Discussion Points / FudgePop again

20160305_121835

So I had a nice discussion about this FudgePop thing, which is starting to sound like a marketing ploy.  But trust me, it’s only a project, nothing being marketed.  I’m not sure if I’ll add any more stuff to it unless I get really bored or some sort of revenue scheme hatches from it.  Again, that’s unlikely at this point.  As with CMWT, GPODoc, and CMBuild, these are just for fun and exercise.  I’m pretty sure some of you are tired of hearing about this thing with a childish name attached to it, and that’s fine. But keep in mind, the same could be said about the U.S. government, but I digress. 🙂

In case you can’t tell already, I’m slowly getting back to blogging after a brief hiatus.  I still don’t know where this is going to go, or for how long, etc.  One day at a time.

So, given that this is all open source and available on GitHub, here’s some thoughts for anyone feeling bored enough to fork or branch this for a future pull, or just to run off and get rich while I toil for table scraps, here’s some roadmap thoughts…

Mighta, Oughta, Woulda, Coulda, Shoulda…

Inventory

Inventory collection and reporting would be fairly simple to add.  I already built a proof-of-concept branch to collect data and upload it to a SQL database in Azure.  Anyone can do that.  What I would do differently is store a local copy of the payload with a checksum, maybe store the checksum and timestamp in the Registry, along with a timestamp of “LastInventoryUpload”.  Then subsequent inventory cycles would compare the new output checksum against that previous and only upload if the values are different.  Sound familiar?

Offline Mode

Rather than reading the control XML in real-time on each execution cycle, it could download the latest version to a local cache.  Then continue to enforce that on subsequent execution cycles if there are no available Internet connections.

Smaller Stuff

Other suggestions for possible consideration:

  • Download caching for either (or both) the Files and Win32 Apps control groups (fairly simple)
  • Manage local Group Policy for workgroup computers (ideas) (somewhat complex and limited, but promising)
  • Add, modify local user accounts (easy)

What it can do now

As of build 1.0.16, FudgePop can do the following on remote computers which are configured with the agent service:

  • Chocolatey Packages
    • Install, Update, Remove
  • Win32 Application Packages
    • Install, Uninstall
  •  Files
    • Copy, Move, Rename, Delete, Download
  • Folders
    • Create, Delete, Empty
  • Windows Services
    • Modify/Configure, Start, Stop, Restart
  • Registry
    • Create, Delete (keys, values)
  • Permissions (ACLs)
    • Files/Folders: Modify
    • Registry: Not implemented
  • PowerShell Modules
    • Install, Update
  • Shortcuts
    • Create, Delete
  • AppX Applications
    • Remove
  • Windows Update
    • Force Scan/Download/Installation
  • Inventory
    • Basic HTML reporting
  • Targeting
    • Device = comma-delimited list of device names (NetBIOS names)
    • Collection = arbitrary name which is then assigned a comma-delimited list of device names.
    • Enable = true/false (per setting or group, or per control file)
    • Central authority = deploy changes from central XML file, even redirect to new XML files without touching remote device by hand.
  • Ingredients
    • PowerShell and XML, and a sprinkle of cloud storage (to host control files)
  • Tools
    • Visual Studio Code, Notepad++, Paint.Net (for the spiffy icon)

The Future

Who knows.  I don’t even know what my 401-k is doing tomorrow.

Advertisements

My Favorite Things: 2017

My Favorite Tech Web Sites / Tools

My Favorite Tech Web Sites / Blogs

My Favorite Tech Web Sites / References

My Favorite Podcasts (iTunes, Google Play, PodCast Addict, etc.)

  • Freakonomics Radio
  • NPR Fresh Air
  • Malcolm Gladwell – Revisionist History
  • The Joe Rogan Experience
  • Invisibilia
  • 60 Minutes
  • The Tim Ferriss Show
  • Planet Money
  • Star Talk with Neil deGrasse Tyson

My Favorite Wife

  • My first and only wife: Kathy

My Favorite Children

  • Our four: Rachel, Sarah, Gabrielle and Zachary

My Favorite Cat

  • Oreo (our only cat)

My Favorite Dog

  • Dory and Emily (tied for first place)

My Favorite Drinks

  • Coffee
  • The Glenlivet
  • The Glenfiddich
  • A good Root Beer Float
  • Water

My Favorite Musicians / Bands (new to me only)

My Favorite Laptops

  • HP Elitebook 9470m Folio

My Favorite Pet Supply

My Favorite Tools

  • Snap-On
  • DeWalt

My Favorite Beers

  • Sam Adams Utopia
  • Dogfish Head 120, Palo Santo Maron, and Three Philosophers
  • St. Bernardus Abt. 12

My Favorite Wines

  • Merlot
  • Malbec
  • Pinot Noir
  • Tempranillo

This is a very VERY short list.  I could add much more.

Quick Rundown on FudgePop and why the Silly Name

The name comes from a wine-infused discussion around Chocolatey, which was around Nuget, which was around Brooklyn Brewery’s Black Chocolatey Stout, which was bout $9 per bottle.  This post however, was sponsored by half a bottle of Pinot Noir, by an unnamed winery somewhere in Wineville.  FudgePop itself was contrived from a casual “bet” over a bottle of Dogfish Head 120 IPA that it’s possible to use nothing but free tools and features included with Windows 10 to manage a “group” of such devices from a central location, regardless of where those other devices are located.

Btw, I just uploaded 1.0.16 to the PowerShell gallery

Installation

Install-Module FudgePop
Import-Module FudgePop

Note: .NET framework 3.5 is recommended for some Chocolatey packages.  FudgePop does not install .NET 3.5 by default.

Use the following to confirm/verify the latest version…

Get-Module

Once the module has been installed on each subsequent victim, er, I mean “device”, scaling out is just a matter of replicating the same steps as the previous device.  On domain-joined devices, you can use Group Policy to deploy it as well as via PowerShell deployment from Intune for devices joined to Azure AD Premium.  Workgroup computers require manual intervention (hands-on, remote connection, etc.)

Functions

New-FudgePopTemplate

Creates a new XML control file using the default (sample) provided with the module.  Other samples are posted on the project GitHub site.  Note that all settings are disabled by default, and filled in with sample/example information only.

New-FudgePopTemplate -OutputFile "c:\devtest\control.xml"

Install-FudgePop

Configures default options such as control file location, enable/disable recurring scheduled execution, and hourly interval between scheduled executions.

Install-FudgePop

Invoke-FudgePop

Executes the FudgePop agent.  If you configured it correctly, magical things happen before your drunken eyes.  If you goofed up the configuration, it forces you to watch The View until your eyeballs bleed.  That last feature is not yet enabled.  Note that this function is what is called by the RunFudgePop.bat script during each scheduled execution (if scheduled execution is enabled).

Invoke-FudgePop -TestMode -Verbose
Invoke-FudgePop -Verbose

Remove-FudgePop

Disables and uninstalls FudgePop from a client device.  It then applies 440 volts of taser current to your genitals until you reinstall it.  jk

Remove-FudgePop -Complete

Show-FudgePop

Displays information about current configuration, last runtime status and rectal thermometer temperature of your cat or dog.  That last feature is not yet enabled.

Show-FudgePop

Get-FudgePopInventory

Bonus, low-calorie, gluten-free, and totally vegan function to export basic inventory data from your meth-addicted Windows device.  It was a proof-of-concept to export a basic set of juicy and utterly useless data into an Azure SQL database so I could win a bet and enjoy a free sushi lunch.  The Azure SQL interface is planned for a future version, but will ultimately depend on user feedback (i.e. does anyone really want that capability?) and how badly I want more sushi.

Get-FudgePopInventory
Get-FudgePopInventory -Computer d001,d002,d003
Get-FudgePopInventory -FilePath "c:\reports\"
Get-FudgePopInventory -StyleSheet "c:\reports\custom.css"

Help

The markdown files were cranked out by a team of recovering caffeine addicts fresh from the Port Authority bus terminal.  Actually, they were cranked out with PlatyPs, which is pretty cool, and doesn’t come from the bus terminal.  You can find them in the “docs” folder beneath the module path (e.g. “c:\program files\WindowsPowerShell\Modules\fudgepop\1.0.16\docs”).

Use FudgePop in a Sentence

Hey man.  I just took a FudgePop on your mattress.”

Sample Scenario

You’re drunk.  But that’s not unusual with your day job as an airline pilot.  You staggered out of an airport terminal, and fell face-first into a random Uber vehicle with the doors open.  You wake up the next morning at your apartment, in a bathtub filled with ice, and a clear plastic aquarium tube attached to where your left kidney used to be.  You get up carefully, and drag the tube with you to the kitchen and make some fresh ramen with Srirachi sauce and a cup of coffee.  The entire time you keep thinking that of all his pranks, your roommate did a fantastic job of making these sutures look and feel authentic.

You grab your roommate’s laptop which has Windows 10 1709 installed, and you logon as a local administrator account and open a PowerShell console using “Run as Administrator”

You set the execution policy to Unrestricted, while staring at the PowerShell book with Don Jones’ picture on it, and say to yourself, “I know, this is very very bad, but I live on the edge baby.”

Set-ExecutionPolicy Unrestricted

You then use one finger on each hand to type:

Install-Module FudgePop

…and press Enter.

(example only. actual results may vary, depending upon your alcohol intake and criminal record)

Then, you can’t help it, but you hurl directly onto your cat, who returns the favor by urinating in your snow boots.  You use the cat to wipe your face off, and return back to the keyboard and type:

Import-Module FudgePop

…and press Enter.

After an IV drip of Death From Above coffee, and a Cat Shampoo enema, you type:

New-FudgePopTemplate -OutputFile wtfisthis.xml

…and make a new control XML file.  You edit it to suit your test environment (computer names, collection names, apps, etc.) and copy the XML file to your GitHub Gist.  You get the “raw” Gist URL and copy the address to your clipboard.

You make some breakfast from whatever isn’t fuzzy in the fridge and then go back to the keyboard, where you cat fell asleep, causing the letter “zzzzzz” to overflow the buffer and make a machine gun beep sound.  You realize that wasn’t Cat Shampoo, but Drano that your poured into the Cat Shampoo bottle because the Drano bottle leaked after you dropped while trying to light your vaporizer with a match.  You scoot the kitty off the keyboard, brush off the hair balls and type…

Install-FudgePop

You answer the prompts with one hand, choosing to enable the scheduled run option for 3 hour intervals, while the other hand is manipulating a pair of greasy chopsticks you found in the trashcan because you couldn’t find a fork, spoon, or plastic spork anywhere.

You look around for the mouse, but it’s gone.  After scouring the entire house/apartment, you find it buried in the kitty litter box.  You recover it, wipe it off on your pants and set it back on the desk and use it to poke around to see what all this FudgePop mess did to your roommate’s computer…

  • It created a registry hive under HKLM:Software\FudgePop
  • It created a PowerShell module folder under $env:PSModulePath
  • It created a Scheduled Task named “FudgePop Agent” under the root folder
  • It added $100 to your bank account (not really)

You go back to the PowerShell console, pause, look around for the cat, and think “what in the **** am I doing anyway?” and after 30 seconds of staring into space you remember that you were using your roommate’s laptop for an important experiment, and you continue on.

You type in…

Invoke-FudgePop -TestMode -Verbose

…so you can see everything it would have done if it weren’t using that stupid -TestMode switch.  It prompts you to trust some mysterious thing called an “untrusted repository”, but you’ve got 55 gallons of testosterone coursing through your veins, and no stupid sissy warnings are going to scare you off.  And besides, you can’t spell “untrusted” without the word “trust” so how could it be bad?  Just like your cousin who kept whining about putting that safety “on” when you were shooting at tin cans and you ignored him and shoot him in the foot.  Like that’s any excuse to use safety stuff.  Yeah.  But it’s okay, because FudgePop is only asking you to trust the PowerShell Gallery, so it can install some needed tools.

You toss back another glass of liquor, notice the cat staring at you, making you wonder if she spiked your glass with something special.  You ignore that feeling and type…

Invoke-FudgePop -Verbose

…just to see what it’s doing to diabolically reconfigure your roommate’s laptop into a tactical nuclear toilet flushing device.  Not really, but it’s likely that it’s creating a desktop shortcut for Internet Explorer, installed a bunch of Chocolatey packages like 7-Zip, Visual Studio Code, Office 365 ProPlus, and Putty, added some folders, files and registry keys, reconfigured some services, and installed a custom .MSI or .EXE from an on-premises server share (you know, the “Chris Hansen Kiddy Porn Undercover Arrest Me Kit 2015 Premium Edition.exe” with the important /S switch).

Everything looks great.

But, being that you don’t trust anyone who’s birth certificate says their name is really ‘skatterbrainz’ you decide to look under C:\Windows\Temp and find a “fudgepop.log” file and open it up.  Your skull falls in pieces on the floor due to the overload of retinal bombardment of verbosity and quantum-level granularity, and because you’re still hung over AF.  But that’s beside the point.  You make some tweaks to the control XML file, rub your hands together while nodding and grinning, laughing like a German lab scientist in a WWII movie, not realizing your cat is going to the bathroom on something else you value on the other side of the room.  You install FudgePop on another device and repeat the process.

You carefully tie that plastic kidney tube closed using the twisty-tie from the plastic bag you use for the litter box.

Later, your room mate returns, sees what you’ve done and pounds your face into the sofa and leaves.

I hope to return in 2018.  Until then: Happy New Year!

Rants about Configuration Manager and PowerShell

Note: Although I’m still on hiatus, I was reminded about a few blog posts sitting in my drafts queue that need to get posted before they get stale like me.  There may be a few more.  Until then – cheers!

How many times have you seen PowerShell code that looks similar to the following?

param (
  [parameter(Mandatory = $True, HelpMessage = "Site Server Name", ValueFromPipeline = $True)]
  [ValidateNotNullOrEmpty()]
  [string] $ServerName, 
  [parameter(Mandatory = $True, HelpMessage = "Site Code")]
  [ValidateNotNullOrEmpty()]
  [string] $SiteCode
)
Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -Verbose:$False

Notice how this is expecting the user to (manually) provide the name of the server, the site code, and so on?  What bothers me most about this is that these two pieces of information are easy to obtain directly from the local computer.  Even when running on a workstation or member server which is not a ConfigMgr site system, you can easily obtain the site server name and the site code.  So why ask a user to key this in manually?

I’ve blogged about this general topic a few times before, but I still see most snippets posted online today doing this exact same approach to setting up the most basic, albeit “core” aspects, on which the rest of the script depends.  Bad idea!  So 1990’s.

Think of this in alternate contextual forms:

  • We expect to drop AD computers and users into Organizational Units (OUs) to automate Group Policy management processes.
  • We expect to drop ConfigMgr resources into Collections to automate policy and content deployment processes.
  • We expect to place AD domain controllers into Sites to automate replication optimization processes.
  • We expect to place AD users into security groups to automate permissions inheritance processes.
  • So why don’t we expect our scripts to drop into execution environments and inherit and automate processes as well?

Reiterating one of the lectures from my CS days in college, “every program needs to start with stated assumptions“.  Other great bits of advice: “If it can be automated, then automate the shit out of it.”, and, “If you automate a broken process, you can only get an automated broken process.” (that was from a manager, not a professor, but still top of my list).  I could go on much longer, but maybe that would be best for an in-person discussion or speaking event.  God help you.

So, the questions should be:  what then are the expectations when executing a program (or script)?  I realize this is 100-level stuff right here, but so-often I see people dive into writing code before they pause to answer some basic questions about how it will be used.  The most basic questions should be…

Where will it be used?

When will it be used?

How will it be used?

and… Who, will use it?

Let’s define some base assumptions:

  • Where?  On the ConfigMgr site server (locally or via PSRemoting, WSMAN/Rexec/WinRS/PsExec, etc.)
  • When?  On demand, or via scheduled job
  • How?  PowerShell + ConfigMgr Admin Console framework
  • Who?  A user or process-owner account which has local Administrator rights

Assuming this is going to be invoked on a Central Administration Server (CAS) or Primary Site Server (PSS), we can also assume that the ConfigMgr admin console will be installed.  And along with that, it will have the PowerShell cmdlet library available as well.

In this scenario, we can easily obtain the name of the server, as well as the Configuration Manager site code.  There’s no need to ask a user to manually input this information, because, as we’ve seen many times, manual intervention causes cars to crash, trains to derail, and space shuttles to explode.  Humans are bad.

There are several ways to get the site server name (locally):

# environment
$ServerName = ($env:COMPUTERNAME+'.'+$env:USERDNSDOMAIN)

# WMI
$ServerName = Get-WmiObject -Class Win32_ComputerSystem | Foreach {$_.Name+'.'+$_.Domain}

# registry
$ServerName = (Get-Item -Path HKLM:SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName).GetValue('ComputerName')

You get the idea.  The easiest (and fastest) may be the environment variable option.  So, we can also use this to set a default value even when using input parameters…

param (
  [parameter(Mandatory = $False, HelpMessage = "Site Server Name", ValueFromPipeline = $True)]
  [ValidateNotNullOrEmpty()]
  [string] $ServerName = $($env:COMPUTERNAME+'.'+$env:USERDNSDOMAIN)
)
Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -Verbose:$False

We can also fetch the ConfigMgr Site Code using the Registry…

$SiteCode = (Get-Item -Path HKLM:\SOFTWARE\Microsoft\SMS\Identification).GetValue('Site Code')
$OldLoc = (Get-Location).Path
Set-Location "$($SiteCode):\" -Verbose:$False
...

So, that works fine when the assumption is that the script will be invoked directly on a ConfigMgr site server.

As a side note, there’s plenty of other useful information exposed in the Registry location HKLM:SOFTWARE\Microsoft\SMS

Going Remote

Now, let’s change the assumptions a bit.  Now the script will be invoked on a workstation, which is joined to the same AD domain as the ConfigMgr site.  Assuming the workstation is also a ConfigMgr client, and the desired Site Server is also the Management Point (MP) for this workstation, we can fetch the server name from the local machine as well, but it resides under the client Registry tree, rather than the site system Registry tree…

$mp = ((Get-Item -Path HKLM:SOFTWARE\Microsoft\CCMSetup).GetValue('LastValidMP') -split '//')[1]

Even if the MP is not the Primary we wish to connect to, we can use the MP information and perform additional queries against its Registry to “walk-up” the hierarchy to find the Primary we wish to connect with (if necessary).

Note: The actual value of “LastValidMP” is stored in URI format… example…

"http://cm01.contoso.com"

So if we split the string into a 2-element array on the instance of double slashes, we can then grab the index=1 value (2nd element), which is the FQDN of the MP.  You could also use .Substring() or .Replace() to manipulate the string in order to remove the http:// prefix.

$mp = (Get-Item -Path HKLM:SOFTWARE\Microsoft\CCMSetup).GetValue('LastValidMP')
$mp = $mp.Substring(7)
# or
$mp = $mp.Replace('http://', '') # or -replace 'http://', ''

So, now we have the ConfigMgr site server (again, assuming this is a small site and the MP is the primary), we can still fetch the site code either from the local client environment, or from the remote registry.  Either will work…

$SiteCode = (Get-Item -Path HKLM:SOFTWARE\Microsoft\CCM\CcmEval).GetValue('LastSiteCode')

You may be thinking (or saying aloud) right about now “so what? what can I do with this from a workstation?”  Well, if the ConfigMgr Admin console is installed, you have access to the same PowerShell module that is available on the site server.  So, if you intend to run your script locally on a workstation (or member server) which has the ConfigMgr Admin console installed, you can automate the site server name, and site code parts of your script very easily…

$mp = ((Get-Item -Path HKLM:SOFTWARE\Microsoft\CCMSetup).GetValue('LastValidMP') -split '//')[1]
$SiteCode = (Get-Item -Path HKLM:SOFTWARE\Microsoft\CCM\CcmEval).GetValue('LastSiteCode')
Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -Verbose:$False
$OldLoc = (Get-Location).Path
Set-Location "$($SiteCode):\" -Verbose:$False

Keep in mind that no matter where you execute your script code, it will only be able to access resources which are allowed for the user context under which it is running.  So, if you run the script under your own domain account, and that account has limited rights in ConfigMgr, it’s going to be limited in what it can do against the site system environment as well.  I know many of you will shake your heads when reading this, but it is very often overlooked.

Speaking of the ConfigMgr Registry (SMS) tree

Beneath the HKLM:SOFTWARE\Microsoft\SMS registry tree, there are plenty of other useful pieces of information.

  • Server
  • Full Version
  • Domain
  • Parent Site Code (useful for Secondary sites and CAS environments)
  • Parent Server (ditto)
  • Site Name
  • Installation Directory
  • DatabaseMachineName
  • DatabaseName

So, even if your script needs to make some database connections to SQL Server (ADO, etc.) you can fetch the site database server and site database name, to automate the connection setup and continue onward.

Okay, so now what?  Well, there’s more.  Another thing I see way too-often is reinventing the wheel.  And not just any wheel, but octagonal wheels.  Here’s a few examples, and corresponding suggestions to avoid unnecessary work:

  • Writing elaborate ACL manipulation code, or invoking a blob of .NET reflection mess.
  • Writing elaborate code to manipulate local user permisions, like “logon as a service”
    • Use the Carbon PowerShell module – done (thank you Rob!)
  • Writing elaborate code to query or manipulate SQL Server settings
    • Use dbatools or SQLServer PowerShell modules
    • You can configure server memory and recovery model settings this way also (example)
  • Writing elaborate code to check if script is being executed via “run as administrator”
  • Manually writing help documentation
    • Enforce consistent commenting
    • Use PlatyPs to generate markdown files automatically (thank you Kevin!)
  • And finally…

Some final bits of advice:  NEVER test your scripts on a live Configuration Manager environment.  If you don’t have a test environment, build one, and test everything there BEFORE introducing into the production environment.  Also, when you are testing scripts against Configuration Manager and/or SQL Server, always keep the Task Manager window open and watch the Performance tab closely.

Summary

Am I some sort of “expert” when it comes to PowerShell or Configuration Manager?  Only when I’m around people who can’t spell “computer” and they’re serving alcohol.   I’ve just spent too many years soaking up what others have shared.  You are free to disregard everything I’ve said.  In fact, in America, it’s expected. But that’s okay too.

Forking the Road

I know three people who will know immediately what the image above means, before reading any of this.  But I have a glass of Merlot staring me in the face, so I’m legally required to say more.

So, I’ve been blogging since 1842, but that was on Blogger, and it was coal-powered with stone fonts and wooden templates. Publishing articles meant pulling a cast iron handle, and waiting by the fireplace until someone invented a computer.  Then the punch cards were carefully placed on a horse wagon and taken to the steam-powered Internet.  Those were hard times indeed.

Seriously, I think I started blogging around 2004 or 2005, but I didn’t really stick with it until 2008. The Blogger era for me was a time while I transitioned from CAD programming, coffee spilling and shit-talking, into Microsoft infrastructure, coffee spilling and more shit-talking.

I had actually been wearing both hats for a few years prior, but officially it was around 2004 when I left CAD entirely. I wrote a few books on Autodesk things up until 2011 and a final rock through the windshield around 2015 and then I left it for good.  In 2014, I moved the blog to WordPress, for two reasons: Blogger wasn’t adding any new features or responding to feature requests (still true today), and WordPress just sounded like a cool name.  I also read a biography of Matt Mullenweg, and he sounded kind of cool, so I figured why not.

There were other blog attempts over the years, like The Code Mine, Scriptzilla and so on.  Every now and then someone will walk up to me and remind me about one I completely forgot.  Imagine what kids today will look back on when they’re in their 70’s or 80’s.  We had over-the-air TV, phone booths, smoking allowed everywhere, and real wall-mounted phones with cords.  Cars were made of steel, and the remains of drivers and passengers were hosed off after each accident and the car was like new again.

Anyhow, so, 2014.  That was three years ago. Soon to be four.  In dog years, that would be 21 years.  In computing time, it’s like 150 years.

It started as a means of self-induced mental therapy and venting.  I wanted to share my daily thoughts about things I encountered at work as an IT consultant (former employer at the time).  At times I had to adjust the timing to work around projects, travel, and so on, but I tried to make at least once per week minimum.  I pretty much kept that routine up until now.

I met with an attorney friend of mine, early on, to discuss the ramifications of my idea.  He listened intently, and said “although it will be impossible for you, I would strongly recommend you do it anonymously”.  He was right.  He’s pinged me a few times to remind me about keeping names, places and dates anonymous, and I’ve tried to do that.  “Don’t leak your real name.” he said once.  Ummmm.  Well, about that….

It’s been really fun at times, and I’ve received a lot of great email, tweets and so on.  I got to meet some really awesome people at conferences, like at TechEd 2011, 2012, and Ignite 2016 and 2017.  It’s also been interesting how many email messages I get where people mention other Twitter accounts and blogs that seem to be following the same genre of mixing humor with techno-babble.  That’s cool too, but I can’t take any credit for that.  I’m not that influential, nor do I wish to be.

Timeline-wise:

  • 2000 – shifting away from CAD to Microsoft
  • 2004 – changed job roles, turned 40, started blogging
  • 2006 – joined Facebook
  • 2007 – joined Twitter
  • 2008 – joined the unemployed (for a few months)
  • 2010 – back to consulting
  • 2013 – ugh…
  • 2014 – moved blog to WordPress
  • 2015 – turned 50, turned into a 7-Eleven soon after
  • 2015 – another job/career change
  • 2017 – lots of travel
  • 2018 – ____________

Another aspect to the blog and my Twitter account has been how it helped me recover from a very bad 2013-2014.  That was a period I hope to leave behind as a distant memory.  I’m happy to say that I haven’t had any more major issues since then, and my brain tumor has remained benign to this day, even though the annual MRI drains my bank by around $800.  So, if you own stock in any big medical insurance or pharmaceutical companies, you’re welcome.

Still, in spite of all those fun ambulance rides, and the giddiness of needle pokes, I got to blabber away about techy things and joke about goofy things people say and do, with an occasional detour into something serious, all of which helped get my mind back into a brighter place.

Along the way, I tried some wacky ideas, from interviews, to cartoons, to serial-projects, and goofball satires.  Some of it was well received, some not.

But now I think I need a break from it.

I’m not killing the blog or anything, at least not yet.  I just need to step away from it for a while and see how it plays out.  If I get a strong urge to write some more,  I’ll pour some gas in and start it back up.

My plan for now is to let this be the last blog post, for now, but not forever.  And continue on Twitter, but less intrusively.  I may engage with people a bit, but not as annoyingly (I hope).  Think of it as an early Christmas gift.  In any case, I would like to wish you all a very Merry Christmas, Happy Hannukah, Happy whatever religious or semi-religious event you observe, and a very Happy New Year.  Here’s to 2018 – may it be a good year for you and everyone you know.

Here’s some pics from 2014 to now.  Scattered through places and time, like me.  …

  

  

Random Stuff, Part 42

Between work, studying, tinkering and trying to have something close to being considered “a life”, I haven’t been blogging much lately.  And every time I get close to having that magical, mythical thing called “a life”, I have to travel.  I can’t complain, since it gives me new perspectives on “life”, which help me to feel like I have “a life”.

And speaking of travel, here’s a cheap diagrammatic view of how I roll (literally, since my suitcase does in fact have wheels)…

packing.png

This is just the backpack.  I also didn’t include tampons, whips, chains, hand grenades, latex gloves, surgical masks, or bags of unmarked pills.  Those tend to slow me down with TSA, and I’d rather they spend most of their time with their hands around my privates.  If I touch myself in public it looks unsettling, but when they do it for me, it’s professionalism at its best, and they love it when I smile during the procedure.

Speaking of TSA, I’ve found that the passive aggressive score follows the scale of the airport, at least in the U.S.  Meaning, the bigger the airport, the less humor they tolerate.  The friendliest bunch I’ve encountered would be Medford, Oregon (MFR), and the other end of the scale would be Boston (BOS).  I love Boston.  The TSA have a consistent and warm way of welcoming travelers to bean town with that glaring “I’ll stomp your face in if you make eye contact for more than 5 seconds!”

I’ve also been updating some PowerShell-related projects.  I have always maintained personal project time to keep my sanity.  It also makes my dog want my attention more.  She leaves me little gifts to express how much she misses my attention.  And at 95 lbs, the size of those gifts can almost clog the toilet.

Here’s a few examples of what too much caffeine, too much vlog watching, and access to PowerPoint will do to someone like me, a latent marketing student.  I’m just kidding, I would’ve gone into statistics as a “statistician” but it’s too difficult to pronounce after 3 or 4 beers, and the pay doesn’t come close to most IT related jobs.

fudgepop.pngFudgePop

 

cmhealthcheck.pngCMHealthCheck

gpodoc.pngGPODoc

cmbuild.pngCMBuild

They almost look professional.  And almost as if I know what I’m doing.  Cooked up with only a frying pan, a little butter, some chunks of PowerPoint and sprinkled with Paint.Net.  All four took a whopping hour to create.  The pencil was the most fun.  I highly recommend the shape tools (Boolean stuff, like Union, Subtract, etc.), you can spend hours immersed in that strange world, forgetting to shave and bathe too.

You can find the rest of this exciting stuff at https://www.powershellgallery.com/profiles/skatterbrainz/ – where I publish things I almost know how to do.  CMBuild is still in beta, so if you get really, really, reeeeeeally bored, and you have a lab environment in which to try things like this – feel free to post angry, hurtful, mocking and demoralizing comments and bug reports.  The more condescending the better. My doctor enjoys this too.  The visits for medication help his kids through another semester at medical school, and I don’t want to let him down.

Travel

I forgot to mention that MFR, while being a very small airport, also has some really nice artwork on the walls around baggage claim…

20171105_213501.jpg

Approaching Norfolk (ORF), the most dynamic and interesting place for underpaid IT professionals…

20171111_102616.jpg

Leaving San Fran (SFO).  The most dynamic and interesting place for well-paid IT professionals who can’t afford to live there…

20171110_193714.jpg

Getting ready to board my next flight.  I have the window seat just behind the wing…

20171110_204509_Burst01.jpg

Back in my office…

20170902_231019.jpg

Technical Stuff

In the past month, I’ve been dunked into projects involving a variety of different beatings, I mean challenges.

  • 2 involving MDT+Windows 10 with distributed/replicated MDT deployment shares.  One using DFS and the other using Nasuni, for the replication service.  Both worked out very well.
  • 2 involving Office 365 ProPlus.  One mixing C2R Office with MSI Visio and Project.  The other mixing C2R Office using O365/AzureAD licensing, with C2R Visio/Project using KMS licensing.  Neither was that difficult, but I did come away with a continued wonder and amazement at how something so simple (C2R deployments) could be left half-baked by Microsoft and nobody seems to care.
  • 3 involving Configuration Manager.  1 focused on SUP strategies for servers.  1 focused on being a crying shoulder for an overloaded admin and under-give-a-shit managers.  1 focused on replacing some horrific mess some other (independent) consultant attempted while in between binges of drinking and glue sniffing.

The rest of the time has been Azure, Intune, O365, PowerShell, PowerShell with Azure AD, PowerShell with Intune, PowerShell with System Center, System Center with PowerShell, PowerShell with PowerShell, and a little bit of PowerShell. I’d think by now I’d know something about PowerShell, but I’m not going to pat myself on the back just yet.

User Groups

Our geographic region seems to have very few IT-related user groups with regards to the population of professionals.  We do have a few, such as groups for Docker, SQL Server, .NET, Machine Learning/AI, and a few others.  So, I’ve been trying once again (third time) to get a Microsoft-related group off the ground.  And I’m happy to say it’s actually starting to get off the ground!  It’s called Hampton Roads Cloud Users Group.  “HRCloudGroup” on Slack, and Facebook.

For those not familiar with this interesting little area, it’s officially comprised of 7 cities in the southeastern corner of Virginia, at the North Carolina border.  Mouth of the Chesapeake Bay.  But the actual list of surround municipalities include Norfolk, Virginia Beach, Portsmouth, Chesapeake, Hampton, Newport News, Williamsburg, Yorktown, Suffolk, Surry, and Smithfield.  There’s also a large number of people who commute from North Carolina to jobs in this area, so it extends beyond Virginia.

Some call it “Tidewater”, which is a stupid name.  Some call it “Hampton Roads”, which is a less stupid name.  Some call it “that shitty place I hated being stationed at while in the Navy/Marines/Air Force/Army/Coast Guard/CIA/FBI/NSA/DEA/NATO…” eh, you get the idea.  I would venture to say it is the most militarized area of land in the United States, maybe in the world.  Every branch of military, intelligence, logistics, special operations, tactical operations, is located within a small enough radius to be a ridiculously appealing target for Russian satellites.  My house, is under the flight path between Little Creek JEB (SEAL team 6 or DEVGRU), Fort Story and Oceana NAS.  I can name the fighter jet, cargo plane, or helicopter models by sound alone. I just haven’t found a way to earn a living doing that yet.

Enough Rambo talk. Our group is still very small, at about a dozen members, with about 4 or 5 people attending the monthly meet-ups so far, we’ve been fortunate to get some very skilled, very creative members, so I couldn’t be happier.  I feel like my role is more of a facilitator than a leader.  The others have way more experience than I at this point, so I’m happy to just connect the wires and keep the engine running, and learn what I can along the way.  We’ve only had 2 meet-ups so far, but I’m optimistic.  Our next one is December 14, 2017 at 6pm.  If you live in the area, hit us up.

Miscellaneous

As if the entire blog post isn’t already “miscellaneous”.  Shit, my whole life is “miscellaneous” when I get down to it.  But who’s complaining? Okay, I do from time to time.  Anyhow, shotgun blast…

  • PlatyPS is cool.  Once you remember to actually put comments in the right places and import the module before running New-MarkdownHelp for fifth time and cursing at the monitor for not reading my my mind.
  • Carbon is still cool.  Even cooler.
  • The Tesla semi is freaking awesome.  The Roadster is obviously cool as well.  I can afford neither.
  • I had my first MSATA failure today.  A Lite On 256 GB card in my HP Elitebook.  RIP.  It was nice having you while you lasted.
  • Shout out to Whitner’s BBQ in Virginia Beach.  Still the best I’ve had anywhere I’ve traveled, and it’s right in my backyard.
  • Shout out to the group of kids who yelled across the busy street “I like your chocolate dog!!”  She loved it too.
  • I need fish food for the aquarium.  Off to the stores on a Saturday.  Wish me luck.

Chocolate dog.  Aka “Dory”

20171117_131721.jpg

Random Thoughts and Stuff

While packing for travel I was having a conversation around the “state of IT” with a friend. So I figured (A) it might be worth jotting down some of the key points, and (B) do it before I fly out, in case some underpaid mechanic forgets to tighten that one bolt that holds the engine onto the wing.  Actually, who am I kidding, that mechanic probably earns more than I do.  Anyhow…

this is rambling, so drink plenty of medication and smoke your wine before continuing.

(travel-packing sidenote: Oreo is 15 years old, and like most humans, used to hate my guts.  Eventually, as daughter number 3 moved out, and I became her sole source of attention and food, she has become my friend.  She follows me around all day.  Every time she sees my suitcase out the night before I travel, she does this.  I’ll need to go over that ball cap with a ball of tape in the morning.)

The Future of SCCM and MDT and EMS

This is admittedly a Microsoft-centric topic. The discussion mentioned above was about “how long” will SCCM and MDT be “of interest” to consumers?  Obviously, I do not own a real crystal ball.  I only have a Dollar Tree knock-off, and I don’t have access to real business data, therefore I rely upon what scientists often refer to as ‘shit talking‘.

I’ll admit, after day 1 at MS Ignite this year, I was feeling the angst.  For example, while riding the bus back from the conference center to the hotel, staring out the window, I kept thinking “why, why, why did I leave app-dev to move into this infrastructure rat race?!  wtf was I thinking?!” and “I hope my dog isn’t chewing up my last pair of flip flops right now.”  It really felt like the job market for anyone walking around a typical IT shop today, would be dried up to around 10% of that volume within 5 years.  And who really knows?  It could go in any direction.  I think everyone is in agreement that there is already a major tectonic shift in play, with traditional operations moving into software-defined operations.  The thought of learning things like JSON, Git, VSTS, on top of PowerShell and Azure, is adding wrinkles to quite a few faces I see.

The mere mention of “new certs” is probably having a measurable effect on the sales of alcohol, tobacco and firearms, which should keep these guys employed for a long time.  For many I’ve known over the years, the feeling is like being shoved onto a rollercoaster by your drunk buddies, against your will, and now you’re approaching the top of the first peak in the run.

After 3 more days, and soaking up session content, food, beer, and more importantly: engaging vendors in deep discussions out on the expo floor, my initial expectations of SCCM/MDT doom were relaxed quite a bit.  Mainly out of realizing the following points:

  • The majority of imaging work I see being done at most mid-sized and large customers is refresh of existing hardware.  The mix of new vs. reuse is cyclical at most larger shops, due to budget cycles and SLA’s about hardware refresh programs.  So at various times in a given year, there’s more new imaging, but for the remainder of the year it seems to be more refresh/reuse.
  • Most of the (above) people I’ve spoken with are very interested in AutoPilot, but quite a few hadn’t yet been allowed access to the preview at the time I spoke with them (I think most are now seeing it in their portals)
  • In-place upgrades are still a minority (far too low in my opinion)
  • The description of “automatic redeployment” got their attention, but most are still tied to the comfort of a “clean wipe and load” for various reasons.
  • Ultimately: Regardless of what anyone says, things which “work” have a very VERY tough time dying in the IT world.  Hence why so many machines still run XP.  I’d also wager my tombstone that Windows 7 will easy to find running on machines in 2027.  That’s because I’m planning to be cremated on a Walmart grill.  But that’s beside the point.

The weeks after Ignite I’ve made it a point to casually interview my customers to get a feel for where they see the biggest and most immediate changes coming.  It’s a delicate thing to ask, since it can easily smell like a sales pitch.  Sales pitches have a distinct odor that is often confused with bus station toilets or dead cows laying in the sun.  However, most of them are well aware of my dislike for sales people in general (some of my friends are in sales, so there are exceptions).

  • The biggest hurdles they have today are keeping up with device models and drivers, patching, moving to some new system for IT operations (ticketing, change mgt, etc.), and endless training of each new-hire who is replacing three who just left.  See what I did there?
  • The single biggest complaint about imaging in general revolves around drivers.
  • There’s still quite a bit of frustration and confusion I hear around Intune capabilities.  Some is related to Intune agent vs. agentless, management; Some is around app deployment capabilities; Some is inventory reporting.

Windows 10

I still spend way too much time explaining Windows 10 servicing models and the naming convention.  They were just starting to grasp CB, and CBB, but now “Semi-Annual” and “Semi-Annual Targeted” are leaving them in one of two modes: pissed off or chuckling.  The most common response I hear from the former is around the constant renaming of things in general.  “Active, Live, Visual, and now CBB, then Semi Annual Targeted, WUS, then WSUS”, and so on.  Their words, not mine.

I’m always surprised to find so many shops still heavily invested in MDT and doing very well with it.  The other interesting thing is that the majority of them assume they’re doing everything wrong and are panicked when I arrive that I’ll redline their papers.  In fact, most of them are doing very well.  They’ve read the blogs, the tweets, bought the books, watched the videos, done the TechNet labs, and so on.  A few have been lucky enough to attend training and/or conferences as well, but that’s a very small percentage.

The pace at which organizations are getting their Windows 10 rollouts moving is gaining speed and volume.  However, the Office aspect has thrown a wrench into quite a few (see below)

Office

This reminded me of a discussion I had at Ignite with the Office team on the expo floor.  It was around the issue of third-party extensions (add-ons) for Office, and how many are produced by small shops which do not stay current with Office versions.  The result I’ve continued to see is a fair amount of shops who can’t upgrade Office until the third-party vendor puts out an update or a new version.  Then there’s the cost factor (is it free or not?).  In many of those cases, the hold-up triggered the IT department to wait on other projects such as Windows 10.

The number of Access applications interfering with Office upgrades has dropped significantly for me in the past 3 years.  Not just the projects I’m working on, but also from reports I get from other engineers and customers.  That’s a good thing.

Controls vs. Controls

I’m still seeing a continued reliance on inefficient control mechanisms with regards to device and user configuration management.  Way too much effort put into the imaging side, and not enough on the environment side.  Way too much on the “nice to have” side, vs. the “gotta have” side.  Not enough attention is being paid to ‘baseline’ and ‘continuous’ control models, and when to use which one, and how best to apply tools for each.  For example, hours and hours spent on wallpaper, shortcuts, and folders in the imaging process, being manually adjusted with each update cycle, rather than letting Group Policy Preferences step in and mop that shit up with one hand.

I’ve had fairly good results convincing customers to drop the continuous meddling with reference images, instead, (at least trying to)…

  • Change the data storage process to keep users from storing anything valuable on their device
  • Remove as many non-critical configuration controls as possible
  • Move continuous controls to the environment (GPO)
  • Move baseline controls to the environment wherever possible (GPP)
  • Move remaining baseline controls to task sequence steps

There are obviously exceptions that require mucking with the install.wim to make a new .wim, but I’m finding that’s only REALLY necessary in a small percentage of the time.  The vast majority of controls I see are voluntary and serve little functional or operational benefit.  Things like hiding Edge, Forcing IE, hiding Cortana, forcing Start Menu and Taskbar items, etc.  Just educate users to avoid them.  Treat them like adults and who knows, maybe they’ll stop urinating on your office chair.  Try it and see.  The worst you’ll get is whining (you get that anyway), but the best (and most likely) outcome is less work for you and less risk of something breaking.

Role and Salary Compression

It not only continues to thrive, it seems to be accelerating its pace.  Almost every customer I meet tells me how they’re expected to do more with fewer people, less training, less budget, and shorter time constraints.  Most haven’t had a significant raise in a long time.  This seems more prevalent at companies which are publicly-traded than those which are not, but it affects both.  Personally, I see a correlation with public organizations and cost reduction priorities over innovation and revenue increase.  Then again, I have no formal training in such matters, so again, I’m probably talking shit.  Again.

Intune

Speaking of Intune.  I’ve been spending more time with it this past week, along with Azure AD, and AzureADPreview powershell module.  I’ve always like the concept of what Intune and EMS are aimed at. The mechanics are still frustrating to me however.  There are plenty of design quirks that drive me batshit crazy.  Like devices / all devices vs. Azure AD devices, and the differences in how provisioning an app for iOS or Android and Windows, from the Windows Store no less.  As Ricky Bobby would say, “it’s mind-bottling”.

Then again, I’m not at all a fan of the “blade” UI paradigm.  The Blade model is (in my humble, semi-professional, almost coherent opinion) marginally efficient for direct touchscreen use, but for mouse and keyboard it blows chunks of post-Chipotle residuals.  I’m sure that will infuriate some of you.  But that’s just how I feel.  Drop-down menus, panels, heck, even ribbons, are more efficient in terms of hand and finger interaction (mouse, touchpad) for operations involving closely related tasks (settings, options, etc.)  Ask yourself if moving ConfigMgr to a blade UI would make it better?  Or Office?  If you think so, try switching to another brand of model glue.

Back to Intune.  I would really look forward to seeing it mature.  Especially in areas like agent vs. agentless device management (it’s very confusing right now, and the differences are weird), AutoPilot, Redeployment/Reset, and expanding the features for deploying applications, remote management (TeamViewer, etc.), and GPO-to-MDM migration.  I’m thinking Windows desktops and laptops of course (if you hadn’t already figured that out).  Phones are great, but nobody, who isn’t masochistic, is going to write a major app using their phone most of the time.  Auto-correct and latent-rich touch screen typing, would cause most PowerShell, C# or Ruby code writers to massage their head with a running chainsaw.

I think I digressed a bit.  sorry about that.

Other Stuff

I’ve spent some after-hours time keeping my brain occupied with scripting and app-dev projects.  I’ve been doing Windows 10, Windows Server 2016, MDT and SCCM lab builds and demos for months, along with real implementation projects, and starting to burn out on it all.  I needed a break, so I’ve managed to get a few things done and few in the pipeline:

I ran across a couple of (seem to be) abandoned Git projects focused on DSC for building ConfigMgr sites, but none of them appear to be factored into a template construct.  Meaning?  That they’re still built on specific parameters, or require extensive customization for various roles, configurations, environments.  I’m still poking at them and forked one to see what I can make it do.  In the meantime, I’m moving ahead with CM_BUILD and CM_SITECONFIG being merged into a new CMBuild PowerShell module.  So far so good.  And when that’s done, I’ll go back to see what I can in that regard with DSC and applying that towards Azure VM extensions.

I’ve come to realize that there’s 4 basic types of southern dialect in America:  Fast, Slow, Twangy and Crooked Jaw.  Think about it, and you’ll see that’s true.

The shortest distance between two points is often the most expensive.

If you never fail, you’re not trying hard enough.

If you fail most of the time, you’re probably in the wrong career path.

I’m on travel next week.  Expect more of the same stupid tweets about mundane stuff.  If you tire of me, unfollow me.  I don’t mind.  It’s just Twitter after all.  I will do my best to keep my camera ready for anything interesting.  I need to watch some air crash documentaries now, to get my mind relaxed for tomorrow.