SCCM and Chocolatey


Trying to leverage goodness from various mixtures of Chocolatey with SCCM is definitely not new. Others have been playing around with it for quite some time. However, I wanted to pause from a month of mind-numbing work-related things to jot down some thoughts, realizations, pontifications, gyrations and abbreviations on this.

Much of this idiotic rambling that ensues hereinafter is based on the free version of Chocolatey.  There is also a “Business” version that offers many automation niceties which you might prefer.  There’s a lot more to this Chocolatey thing than I can possibly blabber out in one blog post (even for yappy little old me), such as the Agent Service features, packaging, and more.  Visit http://chocolatey.org for more.

1 – Is it “Better”?

No.  It’s just different.  But, regardless of whether it “fits” a particular need or environment, it’s often nice to know there’s another option available “just in case”.

2 – Who might this be of use to?

I can’t list every possible scenario, but if you line up the potential benefits, they point to remote users who can’t reach a public-facing (or VPN-exposed) distribution point.  It also somewhat negates the need for any distribution resource, even cloud based (Azure, AWS), since there’s no need for staging content unless you want to do so.

3 – How does SCCM fit?

At this point (build 1703) it’s best suited for use as a Package object, since there’s no real need for a detection method, or making install/uninstall deployment types.  A Program for installation, and another for uninstallation, are pretty much all that’s needed.

4 – How does an Install or Uninstall work via SCCM?

As an example, to install Git, you would make a Package, with no source content, and then create one Program as (for example only) “Install Git” using command “choco install git -y”, and another as “Uninstall Git” using “choco uninstall git -y”.  (Caveat: some packages incur dependencies, which may throw a prompt during an uninstall.  For those you can add -x before the -y, but refer to the Chocolatey documentation for more details.)

5 – How do you push updates to Chocolatey apps via SCCM?

You can use the above construct with a third Program named “Update Git” (for example) with command “choco upgrade git -y”.  Another option (and my preference) is to deploy a scheduled task that runs as the local System account, to run “choco upgrade all -y” at a preferred time or event (startup, login, etc.).  And, as you might have guessed by now (if you haven’t fallen asleep and face-planted into your cold pizza), someone has done this for you.

6 – Can you “bundle” apps with Chocolatey with or without SCCM?

Absolutely.  There’s a bazillion examples on the Internet, but here’s one I cobbled together for a quick lab demo a while back.  This one feeds a list of package names from a text file. You can also hard-code the list, or pull it from anywhere that PowerShell can reach it (and not just PowerShell, but any script that you can run on the intended Windows device).
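In that spirit, here is an added example of my own for sections 5 and 6 (it is not the gist the post links to, nor Chocolatey’s own code): one script that feeds a package list from a text file into choco, and optionally registers the “choco upgrade all -y” scheduled task running as SYSTEM.  Assumptions: choco.exe is already installed in its default location, the list file holds one package id per line, and the internal feed URL is a constructed placeholder.

```powershell
# Added example (not the post's gist, not Chocolatey's code).
# Assumptions: choco.exe lives in $env:ProgramData\chocolatey\bin; packages.txt has one
# package id per line ('#' starts a comment); the --source URL is a constructed
# placeholder for a feed you control.
[CmdletBinding()]
param(
    [string]$ListPath = "$PSScriptRoot\packages.txt",
    [string]$Source   = 'https://nuget.example.internal/chocolatey',  # placeholder
    [switch]$RegisterUpgradeTask
)

$choco = Join-Path $env:ProgramData 'chocolatey\bin\choco.exe'

function Get-PackageList {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "Package list not found: $Path" }
    Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        Where-Object {
            # Package ids are letters, digits, dots and dashes. Anything else is a typo,
            # or someone trying to sneak extra arguments in through the list file.
            if ($_ -match '^[A-Za-z0-9][A-Za-z0-9\.\-]*$') { $true }
            else { Write-Warning "Skipping invalid package id: '$_'"; $false }
        }
}

function Install-PackageBundle {
    param([string[]]$Packages, [string]$Source)
    $results = @{}
    foreach ($pkg in $Packages) {
        # -y answers the prompts; --source pins the feed so a stray config change
        # can't point the box at a repository you didn't intend.
        & $choco install $pkg -y --source $Source --no-progress
        $results[$pkg] = $LASTEXITCODE
        # 0 = ok, 1641 / 3010 = installed but a reboot is pending
        if ($LASTEXITCODE -notin @(0, 1641, 3010)) {
            Write-Warning "$pkg failed with exit code $LASTEXITCODE"
        }
    }
    return $results
}

function Register-ChocoUpgradeTask {
    param([string]$Source)
    # Section 5's approach: LocalSystem runs "choco upgrade all -y" at startup and
    # daily. That is code execution as SYSTEM on a schedule, which is exactly why
    # the feed is pinned here too.
    $action    = New-ScheduledTaskAction -Execute $choco `
                    -Argument "upgrade all -y --source $Source --no-progress"
    $triggers  = @(
        (New-ScheduledTaskTrigger -AtStartup),
        (New-ScheduledTaskTrigger -Daily -At '3:00AM')
    )
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Chocolatey Upgrade All' -Action $action `
        -Trigger $triggers -Principal $principal -Force | Out-Null
}

$packages = Get-PackageList -Path $ListPath
$summary  = Install-PackageBundle -Packages $packages -Source $Source
$summary.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

if ($RegisterUpgradeTask) { Register-ChocoUpgradeTask -Source $Source }
```

Wrap it in an SCCM Package/Program (no source content needed, as in section 4) with a command line such as `powershell.exe -ExecutionPolicy Bypass -File bundle.ps1 -RegisterUpgradeTask`, and drop the list file next to the script or point -ListPath at a share the client can reach.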

7 – What about MDT?

Here’s a twist: you can deploy Chocolatey packages using MDT, or deploy MDT using Chocolatey.  How freaking cool is that?  If you sniff enough glue, you might even construct a Rube Goldberg system that deploys itself and opens a wormhole to another dimension.  By the time you find your way back, America will be a subsidiary of McDonald’s and we’ll have real hoverboards.

8 – What about applying this to Windows Server builds?

You can.  I’d also recommend taking a look at BoxStarter, and Terraform.  I built a few BoxStarter scripts using Github Gists for demos a while back.  Here’s one example for building an SCCM primary site server, but it’s in need of dusting off and a tune up.  You can chop this up and do things all kinds of different (and probably better) ways than this.

The list of automation tools for building and configuring Windows computers is growing by the day.  By the time you read this sentence, there’s probably a few more.  Hold on, there’s another one.

PS – If you get really, really, reeeeeeally bored, and need something to either laugh at, ridicule or mock, you can poke around the rest of my Github mess.  I don’t care as long as you put the seat back down after flushing.

Interview: Mike Terrill

Introduction

Each “interview” I’ve done has been a wildly different experience. This one was impacted by logistics and direction changes.  By that, I mean both Mike and I were in the midst of major scheduling demands; however, Mike is also navigating a job change, which always makes it tough to fit in extracurricular activities (like half-brained bloggers nagging people with questions).

Mike is one of my short-list, go-to people for information about things related to deploying and managing Windows devices via System Center technologies.  I’m not implying that’s all he’s good for, but that’s how I discovered his blog and Twitter feed. Mike is also one of several people I tried (and failed) to meet in person during Microsoft Ignite 2016 in Atlanta, due to crazy schedules, navigational challenges, and caffeine shortage.  I’m planning to be at Ignite 2017, so I’m going to be more diligent in meeting people (those that want to meet me in person, that is).

Name: Mike Terrill

Job Title: OS Engineer

1. Describe what you do for a living – to someone who has no idea what it means.

Architect systems to deploy and manage Windows devices electronically without touching them.

2. How did you get into this type of work?

I have always been interested in computers since the day when I got my first computer – C64. I was big into cars during high school and college, and I wanted to work on automotive computer systems when I graduated. I ended up getting into systems management instead.

3. What area or aspect of technology are you most excited about?

Self-driving cars and connected cars – people are idiot drivers and half of them should not be behind the wheel. It is exciting to see the progress in this area. The Systems and Industrial Engineering Department at the University of Arizona is one of the leaders in this space and has been ever since I was there in the 90s.

4. What gives you the most satisfaction today?

Family vacations, cart racing and Megadeth concerts.

5. Name the 3 most inspiring people in your life or career?

My parents and my wife. My parents taught me how to work hard to meet my goals. My wife has helped me make my career decisions, including my recent one (but she still thinks it is called SMS since I gave up talking to her about it a long time ago).

6. If I hadn’t gone into this field, I’d probably be…

an automotive engineer with an emphasis on engine (computer) management systems. I had a Mustang GT 5.0 growing up that I not only turbocharged, but I replaced the Ford computer system with a fully programmable aftermarket computer system that provided engine management.

7. Favorite place to travel?

Hawaii (second to that would be Mars with skatterbrainz of course).

[edit: oh, this poor guy]

8. What 3 books, movies or other works have influenced you most in life?

Millionaire Next Door, Smart Couples Finish Rich, and of course one of Kent Agerlund’s books. The first two teach basic common financial sense and these concepts should be taught in high school. Kent’s books teach Configuration Manager common sense.

9. There’s never enough …

time in the day (or money).

10. There’s way too much …

hatred (and big government).

11. What’s your favorite sound?

Dave Mustaine’s guitar.

12. What would you say to those who insist that technology has only made life worse?

I would say “What about all of the technology that is now making things possible for disabled people that previously were only a dream?” Technology has made life better, not worse. Sometimes people use technology for bad things (like the recent WannaCry ransomware), but that is a people problem, not a technology problem.

13. How do you feel about the importance of college degrees, and certifications as it pertains to IT careers?

Do those credentials mean as much, or more, than they used to? Yes and no. There is still a need for advanced education. Formal college degrees and certifications show one’s desire and persistence to complete a goal (and hopefully learn in the process). However, there are plenty of smart individuals out there that do not have formal education. As for IT, it is a mixed bag. Some people happened to fall into IT as a career and probably should be in a completely different field (skatterbrainz knows what I am talking about – just read his tweets from his projects).

[edit: omg – I promise I did not bribe anyone for that mention]

14. You’ve crashed on a remote island along with 4 other engineers, and 5 sales people. There’s only enough food for five people total to last a week. What do you do?

The 5 sales people will end up drowning since they believe they can walk on water. That will leave enough time for the engineers to come up with a plan and get off the island.

[edit: there is an alternate theory that the sales people will ultimately survive by way of verbally ‘synergistically envisioning’ the engineers to death]

15. If you could go back in time and change one piece of technology to end up better today, what would it be, and why?

Hmm…this is a tough one, but it would probably be with something that helps people or saves lives.

More about Mike

Mike’s twitter profile

Mike’s blog

Arizona Systems Management Users Group


SCCM Collection Queries by Server Role


Rather than spew forth a bunch of sample queries, I’ll just hand you a virtual fishing rod, a case of imaginary beer, and point you to the make-believe boat.  This little procedure came in handy today with a customer I was helping.  I hope it helps you as well…

  • Device Collections
    • Create Device Collection
      • Name: Servers – WDS Servers (example)
        • Limiting collection: (whatever has servers with clients)
        • Use incremental updates for this collection (check)
        • Add Rule > Query-Rule
          • Name: 1 (or whatever you want, I’m lazy)
          • Edit Query Statement:
            • Omit duplicate rows (check)
            • Criteria tab
              • “Select” button (click it)
              • Class = Server Feature
              • Attribute = Name (click OK)
                • Is Equal To (leave as-is)
              • Click the “Value” button
                • Select an appropriate Feature Name
                • Enjoy a cold one!

SCCM User Collections by Job Title, etc.

For some of you this is going to be a no-brainer, but for some reason I’ve been getting more and more questions about how to make User Collections in SCCM based on query rules using AD account properties, like:

  • Job Title
  • Department Name
  • Division
  • City
  • Description

While it’s still fine to use other criteria for Collection membership rules, such as OU path, Security Group names, and so on, it’s always nice to know you have even more options available.

For one customer, they found it unnecessary to add people to security groups when they already have a consistently maintained job “title” for each user account in Active Directory.  When they want to deploy software to employees by their title, why not do that directly, instead of populating a group and adding more work?  In some cases, a group is necessary for other purposes, so it’s a fact of life.  But for this customer, and others like them, they don’t rely on security groups for targeting configuration rules or software deployments.

Best of all, this is really easy (I mean REALLY, REALLY, REEEEEEEEAAALLY easy) to do.

Step 1 – Adjust the Discovery Settings

By default, SCCM collects a fairly good subset of AD account attributes for user and computer objects in a given AD forest/domain.

  • name
  • distinguishedName
  • dnsHostName
  • mail
  • objectGUID
  • objectSID
  • primaryGroupID
  • sAMAccountName
  • userAccountControl
  • userPrincipalName
  • whenCreated

The best thing about SCCM is that it’s flexible.  You can select other attributes to gather from the environment during each discovery cycle.  Just be aware that when you change Discovery settings, it does have some impact on the environment, even if negligible.

For example, when you add more settings to collect, such as discovery information, hardware and software inventory, it means more data being transmitted across the network, and more data being stored in the SCCM SQL database tables.  The impact of a discovery rule change is typically short-lived.  From then on, only delta changes are collected, and network overhead is back to minimal.

For this example, let’s add some attributes for User discovery:

  1. In the SCCM admin console, select Administration, and then expand Hierarchy Configuration / Discovery Methods.
  2. Open “Active Directory User Discovery” (or right-click / Properties)
  3. Select the “Active Directory Attributes” tab
  4. Press CTRL and select “department“, “division“, “employeeID” and “title“, then click “Add >>” to move them into the Selected Attributes list.
  5. Click OK


At this point, you can wait for the next Discovery cycle to run, or force it (get your fully-charged snake prod ready, for when the Network folks come storming in to yell at you for a small spike in network traffic, “caused by your evil SCCM tool thing!!”)  Just kidding.  If they freak over this small blip, offer them some marijuana-infused cookies.  Works every time.

Step 2 – Create a Collection

  1. Select Assets and Compliance
  2. Select User Collections (if you have folders beneath this, expand the appropriate folder, or create a new folder, whatever floats your boat)
  3. Create a new User Collection (right-click or select from ribbon menu)
  4. For this example, I’m going to make a User Collection to identify Sales Managers, because they’re fun to mess with.  We can deploy all sorts of painful things to them as reward for the joy they bestow upon their technical brethren.  So I will name this “Users – Title – Sales Managers”
  5. For Limiting Collection, you can use “All Users”, and click Next
  6. On the Membership Rules panel, check both “Use incremental updates for this collection” and “Schedule a full update on this collection”, because the query-based membership could change as Sales Managers are assassinated by angry coworkers and replaced by more of them stamped from the assembly line.  Just kidding.  But still, check both options.
  7. Click “Add Rule” / “Query Rule”
  8. Name the rule “1” (that’s right, a number one.  For the rank of those who annoy us most)
  9. Click “Edit Query Statement…”
  10. On the General tab, check the option “Omit duplicate rows (select distinct)” (which should be selected by default, but whatever, I’m too lazy to upload this tiny request to User Voice).
  11. Select the “Criteria” tab.
  12. Click the weird little asterisk button (new query)
  13. On the Criterion Properties form, click “Select”.  On the Select Attribute popup, select Attribute Class “User Resource”, and select Attribute “title”.  Then click OK.
  14. Back on the Criterion Properties form, below the Value box, select the Value… button and choose the title you wish to filter on, such as (equal to) “Sales Manager” or (is like) “Sales%”
  15. Click OK and OK again to complete the process of creating the new Collection.

Now, you (hopefully) have a collection of users with a specific job title (or department, division, location value, employeeID sequence, etc.) which can be used to drive reports, and target software deployments.
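For the console-averse, here is an added example of mine (not from the post, and not Microsoft’s sample code) that does the same clicks from the “SCCM Collection Queries by Server Role” post and from Steps 1 and 2 above with the ConfigMgr PowerShell module: add the discovery attributes, then build a device collection on a Server Feature name and a user collection on the AD “title” attribute.  Assumptions: the console (and its module) is installed where the script runs; the site code “PS1” and server name are placeholders; the `-AddAdditionalAttribute` parameter of `Set-CMActiveDirectoryUserDiscovery`, the `SMS_R_User.title` and `SMS_G_System_SERVER_FEATURE` property names, and the feature name “Windows Deployment Services” are as I remember them, so check them against your site.

```powershell
# Added example (mine, not the post's, not Microsoft's). Assumptions listed in the
# lead-in: site code/server are placeholders, cmdlet parameters and WQL class/property
# names are from memory, "Windows Deployment Services" is a sample feature name.
param(
    [string]$SiteCode   = 'PS1',                   # placeholder
    [string]$SiteServer = 'cm01.example.internal'  # placeholder
)

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):\"

# Step 1: make sure discovery actually collects the attributes we will query on.
function Add-UserDiscoveryAttribute {
    param([string[]]$Attribute)
    Set-CMActiveDirectoryUserDiscovery -SiteCode $SiteCode -AddAdditionalAttribute $Attribute
}

# Step 2: a query-rule collection with incremental updates plus a weekly full
# refresh (RefreshType Both), which is what the two wizard check boxes set.
function New-QueryCollection {
    param(
        [ValidateSet('Device', 'User')][string]$Type,
        [string]$Name,
        [string]$LimitingCollectionName,
        [string]$Query
    )
    $weekly = New-CMSchedule -RecurInterval Days -RecurCount 7
    if ($Type -eq 'Device') {
        $coll = New-CMDeviceCollection -Name $Name -LimitingCollectionName $LimitingCollectionName `
                    -RefreshType Both -RefreshSchedule $weekly
        Add-CMDeviceCollectionQueryMembershipRule -CollectionId $coll.CollectionID `
                    -RuleName '1' -QueryExpression $Query
    } else {
        $coll = New-CMUserCollection -Name $Name -LimitingCollectionName $LimitingCollectionName `
                    -RefreshType Both -RefreshSchedule $weekly
        Add-CMUserCollectionQueryMembershipRule -CollectionId $coll.CollectionID `
                    -RuleName '1' -QueryExpression $Query
    }
    return $coll
}

# The WQL the console writes for you behind "Select" / "Value" on a Server Feature name.
$wdsQuery = @'
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_SERVER_FEATURE on SMS_G_System_SERVER_FEATURE.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_SERVER_FEATURE.Name = "Windows Deployment Services"
'@

# Same idea for users, keyed on the discovered AD "title" attribute. Whoever can write
# that attribute in AD decides who lands in this collection, and therefore what gets
# deployed to them, so only target on attributes whose write permissions are locked down.
$salesQuery = @'
select SMS_R_USER.ResourceID, SMS_R_USER.ResourceType, SMS_R_USER.UserName,
       SMS_R_USER.UniqueUserName, SMS_R_USER.WindowsNTDomain
from SMS_R_User
where SMS_R_User.title like "Sales Manager%"
'@

Add-UserDiscoveryAttribute -Attribute 'department', 'division', 'employeeID', 'title'
New-QueryCollection -Type Device -Name 'Servers - WDS Servers' `
    -LimitingCollectionName 'All Systems' -Query $wdsQuery
New-QueryCollection -Type User -Name 'Users - Title - Sales Managers' `
    -LimitingCollectionName 'All Users' -Query $salesQuery
```

Membership shows up after the next discovery cycle and collection evaluation, not the instant the cmdlet returns, so don’t panic at an empty collection for the first few minutes.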

Caveats

Because everything in life comes with conditions, this does as well.  First off, it depends on a properly-managed and maintained Active Directory environment.  Whether that is the result of manual effort, scripting, or third-party applications, it doesn’t matter as long as the data is reliable enough to base queries on.  If the data exists in AD, and SCCM discovery can find it, you can leverage it for almost anything.

How to Unintentionally Reimage Every Computer in your Company using SCCM


Step 1 – Be a complete Idiot

Step 2 – Do not do any research or seek training of any kind.  In fact, ignore every bit of advice, guidance, or recommendation by any experienced human being

Step 3 – Enable IP Helpers on every Router – or – place every computer in the same IP subnet as the PXE-enabled DP server

Step 4 – Do not use a password on any of your Task Sequences

Step 5 – Deploy the Task Sequence to the All Systems collection and set the Deployment availability to Required *AND* set “Configuration Manager Clients, media and PXE”

Step 6 – Make sure EVERY machine is set to boot from the Network by default

Step 7 – Reboot EVERY computer

Step 8 – Press F12 on EVERY computer as it reboots (after contacting the PXE host of course)

Step 9 – Tell everyone you know that SCCM “accidentally” reimaged all your computers

Step 10 – Run for public office, where these skills are valued most
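Before anyone reaches Step 7, here is an added audit script of mine (not from the post, not Microsoft’s) that lists task sequence deployments matching Steps 3 through 5: Required purpose, available to PXE and media, and aimed at All Systems or any other large collection.  Assumptions: the ConfigMgr PowerShell module is installed; site code and server are placeholders; the AdvertFlags bit 0x40000 (ENABLE_TS_FROM_CD_AND_PXE) and the built-in All Systems ID SMS00001 are as documented for the SMS_Advertisement class as I recall it, so verify against your version.  The PXE password from Step 4 lives on the distribution point, not the deployment, and is not checked here.

```powershell
# Added example (mine, not the post's, not Microsoft's). Assumptions: ConfigMgr module
# present; site code/server are placeholders; AdvertFlags 0x40000 is the "media and PXE"
# bit and SMS00001 is All Systems, both from memory of the SMS_Advertisement docs.
param(
    [string]$SiteCode        = 'PS1',                    # placeholder
    [string]$SiteServer      = 'cm01.example.internal',  # placeholder
    [int]   $MemberThreshold = 500                       # what counts as "large", tune to taste
)

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):\"

$ENABLE_TS_FROM_CD_AND_PXE = 0x40000     # "Configuration Manager clients, media and PXE"
$ALL_SYSTEMS_ID            = 'SMS00001'  # built-in All Systems collection

function Get-TaskSequenceDeploymentRisk {
    param([int]$Threshold)
    foreach ($dep in Get-CMTaskSequenceDeployment) {
        $coll     = Get-CMCollection -Id $dep.CollectionID
        $required = [bool]$dep.AssignedScheduleEnabled   # Required purpose = mandatory schedule
        $pxe      = ($dep.AdvertFlags -band $ENABLE_TS_FROM_CD_AND_PXE) -ne 0
        $wide     = ($dep.CollectionID -eq $ALL_SYSTEMS_ID) -or ($coll.MemberCount -ge $Threshold)

        if ($required -and $pxe -and $wide) { $verdict = 'REVIEW NOW' }
        elseif ($required -and $pxe)        { $verdict = 'required + PXE, small scope' }
        else                                { $verdict = 'ok' }

        [pscustomobject]@{
            Deployment  = $dep.AdvertisementName
            Collection  = $coll.Name
            Members     = $coll.MemberCount
            Required    = $required
            PxeAndMedia = $pxe
            Verdict     = $verdict
        }
    }
}

Get-TaskSequenceDeploymentRisk -Threshold $MemberThreshold |
    Sort-Object Members -Descending |
    Format-Table -AutoSize
```

Run it from a console-equipped admin workstation after every OSD change; a “REVIEW NOW” row is the difference between Myth 4 below staying a myth and Step 9 becoming your day.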


5 SCCM Myth Corrections

In keeping with the popular (and completely stupid) trend of “5 this…” and “10 that…” memes…


Myth 1 – Discovery Settings

Contrary to what you may hear (I hear it a lot, unfortunately) SCCM discovery settings do not modify the computers in your environment.  They simply allow SCCM to shine a flashlight on what’s in the environment.  Think of it like a restaurant menu.  The waiter hands it to you to look over and see what you’d like.  SCCM is the waiter. It’s not cooking anything until you place your order.  Discovery doesn’t install anything, or modify configuration settings, restart, etc.  The only situation when it could make changes to discovered computers would be having automatic client push installation enabled (in most cases you shouldn’t).

Myth 2 – Script Wrapping is not “Packaging”

“Packaging”, technically, is the process of creating the ORIGINAL installation payload (.exe, .msi, .whatever).  When you create a new package from an existing package, that’s technically called “repackaging”.  Executing a package with additional (optional) command line switches is simply called “using the package”.  Putting the package and switches into a script file is called “script wrapping”.  Entering the package name, with optional switches, into the SCCM console is called “doing your job”.

Myth 3 – “Packaging” is NOT “Repackaging”

When Microsoft builds the setup.exe for something like Office or Visual Studio Code, that’s called “Packaging”.  When you take that package, initiate a snapshot monitoring session on a reference computer using Flexera AdminStudio Repackager*, run the package installer, make some system changes, add stuff, remove stuff, laugh at stuff, yell at stuff, capture the changes, create a project, clean it up, bitch and moan a lot, drink some coffee, crank out the package solution, compile that into an .MSI or .EXE, copy it over to another folder location, go outside and scream the anger and frustration out of your soul, throw your cold, empty coffee up at the nearest hard surface, then THAT is called “repackaging”.

Real, honest, true, repackaging sucks.  It’s not a fun job.  It’s like rebuilding a transmission to a typical auto mechanic, or removing impacted feces from a cow for a veterinarian.  Un-fun.  Last resort.  The kind of thing that makes you internalize a lot of anger and frustration at how the situation COULD have been avoided, had someone taken the time to do something differently at an earlier stage.  But NOooooooooo… it then becomes YOUR problem to deal with.  Anyhow, hourly billing offers some solace.

Myth 4 – SCCM will NOT automatically reimage all your computers just because you enable PXE with OSD

I’m not even going to waste time on this one.  If you don’t believe me, you’re an idiot, but don’t be offended.  Lots of people are idiots.  Most of them write blogs like this one.  Hey, wait a minute!?

Myth 5 – MDT and SCCM Can coexist.  SCCM and WSUS can coexist

I don’t know where it started, or who started it, but whoever said SCCM cannot coexist in the same environment with separate instances of MDT or WSUS was wrong.  It can.  It does.  In some cases, it’s even recommended.  Like anything else in IT, it comes down to having a solid technical and business case for doing it.

Cheers

What Would it Take to Move from SCCM to Intune?


Every week I’m on a conference call with customers who are using, or interested in using, SCCM and Intune/EMS.  Every single conversation finds its way into the following questions:

  1. “Should I use Intune to manage Windows 10 Surface Pro and Dell/HP laptops outside the network?”
  2. “Should I integrate SCCM and Intune?”
  3. “Can I just move all my SCCM infrastructure into Azure?”

Good questions.  Unfortunately, the answers aren’t yet fully-baked.  The answer to each is “it depends”.

But during one call in particular, we had a bunch of crusty old SCCM engineers discussing the past, present and future of the product.  This wound up in a discussion about “what would it take?” …to switch to Intune as the primary management interface, even for on-prem devices.  The gist of this was not about “eventually” or long-term, but rather, what could be dropped in our lap sooner, and make us say “oh, snap! time to reconsider!”

Anyhow, we came up with the following:

1 – Hybrid Deployments

The ability to configure application deployments in a cloud console, while directing clients to fetch the content from on-prem sources.  The reverse of cloud DPs, if you will.  The application configuration resides in the cloud, and the source content, and deployment content, are hosted on-prem.

This could be handled with the Intune client being equipped to poke for the on-prem location as a means to determine on/off prem status.  If on-prem, download the content from the on-prem DP.  Otherwise, follow the configuration (wait, or download from another source).  The goal would be to support cloud clients, mobile clients and on-prem clients, where each could pull content based on proximity, performance and least cost.

This would also span out to OSD as well.  If the WIM files, driver packages, and other bits were available from an on-prem source (via PXE/WinPE) it could work. Maybe it would require something like iPXE Anywhere, or maybe not.

2 – Expanded Deployment Types

Intune would need to be able to deploy more flexible types of instructions.  Such as EXE files with additional parameters (aka “switches”), MSI’s with MST transforms.  PowerShell scripts would be nice too.

3 – Full Inventory

This is actually two parts combined.  The first being a split inventory detection that pulls a complete (e.g. SCCM-style) WMI inventory data set from a full Windows client, but does the status quo for other clients.  The second part being a means for leveraging that extended inventory to save time/effort in other areas (targeting policies, apps, etc.)

And speaking of inventory, is there a CIM-like equivalent for mobile platforms like iOS, Android, etc.?

Summary

Granted, this is *not* enough for SCCM to throw in the towel and surrender.  But these seem to be the most-used features in SCCM which are not replaceable with Intune, yet.

If this is true, or “accurate”, then it doesn’t seem like such a tall hill to climb.  We were not entirely sober at the time, so it’s quite possible we overlooked something here.  Maybe something embarrassingly obvious, but hey.

Thoughts?  Substance or Garbage?  Let me know.