Z-Nerd

Pause a Task Sequence Without the Task Sequence Debugger

Thu, 21 Jan 2021 00:00:00 +0000

Introduction Do you ever have an idea so phenomenally bad that you just had to see it through just to see the disaster? I’m talking like Electrified Water levels of bad. Yes… that is a real thing from the early 1900s. And look, I’m not here to judge anyone or any particular time period (we’ve made our fair share of big mistakes in the new millennium). What I am here to do is take you on a journey of an idea I just couldn’t let go of.

Co-Management Workloads - What Do They Mean To Me: Windows Update Policies

Fri, 31 Jul 2020 00:00:00 +0000

Introduction This is part two in my series on “Co-Management Workloads – What Do They Mean to Me?” I have no apologies for it taking six weeks to get back to this series, because we have a new baby boy at home! We welcomed our third child into the world on June 30th and we couldn’t be happier. Now that things are getting into a bit of a routine, it’s time for me to pick this back up.

(G)UI++ Is Now In Alpha!

Tue, 21 Jul 2020 00:00:00 +0000

I promised to release a big tool this year, and this is it! I’m not going to go into much detail here in this post - I’m saving that for the beta release. If you want to blindly download a utility from me with no description, you can download the latest alpha release from my GitHub repo for (G)UI++ here: https://github.com/theznerd/GUIpp/releases, or you can keep reading for the basic detail.

Co-Management Workloads - What Do They Mean To Me: Compliance Policies

Wed, 17 Jun 2020 00:00:00 +0000

Introduction Co-management. What is it? What is it not? While there are plenty of blog posts on the how-to of enabling and moving workloads, I wanted to share my own journey of wrapping my brain around the ins-and-outs of the different co-management workloads and what they mean for administrators. I’ll be honest that when I first heard about “moving workloads to Intune” my first thought was “why would I cripple my ConfigMgr client by moving a workload like client applications to full time Intune?

[PODCAST] ConfigMgr Technical Preview 2005

Sun, 07 Jun 2020 00:00:00 +0000

[PODCAST] ConfigMgr Technical Preview 2004

Wed, 13 May 2020 00:00:00 +0000

Bye, Bye, Android Device Administrator

Tue, 21 Apr 2020 00:00:00 +0000

Introduction This is somewhat old news, but Google is sunsetting Android Device Administrator. It shouldn’t come as any surprise because frankly Android Enterprise is 1000x better. Since Google is removing support for the platform, Microsoft will only (at least as of the time of writing this) support device administrator through the end of Summer 2020. If you’ve still got device administrator devices in your environment, it’s time to talk about migration and mitigation strategies.

[PODCAST] ConfigMgr Technical Preview 2002.2/2003

Tue, 07 Apr 2020 00:00:00 +0000

ConfigMgr Deep Dives: Revisiting Binary Differential Replication

Tue, 31 Mar 2020 00:00:00 +0000

Introduction First off I’m going to apologize for the length of this post. Over 1/3 of it covers RDC in detail, so you can skip that block if you’re not interested in the nitty gritty. Secondly, there are some things I have had to make assumptions on for how ConfigMgr handles some of the “nitty gritty” details since they are not documented (as far as I know). I have called out these specific sections in the blog post so that you know I have had to make some educated guesses (by educated I mean that I came to the conclusions after testing theories in my lab).

Script Snippets: Run 64-Bit PowerShell as Intune Win32 App Install Script

Tue, 31 Mar 2020 00:00:00 +0000

Introduction Let me set the stage here. Let’s say you have a Win32 app you want to deploy, but you need to do some configuration as part of the install that the installer cannot natively handle - such as registry changes or file copies. In ConfigMgr, you might write a wrapper script in your favorite language to run the installer and then do that post configuration. You install it and everything is right in the world.

[PODCAST] ConfigMgr Technical Preview 2002

Wed, 26 Feb 2020 00:00:00 +0000

[PODCAST] ConfigMgr Technical Preview 2001/2001.2

Wed, 12 Feb 2020 00:00:00 +0000

Building PowerApps for ConfigMgr - The Frugal Way (Part 1)

Tue, 28 Jan 2020 00:00:00 +0000

Introduction There is no doubt that I am an insanely frugal person when it comes to some things. Why pay for French’s Yellow Mustard when Kroger brand is literally the same product? Why buy two-ply toilet paper when single-ply is all you need?! (Just kidding… Ultra-ply for life). The same holds true for my license purchases. If I can make something work without a subscription, or with a cheaper subscription, why would I pay for the more expensive subscription?

ConfigMgr Deep Dives: Single Instance Storage

Sun, 12 Jan 2020 00:00:00 +0000

Introduction One of the things that I have not spent a great deal of time on in my career is diving deeper into the things that I take for granted in ConfigMgr. I’ve certainly done a couple of investigatory deep dives before, such as my investigation into the new cumulative update architecture, but I feel like I could do more. So, I figured a fantastic way to encourage myself to do more of these is to start blogging them.

2020 Vision

Sat, 04 Jan 2020 00:00:00 +0000

Introduction First off, let’s get this out of the way. 2020 Vision. 2019 was an awesome year for me. I was able to take a more active role in the community with a few speaking engagements, more blogging, leading MEMUG, and helping launch SysManSquad with Adam Gross and Jake Shackelford. With more involvement in the community, I’ve also become a bit victim to my tendency to rush through things. I’ll say that with two kiddos and a third on the way, finding time to do community things can be a difficult venture outside of my 9-5 and other responsibilities (like band leading our worship team at Grace Chapel).

Working with the AdminService - Reading Data

Fri, 06 Dec 2019 00:00:00 +0000

I have to say, the ConfigMgr team has done a truly phenomenal job of implementing a nice REST API to read data. If you’ve talked with me about the AdminService (or Adam Gross) you’ll know that there is SO much value here. For me, the possibility of creating Power Apps on the Power Platform with this data (and the associated methods) is going to be a game changer. So I know you’re itching to get to work - let’s start with the basics.

[OLD INCORRECT POST] Securing Access to the ConfigMgr AdminService Over Cloud Management Gateway

Tue, 03 Dec 2019 00:00:00 +0000

NOTE: THIS POST HAS SOME GLARING ERRORS. I am keeping it for posterity, but please note that the correct post is available here I’m going to start this post off with a disclaimer - I’m still not fully happy with this solution. I would like to rely on RBAC controls within ConfigMgr to handle access to the AdminService through Cloud Management Gateway, but I have yet to discover a method to do so.

Securing Access to the ConfigMgr AdminService Over Cloud Management Gateway

Tue, 03 Dec 2019 00:00:00 +0000

NOTE: A previous version of this post had enough glaring errors that I have chosen to rewrite it. It’s not often I hit the post button faster than my error checking and research, but I am alas, only human. Thank you to Yinghua (Sandy) Zeng for correcting me, and doing so in such a polite way. I would not have been upset had she done so publicly, but out of respect she chose to do it privately.

Free Utility - PeerCache Explorer

Fri, 01 Nov 2019 00:00:00 +0000

I hate taking these hiatuses, but this one has been for good cause! I’ve been working on a few different projects (in and out of work), but this one I’ve been dying to share with you all. The PeerCache Explorer! Ever since PeerCache has become more popular with my clients, the more times I’ve run into them having issues with it. Not because of anything wrong with PeerCaching itself, but because of bad packaging practices carried over from legacy packagers.

PowerShell Presentation Framework - Part 5 (Responsive GUIs)

Tue, 03 Sep 2019 00:00:00 +0000

Now that we have a good handle on creating non-smelly layouts let’s talk about something equally important - user experience or UX for short. Consider the following experience that I’m sure we’ve all experienced at least one time: You find yourself running an application, let’s say Microsoft Outlook (bear with me, I know Outlook never crashes, but this is just an example) and you go to perform something that has the potential to take a long time or a lot of resources… searching your 8 years worth of saved emails (every lawyer reading this just shuddered at the thought of all that legal hold) for a particular email.

WaaS Upgrade Complete Mobile/SMS Notification

Thu, 15 Aug 2019 00:00:00 +0000

I’m always impressed with the vast availability of Windows as a Service (WaaS) community solutions and tools. The way our community shares solutions without expecting anything in return is just great and in my opinion a major reason why we can all be so successful. Especially as we push our users harder with more frequent updates and upgrades. My new mantra is “Happy Users, Happy Admins.” While we can be successful in getting devices upgraded without regard for the users it will be a miserable existence for us as admins.

PowerShell Presentation Framework - Part 4 (Good Layout Hygiene)

Thu, 30 May 2019 00:00:00 +0000

It’s been three posts since we’ve showered, and our XAML is starting to smell a bit. It’s time to practice some good hygiene. Thus far we’ve just dragged elements into our window and resized by hand. For the most part that has worked, up until we ran our last example. Our loon didn’t expand to the entire window and left some gross white space on the right side we need to scrub off.

PowerShell Presentation Framework - Part 3 (Media Resources)

Wed, 29 May 2019 00:00:00 +0000

Alrighty, so now we know how to create a window and make a button do something. What about media like images and sounds? In C# you might embed the resource (image/sound) directly in your executable and reference it via an internal path reference. In PowerShell though, short of converting the file to a base-64 value there isn’t a really good way to store file content directly in your script. Nor should there be.

PowerShell Presentation Framework - Part 2 (Wiring Controls)

Tue, 28 May 2019 00:00:00 +0000

Today we’ll kick off Part 2 of the series on building WPF GUIs with the PowerShell Presentation Framework. We’re still in the beginning phases of our GUI building learning, so things will still be simple. I hope you kept a copy of your XAML from last time (the one where we created a label and a button). If you didn’t - here’s a solution you can launch in Visual Studio that has everything we need for today.

PowerShell Presentation Framework - Part 1

Mon, 27 May 2019 00:00:00 +0000

A special thanks to Stephen Owen (FoxDeploy) and by proxy Boe Prox (Learn PowerShell) for the inspiration behind this script. I know that Stephen has his own version of a script like this and I won’t claim that this is any better - just a “different” approach. Here are a few of the differences: In this script XAML is split out into separate files rather than loaded into the script directly.

Let's Encrypt Cloud Management Gateway

Mon, 20 May 2019 00:00:00 +0000

I’m cheap. Like seriously cheap. So when I wanted to go test Cloud Management Gateway (CMG) with eHTTPS and a public cert I knew I would already be in for some money from my MSDN subscription to run the CMG/CDP instance. Yes, yes, I know… a one year cert from most providers is about $20-30. But seriously - did I already mention I’m cheap? The thought immediately crossed my mind - I already use Let’s Encrypt for my website, I should be able to use it for CMG/CDP right?

PERSONAL: Living with Anxiety...

Sat, 11 May 2019 00:00:00 +0000

TRIGGER WARNING: I know that talking about anxiety can be a trigger for some. Just know that I might touch on some of those things that trigger you or me. Taking a detour from my normal content here to get a bit personal. Last week was MMS and boy howdy did I have a good time! So many people I got to talk to who I’ve previously only talked with online and I had a great time giving back to the community.

Preparing to Repair. Setting up a Windows Repair Source

Mon, 29 Apr 2019 00:00:00 +0000

Well, we’re T-7 days from MMSMOA - I’ve been radio silent for a number of weeks for this exact reason. One of the presentations I’ll be giving surrounds the new cumulative updates that started in Windows 10 version 1809 (you can read about it here). One of the things that I talked about in that post is what to do if you block access to Windows Update in your environment. The answer is to create a Windows Repair Source (WRS).

Death to Express Updates

Thu, 24 Jan 2019 00:00:00 +0000

R.I.P. Express Updates - November 13, 2018. Placed on life support to be turned off at the end of support for 1803. TL;DR: You won’t be seeing express updates or delta updates for 1809. Celebrate and rejoice. The release of 1809 Microsoft has brought a change to how they package and deploy the monthly quality updates (cumulative updates) for Windows 10 (versions 1809 and later only). This change will reduce the file size of the current cumulative update process significantly saving you a bunch of network bandwidth.

Managing Lightswitches and -bAnd Practice

Tue, 15 Jan 2019 00:00:00 +0000

Let’s paint a picture, and since I’m no Bob Ross it’s paint by numbers time. More specifically let’s talk about binary numbers. This post assumes you have a basic understanding of the binary numbering system (or base 2). If you’re not familiar you should read this. Back to the picture - it’s all lightswitches. A load of them. So we want a way to represent the status of all of these lightswitches and easily look up a value.

Peer Cache Source Lifecycle Automation

Thu, 20 Dec 2018 00:00:00 +0000

For those of you looking for the latest release of the script… it is always available here: https://github.com/theznerd/Optimize-PeerCacheSources Microsoft recently had a great post on “how they do IT” - and more specifically how they are using Peer Cache in their environment. You can read their post here. There is a lot of good information in that post - seriously, if you haven’t read it, take a minute to look over what they’re doing.

Peer Cache Tips and Tricks

Thu, 13 Dec 2018 00:00:00 +0000

It’s been a bit of time since my last post due to working on a rather large migration project. As part of this project we’re looking to utilize peer to peer content sharing features like BranchCache and Peer Cache since the client has numerous remote locations that are too small to warrant their own distribution point but also have limited bandwidth so we can’t have every client reaching out to the distribution point at the same time.

Fix WPF in 1809 WinPE - Temporary Workaround

Mon, 08 Oct 2018 00:00:00 +0000

Had a client reach out to me last week after installing the new Windows 10 ADK and the Windows PE addon. A script that I had created for them to assign machine names, OU location, and time zones ceased to function. It would open for about 2-3 seconds and then immediately close, causing the task sequence to fail due to the exit code from PowerShell. I spent a bit of time troubleshooting the issue with him and isolated it to the following error:

Let's Learn EM+S: Privileged Identity Management for Azure AD

Thu, 27 Sep 2018 00:00:00 +0000

I’ve worked in some interesting environments. By “interesting” I mean everyone had the keys to the kingdom. Every IT person on staff had domain admin privileges. Yeah. Let that sink in. Of course I’m not alone in my experience at that environment - I’ve heard numerous other stories like this. Remediation is always “planned” but since the policies have been in place for so long, there are a lot of steps that need to be taken to make sure that the necessary access isn’t lost.

Let's Learn EM+S: Multi-Factor Authentication (MFA) - Cloud

Sat, 22 Sep 2018 00:00:00 +0000

Continuing the series on EM+S it’s time to take a look at Multi-Factor Authentication or MFA for short, because now that we have some online services (AAD portal) it would be wise to protect them. Phishing attacks have become more popular than ever because frankly it’s really easy to trick end users (yes, you are an end user too) into clicking on things and entering their passwords without a second thought.

Exceeding the 10 Parameter Limit for PowerShell Scripts in ConfigMgr

Thu, 09 Aug 2018 00:00:00 +0000

I honestly haven’t played around too much with the scripting features built into ConfigMgr - probably makes me a terrible consultant, but oh well. A fellow ConfigMgr blogger @gwblok however has had the chance to play around with them, and find the limitations inherent to any massively scalable system. The official response from the ConfigMgr development team makes a lot of sense. When you give someone unlimited resources they will abuse them and it tends to lead to bad things happening.

System Reserved Space and Windows Updates

Tue, 07 Aug 2018 00:00:00 +0000

I recently worked with a client who had an issue with deploying updates to one specific model of machine. Using the same image on any other hardware updates worked just fine, but for this line of workstations it did not. Of course where we all thought the issue might reside is with a bad driver, but when they couldn’t isolate the issue they called me in to take a look.

Let's Learn EM+S: Azure Active Directory Continued

Wed, 01 Aug 2018 00:00:00 +0000

We’ll continue our Let’s Learn EM+S series with some more configuration of our Azure AD environment. Login to your Azure portal with an account with Global Administrator rights and we’ll get started. Today we’re going to look at the following items: Configuring a custom domain name Synchronizing on-prem AD with Azure AD Self-Service Password Reset (SSPR) Company Branding If you don’t have a custom domain name, and/or you don’t have a lab domain to test against - most of this post will probably not be applicable to you.

Let's Learn EM+S: Getting Started With Azure Active Directory

Tue, 31 Jul 2018 00:00:00 +0000

For those of you who are familiar with Azure Active Directory, probably none of what is in this post will surprise you or be of interest. I’m also not going to guarantee that what I write in here are “best” or even “recommended” practices. The goal behind these posts is to at least introduce those who have an interest in EM+S to some of the processes and procedures to get it set up and how to use it.

Making MSIX Packages from MSIs

Sat, 28 Jul 2018 00:00:00 +0000

If you’re unfamiliar with Microsoft’s new application packaging format, I suggest you take a look at this breakout session from Microsoft Build this year: Channel9 - Build - BRK2432. It is about an hour long (before Q&A), but there is a lot of good information in there. Or rather, if you’re pressed for time, here’s the tl;dr: In the traditional Win32 app model, you basically had full trust of the operating system.

Making a Custom MOF with an Embedded Script

Mon, 23 Jul 2018 00:00:00 +0000

WMI is awesome. So much good data is contained in such an easily accessible “database”. Hard drive information, software installs, printer information, services, man oh man there is so much data available to you. Sometimes however, you just have to have more. If you’re interested in the guts (poor Mr. Creosote) instead of the details, you can skip ahead by clicking here This was the case when I needed to build a ConfigMgr report/query that would get the current status of the TPM (including IsEnabled, IsActivated, and IsOwned).

Let's Learn EM+S: Setup Your 90 Day Trial

Sun, 22 Jul 2018 00:00:00 +0000

There’s a lot in the Enterprise Mobility and Security Suite (EM+S) from Microsoft. A lot. I mean just look at this list. It’s also ever evolving. Microsoft in recent years has been very committed to bringing new products and features to the EM+S suite as is evidenced in its name change from Enterprise Mobility Suite (EMS) to the Enterprise Mobility and Security Suite (EM+S). So this series is dedicated to teaching you components of the EM+S suite from beginning to end.

PowerShell Credential Manager

Thu, 25 Jan 2018 00:00:00 +0000

First off, let me state for the record that I know that this probably has its security flaws. For one, any time you have reversible encryption your data is only secure as the key that was used to encrypt the data. Secondly, I’m not a security guy by trade - I do my best to understand and secure where I can, but security is an artform I have just not mastered.

Collection Relationship Viewer

Wed, 03 Jan 2018 00:00:00 +0000

I recently had a client who had collections nested deep via limiting collections and various include/exclude relationships. This is absolutely fine… organize your collection structure how you see fit; I wouldn’t say there is a right way to do it. There is however a concern when you start to nest collections too deep and it becomes hard to figure out how the chain of updating works. Depending on how you organize the collections in ConfigMgr can make finding the limiting collections a bit difficult when you just want to check details like membership rules and update schedule.

The One About Collection Refresh

Wed, 03 Jan 2018 00:00:00 +0000

I’ve seen my fair share of organizaitonal structures when it comes to collections. Some involve creating collections for specific functions (e.g. Power Settings, Deployments, Client Settings) and all split by some sort of logical grouping (OS, Server vs. Workstation, etc) - others have been pretty basic (just OS and groups). Whatever your structure involves, there is nearly always one goal that everyone has with their collections: getting the correct devices or users into the collection as fast as humanly computerly(?

INCORRECT - Binary Differential Replication and Automatic Deployment Rules

Thu, 05 Oct 2017 00:00:00 +0000

2020-01-04: Note that this post has some incorrect information. If you have come across this page you likely found it from a link. There will be an updated version of this post coming in the future. When this new post is released a link will be placed here in this comment. This post will mainly cover Automatic Deployment Rules, but honestly this applies to any package that uses Binary Differential Replication.

New Job, New Site!

Mon, 11 Sep 2017 00:00:00 +0000

Well, goodbye corporate and hello consulting! I’ve decided that I just can’t settle down at one place and would rather help as many people as I can explore the opportunities available to them through Microsoft System Center products. As of September 29th I will begin as a Senior Lead Consultant at Catapult Systems. With that announcement out of the way, I figured now would be a good time to spend some late nights revamping the site (since my schedule will afford me less time to do this going forward).

Hijacking the Task Sequence for Monitoring and Alerting

Tue, 16 May 2017 00:00:00 +0000

I’ve spent the better part of the last two evenings working on this - and I’m honestly not 100% satisfied but I’ve made some excellent progress thus far that I’ve decided to share. Monitoring a task sequence to me has been a rather manual process - either I get notified by a support tech that a task sequence failed or I happen to see a failure in the monitoring tab of SCCM.

Task Sequence Variable Series: _SMSTSLastActionSucceeded (BONUS: Task Sequence E-Mail Notification Script)

Sun, 14 May 2017 00:00:00 +0000

Conference time! MMS is upon us and it seems conferences and vacations are the only time I get some respite from the busyness of working on our Windows 10 deployment to do a little blogging. While I’m here I’ll be working on a series of posts regarding built-in variables for task sequences and how they might be of benefit to you (or how I use them in my environment). I didn’t even consider submitting a topic for MMS this year, but maybe next year I’ll take the collective learning I invest in built-in task sequence variables and propose a topic. As an aside - if you’re here at MMS and want to chat, hit me up - my schedule is available on Sched if you link up with my Twitter or LinkedIn and link your account to Sched.

Now onto business. The variable we’ll be taking a look at today is _SMSTSLastActionSucceeded. And just as the name implies it reports on whether or not the last action in the task sequence succeeded. Nothing much more to it. From TechNet :

The variable is set to true if the last action succeeded and to false if the last action failed. If the last action was skipped because the step was disabled or the associated condition evaluated to false, this variable is not reset, which means it still holds the value for the previous action.

Read on for how we use this in our environment.

GPOs? Screw it, We’ll do it Live… (Part IV)

Sat, 24 Dec 2016 00:00:00 +0000

We’ve thus far installed and configured AGPM, created our first policy, and at the same time walked ourselves through the approval flow built into AGPM. What happens when we have existing policies though? I’m assuming that if you’re reading this you’re not building GPOs from the ground up (if you are, kudos for implementing good practices up front). This post will cover a few different things:

GPOs? Screw it, We'll do it Live... (Part III)

Thu, 22 Dec 2016 00:00:00 +0000

In the second part of this series, we walked through the initial considerations, installation, and configuration of the AGPM Server and the AGPM Client (which if I didn’t make it clear before - the client is ONLY required on the machines that will be managing controlled group policies) - in this post we’ll actually put all of that work to “good” use and create some policies. We’re going to do this two separate ways:

the hard way (following the full approval process)

and the easy way (when you’re the judge, jury, and executioner of your GPOs)

GPOs? Screw it, We'll do it Live... (Part II)

Wed, 21 Dec 2016 00:00:00 +0000

After taking over a year long hiatus on this series (can I even call it a series if there was only one post?), I got a gentle reminder that I should finish what I started (thanks for the reminder @markraldridge). So when we last talked about this we had a brief top-level overview of how AGPM functions and a promise that the next post would cover installation of AGPM and creating/deploying your first controlled policy.

Tales from the Script: SCCM Collection Migration and Empty Limiting Collection

Mon, 19 Dec 2016 00:00:00 +0000

We took the opportunity during our SCCM migration (2012r2 to 1610) to clean up a lot of the “junk” that had accumulated in our environment. Instead of using the migration wizard the goal was to use the export/import features selectively to get us to a “clean” environment going forward. This for the most part worked really well - application deployment types obviously had to have new content locations set, packages had to have updated content locations, and the task sequences had to have the package/application references updated as well.

One thing that didn’t work so well - or at least wouldn’t have saved a bunch of time without some custom scripting - was the Device and User collections export and import. The main problem that we ran into is Limiting Collections are not maintained (with the exception of collections limited to built-in collections) regardless of the order in which the collections were re-imported. This was because the MOF file that is created for export includes the reference to the old collection ID, so when the collection is re-imported SCCM just assumes you want the same limiting collection. In a similar vein (and another problem that I’ll address in a future post) is that anything other than queries is also referenced by SCCM Object ID - which means that direct memberships and include/exclude collections are not maintained either.

So, we had a couple options at this point - after importing all of the collections we could go through and manually update all of the collections (the “safe” but time consuming venture) - or we could script up and have PowerShell do all of the heavy lifting. This is where things get really interesting though…

Running LAPS Around Desktop Security (Part 3 - GPOs and Testing)

Wed, 23 Nov 2016 00:00:00 +0000

Now we reach the final stretch - the domain configuration is complete, we’ve installed the client side extensions on our workstations or servers, now they just need a policy that tells the CSE what to do!

If you missed the first part of this series you can find it HERE, and the second part is HERE - otherwise continue reading on for the Group Policy configuration and testing of the console.

Lenovo BIOS to UEFI Conversion During Task Sequence (SecureBoot and Virtualization Technology Too)

Fri, 28 Oct 2016 00:00:00 +0000

As we plan for our migration from Windows 7 to Windows 10 as an organization we know that we want to take advantage of Credential Guard and Device Guard in our new OS. ConfigMgr, we also know that this requires us to make a few configuration changes to our workstation “BIOS” configuration - namely converting from BIOS to UEFI, enabling SecureBoot, and enabling the virtualization technologies. Our organization has about 2300 workstations, and at least 1800 of them are physical devices spread over 50 sites including international offices - this is definitely not something that we want to handle manually.

SCCM and "Failed" Drives

Thu, 13 Oct 2016 00:00:00 +0000

First a little disclaimer… you should be backing up your data. If you’re not, stop reading and go work out a backup strategy.

We recently had an issue where our primary SCCM site server failed to boot after updates were applied to it. As it turned out, for whatever reason one of the secondary drives for the VM had been corrupted and we had to detach it from the VM to run a repair on the VHD. This drive happened to contain not only the entirety of our packaging efforts (source files, scripts, etc), but also was the default and only content storage location for our primary site DP role.

What we didn’t know - and what I’m sharing with you today - is now painfully obvious to me but slipped me by at the time. When we detached the drive from the VM and booted SCCM to reattach it and run repairs, the SCCM core components had already started up and didn’t see it’s content storage location. So after we repaired the drive when we expected everything to start working again (namely distributions from the DP) we were surprised when it refused to deliver anything that we didn’t refresh.

Don’t Let The Word SERVER Scare You… (Part IV: Building Our Server 2016 Template)

Thu, 06 Oct 2016 00:00:00 +0000

In case you missed it - in the last round we built up our first VM and configured a basic router - I’m not going to promise that this blog post will be any shorter, but here’s to hoping that it will be!

This post will focus mainly on installation and configuration of the “Desktop Experience” for Server 2016 - hear me out when I say that I’m a BIG proponent of PowerShell and honestly I believe that CLI and the “Core” or even “Nano” installations of Windows Server will be the future. With that in mind - I will be including the commands that you would use to perform the steps we are performing today in a “Core” installation as I think it’s important for you to know them (by the way - core installs considerably faster… so it’s got that going for it too). ConfigMgr, for the sake of pretty pictures, I’ll be demonstrating everything from the “Desktop Experience” installation.

All the pretty pictures! So if you’re ready to press on - let’s do this thing and install Server 2016!

Don’t Let The Word SERVER Scare You… (Part III: Configuring XenServer and Building Our First VM)

Wed, 05 Oct 2016 00:00:00 +0000

Well it’s been awhile since I released a blog post - aside from me sneakily re-releasing part two of this series (to change install to XenServer instead of ESXi for no other reason than I wanted to try something new). Much has happened (SCCM 16xx, Server 2016, Windows 10 Anniversary Update), but especially after attending Microsoft Ignite 2016 in Atlanta and talking to other desktop analysts and engineers I’ve decided that this series is just too important to pass up. It’s time to face your fears and build your own lab - including AD, DNS, DHCP, you name it. For most of you it’s probably not a fear - for some of you maybe you just don’t care - but I think it will become increasingly important to our jobs as the lines between desktop and server become blurred.

Look - for those of you who are afraid “servers are just too far out of your league” I’ve got news for you: they’re not. If you can build and configure a desktop OS, I promise you that you can understand servers. You may not be an expert in the technology, but just having a basic understanding of some of the underlying technologies that allow you to “network” inside your company will help you communicate with your server team that much better. Okay - I’ll step off the soapbox now.

Don’t Let The Word SERVER Scare You… (Part II: Why You Should Have A Lab, And How To Build One)

Sat, 01 Oct 2016 00:00:00 +0000

This is part two of a series on facing your fears regarding servers - part 1 is available here.

How many of you have a lab at work? Probably a decent amount of you, but not an overwhelming majority. I find it that most companies don’t have the available resources to give the desktop people their own labs, or if you’re one of the lucky ones you’re using it to build test VMs of your desktop image.

Now, who among you have a lab at home?

That’s what I thought. Okay, all joking aside I know that many of us don’t see the value of a home lab, but I’m going to try and change your mind about that this week.

The Problem with Mixed OS Environments, the SCCM Application Model, and User Collection Based Deployments

Wed, 09 Mar 2016 00:00:00 +0000

UPDATE: I have sent my feedback to Microsoft - if you agree with me would you be willing to send a vote or three my way? https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/12873717-add-options-to-deployment-type-application-model Let me paint a picture for you. You have a mixed environment in SCCM 2012 of server and desktop operating systems. You also choose to utilize user security groups as a way to manage applications that are only deployed to certain users (from now on we will call these Level 2 applications).

Removing Quick Action Tiles from the Action Center in Windows 10

Thu, 03 Mar 2016 00:00:00 +0000

This is gonna be a short-but-sweet post. You know those Quick Action tiles in the Action Center? These “tiles” can actually be removed - and to some degree customized as well (although I’m still working on a reliable way to create my own before I share those secrets). The list of tiles available to the Windows 10 Action Center is populated by this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ActionCenter\Quick Actions\All Obviously before making changes to your registry make a good backup.

Running LAPS Around Desktop Security (Part 2 - Workstation Configuration)

Tue, 02 Feb 2016 00:00:00 +0000

So we pick up where we left off last time; the domain configuration is complete, so we’ve just finished our warm-ups now it’s time to get to the starting line (I’m not even sure if I’m using the right sports analogy here).

If you missed the first part of this series you can find it here - otherwise continue reading on to installation of the client side extensions for the workstations.

Running LAPS Around Desktop Security (Part 1 - AD Configuation)

Mon, 01 Feb 2016 00:00:00 +0000

Let’s face it - some probably all of us were managing our local Administrator password via Group Policy (or maybe you’re not managing your password at all… tsk tsk). This was great until Microsoft published the location of the keys used for encrypting that data and had to disable the ability to store passwords in Group Policy since they were no longer “secure”. Crap. Now if you’re in an environment with more than say, 10 machines, you don’t want to go around updating the admin password on every machine, every time you need to change it.

Free Stuff... Group2CSV - A utility to generate CSVs from AD groups...

Fri, 07 Aug 2015 00:00:00 +0000

Well, it has been quite some time since I last posted - sorry! I have been working on getting my BizSpark approval so that I can start writing more solutions without having to test them in my production environment. As of a couple of weeks ago, I got my approval! Microsoft is hooking me up with an MSDN license, Azure credits, and more - for free - for the next three years!

Checking User Access to a Webpage with PowerShell... Don't Fear The .NET Class

Thu, 02 Jul 2015 00:00:00 +0000

UPDATE: I’ve included some analogies in the “Doing Stuff With Our Class Object” section to hopefully make what is being done a little more clear.

We recently came across an issue in our environment with an application that has permissions manually defined on the server rather than through security group. Normally, we’d just brush it off and allow the team managing the application to continue to do things the hard way, but this time we had a direct need to know who had access and who didn’t. Honestly, it’s probably more an issue with how the application is configured than the team managing it, but I digress.

This particular application has an Outlook add-in that is not quiet when it cannot connect to the server, and since it’s a base image application we need to be able to disable the add-in for users who don’t have access to the application. Previously we did it using a process we called “Outlook First Run” - it was run during the provisioning of a user account on a laptop to setup a number of different things (signature, DMS integration, etc). The process worked, but relied on seeing the “error” dialog pop up and then disabling the add-on for the next run. For some reason, this proved to be an issue in our Remote Desktop environment.

Enter PowerShell. Microsoft’s best gift to SysAdmins since VBScript.

PoSH Uninstaller - The Utility You Didn't Know You Wanted...

Fri, 26 Jun 2015 00:00:00 +0000

Do you keep your environment free of rogue installs? I know we try at my company with a well maintained application list, but try as we might we somehow end up with 10 different versions of (INSERT APPLICATION HERE). This can make remediation for upgrades a pain when the installer doesn’t gracefully upgrade.

There are quick commands to do removals utilizing WMIC, you could just run every potential uninstaller available for the product, or maybe you’re lucky enough to have an uninstaller built specifically for all versions of that application (we thank you Adobe, for the flashplayeruninstaller.exe that you have graciously bestowed upon us). ConfigMgr, when you don’t have a super duper uninstaller, when you’ve decided that WMIC might be too unreliable for your tastes, or when you don’t want to list out every potential uninstall command… enter the PoSH Uninstaller.

Who Cares About Users? (Part II: User Interaction in SCCM)

Wed, 24 Jun 2015 00:00:00 +0000

This is part 2 of a series on user experience. Click here for Part 1

I know. I know. User interaction is typically a big no no when it comes to deployments. The less the user knows, the less opportunity there is for something to happen that you didn’t see in testing. It’s the reason tools like SCCM were created in the first place! In a perfect world we would be able to do our job without interacting with the user aside from friendly water cooler banter about how the local sportsball team won the big game.

GPOs? Screw it, We'll do it Live... (Part I)

Tue, 23 Jun 2015 00:00:00 +0000

Is there a better way to manage settings across thousands of machines at one time with the click of a button? I don’t think so. ConfigMgr, when it comes to testing out group policies you can be very limited. Few options exist to recreate the environment that the actual group policies would be applied: For those of us lucky enough to have Microsoft’s Desktop Optimization Pack (MDOP), there is a better way to manage these policies.

Who Cares About Users? (Part I: Introduction)

Thu, 11 Jun 2015 00:00:00 +0000

Admit it, all of us in the IT world who would love to just be able to press a button and deploy software without affecting the end user experience. Unfortunately we all know that updates/deployments can be intrusive especially when a reboot is involved; and as you and I both know, the end user’s perception of IT directly relates to how well we are able to stay out of their way. As one of my favorite quotes from Futurama says: “When you do things right, people won’t be sure you’ve done anything at all.”

There are a number of different approaches to staying out of the users’ way while still keeping the our environment up and running smoothly. Some of these include:

Don't Let The Word SERVER Scare You... (Part I: Introduction)

Sat, 06 Jun 2015 00:00:00 +0000

Fellow desktop guys and gals - I know that the word “server” can illicit the faint obnoxious smell of an air of superiority. Server/network peeps were the untouchables of the IT world - they made a lot of money, they had an insane knowledge base on a specialized topic (AD, Exchange, Networking, etc), and most of all they were better than you; or at least that is what they thought.

I Absolutely, Positively, Most Certainly, Cannot Reboot At This Moment

Fri, 05 Jun 2015 00:00:00 +0000

Have you ever received this frantic call before? So, I know you gave me two hours to reboot, but I am in the middle of an important (INSERT EXCUSE HERE) and I cannot reboot at this moment. Is there something you can do to stop it? When it comes to SCCM reboots, the standard response is “I’m sorry, we can’t delay the reboot any further.” In my industry (Legal) ConfigMgr, there are certain users who we must accommodate immediately lest we bear the repercussions later.