Reinstalling a Management Point on a Secondary Site

I recently ran into an issue where one of my SCCM 2012 SP1 (Cu3) secondary sites that is hosted on a Hyper-V server had a corrupt management point after a power failure in the facility.

The SMS_MP_CONTROL_MANAGER showed the following errors when the site server came back online:


Since this site system is a Secondary Site I could not simply remove the role and re-add it (A management point is a requirement for a Secondary Site).  I decided to try the following before delving into reinstalling the Secondary Site.

This is an HTTP based Management Point so I first flipped it to HTTPS, which triggers a reinstall of the MP:


As you might expect, this results in a failure since IIS is not configured to support SSL.  This is fine as it is only a temporary measure.


I then flipped it BACK to HTTP, which once again triggers a reinstall of the MP:


My Management Point is now successfully reinstalled and no longer reporting errors.


Quick and painless!  🙂

Disclaimer: I have no idea if this is a “supported” process from Microsoft so you should research your issue thoroughly and contact MS Support if needed.


SCCM 2012 Content Library Explained

A great post by Yvette OMeally on the System Center Configuration Manager Team Blog that explains the new Content Library in SCCM 2012. This is a must read for admins who are new to 2012!

Create Prestage Content Failure and UAC

If like me, you don’t typically execute the SCCM Administrator Console with “Run as Administrator” option I think you are generally in good company. Day to day administration does not require you to elevate the admin console so rarely do I do so.

Today I needed to create prestaged content for a Distribution Point located on the other side of a pretty high latency, low bandwidth WAN connection to China.  (Cannot get a sizable Software Updates Package to successfully send to this DP, after several attempts, but that’s another story)

As I do every day I launched the Admin console (without elevation).  I navigated to the offending Software Updated package and walked through the “Create Prestage Content File” wizard.  Shortly after the process began, it failed.

After reviewing the {SCCMInstalDirectory}\AdminConsole\AdminUILog\PrestageContent.log I received the following error:

Creating prestaged content file failed due to user not having sufficient rights.

The obvious next step for me was to close and reopen the console as an administrator and viola, the process completed without error.

Forcing an Endpoint Protection Scan on an individual computer

One of the many great new features on SCCM 2012 (SP1) is new Fast Channel/Client notification that among other things allows you to trigger a Endpoint Protection operation such as Full Scan.

You can read all the fascinating details here:

There is a small “gotcha” however to be aware of to ensure you don’t accidentally trigger an operation on many or all of your devices if you are only targeting one.  Yikes!

Consider the following scenario:
You have a device that is reporting repeat malware infections. In turn, you wish to force a Full Scan on that device in an attempt to clear up the malware issues so you go to your Configuration Manager Administrator Console and navigate to Assets and Compliance>Devices.  You enter the computer name in the Search field and click Search.  You then right click the device and sele… wait a minute… the “Endpoint Protection” option is missing from the context menu (as well as the ribbon)?


Before you call Microsoft to help troubleshoot why this option isn’t available rest assured its nothing you are doing or not doing.  This is by design (although for the life of me I can’t think of why other than there may have been an oversight or some underlying code that forces this limitation?)

Well what to do?  The good news is there IS still a very valid way of triggering an operation on a single device.  You must navigate to the Device Collections node and locate any collection that would contain the device you are seeking.  You may notice that simply selecting any collection (including All Systems) brings the “Endpoint Protection” option to the ribbon.


This is useful if you wish to trigger the operation on the entire collection.  To trigger for the individual machine however select Show Members from the ribbon with the collection selected.


This will open a new node in the console showing all members of the collection.  Click to select the machine you are wanting to target from the list.  You will notice the Endpoint Protection option still in the Ribbon.  DO NOT CLICK IT.  If you look carefully you will see that this option still only appears in the “Collection” category on the ribbon.  Clicking this will indeed trigger the operation on every machine in the collection.


Unlike many areas of the Admin Console, when you select an Item, the available options for that item appear on the Ribbon.  This is not the case for Endpoint Protection.  You must right-click the individual device and select Endpoint Protection from the context menu.


You will be prompted to click OK prior to the action being initiated.  This confirmation dialog also shows you how many devices will be targeted.


Although this method is certainly acceptable for triggering an Endpoint Protection action, you can see how one may overlook that the ribbon is still in the Collection context if not paying close attention.

Now start scanning!!

Preparing for SCCM 2012 Client Upgrade

Thought I would throw this gotcha out in case anyone else runs into this.

The scenario:  Installing SCCM 2012 Client Prerequisites prior to your upgrade.

After updating my WIM image with all the prereqs (that are applicable) from the SCCM 2012 Client directory, I then did a test deployment against my existing SCCM 2007 Infrastructure.  My Task Sequence step that installs FEP 2010 failed. (Fep-ApplyPolicy-WCOMPUTERNAME.log shows “ERROR FEP Client Installation failed.  Error Code 0x8004FF52”

Upon further investigation it was the SCCM 2012 prerq “Windows Firewall Configuration Provider” causing the fail.

Specifically the following message is displayed if you run the install with the GUI:

“One or more programs on your computer conflict with Forefront Endpoint Protection.  To Install Forefront Endpoint Protection, you must remove the following programs and then run the installation wizard again:

Windows Firewall Configuration Provider”

So long story short, do not pre-deploy this update prior to your SCCM 2012 client upgrade.  😉

So far the other prereqs seem to be fine and highly recommend you deploy these prior to your client upgrade otherwise the client install can be VERY lengthy. Especially .NET Framework 4.0.

*A side note, in my environment I also added Silverlight 5 to my image and will be deploying that out to all existing clients with the other prereqs as well (excluding Windows Firewall Configuration Provider of course!).  Silverlight 4 is included with SCCM 2012 RTM Client however SCCM 2012 SP1 will require Silverlight 5 and its backwards compatible with SCCM RTM.