The Ballad of Orchestrator

wpid-chinese-take-out.jpgIf I had a dollar for every time I’ve had a discussion with someone who works with Microsoft System Center, while I stare at the floor, wondering why they never bothered to have that weird reddish-brown stain removed, and it’s in their main lobby, as they describe the pain, and effort they endured to build some crazy semi-automated chain of mouse traps using a wheelbarrow full of third-party utilities, truckloads of scripting, and a few crates of some long-forgotten Windows CLI utilities, registry hacks and whatever, and after they were done, I’d be thinking to myself “that was one stupidly-long run-on sentence”, but I end up saying, “You know? You could’ve knocked that out in a lot less time using Orchestrator”, well, I’d be rich enough to not have time to write a blog.  I’d be too busy having my toenails custom painted while skydiving from my private jet onto the deck of my private yacht. Floating in the lagoon of my private island.  Okay, that’s a big stretch.


First off, 99.999999999% of the time, here’s what the response is, “What’s Orchestrator?”

(15 seconds of awkward silence ensues)

Whatever Microsoft has paid their marketing folks, I would like to officially ask for 10% of it, just for doing my part to inform their customers, “well, it’s this amazing virtual Lego kit that you can use to build just about anything. Oh, and by the way, you already paid for it.”  That might help pay a few bills at least.  I think that I’ve earned it.  Or I could be delusional too.

Anyhow, for those who still begin every explanation with “it was called Opalis, once…”, and have ripped open that Christmas box and put the batteries inside, you know what I’m talking about.  You also know the dreaded feeling of hearing someone say one of the following:

“They didn’t make any changes to it in System Center 2016”

“It’s dead, Jim.  Long live the cloud.”

Sad.  Truly sad. It never really had it’s glory day (imho).  Isolated moments of sheer awesomeness are to be found, for sure.  But on a ubiquitous (see?  you didn’t think I could whip out a big word like ubiquitous, did you?) and pervasive scale? No; not what it really deserved. It was that incredible 2nd string player, drafted in the 2nd round, that was capable of smashing records, but never got on the field, and now it’s hitting retirement age.

Not so fast.

Just like Arnold Schwarzenegger (I cheated on the spelling, I had to), it can still press a few hundred pounds while smiling.  Maybe while clenching a cigar in it’s mouth at the same time.

Some interesting use-cases I’ve seen in the past year or two…

  • The typical New-Hire / Employee-Term scenario runbooks, but with extensions for ordering facilities services (phone, desk, chair, whiteboard), telecom (phone), computer equipment (HR app checkbox for “mobile user” triggers order for laptop or tablet), and notifying front desk security personnel with employee photo.  And don’t forget the standard AD group memberships, attributes, and OU management stuff.
  • Monitoring file system folder where app-devs upload final code check-ins, read specific files to create SCCM applications, deployment types, detection methods, requirements, as well as distribute to certain DP groups, and deploy to Collections (with additional parameters)

There have been a few others.  Some were just discussions around “what if…”, which could have easily turned into more amazing concoctions, but I didn’t stick around long enough to find out if they did.

Alas, before I toss back a ceremonial shot (of something cheap, like me), I have to say I’ve spent some time with Azure Automation runbook authoring and I have to say, it’s very, very promising indeed.

CMWT How-To: Enable Client Tools

CMWT Client Tools are a set of Javascript-based features which enable invoking local services in order to connect to, and manage remote clients.  This is much like the infamous “right-click Tools” for the SCCM Console.  The features provided in CMWT at this point are not as robust as the one mentioned, but that may change (as always – it all depends on user feedback).

The caveat for this feature is that it requires using Internet Explorer, rather than Google Chrome, or Firefox.  I have not tested this with Edge yet, as my site server is still on Windows Server 2012 R2.

The reason for this is in how IE handles clientside scripting and security controls.  So, to enable this in IE, you need to follow the instructions in the provided CMWT Installation Guide, but I will cover this process in this blog post as well.

  1. In Internet Explorer, open CMWTtools01
  2. Click the gear icon at the top right (settings), and select “Internet Options”tools02
  3. Select the Security tab.
  4. Make sure CMWT is included in either the Local intranet, or Trusted sites security zones.
  5. Select the appropriate security zone.
  6. Scroll down to “Initialize and script ActiveX controls not marked as safe for scripting”
  7. Change the setting from “Disable” to “Prompt”tools04
  8. Click OK, and click OK again to close Settings
  9. Browse to select a particular Device you wish to manage or connect to.  For this example, I’m connecting to desktop “D001”, which I happen to know is online and accessible.
  10. Click the drop-down menu of options, and select “Tools tools05
  11. Click on one of the first four (4) tools, such as Manage.
  12. If you set the ActiveX security option to “Prompt” you should get a warning…
  13. Click Yes and the tool should open.

Note that even if you cannot configure the options in IE to make this work (usually due to company security policies), or if you’re using Chrome, Safari, or Firefox, the actual command statement is shown to the right of each tool.  This allows you to copy and paste it into a Run command box and launch it directly.

That’s it!

Preposterous Profile Propagation Perils


Question:  “Is it advisable to migrate Windows user data when refreshing or replacing their computer?”  This was asked in the context of two scenarios:

  1. Migrating an existing Windows 7 machine to Windows 10
  2. Refreshing a hosed-up Windows 10 machine to a known state

For scenario 2, I recommend the “Reset this PC” feature in Windows 10 1607.

For scenario 1, here’s my long-winded response:  Avoid allowing your environment to get into this scenario in the first place.

I compare this with how I treat my phone.  My photos, contacts, emails, bookmarks, apps list and settings are all stored in the cloud. The only items I’d lose if my phone were lost or stolen would be SMS threads.  Not a concern.  My phone, to me, is 100% disposable.  I don’t sweat losing anything valuable if my phone were crushed under a truck wheel, dropped in a bathtub, or doused in gasoline and ignited with a blow torch (although, that would be kind of cool, hmmm).

Desktops and laptops should be no different.  Now, I’m not saying “the cloud” is the primary solution here.  ANY centralized repository will suffice as an “off-device” storage point.


Because of the following potential faults:

  • Migrating data and settings is costly.  It takes time to design, build, test and maintain for an organization.  The more variations in the environment, the more work is often required on the back end.  Even when a process/system has been in place for a long time, that doesn’t justify it’s existence (i.e. “because that’s the way we’ve always done it” = space shuttle O-ring maintenance processes too)
  • Having data stored locally is a liability.  Period.  Ask any attorney.
  • Having data stored locally is a security risk. Ask your InfoSec person (drink additional coffee first)
  • Having data stored locally adds need for disk encryption, RMS and DLP controls (more time and cost).
  • Having data stored locally incurs additional storage capacity and performance requirements on each device (depending upon the nature of data formats)

If a device is lost, destroyed, or stolen, you will need to address…

  • the potential lost of a vital copy/version of each document on the device.
  • the potential leak of private/sensitive information on the device.
  • the additional downtime incurred from replacing the user’s device as compared with providing them a “vanilla” device which immediately restores their access to all documents they need to do their job.

Is it always possible to implement this client-centric data model?  No.  There are a variety of reasons, one classic example is local processing requirements, such as CAD, media authoring, music production, etc. (high-bandwidth or high CPU demand, particularly when extensive graphic performance are a concern).

However, over the last ten (10) years of consulting and FTE work where I’ve been involved with deployment processes, I’ve only seen a few that really needed it (mentioned above).  The majority don’t really need to support local storage of business data.

The reason I bring this up is that I often see a lot of hand-wringing, project investment, and focused effort on applying a “solution” to the wrong problem.  This is just one example.  I have plenty of others to share if you’d like me to.

Another SCCM SQL Query: SQL Server Hosts

Find Windows Server computers which have some version of SQL Server installed…

  dbo.v_R_System.Name0 AS [Name], 
  dbo.v_R_System.ResourceID AS ResourceID,
  dbo.v_R_System.SMS_Unique_Identifier0 AS [GUID],
  dbo.v_R_System.Resource_Domain_OR_Workgr0 AS Domain,
  dbo.v_R_System.AD_Site_Name0 AS ADSiteName,
  dbo.v_R_System.Client0 AS Client 
FROM dbo.v_R_System 
  ON dbo.v_GS_ADD_REMOVE_PROGRAMS.ResourceID = dbo.v_R_System.ResourceId 
  INNER JOIN dbo.v_GS_System
  ON dbo.v_GS_SYSTEM.ResourceId = dbo.v_R_System.ResourceId 
  (dbo.v_GS_ADD_REMOVE_PROGRAMS.DisplayName0 LIKE 'Microsoft SQL Server%')
  (dbo.v_GS_SYSTEM.SystemRole0 = 'Server')

SCCM / SQL – Machines Not Scanned in 15 Days

Here’s a SQL query to return machines which have not run a Software Updates scan within the past 15 days.

  dbo.v_R_System.Name0 AS ComputerName, 
  dbo.v_ScannedUpdates INNER JOIN
  dbo.v_R_System ON 
  dbo.v_ScannedUpdates.ResourceID = dbo.v_R_System.ResourceID
  (dbo.v_ScannedUpdates.ScanTime IS NULL)
  (DATEDIFF(dd, dbo.v_ScannedUpdates.ScanTime, GETDATE()) > 15)


The Perfect PowerShell Script


  1. Set-UserCredentials
  2. Connect-VMHost
  3. Create-VMGroup
  4. Configure-ActiveDirectory
  5. Leave-ObsoleteADObjectsIntactForWayTooLong
  6. Add-TooManyUsersToAdminSecurityGroups
  7. Create-WayTooManyGPOsWithOverlappingSettings
  8. Create-CustomServiceAndUserAccountsAndGroups
  9. Install-CMPrerequisites
  10. Install-SQLServerUsingImproperDriveAllocations
  11. Ignore-SQLServerSettings
  12. Install-CMPrimarySite
  13. Install-CMSecondarySiteWhenDPorMPwouldWorkJustFine
  14. Configure-CMSiteHierarchy
  15. Configure-CMDiscoverySettings
  16. Configure-CMSiteBoundariesAndBoundaryGroups
  17. Configure-CMClientSettings
  18. Deploy-CMClientSettings
  19. Deploy-CMClients
  20. Ignore-CMStatusLogs
  21. Ignore-CMMaintenanceTasks
  22. Ignore-SQLServerMaintenancePlanBenefits
  23. Wait-ForCMCrash
  24. Listen-ToTechsBitching
  25. Escalate-ToManagement
  26. Allow-ManagementToIgnoreComplaints
  27. Compress-ITRolesAndSalaries
  28. Get-NothingDone
  29. Move-OperationsToTheCloud
  30. Empty-DataCenterFloorSpace
  31. Consume-PrescriptionMedsWithColdCoffee
  32. Remove-PersonalLife
  33. Remove-Sleep
  34. Find-AnotherJob