Why SCCM Doesn’t Accidentally Image Machines

I’ve finally had enough.  Maybe it’s the result of hearing people just blindly repeat false garbage and claiming it as fact (I call it “phact” now).  But after hearing yet another so-called (another meme-ish aphorism du jour) engineer state to a group of other so-called engineers that “SCCM can ‘just randomly reimage computers'” because either:

A. They’ve seen it, or more often…

B. They heard a friend say they saw it happen.

Truth:  NO.  SCCM CANNOT RANDOMLY REIMAGE COMPUTERS.  IT DOES NOT.  IT WILL NOT.  IT CAN’T.  IT WON’T.  Stop saying stupid shit like this.

The real reason is that someone (aka a stupid idiot, yes, double redundancy intended) was poking around and made changes without knowing what they were doing.  That’s it.  I’ve seen “unintended” cases of SCCM involved with reimaging computers, but it was ALWAYS ALWAYS ALWAYS (and still is) due to human stupidity.

I’m probably missing a few steps here, in fact, yes, I see one right now:  The Task Sequence Deployment setting labelled “Make available to the following” from the Deployment Settings tab (e.g. “Only media and PXE” versus “Configuration Manager clients, media and PXE”, etc.)


In short, your resident idiot would have to target the wrong collection, OR, put the wrong machines into the targeted collection, OR, use the wrong deployment assignment setting, AND…

Have the machine on a subnet with access to PXE, AND boot to the network (boot config), AND press F12 before the boot time-out expires, AND (either) did not put a password on the Task Sequence deployment OR entered the password.  That’s a lot of “accidental” stuff to accidentally trip over by accident.  Maybe your admin needs a walker and a crash helmet.

  • RANT OVER

Itsy-Bitsy Teeny Weeny little SCCM tips

None of these are my own inventions.  I’ve collected them over the years and they’ve helped me more times than I can count.  I’m also surprised how many times I encounter customers that either aren’t aware of these tips, but end up using them afterwards. Paying it forward I suppose.

Use The Force (Group Policy)

  • Let it handle your server configurations.  This includes firewall settings, local administrators, service login rights, and so on.
  • Use GPPrefs to deploy standard goodies, like bginfo.exe (along with bgi files), and other Sysinternals utilities.  Deploy cmtrace, KeePass and other portable apps (i.e. ones that don’t require an installation before use).
  • Ultimately, you join the machine to your domain, reboot it, and when it comes up after the next domain login, it’s like coming back to the table from the restroom to find your meal waiting for you (props to Pulp Fiction for that one).

NIC Teaming

  • Whether you have one (1) network adapter or ten (10), place them into a team.  This adds an abstraction layer in case you need to change the physical (or virtual) adapter and don’t want to disrupt applications and services that rely on it at the upper layers.

BGInfo Customization

  • It’s sooooooooooo easy to add custom tags to the BGINFO display set.  One of my favorites is to add the SCCM client version, and SQL version to the display set.  You can query almost any WMI, registry or file source to pull something interesting for automatic display on the desktop.
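As an added example (not from the original post), here is one way to feed those two custom BGInfo fields: the script reads the ConfigMgr client version from the SMS_Client class in the root\ccm namespace and the installed SQL Server versions from the instance registry keys, then writes them to a small text file that a BGInfo custom field of type “File” displays on the desktop. The output path in $OutFile is an assumed location for this example.

```powershell
# Added example, not part of the original post: collect the ConfigMgr client version and
# SQL Server versions into a text file for a BGInfo custom field of type "File".
# Assumptions: the ConfigMgr client is installed (root\ccm namespace exists); SQL Server may be absent.
# $OutFile is a constructed path for this example.
param(
    [string]$OutFile = "$env:ProgramData\bginfo-custom.txt"
)

function Get-CMClientVersion {
    # SMS_Client in root\ccm exposes ClientVersion on any machine running the ConfigMgr client
    try {
        $client = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction Stop
        return $client.ClientVersion
    }
    catch {
        return 'not installed'
    }
}

function Get-SqlServerVersions {
    # "Instance Names\SQL" maps each friendly instance name to its instance ID (e.g. MSSQL13.MSSQLSERVER)
    $instKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    if (-not (Test-Path $instKey)) { return @() }
    $map = Get-ItemProperty -Path $instKey
    $results = @()
    foreach ($prop in $map.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider metadata properties (PSPath, PSDrive, ...)
        $setupKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($prop.Value)\Setup"
        $setup = Get-ItemProperty -Path $setupKey -ErrorAction SilentlyContinue
        if ($setup) {
            $results += [pscustomobject]@{ Instance = $prop.Name; Version = $setup.Version; Edition = $setup.Edition }
        }
    }
    return $results
}

$lines = @()
$lines += "CM Client: $(Get-CMClientVersion)"
$sql = Get-SqlServerVersions
if ($sql.Count -eq 0) {
    $lines += 'SQL Server: not installed'
}
else {
    foreach ($s in $sql) { $lines += "SQL ($($s.Instance)): $($s.Version) $($s.Edition)" }
}
# BGInfo's "File" field type shows the file contents verbatim, so keep it to one short item per line
Set-Content -Path $OutFile -Value $lines -Encoding ASCII
Write-Output $lines
```

Run it from a scheduled task (or the same logon script that launches BGInfo) so the file is refreshed before BGInfo renders the desktop; BGInfo itself only needs the “File” field pointed at $OutFile.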

Pin Logs Folder to the Taskbar

  • If you use a preferred log manager then you can ignore this tip.  But if you don’t, and you typically use cmtrace.exe (like many of us mortals), and you’re using Windows Server 2012 R2 or 2016, you can Pin folders to the right-click list from the taskbar, on the Start Menu, and to the Quick Access list.

and Speaking of Windows Server 2016

  • If you run your site systems on Windows Server 2016, you gain quite a lot of small, but helpful advantages.  Among the neat little goodies, are…
  • Right-click Start Menu for fast access to many common admin tools.

ConfigMgr Console / Column Headings

I’ve mentioned this before, but to save time, just do this and I’ll stfu:

  • Navigate into Assets and Compliance / Devices
  • Right-click on one of the column headings in the details pane (right-hand)
  • When the popup menu appears, stare at it for a full minute.
  • Then scroll down.
  • Okay, now scroll back up.
  • Now, check a few items like Client Version, Active Directory Site, Device Online Status, and maybe Serial Number
  • Turn around and pick your jaw back up off the floor.  The cleaning guy is coming around with the vacuum cleaner.

ConfigMgr Toolkit and RBAViewer

  • Yes, it still exists.  Yes, it still shows version “2012 R2”.  Yes, it works fine with 1610.  At least, it has been working fine for myself and most everyone else I know.  Among the plethora of goodies it lays on your machine, is the RBAViewer utility.  Once beaten, bloodied and battered, lying in an alley, puking profusely after SCCM 1511 used a blowtorch and vice grips on it, it has since recovered in a rehab and got a hair cut.
  • If  you ever work with role based access (hence “RBA”) using the ConfigMgr console features, you owe it to yourself to try this old but helpful utility.

AD Account Attributes -> Queries, Collections

  • I’m still surprised to find customers that take the time to really use Active Directory LDAP attributes like a (smart) Lego kit.  Some of them populate non-typical attributes on user and computer accounts, and then use that to assist other automation processes, either with PowerShell, Orchestrator, Azure Automation, or a trained squirrel with a radio antenna on its head.  And yet others take the time to register their own OID and craft their own custom extensions. Kudos for pushing the envelope!
  • For those of you that use interesting AD, Exchange, Lync/Skype and custom attributes, like employeeID, employeeType, or msExchExtensionAttribute12, you can leverage those within SCCM for queries and collections too!
  • To do this, you need to modify your Discovery method settings, which has some caveats (short-term additional inventory traffic after the change is made).   For example, to capture the “title” attribute, open the Active Directory User Discovery properties, click on the Active Directory Attributes tab, select “title” from the Available Attributes list, and click “Add >>”, then click OK.
  • Now you can create a query-rule collection of users that have a job title of “executive douchebag” and deploy a package of questionable web shortcuts to their desktop.  Although I’m kidding here, hopefully you see the (serious) potential.

Special Shortcuts

  • This is old, but not as old as me, moo-haa haa haaaaa (cough, cough, wheeze… gasp…*).  If there’s a shortcut that you always launch using “Run as administrator”, you can configure the shortcut to always launch that way without having to right-click it every time: right-click on it once, select Properties / Shortcut, click “Advanced”, check the box for “Run as administrator” and click OK.

Site System Maintenance Windows

  • A lot of customers complain that they can’t control when SCCM checks for, and downloads, the next version on a site system.  They don’t want their site systems to automatically download and update things, but yet, they still want the option to do so with a leash around its neck.  You can.  It does, with some conditions.
  • If you’re on 1610, you can enable this by going into Administration / Site Configuration / Sites, then right-click on the Site, choose Properties.  Select the “Service Windows” tab.

6 Things to Avoid when Building an SCCM Site System


These are based on actual, real, true events, which I’ve been asked to help resolve in some capacity over the past three weeks:

  1. Do not let someone create your VM using an unknown template which contains leftover remnants of a previous SCCM site installation, and dozens of unknown changes for which the site admin has no knowledge what happened.
  2. Do not let someone create your VM and join it to an AD domain under an OU with a bunch of linked GPO’s which are undocumented.
  3. Do not let your boss approve another department’s request to take ownership of your SCCM SQL Server instance without prior discussion or them being advised as to what SCCM is.
  4. Do not let another engineer start building the site before you’ve provided him/her with the design document.  Especially when it includes Intune integration and they go ahead and set Intune as its own MDM authority, without discussing anything with you in advance.
  5. Do not recommend an SCCM site installation to a customer after a sales person insisted it was the “perfect fit” for their 10 desktop computers, when all they wanted was to manage software updates.
  6. Do not recommend to a customer that they’re fine with allowing their Primary site server VM, running on a Hyper-V failover cluster, to fail over another node, on another cluster, on another continent.

CMWT 2017.01.02.01 (interim)

Not a ZIP download yet.  Just raw files posted in the CMWT GitHub repo for now.


Additions

  • Reports: Device Logins
  • Software: OS Images
  • Software: Automatic Deployments
  • Software: Deployment Summary: All and Brief (2 views)
  • Site: Windows Store for Business configurations

Bug Fixes

  • AD User / referenced a 404 link
  • Cleaned up function CMWT_AutoLink()

Thank you for the feedback!  Please keep it coming!

(the answer to the question is: because it works just fine)

SCCM Query: Devices by IP Gateway


While working on a project involving IP subnet reassignments and SCCM site boundaries, and factoring in the HW inventory scan cycles, with the nature of roaming vs. fixed device types, along with the phase of the moon, current stock market index, the daylight saving time offset, the menstrual cycles of our local male politicians, and my dog’s sleep patterns, I found this to be somewhat useful in tracking down stray devices.

SELECT DISTINCT [DefaultIPGateway0], COUNT(*) AS QTY
FROM [dbo].[v_GS_NETWORK_ADAPTER_CONFIGURATION]
WHERE [IPEnabled0]=1
GROUP BY DefaultIPGateway0
ORDER BY QTY DESC
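As an added example (not from the original post), the same query wrapped in PowerShell, plus a second query that joins v_R_System so each gateway can be traced back to a device name. The script then flags devices whose gateway is not in a list you expect for the boundary, which is the “stray device” hunt described above. It assumes the SqlServer module (Invoke-Sqlcmd) is installed and that the account has read access to the site database; $SiteServer, $SiteDb and $ExpectedGateways are placeholder values for this example.

```powershell
# Added example, not part of the original post: run the gateway-count query against the site database
# and list devices whose default gateway is outside an expected set.
# Assumptions: SqlServer module available; $SiteServer/$SiteDb are placeholders; $ExpectedGateways is constructed.
param(
    [string]$SiteServer = 'CM01',
    [string]$SiteDb = 'CM_XXX',
    [string[]]$ExpectedGateways = @('192.168.29.1')
)
Import-Module SqlServer -ErrorAction Stop

# Same counting query as the post: IP-enabled adapters grouped by their default gateway
$countQuery = @"
SELECT DefaultIPGateway0, COUNT(*) AS QTY
FROM dbo.v_GS_NETWORK_ADAPTER_CONFIGURATION
WHERE IPEnabled0 = 1
GROUP BY DefaultIPGateway0
ORDER BY QTY DESC
"@

# Join to v_R_System on ResourceID so a device name sits next to each adapter's gateway
$deviceQuery = @"
SELECT s.Name0 AS DeviceName, n.IPAddress0, n.DefaultIPGateway0
FROM dbo.v_GS_NETWORK_ADAPTER_CONFIGURATION n
JOIN dbo.v_R_System s ON s.ResourceID = n.ResourceID
WHERE n.IPEnabled0 = 1 AND n.DefaultIPGateway0 IS NOT NULL
"@

$counts = Invoke-Sqlcmd -ServerInstance $SiteServer -Database $SiteDb -Query $countQuery
$counts | Format-Table -AutoSize

$devices = Invoke-Sqlcmd -ServerInstance $SiteServer -Database $SiteDb -Query $deviceQuery
# Inventory stores multi-valued WMI properties as comma-separated strings, so compare the first gateway only
$stray = $devices | Where-Object {
    $first = ($_.DefaultIPGateway0 -split ',')[0].Trim()
    $ExpectedGateways -notcontains $first
}
Write-Output "Devices reporting a gateway outside the expected list:"
$stray | Sort-Object DefaultIPGateway0, DeviceName | Format-Table -AutoSize
```

Because the data comes from hardware inventory, a device that moved subnets yesterday will still show its old gateway until its next inventory cycle reports in; read the results with the inventory schedule in mind.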

CMWT 2016.12.29

Bug Fixes

  • Task Sequences report had a query strung out on meth.
  • Task Sequence detail view was on crack, and meth.
  • Task Sequence History was passed out drunk.
  • Client Summary report couldn’t sort its way out of a wet paper bag.
  • The CMWT_DB_TableGridFilter function was shooting Drano in an alley but you probably didn’t even know it existed, which is probably why it was feeling so down that it felt the need to escape reality, but Drano was all it could find in a dumpster.

New Features

  • Task Sequence detail view has a “History” and “Detailed” report of execution results.
  • Component Status Summary report was kidnapped in a white van, bound with zip ties, duct tape and snuffed with a rag soaked in something my dog couldn’t keep down.  A red van pulled up behind it, and dropped off a new report with a better haircut that answers questions as “yes, I’m the same guy.  even though I don’t look anything like the other guy, but it’s okay”.
  • Ola Hallengren’s SQL Server Maintenance Solution (as wonderfully demonstrated by Steve Thompson) is now supported for the CommandLog table via the Site Hierarchy page “CM Monitor Commands” (this requires a new line in the _config.txt file – see details below)

Change to _Config.txt

  • If you intend to use the SQL Maintenance Solution (and you should), and would like to use the web report to see the command log details, you will need to copy the line that starts with “DSN_CMDB~” and make two changes to the new line:
    • Rename the new “DSN_CMDB” to “DSN_CMM”
    • Change “Database=CM_xxx” to “Database=CMMonitor”
    • Be careful NOT to modify your existing DSN_CMDB line
    • You may need to recycle the IIS application pool
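For anyone who would rather not hand-edit the file, here is an added example (not CMWT’s own code) that performs exactly those steps: it copies the DSN_CMDB line to a new DSN_CMM line, swaps the Database value for CMMonitor, leaves the original line alone, and backs the file up first. It assumes _config.txt uses “NAME~value” lines as the post describes; the sample file content at the bottom is constructed for illustration.

```powershell
# Added example, not CMWT's own code: clone the DSN_CMDB line of _config.txt into a DSN_CMM line
# that points at the CMMonitor database, leaving the original DSN_CMDB line untouched.
# Assumptions: lines have the form "NAME~value" as described in the post; sample content below is constructed.
function Add-CmmDsnLine {
    param([Parameter(Mandatory)][string]$ConfigPath)

    $lines = Get-Content -Path $ConfigPath
    if ($lines | Where-Object { $_ -like 'DSN_CMM~*' }) {
        Write-Output "DSN_CMM line already present, nothing to do."
        return
    }
    $source = $lines | Where-Object { $_ -like 'DSN_CMDB~*' } | Select-Object -First 1
    if (-not $source) { throw "No DSN_CMDB line found in $ConfigPath" }

    # Only the name prefix and the Database= value change; the rest of the line is kept as-is
    $new = $source -replace '^DSN_CMDB~', 'DSN_CMM~'
    $new = $new -replace 'Database=CM_[^;]+', 'Database=CMMonitor'
    if ($new -notmatch 'Database=CMMonitor') {
        throw "Could not derive a DSN_CMM line from: $source"
    }

    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # keep a backup, as the upgrade steps advise
    Add-Content -Path $ConfigPath -Value $new
    Write-Output "Added: $new"
}

# Constructed sample so the function can be tried offline; point it at the real _config.txt in the CMWT folder
$sample = Join-Path $env:TEMP '_config.txt'
@(
    'DSN_CMDB~Driver={SQL Server};Server=cm01.contoso.local;Database=CM_P01;Trusted_Connection=Yes;'
) | Set-Content -Path $sample
Add-CmmDsnLine -ConfigPath $sample
Get-Content -Path $sample
```

After the line is added, recycle the IIS application pool as noted above so the web report picks up the new DSN.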

Download

  • Go here and download CMWT-2016-12-29-01.zip
  • New Installations:
    • Follow the Installation Guide (in the Docs subfolder within the ZIP file)
  • Existing Installations / Upgrade:
    • Back up your _config.txt file
    • Extract ZIP into CMWT folder (overwrite files)
    • Restore your _config.txt file
    • Done!

Screenshot: New CMMonitor Command Log view

Screenshot: New Component Status Summary view

Bonus: BoxStarter Server Config Script


Sort of a Part II – This part was somewhat alluded to in the previous post.  This script is run immediately after provisioning a toothless Hyper-V guest running Windows Server 2016.

Sequence of events:

  1. Provision VM guest:
    1. 12-16 GB memory
    2. 1 or 2 vCPU
    3. 1 Differencing Disk pointed to a VHD with sysprepped Windows Server 2016 (I’m too lazy and cheap to stand up a real VMM environment, and I don’t have the right hardware for it anyway)
    4. Two (2) SCSI disks, at 200 GB each, dynamic sized VHDX (lab environment only)
  2. Boot the VM guest
  3. Finish the OOBE process
  4. Edit the TXT script in GitHub (Gist item)
  5. Click RAW view, copy URL
  6. Restart (to invoke Hyper-V guest tools, and enable the guest clipboard)
  7. Open PowerShell console
  8. Type http://boxstarter.org/package/nr/url? followed by the URL to the raw Gist file
  9. Press Enter

What it does:

  • Rename the VM
  • Assign a static IPv4 address and gateway
  • Initialize and format the 2 secondary disks at 64k units, with labels
  • Join to domain
  • Reboot
<#
.SYNOPSIS
 server-setup1.txt
 
.DESCRIPTION
 invoked from BoxStarter to prepare a general Windows Server configuration
 other scripts follow on to this to create specific roles
 
.NOTES

 written by David Stein
 1. powershell console
 2. start http://boxstarter.org/package/nr/url?(paste the raw-view URL here)
 
Assumptions
 1. Machine has Windows Server 2012 R2 or 2016 installed
 2. Machine has 1 OS disk and 2 additional disks
 note: using hyper-v with differencing disk as disk[0]
 3. The additional disks are not online (vmguest default)
 note: using hyper-v with 2 scsi vhdx disks as disk[1] and disk[2]
 4. [global parameters] below are configured prior to running
 powershell start http://boxstarter.org/package/nr/url?....
 5. Boxstarter supplies Disable-UAC, Test-PendingReboot, Invoke-Reboot and Install-WindowsUpdate
#>


#-------------------------------------------------------------
# global parameters
#-------------------------------------------------------------
$ServerName = "CM01"
$DomainName = "CONTOSO"
$OuPath = "OU=Servers,OU=Corp,DC=contoso,DC=com"
$DomainUser = "$DomainName\sccmadmin"
$IPv4Address = "192.168.29.31"
$IPv4Mask = "255.255.255.0"
$IPv4Gateway = "192.168.29.1"
$IPv4DNS = "192.168.29.16"

$ScriptVersion = "2016.12.19.01"
#-------------------------------------------------------------

# Boxstarter re-runs this script from the top after each reboot, so every step below is written to be re-runnable
$Boxstarter.RebootOk = $true

write-host "Script Version $ScriptVersion" -ForegroundColor Green

Disable-UAC

#-------------------------------------------------------------
write-output "info: configuring static ip address: $IPv4Address ..."
# take the first IP-enabled adapter only; a multi-NIC guest would otherwise return an array here
$wmi = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IpEnabled = 'true'" | Select-Object -First 1
if ($null -ne $wmi) {
  # WMI expects arrays for these methods; PowerShell wraps the single values for us
  $wmi.EnableStatic($IPv4Address, $IPv4Mask) | Out-Null
  $wmi.SetGateways($IPv4Gateway, 1) | Out-Null
  $wmi.SetDNSServerSearchOrder($IPv4DNS) | Out-Null
}
else {
  throw "error: no active network adapter found"
}

#-------------------------------------------------------------
$HostName = $($env:computername).ToUpper()
if ($HostName -ne $ServerName) {
  write-output "info: renaming host to $ServerName..."
  Rename-Computer -NewName $ServerName -Force
  if (Test-PendingReboot) { Invoke-Reboot }
}
else {
  write-output "info: computer is already named $ServerName"
}

#-------------------------------------------------------------
write-output "info: provisioning secondary disks..."
$disks = @("1=APPS","2=DATA")
foreach ($disk in $disks) {
  $diskset = $disk.Split("=")
  $diskNum = [int]$diskset[0]
  if ((Get-Disk -Number $diskNum | Get-Partition -ErrorAction SilentlyContinue | Where-Object { $_.DriveLetter })) {
    write-output "info: disk $diskNum already has a partition with a drive letter, skipping"
    continue
  }
  # new VHDX disks arrive offline and RAW; bring online, clear read-only and initialize before partitioning
  Set-Disk -Number $diskNum -IsOffline $false
  Set-Disk -Number $diskNum -IsReadOnly $false
  if ((Get-Disk -Number $diskNum).PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number $diskNum -PartitionStyle GPT
  }
  New-Partition -DiskNumber $diskNum -AssignDriveLetter -UseMaximumSize |
  Format-Volume -FileSystem NTFS -NewFileSystemLabel $diskset[1] -AllocationUnitSize 65536 -Force -Confirm:$False
}
write-output "info: secondary disks have been provisioned."

#-------------------------------------------------------------
write-output "info: checking domain join status..."
$Dom = $env:userdomain
if ($Dom -ne $DomainName) {
  write-output "info: joining computer to domain $DomainName..."
  # prompt for the join account password rather than embedding it in the script
  $cred = Get-Credential -UserName $DomainUser -Message "Password for domain join account"
  Add-Computer -DomainName "$DomainName" -Credential $cred -OUPath $OuPath -Force
}
else {
  write-output "info: computer is already domain joined."
}

#-------------------------------------------------------------
$smPath = 'HKCU:\Software\Microsoft\ServerManager'
$sm = Get-ItemProperty -Path $smPath -Name DoNotOpenServerManagerAtLogon -ErrorAction SilentlyContinue
if ($null -eq $sm) {
  write-output "info: disabling server manager at startup..."
  if (-not (Test-Path $smPath)) { New-Item -Path $smPath -Force | Out-Null }
  New-ItemProperty -Path $smPath -Name DoNotOpenServerManagerAtLogon -PropertyType DWORD -Value 1 -Force | Out-Null
}

Install-WindowsUpdate

#-------------------------------------------------------------
write-output "info: base configuration is finished!"

$Boxstarter.RebootOk = $False
Restart-Computer -Force