6. Copy the package to the distribution points available within your environment

7. Edit the task sequence where you want to apply the updated version of the Configuration Manager Client. Edit the existing “Setup Windows & Configuration Manager “ step and point it to the newly created package

8 Fill in the following command line at the installation properties field:



This is for the x86 client Operating Systems being deployed, for the x64 operating systems this is the right command line:


From now on clients being deployed with the edited task sequence will receive the latest version of the Configuration Manager Client

For future updates, the same way of working can be used.

Hope this helps!



CM 2012 Wake on LAN – Right click tools

January 4, 2013


First of all our best wishes for the new year.

Today was my first day back after almost 2 weeks off and I immediately had something interesting at my customer.

They wanted to use the Wake On LAN feature of Configuration Manager 2012, that’s why I have installed the right click tools for the Configuration Manager 2012 Console. More information about the right click tools can be found here:

Installing the right click tools didn’t work because Configuration Manager 2012 is installed on the D: partition, so I manually copied all folders in the right place

After copying the right click tools new options are available for every computer. The option I’m interested in at the moment is Wake On LAN (marked in yellow on the following screenshot)


When this option is clicked a messagebox appears which states that sending the WakeUp to the specific computer succeeded, but if I look at the computer doesn’t wake up at all.


When using the Wake On LAN feature of Altiris Deployment Server for example the Wake On LAN did succeed. So I started to examine the differences between both. After using some network tracing tools like WireShark I saw that the Wake On LAN functionality provided by the right click tools for Configuration Manager 2012 did a broadcast to and the Wake On LAN from Altiris performed a broadcast to the broadcastaddress of the VLAN where the client was located (eg. After some more digging in I found out that the switches dropped all traffic with destination

So what I needed to do was editing the Wake On LAN functionality of the right click tools to make sure the VLAN broadcast address was targeted, now I will describe how I did that.

First I looked at the console extension XML to see what commandline was started when I clicked Wake On LAN from the Configuration Manager 2012 console. The XML is located in the installation directory of Configuration Manager: D:\Program Files\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions\ed9dee86-eadd-4ac8-82a1-7234a4646e62.

<ActionDescription Class=”Executable” DisplayName=”Wake On LAN” MnemonicDisplayName=”Wake On LAN” Description=”Send Wake on LAN signal to system”>






          <Parameters> “C:\Program Files\SCCMConsoleExtensions\SCCMAction.vbs” ##SUB:Name## W ##SUB:ResourceID## ##SUB:__Server## ##SUB:__Namespace##</Parameters>



The area marked in boldshows what script is started when Wake On LAN is clicked, so I’ve opened this script.

 Sub WakeOnLAN

    On Error Resume Next

     Set objSMSWMIService = GetObject(“winmgmts:{impersonationLevel=impersonate}!\\” & strSiteServer & “\” & strNameSpace)

    Set colMACAddress = objSMSWMIService.ExecQuery(“SELECT * FROM SMS_G_System_NETWORK_ADAPTER_CONFIGURATION WHERE ResourceID='” & strResourceID & “‘ AND IPAddress IS NOT NULL”)

    For Each instance in colMACAddress

        strMACAddress = instance.MACAddress

        strWOLAddress = (Replace(instance.MACAddress,”:”,””))

         WshShell.Run chr(34) & strCurrentPath & “WOL.exe” & chr(34) & ” ” & strWOLAddress,0

        strWOLSent = strWOLSent & vbCrLf & strMACAddress


     ResultMsg = MsgBox(“Wakeup sent to the following MACs for ” & strComputer & vbCrLf & strWOLSent,64,strVersion)


End Sub

It is clear that the WOL.exe is started with the parameter strWOLAddress (which is the Macaddress without colons (:)).

WOL.exe doesn’t support entering the VLAN broadcastaddress so I searched for another exe-file that was able to do that. I found an alternative mc-wol.exe which was able to handle the broadcastaddress. More information about mc-wol.exe:

First of all I copied mc-wol.exe to the folder C:\Program Files\SCCMConsoleExtensions where all the rest of the scripts, exe-files,… are located. This will make sure the new exe can be used from the Configuration Manager console.

Next thing to do was getting the subnet from the specific resource from Configuration Manager. That was rather easy because the Wake On LAN sub in SCCMAction.vbs contains the functionality to retrieve information from Configuration Manager. Just adding the intelligence to retrieve the IP address did the trick. Afterwards splitting the IP address and replacing the last part with 255 (eg. IP: –>

Final thing to do is building up the new commandline using mc-wol.exe instead of the default wol.exe.


Sub WakeOnLAN

    On Error Resume Next

     Set objSMSWMIService = GetObject(“winmgmts:{impersonationLevel=impersonate}!\\” & strSiteServer & “\” & strNameSpace)

    Set colMACAddress = objSMSWMIService.ExecQuery(“SELECT * FROM SMS_G_System_NETWORK_ADAPTER_CONFIGURATION WHERE ResourceID='” & strResourceID & “‘ AND IPAddress IS NOT NULL”)

    For Each instance in colMACAddress

        strMACAddress = instance.MACAddress

strIPAddress = instance.IPAddress(0)

strIPSplit = split (strIPAddress,”.”)

strIP = strIPSplit(0) & “.” & strIPSplit(1) & “.” & strIPSplit(2) & “.255”

       WshShell.Run chr(34) & strCurrentPath & “mc-wol.exe” & chr(34) & ” ” & strMACAddress & ” /a ” & strIP

        strWOLSent = strWOLSent & vbCrLf & strMACAddress


     ResultMsg = MsgBox(“Wakeup sent to the following MACs for ” & strComputer & vbCrLf & strWOLSent,64,strVersion)


End Sub


Save the new SCCMAction.vbs and try again.

Now the VLAN broadcast address will be targeted and the computer will be able to perform Wake On LAN.

Hope this helps.



CM2012 Role Based Administration: Computer Import Manager

October 25, 2012

Hi there,

At a customer where I went a few weeks ago there was a need of an extra Configuration Manager 2012 role which only had the rights to import computers. It struck me that there was no default role provided which provided the necessary rights.

This security role would then be assigned to someone who would import the computers to run OSD.

This is the way I’ve done it.

– First of all I imported the Computer Import Manager role under the form of an .XML file which can be found here. The .XML file can be downloaded at the bottom of that webpage.

– The default behavior of this role is to only allow computer import in the All Systems collection. If the OSD task sequences are targeted to other collections then the All Systems collections this behavior should be extended so the user is able to import computer to other collections. This is done by editing the newly created security role and under Collection add the Modify resource right like shown below. Click Apply and OK.

– When the console is now opened with a user that has this Computer Import Manager role associated, the console looks as follows:

When the same role also needs the rights to delete computers from collection , just add the additional right: Collection –> Delete Resources in the same way the previous rights were added.

After all modifications I’ve exported the Computer Import Manager security role so I can just reuse it at other customers when needed.

Hope this helps.



Authenticate SCOM console on a proxy

September 27, 2012

When going to client environments I often face this issue: internet access is only possible when authenticating against a proxy. Now, this is especially a problem when you want to be able to download management packs using the SCOM console, or at least check whether you are up-to-date.

Following a hint of my collegue Thomas Vuylsteke (see his excellent blog at, I quickly found the “proxy configuration” page on MSDN, stating that it is possible to configure proxy utilization in the .exe.config file:

This is actually a quick fix:

On SCOM 2012, open C:\Program Files\System Center 2012\Operations Manager\Console\Microsoft.EnterpriseManagement.Monitoring.Console.exe.config

Add the following code:

<defaultProxy enabled="true" useDefaultCredentials="true">
<proxy usesystemdefault="True" />

The bottom of your config-file should look like this:

En now it is possible to use the online catalog!

A quick fix for a nasty issue! I didn’t test it yet for the SCOM 2007 R2 console, but I’m pretty sure it will also work for that version.

UPDATE: apparently, the quotes didn’t pass very well in this blog post. I updated it so now you should be able to copy-paste the code.

UPDATE2: I confirmed that this works with non-MS proxy servers.

Import computers in ConfigMgr database

September 24, 2012

Hi there,

This is a script that we’ve developed to easily import computers in the SCCM database. The script can be run from any device that is able to launch the underlying WMI queries at the SCCM 2007 / Configuration Manager 2012 server.

In a GUI the user can input all the information that is needed to import a computer.

You can clearly see the site code at the top of the GUI. The script also lists all available collections that are present in SCCM. The user can choose from these collections to add a computer.

Now the computername and MAC-address can be entered. Also the collection where the computer must be imported can be selected (by default the computer will only be imported into the All Systems collection). After entering all the information the Import button must be pushed and then you should see output similar like this.

You can see that the computer is successfully imported in the Deploy Windows 7 ENT x64 collection.

You can also import a computer with a computer variable, so the computer is immediately ready for deployment depending on this variable. Just fill in the name of the variable and the value. Be sure to doublecheck the spelling of the name and value because otherwise additional editing will be needed afterwards.

On this screenshot you can see that the computer (TESTPC_002) is imported in the Deploy Windows 7 ENT x86 collection with a computer variable DEPARTMENT with value IT. This can be checked afterwards in the SCCM console.

If you have an opinion about this script or you have questions about how we made it, feel free to put a comment here.

For code samples you can also place a comment



PS: We are working on a script that imports the computer both in the ConfigMgr database and the MDT database (with selection of appropriate roles). This is quite handy in a situation where the MDT integration (with database) has been setup. More news on that later.

Error when uninstalling a SCOM agent

September 14, 2012

Several customers of mine have come across SCOM agents that cannot be uninstalled. This can be triggered by uninstalling an agent manually or when you want to upgrade the agent to 2012. This can occur with SCOM 2007 RTM, SP1 or R2 agents. I haven’t come across this issue on SCOM 2012 yet, but you never know!

In this case, I wanted to uninstall an agent using add/remove programs:

When trying to uninstall the agent, I stumbled across the following issue:

The patch package could not be opened. Verify that the patch package exists and that you can access it, or contact the application vendor to verify this is a valid Windows Installer patch package.

 What does this mean? You probably installed some agent patch on this server, may this be a seperate KB or a cumulative update. The problem is, when uninstalling the agent, the uninstaller looks where the install files for this cumulative update are located. To find out which patch was installed, open the registry editor regedit.exe.

If it is a SCOM 2007 pre-R2 agent, go to HKEY_CLASSES_ROOT\Installer\Products\C9A0067E2876122489E4BA987C08CDD2\Patches

If it is a SCOM 2007 R2 agent, go to: HKEY_CLASSES_ROOT\Installer\Products\7779052F1B26F94BAD9C107B86962A2\Patches

If it is a SCOM 2012 agent, go to: HKEY_CLASSES_ROOT\Installer\Products\9D603783EC87E0E49B25825AC08C3BEE\Patches

(thanks for pointing out the location for SCOM 2012!)

Open the Multi-String Patches. In my case, I saw the following 3 lines:

By removing the contents of this REG_MULTI_SZ:

I was able to uninstall the agent. Problem solved!

[EDIT 11-October-2012]I just discovered that Microsoft released a KB for this issue!