how to deploy sccm 2012 bat file app so that it actually executes on client machines and not just go to software center?

    Question

  • I have a bat file with some regedit commands. I created an application and it distributed OK. I have a collection for these machines. I used the deployment wizard and the only thing that happens is the app gets put into the software center. None of the machines actually got the regedits installed. I suppose it wants to put up a notification to the machines for the user to get the app from the software center and install it. That's not what I want. I want the regedits installed automatically and a message telling the user that the update was installed and they need to reboot. Can anyone give a step-by-step for how to do it? Please, no lectures about getting training. Thanks.
    Tuesday, February 12, 2019 3:52 PM

All replies

  • What does your bat file look like? Are you sure the registry hasn't been modified?

    What happens if you run process monitor and trace the install, are any keys written?


    Richard Knight | Collection Refresh Manager | Automate detection rules for patch \ msp files | Twitter


    Tuesday, February 12, 2019 5:11 PM
  • @ECHO ON
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    I created the application per the wizard.  It's on the distribution point(s).  I made it required and to install per device whether anyone is logged on or not and to send wake-ups and notice to reboot.

    Rather than using GPO for this Spectre/Meltdown vulnerability for certain machines, I'm using reg add.   I haven't looked at the registry(s) nor run process monitor, but sccm says compliance = 0%. 

    Tuesday, February 12, 2019 6:22 PM
  • What did you specify for your detection method?

    What deadline did you specify for the deployment?

    You really need to directly view a system where this ran to troubleshoot though as anything else is just guessing. This would include of course examining those values in the registry as well as reviewing appenforce.log.

    Finally, is there a reason you didn't simply use a configuration item and baseline for this? This is a super easy way to deploy changes to registry values.

    Also, keep in mind that WoL may require configuration in your network infrastructure and must also be enabled in ConfigMgr -- even though WoL uses a magic packet it doesn't magically work without some potential configuration.


    Jason | https://home.configmgrftw.com | @jasonsandys



    Tuesday, February 12, 2019 6:37 PM
  • By "configuration item" you mean GPO, I chose not to do that.  My deadline is ASAP after available (which was immediately).  Using the wizard, even though it isn't necessary because every machine has such a key, for "detection method" I checked that "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" is present.  Regarding WoL, we have not configured it -- yet.  I'm just looking at the status that says "failed".
    Tuesday, February 12, 2019 8:04 PM
  • By "configuration item" you mean GPO,

    No, I mean exactly as stated, "Configuration Item": https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/create-configuration-items-for-windows-10-devices-managed-with-the-client

    Have you examined a system directly yet?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, February 12, 2019 10:16 PM
  • I'm asking for help here.  Regarding configuration items, can they be deployed for only specific machines?  When I create one it seems as though it will apply to all machines.  Also, it seems as though I can do only one registry entry per CI.  Is all of this true or am I missing something?

    Thanks.

    Friday, February 15, 2019 3:01 PM
  • As with all deployable items in ConfigMgr, you target collections when deploying a baseline (CIs go into baselines and then you deploy the baseline). The collection can have one member or as many members as you'd like based upon the rules you assign to that collection.

    You can add as many rules to a single CI as you'd like and as many CIs to a baseline as you'd like. Generally, for compliance reporting, it's cleaner to include only one rule per CI and then include many CIs in a baseline, but that's not a technical limitation.

    As an alternative here, depending on your exact goal, you could also use the new(-ish) Scripts feature introduced in 1710 (I think it was 1710). The Scripts feature allows you to nearly-instantly run a PowerShell script on any managed system or set of managed systems. Scripts are meant for one-time actions though in general so if you are interested in continued enforcement and compliance reporting of that enforcement, baselines are still the way to go.

    Going back to your initial issue though, what did you specify for your detection method in the deployment type?

    And, have you directly examined the registry on a targeted system to see if the change has occurred yet?

    And, have you examined the appenforce.log on a targeted client to see if the Application was successfully enforced or not?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Friday, February 15, 2019 4:09 PM
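
Added example, not part of any post in this thread: a PowerShell script that checks the two values the bat file writes, rather than only the presence of the Memory Management key, which per the thread exists on every machine. It is written to fit ConfigMgr's script detection convention (exit code 0 with output on STDOUT means installed, exit code 0 with no output means not installed); the function name `Test-RegistryDword` is hypothetical, and the expected data (8 and 3) is taken from the `reg add` lines above.

```powershell
[CmdletBinding()]
param()

# Key and expected data copied from the bat file posted in the thread.
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Expected = @{
    FeatureSettingsOverride     = 8
    FeatureSettingsOverrideMask = 3
}

# Hypothetical helper: true only if the value exists, is a REG_DWORD,
# and holds the expected number.
function Test-RegistryDword {
    param($Key, [string]$Name, [int]$Want)
    $actual = $Key.GetValue($Name, $null)
    if ($null -eq $actual) {
        Write-Verbose "$Name is not set"
        return $false
    }
    $kind = $Key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        Write-Verbose "$Name has type $kind, expected DWord"
        return $false
    }
    Write-Verbose "$Name = $actual (expected $Want)"
    return ($actual -eq $Want)
}

try {
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
} catch {
    Write-Verbose "Cannot open ${KeyPath}: $_"
    exit 1   # non-zero exit code: reported as a detection script failure
}

$allMatch = $true
foreach ($name in $Expected.Keys) {
    if (-not (Test-RegistryDword -Key $key -Name $name -Want $Expected[$name])) {
        $allMatch = $false
    }
}

# Details go to the verbose stream, so STDOUT carries output only when both values match.
if ($allMatch) { Write-Output 'Detected' }
exit 0
```

Run by hand with `-Verbose` on a targeted client, the same script shows the current state of each value, which answers the "have you directly examined the registry" question without changing anything.
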
  • Thank you for the suggestion of using configuration item.  I defined the configuration item (with also a query to identify the eligibility of the target machines) and the baseline and deployed to collection.  Am monitoring in reports.  First day we hit most of the desired machines and the report showed that.  Next day many of the stragglers were hit.  By now almost all desired machines are mitigated and the ineligible ones are not affected.  Great idea.  We bypass the A.D. group and are able to target specific machines easier than they do.

    BTW, the reason we want to bypass certain machines is that for some reason Win 10 build 1703 and older have a reboot issue when the Spectre fix registry items are installed.  Win 10 1709 and later are OK.  Win 7 and Win 8.1 are OK.  A.D. group can't exclude the 1703-older machines as easily as we can.  

    So, if anyone has had the same reboot issue with putting the Spectre registry values on Win 10 1703 or older, and knows the reason I'd like to hear about it.

    Monday, February 25, 2019 7:13 PM