Professional Documents
Culture Documents
Top 10 Diagnostics Tips For Client Troubleshooting With SCCM Ver 4 PDF
Top 10 Diagnostics Tips For Client Troubleshooting With SCCM Ver 4 PDF
Follow SolarWinds:
Table of Contents
Introduction............................................................................................................................................6
Using Logs for Troubleshooting – How and Where to Find Relevant Data…......................................13
SolarWinds Patch Manager gives you the ability to patch 3rd party applications using Microsoft WSUS
and SCCM…automatically receive ready-to-deploy patches.
Learn More » Try It FREE »
Follow SolarWinds:
Introduction
Ever hear “My client won’t register!”? If so, this whitepaper will help you quickly fix SCCM issues
and get those users off your back. This paper reviews the TOP 10 SCCM troubleshooting tips:
Follow SolarWinds: 6
#1 How to Telnet to the ports?
Most of us oftentimes get into issues when the client just won’t register, and this is a fairly
common problem. When this is the case, the first thing you need to do is test the ports using a
Telnet client. Because management and software update points are all utilizing a port that’s
watching or looking, including network load balancers, you can use Microsoft Telnet tool to
connect to that port. You can also use a third-party Telnet tool to connect to the port.
• Management points
• Distribution Points
The illustration below shows how a port is tested using Microsoft Telnet session.
Live Webcast:
Command: telnet SCCM-MP 443
SCCM 2012 Insider’s
where Look Hierarchy
Simplification
• SCCM-MP is the Management Point
June 20th, 2012,
• 443 is the port number 1pm CST
In this particular case, the Telnet fails to connect to the port, and throws an error message. REGISTER NOW »
From here you know that either there’s a problem on the client, maybe it’s a firewall, or a
problem between the firewall and the MP, or possibly a problem on the server side. Below is
illustrated using the Microsoft Telnet client from a Windows 7 workstation.
In the event that the connection is successful the box will become blank.
To exit you will use Ctrl ] to view the telnet prompts
Type quit [Enter] and you will be returned to the standard command prompt.
Follow SolarWinds: 7
#2 Using Policy Spy and Client Spy
Policy Spy is one of Microsoft’s free applications within the Configuration Manager console
that allows you to get visibility into what’s inside WMI. As WMI is highly critical to SCCM,
everything is pretty much stored there. If something is wrong with WMI such as inventory not
sending correctly, or advertisements are running over and over again, Policy Spy allows you to
go in and have a look at things within WMI, allowing you to easily troubleshoot by knowing
what’s what.
Client Spy is also a free Microsoft application that is available within the Configuration
Manager console. This application helps you look at problems in your client. Here you can look
at software distribution that is pending; packages that are there or no longer available; and you
can also view your software updates. When a software update is downloaded, you will see
those updates directly in the console.
Follow SolarWinds: 8
Both tools along with several other tools is available from the
System Center Configuration Manager Toolkit V2:
http://www.microsoft.com/en-us/download/details.aspx?id=9257
Follow SolarWinds: 9
#3 WMI Errors Resolved
Most WMI errors can be resolved by repairing WMI. In Windows XP, you can run the
command line which will quickly visualize WMI. In XP there is only one copy of the WMI
repository, whereas in Windows 7, Vista or 2008, there is dual copy of the repository. As a
result, a repair is not normally needed for Windows 7. If anything goes wrong, you can look
back and forth, compare, and correct.
I the case there is a major problem and a repair is required, you may need to reinstall DLLs
and re-register them, and lastly, remove the repository. To do this, you must go into the
Services windows within the Configuration Manager Console, and stop the Windows Manual
Instrumentation Service.
This will prompt you to choose to stop your firewall, SCCM and the SMS Agent Host which can
be stopped before or after. You can simply run the repair from the command prompt for your
XP, you would enter
Follow SolarWinds: 10
Have this run, and within 3 to 4 minutes, your WMI should start back up, and, in case, if it
doesn’t start automatically you need to restart the machine and try it again.
In the case of Windows XP you must stop WMI before removing the repository. For Windows
7 to remove the repository you must use the winmgmt /resetrepository.
Note: This is a destructive action to WMI. The WMI repository will attempt to rebuild itself.
Some applications might not recompile their MOF. If this occurs it could cause problems with
the application. Always validate on test machine before performing it on a production machine.
Follow SolarWinds: 11
#4 Key Error Codes Defined
If you have an error message, and you are trying to determine what it means, don’t go to
Google, Microsoft Forums, MyITForum or other forums, because the error will mean different
things in different applications – Outlook, Exchange, etc. Instead, visit the Custom Error
Website for Microsoft and look down the list.
You can also use Trace32 which includes an error lookup. Simply type in the error code and
get the error definition.
Trace 32 is located in the Configuration Manager toolkit along with Policy Spy and Client Spy.
Follow SolarWinds: 12
#5 Using Logs for Troubleshooting – How and
where to find relevant data
Whenever we opt to troubleshoot a certain error or condition, we always want to look for data
on what happened, where and how. Standard Windows logs can be accessed to obtain this
information; they include:
LocationServices.log
Certificate Information: if in native mode, you can download site signed certifications from the
management points or from the site server.
ClientIDManagerStartup.log
In this registration log, you’ll find errors like ‘Unable to Contact Management Points’ that could
be caused by a certificate error or possibly a port block or you could problems in the registry,
or you might even see WMI errors – for example, unable to open a certain name space.
smscliui.log
Actions performed in the Run Advertised Programs will show here. If your Run Advertised
Programs is blank open this log to determine if information is received. It will also show you if
manually policy refreshed and other actions are kicked off.
Follow SolarWinds: 13
o UpdatesHandler.log and UpdatesStore.log: these logs show compliance
information
Follow SolarWinds: 14
#6 Top 5 Patch Downloading Issues
Resolved
i. Bits Downloading Issues
Did you ever get a call from the network team saying, “Hey, we have a machine or group of
machines pulling down a lot of bandwidth”? What do you do?
First, look at the ClientTransferManager log. Here you can find what is downloading and from
which location. Here you will see a log that says the file is downloading from a file location.
This is an indication that this server is not pulling from the correct location. Pulling over
445/SMB via a File location could cause network congestion.
To troubleshoot, go into the command prompt and run Bits Admin, and this will return an ID
that would match the ID that you find up in your log. This will let you know if there’s a Job
error, provide the job number, and will provide how much is being transferred. With this
information, determine if there is a problem and possibly fix the server or turn it over to the
infrastructure group for them to fix. This allows you at least to begin the troubleshooting of
something that’s not downloading correctly.
Follow SolarWinds: 15
ii. Windows Update Agent Issues
Windows Update Agents will need to be updated manually unless you have an automated tool
to do this. To determine what WUA is on your machine, there are two reports that you can
look at:
Though these reports may give you the WUA version, the version will differ depending on
whether you are running Win 7 or Win 7 Service Pack 1. As a result, you need to keep track
of what OS version you are running. If the WUA version is blank on the report, there’s a
problem on the machine such as the Windows Agent is not running. The latest version for a
given OS can be found here: http://support.microsoft.com/kb/949104. A SQL query to
determine the WUA version can be found here from Microsoft: http://technet.microsoft.com/en-
us/library/bb680319.aspx
To troubleshoot:
o Windows XP: To fix the problem with Windows XP, you can go to the Windows
updates webpage and find out there’s a new version of Windows update. When
you are starting the scanning process to download the update, if there’s a
problem with scanning, then, it may mean there’s possibly a problem with
Windows update service, and that’s the same process SCCM is going to use.
If this is red, it confirms that you have a scanning problem. From here, you need to look at the
Scan Agent. Here we find an error: “CScanAgent::ScanByUpdates - Update Source Policies
not found no scan will be performed, returning E_FAIL_POLICY_NOT_FOUND.”
Follow SolarWinds: 16
A likely problem is the Windows Update Agent Register did not register. The solution is to re-
register the Windows Update Agent.
When there’s a problem with a machine not scanning and it’s throwing all kinds of errors, and
the Windows Update Handler looks all fine except there is a little note at the bottom that says
the search job failed to end; i.e. the search job is not complete. To determine the problem,
look at the UpdatesHandler.log on the client.
Let’s say the software is not downloading at all, or maybe it’s downloading partially, but
everything, including scanning, appears to be working fine.
Follow SolarWinds: 17
Solution: Stop the Windows Update Agent, delete the softwaredownloadfolder (C:\windows),
and restart the Windows Update Agent. This is just one solution. It doesn’t fix everything and
you might need to make sure that any trouble-shooting you do on the Client does not break
anything else.
The symptom of this problem is that the machine that successfully scans but doesn’t download
or install. Other clients have the same problem.
Look up in the WindowsUpdateAgentHandler log. You will get you the information:
A search in the WindowsUpdate log will say the license terms are not available, and it failed to
download the electronic license agreement.
Solution: Go into the WSUS folder, and in the command line, you can run WSUS Utility Set
and it will re-download the client information for your WSUS server.
Confirm that the folder is there, and copy that folder into WSUS. When you click scan, all the
machines will immediately start downloading the file. You will not need to restart any service
Follow SolarWinds: 18
#7 WMI From Primary Machine to Ensure
Connection
There is an automated approach you can use for ensuring connection to your machines. WMI
monitoring tools allow administrators to identify Windows operating system issues, application
issues and other potential issues. There are a lot of free monitoring tools on the market to
help with this. SolarWinds provides a free WMI Monitor tool. It provides customizable WMI
monitoring which you can visualize in a dashboard.
When registering with the site, another site was found and pulled that site’s Trusted Root
Certificate
Follow SolarWinds: 19
If you have a Machine that can’t receive Content or won’t inventory and your log shows,
“Received policy could not be verified” or “Advanced Client rejected the site signed certificate
due to trust-related failure.” This means something is wrong with your site signed certificate.
The view below is what is seen from the Status Messages for a specific system.
Stop the SCCM service. Clear the AllowedRootCAHashCode value, and restart the SCCM
service. This will repopulate the key with the different value. You can determine the correct
value is by finding a working machine inside your hierarchy and locating the number. If this
does not work, then stop the service, kill the hash code value and restart the service. This
might not work because the client cannot register with the MP. In this case, you may need to
uninstall and restart it. Using the ResetKeyInformation=True will force the trusted root key to
reset.
Alternatively, you can run a repair on the CCM setup. Go to the command bar of the file and
then show reset key information to ‘true. What this does is it pulls out the trusted root key. By
doing that, you repair the Client, and put the trusted root key back in.
Follow SolarWinds: 20
#9 Signature Verification Failure
The symptom of this problem is when you run advertise programs, you only get a partially
populated list. For example, you see 15 items when you should see 30. If you look in the
PolicyAgent log, you will see the Signature Verification failed status.
To address this, you can use Policy Spy to get the Advertisement ID and the corresponding
Package ID.
Follow SolarWinds: 21
From there you can open up the Console and locate a package with respect to the Package ID.
Now here lies the problem. This package can only run on specific platforms per the policy.
Let’s say all Win 7 machines are clicked, but then down below you have the Win 7 clicked, but
not the Win 7 SP1. So, now you have a conflict. Your machine doesn’t really understand
which policy to go with. You can go and locate in the different selections and fix that. So if it
says “All Win XP machines”, you need to go and remove anything that says XP Service Pack
One and not Service Pack Three. This will solve the problem and the machine will have just
one policy to apply.
Follow SolarWinds: 22
#10 How to Use SCCM "Right Click" Tools
Right Click Tools are some really helpful and handy tools that considerably speed up the
troubleshooting process, for example, status message, collection membership, machine Client
refresh, and so on. Check out this website for a list of tools I created.
Some key actions that we can perform with right click tools are:
• Reports
• Import Computers/Users
• Status messages
• Collection listing
• Setup/Decommission a DP
• Location collections/Packages/Advertisements
Follow SolarWinds: 23
About SolarWinds Patch Manager
SolarWinds Patch Manager makes the time-intensive, error-prone chore of patching
Microsoft Windows servers and workstations simpler, faster, and more reliable. Patch
Manager allows sysadmins to automate patching applications across tens of thousands of
servers and workstations and receive automatic notifications of new third-party patches from
leading vendors like Adobe®, Apple®, Google®, Mozilla®, and Sun Microsystems®.
Feature Highlights:
• Manages updates dynamically, pushing the right patches to the right machines at the right
time
• Alerts when patches are available from Adobe®, Apple®, Google®, Mozilla®, Oracle®; &
other vendors
• Deploys patches across your Windows® servers & 3rd-party applications in hours – not
weeks
• Uses PackageBoot™ technology to execute custom actions before & after patches are
deployed
About SolarWinds
Follow SolarWinds: 24