#Sysctr #SCCM create IP-ranges per AD-site the easy way

Yesterday there was a chat on Twitter about the usage of IP-Range vs. AD-Site based boundaries for System Center Configuration Manager 2012 SP1.

There is an easy way to get the best of both worlds. It relies on the proper configuration of IP-Subnets in the Active Directory Site Configuration (well, that should be configured properly anyway!)




If you have your subnets configured, then switch to the SCCM Console to Administration, Hierarchy Configuration, Discovery Methods and open the Properties of the “Active Directory Forest Discovery”.

Here you can enable “Automatically create IP address range boundaries for IP subnets when they are discovered”.




To keep the boundaries up to date, you can even run this discovery on a schedule.

When the discovery is run, you will find the IP-Ranges in your boundaries.


You can then select all IP-Ranges of one site and put them into a boundary group by right clicking the selected IP-Ranges.


Hope it helps someone.




#SCCM #SCEP Suspend SCCM2012 SP1 Endpoint Protection #SysCtr

If you ever come into a situation where you need to stop the running System Center Endpoint Protection 2012 SP1, you will find out that there is no way to stop the service, neither in the GUI nor on the Microsoft Antimalware Service (MsMpEng.exe) service itself.

After searching a while I found the solution in this thread:

You need two tools, which will help you (not only in this case!): psexec and Process Explorer.

Copy both tools to a folder on the system and start an elevated command prompt.

1. Run the command:

%yourpath%\psexec.exe -s -i %yourpath%\procexp.exe

where %yourpath% is the path you saved the tools in

2. After accepting two EULAs (only for the first time) Process Explorer will show up. Search for a process called “MsMpEng.exe” and double click it. Switch to the “services” tab.


3. Click on “Permissions” and give Full Control rights to the Administrators group.


After OKing every window you can open or refresh your services.mmc and you will be able to stop the Microsoft Antimalware Service.



As soon as you start the service again, the permissions will be set back to the original settings.
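To confirm that the permissions really are back to their original state after the restart, you can read the service's security descriptor and test what the Administrators group is allowed to do. The following is an added example, not part of the original post; the function name Test-AdminServiceControl is hypothetical, the service name MsMpSvc is an assumption, and both SDDL strings are constructed samples:

```powershell
# Added example: report whether BUILTIN\Administrators may stop a service or
# rewrite its DACL, based on the service's SDDL security descriptor.
function Test-AdminServiceControl {
    param([Parameter(Mandatory=$true)][string]$Sddl)

    $SERVICE_STOP = 0x0020     # service-specific right: stop the service
    $WRITE_DAC    = 0x40000    # standard right: change the service permissions
    $adminsSid    = 'S-1-5-32-544'   # BUILTIN\Administrators ("BA" in SDDL)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $allow = 0
    $deny  = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only plain allow/deny ACEs for the Administrators group are relevant
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.SecurityIdentifier.Value -ne $adminsSid) { continue }
        if ($ace.AceQualifier -eq 'AccessAllowed') {
            $allow = $allow -bor $ace.AccessMask
        } elseif ($ace.AceQualifier -eq 'AccessDenied') {
            $deny = $deny -bor $ace.AccessMask
        }
    }
    # A deny ACE overrides an allow ACE for the same right
    $effective = $allow -band (-bnot $deny)

    New-Object PSObject -Property @{
        AdminsCanStop     = [bool]($effective -band $SERVICE_STOP)
        AdminsCanWriteDac = [bool]($effective -band $WRITE_DAC)
        AdminMask         = '0x{0:X}' -f $effective
    }
}

# Constructed sample descriptors (not captured from a real system):
# one where Administrators can only query, one with Full Control for Administrators.
$restricted = 'D:(A;;CCLCSWLOCRRC;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)'
$loosened   = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)'
Test-AdminServiceControl -Sddl $restricted
Test-AdminServiceControl -Sddl $loosened

# On a live system (elevated prompt), feed in the real descriptor instead.
# 'MsMpSvc' is the assumed service name of the Microsoft Antimalware Service.
# $live = (sc.exe sdshow MsMpSvc | Where-Object { $_ }) -join ''
# Test-AdminServiceControl -Sddl $live
```

If AdminsCanStop or AdminsCanWriteDac is still True after the service has been started again, the descriptor was not reset and should be reviewed.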


#ConfigMgr Speed up AD-Group discovered Client Push Installation #SCCM

Imagine the following situation:

You have to deploy SCCM in a well-controlled, step-by-step manner. You want to use (automatic) push installation.

This can be done by putting the PCs you want into AD-groups and throwing some GPOs at them, for example to add a ConfigMgr push account to the local admins.

Then Active Directory Group Discovery has to be set up to discover items in the selected AD-Group.

Now, when you put in a PC to this AD-Group, it will be discovered in a short time (5 Minutes in standard delta discovery settings).

After discovery, SCCM will try to push the client to the new PCs, but it fails because the ConfigMgr push account is not a local admin. This happens because a reboot is needed for the PC to become aware of its new group memberships and apply the GPO.

You now can wait until every PC is rebooted, or do the following:


Create a collection for PCs without an installed client:


Add a new query rule


Click “Show query language” and paste the query (delete linebreaks after inserting)

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId not in (select SMS_R_System.ResourceId from  SMS_R_System where SMS_R_System.Client = 1) and (SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Workstation 6.1")     





Now that you have created the collection, it's time for some PowerShell and psexec.

Download psexec and place it somewhere on your SCCM Server, e.g. c:\psexec

Create a PowerShell script that gets all members of the “no client” collection, refreshes the PC's AD-Group membership and forces a gpupdate:

$SiteServer = 'localhost'

# Replace YSC with your SiteCode

$SiteCode = 'YSC'
$CollectionName = 'All Windows 7 PCs without installed Clients'
# Retrieve SCCM collection by name
$Collection = Get-WmiObject -ComputerName $SiteServer -Namespace "ROOT\SMS\site_$SiteCode" -Class SMS_Collection | Where-Object {$_.Name -eq $CollectionName}
# Retrieve members of collection
$SMSClients = Get-WmiObject -ComputerName $SiteServer -Namespace "ROOT\SMS\site_$SiteCode" -Query "SELECT * FROM SMS_FullCollectionMembership WHERE CollectionID='$($Collection.CollectionID)' order by name" | Select-Object Name
# Try to refresh AD-Group membership and force gpupdate for every collection member
ForEach ($SMSClient in $SMSClients) {
    Write-Host "Next Client:" $SMSClient.Name
    $hostname = $SMSClient.Name

    # Purge the Kerberos tickets of the SYSTEM logon session (0x3e7) so new ones carry the new group membership
    c:\psexec\psexec.exe \\$hostname -s cmd /c "klist -li 0x3e7 purge"
    # Re-apply group policy with the refreshed membership
    c:\psexec\psexec.exe \\$hostname -s cmd /c "gpupdate /force"
}

If the script runs successfully, you will get an output like


To get this working, the account running the script needs to have the right to access the client PC!

Now that the group policy is applied, the ConfigMgr Push Account can install the client.

To go even further you could schedule this task, or even better, let Orchestrator do the job.





#ConfigMgr Client install BITS Error on Windows 7 #SCCM


Today I struggled with one of 160 Windows 7 clients on which I installed the SCCM client through push installation.

On this one machine ccmsetup.log was showing

“ BITS job creation failed with 80200014. Unable to check BITS version    ccmsetup    07.08.2013 16:45:25    4420 (0x1144) “


After searching a while and trying to repair BITS, setting registry keys etc., the tip that finally worked came from this TechNet thread:

Try installing ccmsetup manually with the parameter /BITSpriority:low:

ccmsetup.exe /BITSpriority:low

This finally did the trick in my case.

Refresh Active Directory Group Membership of PC without reboot


If you ever tested stuff that is based on AD-Groups for Computers – like GPO Software deployment – you have experienced that the PC “knows” its new group membership only after a reboot or after seven days of waiting….

After searching a while I found a way to get membership changes without reboot:

Open a command prompt in the system user context and purge the Kerberos tickets to get new ones, e.g. with the great tool psexec:

a) Download psexec

b) open an elevated command prompt, navigate to the folder you downloaded psexec to and start psexec with the parameter “-s” to start the session on the local PC in system user context:

psexec -s cmd


c) run “klist -li 0x3e7 purge”


d) the Kerberos tickets get renewed and the new group membership is also populated


On Windows 7 and later/Server 2008 and later, klist ships with the OS; on Windows XP/Vista/Server 2003 you have to get klist from the Windows Server 2003 Resource Kit Tools.


Thanks to Darren for sharing this great tip!

#SCCM 2012SP1 – Component Server not uninstalling

tl;dr: restart SMS_SITE_COMPONENT_MANAGER service through Configuration Manager Service Manager


After uninstalling a SUP from a Site Server, the Component Server Role was not disappearing from the roles-listing of the old site system.

After searching a while I found this blog post for the SCCM 2007 environment. It also works in a 2012 SP1 environment:

1. In your SCCM Console open Monitoring and choose site status.

2. Look for a component server and right click it. Select Start –> Configuration Manager Service Manager

3. In the Service Manager, expand a working server and navigate to SMS_SITE_COMPONENT_MANAGER

4. Select SMS_SITE_COMPONENT_MANAGER and right click it. Select Query. After a short time you will get the recent service status.

5. Now you can stop the service: right click it and select Stop service

6. Query the service again

7. Start the service: right click it and select Start service

8. Take a look in your site administration: the Component Server role should be gone

Hope that helps

#Mindmanager 2012 – Save File on network drive very slow–solution

If you are using MindManager 2012 and experience problems with saving files on a network drive, this might be the solution:


Sometimes MindManager searches for a SharePoint site while saving mindmaps. If you don't have SharePoint, MindManager sometimes gets a timeout, and that's why MindManager hangs for minutes…

Here is how to solve it:

First, check your installed version:

Click on File –> Help. There you see the installed version.



If you are not on version 10.2.404 or later, go download it at the Mindjet website.

After you have installed it, open MindManager once, so it can build the needed registry settings for the current user.

Be sure to close MindManager before editing the registry setting, otherwise MindManager will overwrite your setting.

Open regedit.exe and navigate to


Change the key “EnableDmsSupport” to 0



After the change, MindManager will no longer try to find a SharePoint site.

Be aware that you have to change this for every user on this machine, as the key is found in HKEY_CURRENT_USER.


Hope that helps