This is extracted from a real, actual conversation from this past week.  Names have been obfuscated to avoid being litigated and imprisonated, er, something like that.  Anyhow, grab your popcorn and enjoy!

Customer: “What are the new Dev and Test environments going to look like?”

Architect: “They will look exactly like the production environment, except that the domain names will end with ‘.dev’ and ‘.test’.”

Customer: “But how will it be configured?”

Architect: “Exactly the same as the production environment, except that the domain names will end with ‘.dev’ and ‘.test’.”

Customer: “Do you have an architectural diagram for each, so I can get a better idea of how they’re going to be configured?”

Architect: “Did you receive the design document for the production environment?”

Customer: “Yes.”

Architect: “Did you have a chance to look at the diagram in the design document?”

Customer: “Yes.”

Architect: “Dev and Test will be exactly the same.  Including the diagrams.  The only difference will be the domain suffixes.”

Customer: “I would still like to see a diagram to better understand.”

Approximately 30 seconds of complete silence…

Architect: (softly) “I’m not sure what you really need.”

Customer: “I would just feel better having a diagram.”

Architect: “Like the one shown in the production design document?”

Customer: “Yes! Exactly like that!”

Architect: “Dev and Test are identical.  Only the two domain names have different endings.”

Customer: “Ok. I understand.”

Architect: “Ok. That’s good.  Are there any other questions?”

Customer: “So, when do you think you could send me the diagrams for the Dev and Test environments?”

wash. rinse. repeat.

Analysis Time: GUI vs CLI, round 3

I did a round 1 several years ago, and I can’t remember when round 2 happened, so I played it safe by calling this round 3.  Anyhow, the point of this is what exactly?


The point is, I’m an emphatic proponent of anti-dogma.  It started when I was a child, when others would say to me “G.I. Joe cannot really fly.” and I set out to prove them wrong.  Then they said “Plastic model battleships can’t really do battle or explode and sink” and again, I proved them wrong (and a big thanks to the local fire department for helping to bring that sea battle to a safe close).

I just had my first cup of real coffee in 48 hours.  I can’t explain why.  I think I was having some sort of self-hatred phase or something.  So, I’m having what Leonard, in the movie Awakenings, would call a “moment of clarity”.  Or, maybe that was Jules in Pulp Fiction, anyhow…

In this case, it’s the dogma that CLI is inherently better than GUI.  It’s the same argument that one programming language is “the best”.  Or that only one kind of food is objectively “the best”.  To me that’s saying one tool in the entire hardware store is “the best”.  Being yet another kind of tool, as I’m often called, a CLI or GUI is “best” with regards to the context.

For scalable repetition, CLI is often the obvious choice.  And for single-instance scenarios, a GUI is often ideal.  But there’s that big middle ground, where the Red Bull drinkers debate the Supplement powder drinkers for world domination of the “my way is the only way” argument.  Those are indeed first world dilemmas.

First off, let’s keep things in perspective.  Just as the early-mid 1960’s were rife with the phrase, “it’s a man’s world”, and don’t hate me, I’m just offering an observation from watching Mad Men; 2017 is still a GUI world.  You can argue this if you want, but if CLI were truly the king of all that is software, you would NEVER see a packaged application installer with a GUI face, and your “smartphone” would only be a command prompt, and nothing more.  Touchscreens, video games, music production software, credit card swipers, ATMs, airline ticket kiosks, all are immersed in the GUI bathtub.

That said, CLI is obviously the king of process automation.  The efficiency comes in with zero-interaction operations.  Pre-configured parameters.  Even when a GUI is optimal for a given task, the trend today is to equip the GUI to save parameters to a file in order to leverage that captured parameter state for CLI repetition.

As one friend of mine would say, “if you’re pulling one engine, you rent a hoist, and buy a case of beer.  If you’re pulling 1,000 engines, you get a loan and build an assembly line.”

Let’s break the GUI down a bit.  One of the common points of debate is around item selection:  Radio buttons, check boxes, single- and multi-select lists, dials, sliders, date pickers, range approximation, color pickers, and so on.

Much of the following is derived from a project I worked on back in college.  We were discussing the merits of CLI vs GUI and our professor said “prove it.  with numbers.”  So we consumed sufficient quantities of caffeine and sugar, and went to work.

If you use a stop watch, and compare two engineers, equally caffeinated and infused with sugary snacks, and have them execute the same tasks in both the GUI and CLI, excluding differences in relative typing speed/accuracy, or mouse control skills, the completion times will lean towards one or the other based on the circumstances:

Disclaimer: This is based on a “first run” scenario, where no preconfigured data is yet available or determined.

  • Check boxes.  If using “Select All” or “Select None” the difference is zero.  But sporadic, non-contiguous selections, are quicker by GUI clicks than by typing in non-contiguous names.  This is further differentiated by the relevance of string pattern consistency.  If RegEx or wildcards can be used, it can lean in the favor of CLI.  But if the selections provide no consistent patterns, the GUI will win hands down.
  • Radio buttons are a wash.
  • Single-select lists are a wash if the list does not require scrolling in the GUI.  If the list requires scrolling, the CLI is faster.
  • Multi-select lists are only marginally quicker by GUI due to CLI having tab-completion.  This is predicated on a static set of options to select, which can be fed into an IntelliSense cache.
  • Sliders are faster via CLI (direct input).
  • Date selection is faster via CLI (direct input).
  • Calendar pickers are faster by CLI (direct input).
  • Color pickers will vary by pre-determined color values.  If you don’t know the color, but you are selecting by visual acuity only, the GUI is faster.  If you know the color name or code value, the CLI is faster.

The caveat from here on out is that once the GUI is used, if the inputs are captured, then the CLI steps in and knocks it out of the park.  This goes back to the repetition claim.

So, what does this really mean?  Aside from turning capable IT professionals into non-productive windbags (until the boss walks in), it means that anyone writing software that uses a GUI, and expects their product to be used repeatedly, should be building in a means to capture inputs to a file to facilitate reuse via CLI.  If they are not doing this, they can only fall into one of the following categories:

  • They’re stupid or lazy, or both
  • They don’t really care about customer satisfaction
  • They need to be beaten with a pepper spray can and tasered until the battery runs out

Until next time: happy CLI-ing.

Why SCCM Doesn’t Accidentally Image Machines

I’ve finally had enough.  Maybe it’s the result of hearing people just blindly repeat false garbage and claiming it as fact (I call it “phact” now).  But after hearing yet another so-called (another meme-ish aphorism du jour) engineer state to a group of other so-called engineers that “SCCM can ‘just randomly reimage computers'” because either:

A. They’ve seen it, or more often…

B. They heard a friend say they saw it happen.

Truth:  NO.  SCCM CANNOT RANDOMLY REIMAGE COMPUTERS.  IT DOES NOT.  IT WILL NOT.  IT CAN’T.  IT WON’T.  Stop saying stupid shit like this.

The real reason is that someone (aka a stupid idiot, yes, double redundancy intended) was poking around and made changes without knowing what they were doing.  That’s it.  I’ve seen “unintended” cases of SCCM involved with reimaging computers, but it was ALWAYS ALWAYS ALWAYS (and still is) due to human stupidity.

I’m probably missing a few steps here, in fact, yes, I see one right now:  The Task Sequence Deployment setting labelled “Make available to the following” from the Deployment Settings tab (e.g. “Only media and PXE” versus “Configuration Manager clients, media and PXE”, etc.)


In short, your resident idiot would have to target the wrong collection, OR, put the wrong machines into the targeted collection, OR, use the wrong deployment assignment setting, AND…

Have the machine on a subnet with access to PXE, AND boot to the network (boot config), AND press F12 before the boot time-out expires, AND (either) did not put a password on the Task Sequence deployment OR entered the password.  That’s a lot of “accidental” stuff to accidentally trip over by accident.  Maybe your admin needs a walker and a crash helmet.
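Every one of those conditions has to line up, so the cheapest place to break the chain is the first link: the deployment itself.  This added example (mine, not from the original post) lists task sequence deployments whose target collection or purpose deserves a second look.  It assumes a console build that ships Get-CMTaskSequenceDeployment, your site code in $SiteCode, and that OfferType 0 means “Required” in SMS_Advertisement (verify against your provider schema).

```powershell
# Added example, not from the original post: audit task sequence deployments for the
# "wrong collection / wrong deployment setting" links in the accidental-reimage chain.
param(
    [string]$SiteCode        = 'P01',   # placeholder: your site code
    [int]   $LargeCollection = 50       # member count above which a TS target is "suspicious"
)

# The console installer sets SMS_ADMIN_UI_PATH to ...\AdminConsole\bin\i386; the module is one level up.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Push-Location "$($SiteCode):"

# Built-in collections that should never be the target of a task sequence deployment.
# SMS00001 is "All Systems"; extend with any "all devices" collections of your own.
$builtIn = @{ 'SMS00001' = 'All Systems' }

$findings = foreach ($d in Get-CMTaskSequenceDeployment) {
    $coll    = Get-CMCollection -Id $d.CollectionID
    $reasons = @()

    if ($builtIn.ContainsKey($d.CollectionID)) {
        $reasons += "targets built-in collection '$($builtIn[$d.CollectionID])'"
    }
    if ($coll.MemberCount -ge $LargeCollection) {
        $reasons += "collection has $($coll.MemberCount) members"
    }
    # Assumption: SMS_Advertisement.OfferType 0 = Required (mandatory), 2 = Available.
    # A Required TS needs no F12 on a client-targeted deployment, so it earns a flag.
    if ($d.OfferType -eq 0) {
        $reasons += 'deployment purpose is Required, not Available'
    }

    if ($reasons) {
        [pscustomobject]@{
            TaskSequence = $d.AdvertisementName
            Collection   = $coll.Name
            CollectionID = $d.CollectionID
            Members      = $coll.MemberCount
            Why          = ($reasons -join '; ')
        }
    }
}

Pop-Location
$findings | Sort-Object Members -Descending | Format-Table -AutoSize
```

An empty table is the goal; anything listed is a deployment that a human should be able to explain on demand.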


Top 10 Tech Issues for Last Month


1 – SCCM Site Boundaries Stayed at the Bar too long.  Got in a fight with some angry UFC folks and wound up in the ER with tubes going in all sides.

Doctor writes in patient record: “Be sure to talk with your Network engineers to ensure they are staying on top of their end.  No messing around with overlapping subnets, or laughing hysterically at the need to maintain AD Sites and Services.  Then be sure to actually heed the information they provide you and build your site boundaries to correctly match the environment.”

2 – Don’t forget about a Fallback Status Point

3 – Don’t forget to mention the FSP in the client push settings

4 – Don’t forget to include the appropriate accounts, and account permissions, for the client push installation account.  Especially when dealing with AD Forest Trusts and machines on both sides of the trust.

5 – Coffee.  Never never never forget about the coffee.  RedBull/Monster, etc. are okay, but real men chew their coffee whole, worry about the liquid part later.  Bonus: If you can manage to push the grinds through a tube, then injection may be your best bet.

6 – Get outdoors.  Staring at the screen for too long leads to glazing over, which leads to missing obvious things.

7 – Primal scream therapy.  It’s still allowed.  Practice it often, in random locations.  In the middle of a staff meeting.  In an elevator.  Standing in line at the deli. Whatever.  It can be very refreshing.

8 – SCCM Backups should be targeted to a different location than the SCCM drive itself.  And make sure there’s an offline backup process for double-protection.  If someone else manages the virtual hosting environment, and storage, talk to them about their backup processes to find a solution to fit everyone’s needs.

9 – Active Directory.  Do not ignore it.  If you don’t regularly check on DNS and DHCP configurations (and health), start doing it now.  Keep the accounts clean.  Devices that don’t exist, should be vaporized with extreme anger and a twitching eyelid.

10 – Always focus on the process first.  Then worry about the tools and methods.  Quite often, the best tools are a whiteboard and a cup of coffee (see item 5).  90% of my engagements end up chopping out a ton of unnecessary work just by standing back to take a fresh look at how things are done.

The Ballad of Orchestrator

If I had a dollar for every time I’ve had a discussion with someone who works with Microsoft System Center, while I stare at the floor, wondering why they never bothered to have that weird reddish-brown stain removed, and it’s in their main lobby, as they describe the pain, and effort they endured to build some crazy semi-automated chain of mouse traps using a wheelbarrow full of third-party utilities, truckloads of scripting, and a few crates of some long-forgotten Windows CLI utilities, registry hacks and whatever, and after they were done, I’d be thinking to myself “that was one stupidly-long run-on sentence”, but I end up saying, “You know? You could’ve knocked that out in a lot less time using Orchestrator”, well, I’d be rich enough to not have time to write a blog.  I’d be too busy having my toenails custom painted while skydiving from my private jet onto the deck of my private yacht. Floating in the lagoon of my private island.  Okay, that’s a big stretch.


First off, 99.999999999% of the time, here’s what the response is, “What’s Orchestrator?”

(15 seconds of awkward silence ensues)

Whatever Microsoft has paid their marketing folks, I would like to officially ask for 10% of it, just for doing my part to inform their customers, “well, it’s this amazing virtual Lego kit that you can use to build just about anything. Oh, and by the way, you already paid for it.”  That might help pay a few bills at least.  I think that I’ve earned it.  Or I could be delusional too.

Anyhow, for those who still begin every explanation with “it was called Opalis, once…”, and have ripped open that Christmas box and put the batteries inside, you know what I’m talking about.  You also know the dreaded feeling of hearing someone say one of the following:

“They didn’t make any changes to it in System Center 2016”

“It’s dead, Jim.  Long live the cloud.”

Sad.  Truly sad. It never really had its glory day (imho).  Isolated moments of sheer awesomeness are to be found, for sure.  But on a ubiquitous (see?  you didn’t think I could whip out a big word like ubiquitous, did you?) and pervasive scale? No; not what it really deserved. It was that incredible 2nd string player, drafted in the 2nd round, that was capable of smashing records, but never got on the field, and now it’s hitting retirement age.

Not so fast.

Just like Arnold Schwarzenegger (I cheated on the spelling, I had to), it can still press a few hundred pounds while smiling.  Maybe while clenching a cigar in its mouth at the same time.

Some interesting use-cases I’ve seen in the past year or two…

  • The typical New-Hire / Employee-Term scenario runbooks, but with extensions for ordering facilities services (phone, desk, chair, whiteboard), telecom (phone), computer equipment (HR app checkbox for “mobile user” triggers order for laptop or tablet), and notifying front desk security personnel with employee photo.  And don’t forget the standard AD group memberships, attributes, and OU management stuff.
  • Monitoring file system folder where app-devs upload final code check-ins, read specific files to create SCCM applications, deployment types, detection methods, requirements, as well as distribute to certain DP groups, and deploy to Collections (with additional parameters)

There have been a few others.  Some were just discussions around “what if…”, which could have easily turned into more amazing concoctions, but I didn’t stick around long enough to find out if they did.

Alas, before I toss back a ceremonial shot (of something cheap, like me), I have to say that I’ve spent some time with Azure Automation runbook authoring, and it’s very, very promising indeed.

The State of IT Work in America

Disclaimer:  This is scientifically indeterminate information. Statistically unfounded, and somewhat anecdotal.  I would use more adjectives and analogies, but my coffee ran out hours ago and my dog just tried to eat my cat.


What is This?

This article is a summarization of data collected from customer engagements working as an IT consultant over the past calendar year.  The information is taken from notes that are primarily intended to provide scoping around specific IT projects.

After reading so many Forrester and Gartner reports, as well as internal assessment emails from various customers, I sometimes wonder if they suffer from the Heisenberg principle, or if they have ulterior motives; I really don’t know.  I wanted to at least try to put a stick in the ground and point at it while mumbling.

I’ve made every effort to translate my notes into this compilation, but I cannot share the actual names or identifying information due to serious legal risk (there’s a white van circling my house… right…. now…)

Business Types

(just the ones I have personally connected with)

  • 3 municipalities
  • 4 hospitals
  • 4 manufacturing
  • 5 retail corporate offices
  • 3 health insurance corporate offices
  • 2 luxury goods
  • 3 food processing
  • 2 food service retailers
  • 1 railroad company
  • 1 cloud data center hosting company
  • 2 financial services companies
  • 5 banks
  • 2 chemical processing companies
  • 2 engineering firms
  • 10 legal firms
  • 1 household products company
  • 2 defense engineering companies
  • 1 electronic circuitry designer
  • 1 sports franchise marketing firm
  • less than 20% are publicly traded
  • and a partridge in a pear tree

IT Organization Sizes

(just my own personal involvement, not our company as a whole)

  • 50% – 5000 devices/users or less
  • 25% – 500 devices/users or less
  • 20% – More than 5000 devices/users
  • 5% – More than 10,000 devices/users
  • Smallest = 60 devices
  • Largest = 185,000 devices

Infrastructure and Platforms

(very approximated numbers)

  • 100% are Windows Server Active Directory environments
  • 50% are using cloud services currently (AWS or Azure)
  • 90% are using VMware datacenter products
  • 75% are using MDT or SCCM
  • 40% of “new” SCCM customers are on current branch
    • 50% of the rest are preparing to upgrade
    • 50% of the rest are scared to death for no reason
  • 90% are still using Windows 7
  • 80% are actively deploying Windows 10
  • 10% are actively deploying Windows Server 2016
  • 30% are actively deploying EMS/Intune, Azure AD Premium
  • 95% are actively deploying Office 365 and Azure AD
  • 50% still don’t understand Group Policy
  • 90% still assess configuration controls via a product-centric perspective (bad)
  • 80% still don’t document Group Policy changes
  • 90% have switched from Batch or VBScript to PowerShell
  • 95% are using Symantec or McAfee antimalware products
  • 35% are using, or trying to use, disk encryption (e.g. BitLocker)
  • 5% using other endpoint management tools (e.g. LANDesk)
  • 80% of SCCM owners still don’t understand ADRs
  • 99% of System Center owners still don’t know what Orchestrator does
  • 75% of SCCM owners still don’t understand thin, thick or hybrid image concepts
  • Observations:
    • Most are excited to get to Windows 10 as soon as possible
    • Most are excited to upgrade SCCM when they learn how it can help them get to (and support) Windows 10
    • Most are frustrated with the gaps in Cloud technologies, but mostly (always) due to assuming it’s a “done” technology, rather than an evolving one.  Examples: SCCM/Intune integration, Azure ADDS.
    • Not implying these are deficient or faulty products.  Just that many customers expected everything is available to “switch over” right now, when many of the expected features are not quite ready.

Roles and Functions

  • Breakdown of those I’ve worked with:
    • 60% mid-level operations
    • 30% senior-level operations / architecture
    • 9% executive management
    • 1% whoever answered the phone
  • Observations
    • Vast majority would state they are providing two or more distinct job functions, many stating 3 or 4.  In most cases, each role would have been a distinct job position five years ago.
    • Most of the role-compression has been the result of passive attrition, small percentage from active attrition.
    • Almost all (actually only 1 exception) stated they are expected to respond to business requests after normal business hours.
    • Most of the preceding group still don’t know how they got tricked into doing that
    • Almost all (3 exceptions) are salaried, rather than hourly.
    • None were compensated for overtime hours, but were allowed flex/comp time as make-up.
    • 75% received a small raise in the last three years.
    • 25% had no raise in over a year (usually department or company wide)
    • Only 3 or 4 had received any monetary bonus payouts in the last three years.
    • 75% stated that they feel IT is a reactive, not a controlling, force within the organization.
    • 10% of SCCM owners still have managers that are afraid SCCM will automatically reimage every computer in the organization one day without notice.  Because they heard from a friend of a friend how it can “just happen”

Job Tiers

  • Almost all organizations use a seniority-based model for assigning job titles, rather than a functional or role-based model
    • Most engineers are doing administrator work
    • Most architects are doing engineer work
    • Most technicians are doing administrator work
    • Most Administrators are asking WTF?
  • Lower-paying roles are difficult to staff to meet customer SLA expectations due to ability-versus-upward-mobility challenges. (e.g. top-performers rarely want to remain in help desk or call center roles longer than they feel necessary)
    • The exception to this seems to be tech-focused businesses, like datacenters, software development, etc.  Roles and functions didn’t seem to be as caste-oriented as non-tech-focused businesses.
  • The quality and aesthetic appeal of the work spaces seem to relate to the overall “happiness factor” as far as I’ve seen.
    • Offices with play rooms, sofas, cafeterias, free vending machines, etc., often have more workers walking around in a good mood.
    • Offices with a roach infestation, dead bodies, and yellow-ribbon across doorways, tend to have fewer smiling workers walking around.
    • Very very very few unhappy telecommute workers.  But that may be due to encountering very very very few telecommute workers.

Work Patterns

  • Just read “The Phoenix Project” up to chapter 23, and that’s pretty much how most organizations seem to operate.  Continuous effort to maintain.
  • Most have said that proactive, innovation-oriented work is considered a luxury.
  • Company-paid training is noticeably less available than it was 5 years ago.
  • Reimbursement for certifications continues to be available at most organizations


  • If you like getting prostate or cervical exams with a garden shovel, you are probably a good fit for working in IT as of 2017.  If a work-life balance of 90:10 is your thing, you’re probably going to excel.  If you thought “do more with less” only applied to home improvement projects, well, think again.
  • Are there still rewarding careers in IT?  Sure.  Based on this, obviously anecdotal, mini-slice of the world, I would subjectively propose that, in general, it’s heading towards a more rigorous environment than a more-creative environment.
  • Somewhere, somehow, it seems (to me, anyway) that there’s a growing disconnect between the IT staff layers, and executive management.  This varies widely based on the nature of the business, and the scale of the organization.  But regardless, it seems that the CIO and CTO roles are increasingly difficult to fit into the divide between business and technology.  Their roles are often aligned more closely to one or the other.  When aligned too close to non-tech, the technical side seems to suffer more.  But when aligned too close to purely technical, the executive layer (cultural) support seems to suffer.
  • Again, this is all subjective, anecdotal, non-empirical, non-deterministic, kerfluffery stuff.  Whatever that is.  I just needed to vent.  Been on 20 hours of phone calls dealing with everything from SCCM site problems to cats fornicating outside people’s hotel windows at 2am.  It’s been an interesting day.
  • Cheers!

Itsy-Bitsy Teeny Weeny little SCCM tips

None of these are my own inventions.  I’ve collected them over the years and they’ve helped me more times than I can count.  I’m also surprised how many times I encounter customers that aren’t aware of these tips, but end up using them afterwards. Paying it forward I suppose.

Use The Force (Group Policy)

  • Let it handle your server configurations.  This includes firewall settings, local administrators, service login rights, and so on.
  • Use GPPrefs to deploy standard goodies, like bginfo.exe (along with .bgi files), and other Sysinternals utilities.  Deploy cmtrace, KeePass and other portable apps (i.e., ones that don’t require an installation before use).
  • Ultimately, you join the machine to your domain, reboot it, and when it comes up after the next domain login, it’s like coming back to the table from the restroom to find your meal waiting for you (props to Pulp Fiction for that one).

NIC Teaming

  • Whether you have one (1) network adapter or ten (10), place them into a team.  This adds an abstraction layer in case you need to change the physical (or virtual) adapter and don’t want to disrupt applications and services that rely on it at the upper layers.

BGInfo Customization

  • It’s sooooooooooo easy to add custom tags to the BGINFO display set.  One of my favorites is to add the SCCM client version, and SQL version to the display set.  You can query almost any WMI, registry or file source to pull something interesting for automatic display on the desktop.
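Continuing the thought above, here is an added example of mine (not from the original post) that gathers the ConfigMgr client version and the installed SQL Server versions and parks them in a registry key that a BGInfo custom field of type “Registry value” can read.  HKLM:\SOFTWARE\BGInfoCustom and the value names are my own placeholders; run it elevated, for instance as a startup script.

```powershell
# Added example, not from the original post: stage values for BGInfo "Registry value" custom fields.
$KeyPath = 'HKLM:\SOFTWARE\BGInfoCustom'   # placeholder key; BGInfo reads from here

function Get-CMClientVersion {
    # SMS_Client in root\ccm exists only where the ConfigMgr client is installed
    try {
        (Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction Stop).ClientVersion
    } catch {
        'not installed'
    }
}

function Get-SqlVersions {
    # "Instance Names\SQL" maps each instance name to its instance ID (e.g. MSSQL13.MSSQLSERVER);
    # "<ID>\Setup" carries the Version and Edition values for that instance.
    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    $map  = Get-ItemProperty -Path "$root\Instance Names\SQL" -ErrorAction SilentlyContinue
    if (-not $map) { return 'none' }

    # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those, keep real instance names
    $lines = foreach ($p in ($map.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $setup = Get-ItemProperty -Path "$root\$($p.Value)\Setup" -ErrorAction SilentlyContinue
        if ($setup) { "$($p.Name): $($setup.Version) ($($setup.Edition))" }
    }
    if ($lines) { $lines -join ', ' } else { 'none' }
}

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
Set-ItemProperty -Path $KeyPath -Name 'CMClientVersion' -Value (Get-CMClientVersion)
Set-ItemProperty -Path $KeyPath -Name 'SqlVersions'     -Value (Get-SqlVersions)

# In BGInfo: Custom... > New > Registry value, path HKEY_LOCAL_MACHINE\SOFTWARE\BGInfoCustom\CMClientVersion
# (and likewise for SqlVersions), then add the two new fields to the display set.
```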

Pin Logs Folder to the Taskbar

  • If you use a preferred log manager then you can ignore this tip.  But if you don’t, and you typically use cmtrace.exe (like many of us mortals), and you’re using Windows Server 2012 R2 or 2016, you can Pin folders to the right-click list from the taskbar, on the Start Menu, and to the Quick Access list.

And Speaking of Windows Server 2016

  • If you run your site systems on Windows Server 2016, you gain quite a lot of small, but helpful advantages.  Among the neat little goodies are…
  • Right-click Start Menu for fast access to many common admin tools.

ConfigMgr Console / Column Headings

I’ve mentioned this before, but to save time, just do this and I’ll stfu:

  • Navigate into Assets and Compliance / Devices
  • Right-click on one of the column headings in the details pane (right-hand)
  • When the popup menu appears, stare at it for a full minute.
  • Then scroll down.
  • Okay, now scroll back up.
  • Now, check a few items like Client Version, Active Directory Site, Device Online Status, and maybe Serial Number
  • Turn around and pick your jaw back up off the floor.  The cleaning guy is coming around with the vacuum cleaner.

ConfigMgr Toolkit and RBAViewer

  • Yes, it still exists.  Yes, it still shows version “2012 R2”.  Yes, it works fine with 1610.  At least, it has been working fine for myself and most everyone else I know.  Among the plethora of goodies it lays on your machine, is the RBAViewer utility.  Once beaten, bloodied and battered, laying in an alley, puking profusely after SCCM 1511 used a blowtorch and vice grips on it, it has since recovered in a rehab and got a haircut.
  • If you ever work with role based access (hence “RBA”) using the ConfigMgr console features, you owe it to yourself to try this old but helpful utility.

AD Account Attributes -> Queries, Collections

  • I’m still surprised to find customers that take the time to really use Active Directory LDAP attributes like a (smart) Lego kit.  Some of them populate non-typical attributes on user and computer accounts, and then use that to assist other automation processes, either with PowerShell, Orchestrator, Azure Automation, or a trained squirrel with a radio antenna on its head.  And yet others take the time to register their own OID and craft their own custom extensions. Kudos for pushing the envelope!
  • For those of you that use interesting AD, Exchange, Lync/Skype and custom attributes, like employeeID, employeeType, or msExchExtensionAttribute12, you can leverage those within SCCM for queries and collections too!
  • To do this, you need to modify your Discovery method settings, which has some caveats (short-term additional inventory traffic after the change is made).   For example, to capture the “title” attribute, open the Active Directory User Discovery properties, click on the Active Directory Attributes tab, select “title” from the Available Attributes list, and click “Add >>”, then click OK.
  • Now you can create a query-rule collection of users that have a job title of “executive douchebag” and deploy a package of questionable web shortcuts to their desktop.  Although I’m kidding here, hopefully you see the (serious) potential.
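As an added example (mine, not from the original post) of the “title” attribute case just described: it first verifies that the attribute has actually reached the SMS_R_User class after discovery, then creates a user collection with a query rule on it.  $SiteCode, the attribute name, the value and the collection name are placeholders; it must run where the SMS Provider namespace is reachable, and it assumes that an added discovery attribute surfaces as an SMS_R_User property under its AD name.

```powershell
# Added example, not from the original post: collection query rule on a discovered AD attribute.
param(
    [string]$SiteCode       = 'P01',                 # placeholder: your site code
    [string]$Attribute      = 'title',               # AD attribute added to AD User Discovery
    [string]$Value          = 'Accountant',          # placeholder value to match
    [string]$CollectionName = 'Users - Title Accountant'
)

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')

# 1) Schema check. Until a discovery cycle has run with the new attribute, SMS_R_User does not
#    carry it, and a query that references it will fail (or silently return nothing).
$userClass = Get-CimClass -Namespace "root\sms\site_$SiteCode" -ClassName 'SMS_R_User'
if ($userClass.CimClassProperties.Name -notcontains $Attribute) {
    throw "SMS_R_User has no '$Attribute' property yet. Add it under AD User Discovery > Active Directory Attributes and run a full discovery first."
}

Push-Location "$($SiteCode):"

# 2) Build the WQL query rule. Double quotes in the value are escaped so they cannot break the string.
$escaped = $Value -replace '"', '\"'
$wql = @"
select SMS_R_User.ResourceId, SMS_R_User.ResourceType, SMS_R_User.Name,
       SMS_R_User.UniqueUserName, SMS_R_User.WindowsNTDomain
from SMS_R_User
where SMS_R_User.$Attribute = "$escaped"
"@

# 3) Create the collection (limited to the built-in "All Users", SMS00002) if it is missing,
#    then attach the query rule. Re-running the script leaves an existing collection in place.
$coll = Get-CMUserCollection -Name $CollectionName
if (-not $coll) {
    $coll = New-CMUserCollection -Name $CollectionName -LimitingCollectionId 'SMS00002'
}
Add-CMUserCollectionQueryMembershipRule -CollectionId $coll.CollectionID `
    -RuleName "$Attribute = $Value" -QueryExpression $wql

Pop-Location
```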

Special Shortcuts

  • This is old, but not as old as me, moo-haa haa haaaaa (cough, cough, wheeze… gasp…*).  If there’s a shortcut that you always launch using “Run as administrator”, you can configure the shortcut to always launch that way without having to right-click on it every time: right-click the shortcut once, select Properties / Shortcut, click “Advanced”, check the box for “Run as administrator” and click OK.

Site System Maintenance Windows

  • A lot of customers complain that they can’t control when SCCM checks for, and downloads, the next version on a site system.  They don’t want their site systems to automatically download and update things, but yet, they still want the option to do so with a leash around its neck.  You can.  It does, with some conditions.
  • If you’re on 1610, you can enable this by going into Administration / Site Configuration / Sites, then right-click on the Site, choose Properties.  Select the “Service Windows” tab.