Add a password to task sequence ConfigMgr #rdproud

May 19, 2015



Say you want to add a password to a task sequence ?

Yes, you can do that starting from PXE but not starting from the OS (out-of-the-box) so let’s modify.

First create a simple posh Script ,

# Script can be used in order to ask a password in SCCM task sequence

# Requries vPassword to be created in TS , if input equals then vContinue will be set to OK


# Gino D’hoker


# 4/05/2015

$password = Read-host “Please enter the password.” -AsSecureString

# Prompt for input

$password = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))

$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

If ($password -eq $tsenv.Value(“vPassword”))





This will ask for input, check if the answer is identical to a ts variable called vPassword and then set a variable called vContinue to OK.

Now let’s create the ts, you’ll need the MDT package for Serviceui.exe in order to allow interaction with the ts


Step 1 will only be applied if not in WinPE


Now use the mdt package and perform a custom action for asking input


Because we’ll use the same ts from PXE and from OS we’ll need to set the vContinue to OK if started from PXE



And now just continue the rest of the ts only of the vContinue is OK


So what does this look like ? Step 1 you receive the default warning


Step 2 the script asks for the password.


If incorrect it will not perform the reinstallation.

P.S I know the dos box isn’t state of the art, I’ll check into the Powershell forms the next time to get a more fancy request for input

The rest you know.


Gino D


Rename and set password for local admin using configmgr #rdproud

May 19, 2015



As you all know 🙂 -> Modification of local user password no longer possible using preference. When did this happen ?

You can find additional info here

Solution could be to reuse a sccm task sequence in order to rename the local admin and set the password.

We will use a task sequence variable as the password that should be applied.

We’ll create a powershell script.

# Change_passwords.ps1



# Author = Gino D’hoker


# Will be used in SCCM task sequence for renaming and setting password of local admin

# requires task sequence variable named vPassword with the required password



# Version 1.0

$computerName = $env:COMPUTERNAME

$computer = [ADSI] “WinNT://$computerName,Computer”

foreach ( $childObject in $computer.Children ) {

# Skip objects that are not users.

if ( $childObject.Class -ne “User” ) {



$type = “System.Security.Principal.SecurityIdentifier”


$childObjectSID = new-object $type($childObject.objectSid[0],0)


if ( $childObjectSID.Value.EndsWith(“-500”) ) {

“Local Administrator account name: $($childObject.Name[0])”

“Local Administrator account SID: $($childObjectSID.Value)”

$username = $($childObject.Name[0])




$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

$strPassword = $tsenv.Value(“vPassword”)

$user = [ADSI]”WinNT://./$username”




Now create a task sequence in order to deploy the task.

First create the required variable


Second run a posh script


Now deploy in on a scheduled base


And you have a worthy replacement of your preference !



Gino D

Config Manager Powershell 2012 R2 CU2

September 1, 2014



Recently tried to perform a fairly simple action in config manager : create a new DP and modify the required parameters. Since this would be done during SCCM Server OSD we decided to go for an orchestrator runbook using powershell. Sounds good.


However … we had some issues.


First if you attempt to run the config manager cmdlets on a machine where the console is installed you’ll notice that the new-cmsiteserversystem crashes the powershell, other commands work fine ( remote )


Hey no problem … you can use remote powershell to connect to the pss and run the script from there.


Issue 1 : enter-pssession refuses to find the psd1 file


The script refuses to load the required psd1 if we use a enter-session. We had to use a scriptblock for the execution.


Issue 2 : The script will not enter the required cm site. Drive not found exception.



Solution :


Import the required digital cert or run the cm powershell once from the pss with the correct user.




Issue 3 : We sometimes recieve a warning : The self signed certificate could not be created succesfully.



This happens during the addition of the DP role. The reason is that a specific temporary folder under the user profile does not exist so the solution is to log on to the PSS with the required user and perform the same action once in order to make sure the required folder exists.


Issue 4 : From time to time we randomly recieve an access denied error . ( without credssp )


When this happens we see the following in the powershell event viewer on the PSS.




Solution : Use the credssp parameter in order to allow double hopping. See for additional info. However as soon as we added this parameter we arrive at issue 5.


Issue 5 : powershell crashes while using new-cmsiteserversystem with credssp


So if we add the credssp parameter then we see that the remote session is in a broken state because the powershell.exe crashes when we use new-cmsiteserversystem for a non-existing site server.




If you run the cmdlet on an existing object you’ll notice that you recieve an “object allready exists” but the powershell.exe does not crash.




Bottom line : if you connect to the pss , open the cm console and run a config manager powershell prompt and execute a new-cmsiteserversystem the powershell.exe will also crash. Locally on the server.






We noticed that this issue is proper to the installation of CU2 before we did not experience this behavior.


A bug has been filed using microsoft connect for this issue. Will keep you posted.


This is the script we were using :


$ErrorActionPreference = “Stop”
$pw = convertto-securestring -AsPlainText -Force -String “xxx”
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist “xxx”,$pw
write-host “================= Starting remote ps-session ========================”
$s= new-pssession -computer server1.domain.local -name PSSSession -credential $cred -ConfigurationName Microsoft.Powershell32 -Authentication CredSSP   

$Scriptblock = {
write-host $env:COMPUTERNAME
$SCCMAdminConsolePath = Split-Path -parent $ENV:SMS_ADMIN_UI_PATH
write-host $SCCMAdminConsolePath
Import-Module “$SCCMAdminConsolePath\ConfigurationManager.psd1”
Set-location ps1:
write-host “================= Creating New site server ========================”
New-CMSiteSystemServer -ServerName “server1.domain.local” -SiteCode PS1
write-host “================= Creating new distribution point server ========================”
Add-CMDistributionPoint -SiteSystemServerName “server1.domain.local” -SiteCode “PS1” -InstallInternetServer -CertificateExpirationTimeUtc “2112/11/26 17:45:00” -MinimumFreeSpaceMB “50”
write-host “================= Adding server to boundary ========================”
Set-CMDistributionPoint -SiteCode “PS1” -SiteSystemServerName server1.domain.local  -AddBoundaryGroupName “Group1” -AllowFallbackForContent 0
write-host “================= Adding server to distribution point group ========================”
Add-CMDistributionPointToGroup -DistributionPointName server1.domain.local -DistributionPointGroupName “All Distribution Points”
write-host “================= Running scriptblock ========================”
Invoke-Command -Session $s -ScriptBlock $Scriptblock
Remove-PSSession $s

$errmsg = $Error[0]


if ($errmsg)
write-host $errmsg




UPDATE : FIX released by MS , install on Site server and consoles

Run Powershell script from software package

October 1, 2012


It might be really handy to run a Powershell script on your clients for doing a broad range of tasks.

In the past, vbscript was used to perform these tasks but considering to use powershell for the same tasks might be interesting

The big advantage of using Powershell is that it’s been built on top of .NET which means that it utilizes the base classes and is capable of interacting with some applications that cannot be manipulated using vbscript. Powershell also supports a wide range of cmdlets that facilitate tasks that might be difficult to perform when using vbscript.

Running a Powershell script using a package + program within SCCM 2007 ( or Configuration Manager 2012) can be done following the steps below:

  1. Create a package which contains the script you want to run eg. myscript.ps1
  2. Create a program for that package that sets the ExecutionPolicy of Powershell to unrestricted. This can be done by using this commandline: “powershell set-ExecutionPolicy Unrestricted -force” (without quotes)

  1. Create another program which runs the script that contains all the actions that need to be done on the client machines. In this example the command line should be: “powershell .\myscript.ps1” (again without the quotes). Be sure to add the “.\”-part because it doesn’t seem to run without that.

  1. Create a last program which sets the Executionpolicy back to restricted (or remotesigned) by using the commandline: “powershell set-ExecutionPolicy Restricted -force”  (once again without the quotes)

Now link the 3 programs together by using the “Run program first” checkbox from the program wizard in SCCM as follows:

  • Program mentioned at 4. has a run program first which points to the program mentioned at 3.
  • Program mentioned at 3. has a run program first which points to the program mentioned at 2.

As a final step create an advertisement (or deployment in ConfigMgr 2012) which uses the program mentioned at 4. and target all devices needed.

This should do the trick.

I can imagine there are other ways of achieving the same, feel free to comment with your opinion about this.

If you find this post useful, please consider buying me a virtual beer with a bitcoin donation: 3QhpQ5z5hbPXXRS8x6R5RagWVrRQ5mDEZ1



EDIT: Running a Powershell script should also be possible by using the following commandline as a program: “Powershell.exe -ExecutionPolicy Bypass -file .\myscript.ps1” (without quotes). This is a lot easier then using the 3 programs mentioned above, I’ll try and test this as soon as possible and get the result back at you guys.

EDIT2: the method of using “Powershell.exe -executionpolicy Bypass -file .\myscript.ps1” seems to work.

Import computers in ConfigMgr database

September 24, 2012

Hi there,

This is a script that we’ve developed to easily import computers in the SCCM database. The script can be run from any device that is able to launch the underlying WMI queries at the SCCM 2007 / Configuration Manager 2012 server.

In a GUI the user can input all the information that is needed to import a computer.

You can clearly see the site code at the top of the GUI. The script also lists all available collections that are present in SCCM. The user can choose from these collections to add a computer.

Now the computername and MAC-address can be entered. Also the collection where the computer must be imported can be selected (by default the computer will only be imported into the All Systems collection). After entering all the information the Import button must be pushed and then you should see output similar like this.

You can see that the computer is successfully imported in the Deploy Windows 7 ENT x64 collection.

You can also import a computer with a computer variable, so the computer is immediately ready for deployment depending on this variable. Just fill in the name of the variable and the value. Be sure to doublecheck the spelling of the name and value because otherwise additional editing will be needed afterwards.

On this screenshot you can see that the computer (TESTPC_002) is imported in the Deploy Windows 7 ENT x86 collection with a computer variable DEPARTMENT with value IT. This can be checked afterwards in the SCCM console.

If you have an opinion about this script or you have questions about how we made it, feel free to put a comment here.

For code samples you can also place a comment



PS: We are working on a script that imports the computer both in the ConfigMgr database and the MDT database (with selection of appropriate roles). This is quite handy in a situation where the MDT integration (with database) has been setup. More news on that later.

Limit incident status to user groups in #servicemanager

September 18, 2012


This week I had an interesting demand by one of our clients. They had a custom incident workflow with custom incident status fields ( like example status1, status2, … ).

They wanted to have a set of 3 user groups to be able to set a specific status :
Example :

Group1 can set Status from Active -> Open

Group2 can set Status from <All> -> Closed

Group3 can set Status from Resolved -> Closed

You understand where I’am going to. Now apparently this was not possible out-of-the-box. Let’s go through the steps :

  1. Create a powershell script that can be used to set the correct status and contain the logic required for the status changes.

    I created this script as an example. The script will set the status if the current incident to “Active” only if the previous state was “Closed”. If another previous status was found that the script will not reset the status. Now this is just an example that can certainly be extended.

    The script look like this :


    import-module smlets

    $PropertyHash = @{“Status” = $Status}

    $class = get-scsmclass -name system.workitem.incident$

    $Selection = Get-SCSMObject -Class $class -Filter “ID -eq $id”

    # Add conditions to status

    If ( $Status -eq “Active” -AND $Selection.Status -match “Closed” ) {

    $Selection | Set-SCSMObject -PropertyHashtable $PropertyHash

    write-host “Status set to $Status” }

    else { write-host “Status change to Active only allowed From Closed State” }

    Now let’s go through the script.

    The script performs the following actions :

    Define 2 parameters : the required status and the Incident ID.

    Import the module for using the service manager cmdlets.

    Get the classname for the incident class.

    Get the service manager incident object that has the ID of the selected record.

    Add if clause : If the required status is “Active” and the previous Status is “Closed” then the incident can be reset the Active. If not a message is logged and nog changes are created.

    You can test the script manually in order to verify the correct functioning. Just add a state and use an existing incident ID. Attention ! This is the ID in the form of IDXXX not the internal ID ( GUID ) of the workitem.
    Okay Step 2.

  2. Create and additional task in order to run the script to set the correct status.

Add a task that performs the following actions :

The task will perform the following command:


With the following parameters :

-file “c:\program files\sc\scripts\sc_status.ps1” “Active” + the property for the ID of the incident.

Just use the insert property button for the id.

Okay last step.

  1. Create a custom user role

    Now just add an additional user role ( incident resolvers ) and limit the actions that the user role can access. Just remove the traditional buttons :

  • Change incident status
  • Resolve
  • Close

    And add access to the newly created task.

    Add a user and test.

    It’s looks like this :
    The user only has access to the custom task in order to set the status of an incident. If the incident status is not “Closed” and the Set to Active button is executed then nothing happens.

    The output is saved as comment in the incident. This can be changed during the creation of the task.

    Now if the incident has a status “Closed” the set to active will run.


Auto close resolved incidents

May 31, 2012


Trackback to the previous version of SM. Let’s auto close resolved incidents after 2 days using a custom MP in service manager 2010 SP1. Been there , done that but it is a requested feature by a lot of clients so here we go …

You will need the the service manager authoring tool and the Smlets powershell scripts. You can find them here

First create an MP with a powershell script.

Run at scheduled time

Choose desired schedule

Add Powershell script to the workflow

Set the script body. Here we used a 5 minute interval for testing. ( d.hh:mm:ss )

get-scsmincident -status resolved -inactivefor 2.00:00:00 | set-scsmincident -status closed -comment “Auto Closed”

Add snapin Smlets as snapin

Copy the created .dll to the system center 2012 installation directory

Create public / private key pair as described in

Seal the MP

Import the MP and test …

At first however the worklfow failed.

Solution is to modify the script to import-module smlets and remove it from the GUI

Then success