Hardware Inventory after SCCM OSD Task Sequence

August 4, 2017

Hi,

I like using a lot of custom collections based on data from Hardware Inventory: Operating System Version, Hardware Manufacturer, Hardware Model, etc.

However to make sure the properties are available the Hardware Inventory needs to run at least once, using this information you will be able to start the hardware inventory right after the OSD task sequence completes. We will be using the Task Sequence Variable SMSTSPostAction:

Somewhere in the task sequence add “Set Task Sequence Variable” step. Give it an appropriate name and fill in the information as seen in the screenshot below:

If you want to copy/paste, here’s the value: %windir%\System32\wbem\WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule “{00000000-0000-0000-0000-000000000001}” /NOINTERACTIVE

When the task sequence completes, this action will occur.

When processing was succesfull you should see something like this in the dataldr.log (on the Configuration Manager site server)

Also locally on the computer where the task sequence was run, information can be found in the smsts.log and in the Inventoryprovider.log. Both logs located under C:\windows\ccm\logs

Hope this helps!

 

Best regards,

Bert

 

 

 


SCCM – Deploy Unknown Computers with Assettag as computername

January 5, 2017

Hi,

In a recent Windows 10 deployment project (with SCCM) a customer of mine wanted to use the Serialnumber as the computername within Active Directory. The customer is using Unknown Computers so they don’t the need to import them first. Also there was the need to identify if a computer was a desktop or laptop, this was needed to make sure the computer was joined in the right OU depending of that type and to make sure Bitlocker was only applied to laptop computers.  To provide this functionality I’ve created a vbs script:

Part 1: Set Computername variable

Set objOSD = CreateObject(“Microsoft.SMS.TSEnvironment”)

Set SWBemlocator = CreateObject(“WbemScripting.SWbemLocator”)
Set objWMIService = SWBemlocator.ConnectServer(strComputer,”root\CIMV2″,UserName,Password)
Set colItems = objWMIService.ExecQuery(“Select * from Win32_SystemEnclosure”,,48)

For Each objItem in colItems
strOSDComputername = objItem.SerialNumber
Next

objOSD(“OSDComputerName”) = strOSDComputerName

The variable OSDComputerName is a default task sequence variable. Therefore no further actions need to be taken in the task sequence to make sure it is used to name the computer.

Part 2: Set Chassis variable

Set colChassis = objWMIService.ExecQuery(“Select * from Win32_SystemEnclosure”,,48)
For Each objChassis in colChassis
    For  Each strChassisType in objChassis.ChassisTypes
        Select Case strChassisType

            Case 3
                  StrType = “Desktop”
            Case 4
                   StrType = “Desktop”
            Case 6
                   StrType = “Desktop”
            Case 7
                  StrType = “Desktop”
            Case 8
                StrType = “Laptop”
            Case 9
                 StrType = “Laptop”
            Case 10
                  StrType = “Laptop”
            Case 11
                  StrType = “Laptop”
            Case 12
                   StrType = “Laptop”
            Case 14
                  StrType = “Laptop”
            Case 15
                  StrType = “Laptop”
            Case Else
    StrType = “unknown”
            End Select
    Next
Next

objOSD(“Chassis”) = StrType

The variable “Chassis” can now be used like any other task sequence variable to make sure certain steps only run for a laptop or desktop.

Save the above codesnippets into a vbs file and create an SCCM package containing the script.

Afterwards add a “Run Command Line” step to the task sequence, provide the package details and the following command line: cscript.exe “…vbs”

That should do the trick.

Obviously this is one solution among others, there are many other ways to accomplish the same but this seemed the easiest to me.

A little remark: When reinstalling a computer with Bitlocker enabled, make sure the Run Command Line step is located after the partition disk step, otherwise the script will fail as WMI cannot be accessed from WinPE. I’ve experienced this the hard way.

Hope this helps!

 

Best regards,

Bert

 

 

 

 

 

 

 


Add URL to customized Windows 10 Start Menu

September 1, 2016

Hi,

Since more and more of our customers are adopting Windows 10 in their environment we start to learn more tricks every day.

An important component of Windows 10 is the start menu. Administrators could apply a default startmenu layout for all users by using a GPO but downside of this approach is that the user isn’t able to add any custom applications himself. That’s why I prefer to set the startlayout during the Windows 10 deployment task sequence using a Powershell script.

Afterwards the default layout is set when the user first logs in, from then on the user can edit his start menu as he likes. Adding “classical” applications such as Word, Excel and Powerpoint is quite easy as those applications are already present when the user first logs in. Adding a shortcut to a website might be a little bit harder, in this post I’ll be explaining the steps that need to be taken to accomplish this. It’s a combination of Powershell, SCCM  (also applicable for MDT) and Group Policy Preferences. Let’s get started

First of all start by customizing the start menu as you like on a test machine. The start menu I want is the one shown below. We’ll be focusing on the highlighted icon in the start menu as this is a URL, other shortcuts are applications.

Screenshot_1

When the start layout is finished, launch powershell and execute the following command to export the startlayout:

Export-Startlayout -Path “C:\windows\temp\Startlayout.xml”

The XML generated looks as follows (text in bold is related to the Citrix URL):

<LayoutModificationTemplate Version=”1″ xmlns=”http://schemas.microsoft.com/Start/2014/LayoutModification”&gt;
<LayoutOptions StartTileGroupCellWidth=”6″ />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth=”6″ xmlns:defaultlayout=”http://schemas.microsoft.com/Start/2014/FullDefaultLayout”&gt;
<start:Group Name=”Webbrowsers” xmlns:start=”http://schemas.microsoft.com/Start/2014/StartLayout”&gt;
<start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationID=”Microsoft.InternetExplorer.Default” />
</start:Group>
<start:Group Name=”Office ” xmlns:start=”http://schemas.microsoft.com/Start/2014/StartLayout”&gt;
<start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”0″ DesktopApplicationID=”{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office15\WINWORD.EXE” />
<start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationID=”Microsoft.Office.OUTLOOK.EXE.15″ />
<start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”2″ DesktopApplicationID=”{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office15\POWERPNT.EXE” />
<start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”2″ DesktopApplicationID=”{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office15\EXCEL.EXE” />
</start:Group>
<start:Group Name=”” xmlns:start=”http://schemas.microsoft.com/Start/2014/StartLayout”&gt;
<start:DesktopApplicationTile Size=”2×2″ Column=”2″ Row=”0″ DesktopApplicationID=”Microsoft.SoftwareCenter.DesktopToasts” />
<start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationID=”Microsoft.Windows.ControlPanel” />
</start:Group>
<start:Group Name=”” xmlns:start=”http://schemas.microsoft.com/Start/2014/StartLayout”&gt;
<start:DesktopApplicationTile Size=”2×2″ Column=”0″ Row=”0″ DesktopApplicationID=”https://citrix.contoso.com&#8221; />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>

Now create an SCCM Package containing the XML file and a Powershell script with the following content:

Import-StartLayout -LayoutPath $PSScriptroot\StartLayout.xml -MountPath $env:systemdrive\

Now this can be executed using a Run Powershell Script during the SCCM OSD task sequence.

Without performing further actions when a user first logs in the start menu will be generated but the URL to citrix.contoso.com will not be present. To make sure it’s there we need to create a Group Policy Preference to put the exact URL in the start menu for the user. Pay close attention because the target URL specified in the GPP must EXACTLY match the value of DesktopApplicationID (without the “”)

Screenshot_2

Now when the user (for which the GPP is applied) logs on for the first time on a Windows 10 computer, the default Start layout will be applied properly and the URL will also appear.

Hope this helps!

 

Best regards,

Bert

 

 


Move SquaredUp directory to other location

November 25, 2015

Hi all,

Today I’ve had the need to move the directory where SquaredUp files are stored from the C:\inetpub\SquaredUp to another drive on the same server (G:\inetpub\SquaredUp).

What I initially tried was a copy paste of the folder to the new location and changing the Website properties to the new folder location and restarted IIS.

25112015_1

This seemed to work, the website was still online

Then I’ve deleted the SquaredUp folder on the previous location (C:\inetpub\SquaredUp) and when connecting to SquaredUp I received an error 500 – Internal server error.

25112015_3

After checking all settings in IIS and not seeing anything wrong I went to look in the applicationhost.config in the directory C:\windows\system32\inetsrv\config and I found out there was still 1 reference to the old directory in there.

25112015_2

Changing the C:\ to G:\  (after creating a backup of the file) and restarting IIS did the trick, SquaredUp was back online.

 

Hope this helps,

Bert

 

EDIT: I was experiencing problems when I wanted to publish changes to an existing dashboard. I received this error in the console (I could see that by using F12 tools in my browser):

pageContextId=f65e35cb-7a40-403e-9fda-8a974e29eb7e 500 (Internal Server Error) send @ jquery-1.11.2.js?squaredupbuild=50de6ac2:4ie.extend.ajax @ jquery-1.11.2.js?squaredupbuild=50de6ac2:4a @ BaseComponents?squaredupbuild=50de6ac2:2Ractive.components.GridPage.Ractive.components.Base.extend.publish @ BaseComponents?squaredupbuild=50de6ac2:2(anonymous function) @ BaseComponents?squaredupbuild=50de6ac2:2(anonymous function) @ jquery-1.11.2.js?squaredupbuild=50de6ac2:3c @ jquery-1.11.2.js?squaredupbuild=50de6ac2:3d.fireWith @ jquery-1.11.2.js?squaredupbuild=50de6ac2:3n @ jquery-1.11.2.js?squaredupbuild=50de6ac2:4t @ jquery-1.11.2.js?squaredupbuild=50de6ac2:4

Because of moving everything from C:\inetpub\squaredup to G:\inetpub\squaredup the permissions got messed up. Using the following command the permissions were reset and everything was good to go:

“G:\inetpub\wwwroot\squaredupv2\tools\config.exe” applypermissions

This resets the permissions for the application identity account (in my case that was still NetworkService). When using a custom application identity after the applypermissions the SID of the user should be added eg.:

“G:\inetpub\wwwroot\squaredupv2\tools\config.exe” applypermissions S-1-5-21-3684388899-3955262116-226316336-1130

The SID of a user can be found using wmic useraccount where (name=’username’ and domain=’domain’) get sid

This issue was quickly resolved thanks to the fast response of SquaredUp Support, thanks!

 

 

 


Configuration Manager 2012 R2 SP1 IBCM WSUS #RDPROUD

August 5, 2015

Hi all,

For some time I’ve been busy configuring Internet Based Client Management (IBCM) at a customer of mine. The infrastructure consists of System Center 2012 Configuration Manager R2 SP1 and has one primary site. One management server was already present for the intranet clients and I wanted to add the necessary means to support IBCM.

The most straightforward method was to add an additional management server which would be occupied with everything related to internet clients.

The general setup can be found here: https://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_webserver2008_cm2012 and is quite straight forward.

Now the tricky part: How to make sure the infrastructure can be reached from the internet? First of all I needed a public IP adress which I could use for the CNAME eg. sccm.customer.com. Then I needed to add the necessary components in the reverse proxy solution available (in this case: Citrix NetScaler). There I added a virtual server on port 443 configured using Protocol SSL_BRIDGE. This makes sure the connection gets passed through the NetScaler directly to the backend server.

When this was configured deploying software, requesting policies, etc. worked like a charm.

Additionally I wanted to make sure internet client could also use SCCM to check for updates (not directly to Windows Updates).

Therefore some extra configuration was needed:

  • Install WSUS on the new management server (sharing the same database as the WSUS that is already present in the Configuration Manager infrastructure.
  • Install SUP on the new management server (with SSL enabled + Internet only traffic allowed)
  • Configure IIS to use the SSL certificate (additional information here)
  • Make sure URL https://sccm.customer.com:8531 can be resolved on the internet ( therefore an additional virtual server can be added to the NetScaler: port 8531 protocol TCP)

Now when a computer is connected to the internet, the SCCM agent will detect that and will replace the existing WSUS URL (eg. http://sccminternal.customer.local:8530) by the one available from the internet (https://sccm.customer.com:8531). One of the places to check this is in registry: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate. This should point to the internet available FQDN. Also the Locationservices.log should show some information.

20150805_2

 

20150805_4

When the computer checks for updates it will connect to the published URL to see what updates are missing. Afterwards the deployment of updates will be checked to see what updates are “Actionable” (see UpdatesDeployment.log)

20150805_1

For the download itself the agent will use Windows Update. These downloads are done over HTTP and can be followed in the DataTransferServices.log on the computer.

20150805_3

The user experience is the same. Everything is listed properly in the Software Center

20150805_5

If Windows Update isn’t available then a fallback will happen to http://sccm.customer.com. But because HTTP traffic isn’t redirected through the reverse proxy this will fail. Nevertheless I prefer the direct download from Windows Update as this minimizes bandwidth constraints in the customer infrastructure.

 

Hope this helps.

 

Best regards,

B

 


Configuration Manager 2012 R2 Powershell Application Detection Method #RDProud

July 2, 2015

Hi all,

This blog post describes how to enable .NET Framework 3.5 on Windows 8.1 after the computers already have been deployed.This can be quite annoying because the SXS source folder is needed when installing + this bug (https://support.microsoft.com/en-us/kb/3005628) can also kick in.

The installation is done using an SCCM application containing an installation powershell script and powershell detection method. An easier alternative is using a package and task sequence to run the powershell script (no detection method needed here). Using the application has the advantage that it can be used as dependency and requirements can be added.

The installation script contains different phases

  • Downloading the source to a local folder in C:\windows\temp\NetFX3
    • This folder contains the installation powershell script and the SXS folder from the Windows 8.1 PRO ISO
  • Installing KB2966828 (to avoid the bug)
  • Enable .NET Framework using the downloaded SXS folder as source
  • Detect if .NET Framework was installed successfully
  • Delete temp folder C:\windows\temp\NetFX3

First of all a little thing about using Powershell as an Application Detection Method

The main purpose is to make sure the detection method exits with exit code = 0 (no errors during the script)  + Depending on the value of STDOUT (Write-Output) the detection method will return that the application is installed or not installed.

Script exit code Data read from STDOUT Data read from STDERR Script result Application detection state
0 Empty Empty Success Not installed
0 Not empty Empty Success Installed

Additional details: http://blog.kloud.com.au/2014/08/12/powershell-detection-method-for-sccm-2012-application-compliance-management/

Now we’ll try to apply this to the .NET Framework 3.5 feature we want to get installed here, the script I use is this:

$Framework = Get-windowsoptionalfeature -FeatureName NetFx3 -Online | Select-Object -ExpandProperty State

if ($Framework -eq “Disabled”)

{

  exit 0

}

else

{

  Write-Host “.NET Enabled”

  exit 0

}

This script is quite easy to understand and does the following

  • If .NET is not installed (disabled): exit script with exit code 0 –> Detection method sees this as “Application Not Installed”:
    • Exit code = 0
    • STDOUT (Write-Host) = Empty
  • If .NET is installed (enabled): exit script with exit code 0 –> Detection method sees this as “Application Installed”:
    • Exit code = 0
    • STDOUT (Write-Host) = Not Empty

Now let’s start adding this into SCCM: Create an Application and give it a suitable name. When creating a Deployment type give in the path to the source and the commandline. This is the commandline I used: “Powershell.exe -executionpolicy Bypass -file .\install.ps1” (without quotes)

02072015_1

When prompted for the detection method, select “Use a custom script to detect the presence of this deployment type and Click Edit, Select powershell and copy the detection method script in here

02072015_2

Finish creating the deployment type adding needed requirements (here I have added Operating System = Windows 8.1 x64)

After the application is created, update distribution points, deploy it to a test machine and see the result

Using the “Retrieve Machine Policy” on the test client we should rapidly see the new deployment, but this didn’t happen. I went to look into the ConfigMgr Client logs and found something interesting in the AppDiscovery.log

The Detection method couldn’t be run because it was not signed “CScriptHandler::DiscoverApp failed (0x87d00327).” I stumbled upon this post by someone who experienced the same error http://www.petervanderwoude.nl/post/deployment-of-configuration-baseline-failed-with-error-script-is-not-signed-in-configmgr-2012/. So I did what he highlighted: Enabling the Powershell Bypass option for the ConfigMgr Client.

A next test should result in the application being successfully added in the Software Center doesn’t it? Yes, it’s there but it says “Installed” while the .NET Framework wasn’t installed . Let’s go back to the AppDiscovery.log. Now no errors were listed but only warnings stating the script returned some error message (The application is detected as shown in the log “Detected App Deployment Type…”, but the application is not installed)

02072015_4

This one was tackled by disabling by unchecking “Run script as 32-bit process on 64-bit clients” on the detection method

02072015_5

After this little adjustment and another try everything looked good. The application was listed as “Available” in Software Center and the AppDiscovery.log showed the following: The App Deployment type was not detected.

02072015_6

Great! Hope this helps in helping you guys out!

Best regards,

B


UEFI PXE Boot for Surface Pro with Configuration Manager 2012 R2 #RDProud

May 19, 2015

Hi all,

The last days I’ve been struggling to enable a Surface Pro 2 tablet to PXE boot while different kinds of HP laptops were able to PXE boot in the same VLAN. The only difference between the 2 types is that the laptops all had BIOS while the Surface Pro 2 tablet only supports UEFI.

First of all I had to update the firmware of the device using the files on this website: https://www.microsoft.com/en-us/download/details.aspx?id=38826 That was needed because PXE boot wasn’t supported with the firmware that was installed on the device.

PXE boot options were added in the DHCP Scope:

  • Option 66: FQDN of the PXE server (in this case the Configuration Manager 2012 R2 primary site server)
  • Option 67: SMSBoot\x86\wdsnbp.com

When booting the Surface Pro 2 I receive the following error:

19052015_01

Looking further into this error I found that option 67 should be SMSBoot\x64\wdsmgfw.efi in stead of SMSBoot\x86\wdsnbp.com

So I’ve edited the DHCP Scope options as follows:

  • Option 66: FQDN of the PXE server (in this case the Configuration Manager 2012 R2 primary site server)
  • Option 67: SMSBoot\x64\wdsmgfw.efi

I performed another PXE boot with the Surface Pro 2 device but I received the following error: “Windows Deployment Services encountered the following error 0x102”

To avoid this behaviour DHCP option 60 should also be added with value “PXEClient”.

When I wanted to add this option I saw it was missing from the default DHCP scope options list (because WDS and DHCP are not installed on the same server). I had to set this option using the commands listed below in a cmd as administrator:

C:\WINDOWS\system32>netsh
netsh>dhcp
netsh dhcp>server \\<server_machine_name>
netsh dhcp>add optiondef 60 PXEClient String 0 comment=PXE support
netsh dhcp>set optionvalue 60 STRING PXEClient
netsh dhcp>exit

The DHCP options are now:

  • Option 60: PXEClient
  • Option 66: FQDN of the PXE server (in this case the Configuration Manager 2012 R2 primary site server)
  • Option 67: SMSBoot\x64\wdsmgfw.efi

A final test was a successful PXE boot with the Surface Pro 2 device.

Disadvantage of this is that devices doing PXE boot from BIOS will no longer be able to boot, this can be solved by using different DHCP scopes for different kind of devices.

Hope this information is usefull for you guys!

 

Best regards,

B