CMWT 2017.02.22.01 Posted

UPDATE: Build 2017.02.22.01 Posted

This is an interim update for specific files only:

  • global.asa (version stamp updated)
  • clients.asp (fixed default sort on computer name)
  • confirm.asp (fixed redirect URL bug)
  • reports.asp (fixed heading)
  • sqlrepdel.asp (added to fix missing delete/confirmation form)

If you don’t have CMWT installed, download the full installer and follow the instructions provided in the installation guide (under the “/docs” folder within the ZIP file):

If you have CMWT installed and just want to update to the newest build, just download the individual files which are newer than what you have, and copy them into the root directory where CMWT is configured:

Known Issues

  • The home page may show incorrect site summary information when CMWT is configured on a CAS host.  This will be fixed soon, but updates are still in testing.  Thanks to Larry for reporting this!
  • The Client Summary report (linked from Site Hierarchy) may show duplicate “No Client” rows.  This is because it’s grouping by the Resource ID and it is splitting between those with a Resource ID and those without (unknown computers)

Please keep the feedback coming!

Why SCCM Doesn’t Accidentally Image Machines

I’ve finally had enough.  Maybe it’s the result of hearing people just blindly repeat false garbage and claiming it as fact (I call it “phact” now).  But after hearing yet another so-called (another meme-ish aphorism du jour) engineer state to a group of other so-called engineers that “SCCM can ‘just randomly reimage computers'” because either:

A. They’ve seen it, or more often…

B. They heard a friend say they saw it happen.

Truth:  NO.  SCCM CANNOT RANDOMLY REIMAGE COMPUTERS.  IT DOES NOT.  IT WILL NOT.  IT CAN’T.  IT WON’T.  Stop saying stupid shit like this.

The real reason is that someone (aka a stupid idiot, yes, double redundancy intended) was poking around and made changes without knowing what they were doing.  That’s it.  I’ve seen “unintended” cases of SCCM involved with reimaging computers, but it was ALWAYS ALWAYS ALWAYS (and still is) due to human stupidity.

I’m probably missing a few steps here, in fact, yes, I see one right now:  The Task Sequence Deployment setting labelled “Make available to the following” from the Deployment Settings tab (e.g. “Only media and PXE” versus “Configuration Manager clients, media and PXE”, etc.)


In short, your resident idiot would have to target the wrong collection, OR, put the wrong machines into the targeted collection, OR, use the wrong deployment assignment setting, AND…

Have the machine on a subnet with access to PXE, AND boot to the network (boot config), AND press F12 before the boot time-out expires, AND (either) did not put a password on the Task Sequence deployment OR entered the password.  That’s a lot of “accidental” stuff to accidentally trip over by accident.  Maybe your admin needs a walker and a crash helmet.


Top 10 Tech Issues for Last Month


1 – SCCM Site Boundaries Stayed at the Bar too long.  Got in a fight with some angry UFC folks and wound up in the ER with tubes going in all sides.

Doctor writes in patient record: “Be sure to talk with your Network engineers to ensure they are staying on top of their end.  No messing around with overlapping subnets, or laughing hysterically at the need to maintain AD sites and services.  Then be sure to actually heed the information they provide you and build your site boundaries to correctly match the environment.”

2 – Don’t forget about a Fallback Status Point

3 – Don’t forget to mention the FSP in the client push settings

4 – Don’t forget to include the appropriate accounts, and account permissions, for the client push installation account.  Especially when dealing with AD Forest Trusts and machines on both sides of the trust.

5 – Coffee.  Never never never forget about the coffee.  RedBull/Monster, etc. are okay, but real men chew their coffee whole, worry about the liquid part later.  Bonus: If you can manage to push the grinds through a tube, then injection may be your best bet.

6 – Get outdoors.  Staring at the screen for too long leads to glazing over, which leads to missing obvious things.

7 – Primal scream therapy.  It’s still allowed.  Practice it often, in random locations.  In the middle of a staff meeting.  In an elevator.  Standing in line at the deli. Whatever.  It can be very refreshing.

8 – SCCM Backups should be targeted to a different location than the SCCM drive itself.  And make sure there’s an offline backup process for double-protection.  If someone else manages the virtual hosting environment, and storage, talk to them about their backup processes to find a solution to fit everyone’s needs.

9 – Active Directory.  Do not ignore it.  If you don’t regularly check on DNS and DHCP configurations (and health), start doing it now.  Keep the accounts clean.  Devices that don’t exist, should be vaporized with extreme anger and a twitching eyelid.

10 – Always focus on the process first.  Then worry about the tools and methods.  Quite often, the best tools are a whiteboard and a cup of coffee (see item 5).  90% of my engagements end up chopping out a ton of unnecessary work just by standing back to take a fresh look at how things are done.

The Ballad of Orchestrator

If I had a dollar for every time I’ve had a discussion with someone who works with Microsoft System Center, while I stare at the floor, wondering why they never bothered to have that weird reddish-brown stain removed, and it’s in their main lobby, as they describe the pain, and effort they endured to build some crazy semi-automated chain of mouse traps using a wheelbarrow full of third-party utilities, truckloads of scripting, and a few crates of some long-forgotten Windows CLI utilities, registry hacks and whatever, and after they were done, I’d be thinking to myself “that was one stupidly-long run-on sentence”, but I end up saying, “You know? You could’ve knocked that out in a lot less time using Orchestrator”, well, I’d be rich enough to not have time to write a blog.  I’d be too busy having my toenails custom painted while skydiving from my private jet onto the deck of my private yacht. Floating in the lagoon of my private island.  Okay, that’s a big stretch.


First off, 99.999999999% of the time, here’s what the response is, “What’s Orchestrator?”

(15 seconds of awkward silence ensues)

Whatever Microsoft has paid their marketing folks, I would like to officially ask for 10% of it, just for doing my part to inform their customers, “well, it’s this amazing virtual Lego kit that you can use to build just about anything. Oh, and by the way, you already paid for it.”  That might help pay a few bills at least.  I think that I’ve earned it.  Or I could be delusional too.

Anyhow, for those who still begin every explanation with “it was called Opalis, once…”, and have ripped open that Christmas box and put the batteries inside, you know what I’m talking about.  You also know the dreaded feeling of hearing someone say one of the following:

“They didn’t make any changes to it in System Center 2016”

“It’s dead, Jim.  Long live the cloud.”

Sad.  Truly sad. It never really had its glory day (imho).  Isolated moments of sheer awesomeness are to be found, for sure.  But on a ubiquitous (see?  you didn’t think I could whip out a big word like ubiquitous, did you?) and pervasive scale? No; not what it really deserved. It was that incredible 2nd string player, drafted in the 2nd round, that was capable of smashing records, but never got on the field, and now it’s hitting retirement age.

Not so fast.

Just like Arnold Schwarzenegger (I cheated on the spelling, I had to), it can still press a few hundred pounds while smiling.  Maybe while clenching a cigar in its mouth at the same time.

Some interesting use-cases I’ve seen in the past year or two…

  • The typical New-Hire / Employee-Term scenario runbooks, but with extensions for ordering facilities services (phone, desk, chair, whiteboard), telecom (phone), computer equipment (HR app checkbox for “mobile user” triggers order for laptop or tablet), and notifying front desk security personnel with employee photo.  And don’t forget the standard AD group memberships, attributes, and OU management stuff.
  • Monitoring file system folder where app-devs upload final code check-ins, read specific files to create SCCM applications, deployment types, detection methods, requirements, as well as distribute to certain DP groups, and deploy to Collections (with additional parameters)

There have been a few others.  Some were just discussions around “what if…”, which could have easily turned into more amazing concoctions, but I didn’t stick around long enough to find out if they did.

Alas, before I toss back a ceremonial shot (of something cheap, like me), I have to say I’ve spent some time with Azure Automation runbook authoring and I have to say, it’s very, very promising indeed.

Itsy-Bitsy Teeny Weeny little SCCM tips

None of these are my own inventions.  I’ve collected them over the years and they’ve helped me more times than I can count.  I’m also surprised how many times I encounter customers that aren’t aware of these tips, but end up using them afterwards. Paying it forward I suppose.

Use The Force (Group Policy)

  • Let it handle your server configurations.  This includes firewall settings, local administrators, service login rights, and so on.
  • Use GPPrefs to deploy standard goodies, like bginfo.exe (along with bgi files), and other Sysinternals utilities.  Deploy cmtrace, KeePass and other portable apps (i.e. ones that don’t require an installation before use).
  • Ultimately, you join the machine to your domain, reboot it, and when it comes up after the next domain login, it’s like coming back to the table from the restroom to find your meal waiting for you (props to Pulp Fiction for that one).

NIC Teaming

  • Whether you have one (1) network adapter or ten (10), place them into a team.  This adds an abstraction layer in case you need to change the physical (or virtual) adapter and don’t want to disrupt applications and services that rely on it at the upper layers.

BGInfo Customization

  • It’s sooooooooooo easy to add custom tags to the BGINFO display set.  One of my favorites is to add the SCCM client version, and SQL version to the display set.  You can query almost any WMI, registry or file source to pull something interesting for automatic display on the desktop.

Pin Logs Folder to the Taskbar

  • If you use a preferred log manager then you can ignore this tip.  But if you don’t, and you typically use cmtrace.exe (like many of us mortals), and you’re using Windows Server 2012 R2 or 2016, you can Pin folders to the right-click list from the taskbar, on the Start Menu, and to the Quick Access list.

and Speaking of Windows Server 2016

  • If you run your site systems on Windows Server 2016, you gain quite a lot of small, but helpful advantages.  Among the neat little goodies, are…
  • Right-click Start Menu for fast access to many common admin tools.

ConfigMgr Console / Column Headings

I’ve mentioned this before, but to save time, just do this and I’ll stfu:

  • Navigate into Assets and Compliance / Devices
  • Right-click on one of the column headings in the details pane (right-hand)
  • When the popup menu appears, stare at it for a full minute.
  • Then scroll down.
  • Okay, now scroll back up.
  • Now, check a few items like Client Version, Active Directory Site, Device Online Status, and maybe Serial Number
  • Turn around and pick your jaw back up off the floor.  The cleaning guy is coming around with the vacuum cleaner.

ConfigMgr Toolkit and RBAViewer

  • Yes, it still exists.  Yes, it still shows version “2012 R2”.  Yes, it works fine with 1610.  At least, it has been working fine for myself and most everyone else I know.  Among the plethora of goodies it lays on your machine, is the RBAViewer utility.  Once beaten, bloodied and battered, lying in an alley, puking profusely after SCCM 1511 used a blowtorch and vice grips on it, it has since recovered in a rehab and got a hair cut.
  • If you ever work with role based access (hence “RBA”) using the ConfigMgr console features, you owe it to yourself to try this old but helpful utility.

AD Account Attributes -> Queries, Collections

  • I’m still surprised to find customers that take the time to really use Active Directory LDAP attributes like a (smart) Lego kit.  Some of them populate non-typical attributes on user and computer accounts, and then use that to assist other automation processes, either with PowerShell, Orchestrator, Azure Automation, or a trained squirrel with a radio antenna on its head.  And yet others take the time to register their own OID and craft their own custom extensions. Kudos for pushing the envelope!
  • For those of you that use interesting AD, Exchange, Lync/Skype and custom attributes, like employeeID, employeeType, or msExchExtensionAttribute12, you can leverage those within SCCM for queries and collections too!
  • To do this, you need to modify your Discovery method settings, which has some caveats (short-term additional inventory traffic after the change is made).   For example, to capture the “title” attribute, open the Active Directory User Discovery properties, click on the Active Directory Attributes tab, select “title” from the Available Attributes list, and click “Add >>”, then click OK.
  • Now you can create a query-rule collection of users that have a job title of “executive douchebag” and deploy a package of questionable web shortcuts to their desktop.  Although I’m kidding here, hopefully you see the (serious) potential.
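The query-rule collection described above, sketched in PowerShell as an added example (not code from the original post). It assumes a session already connected to the site drive with the ConfigurationManager module loaded and “title” already enabled in Active Directory User Discovery; the function name, collection name and title value are placeholders.

```powershell
# Added example: create a user collection whose membership follows the
# AD "title" attribute collected by Active Directory User Discovery.
# Assumes the ConfigurationManager module is loaded and the current
# location is the site drive. Names and values below are placeholders.

function New-TitleQueryCollection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CollectionName,
        [Parameter(Mandatory)] [string] $Title,
        [string] $LimitingCollection = 'All Users'
    )

    # Allow-list the value before placing it inside a WQL string literal,
    # so quotes, backslashes or wildcards cannot change the query.
    if ($Title -notmatch '^[A-Za-z0-9 .,&/-]{1,64}$') {
        throw "Title '$Title' contains characters not allowed in this rule."
    }

    $wql = 'select SMS_R_User.ResourceId, SMS_R_User.ResourceType, ' +
           'SMS_R_User.Name, SMS_R_User.UniqueUserName ' +
           'from SMS_R_User where SMS_R_User.title = "' + $Title + '"'

    # Reuse the collection if it already exists; otherwise create it.
    $collection = Get-CMUserCollection -Name $CollectionName
    if (-not $collection) {
        $collection = New-CMUserCollection -Name $CollectionName `
            -LimitingCollectionName $LimitingCollection
    }

    Add-CMUserCollectionQueryMembershipRule -CollectionName $CollectionName `
        -RuleName "title equals $Title" -QueryExpression $wql

    return $wql
}

New-TitleQueryCollection -CollectionName 'Users - Field Technician' -Title 'Field Technician'
```

Because membership follows the AD attribute, anyone who can write `title` on user objects can move users in or out of this collection, so check write permissions on that attribute before deploying anything to it.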

Special Shortcuts

  • This is old, but not as old as me, moo-haa haa haaaaa (cough, cough, wheeze… gasp…*).  If there’s a shortcut that you always launch using “Run as administrator”, you can configure the shortcut to always launch that way without having to right-click on it each time.  Open the shortcut’s Properties, select the Shortcut tab and click “Advanced”.  Check the box for “Run as administrator” and click OK.

Site System Maintenance Windows

  • A lot of customers complain that they can’t control when SCCM checks for, and downloads, the next version on a site system.  They don’t want their site systems to automatically download and update things, but yet, they still want the option to do so with a leash around its neck.  You can.  It does, with some conditions.
  • If you’re on 1610, you can enable this by going into Administration / Site Configuration / Sites, then right-click on the Site, choose Properties.  Select the “Service Windows” tab.

6 Things to Avoid when Building an SCCM Site System


These are based on actual, real, true events, which I’ve been asked to help resolve in some capacity over the past three weeks:

  1. Do not let someone create your VM using an unknown template which contains leftover remnants of a previous SCCM site installation, and dozens of unknown changes for which the site admin has no knowledge what happened.
  2. Do not let someone create your VM and join it to an AD domain under an OU with a bunch of linked GPO’s which are undocumented.
  3. Do not let your boss approve another department’s request to take ownership of your SCCM SQL Server instance without prior discussion or them being advised as to what SCCM is.
  4. Do not let another engineer start building the site before you’ve provided him/her with the design document.  Especially when it includes Intune integration and they go ahead and set Intune as its own MDM authority, without discussing anything with you in advance.
  5. Do not recommend an SCCM site installation to a customer after a sales person insisted it was the “perfect fit” for their 10 desktop computers, when all they wanted was to manage software updates.
  6. Do not recommend to a customer that they’re fine with allowing their Primary site server VM, running on a Hyper-V failover cluster, to fail over to another node, on another cluster, on another continent.

CMWT 2017.01.02.01 (interim)

Not a ZIP download yet.  Just raw files posted in the CMWT GitHub repo for now.



  • Reports: Device Logins
  • Software: OS Images
  • Software: Automatic Deployments
  • Software: Deployment Summary: All and Brief (2 views)
  • Site: Windows Store for Business configurations

Bug Fixes

  • AD User / referenced a 404 link
  • Cleaned up function CMWT_AutoLink()

Thank you for the feedback!  Please keep it coming!

(the answer to the question is: because it works just fine)