Follow SolarWinds:

Top 10 Diagnostics Tips for Client Troubleshooting with SCCM Matthew Hudson, SCCM MVP

Follow SolarWinds:

Table of Contents Introduction............................................................................................................................................6

How to Telnet to the Ports.....................................................................................................................7

Using Policy Spy and Client Spy …………............................................................................................ 8

WMI Errors Resolved………………………………………………..........................................................10

Key Error Codes Defined……………………........................................................................................12

Using Logs for Troubleshooting – How and Where to Find Relevant Data…......................................13

Top 5 Patch Downloading Issues Resolved.........................................................................................15

WMI from Primary to Machine to Ensure Connection..........................................................................19

Certificate Errors Resolved …..............................................................................................................21

Signature Verification Failure...............................................................................................................23

SolarWinds Patch Manager gives you the ability to patch 3rd party applications using Microsoft WSUS and SCCM…automatically receive ready-to-deploy patches. Learn More » Try It FREE »

Follow SolarWinds: 6

Introduction Ever hear “My client won’t register!”? If so, this whitepaper will help you quickly fix SCCM issues and get those users off your back. This paper reviews the TOP 10 SCCM troubleshooting tips:

1. How to telnet to the ports 2. Using Policy Spy and Client Spy 3. WMI errors resolved 4. Key error codes defined 5. Using logs for troubleshooting, how and where to find relevant data 6. Top 5 patch downloading issues resolved 7. WMI from primary to machine to ensure connection 8. Certificate errors resolved 9. Signature verification failure 10. How to use SCCM "right click" tools

About the Author: Matthew Hudson Matthew has worked in the IT industry for over 20 years with greater than 13 years in higher education and recent experience in the private sector. As an SCCM MVP, Matthew has presented, and contributed on the topic Configuration Manager. You can read more of Matthew’s work on the following sites: SCCM Blog: http://sms-hints-tricks.blogspot.com/ SCCM Tools Website: http://www.sccm-tools.com

Follow SolarWinds: 7

#1 How to Telnet to the ports? Most of us oftentimes get into issues when the client just won’t register, and this is a fairly

common problem. When this is the case, the first thing you need to do is test the ports using a

Telnet client. Because management and software update points are all utilizing a port that’s

watching or looking, including network load balancers, you can use Microsoft Telnet tool to

connect to that port. You can also use a third-party Telnet tool to connect to the port.

Test ports using Telnet client:

• Management points

• WSUS/Software update points

• Network Load Balancer

• Distribution Points

The illustration below shows how a port is tested using Microsoft Telnet session.

Command: telnet SCCM-MP 443

where

• SCCM-MP is the Management Point

• 443 is the port number

In this particular case, the Telnet fails to connect to the port, and throws an error message.

From here you know that either there’s a problem on the client, maybe it’s a firewall, or a

problem between the firewall and the MP, or possibly a problem on the server side. Below is

illustrated using the Microsoft Telnet client from a Windows 7 workstation.

In the event that the connection is successful the box will become blank. To exit you will use Ctrl ] to view the telnet prompts

Type quit [Enter] and you will be returned to the standard command prompt.

Live Webcast: SCCM 2012 Insider’s

Look Hierarchy Simplification

June 20th, 2012,

1pm CST

REGISTER NOW »

Follow SolarWinds: 8

#2 Using Policy Spy and Client Spy Policy Spy is one of Microsoft’s free applications within the Configuration Manager console

that allows you to get visibility into what’s inside WMI. As WMI is highly critical to SCCM,

everything is pretty much stored there. If something is wrong with WMI such as inventory not

sending correctly, or advertisements are running over and over again, Policy Spy allows you to

go in and have a look at things within WMI, allowing you to easily troubleshoot by knowing

what’s what.

Client Spy is also a free Microsoft application that is available within the Configuration

Manager console. This application helps you look at problems in your client. Here you can look

at software distribution that is pending; packages that are there or no longer available; and you

can also view your software updates. When a software update is downloaded, you will see

those updates directly in the console.

Follow SolarWinds: 9

Both tools along with several other tools is available from the System Center Configuration Manager Toolkit V2: http://www.microsoft.com/en-us/download/details.aspx?id=9257

Follow SolarWinds: 10

#3 WMI Errors Resolved Most WMI errors can be resolved by repairing WMI. In Windows XP, you can run the

command line which will quickly visualize WMI. In XP there is only one copy of the WMI

repository, whereas in Windows 7, Vista or 2008, there is dual copy of the repository. As a

result, a repair is not normally needed for Windows 7. If anything goes wrong, you can look

back and forth, compare, and correct.

I the case there is a major problem and a repair is required, you may need to reinstall DLLs

and re-register them, and lastly, remove the repository. To do this, you must go into the

Services windows within the Configuration Manager Console, and stop the Windows Manual

Instrumentation Service.

This will prompt you to choose to stop your firewall, SCCM and the SMS Agent Host which can

be stopped before or after. You can simply run the repair from the command prompt for your

XP, you would enter

Follow SolarWinds: 11

Have this run, and within 3 to 4 minutes, your WMI should start back up, and, in case, if it

doesn’t start automatically you need to restart the machine and try it again.

In the case of Windows XP you must stop WMI before removing the repository. For Windows

7 to remove the repository you must use the winmgmt /resetrepository.

Note: This is a destructive action to WMI. The WMI repository will attempt to rebuild itself.

Some applications might not recompile their MOF. If this occurs it could cause problems with

the application. Always validate on test machine before performing it on a production machine.

Follow SolarWinds: 12

#4 Key Error Codes Defined If you have an error message, and you are trying to determine what it means, don’t go to

Google, Microsoft Forums, MyITForum or other forums, because the error will mean different

things in different applications – Outlook, Exchange, etc. Instead, visit the Custom Error

Website for Microsoft and look down the list.

Microsoft Custom Error Website

You can also use Trace32 which includes an error lookup. Simply type in the error code and

get the error definition.

Trace 32 is located in the Configuration Manager toolkit along with Policy Spy and Client Spy.

Follow SolarWinds: 13

#5 Using Logs for Troubleshooting – How and where to find relevant data

Whenever we opt to troubleshoot a certain error or condition, we always want to look for data

on what happened, where and how. Standard Windows logs can be accessed to obtain this

information; they include:

LocationServices.log

This shows information on:

Download Location: all the distributed sites you can talk to

AD Site: Determine if your machine is on the correct AD site

Certificate Information: if in native mode, you can download site signed certifications from the

management points or from the site server.

ClientIDManagerStartup.log

Use this log when faced with the situation where

o the system is installed and it’s not registering

o the client is in the console but you can’t manage it

In this registration log, you’ll find errors like ‘Unable to Contact Management Points’ that could

be caused by a certificate error or possibly a port block or you could problems in the registry,

or you might even see WMI errors – for example, unable to open a certain name space.

smscliui.log

SMS Client User Interface

Actions performed in the Run Advertised Programs will show here. If your Run Advertised

Programs is blank open this log to determine if information is received. It will also show you if

manually policy refreshed and other actions are kicked off.

Software update logs

o ScanAgent.log: Pertains to all scanning information, and information on missing

patches, and WSUS

o UpdatesDeploymenet.log: Pertains to download information of updates whether

they are downloading correctly, and from where

Follow SolarWinds: 14

o UpdatesHandler.log and UpdatesStore.log: these logs show compliance

information

o WUAHandler.log: As Windows Updates Agent is being used for software

updates, information on WUD can be seen here

o WindowsUpdate.log: If the Windows Update Agent can’t scan correctly, and if it

has problem detecting something, it will sometimes refer you to WindowsUpdate

log. Even though you are using SCCM to scan and patch, you need to go ahead

and check this log.

Follow SolarWinds: 15

#6 Top 5 Patch Downloading Issues Resolved

i. Bits Downloading Issues

Did you ever get a call from the network team saying, “Hey, we have a machine or group of

machines pulling down a lot of bandwidth”? What do you do?

First, look at the ClientTransferManager log. Here you can find what is downloading and from

which location. Here you will see a log that says the file is downloading from a file location.

This is an indication that this server is not pulling from the correct location. Pulling over

445/SMB via a File location could cause network congestion.

To troubleshoot, go into the command prompt and run Bits Admin, and this will return an ID

that would match the ID that you find up in your log. This will let you know if there’s a Job

error, provide the job number, and will provide how much is being transferred. With this

information, determine if there is a problem and possibly fix the server or turn it over to the

infrastructure group for them to fix. This allows you at least to begin the troubleshooting of

something that’s not downloading correctly.

Follow SolarWinds: 16

ii. Windows Update Agent Issues

Windows Update Agents will need to be updated manually unless you have an automated tool

to do this. To determine what WUA is on your machine, there are two reports that you can

look at:

o Scan 1 – Last scan states by collection

o Scan 2 – Last scan states by site

Though these reports may give you the WUA version, the version will differ depending on

whether you are running Win 7 or Win 7 Service Pack 1. As a result, you need to keep track

of what OS version you are running. If the WUA version is blank on the report, there’s a

problem on the machine such as the Windows Agent is not running. The latest version for a

given OS can be found here: http://support.microsoft.com/kb/949104. A SQL query to

determine the WUA version can be found here from Microsoft: http://technet.microsoft.com/en-

us/library/bb680319.aspx

To troubleshoot:

o Windows XP: To fix the problem with Windows XP, you can go to the Windows

updates webpage and find out there’s a new version of Windows update. When

you are starting the scanning process to download the update, if there’s a

problem with scanning, then, it may mean there’s possibly a problem with

Windows update service, and that’s the same process SCCM is going to use.

o Windows 7: With Windows 7, the Troubleshooter will pop up, if there is a

problem and it will go through the process of reloading the DLLs and

troubleshooting the issue. Windows 7 can help along with this.

The recommended approach is to push out a Windows Update agent as a package.

iii. Windows Update Handler Issues

If this is red, it confirms that you have a scanning problem. From here, you need to look at the

Scan Agent. Here we find an error: “CScanAgent::ScanByUpdates - Update Source Policies

not found no scan will be performed, returning E_FAIL_POLICY_NOT_FOUND.”

Follow SolarWinds: 17

A likely problem is the Windows Update Agent Register did not register. The solution is to re-

register the Windows Update Agent.

When there’s a problem with a machine not scanning and it’s throwing all kinds of errors, and

the Windows Update Handler looks all fine except there is a little note at the bottom that says

the search job failed to end; i.e. the search job is not complete. To determine the problem,

look at the UpdatesHandler.log on the client.

iv. Client Refuses to Download Patches

Let’s say the software is not downloading at all, or maybe it’s downloading partially, but

everything, including scanning, appears to be working fine.

Follow SolarWinds: 18

Solution: Stop the Windows Update Agent, delete the softwaredownloadfolder (C:\windows),

and restart the Windows Update Agent. This is just one solution. It doesn’t fix everything and

you might need to make sure that any trouble-shooting you do on the Client does not break

anything else.

v. WSUS Policy Missing

The symptom of this problem is that the machine that successfully scans but doesn’t download

or install. Other clients have the same problem.

Look up in the WindowsUpdateAgentHandler log. You will get you the information:

Received ‘SuceededWithErrors’ code from WUS during search. Check windowsUpdate.log in

Windows directory.

A search in the WindowsUpdate log will say the license terms are not available, and it failed to

download the electronic license agreement.

Solution: Go into the WSUS folder, and in the command line, you can run WSUS Utility Set

and it will re-download the client information for your WSUS server.

Confirm that the folder is there, and copy that folder into WSUS. When you click scan, all the

machines will immediately start downloading the file. You will not need to restart any service

Follow SolarWinds: 19

#7 WMI From Primary Machine to Ensure Connection

There is an automated approach you can use for ensuring connection to your machines. WMI

monitoring tools allow administrators to identify Windows operating system issues, application

issues and other potential issues. There are a lot of free monitoring tools on the market to

help with this. SolarWinds provides a free WMI Monitor tool. It provides customizable WMI

monitoring which you can visualize in a dashboard.

#8 Certificate Errors Resolved

Listed below are some common reasons why certificate errors occur in Native Mode. Keeping

a check on these, to prevent errors from happening in the first place.

• Site Server Signing Certificate renewed late

• IIS certificate renewed incorrectly

• Client moved from one hierarchy to another

When registering with the site, another site was found and pulled that site’s Trusted Root

Certificate

Follow SolarWinds: 20

If you have a Machine that can’t receive Content or won’t inventory and your log shows,

“Received policy could not be verified” or “Advanced Client rejected the site signed certificate

due to trust-related failure.” This means something is wrong with your site signed certificate.

The view below is what is seen from the Status Messages for a specific system.

To fix this problem you can:

Stop the SCCM service. Clear the AllowedRootCAHashCode value, and restart the SCCM

service. This will repopulate the key with the different value. You can determine the correct

value is by finding a working machine inside your hierarchy and locating the number. If this

does not work, then stop the service, kill the hash code value and restart the service. This

might not work because the client cannot register with the MP. In this case, you may need to

uninstall and restart it. Using the ResetKeyInformation=True will force the trusted root key to

reset.

Alternatively, you can run a repair on the CCM setup. Go to the command bar of the file and

then show reset key information to ‘true. What this does is it pulls out the trusted root key. By

doing that, you repair the Client, and put the trusted root key back in.

Follow SolarWinds: 21

#9 Signature Verification Failure

The symptom of this problem is when you run advertise programs, you only get a partially

populated list. For example, you see 15 items when you should see 30. If you look in the

PolicyAgent log, you will see the Signature Verification failed status.

.

To address this, you can use Policy Spy to get the Advertisement ID and the corresponding

Package ID.

Follow SolarWinds: 22

From there you can open up the Console and locate a package with respect to the Package ID.

Now here lies the problem. This package can only run on specific platforms per the policy.

Let’s say all Win 7 machines are clicked, but then down below you have the Win 7 clicked, but

not the Win 7 SP1. So, now you have a conflict. Your machine doesn’t really understand

which policy to go with. You can go and locate in the different selections and fix that. So if it

says “All Win XP machines”, you need to go and remove anything that says XP Service Pack

One and not Service Pack Three. This will solve the problem and the machine will have just

one policy to apply.

Follow SolarWinds: 23

#10 How to Use SCCM "Right Click" Tools

Right Click Tools are some really helpful and handy tools that considerably speed up the

troubleshooting process, for example, status message, collection membership, machine Client

refresh, and so on. Check out this website for a list of tools I created.

Some key actions that we can perform with right click tools are:

• Deploy packages to a set of DPs

• PSEXEC commands on remote systems

• Reports

• Import Computers/Users

• Add computers to collection or collections to computer

• Wake up machine (WOL)

• Status messages

• Collection listing

• Setup/Decommission a DP

• Location collections/Packages/Advertisements

• Machine policy refresh

Follow SolarWinds: 24

About SolarWinds Patch Manager SolarWinds Patch Manager makes the time-intensive, error-prone chore of patching

Microsoft Windows servers and workstations simpler, faster, and more reliable. Patch

Manager allows sysadmins to automate patching applications across tens of thousands of

servers and workstations and receive automatic notifications of new third-party patches from

leading vendors like Adobe®, Apple®, Google®, Mozilla®, and Sun Microsystems®.

Feature Highlights:

• Manages updates dynamically, pushing the right patches to the right machines at the right

time

• Alerts when patches are available from Adobe®, Apple®, Google®, Mozilla®, Oracle®; &

other vendors

• Deploys patches across your Windows® servers & 3rd-party applications in hours – not

weeks

• Uses PackageBoot™ technology to execute custom actions before & after patches are

deployed

• Performs enterprise-wide discovery & instantly identifies rogue, unauthorized, &

unpatched computers

About SolarWinds

SolarWinds (NYSE: SWI) provides powerful and affordable IT management software to

customers worldwide - from Fortune 500 enterprises to small businesses. The company works

to put its users first and remove the obstacles that have become “status quo” in traditional

enterprise software. SolarWinds products are downloadable, easy to use and maintain, and

provide the power, scale, and flexibility needed to address users’ management priorities.

SolarWinds’ online user community, http://thwack.com, is a gathering-place where tens of

thousands of IT pros solve problems, share technology, and participate in product

development for all of the company’s products. Learn more today at http://solarwinds.com.

For additional information, please contact SolarWinds at 866.530.8100 or e-mail

sales@solarwinds.com.

To locate an international reseller near you, visit

http://www.solarwinds.com/partners/reseller_locator.aspx