Removing Symantec Outlook Add-in using SCCM

Hi guys,

This week I have been looking into an issue a customer of mine has been experiencing with the Symantec Outlook Add-in crashing repeatedly and taking Outlook down with it, which is a poor user experience.

In order to resolve this issue we decided that the best solution was simply to remove the Add-in from the Symantec Endpoint Protection installation. However, this was complicated by the fact that the Add-in was already installed on all of the workstations, and that it is an optional component of the Symantec Endpoint Protection installation rather than a separate application listed in Programs and Features.

Looking in Programs and Features and choosing to modify the Symantec Endpoint Protection installation shows me that the feature is currently installed…

And I want it to change to having the feature removed…

New Installations

As always I took a two-stage approach to resolving this issue: firstly, modify the installation process for Symantec Endpoint Protection so that any workstations that still need to install Symantec (primarily during OSD) are not deployed with the issue; secondly, target a remediation process at the existing workstations. This saves freshly deployed workstations from having to run the fix post-deployment, and it also means the number of unremediated systems can only ever decrease, as no new affected systems will be introduced to the environment.

The resolution for the new installations was a simple process of adding the following additional lines to the end of the SetAid.ini file, which is included in the Symantec Endpoint Protection source files. This file simply instructs the MSI installer which components to install; setting OutlookSnapin to 0 means that the component we want to exclude is skipped.

After updating the INI file I had to redistribute the content to the Distribution Points. I then tested this on a workstation and confirmed that the changes were successful.

Now I know I will not have any additional systems with the Outlook Add-in enabled I can start to resolve the issue on all of my existing workstations.

Existing installations

As we are using SCCM to deploy Symantec Endpoint Protection we already had an application which would perform the installations and I have already modified this application so that new installations will not have the Outlook Add-in enabled. As the application is an MSI type, simply re-running the application on the workstations will modify the existing installation to the desired state.

In order to correctly identify whether a workstation needed to re-run the installation, I needed to modify the Detection Method for the application so that it checks both that Symantec Endpoint Protection is installed and that the Outlook Add-in is NOT installed. The existing application only detected whether Symantec Endpoint Protection was installed, so this had to change.

Unfortunately SCCM does not currently have the capability to check that a file, folder or registry entry does NOT exist as part of a detection method; it can only check that these items exist. However, it is possible to use a script as the detection method, which means that as long as I can write a script that performs the detection I need, I should be able to identify these systems successfully.

SCCM can run PowerShell, VBScript and JScript for the Detection Method, and as I am more proficient in PowerShell I chose this option. The question now was what criteria I should be querying.

To identify this I simply ran Process Explorer on a test workstation whilst I manually performed the installation of the Outlook Add-in. Analysing the actions of the MSIEXEC process showed me that new files were created in the C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.770.0000.105\Bin\ folder during the installation, specifically a file called OutlookSessionPlugin.dll.

I also know that in order to identify applications installed on a Windows workstation I can check the registry for an entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, and looking on a test workstation I can see that the MSI product code is {713C5DAE-75BA-4DCA-B328-F96B129DCFD5}.

Now that I know the criteria for a ‘correct’ installation, I can write a PowerShell script which detects those criteria and returns the correct result to SCCM. This code is:

# The Add-in DLL must be absent and the SEP MSI product code must be present for the install to be 'correct'
$FilePath = "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.770.0000.105\Bin\OutlookSessionPlugin.dll"
$RegPath  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{713C5DAE-75BA-4DCA-B328-F96B129DCFD5}"
# SCCM treats output with exit code 0 as 'installed' and no output as 'not installed', so there is no Else branch to write
If ((!(Test-Path -LiteralPath $FilePath)) -and (Test-Path -LiteralPath $RegPath)) { Write-Host "Installed" }

I then ran this manually on a test workstation both WITH and WITHOUT the Outlook Add-in and confirmed that the script returns the correct results. I was then able to paste this script into the Detection Method for my application in SCCM.
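The script above hard-codes the 14.2.770.0000.105 build folder, so the detection rule silently breaks the next time SEP is upgraded. The following is an added example, not code from the original post, of a version-independent variant: the product code and the OutlookSessionPlugin.dll file name are taken from the post, while the wildcard over the build folder (an assumption that SEP keeps one <version>\Bin folder per build under its install root) replaces the hard-coded path.

```powershell
# Added example, not code from the original post.
# Assumption: SEP installs one <version>\Bin folder per build under its install root.
$ProductCode  = '{713C5DAE-75BA-4DCA-B328-F96B129DCFD5}'
$UninstallKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode"
$SepRoot      = Join-Path ${env:ProgramFiles(x86)} 'Symantec\Symantec Endpoint Protection'

function Test-SepInstalled {
    # SEP itself is present when its MSI product code has an Uninstall entry
    Test-Path -LiteralPath $UninstallKey
}

function Get-OutlookAddinFiles {
    # Every build folder under the SEP root that still carries the Outlook plug-in DLL
    if (-not (Test-Path -LiteralPath $SepRoot)) { return @() }
    Get-ChildItem -Path $SepRoot -Directory |
        ForEach-Object { Join-Path $_.FullName 'Bin\OutlookSessionPlugin.dll' } |
        Where-Object { Test-Path -LiteralPath $_ }
}

# SCCM rule for script detection: anything on STDOUT with exit code 0 means 'installed',
# no output with exit code 0 means 'not installed'. The desired state is SEP present AND
# the Add-in DLL absent from every build folder, so only that case writes output.
$addinFiles = @(Get-OutlookAddinFiles)
if ((Test-SepInstalled) -and ($addinFiles.Count -eq 0)) {
    Write-Output 'Installed'
}
exit 0
```

Because the check enumerates every build folder, a workstation that has been upgraded in place and still has an older build folder containing the DLL is also reported as not remediated, which is the safer verdict for a Required deployment.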

Now I simply need to test my updated application to ensure that I get the desired results. To do this I deployed the application as ‘Available’ to a collection containing my two test workstations, one with and one without the Outlook Add-in.

Monitoring the AppDiscovery.log I can then see that on my workstation without the Add-in the application is successfully detected, but on my workstation with the Add-in installed the application is not detected.

Clicking ‘Install’ forced the SCCM client to commence the installation of Symantec Endpoint Protection. Once complete the application is successfully detected.

Having tested the updated SCCM application, I am now confident to deploy the application as Required to all of my workstations and complete the task.

Building an SCCM Technical Preview lab

In this modern age of desktop management the rate of change in the management tools is more frequent than ever before.

In order to stay ahead of the curve with SCCM I find it essential to always have an SCCM site stood up using the Technical Preview release, in order to test the new features that Microsoft release on a regular basis.

In this post I am going to walk you through the process I follow whenever I need to stand up a new SCCM Technical Preview site.

Install SQL

Firstly I need to install SQL on the allocated server. The highest version currently supported by SCCM is SQL 2017, so this is what I will be installing following the process below:

Mount the SQL ISO file and execute setup.exe

Select to install a new stand-alone installation

Choose to install SQL in Evaluation, or enter a product key if you wish to use this environment for more than 180 days

Review and accept the license terms if agreeable

Because I want to ensure we have the latest hotfixes and security updates, select to use Microsoft Update

I can see a warning telling me that the Windows firewall does not have the SQL ports enabled for remote access. In this scenario this is acceptable as all SQL traffic will be hosted on this single server

The only feature required for SCCM is ‘Database Engine Services’, so I select this

Leave the instance configuration as the default configuration

In the Server Configuration section I need to change the SQL Server Database Engine service to run using the local SYSTEM account; all other options can be left at the default configuration. Be aware that the SQL collation is a critical dependency for SCCM: in SQL 2017 the default collation is the required value of SQL_Latin1_General_CP1_CI_AS, but previous versions of SQL had a different default collation, so double-check this and modify it if appropriate

Add any SQL Server Administrators that are required. I also like to change the default Data Directories to a drive other than C, as this is SQL best practice, although in a small test environment this is probably less important

I can now review the options I have chosen through the wizard and click Install

And eventually the installation will complete

Preparing the Server

I can now start to install and configure the various components that SCCM features rely upon for functionality. My preferred method for performing these tasks is the awesome ConfigMgr Prerequisites Tool written by Nickolaj Andersen and available for download at the Microsoft TechNet gallery https://gallery.technet.microsoft.com/ConfigMgr-2012-R2-e52919cd

Firstly launch the tool and select to install the prerequisites for a Primary site

Now because I am going to be installing the Management Point and Distribution Points on the same server we need to navigate to Roles and select Management Point then Install

Then the same for the Distribution Point role

Now I need to install the Windows ADK. To do this navigate to ADK and click Load. This will query the Microsoft download servers and determine the latest version of the ADK available for download

As you can see Windows 10 1903 is the latest available at the time of writing. Select this and click Install

Then, because Microsoft have now split the main ADK and the WinPE components into two separate downloads, I will also need to select the option with ‘WinPE add-on’ and click Install

Now I need to install WSUS on the server so I can perform testing of the Software Updates component of SCCM, so I navigate to WSUS, leave the option as SQL Server and click

Now that the WSUS installation is complete I need to complete the post-installation options of WSUS. To do this navigate to Post-Install and click Configure. I will need to manually create the folder for WSUS content outside of the tool, and input ‘localhost’ for the server name

Now I need to change the SQL memory configuration. In order to do this I need to provide the tool with the location of the SQL instance where we will be installing SCCM, so I navigate to Settings, enter ‘localhost’ for the server name and click Connect

I can now navigate to SQL Server, leave the default database memory configuration of 8GB and click Configure
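Before running SCCM setup it is worth confirming, from the server itself, the three SQL settings the steps above depend on: the collation from the SQL install section, the Database Engine service account, and the max server memory just configured. The following is an added example, not part of the original post or of the prerequisites tool; it assumes a default instance on the local server reachable as localhost with Windows authentication, uses plain System.Data.SqlClient so no SQL PowerShell module is needed, and assumes the tool's 8GB setting corresponds to 8192 MB.

```powershell
# Added example, not from the original post. Assumes a local default instance ('localhost'),
# Windows authentication, and that the prerequisites tool's 8GB equals 8192 MB.
function Get-SqlScalar {
    param([string]$Instance, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Integrated Security=True"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $cmd.ExecuteScalar()
    } finally {
        $conn.Dispose()
    }
}

function Test-SccmSqlPrerequisites {
    param([string]$Instance = 'localhost')
    # Collation is a hard SCCM dependency; SQL 2017 defaults to the required value, older versions may not
    $collation = Get-SqlScalar $Instance "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('Collation'))"
    # Value currently in effect for max server memory, as set by sp_configure / the prerequisites tool
    $maxMemMb  = [int](Get-SqlScalar $Instance "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'max server memory (MB)'")
    # Account the Database Engine service runs as (the post changes this to local SYSTEM)
    $svcAcct   = Get-SqlScalar $Instance "SELECT service_account FROM sys.dm_server_services WHERE servicename LIKE 'SQL Server (%'"

    [pscustomobject]@{
        Collation        = $collation
        CollationOk      = ($collation -eq 'SQL_Latin1_General_CP1_CI_AS')
        MaxServerMemoryMB = $maxMemMb
        MaxMemoryOk      = ($maxMemMb -eq 8192)
        ServiceAccount   = $svcAcct
        RunsAsSystem     = ($svcAcct -match 'SYSTEM$')
    }
}

Test-SccmSqlPrerequisites | Format-List
```

If CollationOk comes back False, fix it before SCCM setup runs; the installer's prerequisite check will refuse a wrong collation, and changing it after the databases exist is far more disruptive than reinstalling SQL on a lab server.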

I have now completed all of the prerequisites for SCCM, so I can proceed to installing SCCM

Installing SCCM

Firstly it is necessary to download the latest Technical Preview build from the Evaluation Center and extract the contents. At this time the latest build available for download is 1907, which we will later upgrade to 1909 through the in-console upgrade process

https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview

After extracting the files for the latest Technical Preview, navigate to C:\SC_Configmgr_SCEP_TechPreview1907\SMSSETUP\BIN\X64 and run setup.exe

Leave the default to install a Configuration Manager primary site

Accept the three EULAs

Select a location to download the SCCM pre-requisite files

Select any additional languages for the server

And then select any additional languages for the client

Enter a three character site code, a site name and a location to install SCCM

Then modify any SQL settings as necessary. (For the options we have chosen so far in this tutorial this is not necessary)

Modify the SQL file locations if necessary

And select the SMS provider server name

Select to only use HTTP for client-server communications

Leave the selection to install the Management Point and Distribution Point on this server

Accept to send usage data to Microsoft (this is non-optional in Technical Preview)

Install the Service Connection Point on the local server

Review and confirm the options we have selected

The setup wizard now performs a pre-requisite check and I can see the following screen indicating that I am ready to click Begin Install

The installation will then commence and eventually will complete

This completes the initial installation of SCCM

Updating SCCM

Now that I have my SCCM Technical Preview site up and running, I want to upgrade it to the latest version so I can see all of the cool new features that Microsoft are working on.

To do this I first need to launch the SCCM console and navigate to Administration > Updates and Servicing, where I should see the latest Technical Preview version listed as Ready to Install. Click on Install Update Pack in the ribbon bar

Note – It may take a while for the latest update to show in the console with a status of Ready to Install. This is because the Service Connection Point may take some time to communicate with Microsoft and download the update. Clicking on the ‘Check for Updates’ button will force the process to initiate immediately

I can then see the types of updates that are included in the update pack; click

Select any features I want to enable and click Next. I can always enable these features later if they are not selected now

I can then select whether I want to upgrade my clients with or without validating on a test collection

Connecting SCCM to Upgrade Analytics

In my last post I detailed the process for deploying Upgrade Analytics and how to use SCCM to configure workstations to upload their telemetry data for processing in Upgrade Analytics.

Now that we have this data available to us in Upgrade Analytics, I am going to walk through the process of connecting SCCM to import the available Upgrade Analytics data back into the SCCM console. Doing so enables administrators to create SCCM collections based on the Upgrade Analytics data, and then in turn create deployments to remediate the issues identified with apps, drivers etc. that are currently blocking in-place upgrades of Windows 10 to the desired build.

Obviously a prerequisite to following this guide is to have fully deployed Upgrade Analytics according to my previous blog post.

Create Azure AD Web Application

The first stage of connecting SCCM to our existing Upgrade Analytics instance is to create an Azure AD Web Application which will then, in turn, be used to grant SCCM read permissions to the instance.

Firstly, navigate to http://portal.azure.com and log on with your Azure AD credentials. Then navigate to the existing Azure Active Directory instance and select ‘App registrations’.

Now click ‘New Application Registration’ and complete the details as below:

  • Name – Free text but call this something easily identifiable
  • Application Type – Select Web app / API
  • Sign-on URL – Does not need to be a valid URL (as we won’t be redirecting users to this address), but must be in a valid URL format with http:// or https:// as a prefix

And click ‘Create’

The Application will then be created and the details presented in the console

Now click ‘Settings’ then ‘Keys’ to be prompted to create a new Key. Complete the name of a new key (maximum 16 characters) and select the length of duration for the key.

Click ‘Save’

Important – At this stage you will be presented with the key in the form of a 43 character text string. I have deliberately not screenshotted my key, but this is the only time you will be able to read the key, so ensure you copy it now and store it securely. Also note the expiry date (although this can be retrieved later).

Also collect the Application ID and App ID URL from the key properties screen.
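The same registration can be created from PowerShell, which sidesteps the one-time-only display of the key: the secret goes straight from the API into a DPAPI-protected file instead of passing through a screen and the clipboard. This is an added example, not part of the original post, using the AzureAD PowerShell module; it assumes the module is installed, that the signed-in account may create app registrations, and that the display name, sign-on URL and output file path are illustrative values to be replaced. The portal's key name field is not set here.

```powershell
# Added example, not from the original post. Assumes the AzureAD module is installed and the
# signed-in account can create app registrations; display name, URL and file path are illustrative.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$displayName = 'SCCM-UpgradeAnalytics-Connector'          # illustrative, something easily identifiable
$signOnUrl   = 'https://sccm-upgrade-analytics.example'    # need not resolve; must be a valid http(s) URL
$secretPath  = Join-Path $env:USERPROFILE 'sccm-ua-secret.xml'   # illustrative output location

# 1. Web app / API registration. The identifier URI is the 'App ID URL' the SCCM wizard later asks for.
$app = New-AzureADApplication -DisplayName $displayName -Homepage $signOnUrl -IdentifierUris @($signOnUrl)

# 2. A key with a chosen duration. The returned Value is the secret and is only readable in this response.
$start  = Get-Date
$expiry = $start.AddYears(1)
$cred = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -StartDate $start -EndDate $expiry

# 3. A service principal, so the application can later be given a role on the resource group.
$sp = New-AzureADServicePrincipal -AppId $app.AppId

# Persist the secret as a SecureString: Export-Clixml encrypts it with DPAPI for this user on this machine,
# so the plain text never sits in the console transcript or the clipboard.
$secure = ConvertTo-SecureString -String $cred.Value -AsPlainText -Force
[pscustomobject]@{
    ApplicationId      = $app.AppId              # 'Client ID' in the SCCM wizard
    AppIdUrl           = $app.IdentifierUris[0]  # 'APP ID URL' in the SCCM wizard
    ServicePrincipalId = $sp.ObjectId            # used when assigning the role on the resource group
    ExpiryDate         = $expiry                 # 'Secret Key Expiry' in the SCCM wizard
    Secret             = $secure
} | Export-Clixml -Path $secretPath

"Registration details written to $secretPath"
```

Read the values back on the same machine and user account with Import-Clixml when completing the SCCM wizard; a file exported this way cannot be decrypted elsewhere, which is exactly the property you want for a secret that grants read access to the analytics workspace.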

Grant the New Application permissions to Upgrade Analytics

Now that we have successfully created our Azure AD application we need to grant it the required permissions so it can access the data stored in Upgrade Analytics.

To perform this, within the Azure Portal browse to Resource Groups and select the Resource Group that contains the Upgrade Analytics solution

Under ‘Add a role assignment’ select ‘Add’ and complete the presented screen as below, then click ‘Save’.

Note: It is required to assign the permissions at the Resource Group level as later in the process SCCM will need to create a

Configuring SCCM to connect to Upgrade Analytics

Now we have created our new Azure AD app and granted it the correct permissions we are ready to connect SCCM to Upgrade Analytics.

In the SCCM Console browse to Administration-Cloud Services-Azure Services.

Then right-click on ‘Azure Services’ and select ‘Configure Azure Services’. Complete the presented wizard as shown below.

Then ensure ‘AzurePublicCloud’ is selected and click ‘Import’

You will then need to complete the presented screen with all of the details listed below and click ‘Verify’

  • Azure AD Tenant Name – Free text field but name it something easily identifiable
  • Azure AD Tenant ID – This is the directory ID of your Azure AD instance. This can be found on the properties screen of Azure AD
  • Application Name – Free text field but name it something easily identifiable
  • Client ID – This is the App ID previously obtained
  • Secret Key – This is the Key previously obtained
  • Secret Key Expiry – Select the same expiry date that was noted when the key was created
  • APP ID URL – This is the previously collected value

Provided everything verifies successfully click ‘OK’ and then ‘Next’ in the wizard

Ensure that the correct Subscription, Resource Group and Windows Analytics workspace are selected and click ‘Next’

Review the settings and click ‘Next’

Once the wizard completes click ‘Close’. We can now see that the Upgrade Analytics Connector is listed in Azure Services

Now if we switch to the Monitoring – Upgrade Readiness node in the SCCM console we can see the data is displayed

This completes the configuration of connecting SCCM to Upgrade Analytics

Decommission SCCM Distribution Point

Hi all, as discussed in my previous blog post I have been tasked with replacing a client's Distribution Point servers. In that blog post I explained the process for commissioning the new DP servers, and in this post I will document the process for decommissioning the old DP servers.

Fortunately the process of decommissioning old Distribution Point servers is simple. All we need to do is remove the server from SCCM and then shut down the server, so let's go through the steps

  • Locate the server in SCCM console – Open the SCCM console and navigate to Administration -> Site Configuration -> Servers and Site Systems. Left click on the server you want to delete and confirm in the Site System Roles pane that the system only has the Distribution point and Site system roles (in this example we are going to be deleting the server sccmdp.testlab.com)

  • Delete the server from SCCM – Right click on the server to be removed and choose the ‘Delete’ option. You will then receive a confirmation dialogue; simply click Yes to confirm the deletion

  • Confirm deletion – You will now see that the old server no longer exists in the SCCM console

At this stage I would wait at least one hour before continuing. This allows any downloads already in progress to complete, and clients should no longer receive this Distribution Point as an available location for downloading content

  • Shutdown Server – Simply shut down the Operating System by clicking on the Start button and choosing the option to shut down

Complete – it really is that simple!

Commission new SCCM Distribution Point server

Hi all, in today’s post I am going to explain a task that one of my customers asked me to undertake on their behalf. They currently have multiple dedicated Distribution Points in their existing SCCM environment running Windows Server 2008 R2 and wish to migrate these servers to Windows Server 2016 servers.

In this guide we will be using the latest version of SCCM, at the time of writing this is SCCM Current Branch – Build 1610.

At a high level the steps we will be performing are:

  1. Preparing the server
  2. Adding the new server to the SCCM console
  3. Verify Installation
  4. Assign and obtain content from new Distribution Point

Note: It is possible to perform an in-place upgrade of the OS on a DP, but in this guide we will be standing up a new DP server. In a separate blog post I will explain the process for decommissioning the old DPs, which would need to be performed to complete my task.

1. Preparing the new server:

  1. Install the Operating System – In this guide we will be using Windows Server 2016, but the process will be the same for other Server OS versions
  2. Ensure the new server is named appropriately – it is not possible to reuse the same host name, so make sure you give the new server a new name. Note: In this guide we will name our new server SCCMDP
  3. Assign a second disk to the server – This step isn't essential, but it is considered good practice to keep the Windows installation and the SCCM Content Library on separate partitions at least, to ensure no possible conflicts. In this guide we will assign the new disk the letter D
  4. Domain join the new server – it is not essential for the server to be joined to the same domain as the SCCM site server, but if not there must be a trust relationship between the two domains. In this guide we will use the domain testlab.com
  5. Install latest updates on Server – As always, I would recommend taking this opportunity to ensure the new server is fully patched per your organization's patching policy
  6. Install the Distribution Point pre-requisites – Using Server Manager, install the required Roles and Features for the Distribution Point role. These are as follows (as documented on Microsoft TechNet here)
  7. Add the SCCM site server to local admins – The SCCM site server account needs to be added to the local Administrators group on the new server; this can either be the account itself or a group containing the site server
  8. Create NO_SMS_ON_DRIVE.SMS file – Later in this guide we will provide a drive letter for SCCM to use to create the Content Library; however, if this drive becomes full then the library will start using available space on the server's other drives. It is not desirable for the Content Library to spill onto the same drive as the Operating System, so to prevent this a file named NO_SMS_ON_DRIVE.SMS with no content should be created in the root of C: (more information on this process can be found on the TechNet site here)
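Steps 2, 7 and 8 above are the ones most often done by hand and then forgotten on the next server, so here they are as a script run on the new DP server. This is an added example, not part of the original post; it assumes the second disk is already online and lettered D:, that the site server's computer account is TESTLAB\SCCMSITE$ (a placeholder, the post does not name it), and that the old DP's host name is sccmdp as used in the decommissioning post. The Roles and Features from step 6 are deliberately not scripted, as that list is referenced to TechNet rather than reproduced here.

```powershell
# Added example, not from the original post. Placeholders: the site server computer account
# (TESTLAB\SCCMSITE$) and the old DP host name; D: is assumed to be the content drive.
$OldDpName         = 'sccmdp'            # host name of the DP being replaced (from the decommissioning post)
$SiteServerAccount = 'TESTLAB\SCCMSITE$' # placeholder: the site server's computer account
$ContentDrive      = 'D:'

function Assert-NewHostName {
    # Step 2: the new server must not reuse the old DP's host name
    if ($env:COMPUTERNAME -ieq $OldDpName) {
        throw "Host name '$env:COMPUTERNAME' matches the old DP; give the new server a different name"
    }
}

function New-NoSmsMarker {
    param([string]$Drive = 'C:')
    # Step 8: an empty NO_SMS_ON_DRIVE.SMS in the drive root stops the content library spilling onto it
    $marker = Join-Path $Drive 'NO_SMS_ON_DRIVE.SMS'
    if (-not (Test-Path -LiteralPath $marker)) {
        New-Item -Path $marker -ItemType File | Out-Null
    }
    $marker
}

function Add-SiteServerToLocalAdmins {
    param([string]$Account)
    # Step 7: idempotent add of the site server account (or a group containing it) to local Administrators
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($members -notcontains $Account) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Account
    }
}

Assert-NewHostName
if (-not (Test-Path -LiteralPath "$ContentDrive\")) { throw "Content drive $ContentDrive is not present" }
New-NoSmsMarker -Drive 'C:'
Add-SiteServerToLocalAdmins -Account $SiteServerAccount

# Show the end state so it can be eyeballed before the site system role is added
Get-Item -LiteralPath 'C:\NO_SMS_ON_DRIVE.SMS' | Select-Object FullName, Length
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
```

Note that the marker file is only created on C:; it must not be placed on D:, or SCCM will refuse to put the content library there in the wizard step that follows.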

OK, so we have now prepared our server and are ready to add the SCCM Distribution Point role

2. Adding the new Distribution Point to SCCM console

  1. Open the SCCM console – Open the SCCM console from any server and ensure that you logon using an account that has permissions to create new site servers (‘Full Administrator’ will have this ability)
  2. Navigate to Servers and Site System Roles – Once in the SCCM console, navigate to Administration -> Site Configuration -> Servers and Site System Roles
  3. Create Site System Server – From the ribbon bar select ‘Create Site System Server’ and enter the FQDN of our new Distribution Point server. Also, select the site in which the Distribution Point is to reside
  4. Specify Internet proxy server – Our Distribution Point server will not be contacting the Internet directly, so there is no need to specify a proxy server here
  5. Specify roles for this server – Here is where we specify the role we will be adding to our new server; obviously we want to choose Distribution Point
  6. Specify distribution point settings – On this page I recommend selecting the ‘Install and configure IIS if required by Configuration Manager’ option, as this will verify that IIS is configured correctly for the role. Configure any other settings as required in your environment
  7. Specify drive settings for this distribution point – On this page we need to change our ‘Primary content library location’ and ‘Primary package share location’ to the D drive; this ensures that both package types will be created on the D drive initially. Unfortunately it is not possible to disable the Secondary locations, so SCCM will attempt to use another drive once the Primary location drive drops below the 50 MB specified, but the NO_SMS_ON_DRIVE.SMS file we created earlier stops this from consuming space on the C drive and filling the OS drive
  8. Specify settings to configure a pull distribution point – We will not be using a pull Distribution Point in this guide, so leave this option disabled
  9. Specify settings to install operating systems by using PXE boot – In this guide we will not be configuring PXE booting for our new Distribution Point. This can be configured later if required
  10. Specify multicast settings for operating system deployment – In this guide we will not be configuring multicast for our new Distribution Point. This can be configured later if required
  11. Specify the content validation settings – On this page we are going to enable the content validation feature but leave the default schedule of every Saturday at 12am. This will ensure that the content on the DPs is validated on a regular basis
  12. Specify the boundary groups to associate with this site system – This page allows for assigning this new Distribution Point to a specific Boundary Group, meaning only clients in the Boundary Group can obtain content from the Distribution Point. If a Boundary Group is not specified then the content is available to all clients regardless of their Boundary Group. We will use the default Boundary Group
  13. Complete wizard – The summary and progress pages are then displayed. Simply skip through these

We have now completed the installation of our new Distribution Point so we are in a position to proceed with verifying the installation and ensuring content can be assigned to it successfully

3. Verify Installation

Now that we have installed our new Distribution Point we need to ensure that the installation was successful and that content can be assigned

  1. Check Distribution Point Status – In the SCCM console browse to Monitoring -> Distribution Status -> Distribution Point Configuration Status. Our new Distribution Point should now show in the list and have a green tick

Note: In my lab the Distribution Point initially displayed with a red cross. This was because SCCM tries to distribute the 4 SCCM client packages to all DPs in the hierarchy. Unfortunately, the site server attempts this before the installation of the DP role is complete, so initially the packages failed. SCCM does automatically retry failed packages every 30 minutes, and the client packages succeeded on the first retry

  2. Check file structure on the Distribution Point – On our new Distribution Point you should now see a folder structure on the D drive as below

After performing these checks I am happy that the DP installation has been verified and is ready for use

4. Assign and obtain content from new Distribution Point

Now that we have created the new Distribution Point we need to verify that clients can use it as a download location, to ensure it is operational. To do this we will assign an application to the DP and then check the download logs from a client to ensure it is using our new DP as the source location

  1. Assign content to Distribution Point – Using the SCCM console I am going to distribute the content of an existing Application to my new DP. To do this, navigate to Software Library -> Application Management -> Applications, select the desired application and click Distribute Content from the ribbon bar. You will then need to complete the wizard, ensuring that you select the new Distribution Point on the ‘Specify the content destination’ page
  2. Verifying content distribution – I can first see that the content is being processed, as the pie chart shows yellow for my only Distribution Point
  3. Eventually the status will change to success and the pie chart will show as green; this may take some time for larger applications
  4. Verify using log file (optional) – I can also verify the successful distribution of the application source files from the distmgr.log file on the SCCM site server. This is not necessary if the distribution is successful, but if errors are encountered this is the log file that will assist with diagnosing the issue
  5. Download content from client – Now that we know the content is available on our new Distribution Point, we can start a client download by manually executing the application on a workstation and checking the DataTransferService.log file to ensure the new DP is being used as the source location
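Step 5 is easier to check across many downloads if the log is parsed rather than read in CMTrace. The following is an added example, not part of the original post, that extracts the download source hosts from DataTransferService.log (the same parser works on AppDiscovery.log or any other CMTrace-format client log). The sample log lines are constructed to mimic the CMTrace envelope, <![LOG[message]LOG]!><time=... date=... component=... ...>, and the wording of the download message and the host names in them are illustrative; the parser relies only on the envelope and on an http(s) URL appearing in the message. The client log path C:\Windows\CCM\Logs is the standard location, but the sample runs entirely offline.

```powershell
# Added example, not from the original post. The log lines below are constructed sample data;
# host names and message wording are illustrative.
$SampleLog = @'
<![LOG[DTSJob {A1B2C3D4-0000-0000-0000-000000000001} created to download from 'http://newdp.testlab.com:80/SMS_DP_SMSPKG$/Content_1.1' to 'C:\Windows\ccmcache\1'.]LOG]!><time="10:15:02.123+000" date="01-17-2017" component="DataTransferService" context="" type="1" thread="1234" file="dtsjob.cpp:1">
<![LOG[DTSJob {A1B2C3D4-0000-0000-0000-000000000001} successfully completed download.]LOG]!><time="10:15:09.456+000" date="01-17-2017" component="DataTransferService" context="" type="1" thread="1234" file="dtsjob.cpp:2">
<![LOG[DTSJob {A1B2C3D4-0000-0000-0000-000000000002} created to download from 'http://newdp.testlab.com:80/SMS_DP_SMSPKG$/Content_2.1' to 'C:\Windows\ccmcache\2'.]LOG]!><time="10:16:00.000+000" date="01-17-2017" component="DataTransferService" context="" type="1" thread="1234" file="dtsjob.cpp:1">
<![LOG[DTSJob {A1B2C3D4-0000-0000-0000-000000000003} created to download from 'http://olddp.testlab.com:80/SMS_DP_SMSPKG$/Content_3.1' to 'C:\Windows\ccmcache\3'.]LOG]!><time="10:17:00.000+000" date="01-17-2017" component="DataTransferService" context="" type="1" thread="1234" file="dtsjob.cpp:1">
'@

function ConvertFrom-CmTraceLog {
    param([string[]]$Lines)
    # One object per single-line CMTrace entry: the message plus its time/date/component attributes
    foreach ($line in $Lines) {
        if ($line -match '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"') {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Message   = $Matches.msg
            }
        }
    }
}

function Get-DownloadSourceHosts {
    param([string[]]$Lines)
    # Count how many download jobs were sourced from each host named in an http(s) URL
    ConvertFrom-CmTraceLog -Lines $Lines |
        ForEach-Object {
            if ($_.Message -match 'https?://(?<host>[^/:''\s]+)') { $Matches.host }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceHost'; e = { $_.Name } }, Count
}

# Run against the constructed sample. On a real client replace $lines with:
#   Get-Content -LiteralPath 'C:\Windows\CCM\Logs\DataTransferService.log'
$lines = $SampleLog -split "`r?`n"
Get-DownloadSourceHosts -Lines $lines
```

For the sample above the output lists newdp.testlab.com with a count of 2 and olddp.testlab.com with a count of 1. A client that is still showing the old DP after the boundary group change is the one to investigate before the old server is decommissioned. Real CMTrace logs occasionally wrap one entry over several lines; those entries are skipped by this single-line parser rather than mis-attributed.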

This now proves that the new DP is serving content to clients successfully so we can continue to assign any additional content to the Distribution Point and be sure that clients will be able to access the content successfully.