With the new version of Configuration Manager comes a bunch of new juicy logs. I’ll separate the posts into Client and Server. In this first instalment, I’ll cover the new logs found on your clients.
The first thing you need to know is that the log location has changed slightly.
Client logs can now be found at C:\Windows\CCM\Logs, rather than in the System32 or SysWoW64 directory.
With the new ConfigMgr 2012 App Model, we now scan each machine at a regular interval (default is every 7 days) and make sure that applications that should be installed on a machine are indeed installed. The AppDiscovery.log will show you the discovery engine (based on DCM) checking to make sure the app is installed.
Performing detection of app deployment type MS_Silverlight(ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, revision 2) for system. AppDiscovery 3/05/2012 9:27:30 AM 7988 (0x1F34)
+++ Application not discovered. [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppDiscovery 3/05/2012 9:27:31 AM 7988 (0x1F34)
Here we can see the WMI query for the Microsoft Silverlight application, and the application not being found. The AppDiscovery.log will then flag Silverlight for installation:
ActionType – Install will use Content Id: Content_b0e86929-a5f2-4154-b876-ed83965ce25d + Content Version: 1 for AppDT “MS_Silverlight” [ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0], Revision – 2 AppDiscovery 3/05/2012 9:27:34 AM 12156 (0x2F7C)
If an application should be installed, and the AppDiscovery doesn’t find it, the AppEnforce log should kick in with the installation routine:
+++ Starting Install enforcement for App DT “MS_Silverlight” ApplicationDeliveryType – ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision – 2, ContentPath – C:\Windows\ccmcache\1a, Execution Context – System AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
A user is logged on to the system. AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
Performing detection of app deployment type MS_Silverlight(ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, revision 2) for system. AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
+++ Application not discovered. [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
App enforcement environment:
Command line: “Silverlight.exe” /q
Allow user interaction: No
UI mode: 1
User token: null
Session Id: 4294967295
Content path: C:\Windows\ccmcache\1a
Working directory: AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
Prepared working directory: C:\Windows\ccmcache\1a AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)
Prepared command line: “C:\Windows\ccmcache\1a\Silverlight.exe” /q AppEnforce 3/05/2012 9:28:33 AM 7988 (0x1F34)
Executing Command line: “C:\Windows\ccmcache\1a\Silverlight.exe” /q with system context AppEnforce 3/05/2012 9:28:33 AM 7988 (0x1F34)
Once the application has installed, it will rerun the application detection and this time succeed.
+++ Discovered application [AppDT Id: ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0, Revision: 2] AppEnforce 3/05/2012 9:29:41 AM 7988 (0x1F34)
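The enforcement sequence above can be audited in bulk. The following Python is an added example, not part of the original post or of ConfigMgr: it parses AppEnforce entries in the layout they are shown in on this page (message, component, date, time, thread) and reports each executed command, the context it ran in, whether the executable sat in the working directory prepared by the same thread, and whether detection succeeded afterwards. The sample lines are constructed, and correlating entries by thread ID is an assumption based on the excerpt above.

```python
import ntpath
import re
from datetime import datetime

# Entry layout as shown on this page: <message> <component> <d/mm/yyyy h:mm:ss AM> <thread> (0xHEX)
ENTRY = re.compile(
    r"^(?P<msg>.*?)\s+(?P<component>\w+) "
    r"(?P<ts>\d{1,2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<thread>\d+) \(0x[0-9A-Fa-f]+\)$")
WORKDIR = re.compile(r"^Prepared working directory: (?P<dir>.+)$")
EXEC = re.compile(  # accepts straight or typographic quotes around the executable
    r'^Executing Command line: ["“](?P<exe>[^"”]+)["”]\s*(?P<args>.*?) with (?P<ctx>\w+) context$')

# Constructed sample: one install from the content cache, one from an unexpected directory.
SAMPLE = [
    r'Prepared working directory: C:\Windows\ccmcache\1a AppEnforce 3/05/2012 9:28:29 AM 7988 (0x1F34)',
    r'Executing Command line: "C:\Windows\ccmcache\1a\Silverlight.exe" /q with system context AppEnforce 3/05/2012 9:28:33 AM 7988 (0x1F34)',
    r'+++ Discovered application [AppDT Id: ScopeId_EXAMPLE/DeploymentType_EXAMPLE, Revision: 2] AppEnforce 3/05/2012 9:29:41 AM 7988 (0x1F34)',
    r'Prepared working directory: C:\Windows\ccmcache\2b AppEnforce 3/05/2012 9:40:00 AM 4242 (0x1092)',
    r'Executing Command line: "C:\Temp\setup.exe" /s with system context AppEnforce 3/05/2012 9:40:02 AM 4242 (0x1092)',
]

def parse_entry(line):
    """Split one rendered log line into message, component, timestamp and thread."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%m/%Y %I:%M:%S %p")
    return entry

def audit_enforcement(lines):
    """One record per command AppEnforce executed, checked against the logged working directory."""
    workdir, pending, records = {}, {}, []
    for e in filter(None, map(parse_entry, lines)):
        if e["component"] != "AppEnforce":
            continue
        thread, msg = e["thread"], e["msg"]
        if m := WORKDIR.match(msg):
            workdir[thread] = ntpath.normcase(m["dir"])
        elif m := EXEC.match(msg):
            exe_dir = ntpath.normcase(ntpath.dirname(m["exe"]))
            rec = {"time": e["ts"], "exe": m["exe"], "args": m["args"], "context": m["ctx"],
                   "from_content_path": workdir.get(thread) == exe_dir,
                   "detected_after": False}
            records.append(rec)
            pending[thread] = rec
        elif msg.startswith("+++ Discovered application") and thread in pending:
            pending.pop(thread)["detected_after"] = True
    return records
```

Records with `from_content_path` false or `detected_after` false are the ones to review first: a command that ran in system context from outside the prepared content directory, or an install whose detection never succeeded.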
The AppIntentEval.log works with the two previous logs, and should tell you which applications are required. You should see something like:
ScopeId_73F3BB5E-5EDC-4928-87BD-4E75EB4BBC34/DeploymentType_246b2460-f182-4916-959c-0a2c41c55ca0/2 :- Current State = Installed, Applicability = Applicable, ResolvedState = Installed, Title = MS_Silverlight
The CCMVDIProvider.log will show you if the machine is a virtual or a physical machine.
The EndpointProtectionAgent.log will only show you whether the SCEP agent is or isn’t installed. It will not show you any information about definition updates. For SCEP definition updates and SCEP functionality, you’ll find a bunch of logs in C:\ProgramData\Microsoft\Microsoft Antimalware\Support.
ExpressionSolver.log records MSI discovery. This log is only available when verbose logging is enabled.
The ExternalEventAgent log shows all of the state messages sent from SCEP into the CCM client. The CCM client will then process each of these state messages as it would any internal state message.
This log file records all Software Inventory file system scans. You can see in the log excerpt below that we’re looking for qmgr.dll, scrnsave.exe, scrnsave.scr and msiexec in the System32 directory.
Query = SELECT __class, __path, __relpath, name, path, lastwritedate, size, companyname, productname, productversion, productlanguage, fileversion, filedescription FROM FileSystemFile WHERE name = ‘qmgr.dll|scrnsave.exe|scrnsave.scr|msiexec.exe’ and path = ‘%windir%\\system32\\*’ and iscompressed = false and isencrypted = false; Timeout = 14400 secs; ScanInterval = 2 msecs; SkipFile = skpswi.dat
You’ll see a bunch of SCNotify logs in your logs directory. These logs describe the user notification for new applications. In the log you’ll see a bunch of WMI calls, and whether or not applications should notify the user of their availability.
This software should not display a user notification balloon, removing it from the available notification list.
The SoftwareCatalogUpdateEndpoint log will show any changes to the Software Catalog URL and will show the URL being added to the Trusted Sites list in Internet Explorer.
CSoftwareCatalogUpdateHandler::StartUpdateTrustedSitesProcess: Started UpdateTrustedSites process
CSoftwareCatalogUpdateHandler::SetCatalogSecurity: Updating the registry for Software Catalog.
This log will show you the Software Center notifications and whether or not the Software Center is installed and healthy.
The UpdateTrustedSites log records the actual updates after the SoftwareCatalogUpdateEndpoint reports that the URL needs to be added to the Trusted Sites.
CSoftwareCatalogUpdateHandler::AddDefaultPortalToTrustedSites: Catalog Url should be added to the trusted sites zone. UpdateTrustedSites 18/05/2012 1:13:32 PM 14172 (0x375C)
AddDefaultPortalToTrustedSites: url = http://applicationcatalog.yourdomain.com:80, zone = 258 UpdateTrustedSites 18/05/2012 1:13:32 PM 14172 (0x375C)
With the new 2012 App Model, we need to determine which users are primary users of a device. The UserAffinity log will show which users have been added as primary users, and the method for determining the primary user.
Auto affinity threshold settings Days = ’21’, User Minutes = ‘2880’, AutoApproveAffinity = ‘1’. UserAffinity 18/05/2012 1:12:33 PM 14332 (0x37FC)
No WMI instance. Setting an affinity. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)
Setting auto affinity for user ‘yourdomain\mattshadbolt’. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)
Successfully sent user affinity state message for user ‘yourdomain\mattshadbolt’. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)
Successfully saved user affinity data for user ‘yourdomain\mattshadbolt’ into WMI. UserAffinity 18/05/2012 1:12:45 PM 14332 (0x37FC)
We can see that AutoApproveAffinity is enabled for any user who has used the machine within 21 days, and for 2880 minutes or more.
So that’s it! If you find any other logs that weren’t around in 2007, please let me know and I’ll do my best to cover them!