Reboot notifications

May 9, 2016

Hello,

Reboot notifications: we all hate to reboot. Normally the less the better, but as … an admin you want to persuade your users to reboot the device from time to time. It keeps the device healthy and running smoothly.

Now in SCCM we have several options for rebooting. In this particular case we suppress the reboot for the update deployment, so the user gets notified but is not forced to reboot.

Unfortunately the result was this :

clip_image002

That’s odd: the Windows Update reboot notification was not what we wanted. If we check the notification area we see 2 notifications: one for the SCCM client and one for Windows Update.

clip_image004

The setting required to modify this behavior was the following :

· System -> Windows Components -> Windows Update -> Configure Automatic Updates : Disabled

· Re-prompt for restart : Disabled.

clip_image006

After modification of these policies the result was better ! Just one notification.

clip_image008

And if the user presses the Open restart button :

clip_image010

Or select the restart now option :

clip_image012

In the software center applet you can see detailed info about which update requires a reboot.

clip_image014

Now the behavior is different for software installations requiring a reboot. For example this IE11 installation returns a 3010.

clip_image016

The user will be notified about a required reboot on the device. The settings are configured in the SCCM client settings for “Computer Restart”.

clip_image018

The user will receive a popup :

clip_image020

If ignored the restart icon will stay in the notification area.

clip_image022

Now according to the settings there is a permanent message shown as soon as there is only 15′ left on the clock. The color of the progress bar will change and the hide button will become unavailable.

clip_image024

Enjoy

Gino D


SCCM Distribution point down !

December 17, 2015

Ho ho ho,

Almost merry Christmas everyone ! Enjoy the holidays .

Until then, here’s some useful information about fallback locations in sccm 2012.

As you all know there are lots of different options for redirecting a client to a specific distribution point for downloading content. The most common setup involves “preferred” distribution points linked to a specific boundary group. By specifying the option “allow fallback source location” on the distribution point we can allow clients to use a fallback option when content is not available.

clip_image002

Now there is a great blog going through the option in detail : http://blogs.technet.com/b/neilp/archive/2013/01/03/on-demand-content-distribution-fallback-distribution-points-a-2012-configuration-manager-micro-depp-dive.aspx

Here’s the catch, however. These scenarios all work when the DP is online but the content is unavailable.

But if the DP is offline, the deployment will fail, as the MP will continue to present these DPs to the clients even while they are unavailable. The client will retry the unavailable DP for 8 hours before switching to the next.

You can find detailed info about the behavior here : http://blogs.technet.com/b/wemd_ua_-_sms_writing_team/archive/2008/11/25/clarifying-retry-behavior-for-distribution-points.aspx

clip_image004

So what can we do ?

Well we can remove the DP from our boundary group and then the MP will no longer present it to the client.

clip_image006

Nice ! But that’s a manual action. No, not really, as we can use Orchestrator to run a simple ping test on our DP and, when it’s unavailable, run a PowerShell script to remove it from the boundary group and add some alerting ( in our case we create an alert in SCOM ).

Some good examples can be found here : http://cm12sdk.net/?p=513
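The ping test and boundary group removal described above, as an added example that is not the author's runbook. It uses the SMS_BoundaryGroupSiteSystems class and the RemoveSiteSystem method of SMS_BoundaryGroup from the ConfigMgr SDK; the DP name, state file and event source are placeholders, and the event log entry stands in for whatever your monitoring picks up.

```powershell
# Added example, not the author's runbook. $SiteCode, $DpFqdn, $StateFile and the
# 'DP-Watchdog' event source are placeholders chosen for this sketch.
$SiteCode  = 'XXX'                           # replace with your site code
$DpFqdn    = 'dp01.example.local'            # constructed DP name
$StateFile = 'C:\Temp\dp-boundarygroups.csv' # memberships saved for re-adding later
$Ns        = "root\sms\site_$SiteCode"

# -Quiet returns $true when at least one of the three echo requests is answered.
if (Test-Connection -ComputerName $DpFqdn -Count 3 -Quiet) {
    "$DpFqdn answers ping, boundary groups left unchanged."
    return
}

# Every boundary group that still lists this DP as a site system.
$links = @(Get-WmiObject -Namespace $Ns -Query `
    "SELECT * FROM SMS_BoundaryGroupSiteSystems WHERE ServerNALPath LIKE '%$DpFqdn%'")

foreach ($link in $links) {
    # Record the membership first so the DP can be added back once it recovers.
    # (Export-Csv -Append needs PowerShell 3.0 or later.)
    $link | Select-Object GroupID, ServerNALPath, Flags |
        Export-Csv -Path $StateFile -Append -NoTypeInformation

    $group = Get-WmiObject -Namespace $Ns -Query `
        "SELECT * FROM SMS_BoundaryGroup WHERE GroupID = $($link.GroupID)"

    # RemoveSiteSystem takes an array of NAL paths.
    $in = $group.psbase.GetMethodParameters('RemoveSiteSystem')
    $in.ServerNALPath = @($link.ServerNALPath)
    $out = $group.psbase.InvokeMethod('RemoveSiteSystem', $in, $null)
    "Removed $DpFqdn from '$($group.Name)': ReturnValue $($out.ReturnValue)"
}

# Leave a warning in the Application log for the monitoring system to alert on.
if (-not [Diagnostics.EventLog]::SourceExists('DP-Watchdog')) {
    New-EventLog -LogName Application -Source 'DP-Watchdog'
}
Write-EventLog -LogName Application -Source 'DP-Watchdog' -EventId 9001 -EntryType Warning `
    -Message "$DpFqdn is unreachable; removed from $($links.Count) boundary group(s)."
```

The saved CSV holds the GroupID, NAL path and flags needed to add the DP back to the same boundary groups once it is reachable again.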

Enjoy !

Gino D


SCCM 2012 DCM #rdproud

July 31, 2015

Hello,

Today I created an SCCM 2012 DCM rule for verifying if all services set to automatic are effectively started. Sounds easy, but there are some catches.

For a walkthrough see http://blogs.msdn.com/b/scom_2012_upgrade_process__lessons_learned_during_my_upgrade_process/archive/2012/09/21/compliance-settings-sccm-2012.aspx

The interesting part is however :

-> As soon as you add a remediation script to your CI it will always show up compliant.

Baseline 1 without remediation

clip_image002

Shows up as non compliant ( which is correct )

As you can see the output presented by the script is “Incompliant” and it needs to be “Compliant” so we’re in an error state.

clip_image004

Now if we add the remediation script.

clip_image006

And perform the exact same thing ( after policy refresh )

clip_image008

And you’ll see that the rule reports as compliant because it automatically assumes the remediated value is “Compliant”

Since there was logging attached to the PowerShell script we can see the following. First of all, I use the script name as the log file, and apparently the PowerShell script name is regenerated each time the DCM rule is evaluated, so use a hardcoded log file.

clip_image010

Now the remediation script logs the same output : Incompliant

clip_image012

So my guess is the detection rule is not re-evaluated after repair so state is assumed compliant.
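A discovery and remediation script pair for the rule described in this post, as an added example that is not the author's script (the original was only shown in screenshots). It returns the same "Compliant" / "Incompliant" strings and logs to a fixed path; the log location and the exclusion list are assumptions.

```powershell
# Added example, not the author's script. Paste it twice into the configuration item:
# as the discovery script with $Remediate = $false, as the remediation script with $true.
$Remediate = $false

# Fixed path: the page notes the script file name changes on every evaluation.
$LogFile = 'C:\Windows\Temp\DCM_AutoServices.log'   # hypothetical location

# Automatic services that stop on their own by design (constructed list, adjust it).
$Ignore = @('sppsvc', 'gupdate')

function Write-Log([string]$Text) {
    Add-Content -Path $LogFile -Value ('{0}  {1}' -f (Get-Date -Format s), $Text)
}

function Get-StoppedAutoService {
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Where-Object { $Ignore -notcontains $_.Name }
}

$stopped = @(Get-StoppedAutoService)

if ($Remediate) {
    foreach ($svc in $stopped) {
        $rc = $svc.StartService().ReturnValue
        Write-Log "StartService $($svc.Name) returned $rc"
    }
    Start-Sleep -Seconds 10                  # give the services time to reach Running
    $stopped = @(Get-StoppedAutoService)     # check again after the repair
}

# ConfigMgr compares this single output string with the value set in the compliance rule.
if ($stopped.Count -eq 0) {
    Write-Log 'Compliant'
    'Compliant'
} else {
    Write-Log ('Incompliant: ' + (($stopped | ForEach-Object { $_.Name }) -join ', '))
    'Incompliant'
}
```

Because the remediation copy re-queries the services after starting them, its log line shows whether the repair actually worked, independent of the state the console reports.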

Solution could be to add the same rule twice :

-> Once with remediation reporting no issues when non compliant

-> Once without remediation reporting Critical severity

clip_image014

Hmm.. This is not working, still Compliant after evaluation. So I added 2 settings and created a set of 2 Compliance Rules

clip_image016

clip_image018

Much better, now I have an incompliant state but my repair script has executed.

clip_image020

We can see the Rule1 is evaluated and remediated but has not made a change in compliancy state.

clip_image022

Wow, this should have been easier to do no ?

Enjoy.

Gino D


Quick Tip ! Redistribute failed packages in ConfigMgr #RDProud

May 26, 2015

Hello,

We were having issues with several packages not being distributed correctly in a large SCCM 2012 environment. If we redistribute the failed packages on a specific DP then the issue is resolved.

We’ll perform a root cause analysis next time, let’s focus on getting our content to the DP’s for now.

So I have created a PowerShell script ( based on http://www.david-obrien.net/2013/11/redistribute-failed-packages-configmgr-dps/ ) that will take all the failed distributions on a specific DP and refresh them.

Here it is ( replace XXX with your site code):

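# Name (or part of the name) of the DP; the % signs are WQL wildcards for LIKE
$fileserver = "%Name_of_your_DP%"

# State = 3 selects the failed distributions on that DP
$failures = Get-WmiObject -Namespace root\sms\site_XXX -Query "SELECT PackageID FROM SMS_PackageStatusDistPointsSummarizer WHERE (State = 3 AND SourceNALPath LIKE '$fileserver')"

foreach ( $failure in $failures )
{
    $id = $failure.PackageID
    Write-Host $id

    # The package/DP pair that has to be refreshed
    $DP = Get-WmiObject -Namespace root\sms\site_XXX -Query "SELECT * FROM SMS_DistributionPoint WHERE (ServerNALPath LIKE '$fileserver' AND PackageID = '$id')"
    Write-Host $DP

    # Setting RefreshNow and saving the instance triggers the redistribution
    $DP.RefreshNow = $true
    $DP.Put()
}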

If you combine this with content validation on a schedule and the report ->

Software Distribution -> Content -> All active content distribution -> failed

clip_image002

You can export to CSV and have a nice filtered Excel sheet that can be used to select the correct DP.

clip_image004

Enjoy.

Gino D


Add a password to task sequence ConfigMgr #rdproud

May 19, 2015

 

Hello,

Say you want to add a password to a task sequence ?

Yes, you can do that starting from PXE but not starting from the OS (out-of-the-box) so let’s modify.

First create a simple PowerShell script:

# Script can be used in order to ask a password in SCCM task sequence
# Requires vPassword to be created in TS , if input equals then vContinue will be set to OK
#
# Gino D’hoker
#
# 4/05/2015

# Prompt for input
$password = Read-Host "Please enter the password." -AsSecureString

# Convert the SecureString to plain text for the comparison, then wipe the unmanaged copy
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$password = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

# -ceq compares case-sensitively ( -eq would ignore case )
If ($password -ceq $tsenv.Value("vPassword"))
{
    $tsenv.Value("vContinue") = "OK"
}

clip_image002

This will ask for input, check if the answer is identical to a ts variable called vPassword and then set a variable called vContinue to OK.
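A variant of the check above that compares against a salted PBKDF2 hash, so the clear-text password does not have to be stored in the task sequence. This is an added example, not the author's script; the task sequence variable vPasswordHash and both function names are hypothetical.

```powershell
# Added example. vPasswordHash is a hypothetical task sequence variable that holds
# "iterations:saltBase64:hashBase64" instead of the clear-text password.

# Run once on an admin workstation to produce the value for vPasswordHash.
function New-TsPasswordHash([string]$Plain, [int]$Iterations = 100000) {
    $salt = New-Object byte[] 16
    (New-Object Security.Cryptography.RNGCryptoServiceProvider).GetBytes($salt)
    $kdf = New-Object Security.Cryptography.Rfc2898DeriveBytes($Plain, $salt, $Iterations)
    '{0}:{1}:{2}' -f $Iterations, [Convert]::ToBase64String($salt),
        [Convert]::ToBase64String($kdf.GetBytes(32))
}

function Test-TsPassword([Security.SecureString]$Candidate, [string]$Stored) {
    $iterations, $saltB64, $hashB64 = $Stored -split ':'
    $salt     = [Convert]::FromBase64String($saltB64)
    $expected = [Convert]::FromBase64String($hashB64)

    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Candidate)
    try {
        $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $kdf    = New-Object Security.Cryptography.Rfc2898DeriveBytes($plain, $salt, [int]$iterations)
        $actual = $kdf.GetBytes($expected.Length)
    }
    finally {
        # Wipe the unmanaged clear-text copy even if the derivation throws.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    # Compare every byte so timing does not reveal where the first mismatch is.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ($actual[$i] -bxor $expected[$i])
    }
    return ($diff -eq 0)
}

# Inside the task sequence (the COM object only exists while a task sequence runs):
$tsenv   = New-Object -ComObject Microsoft.SMS.TSEnvironment
$entered = Read-Host 'Please enter the password.' -AsSecureString
if (Test-TsPassword -Candidate $entered -Stored $tsenv.Value('vPasswordHash')) {
    $tsenv.Value('vContinue') = 'OK'
}
```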

Now let’s create the ts, you’ll need the MDT package for Serviceui.exe in order to allow interaction with the ts

clip_image004

Step 1 will only be applied if not in WinPE

clip_image006

Now use the mdt package and perform a custom action for asking input

clip_image008

Because we’ll use the same ts from PXE and from OS we’ll need to set the vContinue to OK if started from PXE

clip_image010

clip_image012

And now just continue the rest of the ts only if vContinue is OK

clip_image014

So what does this look like ? Step 1 you receive the default warning

clip_image016

Step 2 the script asks for the password.

clip_image018

If incorrect it will not perform the reinstallation.

P.S I know the dos box isn’t state of the art, I’ll check into the Powershell forms the next time to get a more fancy request for input

The rest you know.

Enjoy.

Gino D


Rename and set password for local admin using configmgr #rdproud

May 19, 2015

 

Hello,

As you all know 🙂 -> Modification of local user passwords is no longer possible using Group Policy preferences. When did this happen ?

You can find additional info here https://support.microsoft.com/en-us/kb/2962486

Solution could be to reuse a sccm task sequence in order to rename the local admin and set the password.

We will use a task sequence variable as the password that should be applied.

We’ll create a powershell script.

# Change_passwords.ps1
#
# Author = Gino D’hoker
#
# Will be used in SCCM task sequence for renaming and setting password of local admin
# requires task sequence variable named vPassword with the required password
#
# Version 1.0

$computerName = $env:COMPUTERNAME
$computer = [ADSI]"WinNT://$computerName,Computer"

foreach ( $childObject in $computer.Children ) {
    # Skip objects that are not users.
    if ( $childObject.Class -ne "User" ) {
        continue
    }
    $type = "System.Security.Principal.SecurityIdentifier"
    #CALLOUT A
    $childObjectSID = New-Object $type($childObject.objectSid[0],0)
    #END CALLOUT A
    # The built-in Administrator account is the one whose SID ends in -500
    if ( $childObjectSID.Value.EndsWith("-500") ) {
        "Local Administrator account name: $($childObject.Name[0])"
        "Local Administrator account SID: $($childObjectSID.Value)"
        $username = $($childObject.Name[0])
        break
    }
}

# Stop here if no account with a -500 SID was found
if ( -not $username ) {
    throw "No local account with a SID ending in -500 found."
}

# Read the new password from the task sequence variable
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$strPassword = $tsenv.Value("vPassword")

# Rename the account and set the password
$user = [ADSI]"WinNT://./$username"
$user.psbase.Rename("xxx.localadmin")
$user.SetPassword($strPassword)

clip_image002

Now create a task sequence in order to deploy the task.

First create the required variable

clip_image004

Second run a posh script

clip_image006

Now deploy it on a schedule

clip_image008

And you have a worthy replacement of your preference !

clip_image010

Enjoy.

Gino D


Interactive Task sequence

March 22, 2014

Hello,


Task sequences in sccm provide a great mechanism for executing several steps, for example during complex application or operating system deployment.


One of the features, by design, is that task sequences always run without interaction with the end user, which is logical in most circumstances.


In order to show what we mean we have created a simple ts, running notepad.exe



If we run the ts this is what we see :



The TS is running but the user does not see the process notepad.exe



The notepad is running but the user can’t see it , it’s running in the system context without user interaction.


Now we create another ts using serviceui.exe, this executable is part of the MDT2010 installation. Just create a package with the executable.



Remember that there is an x86 and an x64 edition, and if you want to test, the process needs to be executed under system credentials ( so use psexec -s cmd.exe )



The interactive ts looks like this.


Run a custom command line :
serviceui.exe -process:TSProgressUI.exe %windir%\notepad.exe

Now if we run this task sequence :


Oh … great ! Now you can run your favorite powershell wrappers interactively in a task sequence.


serviceui.exe -process:TsProgressUI.exe %windir%\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy Bypass -file .\MyFavoriteWrapper.ps1


Update ! There is a problem with running serviceui.exe if there is no active user logged on. The executable returned an error in our environment in that situation. To work around this issue you can use a WMI query as a condition for the serviceui.exe task.


select * from win32_computersystem where username IS NOT NULL


Use this so the serviceui task will only run if there is a logged on user. If not the task will be skipped and the rest of the ts will run.

Enjoy …