O365 PowerBI

April 17, 2018

Hello,

Today I would like to demonstrate a real life example on how to use Microsoft Power BI.

Setting the scene :

We are currently deploying the Windows 10 platform in a large environment. We have already performed a swap of approx. 6000 devices and are now starting the refresh on existing devices that are capable of running Windows 10.

In order to do so we rely on our network of Champions. These are skilled, ICT-minded colleagues who each have a group of end users under their “care”. They can assist their group of users and have specific tools and communication channels available with the ICT service.

Now the customer has approximately 350 different locations in Belgium and we have created a “self-service” system where the end user drives the upgrade by contacting his favorite champion. He/she can start the refresh operation after performing some manual and some semi-automated actions, and after a few hours the laptop is completely up and running with Microsoft's latest operating system.

However there are approx. 12k devices that will need to be upgraded, so this will be an ongoing operation for quite some time. So we needed a way to visualise and to stimulate progress. In comes Power BI !

In short, Power BI is the Business Intelligence part of Office 365, allowing you to create valuable insight into data. We are not going to discuss the details, we are just going to perform a quick overview and show the result.

Additional info and step by step can be found here :

https://docs.microsoft.com/en-us/power-bi/guided-learning/

Step 1 : get the data

Easy, we export the data from an SCCM query to Excel. We get raw data like PC name, AD site and client OS name.

clip_image001

We already modify the data by creating a pivot table that shows totals for location, OS version and devices.

clip_image002

Now we can import this file in our Power BI environment.

clip_image003

Step 2 : manipulate the data

Well, our SCCM report has the following parameters : PC name, operating system version and AD site name. The AD site name has a syntax that contains postal code, city and address information.

Because we want to visualise per province we needed to do the following :

=> Split the column with the ad site information based on “,”

clip_image004

=> Create an additional column that displays province information based on the postal code. Use a formula.

clip_image005

Then combine the information for maximum accuracy on geo location. Also rename to English language.

clip_image006

Good ! Now we want to display something that shows the number of devices with Windows 10 versus the total number of devices. We use a new measure.

clip_image007

Tip ! Rename your headers so you know which data you are using.

Now we define the location field and select the visualisation.

clip_image008

Stunning ! We quickly get an interactive overview of how the rollout is progressing.

clip_image009

And we can even create a location based visualisation.

clip_image010

The sky is the limit … Enjoy.

Gino D


SCOM – File Count Management Pack

December 21, 2017

Hi,

I visit a lot of customers to implement or support SCOM. Sometimes the same questions or troubles come up.

One of those questions is: “Is it possible to monitor the count of files (with a specific extension) in a share?”

The answer to this question is yes and no. There is a possibility to count files on Windows Servers that have an agent installed using this management pack: http://www.systemcentercentral.com/pack-catalog/file-system-management-pack-2/ but for shares located on non-Windows Servers, let’s say on a SAN for example I haven’t found a solution available.

Therefore I created my own management pack to monitor the file count, independent of the location of the file share (Windows Server or not).

In this post I describe how the management pack works. With the management pack you can count files with a specific extension (or no extension if everything should be counted) in a share (optionally also subfolders included).

There is also the ability to add a specific age, so the following scenario is possible: check whether there are more than 20 files in a share (subfolders included) that are older than 10 minutes.

First of all we need a seed discovery which is targeted to a registry key located on a SCOM agent monitored Windows Server.

The value in the registry is located under SOFTWARE\Filecount. The value is “CSV” and it should contain the path to a CSV file. The server will be discovered as a “File Count Watcher Node”

Next stop is the csv file itself, for every share to be monitored it should contain a line with a specific syntax shown in the screenshot below

Different parameters are added:

  • ID
    • Must be unique per share
  • Share
    • UNC path of the share
  • Extension
    • The extension of the files that needs to be counted, leave empty to count all files in the share
  • Count
    • How many files must be present for a critical state
  • Time
    • This is the time in minutes of the maximum file age of file count
  • Recurse
    • 0 = No need to count files in subfolders
    • 1 = Count also files in subfolders

When the info is filled in, SCOM will discover every line as a “File Count Share”. The properties are used to configure the monitoring.

A monitor is also defined based on the properties filled in the csv file, but it’s basically a powershell script with necessary parameters.

The core of the script is this command:

$count  = Get-ChildItem -Recurse $strShare\$strExtension | where{$_.LastWriteTime -le (Get-Date).AddMinutes($strAge)}|Measure-Object |%{$_.Count}

The file count is also gathered as a performance counter so it can be included in reporting or in a Squared Up dashboard for example.

The management pack is also configured to use a specific Run As account. This account needs rights on the shares: at least Read-only Share rights and Read-Only NTFS rights.
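The check described above, written out as an added example (this is not the script from the management pack on GitHub). It assumes the CSV has a header row with the column names listed above and a comma delimiter, that the state turns critical when the count reaches the threshold, and it uses a constructed temp folder in place of a UNC share. An unreadable share is reported as Unknown instead of 0 files, so a Run As account that lost its read rights does not look healthy.

```powershell
function Test-FileCountShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Share,
        [string]$Extension,
        [Parameter(Mandatory)][int]$Count,
        [int]$Time = 0,
        [ValidateSet(0, 1)][int]$Recurse = 0
    )
    # Only files last written at or before the cutoff are counted.
    # Abs() accepts the age whether it is supplied as 10 or -10.
    $cutoff = (Get-Date).AddMinutes(-[math]::Abs($Time))
    $params = @{ LiteralPath = $Share; File = $true; ErrorAction = 'Stop' }
    if ($Recurse -eq 1) { $params.Recurse = $true }
    if ($Extension)     { $params.Filter = '*.' + $Extension.TrimStart('*', '.') }
    try {
        $files = @(Get-ChildItem @params | Where-Object { $_.LastWriteTime -le $cutoff })
    } catch {
        # Missing share or denied access: report it, do not return a count of 0
        return [pscustomobject]@{ Share = $Share; FileCount = $null
                                  State = 'Unknown'; Detail = $_.Exception.Message }
    }
    $state = if ($files.Count -ge $Count) { 'Critical' } else { 'Healthy' }
    [pscustomobject]@{ Share = $Share; FileCount = $files.Count; State = $state; Detail = '' }
}

# Constructed sample data: three old .jpg files and one fresh one
$demo = Join-Path ([IO.Path]::GetTempPath()) ('fc-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
1..3 | ForEach-Object {
    $f = New-Item -ItemType File -Path (Join-Path $demo "img$_.jpg")
    $f.LastWriteTime = (Get-Date).AddMinutes(-30)   # older than the 10 minute limit
}
New-Item -ItemType File -Path (Join-Path $demo 'fresh.jpg') | Out-Null  # too new to count

# Constructed CSV: row 1 is the demo folder, row 2 points at a path that does not exist
$csv = @"
ID,Share,Extension,Count,Time,Recurse
1,$demo,jpg,3,10,0
2,$demo\missing,,20,10,1
"@ | ConvertFrom-Csv

$csv | ForEach-Object {
    Test-FileCountShare -Share $_.Share -Extension $_.Extension `
        -Count $_.Count -Time $_.Time -Recurse $_.Recurse
} | Format-Table Share, FileCount, State -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Row 1 comes back Critical with a file count of 3 (the fresh file is ignored), row 2 comes back Unknown.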

I’ve been able to help some customers already by using this management pack.

The first customer where I set this up is a big hospital in Belgium where they use this management pack to monitor shares which are used to store (and process) images and movies made during surgery.

The content should be processed from the network share and transferred somewhere else but sometimes the processing hangs and the share is getting full without anyone knowing. Since they have the management pack in place this hasn’t happened anymore.

If you have interest in the management pack, I’ve made it available via GitHub: https://github.com/bpinoy/ManagementPacks/tree/master/File%20Count%20MP

Best regards,

Bert

 

 

 


SCOM – Powershell Recovery Action – Stopped Windows Service

August 31, 2017

Hi,

Today I was at a customer who had a really specific question regarding monitoring of Windows Services with Operations Manager (SCOM).

We had already set up some basic recovery actions which restart the service automatically after it was stopped.

For some other services the customer wanted to add extra functionality: The recovery action should retry starting the service a maximum of 3 times, if the service wasn’t started after 3 tries the customer wanted to receive an email telling them the recovery action failed. Out-of-the-box SCOM is unable to do stuff like that, therefore I used Powershell to accomplish this.

Sidenote: To be able to use Powershell as a recovery action you can use the free management pack provided by the community & SquaredUp, it can be downloaded from this website: https://squaredup.com/free-powershell-management-pack/. This management pack adds Powershell everywhere it is missing in Operations Manager, this is one of the default management packs I always install at customers.

 

To be fully functional different components are needed:

  • A monitor that checks the status of the service
    • This monitor can be created from the Authoring pane of the SCOM console using the Windows Service template
  • A recovery action for the monitor created previously
    • The recovery action can be created from health explorer
  • A rule that picks up the event created by the recovery action Powershell script
    • This is an Alert Generating Rule (NT Event Log), the configuration is linked to the type and location of the event logged during the script
  • A subscription on the rule to send the email.

The powershell script:

# Fill in the service name here
$ServiceName = "LPD Service"
$ServiceStarted = $false
$i = 0

# Create the event log source. -ErrorAction Ignore is needed because an error is thrown once the source already exists
New-EventLog -LogName Application -Source "Powershell - Restart Service" -ErrorAction Ignore

Do {
    # In second or third run, wait a minute before trying to start the service
    if ($i -gt 0) { Start-Sleep -s 60 }

    # Try to start the service and read back its status
    Start-Service $ServiceName
    $Service = Get-Service -Name $ServiceName

    if ($Service.Status -eq "Running")
    {
        $ServiceStarted = $true
    }

    $i++

    # Give up after the third failed attempt
    if (($i -eq 3) -and ($ServiceStarted -eq $false))
    {
        $eventmessage = "$ServiceName failed to restart after $i attempts, exiting script"

        # Log error event in eventviewer (picked up by the alert generating rule)
        Write-EventLog -LogName Application -Source "Powershell - Restart Service" -EntryType Error -EventId 101 -Message $eventmessage

        exit
    }
}
Until ($ServiceStarted -eq $true)

$eventmessage = "$ServiceName restarted after $i attempt(s)"

Write-EventLog -LogName Application -Source "Powershell - Restart Service" -EntryType Information -EventId 100 -Message $eventmessage

 If you have any difficulties doing this, don’t hesitate to drop a comment below.

If you find this post useful, please consider buying me a virtual beer with a bitcoin donation: 3QhpQ5z5hbPXXRS8x6R5RagWVrRQ5mDEZ1

 

Best regards,

Bert


Quick Tip ! Bitlocker Pin screen gone !

January 11, 2017

 

Hello,

We recently used a partner’s deployment services in order to prestage approximately 5000 laptops for a Windows 10 deployment. Today we received our first shipment from the factory and we started one in full confidence.

After all, the image had been validated on site, everything worked there except for our part 2 SCCM task sequence that we use to finish up some minor issues and enable BitLocker.

So all went well, machines booted, startup scripts worked, part 2 was received and executed by the client.

But wait … We were expecting to see this after boot

clip_image002

But instead we saw this…

clip_image004

Now this is really a tricky issue because it took some time before we realized that the screen was actually there but we did not see it, so if you wait then the machine just shuts down.

Ok so now for the solution :

On the machine run bfsvc.exe %windir%\boot /v

Reboot the device and it should be ok.

What probably happened is that some of the fonts that are on the UEFI boot partition were corrupted, resulting in the “blue” screen. The command bfsvc.exe copies the required files from windows\boot to the required partition.

Saved our day !

Some refs : https://answers.microsoft.com/en-us/windows/forum/windows8_1-security/bitlocker-pin-pre-boot-screen-empty/f985c4f6-dd71-4586-bd46-50f513432bb3?page=1

Enjoy

Gino D

P.S. We were unable to execute this command in the task sequence environment so we had to run it during our startup script.


Quick Tip ! GPO delay Windows 10 DA

December 8, 2016

Hello,

We discovered in one of our customer environments that there was a long delay at computer startup time with Windows 10 build 1607.

Now we had an acceptance environment where the issue did not occur, only difference was that DA was enabled at production site and not at the acceptance environment.

So we activated verbose messaging using :

Computer -> Admin Templates -> System

clip_image002

… This revealed a 60 second timeout during startup : waiting for workplace connectivity.

A quick lookup revealed a default one minute wait time for connectivity before processing group policy. So we modified the following policy :

Computer -> Admin -> System -> Group Policy

clip_image004

This resulted in a much quicker computer startup.

Enjoy.

Gino D


#RMS in Azure

December 6, 2016

 

Hello,

Today we’ll run a RMS scenario in our demo office 365 environment. RMS provides the ability to restrict certain actions to documents ( office and other ) depending on the authenticating user by encrypting the required files. This way you can share confidential data in an easy way and make sure only the allowed persons can perform some actions with the documents.

You can find a clear overview here ( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms )


Now, we’ll start by enabling the feature on a limited group.

Step 1 : we’ll limit the usage to a test group so we’ll use the procedure described in https://docs.microsoft.com/en-us/rights-management/deploy-use/activate-service

We have downloaded and installed the required Azure AD Rights Management Administration toolset.

clip_image004

Hmm. Apparently we need the MS Online Services Sign-in assistant first.

https://support.office.com/nl-nl/article/Microsoft-Online-Services-aanmeldhulp-opnieuw-installeren-6f295d05-ae37-4054-8faf-c89dd48d1827?ui=nl-NL&rs=nl-NL&ad=NL so download and install.

Ok straightforward setup of both components.

clip_image006

Now let’s create a test group that will be used in order to validate the RMS functionality. In this case we create an Azure security group.

clip_image008

You’ll need to install the Azure AD PowerShell module in order to retrieve the ID of the group.

See : https://msdn.microsoft.com/en-us/library/jj151815.aspx

Then run some commands in order to retrieve the required ID.

clip_image010

Now we can set the RMS feature active for a specific security group and only if the user has the correct license assigned.

PS C:\Windows\system32> Set-AadrmOnboardingControlPolicy -UseRMSUserLicense $True -SecurityGroupObjectId 532a71c3-f370-47bb-9dd8-34026ea751cf

WARNING: The tenant user on-boarding control policy will be updated by this operation.

clip_image012

Verify the result by using Get-AadrmOnboardingControlPolicy

clip_image014

Ok done, now let’s add our test user to the group.

clip_image016

And let’s add the required license to our user. In this case the already assigned E3 license covers RMS ( see https://technet.microsoft.com/nl-be/library/office-365-plan-options.aspx and https://technet.microsoft.com/en-us/dn858608 )

clip_image018

And enable it !

clip_image020

You can now check the status by using portal.azure.com -> Rights management status

clip_image022

If you click through you’ll see that there are 2 templates already published

clip_image024

On the client device download and install the rights management sharing application for Windows. This application is available for multiple OS’s.

clip_image026

Set it up

clip_image028

All went well

clip_image030

Now if you create a word document and save it then you can use explorer to add RMS based security to this document

clip_image032

If you use the protect in place option then you will see that the client will download the policies from the RMS system and then present the options to use these templates ( 2 templates are created by default )

clip_image034

As soon as the document is protected you’ll see the RMS banner if you open the document in Word.

clip_image036

Now you can also share the content in a secure way, this will create a secured attachment with specific rights included

However when I tried to share it with an external user with commercial email ( @hotmail / @gmail / … ) this will not work ( yet, this functionality will be implemented in a next version of the product )

clip_image038

But you can share it with other ( non commercial ) email addresses. Now there are 2 possibilities :

-> The recipient already uses an Azure service, so it has an Azure Active Directory and can authenticate

-> The recipient does not already use an Azure service, so it needs to be enrolled in Azure AD in order to be able to authenticate

The user can use this link ( https://docs.microsoft.com/en-us/information-protection/understand-explore/rms-for-individuals-user-sign-up )

Once done you can track usage etc. by using a web link ( the specific link will be added to your email message )

clip_image040

Additional info and faqs can be found here : https://docs.microsoft.com/en-us/information-protection/get-started/faqs-rms

Overall some great functionality at your fingertips !

Enjoy.

Gino D


Windows 10 Enterprise IE11

November 6, 2016

 

Hello,

Windows 10 is great but we discovered some annoyances in an enterprise environment. For example we deploy Windows 10 to an environment where IE11 is the standard browser, so we don’t want to confuse the user with the default Edge icon.

You know this one

clip_image002

We can set the default browser and file type associations on a reference machine and export them by using dism /online

clip_image004

And we can import them again using the same toolset, no problem here.

But as soon as a user logs in on a Windows 10 device he/she gets a default profile and gets the Edge and Store icons attached to the quicklaunch bar.

Now there are several solutions for this :

-> We can script ( but we don’t want to do that , it starts simple but it ends up being a complete bible )

-> We can modify the default user profile ( the copyprofile setting in unattend.xml doesn’t add the quicklaunch icons so this would be hardcoded in our default user profile, we don’t like that either )

-> We can use preferences ( it can be centrally managed and we can modify afterwards, not perfect we’ll explain but this is the best option for me )

What do we need :

Well actually 3 things , you’ll see that if you manually modify the quicklaunch bar and add icons to it using the explorer like this ( pin to taskbar Option )

clip_image006

There are 2 modifications : first a change in registry ( HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband ) and second a link file that is created in ( %appdata%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar )

clip_image008

So we’ll create a preference that performs the required actions :

Step 1:

Copy the icons of Office 2013 to the quicklaunch location

 

clip_image010

Copy them from the default startmenu location to the quicklaunch.

Step2 :

Create the shortcut for iexplore (X86 )

clip_image012

Step 3 :

Import the required registry keys

clip_image014

Et voila … Correct quicklaunch icons set.

Now we use item-level targeting so the settings only apply to Windows 10 devices, because we have a mixed environment. The goal was to apply these settings once and not reapply them, but we noticed that when a user gets a new profile the registry settings are not applied the first time. So we had to abandon that idea, meaning the quicklaunch icons cannot be modified by the user: during logoff/logon they will be set back to default.

We have a call open to investigate the issue further.

Enjoy

Gino D

 

Update : better ways are available since 1607 : https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-taskbar