Monday, August 13, 2018

How to Install the SCCM Admin Console on a System without the Installation Media

I'm using the Microsoft Office 365 virtual lab and want to install it on another VM I created.  Unfortunately, this doesn't contain the install media to run the consolesetup.exe.

After some digging on the system: the installer can be found on the SCCM server. Another source is a computer that has the console installed and has been updated.


The directory where the files are found:  "C:\Program Files (x86)\ConfigMgr10\AdminconsoleSetup"




In the directory, you'll find some GUID-named folders.  They will contain the "Adminconsole.msi" or the Console Update.

Depending on which source you get it from, you may have more than one folder containing the "Adminconsole.msi".  Install from the folder with the newest creation date.




After installing the console, search the same directory for the latest console update and run it, so the console does not prompt to update on first launch.









Sunday, May 21, 2017

HP Conexant Audio Driver Vulnerability

HP has released a new driver package update to fix the security vulnerability.  Debugging was left on in the driver, and it is essentially logging every keystroke.

If the MicTray.log file exists in C:\Users\Public, the system is potentially vulnerable.  It is best to update the driver if you're unsure.  On most machines I've seen this file on, it was blank.

Here's the official link from HP that includes the driver packages to download if your system is listed as affected.

https://support.hp.com/in-en/document/c05519670

This seems to be applicable to G3 and newer generation models; I haven't seen the other models or newer G4s in our environment need this.

ftp://ftp.hp.com/pub/softpaq/sp80001-80500/sp80323.exe


Extract the files using 7-Zip or by running the installer.  Running "Setup.exe -S" from the command line installs the driver silently.  It doesn't reboot the system, but a reboot is required.

You should script this to delete the MicTray.log during the driver update.

After updating, the driver details should be relatively recent.
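
The steps above as one deployable script. This is an added example, not HP's code or the original post's; the extraction folder `C:\Temp\sp80323` is an assumed location for the unpacked SoftPaq.

```powershell
# Added example: silent driver update plus MicTray.log cleanup.
# Assumption: the SoftPaq was already extracted to $SetupDir (hypothetical path).
param(
    [string]$SetupDir = 'C:\Temp\sp80323',
    [string]$LogPath  = 'C:\Users\Public\MicTray.log'
)

$setup = Join-Path $SetupDir 'Setup.exe'
if (-not (Test-Path -LiteralPath $setup)) {
    throw "Setup.exe not found in $SetupDir"
}

# Record whether the log existed and whether it held data, without reading
# its contents (it may contain captured keystrokes).
$log = Get-Item -LiteralPath $LogPath -Force -ErrorAction SilentlyContinue
$result = [pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    LogFound   = [bool]$log
    LogBytes   = if ($log) { $log.Length } else { 0 }
    SetupExit  = $null
    LogRemoved = $false
}

# Silent install, as in the post: Setup.exe -S
$proc = Start-Process -FilePath $setup -ArgumentList '-S' -Wait -PassThru
$result.SetupExit = $proc.ExitCode

# Delete the log after the driver update. The file may be locked by a
# running process, so report the failure instead of aborting.
if ($log) {
    try {
        Remove-Item -LiteralPath $LogPath -Force -ErrorAction Stop
        $result.LogRemoved = $true
    } catch {
        Write-Warning "Could not delete ${LogPath}: $($_.Exception.Message)"
    }
}

# Emit one object per machine for the deployment tool to collect.
# The system still needs a reboot afterwards.
$result
```

A non-zero `LogBytes` value identifies machines where keystrokes were actually written to disk, which is worth knowing before the file is deleted.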


Wednesday, May 17, 2017

SCCM - Intel AMT Vulnerability Report

Here's the Intel guide to mitigating this risk

Intel-SA-0075 Mitigation Guide

1. Unprovision Client - Using Intel's ACUConfig tool

ACUConfig.exe UnConfigure


2. Disable or Remove the Service (should also end the process in the script)
sc config LMS start= disabled
sc delete LMS
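
Steps 1 and 2 combined in PowerShell, with a check afterwards. This is an added example, not Intel's script or the original post's; the folder holding ACUConfig.exe is an assumed path, and the post-check needs `Get-NetTCPConnection` (Windows 8 / Server 2012 or later).

```powershell
# Added example: unprovision AMT, stop and disable LMS, then verify.
# Assumption: ACUConfig.exe was copied to $AcuDir (hypothetical path).
param([string]$AcuDir = 'C:\Temp\ACUConfig')

$acu = Join-Path $AcuDir 'ACUConfig.exe'
if (-not (Test-Path -LiteralPath $acu)) {
    throw "ACUConfig.exe not found in $AcuDir"
}

# 1. Unprovision the client (same order as the steps above)
$p = Start-Process -FilePath $acu -ArgumentList 'UnConfigure' -Wait -PassThru
Write-Output "ACUConfig UnConfigure exit code: $($p.ExitCode)"

# 2. Stop the service (this ends the LMS process), then disable it
$svc = Get-Service -Name 'LMS' -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name 'LMS' -Force
    }
    Set-Service -Name 'LMS' -StartupType Disabled
    # To remove the service instead, use sc.exe ("sc" alone is an alias
    # for Set-Content in PowerShell):
    #   sc.exe delete LMS
}

# Post-check: the local AMT/ASF ports should no longer be listening.
$amtPorts  = 16992, 16993, 16994, 16995, 623, 664
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $amtPorts }

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    AcuExitCode    = $p.ExitCode
    LmsPresent     = [bool]$svc
    PortsListening = @($listening.LocalPort | Sort-Object -Unique) -join ','
}
```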

Here's a report to find the AMT version and Provisioning State

It doesn't include the syntax for the report generated at the bottom

https://communities.intel.com/docs/DOC-5763

Count of Versions

SELECT     COUNT(v_GS_AMT_AGENT.AMT0) AS "Count", v_GS_AMT_AGENT.AMT0
FROM         v_GS_AMT_AGENT INNER JOIN
                      v_R_System ON v_GS_AMT_AGENT.ResourceID = v_R_System.ResourceID
GROUP BY v_GS_AMT_AGENT.AMT0
ORDER BY v_GS_AMT_AGENT.AMT0

Report for AMT version and Provisioning State less than 3

Includes model and processor to make it easier to identify which files to download

SELECT     v_R_System.Name0, v_GS_AMT_AGENT.AMT0, v_GS_AMT_AGENT.ProvisionState0, v_GS_COMPUTER_SYSTEM.Model0,
                      v_GS_PROCESSOR.Name0 AS Expr1
FROM         v_GS_AMT_AGENT INNER JOIN
                      v_R_System ON v_GS_AMT_AGENT.ResourceID = v_R_System.ResourceID INNER JOIN
                      v_GS_COMPUTER_SYSTEM ON v_R_System.ResourceID = v_GS_COMPUTER_SYSTEM.ResourceID INNER JOIN
                      v_GS_PROCESSOR ON v_R_System.ResourceID = v_GS_PROCESSOR.ResourceID
WHERE     (v_GS_AMT_AGENT.ProvisionState0 < 3)
ORDER BY v_GS_AMT_AGENT.ProvisionState0, Model0

Sunday, May 14, 2017

Windows Update for WannaCrypt Ransomware

The monthly security updates to use for the affected systems are listed below.

According to MS, Windows 10 is not targeted.

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt

While this vulnerability is listed as MS17-010, the bulletin for this will fall under the bulletin for the security update.

MS17-008 is the bulletin for the Security Monthly Updates.

KB4012212 for Windows 7, 2008 R2
KB4012213 for Windows 8.1 and 2012 R2

For Windows 2008 non-R2, the update is 4018466, released this month, which supersedes MS17-010 (KB4012598) from March 2017.

Other updates have also been released for out-of-support operating systems such as XP, 2003, etc.




Monday, May 1, 2017

Query All Deployed Updates in SCCM

Here’s a query I created to create a report of all updates being deployed in Update Lists.

This will pull the Deployment Name, Article ID, Bulletin ID, Update Title, Collection Name, Date Created, IsDeployed, IsExpired, and IsSuperseded.

This will show expired and superseded updates; you can modify the query to hide them.

This works on SCCM CB. It's probably not needed as much if you use ADR, but it can give you a report of what’s currently being deployed.

SELECT     v_CIAssignment.AssignmentID, v_CIAssignment.AssignmentName, v_UpdateInfo.ArticleID, v_UpdateInfo.BulletinID, v_UpdateInfo.Title, 
                      v_CIAssignment.CollectionName, v_CIAssignment.CollectionID, v_UpdateInfo.DateCreated, v_UpdateInfo.IsDeployed, v_UpdateInfo.IsExpired, 
                      v_UpdateInfo.IsSuperseded
FROM         v_UpdateInfo INNER JOIN
                      v_CIAssignmentToCI ON v_UpdateInfo.CI_ID = v_CIAssignmentToCI.CI_ID INNER JOIN
                      v_CIAssignment ON v_CIAssignmentToCI.AssignmentID = v_CIAssignment.AssignmentID
ORDER BY v_CIAssignment.AssignmentID, v_UpdateInfo.ArticleID

Thursday, December 22, 2016

Windows 10 Compatibility Pack for SCCM 2007

MS has released a compatibility pack for Windows 10 for SCCM 2007.  This will add Software Distribution, Software Updates, and Desired Configuration Manager functions from the client side, as well as a few others.  Additional information can be found in the link below.


Software Distribution worked prior to the hotfix, but the Software Updates Agent did not.  If you installed the current SCCM client before the hotfix, this is the error that shows up in the WUAHandler.log.

WU Agent Version too low (6.2.10586.420), needs to be at least: 7.1.6001.65





After installing the hotfix on the site servers and deploying to the Windows 10 client, it will update the client to version 4.00.6487.2239.
















The only component to show being upgraded was the Software Updates Agent.























Once that is installed, trigger the Software Updates scans and it should start applying the patches after the detection.  The hotfix should be deployed to all clients regardless of OS.

A few months before this was released, we were already planning on a Windows 10 image and used Enterprise edition.  That is not officially supported because SCCM 2007 cannot deploy the feature updates.  That would have to happen from the system with WUA enabled.

SCCM 2007 does not seem to pull in software updates for OS versions newer than 2015, such as Server 2016. As mentioned in the article, it only supports LTSB 2015, so you're pretty much forced to upgrade at some point.



Tuesday, August 2, 2016

Plink and Citrix Netscalers

Our global Citrix infrastructure contains multiple Netscaler load balancers situated worldwide.  However, not all regions run the same apps.  The issue is our US call center does a shift change and cannot access a published application due to being directed to the wrong application portal page from the load balancer.  The resource they are trying to use doesn't have access to it from our EU and AS NS.

First, I'm not experienced with Citrix and Netscalers but have been tasked to perform the documented steps when escalations come in.  There's a script already to run on a schedule that our EU team has done, but I didn't ask to see their script and sometimes it still slips through.

I wrote this script to be used in PowerShell ISE and you must have Plink downloaded.

The first command is loaded into a variable and the Do While loop is to run the command again until the variable is null.  In most instances it runs the commands 3 to 4 times.  I've tested on all the NS that this works: right after the last deletion, a sh command via Putty to verify doesn't show anything.


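$route = ./plink.exe -ssh nsroot@host -pw PASSWORD "sh persistentSessions"
Do {
    ./plink.exe -ssh nsroot@host -pw PASSWORD "clear persistentSessions"
    # Re-check after each clear so the loop ends once nothing is left
    $route = ./plink.exe -ssh nsroot@host -pw PASSWORD "sh persistentSessions"
} while ($route)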
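
Passing `-pw PASSWORD` puts the nsroot password in the script file and on the process command line. The same loop with key-based login, a pinned host key and a pass limit follows; it is an added example, not the original script, and the host name, key file path and fingerprint are placeholders. It also assumes the NetScaler CLI ends each reply with a "Done" status line.

```powershell
# Added example, not the original script. Placeholders/assumptions:
#   $NsHosts, $KeyFile and the host-key fingerprint are hypothetical values.
$Plink     = '.\plink.exe'
$KeyFile   = 'C:\Secure\ns-ops.ppk'      # private key, ACL-restricted
$NsHosts   = @{                          # host -> pinned SSH host key
    'ns-us.example.internal' = 'SHA256:REPLACE_WITH_REAL_FINGERPRINT'
}
$MaxPasses = 10                          # stop instead of looping forever

function Invoke-NsCommand([string]$NsHost, [string]$HostKey, [string]$Command) {
    # -batch: never prompt; -hostkey: refuse a host whose key does not match
    $out = & $Plink -ssh -batch -i $KeyFile -hostkey $HostKey "nsroot@$NsHost" $Command
    if ($LASTEXITCODE -ne 0) { throw "plink exited $LASTEXITCODE on $NsHost" }
    # Assumption: replies end with a "Done" status line. Drop that and blank
    # lines so only real session rows are returned.
    $out | Where-Object { $_.Trim() -notin '', 'Done' }
}

foreach ($entry in $NsHosts.GetEnumerator()) {
    $pass = 0
    do {
        $pass++
        Invoke-NsCommand $entry.Key $entry.Value 'clear persistentSessions' | Out-Null
        $left = @(Invoke-NsCommand $entry.Key $entry.Value 'sh persistentSessions')
    } while ($left.Count -gt 0 -and $pass -lt $MaxPasses)

    if ($left.Count -gt 0) {
        Write-Warning "$($entry.Key): sessions still present after $pass passes"
    } else {
        Write-Output "$($entry.Key): cleared after $pass pass(es)"
    }
}
```

With `-batch`, an unknown or changed host key makes Plink fail instead of prompting, so a scheduled run cannot silently trust a new key.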