WSUS Synchronization Failures in SCCM with HTTP Status 503

By | September 19, 2016

I ran into a new error today during a WSUS synchronization for SCCM Software Updates. Synchronizations had been running fine for a while, but it would fail after running for an extended amount of time. The error was easy to find in the wsyncmgr.log file in the Configuration Manager logs:

[Screenshot: the 503 error in wsyncmgr.log]

Usually when synchronization fails, it does so immediately due to WSUS not being configured properly, WSUS missing a hotfix, or not being mapped to the proper ports in IIS.

After a bit of research, I found a very useful article saying that the WSUS Application Pool in IIS may be running out of memory during synchronization. To help identify this issue, you will see the 503 error in wsyncmgr.log, and the Application pool for WSUS will be stopped in IIS when it fails:

[Screenshot: the WSUS application pool stopped in IIS]

To fix the issue, you can set the Private Memory Limit to 4000000 or 8000000 as recommended in the article and restart the application pool. You can then trigger a manual synchronization and monitor the log again.

[Screenshot: the Private Memory Limit setting for the WSUS application pool]

So far in testing this change in other environments, it appears that it can significantly improve performance and cut down on those sync times as well.
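
The check and fix described above can also be scripted on the WSUS server. This is an added example, not part of the original post; it assumes the WebAdministration module is available and that the pool has the default name WsusPool, and it uses the 4000000 value from the post.

```powershell
# Added example: inspect and raise the WSUS app pool Private Memory Limit.
# Assumption: the pool is named 'WsusPool' (the WSUS default); adjust if yours differs.
Import-Module WebAdministration

$pool   = 'WsusPool'
$path   = "IIS:\AppPools\$pool"
$prop   = 'recycling.periodicRestart.privateMemory'
$target = 4000000   # value from the post; IIS stores this limit in KB

# A stopped pool together with the 503 in wsyncmgr.log is the symptom described above.
$state   = (Get-WebAppPoolState -Name $pool).Value
$current = (Get-ItemProperty -Path $path -Name $prop).Value
Write-Output "Pool '$pool' is $state, Private Memory Limit is $current KB"

# 0 means "no limit", so only raise the value when a lower limit is configured.
if ($current -ne 0 -and $current -lt $target) {
    Set-ItemProperty -Path $path -Name $prop -Value $target
    Write-Output "Private Memory Limit raised to $target KB"
}

# Restart-WebAppPool fails on a stopped pool, so start it in that case.
if ($state -eq 'Stopped') {
    Start-WebAppPool -Name $pool
} else {
    Restart-WebAppPool -Name $pool
}

Write-Output "Pool '$pool' is now $((Get-WebAppPoolState -Name $pool).Value)"
```

After it runs, trigger a manual synchronization and watch wsyncmgr.log as described above.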

Bulk Assign Licenses in Office 365 Using PowerShell

By | September 13, 2016

If you manage an Office 365 tenant, you are probably familiar with assigning licenses to provision services for users. That process is pretty straightforward for a single user.

[Screenshot: assigning a license to a single user in the admin portal]

But how do you do it for a hundred or thousand people in your organization? PowerShell.

First, you will need to connect to Office 365 via PowerShell. If you haven’t done this before, follow these steps to install the prerequisites.

To connect to O365/MSOnline, use the following command:

Import-Module MSOnline
Connect-MsolService

You will be prompted for credentials – this needs to be a user with at least user management role permissions, but most operations in this module will require global admin permissions.

Next, you will need to get a list of licenses available in your tenant. This can be viewed easily in the admin portal under Billing, but is identified by the AccountSkuID in PowerShell. To generate a list of what is available and assigned, run the following command:

Get-MsolAccountSku

The results will contain your tenant name and SKU and look something like this:

[Screenshot: Get-MsolAccountSku output]

If you’re using E1/E3 licenses, they will have a name like “tenantname:ENTERPRISEPACK” or “tenantname:STANDARDPACK”.

Now that you know what you have available to assign, you need to determine which users will be assigned a license. This can be a difficult task, especially in larger organizations.

If you’re lucky enough to just assign all users in your tenant a license, your process will be relatively simple. Prior to assigning licenses, you must assign a location. This is a required field and is done by country. This will essentially provision the Exchange Online mailbox in the proper region and ensure that it follows all local laws, etc.

To assign the US location to a single user, you would use the following command:

Set-MsolUser -UserPrincipalName user@domain.com -UsageLocation US

All countries follow the 2-letter ISO code standard – a list of those can be found here.

Now, we’re using PowerShell – we want to actually bulk assign licenses and locations, not just do single users. To assign the US location to all of your tenant users, use the following command:

Get-MsolUser -All | Set-MsolUser -UsageLocation US

To verify the results, use the following command:

Get-MsolUser -All | Select DisplayName,UsageLocation

Once the location is assigned either through the admin portal or PowerShell, you can assign licenses. The following command would assign an E3 license to all users in the US only:

Get-MsolUser -All -UsageLocation 'US' | Set-MsolUserLicense -AddLicenses "tenantname:ENTERPRISEPACK"

There are several other properties that may be useful in narrowing down the scope of users to bulk assign licenses to. Use the following command to view only users that do not have a license assigned:

Get-MsolUser -UnlicensedUsersOnly

This command will assign licenses only to users with a specific domain name:

Get-MsolUser -All -DomainName 'joshheffner.com' | Set-MsolUserLicense -AddLicenses "tenantname:ENTERPRISEPACK"

A full list of properties to use with Get-MsolUser can be found here.

What if it isn’t this straightforward in your organization? You may have several countries, types of licenses, or maybe you want to assign licenses in batches. Sometimes it’s just easiest to assign both the location and license at the same time from a CSV file – this is usually the preferred method in larger organizations. This operation can be done with a simple PowerShell script (download it here):

[Screenshot: the PowerShell script]

The above script references users in a CSV file containing users’ UPN, location, and license to assign. It looks like this (download it here):

[Screenshot: the CSV file]

You will need to modify the script to use the correct path to the CSV file.
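
One way to write such a CSV-driven script is shown below. It is an added example, not the original downloadable script; the column names UserPrincipalName, UsageLocation and AccountSkuId, the CSV path and the -DryRun switch are assumptions made for illustration.

```powershell
# Added example: assign location and license per user from a CSV file.
# Assumed CSV header: UserPrincipalName,UsageLocation,AccountSkuId
param(
    [string]$CsvPath = 'C:\pathtofile\licenses.csv',  # placeholder path
    [switch]$DryRun                                   # hypothetical switch: report only
)

Import-Module MSOnline
Connect-MsolService

# SKUs that really exist in the tenant, so a typo in the CSV is caught early.
$validSkus = (Get-MsolAccountSku).AccountSkuId

foreach ($row in Import-Csv -Path $CsvPath) {
    $upn = "$($row.UserPrincipalName)".Trim()
    $loc = "$($row.UsageLocation)".Trim().ToUpper()
    $sku = "$($row.AccountSkuId)".Trim()

    if ($validSkus -notcontains $sku) {
        Write-Warning "$upn - SKU '$sku' is not in this tenant, skipped"
        continue
    }
    if ($loc -notmatch '^[A-Z]{2}$') {
        Write-Warning "$upn - '$loc' is not a 2-letter country code, skipped"
        continue
    }

    try {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
        if ($user.Licenses.AccountSkuId -contains $sku) {
            Write-Output "$upn - already has $sku, skipped"
            continue
        }
        if ($DryRun) {
            Write-Output "$upn - would set location $loc and add $sku"
            continue
        }
        # The location must be set before the license can be assigned.
        Set-MsolUser -UserPrincipalName $upn -UsageLocation $loc -ErrorAction Stop
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku -ErrorAction Stop
        Write-Output "$upn - assigned $sku ($loc)"
    }
    catch {
        Write-Warning "$upn - $($_.Exception.Message)"
    }
}
```

Running it with -DryRun first shows which rows would change before any license is consumed.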

If you need to generate a list of users in your O365 tenant, including their UPN, location, and whether or not a license is currently assigned, you can use the following command:

Get-MsolUser -All | Select-Object DisplayName,UserPrincipalName,UsageLocation,IsLicensed

Your results will look similar to this:

[Screenshot: Get-MsolUser output]

To export the same data to a CSV file, add a bit more to the end:

Get-MsolUser -All | Select-Object DisplayName,UserPrincipalName,UsageLocation,IsLicensed | Export-Csv C:\pathtofile\o365export.csv -NoTypeInformation

Which Version of the ADK should I use with SCCM?

By | September 12, 2016

With the new release cycle for Configuration Manager, it can be difficult to know which version of the Windows ADK to use when upgrading to new releases. To further complicate the issue, each time you upgrade the ADK on the server used by SCCM, you must upgrade boot images used for OS deployment to be able to edit them going forward (the old ones are preserved but are read-only after you upgrade the ADK).

There’s a recent blog post that was really good at answering which versions of SCCM, the ADK, and Windows 10 are compatible with each other. In short, if you want to deploy the latest branch of Windows 10 (the Anniversary update), you need the latest version of the ADK installed. To use the latest version of the ADK, you must be using either the 1602 or 1606 build of SCCM.

Here’s a compatibility chart from that post, but be sure to check out the full post as it has more info:

[Image: SCCM, ADK and Windows 10 compatibility chart]

Azure AD Connect 1.1 Released with Several New Features

By | February 23, 2016

Azure AD Connect 1.1 (formerly DirSync) is now generally available for download. If you’ve been using Azure AD Connect, you’ll want to pay attention to the new features that come in 1.1.

Automatic Upgrade

This is the last time you need to manually upgrade Azure AD Connect. There is a new auto-update feature that will periodically perform upgrades.

More Frequent Synchronizations

In the past, the default sync interval was 3 hours. Now, you can schedule a sync to run as often as every 30 minutes, if desired.

Support for MFA

This is a big one. Previously, accounts that used multi-factor authentication could not be used with Azure AD Connect. This was a huge security risk because the account used by Azure AD Connect had to be a global administrator on your tenant. In the new release, MFA is now supported to better secure your service accounts.

More Flexibility

You can now configure which OUs to synchronize with your tenant during the installation process. Previously, you had to install Azure AD Connect and then later filter the OUs in the Synchronization Service Manager.

You can also modify the user sign-in method after installation now. Previously, you had to choose this during the install of Azure AD Connect and didn’t have the option to modify it later without reinstalling.

New Hotfix: Fix for Slow SCCM Patching and Windows 10 Upgrades on Win7/2008 Clients

By | November 4, 2015

KB3102810 has been published by Microsoft to address two issues that are affecting Windows 7 and Windows Server 2008 clients.

  • First issue: Windows Updates run slower than usual when using SCCM for patch management.
  • Second issue: When trying to deploy an in-place Windows 10 upgrade from Windows 7, svchost.exe takes 100% CPU utilization and the upgrade might fail.

This hotfix addresses an SCCM issue but is actually applied to the OS and not the SCCM client. To install the hotfix silently, use the following command:

wusa.exe Windows6.1-KB3102810-x64.msu /quiet /norestart