Let’s say we want to advertise an update to Adobe Reader only to clients with outdated versions (anything older than 10.0.1).
- Create a new collection.
- Edit the membership rules.
- Click on Edit Query Statement.
- At the bottom press “Show Query Language”.
- Paste the following:
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Adobe Reader %" and SMS_G_System_ADD_REMOVE_PROGRAMS.Version != "10.0.1"
Make edits to match the DisplayName and Version according to the results you want.
You’re good to go.
You may get the following error message when trying to generate reports:
“The page you are requesting cannot be served because of the extension configuration. If the page is a script, add a handler. If the file should be downloaded, add a MIME map.”
To solve that, add the ASP Role Service to IIS in addition to ASP.net.
After installing SCCM I noticed that IIS was not populated with the different websites needed to run ConfigMgr properly.
I took me hours to figure out until I found the ConfigMgr Toolkit
. Run the MP Troubleshooter, it will solve the issues.
Of course MS could fix that easily but that must be too much to ask for.
Deployment guru Johan Arwidmark has a pretty interesting article about adding a boot menu to WDS. But it’s about Windows Server 2008 R2. If, like me, you need info about Windows Server 2008, follow his step-by-step until step 7.
- At step 7, open the Windows Deployment Services console, right click on your server, then click on Properties.
- Go to the Boot tab.
- Change the boot images to the following:
- Go back to Johan’s step 8.
I came across a couple of issue while test-driving Sophos Antivirus Enterprise.
Here are the correct steps to deploy Sophos to Windows machines (XP, Vista and 7):
- Create a GPO named Disable UAC with the following settings and apply it to your hosts (Computer Configuration):
Computer Configuration (Enabled)/Policies/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control/Policy Setting
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Elevate without prompting
User Account Control: Detect application installations and prompt for elevation Disabled
User Account Control: Run all administrators in Admin Approval Mode Disabled
- Create a GPO named Remote Registry Service with the following settings and apply it to your hosts (Computer Configuration):
Computer Configuration (Enabled)PoliciesWindows SettingsSecurity SettingsSystem ServicesRemote Registry (Startup Mode: Automatic)
Allow NT AUTHORITY\Authenticated Users Read
Allow NT AUTHORITY\Authenticated Users Start, Stop, Pause and continue
Allow CONTOSO\Domain Admins Full Control
Allow CONTOSO\Domain Users Read
Allow CONTOSO\Domain Users Start, Stop, Pause and continue
- Create a GPO named Sophos Firewall Exceptions with the following settings and apply it to your hosts (Computer Configuration):
Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile
Windows Firewall: Allow inbound file and printer sharing exception Enabled
Windows Firewall: Allow inbound remote administration exception Enabled
Windows Firewall: Define inbound port exceptions Enabled
Define port exceptions:
Windows Firewall: Define inbound program exceptions Enabled
Define program exceptions:
- Run the following command in your logon script: “netsh firewall set service type=FILEANDPRINT mode=ENABLE”
You should now be able to deploy Sophos Antivirus seamlessly.
There is an interesting article at TechRepublic about GNZ or Global Name Zones in Windows Server 2008.
For the record, in the Windows Support Tools, you can find the browstat.exe utility (browstat status from a command line) that allows you to check which computer is the Master Browser and then to troubleshoot that mess that is slowing down your LAN.