Upgrade guide for SCCM 2012 R2 (With known issues)

Johan Arwidmark has created a nice guide outlining the upgrade process from SCCM 2012 SP1 to R2/MDT 2013. This blog post also contains a few known issues with R2 and potential workarounds. A great read for those about to upgrade!



Loopback Group Policy processing

If you have ever worked with RDS or Citrix, you are certain to have come across the need for Loopback processing for GPOs. There's a slew of websites that explain how the processing works; however, this blog post does a great job of explaining Replace vs. Merge mode, making the explanation visual (albeit with some dated graphics :P)


Create Prestage Content Failure and UAC

If, like me, you don’t typically launch the SCCM Administrator Console with the “Run as Administrator” option, I think you are generally in good company. Day-to-day administration does not require you to elevate the admin console, so rarely do I do so.

Today I needed to create prestaged content for a Distribution Point located on the other side of a pretty high latency, low bandwidth WAN connection to China.  (Cannot get a sizable Software Updates Package to successfully send to this DP, after several attempts, but that’s another story)

As I do every day, I launched the Admin console (without elevation). I navigated to the offending Software Updates package and walked through the “Create Prestage Content File” wizard. Shortly after the process began, it failed.

Reviewing {SCCMInstallDirectory}\AdminConsole\AdminUILog\PrestageContent.log, I found the following error:

Creating prestaged content file failed due to user not having sufficient rights.

The obvious next step for me was to close and reopen the console as an administrator and voilà, the process completed without error.

Forcing an Endpoint Protection Scan on an individual computer

One of the many great new features in SCCM 2012 (SP1) is the new Fast Channel/Client notification, which among other things allows you to trigger an Endpoint Protection operation such as a Full Scan.

You can read all the fascinating details here:

There is a small “gotcha” however to be aware of to ensure you don’t accidentally trigger an operation on many or all of your devices if you are only targeting one.  Yikes!

Consider the following scenario:
You have a device that is reporting repeat malware infections. In turn, you wish to force a Full Scan on that device in an attempt to clear up the malware issues, so you go to your Configuration Manager Administrator Console and navigate to Assets and Compliance > Devices. You enter the computer name in the Search field and click Search. You then right-click the device and sele… wait a minute… the “Endpoint Protection” option is missing from the context menu (as well as the ribbon)?


Before you call Microsoft to help troubleshoot why this option isn’t available, rest assured it’s nothing you are doing or not doing. This is by design (although for the life of me I can’t think of why, other than there may have been an oversight or some underlying code that forces this limitation?)

Well what to do?  The good news is there IS still a very valid way of triggering an operation on a single device.  You must navigate to the Device Collections node and locate any collection that would contain the device you are seeking.  You may notice that simply selecting any collection (including All Systems) brings the “Endpoint Protection” option to the ribbon.


This is useful if you wish to trigger the operation on the entire collection. To trigger it for the individual machine, however, select Show Members from the ribbon with the collection selected.


This will open a new node in the console showing all members of the collection.  Click to select the machine you are wanting to target from the list.  You will notice the Endpoint Protection option still in the Ribbon.  DO NOT CLICK IT.  If you look carefully you will see that this option still only appears in the “Collection” category on the ribbon.  Clicking this will indeed trigger the operation on every machine in the collection.


In many areas of the Admin Console, when you select an item, the available options for that item appear on the ribbon. This is not the case for Endpoint Protection. You must right-click the individual device and select Endpoint Protection from the context menu.


You will be prompted to click OK prior to the action being initiated.  This confirmation dialog also shows you how many devices will be targeted.


Although this method is certainly acceptable for triggering an Endpoint Protection action, you can see how one may overlook that the ribbon is still in the Collection context if not paying close attention.

Now start scanning!!
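
If you would rather take the ribbon out of the equation, the same single-device Full Scan can be triggered from PowerShell with a guard that refuses to run unless exactly one device matches. This is an added example, not part of the original post; it assumes the ConfigurationManager module that ships with the console is imported and provides Get-CMDevice and Invoke-CMEndpointProtectionScan, and that your current location is the site drive. The function name and the device name in the usage comment are made up for illustration.

```powershell
# Added example: trigger a Full Endpoint Protection scan on exactly one device.
# Assumes: ConfigurationManager module imported, current location is the site drive.
function Invoke-SingleDeviceFullScan {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$DeviceName
    )

    # Reject wildcard characters so the lookup cannot expand to many devices.
    if ([System.Management.Automation.WildcardPattern]::ContainsWildcardCharacters($DeviceName)) {
        throw "Wildcards are not allowed in the device name: '$DeviceName'"
    }

    # Look the device up and keep only exact name matches.
    $found = @(Get-CMDevice -Name $DeviceName |
               Where-Object { $_.Name -eq $DeviceName })

    # Zero matches means a typo; more than one means duplicate records.
    # Either way, stop before any client notification is sent.
    if ($found.Count -ne 1) {
        throw "Expected exactly 1 device named '$DeviceName', found $($found.Count). No scan triggered."
    }

    $device = $found[0]
    $target = "$($device.Name) (ResourceID $($device.ResourceID))"

    # Mirrors the console's OK dialog: shows what will be targeted and
    # waits for confirmation (or use -WhatIf for a dry run).
    if ($PSCmdlet.ShouldProcess($target, 'Full Endpoint Protection scan on 1 device')) {
        Invoke-CMEndpointProtectionScan -DeviceId $device.ResourceID -ScanType Full
        Write-Verbose "Full scan requested for $target"
    }
}

# Usage (hypothetical device name):
#   Invoke-SingleDeviceFullScan -DeviceName 'WS-EXAMPLE-01' -WhatIf
#   Invoke-SingleDeviceFullScan -DeviceName 'WS-EXAMPLE-01' -Verbose
```

Because the scan is requested by ResourceID rather than by collection, there is no collection context to leave selected by mistake.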