SCCM – Deploy Unknown Computers with Assettag as computername

January 5, 2017


In a recent Windows 10 deployment project (with SCCM) a customer of mine wanted to use the Serialnumber as the computername within Active Directory. The customer is using Unknown Computers so they don’t the need to import them first. Also there was the need to identify if a computer was a desktop or laptop, this was needed to make sure the computer was joined in the right OU depending of that type and to make sure Bitlocker was only applied to laptop computers.  To provide this functionality I’ve created a vbs script:

Part 1: Set Computername variable

Set objOSD = CreateObject(“Microsoft.SMS.TSEnvironment”)

Set SWBemlocator = CreateObject(“WbemScripting.SWbemLocator”)
Set objWMIService = SWBemlocator.ConnectServer(strComputer,”root\CIMV2″,UserName,Password)
Set colItems = objWMIService.ExecQuery(“Select * from Win32_SystemEnclosure”,,48)

For Each objItem in colItems
strOSDComputername = objItem.SerialNumber

objOSD(“OSDComputerName”) = strOSDComputerName

The variable OSDComputerName is a default task sequence variable. Therefore no further actions need to be taken in the task sequence to make sure it is used to name the computer.

Part 2: Set Chassis variable

Set colChassis = objWMIService.ExecQuery(“Select * from Win32_SystemEnclosure”,,48)
For Each objChassis in colChassis
    For  Each strChassisType in objChassis.ChassisTypes
        Select Case strChassisType

            Case 3
                  StrType = “Desktop”
            Case 4
                   StrType = “Desktop”
            Case 6
                   StrType = “Desktop”
            Case 7
                  StrType = “Desktop”
            Case 8
                StrType = “Laptop”
            Case 9
                 StrType = “Laptop”
            Case 10
                  StrType = “Laptop”
            Case 11
                  StrType = “Laptop”
            Case 12
                   StrType = “Laptop”
            Case 14
                  StrType = “Laptop”
            Case 15
                  StrType = “Laptop”
            Case Else
    StrType = “unknown”
            End Select

objOSD(“Chassis”) = StrType

The variable “Chassis” can now be used like any other task sequence variable to make sure certain steps only run for a laptop or desktop.

Save the above codesnippets into a vbs file and create an SCCM package containing the script.

Afterwards add a “Run Command Line” step to the task sequence, provide the package details and the following command line: cscript.exe “…vbs”

That should do the trick.

Obviously this is one solution among others, there are many other ways to accomplish the same but this seemed the easiest to me.

A little remark: When reinstalling a computer with Bitlocker enabled, make sure the Run Command Line step is located after the partition disk step, otherwise the script will fail as WMI cannot be accessed from WinPE. I’ve experienced this the hard way.

Hope this helps!


Best regards,










SCCM 2012 DCM #rdproud

July 31, 2015


Today I created a sccm2012 dcm rule for verifying if all services set to automatic are effectively started. Sound easy but there are some catches.

For a walkthrough see

The interesting part is however :

-> As soon as you add a remediation script to your CI it will allways show up compliant.

Baseline 1 without remediation


Shows up as non compliant ( which is correct )

As you can see the output presented by the script is “Incompliant” and it needs to be “Compliant” so we’re in an error state.


Now if we add the remediation script.


And perform the exact same thing ( after policy refresh )


And you’ll see that the rule reports as compliant because it automatically assumes the remediated value is “Compliant”

Since there was logging attached to the ps we can see the following. First of all I use the scriptname as logfile and apparently the powershell script name is regenerated each time the dcm rule is evaluated so take a hardcoded log file.


Now the remediation script logs the same output : Incompliant


So my guess is the detection rule is not re-evaluated after repair so state is assumed compliant.

Solution could be to add the same rule twice :

-> Once with remediation reporting no issues when non compliant

-> Once without remediation reporting Critical severity


Hmm.. This is not working still Compliant after evaluation. So I added 2 settings and created a set of 2 Comliance Rules



Much better, now I have an incompliant state but my repair script has executed.


We can see the Rule1 is evaluated and remediated but has not made a change in compliancy state.


Wow, this should have been easier to do no ?


Gino D

Quick Tip ! Redistribute failed packages in ConfigMgr #RDProud

May 26, 2015


We were having issues with several packages not being distributed correctly in a large sccm 2012 environment. If we redsitribute the failed packages on a specific dp then the issue is resolved.

We’ll perform a root cause analysis next time, let’s focus on getting our content to the DP’s for now.

So I have created a powershell script ( based on ) that will take all the failed distributions on a specifc DP and refresh them.

Here it is ( replace XXX with your site code):


$failures = Get-WmiObject -Namespace root\sms\site_XXX -Query “SELECT packageid FROM SMS_PackageStatusDistPointsSummarizer WHERE (State = 3 AND SourceNALPath like ‘$fileserver’ )”

foreach ( $failure in $failures )


$id = $failure.PackageID

write-host $id

$DP = Get-WmiObject -Namespace root\sms\site_XXX -Query “SELECT * FROM SMS_DistributionPoint WHERE (ServerNALPath like ‘$fileserver’ and PackageID=’$id’ )”

write-host $DP




If you combine this with content validation on a schedule and the report ->

Software Distribution -> Content -> All active content distribution -> failed


You can export to csv and have a nice filtered excel that can be used as in order to select the correct DP.



Gino D

Rename and set password for local admin using configmgr #rdproud

May 19, 2015



As you all know 🙂 -> Modification of local user password no longer possible using preference. When did this happen ?

You can find additional info here

Solution could be to reuse a sccm task sequence in order to rename the local admin and set the password.

We will use a task sequence variable as the password that should be applied.

We’ll create a powershell script.

# Change_passwords.ps1



# Author = Gino D’hoker


# Will be used in SCCM task sequence for renaming and setting password of local admin

# requires task sequence variable named vPassword with the required password



# Version 1.0

$computerName = $env:COMPUTERNAME

$computer = [ADSI] “WinNT://$computerName,Computer”

foreach ( $childObject in $computer.Children ) {

# Skip objects that are not users.

if ( $childObject.Class -ne “User” ) {



$type = “System.Security.Principal.SecurityIdentifier”


$childObjectSID = new-object $type($childObject.objectSid[0],0)


if ( $childObjectSID.Value.EndsWith(“-500”) ) {

“Local Administrator account name: $($childObject.Name[0])”

“Local Administrator account SID: $($childObjectSID.Value)”

$username = $($childObject.Name[0])




$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

$strPassword = $tsenv.Value(“vPassword”)

$user = [ADSI]”WinNT://./$username”




Now create a task sequence in order to deploy the task.

First create the required variable


Second run a posh script


Now deploy in on a scheduled base


And you have a worthy replacement of your preference !



Gino D

Configmanager dependencies and conditions.

July 16, 2013


Today a talk about dependencies and prerequisites ( conditions ). Say you have an application like scsm console , which has several apps required for installing. If you upgrade from scsm 2012 console then you need ( in my case ) :

  • Scsm2012 ur2
  • Ms report viewer 2008 sp1
  • Ms sql analysis objects 2012
  • Scsm 2012 sp1
  • Scsm 2012 sp1 cu2

As described in previous post you can create dependencies for the different applications.

Below you see the latest cu2 for scsm 2012 sp1.

We create an application…

With a detection Method…

First issue , after the installation of the 2012 sp1 cu2, the scsm 2012 sp1 no longer detected as installed, so he tries to reinstall. ( after the cu2 has been applied )

Result :

Solution modify the detection method because the update CU2 modifies the version number of the console

After the update has been installed.

Ok, now we can chain them together.

First Install OK but as soon as the application detection cycle kicks in : issue because the installation no longer detects the 2012rtm ur2 as being installed ( because the installation of the 2012 sp 1 removes these keys ). So the application will install the 2012 rtm ur2 on top of a 2012 sp 1 installation which results again in an error.

Solution is to create a condition

add this to the UR2 deployment

Now the installation of the ur2 will only apply once because the requirement is no longer met after the installation of the scsm 2012 sp 1.

However ! When an application has several dependencies and one of those dependencies has a requirement which is not met, the none of the dependencies will be enforced. In other words the console will not be reinstalled.

So, you’ll see something like this

So this will mess up your monitoring because you don’t see if the scsm 2012 sp 1 cu 2 is correctly deployed or not.

So alternative approches :

  • Create a good old fashioned task sequence with packages and programs and set conditions to the steps
  • Create 2 seperate deployments with conditions :
    • One for the installation of 2012 rtm ur2 with condition 2012 rtm console installed
    • One for the 2012 sp 1 cu 2 with dependency 20120 sp1 console
  • Install manually 😊

Also remember that the console has a different commandline for full install or upgrade.

A bit complex but this would provide better reporting. Anyhow be carefull with the detection mechanism and conditions, they can prove to be tricky !


CM 2012 Wake on LAN – Right click tools

January 4, 2013


First of all our best wishes for the new year.

Today was my first day back after almost 2 weeks off and I immediately had something interesting at my customer.

They wanted to use the Wake On LAN feature of Configuration Manager 2012, that’s why I have installed the right click tools for the Configuration Manager 2012 Console. More information about the right click tools can be found here:

Installing the right click tools didn’t work because Configuration Manager 2012 is installed on the D: partition, so I manually copied all folders in the right place

After copying the right click tools new options are available for every computer. The option I’m interested in at the moment is Wake On LAN (marked in yellow on the following screenshot)


When this option is clicked a messagebox appears which states that sending the WakeUp to the specific computer succeeded, but if I look at the computer doesn’t wake up at all.


When using the Wake On LAN feature of Altiris Deployment Server for example the Wake On LAN did succeed. So I started to examine the differences between both. After using some network tracing tools like WireShark I saw that the Wake On LAN functionality provided by the right click tools for Configuration Manager 2012 did a broadcast to and the Wake On LAN from Altiris performed a broadcast to the broadcastaddress of the VLAN where the client was located (eg. After some more digging in I found out that the switches dropped all traffic with destination

So what I needed to do was editing the Wake On LAN functionality of the right click tools to make sure the VLAN broadcast address was targeted, now I will describe how I did that.

First I looked at the console extension XML to see what commandline was started when I clicked Wake On LAN from the Configuration Manager 2012 console. The XML is located in the installation directory of Configuration Manager: D:\Program Files\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions\ed9dee86-eadd-4ac8-82a1-7234a4646e62.

<ActionDescription Class=”Executable” DisplayName=”Wake On LAN” MnemonicDisplayName=”Wake On LAN” Description=”Send Wake on LAN signal to system”>






          <Parameters> “C:\Program Files\SCCMConsoleExtensions\SCCMAction.vbs” ##SUB:Name## W ##SUB:ResourceID## ##SUB:__Server## ##SUB:__Namespace##</Parameters>



The area marked in boldshows what script is started when Wake On LAN is clicked, so I’ve opened this script.

 Sub WakeOnLAN

    On Error Resume Next

     Set objSMSWMIService = GetObject(“winmgmts:{impersonationLevel=impersonate}!\\” & strSiteServer & “\” & strNameSpace)

    Set colMACAddress = objSMSWMIService.ExecQuery(“SELECT * FROM SMS_G_System_NETWORK_ADAPTER_CONFIGURATION WHERE ResourceID='” & strResourceID & “‘ AND IPAddress IS NOT NULL”)

    For Each instance in colMACAddress

        strMACAddress = instance.MACAddress

        strWOLAddress = (Replace(instance.MACAddress,”:”,””))

         WshShell.Run chr(34) & strCurrentPath & “WOL.exe” & chr(34) & ” ” & strWOLAddress,0

        strWOLSent = strWOLSent & vbCrLf & strMACAddress


     ResultMsg = MsgBox(“Wakeup sent to the following MACs for ” & strComputer & vbCrLf & strWOLSent,64,strVersion)


End Sub

It is clear that the WOL.exe is started with the parameter strWOLAddress (which is the Macaddress without colons (:)).

WOL.exe doesn’t support entering the VLAN broadcastaddress so I searched for another exe-file that was able to do that. I found an alternative mc-wol.exe which was able to handle the broadcastaddress. More information about mc-wol.exe:

First of all I copied mc-wol.exe to the folder C:\Program Files\SCCMConsoleExtensions where all the rest of the scripts, exe-files,… are located. This will make sure the new exe can be used from the Configuration Manager console.

Next thing to do was getting the subnet from the specific resource from Configuration Manager. That was rather easy because the Wake On LAN sub in SCCMAction.vbs contains the functionality to retrieve information from Configuration Manager. Just adding the intelligence to retrieve the IP address did the trick. Afterwards splitting the IP address and replacing the last part with 255 (eg. IP: –>

Final thing to do is building up the new commandline using mc-wol.exe instead of the default wol.exe.


Sub WakeOnLAN

    On Error Resume Next

     Set objSMSWMIService = GetObject(“winmgmts:{impersonationLevel=impersonate}!\\” & strSiteServer & “\” & strNameSpace)

    Set colMACAddress = objSMSWMIService.ExecQuery(“SELECT * FROM SMS_G_System_NETWORK_ADAPTER_CONFIGURATION WHERE ResourceID='” & strResourceID & “‘ AND IPAddress IS NOT NULL”)

    For Each instance in colMACAddress

        strMACAddress = instance.MACAddress

strIPAddress = instance.IPAddress(0)

strIPSplit = split (strIPAddress,”.”)

strIP = strIPSplit(0) & “.” & strIPSplit(1) & “.” & strIPSplit(2) & “.255”

       WshShell.Run chr(34) & strCurrentPath & “mc-wol.exe” & chr(34) & ” ” & strMACAddress & ” /a ” & strIP

        strWOLSent = strWOLSent & vbCrLf & strMACAddress


     ResultMsg = MsgBox(“Wakeup sent to the following MACs for ” & strComputer & vbCrLf & strWOLSent,64,strVersion)


End Sub


Save the new SCCMAction.vbs and try again.

Now the VLAN broadcast address will be targeted and the computer will be able to perform Wake On LAN.

Hope this helps.



CM2012 Role Based Administration: Computer Import Manager

October 25, 2012

Hi there,

At a customer where I went a few weeks ago there was a need of an extra Configuration Manager 2012 role which only had the rights to import computers. It struck me that there was no default role provided which provided the necessary rights.

This security role would then be assigned to someone who would import the computers to run OSD.

This is the way I’ve done it.

– First of all I imported the Computer Import Manager role under the form of an .XML file which can be found here. The .XML file can be downloaded at the bottom of that webpage.

– The default behavior of this role is to only allow computer import in the All Systems collection. If the OSD task sequences are targeted to other collections then the All Systems collections this behavior should be extended so the user is able to import computer to other collections. This is done by editing the newly created security role and under Collection add the Modify resource right like shown below. Click Apply and OK.

– When the console is now opened with a user that has this Computer Import Manager role associated, the console looks as follows:

When the same role also needs the rights to delete computers from collection , just add the additional right: Collection –> Delete Resources in the same way the previous rights were added.

After all modifications I’ve exported the Computer Import Manager security role so I can just reuse it at other customers when needed.

Hope this helps.