Jan 11 2017

Updating SAP client logon configuration file

The SAP client supports several methods to locate the logon configuration file. This INI file contains the information the SAP client needs to connect to SAP servers.

Normally the file is created in the user's AppData folder during the first start of the client. Alternatively, during setup you can configure a custom SAPLogon.ini file to be used in one of the following ways:

  1. Use a command line parameter /INI_FILE=<File Path> to launch SAP client.
  2. Use an environment variable SAPLOGON_INI_FILE
  3. Place SAPLogon.ini file in the SAP GUI directory in Program Files or under the Windows directory.

Note: For more info about these methods and how they work see here.

My favorite method is the third one, using the SAP GUI directory. I configured the setup of SAP GUI to place the INI file during installation. When this method is used, the client copies the INI file during the first run and places it in AppData, allowing the user to customize his logon preferences later.


The SAP team is making significant changes that require updating the logon configuration on all computers company-wide and replacing any customizations the users made.

This means we need to replace the file in Program Files AND delete it from each profile on the machines.

Here comes SCCM compliance settings

To achieve this goal, we are going to use the magic of SCCM Compliance settings and PowerShell to detect if the default file needs to be replaced, then replace the file and delete it from all profiles’ AppData folders.

PowerShell Scripts

Detecting if the correct file is in place

This script will check the SAPLogon.ini file in the SAP GUI directory and report whether it is the required one or not. We will use the hash of the correct file to detect its existence, then report the status.

First, get the hash of the new SAPLogon.ini file using the following command,

The result shows the hash of the file; in my case it is: 3C5976B4C413E3B852711CEC970FA7315B6785DFB0A9C1C87F33BCA7683F4E7C

Now to the script that reports if the correct file is in place,

The script will give us one of three outputs

  1. The files match
  2. The files do NOT match
  3. The file is missing
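
The script itself is not reproduced on this page. As an added example (not the author's original script), a discovery script of this shape could look like the following. The SAP GUI install path and the two noncompliant output strings are assumptions; the compliant string is the value the compliance rule later in this post checks for.

```powershell
# Added example: discovery script for the configuration item (not the author's original).
# Requires PowerShell 4.0 or later for Get-FileHash.

# Assumption: default SAP GUI install directory; adjust to your environment.
$programFiles = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$iniPath = Join-Path $programFiles 'SAP\FrontEnd\SAPgui\SAPLogon.ini'

# Hash of the new SAPLogon.ini as quoted in this post (64 hex characters, i.e. SHA-256).
# Computed once on the admin workstation with:
#   (Get-FileHash -Path .\SAPLogon.ini -Algorithm SHA256).Hash
$expectedHash = '3C5976B4C413E3B852711CEC970FA7315B6785DFB0A9C1C87F33BCA7683F4E7C'

if (-not (Test-Path -LiteralPath $iniPath -PathType Leaf)) {
    # Output 3: the file is missing (string is hypothetical)
    'Existing File is missing'
}
else {
    try {
        $actualHash = (Get-FileHash -LiteralPath $iniPath -Algorithm SHA256 -ErrorAction Stop).Hash
    }
    catch {
        # A file that cannot be read is treated as a mismatch so remediation runs.
        $actualHash = $null
    }

    if ($actualHash -eq $expectedHash) {
        # Output 1: the files match (this is the value the compliance rule expects)
        'Existing File is up-to-date'
    }
    else {
        # Output 2: the files do NOT match (string is hypothetical)
        'Existing File is outdated'
    }
}
```

The script must emit exactly one string, because the compliance rule compares the script's output against a single expected value.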

SCCM will then use this information to perform the remediation action, that is, replace the file in Program Files and remove it from users’ profiles. This will also use a PowerShell script.

Script to replace the file

The trick I wanted to use here is to embed the new SAPLogon.INI file inside the PowerShell script in order to avoid using external links to a file share. To achieve this, we save the file as a Base64 string in a variable.

Note: Henk Hofs wrote a great blog about this method on LoginVSI, find it here.

The first step is to get the Base64 of the new SAPLogon.ini file.

The TXT file should look something like the image below,


We will use this string in the remediation script to replace the file. The script below does not have the full string for viewing purposes.
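
The remediation script is not reproduced on this page. As an added example (not the author's original script), the approach described above could be implemented as follows, with a hash check on the decoded bytes before anything is written. The Base64 value is a placeholder to be pasted in, and the SAP GUI install path and the per-user path under AppData are assumptions.

```powershell
# Added example: remediation script (not the author's original).
# Requires PowerShell 3.0 or later. Compliance scripts run in the SYSTEM context.
$ErrorActionPreference = 'Stop'

# Placeholder: paste the full Base64 string of the new SAPLogon.ini here. It is produced with:
#   [Convert]::ToBase64String([IO.File]::ReadAllBytes('.\SAPLogon.ini')) | Set-Content .\SAPLogon.txt
$iniBase64 = '<BASE64-OF-NEW-SAPLOGON.INI>'

# Hash of the new file as quoted in this post (SHA-256).
$expectedHash = '3C5976B4C413E3B852711CEC970FA7315B6785DFB0A9C1C87F33BCA7683F4E7C'

# Assumptions: default SAP GUI install directory and per-user location; adjust as needed.
$programFiles   = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$targetPath     = Join-Path $programFiles 'SAP\FrontEnd\SAPgui\SAPLogon.ini'
$profileRelPath = 'AppData\Roaming\SAP\Common\SAPLogon.ini'

# Decode the embedded file and verify it before touching anything on disk.
# A truncated or mis-pasted string fails here instead of being deployed.
$bytes = [Convert]::FromBase64String($iniBase64)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
try {
    $actualHash = [BitConverter]::ToString($sha256.ComputeHash($bytes)) -replace '-', ''
}
finally {
    $sha256.Dispose()
}
if ($actualHash -ne $expectedHash) {
    throw "Embedded SAPLogon.ini does not match the expected hash (got $actualHash)."
}

# Replace the default file in the SAP GUI directory.
[IO.File]::WriteAllBytes($targetPath, $bytes)

# Delete the per-user copy from every profile so the client re-copies the default on next start.
$profilesRoot = Split-Path -Path $env:PUBLIC -Parent
Get-ChildItem -LiteralPath $profilesRoot -Directory | ForEach-Object {
    $userIni = Join-Path $_.FullName $profileRelPath
    if (Test-Path -LiteralPath $userIni -PathType Leaf) {
        Remove-Item -LiteralPath $userIni -Force
    }
}
```

Because the expected hash is the same value the discovery script checks, a successful remediation is followed by a compliant re-evaluation.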


SCCM Compliance Rules

Open the SCCM console and browse to Assets and Compliance > Compliance Settings

Create new Configuration Item

Follow the steps below,

  1. Right-click on Configuration Items and select Create Configuration Item
  2. Under General, type a name and description. Assign a category as a best practice.
  3. Under Supported Platforms, select the operating systems you wish to run the rule on. For me it's Windows 10 and 7.
  4. Under Settings, Create a new setting.
    1. Give the new setting a name and description.
    2. Under Setting type select, Script.
    3. Under Data type select, String.
    4. Under Discovery Script, click on Add Script. Select Windows PowerShell and paste the first script.
    5. Under Remediation script, click on Add Script. Select Windows PowerShell and paste the second script.
    6. Move to the Compliance Rules tab.
    7. Create a new Compliance Rule.
    8. Give the new rule a name and description
    9. Set the Rule type to Value.
    10. Set the value to “Existing File is up-to-date” without the quotes.
    11. Ensure that Run the specified remediation script when this setting is noncompliant is checked.
    12. Under Noncompliance severity for reports, select Warning.
    13. Click OK to go back to the CI
    14. Finish the wizard

Create Configuration Baseline

The following steps show how to create the configuration baseline that will be deployed to devices later.

  1. Right-click on Configuration Baselines and select Create Configuration Baseline.
  2. Give the new baseline a Name and Description
  3. Click on Add > Configuration Items and select the CI we just created.
  4. Assign a category as a best practice.
  5. Click OK.

Deploy the Configuration Baseline

Here we deploy the baseline. I prefer testing it on a small subset of users first :)

  1. Right-click on the newly created configuration baseline and click on Deploy.
  2. Check the Remediate noncompliant rules when supported and Allow remediation outside the maintenance window.
  3. Check the Generate an alert box if needed. Usually needed in production.
  4. Select a collection to deploy to.
  5. Change the schedule settings if needed.
  6. Click OK

Test, Test, Test!

Now it is time to test how this thing works,

  1. Open the Configuration Manager control panel on a computer where the baseline is deployed.
  2. Go to Actions and run the Machine Policy Retrieval & Evaluation Cycle.
  3. Go to Configuration. You should find the new baseline. If not then wait a minute and click Refresh.
  4. Click on Evaluate.
  5. When completed view the report.
  6. If compliant, the report should look like the image below.
  7. If not (I messed with the file), it should be replaced as per the script, and the report should have a remediation section at the end.



About the author

Walid AlMoselhy

Permanent link to this article: http://almoselhy.azurewebsites.net/2017/01/updating-sap-client-logon-configuration-file-2/
