SCCM 2012 SP1 CU1

Cumulative Update 1 is now available from Microsoft, and it fixes, amongst other things, the obnoxious problem with the MicrosoftPolicyPlatformSetup.msi file that prevents client installs from working out of the box.

Luckily, the install is quite simple. After you download the hotfix, extract it, then launch the executable.

During the setup, SMS services will shut down and be unavailable, so be sure to schedule an outage if your company policy dictates it. The whole process only takes about 5 to 10 minutes.

These packages, which we selected during the installation, are automatically created for you, with programs ready for deployment.

Deploying the updates


After verifying the update is successful, and testing each of the packages, you’re ready to roll it out to your environment.

To do that, I’ve created 3 collections, and then just set mandatory advertisements to each of them.  I turned off client notifications and set the program to “rerun if failed previous attempt”.  From that point, it was mostly just monitoring.

Here are the collections, ready for import into your environment.



Java as an Application in SCCM 2012

The new application model in SCCM 2012 quickly became one of my favorite features, and has remained so across every deployment I work on. With its comparatively advanced deployment and detection methods, it is extremely useful for applications of all sorts, even those that require frequent updates.
In SCCM 2007, every time a new version of Java or Adobe Reader came out, you’d have to create a new package and advertisement, and then turn around and update all of your task sequences. This was tedious at best. Sure, there are tools like SCUG that can help with this, but they are not always available to all organizations, and they have their own problems and limitations.
By making use of the new application model, administrators can much more easily keep up on these updates.

Source Files:

Begin by downloading the bits:

The 64-bit version is for 64-bit browsers. So you’ll probably still need the 32-bit version for 64-bit Windows.

Get the MSI:

Launch the executable. Once the splash screen appears, the files have been extracted. For the 32-bit version, navigate to


and for the 64-bit version to


Copy the files to your source location for SCCM packages.

Make the transform:
Next, use Orca to edit any custom settings you need. Some of the most common ones can be found under the Property table. In this example, I’ve changed AUTOUPDATECHECK, JAVAUPDATE, and JU all to 0 to prevent any kind of updating. I’ll also change IEEXPLORER and MOZILLA to 1 to enable Java in browsers.

You may have other changes to make, such as a custom install location; all of those kinds of changes can be made in a transform with Orca. Once finished, I save the custom transform in the application source directory and create the application in SCCM.


Deployment Type:

Be sure to edit the installation method to include your new custom transform file:

msiexec /i "jre1.7.0_17.msi" TRANSFORMS=custom.mst /q

Now, you can set this application to supersede the previous version of Java you are using. Or, if this is the first version of Java you’re placing into SCCM, then you can use this method to keep your Java clients up to date. When a new version comes out, build it this way and have it supersede the old version. You’re now on your way to automating that much more of your environment.
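Before the transform goes into the deployment type, it is worth confirming that it actually sets the properties described above. The following PowerShell is an added example (not code from the original post): it opens the MSI with the transform applied, reads the Property table, compares the five properties against the intended values, and prints the ProductCode the detection method should key on. The file paths are assumptions.

```powershell
# Added example, not from the original post: open the Java MSI with the custom transform
# applied and report the Property table values the post changes, so the .mst can be
# verified before it goes into the deployment type. Paths are assumptions.
$MsiPath = 'C:\Sources\Java\jre1.7.0_17.msi'
$MstPath = 'C:\Sources\Java\custom.mst'

# The WindowsInstaller.Installer COM object exposes no type library PowerShell can bind
# to directly, so its members are called through InvokeMember.
function Invoke-Com($obj, $name, $kind, $arguments) {
    $obj.GetType().InvokeMember($name, $kind, $null, $obj, $arguments)
}

function Get-MsiProperties {
    param([string]$Msi, [string]$Mst)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($Msi, 0)   # 0 = read-only
    if ($Mst) {
        # Error-condition mask 0 suppresses nothing, so a transform built for a different MSI throws.
        Invoke-Com $db 'ApplyTransform' 'InvokeMethod' @($Mst, 0) | Out-Null
    }
    $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @('SELECT `Property`, `Value` FROM `Property`')
    Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null
    $props = @{}
    while ($true) {
        $rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null
        if (-not $rec) { break }
        $props[(Invoke-Com $rec 'StringData' 'GetProperty' @(1))] = Invoke-Com $rec 'StringData' 'GetProperty' @(2)
    }
    Invoke-Com $view 'Close' 'InvokeMethod' $null | Out-Null
    return $props
}

# Values the post sets in the transform: updates off, browser plug-ins on.
$expected = @{ AUTOUPDATECHECK = '0'; JAVAUPDATE = '0'; JU = '0'; IEEXPLORER = '1'; MOZILLA = '1' }
$props = Get-MsiProperties -Msi $MsiPath -Mst $MstPath
foreach ($key in $expected.Keys) {
    $state = if ($props[$key] -eq $expected[$key]) { 'OK' } else { 'MISMATCH' }
    '{0,-16} expected {1}  actual {2}  {3}' -f $key, $expected[$key], $props[$key], $state
}
# The ProductCode is what the deployment type's detection method should key on.
'ProductCode for detection method: ' + $props['ProductCode']
```

Run it on the source share after saving the transform in Orca; a MISMATCH line means the transform changed a different row than intended.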

You may also want to look into removing old versions of Java if you’re trying to get old versions out of your environment.


Uninstalling Java Versions

Need to uninstall Java on a series of machines? Either because you need to do a fresh install, or because updates are failing? Or maybe your client is a public school system that has a mandate to remove all JRE 6 versions because of security issues? …yeah, that’s the one.

Remove JRE 6

rem In a batch file, %% is the escape for a literal % wildcard; at an interactive prompt use a single %
wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive

That’s the script that went into my package that I recently finished running on about 15,000 systems or so.  If you’d like to remove them all, you can do that too.

Remove all Java

wmic product where "name like 'Java%'" call uninstall /nointeractive 
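The same removal can be driven from the registry instead of Win32_Product. Enumerating Win32_Product (which is what wmic product queries) makes Windows Installer run a consistency check on every installed MSI, which is slow on a large estate, whereas the Uninstall keys are read instantly and give the ProductCode that msiexec needs. This PowerShell is an added example, not the script from the original package; the default pattern targets JRE 6 like the post, and -Pattern 'Java*' removes every Java entry.

```powershell
# Added example, not from the original post: find installed Java runtimes in the MSI
# Uninstall keys (both native and Wow6432Node hives) and remove them by ProductCode.
function Get-InstalledJava {
    param([string]$Pattern = 'Java(TM) 6*')   # 'Java*' to match every Java entry
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Only MSI-based entries have a GUID key name; those are the ones msiexec /x can remove.
            if ($p.DisplayName -like $Pattern -and $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
                [pscustomobject]@{
                    DisplayName = $p.DisplayName
                    Version     = $p.DisplayVersion
                    ProductCode = $_.PSChildName
                }
            }
        }
    }
}

function Remove-InstalledJava {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Pattern = 'Java(TM) 6*')
    foreach ($java in Get-InstalledJava -Pattern $Pattern) {
        if ($PSCmdlet.ShouldProcess($java.DisplayName, 'msiexec /x')) {
            $proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
                -ArgumentList "/x $($java.ProductCode) /qn /norestart"
            # Exit 0 = removed; 3010 = removed, reboot pending (report it, do not treat as failure)
            '{0} {1} -> exit {2}' -f $java.DisplayName, $java.Version, $proc.ExitCode
        }
    }
}

# Preview what would be removed, then run without -WhatIf from the package's install program.
Remove-InstalledJava -WhatIf
```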

Setting up a SPN for SQL

Kerberos authentication uses an identifier called the “Service Principal Name”, or SPN. Basically, the SPN acts as a domain- or forest-unique identifier of some instance of a server resource. There can be an SPN for a web service, for a SQL service, or for an SMTP service. There can also be multiple web service instances on the same physical computer, each with its own unique SPN.

This becomes abundantly clear at almost every client I install SCCM for. Most DBAs seem to stick with the well-established best practice of running the SQL services under separate domain accounts, and rightly so. And most companies seem to want to grant service accounts the least privileges needed: another best practice indeed. As a result, the SPN can fail to be created for the SQL instance for ConfigMan:


Why does this happen? By default, if you run the SQL Server service under the LocalSystem account, the SPN is automatically registered and Kerberos authentication interacts successfully with the computer that is running SQL Server. However, if you run the SQL Server service under a domain account or under a local account, the attempt to create the SPN usually fails, because the domain or local account does not have the rights to set its own SPNs. When the SPN creation is not successful, it can prevent you from using Kerberos authentication when connecting to the SQL Server instance. If this were done with a domain administrator account as the SQL Server service account, the SPN would be successfully created, because the domain administrator-level credentials that you must have to create an SPN are present.

Most people will opt not to use a domain administrator account to run the SQL Server service and therefore, you must manually create an SPN for your computer that is running SQL Server if you want to use Kerberos authentication when you connect to it.  The SPN you create must be assigned to the service account of the SQL Server service on that particular computer.  The SPN cannot be assigned to the computer container unless the computer that is running SQL Server starts with the local system account.  There must be one and only one SPN, and it must be assigned to the appropriate container.  Typically, this is the current SQL Server service account.

To configure the SQL Server service to create SPNs dynamically, follow these steps:
1. Click Start, click Run, type Adsiedit.msc, and then click OK.

2. In the ADSI Edit snap-in, expand Domain [DomainName], expand DC=RootDomainName, expand CN=Users, right-click CN=AccountName, and then click Properties.

3. In the CN=AccountName Properties dialog box, click the Security tab.

4. On the Security tab, click Advanced.

5. In the Advanced Security Settings dialog box, make sure that SELF is listed under Permission entries. If SELF is not listed, click Add, and then add SELF.

6. Under Permission entries, click SELF, and then click Edit. 

7. In the Permission Entry dialog box, click the Properties tab.

8. On the Properties tab, click This object only in the Apply onto list, and then make sure that the check boxes for the following permissions are selected under Permissions:
Read servicePrincipalName
Write servicePrincipalName

9. Click OK three times, and then exit the ADSI Edit snap-in.

To create an SPN from the command line:

1. Open a Command Prompt or PowerShell from an account with Domain Admin privileges.

2. Type

setspn -A MSSQLSvc/server:instance domain\account

3. After the command completes, type

setspn -Q MSSQLSvc/server:instance

to verify the SPN is successfully created and present.
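The “one and only one SPN” requirement above is the part that usually goes wrong: an SPN that is missing, held by the wrong account, or duplicated across two accounts all make Kerberos fail and clients silently fall back to NTLM. The following PowerShell is an added example, not part of the original post: it builds the MSSQLSvc SPNs for an instance and queries Active Directory for which accounts hold each one. The host name, instance, port and service account are assumptions.

```powershell
# Added example, not from the original post: check which AD accounts hold the SPNs a
# SQL instance needs, flagging missing, wrong-account and duplicate registrations.
function Get-SqlSpnStatus {
    param(
        [string]$ServerFqdn     = 'sqlserver01.corp.example.com',   # assumption
        [string]$Instance       = 'MSSQLSERVER',                    # MSSQLSERVER = default instance
        [int]   $Port           = 1433,                             # TCP port the instance listens on
        [string]$ServiceAccount = 'svc_sql'                         # sAMAccountName SQL runs as
    )
    # SQL registers host:port; a named instance additionally registers host:instancename.
    $spns = @("MSSQLSvc/${ServerFqdn}:$Port")
    if ($Instance -ne 'MSSQLSERVER') { $spns += "MSSQLSvc/${ServerFqdn}:$Instance" }

    foreach ($spn in $spns) {
        # Search the whole default naming context for any object holding this exact SPN.
        $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
        $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
        $holders = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
        $status = switch ($holders.Count) {
            0       { 'MISSING - register with setspn -S (checks for duplicates before adding)' }
            1       { if ($holders[0] -ieq $ServiceAccount) { 'OK' } else { "WRONG ACCOUNT ($($holders[0]))" } }
            default { "DUPLICATE on $($holders -join ', ') - Kerberos will fail until one is removed" }
        }
        [pscustomobject]@{ SPN = $spn; Holders = ($holders -join ','); Status = $status }
    }
}

Get-SqlSpnStatus | Format-Table -AutoSize
```

Run it as any domain user after registering the SPN; the DUPLICATE case is the one setspn -Q alone does not surface, because it stops at the first match.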

A Runbook to Update the Review Activity of a Service Request

Lately, I’ve been working in Service Manager a lot. One of the shortcomings of the product is that the self-service portal is just that: self-service. My current client wants to have the ability for an administrative assistant to put in a request for new hardware or software on behalf of their boss. Sounds simple enough. But additionally, the admin person should remain the affected user so that they can see the progress of the ticket and follow up if there are any hangups. So, obviously, the review activity can’t simply go to the affected user’s line manager :-/

I wasn’t able to easily find anything that performed this task perfectly, so I created a request offering where a user selects another user from a query list of users, and that person is put in as an affected configuration item. The runbook then adjusts the review activity to be for the selected user’s manager. Here’s what I came up with:


We start out in the typical way by getting the Guid from the service request and dumping it into a variable.


Next, we’ll have to get the actual service request, and any associated information with it.


The next step will get the relationship between the user in the service request, and their active directory account.  The object Guid field is set to the SC Object Guid from the previous step, “Get Service Request.”


Now that the get relationship step has grabbed all the users, we need to exclude all of the users that are not the user that gets selected in the request offering.

For the link between the get relationship task and the get user task, set the exclude filter to exclude anything with the “Assigned To User”, “Affected User”, and “Created By User” relationship class.

The next Get Object task gets the actual user that was selected and all the associated information.


The next step will get the user and all info from AD.


The next activity is slightly out of order: we need to get the info for the particular review activity, so we’ll do that here. Use a get relationship step to get the related review activity from the previous get object step that got the full service request.


This next step gets the actual review activity to be updated.


Now, we’ll align the manager of the AD user with its equivalent SCSM object.


Since the manager needs to be input as a reviewer, we’ll create it as a related object here.


Now that the manager is created as a related object, the relationship can be defined and the manager inserted as a reviewer.


Lastly, we update the title of the review activity so that someone looking at it can know what they’re approving.

The runbook is now complete and ready to be called by Service Manager.  Once you’ve performed a sync and the runbook shows up, make a template for it, and insert it into your service request template.

RBA template

In the RBA template, make sure the object ID is selected to be passed to Orchestrator.


Insert the RBA into the activities of the Service Request template.

When building the Request Offering, be sure to use the query list for selecting the user.  If you have this as a string that the user types in, it will not work, as you cannot attach a string as an affected configuration item:


Add the user as an affected configuration item, so that the runbook is able to parse it properly.

Publish your RO and you are ready to test.  You’ll notice that the requesting user will remain the affected user, but the reviewer will be the manager of the person you are requesting it for.  You’ll also notice that the review activity is updated with the name of the person you selected in the request offering.