SCCM 2012: dynamic app install Policy download failed

I had an issue the other day with an application not installing that I had been installing for a long time through the UDI wizard with the MDT Integration with SCCM 2012.  Suddenly it had stopped installing and I got the below error in the SMSTS.log.

Make sure the application is marked for dynamic app install Policy download failed, hr=0x80004005. The operating system reported error 2147500037: Unspecified error

While this error can be caused by symbols such as a comma or ampersand in the application name for me it was because I had changed the application name to a more user-friendly name which in turn broke the UDI as it doesn’t dynamically update application names.  I simply went into the UDI and removed and re-added the application and it started working again.

 

 

“You need to install additional updates” error message when you try to start Lync 2013

The above error is fairly well documented by Microsoft but thought I would post about it anyway just in case someone comes across the same issue as me.  I had pushed updates out to machines through SCCM and then started getting a handful that Lync/Skype for Business started reporting that Lync had become Skype for Business and that KB3039779 needed to be installed.  Evidently, a few machines we had received a newer update which upgraded them but didn’t have this older update.  Simply pushing out the missing KB3039779 to the machines missing the update resolved the issue.  Update is located here for anyone curious https://www.microsoft.com/en-us/download/details.aspx?id=47056

Filtered GPO’s are broken

I was updating a logon script today and realized that for some reason it wasn’t applying to the machine.   I ran rsop and gpresult but neither one showed the policy or the logon script.  The gpo was filtered to a specific group of users and the user was clearly a member of the group so I was befuddled what was going on.  I finally found a Security update KB 3159398 for Group Policy that came out in June that while fixing a dangerous man-in-the-middle attack breaks filtering if Domain Computer group does not have read permissions to the OU.  Follow the below steps to fix and your gpo will be working like normal.

  1. Open up the gpo in group policy management and click the delegation tab.
  2. Click Add and type in domain computers.capture
  3. Set permissions to read as is the default.capture2
  4. Enjoy your fixed GPO’s!

Link to Microsoft Security update and known issues below.

https://support.microsoft.com/en-us/kb/3159398

 

 

 

NVMe drivers

Just a quick note incase someone else is having this issue.  I was working on using SCCM to image a Dell 7710 laptop and it has a Samsung M.2 PCIe NVMe SSD which I couldn’t seem to ever find  the right storage drivers to get it to see the hard disk.  It was a one time deal so I resorted to having the onsite tech manually load the machine (which was an endeavor in itself as he had to find the right storage driver to load windows 10 and if you wanted to do windows 7 you had to have USB 3.0 drivers slipstreamed into the windows installer). Upon trying to image another machine pxe would stop part way and display the below error message.

File: \Windows\system32\DRIVERS\nvme.sys

Status: 0xc0000359

Info: Windows failed to load because a critical system driver is missing, or corrupt

Turned out just like it says nvme drivers I had loaded caused it to completely not load the pxe boot image which I hadn’t seen occur before in adding drivers to a boot image.  Pretty straight forward but figured it might help someone that gets this error especially if you didn’t add the drivers or forgot that you had added them.

Mail-enable already created distribution group.

Today I had an AD administrator create a distribution group and add all the members to it in Active Directory.  They needed it enabled in Exchange so I thought easy just go into the EAC (Exchange Administrative Center) and add an existing group.  This was the case in Exchange 2007 and 2010 but not in 2013.  In order to add an existing group so you don’t have to recreate it from the EAC and add all the users back you go into EMC (Exchange Management Console).  Then once in Powershell type in the command belowmail-enable.

Enable-DistributionGroup -Identity “groupnameinAD” -Alias “groupname”
-DisplayName “displayname"

 

 

Creating a scheduled task without being administrator

Good morning, I was working on a scheduled task that would run on a user’s PC and start a particular application when the user logged into their machine and it had to run as the user in particular logging in.  What I discovered was that if the user wasn’t administrator on the box I would get an access denied in both PowerShell and schtasks.

scheduledtask

What I figured out was that if you choose to run the task at logon (I assume this probably applies to at startup as well) it requires administrative rights but if you schedule the task as an hourly, daily, weekly, etc. task it doesn’t require administrative rights to create it.  Now this requires that what the task is running itself doesn’t need administrative rights but in my case it does not.

scheduledtask2

Now you may be asking yourself why didn’t he simply create a scheduled task through group policy.  Well, the reason for that is I wanted it to target a specific computer collection in SCCM that targeted only laptops.  I could have done it with a GPO and even filtered the GPO with WMI filtering and accomplished the same thing but the application is pushed out through SCCM and I wanted everything that went with it targeted to that collection.  Maybe slightly more work on my part but good to know nonetheless.

Quickly fix Windows is not Genuine from different Windows versions.

I had an issue today with an old KMS server that some machines had been talking to getting shut down and then the machines months later complaining that they couldn’t find the KMS server.  I  then removed the KMS server’s DNS entries and prevented it from publishing them to dns which had been missed before.  That isn’t the purpose of this post though so if you need more info the below two links help out a lot.

How to remove a KMS Server from your Infrastructure

Additional info for Server 2008 only.

Back to the purpose of my post was when I get tickets for activations (as I have over the past few days) I wanted an easy script to run slmgr, remove the product key, input, and activate the new key.  We use MAK keys in our environment so just for the few machines that were set up for KMS a simple script sounded like an easy way to take care of them. Problem is I run Windows 10 and the machines I was trying to fix were Windows 7. SLMGR.vbs is version specific so although I probably could have copied one off a windows 7 machine I came up with the below solution to work on any version of Windows.  To accomplish this I used our old friend psexec which creates a session runs each slmgr command locally on their machine and outputs the result after prompting for a machine name.  A really simple script but maybe someone will find this useful.  Don’t forget to put psexec in the same directory you run the script from.  Happy Friday 🙂

set /p machinename=Input the PC Name:%=%
PsExec.exe \\%machinename% cscript %SystemRoot%\System32\slmgr.vbs /upk
PsExec.exe \\%machinename% cscript %SystemRoot%\System32\slmgr.vbs /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
PsExec.exe \\%machinename% cscript %SystemRoot%\System32\slmgr.vbs /ato