myITforum and Windows IT Pro Forums

 Software Compliance Setting in SCCM 2012 - Baseline and Configuration Item not working

Author Message
jdomeier

  • Total Posts : 159
  • Scores: 0
  • Reward points : 33570
  • Joined: 4/12/2006
  • Status: offline
Software Compliance Setting in SCCM 2012 - Baseline and Configuration Item not working Sunday, March 05, 2017 8:57 AM (permalink)
0
Hello all..
This is for the Software Compliance Settings people out there and I'm scratching my head on a Configuration Item CI and Baseline I have test deployed to a small number of pilot systems of 200 in my organization. I am trying to find all of the instances or path locations from where the java file called ??accessibility.properties is located at because one of our software applications is either changing this file if it finds it and appends certain stuff to it so when the other application that normally uses this file with the additional stuff causes that application not to function.  This is really bad for us...  So instead of adding this file to the current software inventory list, and since software inventory is unreliable and takes forever to complete in some case, I wanted to use CI and Baseline to retrieve these locations.  I set up a CI and Baseline and deployed it to some systems that we know have this file and originally it came back with a lot of results from the 200 test systems like 900+ path locations of this file which is really important! and what we wanted to see..  I have this baseline CI running once a day and it seemed to work for a couple of days until I ran the report and noticed the numbers were decreasing and noticed the Baseline had 50% of the systems as failures and some systems as compliant when looking at the baseline via the sccm 2012 console view.  This originally ran good and now today I checked the report and only 1 system showed up..  I know the software compliance settings gurus are wanting to know how I set up the CI Baseline.. and since I can't place any files in this post, I'm wondering How I can share the info with you all.. Its really a simple CI.. Find this file from the C:\  search sub folders, Information,  deployed once a day, etc.  The weird thing about this is that I can run a powershell script that invokes a wmi action I think its called, on these list of 200 with the deployment id which is a long string of characters and the report slowing builds up again like I jumpstarted it..  But I don't know what is causing it to fail???  I am using the software Compliance setting features on different CIs I made and are working nicely, on other different types of checks like registry keys values, file existences, resetting software updates compliances (Patches reporting in correct numbers) - Thanks to Sherry Kissinger on that one.. Nice..
Is there log files or status IDs, message IDs, anything that I could search on why its not reporting in?  It is like it runs once and then it doesn't re run the same baseline CI again and falls out of the database???  Please help me..  I love this Software Compliance Settings feature in sccm 2012.  It really is awesome the more I use it..
 
We just updated our SCCM 2012 with the 1610 update back in Jan 2017, in case some were wondering what version of sccm 2012 I'm at..
 
Thanks
Jerry
 
 
#1
    skissinger

    • Total Posts : 5126
    • Scores: 504
    • Reward points : 195100
    • Joined: 9/13/2001
    • Location: Sherry Kissinger
    • Status: offline
    Re:Software Compliance Setting in SCCM 2012 - Baseline and Configuration Item not working Monday, March 06, 2017 9:01 AM (permalink)
    0
    I don't have anything clever or obvious to suggest, but perhaps if you reply here with more information, maybe someone here can spot an obviously missing comma or something.  :)
    So your CI is a single test, looking c:\ for ??accessibility.properties.  What's the "what means compliant" ?  You don't mention.  I'm 'guessing' that 'what means compliant' is "instances, no instances should be reported" ?  If that's not it, what do you have?
    Since you mention your baseline is daily, is that baseline something you made which has only this CI in it? (I'm not saying that's good or bad, just gathering information).
    If you use Roger Zanders Client Center, or if you rdp into a box and manually go look at the Compliance Settings tab in the control panel on a box which has 'dropped out' of reporting, it errored out?  or it just didn't run?  When you are RDP'd into a box, you can usually look at a local report; it might tell you more.  Another thing you could do would be trigger an eval while you are looking, and then go read the log files; and see what it's whining about.
     
    mofmaster@myitforum.com
    My Blog
    Microsoft MVP 2007-2015 - ConfigMgr
     
    #2
      jdomeier

      • Total Posts : 159
      • Scores: 0
      • Reward points : 33570
      • Joined: 4/12/2006
      • Status: offline
      Re:Software Compliance Setting in SCCM 2012 - Baseline and Configuration Item not working Monday, March 06, 2017 10:16 AM (permalink)
      0
      Attention: The 5th line down was added automatically  on this forum when I tried to highlight the date in Red.. Sorry.. Maybe Rod Trent could fix that?
      The Compliance Rule Guts:
      Rule Type: Value
      Property: Date Modified
      The setting must comply with the following rule section.... Equals the date is 2/24/1970 2:37:13PM?  [/style]I figured I wanted all the files information of Date Modified to a Date that I know is not existent because I don't know if there is a file that is older than 1970? :-)
      Report Noncompliance if this setting Instance is not Found is checked..
      Noncompliance severity for reports is set to Information.  I hope that is what you wanted...
       
      I'll try the other tips you noted on the failed ones to see If I see anything.. Are the log files the DCMAgent.log and the DCMReporting.log files only or are there other ones I need to check? 
      Sherry you asked if the Baseline only has the CI in it and Yes it does. [/style]
       
      Also is there a way inside this forum I can do a copy and paste? or attach a jpg file?  Or not?
       
      Thanks
      Jerry 
        
       
      [/style]
      [/style]
      [/style]
      [/style]
      <message edited by jdomeier on Monday, March 06, 2017 10:22 AM>
       
      #3
        skissinger

        • Total Posts : 5126
        • Scores: 504
        • Reward points : 195100
        • Joined: 9/13/2001
        • Location: Sherry Kissinger
        • Status: offline
        Re:Software Compliance Setting in SCCM 2012 - Baseline and Configuration Item not working Monday, March 06, 2017 12:52 PM (permalink)
        0
        On the client, after running something on a client and you are trying to track down an error, another log to look at is DCMWmiProvider.log
         
        mofmaster@myitforum.com
        My Blog
        Microsoft MVP 2007-2015 - ConfigMgr
         
        #4
          jdomeier

          • Total Posts : 159
          • Scores: 0
          • Reward points : 33570
          • Joined: 4/12/2006
          • Status: offline
          Re:Software Compliance Setting in SCCM 2012 - Baseline and Configuration Item not working Monday, March 06, 2017 2:13 PM (permalink)
          0
          An Update on the failures.. I checked the deployment status of the CI/Baseline and the Error ID: 0x80070005, Description: Access Denied Error Category: Discovery
           
          inside the DCMWMIProvider.log file.. errors: CPermissionWMIProvider::ExecQueryAsync - Failed (0x800070005)
          Failed to Process blah blah blah.
          Also looked inside the Configuration Manager applet in the control panel on the failed system ran the evaluate and it errored out.. and Viewed the report and Errors erros everywhere.. 
          Compliance State: Error
          Non Compliance Severity: Critical
           
          However, on the same pc, it ran other CIs/baselines fine.. that I created in the past and these are working..
           
           
           
          #5
            skissinger

            • Total Posts : 5126
            • Scores: 504
            • Reward points : 195100
            • Joined: 9/13/2001
            • Location: Sherry Kissinger
            • Status: offline
            Re:Software Compliance Setting in SCCM 2012 - Baseline and Configuration Item not working Monday, March 06, 2017 2:53 PM (permalink)
            0
            is this an "application" or "operating system" type CI (in the list of Configuration Items, there's a column for type)
            If it is an "application" type, when you look at the CI, there will be a tab for "Detection Methods".  what's in there?
            fyi, 0x800070005 generally simply means "access denied".  Since a CI usually runs as "SYSTEM" one would "assume" that NT Authority\System would have the rights to do whatever it is you are asking it to do, but perhaps in your case, in your environment, that isn't the case, in certain situations?
            I know you are trying to "fix" the existing CI.  But... "what if" you were to make a WHOLE new CI, and a WHOLE new Baseline to hold that CI, and target just this ONE box.  Take it slow; test individual pieces of it... like if you KNOW that file is exactly specifically in c:\program files\blah\blah, look for it in that one location, without the 'include subfolders'; and just see if it'll detect how you think it should detect when looking in one, absolutely positively you are sure location.  If it works, then change it to c:\program files\blah, + subfolders; and retest.  then retest at c:\program files, etc. etc.  Sometimes that's how it works--you have to piece meal it out, and look at the individual slices until you find where it "fails", and THEN you can make some guesses on what is causing the failures.
             
            mofmaster@myitforum.com
            My Blog
            Microsoft MVP 2007-2015 - ConfigMgr
             
            #6
              jdomeier

              • Total Posts : 159
              • Scores: 0
              • Reward points : 33570
              • Joined: 4/12/2006
              • Status: offline
              Re:Software Compliance Setting in SCCM 2012 - Baseline and Configuration Item not working Monday, March 06, 2017 3:08 PM (permalink)
              0
              Type: Operating System
              How do I create the CI as an Application?
              I'll re create a new CI with a new Baseline and deploy to the problem system and see what happens there. It's just weird that it was working at first when I created the CI/Baseline.. DOH!
               
               
              A different Topic of the Baseline's Change Revision -  I noticed that the Revision Number whenever you add or edit something inside the CI changes to a newer number like from 1 to 2 or 3 - 4 etc..  There's a setting that says always use the latest.. That does not work well for me I've noticed too, but that's a different story.. 
               
              Thanks for the quick replies...
               
               
               
              #7
                skissinger

                • Total Posts : 5126
                • Scores: 504
                • Reward points : 195100
                • Joined: 9/13/2001
                • Location: Sherry Kissinger
                • Status: offline
                Re:Software Compliance Setting in SCCM 2012 - Baseline and Configuration Item not working Tuesday, March 07, 2017 4:54 PM (permalink)
                0
                If you 'choose' to create an application type ci, it's when you are first creating the CI.  there's a checkbox.  it's pretty much a one-time chance to do so.
                regarding revisions: my guess is that it's doing exactly what it's supposed to be doing--it's just that you are trying to edit, test, edit, test, all within a short span of time--and ConfigItems and Baselines have some built-in don't-kill-your-hierarchy stages behind the scenes.  what I usually do, is when I edit a CI, I also go Edit the Baseline that CI is inside, and just add a period or something to the description.  Just so that the Baseline version ALSO increments (not just the CI version).  that way, when I'm testing at a client, and hitting policy refresh over and over and over again (because I'm impatient) I can tell when I REALLY got the update by seeing the version change on the control panel applet tab, for the baseline.  the trick is of course to edit the baseline after editing the CI.
                mofmaster@myitforum.com
                My Blog
                Microsoft MVP 2007-2015 - ConfigMgr
                 
                #8
                  jdomeier

                  • Total Posts : 159
                  • Scores: 0
                  • Reward points : 33570
                  • Joined: 4/12/2006
                  • Status: offline
                  Re:Software Compliance Setting in SCCM 2012 - Baseline and Configuration Item not working Wednesday, March 08, 2017 10:54 AM (permalink)
                  0
                  Sherry K - An update..
                  Removed the CI s and Baselines for this file lookup... Recreated a New CI as Application and Baseline and retried the same rules to look at the C:\ drive and subfolders..... redeployed to the one failed one and still failed.  I updated the CI to point to the path location of this file, pointed to the updated revision, deployed it to a different failed system and it worked!!  I'm thinking whatever system account it is using does not have access to search the C:\???  Have you ever heard of that?  We have a sccm service account that has certain local admin rights.. Just wondering if you ever had to or even can run a CI as a certain authenticated user with local admin rights?  I suspect it would need to be written in some sort of script?
                   
                  Another question is what account is used to scan for the software Inventory people use in their sccm environment because that account can scan for .exe files located on the root of C:\  if that account can retrieve that information then why can it not work in the CI? Are there 2 different accounts being used here?
                   
                  By the way have you tried what I'm trying to in your own environment? I know you have plenty of spare time on your hands right?. :-)
                  Thanks
                  Jerry
                  <message edited by jdomeier on Wednesday, March 08, 2017 11:00 AM>
                   
                  #9
                    Online Bookmarks Sharing: Share/Bookmark

                    Jump to:

                    Current active users

                    There are 0 members and 1 guests.

                    Icon Legend and Permission

                    • New Messages
                    • No New Messages
                    • Hot Topic w/ New Messages
                    • Hot Topic w/o New Messages
                    • Locked w/ New Messages
                    • Locked w/o New Messages
                    • Read Message
                    • Post New Thread
                    • Reply to message
                    • Post New Poll
                    • Submit Vote
                    • Post reward post
                    • Delete my own posts
                    • Delete my own threads
                    • Rate post

                    2000-2017 ASPPlayground.NET Forum Version 3.9