Sunday, September 13, 2015

Remove deprecated Software from SUP

I have a site that finally moved away from XP and Server 2003, and even from Office 2003 and 2007. So now I'm off to clean up SUP and remove all this stuff. It means ConfigMgr and WSUS have less to process, and even the endpoints will have less to process each time they check in with WSUS. The DPs have less content as well.

First thing is to remove the products from SCCM by going to the Administration pane and then Site Configuration and Sites. Right-click the site and select Configure Site Components | Software Update Point. In SUP, go to the Products tab and deselect all the stuff you don't have in your environment. This is a good point to do a quick audit and enable/disable others. For this site I removed Windows XP, Server 2003, Office 2003, and Office 2007.

Onto the mind-numbing part! Go to Software Updates on the Software Library pane. Navigate to All Software Updates. I create Software Update Groups (SUGs) for each year and the current year by month. I'd suggest you do the work per SUG: while it takes longer, it's fewer patches being removed in one shot and allows you to quickly audit them before boredom steps in and you miss something. Plus you can stop and come back later where you left off.

With that said though, Office is small enough that I did do it at the All Software Updates level. Search for 'Office' and add criteria for Deployed = Yes and a couple titles for 2003 and 2007.


Once it finds everything, parse the list to make sure it's right. If so, select all and right-click to 'Edit Membership' and remove from any SUGs that are checked.

You will need to rinse and repeat for all the products within those Office suites. So change 'Office' above to Excel, Word, Outlook, Access, etc. Remove membership for any of those. It should find one or two like Junk E-mail Filters.

Once that is removed, go to your SUG and select the first year. In my case it was '2008 and earlier'. Do a search for 'Windows XP' with a title that does not contain 'Server 2008'.




Many patches will be combo patches for multiple OSes, so we have to exclude those, and adding the 'does not contain' criterion does that. Once it pulls back a list, parse it to make sure it's right and then remove these memberships. Rinse and repeat for each SUG.

Once done, you can go back to All Software Updates and search for Windows XP and Deployed and see if there are oddball ones to remove. For this site I also removed IE6 and IE7. Did I get rid of everything I could have? Nope.

This work was done on a 2012 R2 SP1 CU1 site, so it will take care of replication on its own. With that said, I took it one step further, since the fewer advertisements you have the better: I took my 2008 and earlier SUG and was able to merge it through 2013, removing 5 SUGs. Be sure to keep your SUGs under 1000 patches.

-Kevin Fason
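
The per-SUG search described above (title contains a retired product, title does not contain a product still in use) can also be scripted. This is an added example, not code from the original post. It assumes the ConfigurationManager PowerShell module with its Get-CMSoftwareUpdate and Remove-CMSoftwareUpdateFromGroup cmdlets is loaded; Select-RetiredUpdate and the sample titles are hypothetical and constructed.

```powershell
# Added example, not from the original post. Audits one Software Update Group for
# updates belonging to retired products, skipping combo patches still needed elsewhere.
param(
    [string]  $GroupName = '2008 and earlier',   # SUG name used in the post
    [string[]]$Retired   = @('Windows XP'),      # title must contain one of these
    [string[]]$Keep      = @('Server 2008'),     # ...and none of these
    [switch]  $Remove                            # without this switch: audit only
)

function Select-RetiredUpdate {   # hypothetical helper
    param([Parameter(ValueFromPipeline = $true)]$Update,
          [string[]]$Retired, [string[]]$Keep)
    process {
        $title  = $Update.LocalizedDisplayName
        $hit    = @($Retired | Where-Object { $title -like "*$_*" })
        $shared = @($Keep    | Where-Object { $title -like "*$_*" })
        if ($hit.Count -gt 0 -and $shared.Count -eq 0) { $Update }
    }
}

if (Get-Command Get-CMSoftwareUpdate -ErrorAction SilentlyContinue) {
    # Run from the site drive with the ConfigurationManager module imported.
    $updates = @(Get-CMSoftwareUpdate -UpdateGroupName $GroupName)
} else {
    # Constructed sample data so the filter can be tried without a site.
    $updates = @(
        [pscustomobject]@{ CI_ID = 1; LocalizedDisplayName = 'Security Update for Windows XP (KB0000001)' }
        [pscustomobject]@{ CI_ID = 2; LocalizedDisplayName = 'Update for Windows XP and Windows Server 2008 (KB0000002)' }
        [pscustomobject]@{ CI_ID = 3; LocalizedDisplayName = 'Security Update for Windows 7 (KB0000003)' }
    )
}

# Audit step: review this list before removing anything.
$candidates = @($updates | Select-RetiredUpdate -Retired $Retired -Keep $Keep)
$candidates | Sort-Object LocalizedDisplayName |
    Format-Table CI_ID, LocalizedDisplayName -AutoSize | Out-Host

$canRemove = Get-Command Remove-CMSoftwareUpdateFromGroup -ErrorAction SilentlyContinue
if ($Remove -and $canRemove) {
    foreach ($u in $candidates) {
        Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $GroupName `
            -SoftwareUpdateId $u.CI_ID -Force
    }
}

# The post's guidance: keep each SUG under 1000 updates.
'{0}: {1} updates in group, {2} removal candidates' -f $GroupName, $updates.Count, $candidates.Count
```

Run it once without -Remove per SUG and check the list, then rerun with -Remove for the groups that look right.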



Shutdown mid Task Sequence

We are working to have our hardware vendor lay our image down for us in their factories. I provide them a Stand-Alone ISO and they muck with it and stick it on the drive for deployment. The Task Sequence still processes; however, much of it is done before the device arrives on-premises. The software that goes on every computer, such as Adobe Reader, and even stuff targeted to, say, laptops, like a VPN dialer, is run there. Then our HTA and any per-unit customization, such as machine name, is done on-premises, as well as domain join.

In order to streamline this, they have us make several changes to the Task Sequence. One is a step that runs a "secret sauce" script with two Restart steps surrounding it. This is the point in the Task Sequence that the device is boxed up and sent to its destination. Before giving the ISO to the vendor, they have a checklist to test against. They ask that the NIC is disabled in the BIOS/UEFI, the process is run until this special step, and the power button is pressed during the second restart step, during POST. Once off, turn on the PC, go into the BIOS/UEFI, enable the NIC, and continue the Task Sequence. This emulates both the factory process, which has zero network, and the on-premises part, which does. You have to watch the Task Sequence progress, and sometimes you miss it and have to start over. It's like watching paint dry at times, right?

I unfortunately missed that step a couple of times, so I devised a dirty way to shut the machine down mid task sequence. When it was off, I knew I was at that point in the testing. Two steps is all it takes.


The first just runs shutdown for 60 seconds:

 shutdown.exe /s /t 60  

The second is a built-in restart step that is set for 90 seconds. Be sure to set it to the currently installed OS.



This second step will hook the TS for the next startup and display the countdown. The first step is what does the actual shutdown. The second step timer needs to be long enough for the second step to hook the TS for next startup. On an SSD, 60 and 90 worked well, but slower spinners may need both steps tweaked. Once you see the countdown, it's hooked and all is good.

What other uses does this have? Who knows. It helped me in my testing so I can multitask and not watch paint dry.

-Kevin Fason