All we really care about is the Collection ID, Name and the Comment section. We could add more but this is a quick report to help us find the machine.
select
C.CollectionID,
C.Name,
C.Comment
from
dbo.v_Collection C
join dbo.v_FullCollectionMembership FCM on C.CollectionID = FCM.CollectionID
Where
FCM.Name = @PC
When the report runs you will simply type in the machine name and click Run Report.
SMS/SCCM, Beyond Application Deployment is a blog by Matthew Hudson covering SMS 2003, SCCM 2007, 2012 and beyond package deployment. Here you will find hints, tips, and tricks to help with managing your infrastructure. It will focus mainly on Reg files, Batch, VbScript, WMI, and possibly other methods.
Tuesday, November 15, 2016
Tuesday, October 25, 2016
Auto Approve Cross Forest Machines
Are you working with machines from another forest that you need to approve in SCCM?
As a good security practice you should only Auto Approve machines in your own domain.
If you are merging or pulling in other machines you don't want to manually approve the machines. Here is a simple process:
Create a PowerShell script to approve machines in a given collection:
Import-Module 'C:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'
cd PR1:
Get-CMDevice -CollectionID "PR1299F3" |select name |ForEach-Object {Approve-CMDevice -DeviceName $_.name }
Next, create a collection for all these machines to come into. Let's assume the machines coming in were in a Workgroup or Domain called ABC:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_CM_RES_COLL_SMS00001 on SMS_CM_RES_COLL_SMS00001.ResourceId = SMS_R_System.ResourceId where SMS_CM_RES_COLL_SMS00001.IsApproved= '0' and SMS_R_System.ResourceDomainORWorkgroup = "ABC"
All we are doing here is creating a collection of the machines we want to approve and then running the PowerShell to approve them.
This allows you to approve those special machines as they enter the infrastructure without Admins having to manually approve them.
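A more defensive variant of the approval script, as an added example that is not part of the original post: it re-checks each collection member's approval state and domain or workgroup at approval time and writes an audit record for every decision. The site code, collection ID and domain are the ones used above; the log path is an assumption.

```powershell
# Added example, not the author's script.
# Site code (PR1), collection ID and domain (ABC) come from the post; the log path is an assumption.
Import-Module 'C:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'
Set-Location PR1:

$CollectionId   = 'PR1299F3'
$ExpectedDomain = 'ABC'
$LogPath        = 'C:\Temp\AutoApprove-audit.csv'   # assumption: any writable folder that already exists

$audit = foreach ($device in Get-CMDevice -CollectionId $CollectionId) {
    # Re-check every member instead of trusting collection membership alone:
    # the collection may not have been re-evaluated since the device record changed.
    if ($device.IsApproved -ne 0) {
        $action = 'Skipped: not in the unapproved state'
    }
    elseif ($device.Domain -ne $ExpectedDomain) {
        $action = "Skipped: domain/workgroup '$($device.Domain)' is not '$ExpectedDomain'"
    }
    else {
        try {
            # Approve by resource ID so a duplicate machine name cannot approve the wrong record
            Approve-CMDevice -DeviceId $device.ResourceID -ErrorAction Stop
            $action = 'Approved'
        }
        catch {
            $action = "Failed: $($_.Exception.Message)"
        }
    }

    # One audit row per device, whatever the outcome
    [pscustomobject]@{
        TimeUtc    = (Get-Date).ToUniversalTime().ToString('o')
        Name       = $device.Name
        ResourceID = $device.ResourceID
        Domain     = $device.Domain
        Action     = $action
    }
}

if ($audit) {
    $audit | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation
}
```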
Wednesday, August 3, 2016
1E - Nomad, creating Pre-cache command file
While working on a project, I needed to cache a set of files but I didn't want to run the standard pre-cache process on multiple packages for a single or multiple machines and wait the standard time.
Step in PowerShell and the SMSNomad command. SMSNomad is used to call for the package download and can be executed manually. The command can be run outside of SCCM, which was important when you have machines in different forests and you want them to have the same cache files before the forests merge.
Syntax:
SMSNomad.exe
--s: Run in standalone mode (we don't rely on SCCM to do anything)
--pp: Package Path
--ver: Package version as seen in the console
Since I use custom ports my example will include that. For the default ports of 80 or 443, leave it blank.
Here is an example of the command we need to run:
"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://Server.Foo.com:132/SMS_DP_SMSPKG$/AB100002" --prestage --ver=16
[Download the Configuration Manager package from site AB1, source version 16]
Let's get to the heart of what I was doing ;)
There are two parts: the first part pulls all the packages from a Task Sequence; the next pulls all the Packages with a given name in the title and then pulls the Applications.
*******************************CACHE.PS1*****************************************
## SMSNomad.exe --s --pp="http://server.foo.COM/SMS_DP_SMSPKG$/ABC0007A" --prestage --ver=27
#This code doesn't check to see if a deployment is present
#Pulling Application ContentID is terribly slow, recode!!
Import-Module 'C:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1'
cd ABC:
$ServerPull = "http://Server.foo.com:1234" #omit :1234 if you don't have custom ports running for IIS
$CacheCMD = "C:\Precache.bat"
$SCCMServer = "PrimaryServerName" #Server, Primary or CAS where the script can read the data from
$SCCMSiteCode = "XXX" #Site Server code
############################################################################################
"REM create cache for Task Sequence (both Packages and Applications)" | Out-File -Encoding Ascii -FilePath $CacheCMD
#XXXXXX should be replaced with the Task Sequence ID
$Ts = Get-CMTaskSequence -TaskSequencePackageId 'XXXXXXX'
$Ts.References | ForEach-Object {
    if ( $_.Type -ne 1)
    {
        $PackageID = Get-CMPackage -Id $_.Package
        if ( $PackageID.PackageID.Length -gt 0)
        {
            "REM {0}" -f $PackageID.Name | Out-File -Encoding Ascii -Append -FilePath $CacheCMD
            """C:\Program Files\1E\NomadBranch\SMSNomad.exe"" --s --pp=""{0}/SMS_DP_SMSPKG$/{1}"" --prestage --ver={2}" -f $ServerPull, $PackageID.PackageID, $PackageID.SourceVersion | Out-File -Encoding Ascii -Append -FilePath $CacheCMD
        }
        else #not Package ID, this must be a WIM or boot media or not package
        {
            $SpecialPackage = Get-WmiObject -ComputerName $SCCMServer -Namespace Root\SMS\Site_$SCCMSiteCode -Class "SMS_PackageBaseclass" | Where-Object PackageID -eq $_.Package
            "REM {0}" -f $SpecialPackage.Name | Out-File -Encoding Ascii -Append -FilePath $CacheCMD
            """C:\Program Files\1E\NomadBranch\SMSNomad.exe"" --s --pp=""{0}/SMS_DP_SMSPKG$/{1}"" --prestage --ver={2}" -f $ServerPull, $_.Package, $SpecialPackage.SourceVersion | Out-File -Encoding Ascii -Append -FilePath $CacheCMD
        }
    }
    if ( $_.Type -eq 1) #Application
    {
        #WMI is faster, so they say...
        $Application = Get-WmiObject -ComputerName $SCCMServer -Namespace Root\SMS\Site_$SCCMSiteCode -Class "SMS_Application" | Where-Object ModelName -eq $_.Package | Sort-Object ContentID -Descending | Select-Object LocalizedDisplayName -First 1
        "REM {0}" -f $Application.LocalizedDisplayName | Out-File -Encoding Ascii -Append -FilePath $CacheCMD
        $Content = Get-WmiObject -ComputerName $SCCMServer -Namespace Root\SMS\Site_$SCCMSiteCode -Class "SMS_CIToContent" | Where-Object SecuredModelName -eq $_.Package | Sort-Object ContentID -Descending | Select-Object ContentUniqueID -First 1
        """C:\Program Files\1E\NomadBranch\SMSNomad.exe"" --s --pp=""{0}/SMS_DP_SMSPKG$/{1}"" --prestage --ver=1" -f $ServerPull, $Content.ContentUniqueID | Out-File -Encoding Ascii -Append -FilePath $CacheCMD
    }
}
############################################################################################
"REM create cache for Packages" | Out-File -Encoding Ascii -Append -FilePath $CacheCMD
### (ABC) Pull Packages that have a (ABC) in the Name
###pull all data for a package based on its name
Get-CMPackage -Name "*(ABC)*" | ForEach-Object {
    if ( $_.PackageID.Length -gt 0)
    {
        "REM {0}" -f $_.Name | Out-File -Encoding Ascii -Append -FilePath $CacheCMD
        """C:\Program Files\1E\NomadBranch\SMSNomad.exe"" --s --pp=""{0}/SMS_DP_SMSPKG$/{1}"" --prestage --ver={2}" -f $ServerPull, $_.PackageID, $_.SourceVersion | Out-File -Encoding Ascii -Append -FilePath $CacheCMD
    }
}
############################################################################################
###pull all the Applications for a App name
### Pull Applications that have a (ABC) in the Name
"REM create cache for Applications" | Out-File -Encoding Ascii -Append -FilePath $CacheCMD
Get-CMApplication -Name "*(ABC)*" | ForEach-Object {
    #WMI is faster here
    ## 26 SECONDS
    "REM {0}" -f $_.LocalizedDisplayName | Out-File -Encoding Ascii -Append -FilePath $CacheCMD
    $Content = Get-WmiObject -ComputerName $SCCMServer -Namespace Root\SMS\Site_$SCCMSiteCode -Class "SMS_CIToContent" | Where-Object SecuredModelName -eq $_.ModelName | Sort-Object ContentID -Descending | Select-Object ContentUniqueID -First 1
    """C:\Program Files\1E\NomadBranch\SMSNomad.exe"" --s --pp=""{0}/SMS_DP_SMSPKG$/{1}"" --prestage --ver=1" -f $ServerPull, $Content.ContentUniqueID | Out-File -Encoding Ascii -Append -FilePath $CacheCMD
}
########################
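Because C:\Precache.bat is built from package and application names and then executed on other machines, it is worth checking every line against the one command shape CACHE.PS1 is supposed to emit before running it. The following is an added example, not part of the original script; the function names, the allowed server value and the sample lines are assumptions constructed for illustration.

```powershell
# Added example, not the author's code. Function names are hypothetical.
function Test-PrecacheLine {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Line,
        [Parameter(Mandatory)][string]$AllowedServer   # the only server the batch file may pull from
    )
    if ($Line -match '^\s*$') { return $true }

    # REM lines carry the package name; accept them only without control characters
    if ($Line -match '^REM( |$)') { return ($Line -notmatch '[\x00-\x1F]') }

    # Package IDs are 8 characters (site code + 5 hex digits); application content is Content_<GUID>
    $id = '(?:[A-Z0-9]{3}[0-9A-F]{5}|Content_[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})'
    $pattern = '^"C:\\Program Files\\1E\\NomadBranch\\SMSNomad\.exe" --s --pp="' +
               [regex]::Escape($AllowedServer) + '/SMS_DP_SMSPKG\$/' + $id +
               '" --prestage --ver=[0-9]+$'
    return ($Line -match $pattern)
}

function Get-RejectedPrecacheLine {
    param([string[]]$Lines, [string]$AllowedServer)
    $n = 0
    foreach ($line in $Lines) {
        $n++
        if (-not (Test-PrecacheLine -Line $line -AllowedServer $AllowedServer)) {
            [pscustomobject]@{ LineNumber = $n; Text = $line }
        }
    }
}

# Constructed sample input; in practice use: $lines = Get-Content -LiteralPath 'C:\Precache.bat'
$lines = @(
    'REM create cache for Applications',
    'REM Application NAME ABC',
    '"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://Server.foo.com:1234/SMS_DP_SMSPKG$/Content_65d72259-9477-4501-b1ed-ab2582bddfed" --prestage --ver=1',
    '"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://Server.foo.com:1234/SMS_DP_SMSPKG$/AB100002" --prestage --ver=16',
    # server that is not on the allow list
    '"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://other.example:1234/SMS_DP_SMSPKG$/AB100002" --prestage --ver=16',
    # trailing text after the version
    '"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://Server.foo.com:1234/SMS_DP_SMSPKG$/AB100002" --prestage --ver=16 & echo extra'
)

$rejected = @(Get-RejectedPrecacheLine -Lines $lines -AllowedServer 'http://Server.foo.com:1234')
if ($rejected.Count -gt 0) {
    $rejected | Format-Table -AutoSize -Wrap
    Write-Warning "$($rejected.Count) line(s) do not match the expected SMSNomad command; do not run the batch file."
}
```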
The output written to C:\Precache.bat will look like this:
"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://SERVER.FOO.COM.DIR.SLB.COM:132/SMS_DP_SMSPKG$/AB100002" --prestage --ver=16
"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://SERVER.FOO.COM.DIR.SLB.COM:132/SMS_DP_SMSPKG$/AB1000AD" --prestage --ver=7
"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://SERVER.FOO.COM.DIR.SLB.COM:132/SMS_DP_SMSPKG$/AB1004CD" --prestage --ver=2
REM Application NAME 123456
"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://Server.foo.com:1234/SMS_DP_SMSPKG$/Content_2eb63a6d-1be5-41bc-9ef7-814e079de693" --prestage --ver=1
REM Application NAME 456789
"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://Server.foo.com:1234/SMS_DP_SMSPKG$/Content_bab5aaad-4ce7-4c34-a3d4-a21e9fb89436" --prestage --ver=1
REM Application NAME ABC
"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://Server.foo.com:1234/SMS_DP_SMSPKG$/Content_65d72259-9477-4501-b1ed-ab2582bddfed" --prestage --ver=1
REM Application NAME DEF
"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://Server.foo.com:1234/SMS_DP_SMSPKG$/Content_a6ad7f31-b31e-46ea-9de5-343f0b2a1675" --prestage --ver=1
REM Application NAME GHI
"C:\Program Files\1E\NomadBranch\SMSNomad.exe" --s --pp="http://Server.foo.com:1234/SMS_DP_SMSPKG$/Content_e5112d47-e477-4878-abc0-fa4830318f7f" --prestage --ver=1
Thursday, June 2, 2016
When to use Prestage content to force a package status
You look in the Monitoring node and notice your package is still pending on the DP
Monitoring Package Status node in The SCCM console
In Progress:
The content for package XXXXXXXXX have not yet arrived from the source site XYZ Distribution Manager will try again later to distribute the content.
Distmgr.log on the Secondary server shows this
No action specified for the package XXXXXXXXX , however there may be package server changes for this package.
All DP threads have completed for package XXXXXXXXX processing thread.
Exiting package processing thread for package XXXXXXXXX .
Looking in the Content Library tool you see the content is still Pending.
********************************************************************
What might make you upset is that you can redistribute, remove, add or cancel and yet the lower server will not complete the process. You might be ready to reset the flag in the database, but here is another solution to try first: use the Prestage tool.
There are many blogs about how to use it, so I will point to one that will step you through how to create the Prestaged Content File.
Steps:
- Create your content file
- Copy the file to your lower server
- Run the extract command: D:\Program Files\Microsoft Configuration Manager\bin\X64>extractcontent /p:C:\Users\admin\Desktop\Myfile.pkgx /f
Prestaging content to content library D:\SCCMContentLib
uncompress 25 %
uncompress 50 %
uncompress 75 %
uncompress 100 %
extract 25 %
extract 50 %
extract 75 %
extract 100 %
Content of package XXXXXXXX.3 is prestaged and registered.
The package and version number should match the SCCM Console.
Note: Do not use the /s command; this will ignore the content, and that is exactly what you don't want to do.
You will see this in your c:\temp\2\PrestageContent.log:
Since content 'XXXXXXXX.3' was skipped, success state message is not sent to server for package 'XXXXXXXX.3'
You will be back at the same problem you had before.
/F - Force prestaging of content even when it already exists on the site
With this command you will see the 'Extracting' comments in the log. It should also send a successful command back to the Primary/CAS. Then you can wait and refresh and see the package marked as Success.
You don't need to change the package or DP to a Prestaged machine. Simply export the content, move it and load it. It is that simple.
I don't know why it sometimes fails to move the package, yet, you can see all the files and folders correctly in the Content Library. But this solution does work.
Wednesday, May 11, 2016
Why manage Mobile Devices?
There are many blogs and news articles about which solution is better but very few talk about the why. Let's not start into the debate of the BYOD (Bring Your Own Device) question. Let's look more fundamentally at the "why" part.
Companies are anxious about viruses, lost laptops and data breaches, but this landscape was never thought of until well after ARPANET started to connect machines in 1969. It was believed that everyone would work together, and security was not well thought of at the time. Later they started to impose rules and policies like: don't send personal data or personal emails over the network. It was when Morris created what would later be known as the first worm in 1988 and released it to gauge the depth of the Internet, wreaking havoc on the machines, that everyone took a serious view of why we need to protect the landscape and write better code.
We have now seen the ability to crash an iPhone with a special text message. What is next?
Why do we want mobile device management?
Control over:
- Upgrades of Operating System
- Software install/upgrade of applications
- Access, Policy and settings
- Geo-fencing of data or applications
- What about what we haven’t thought of?
This is just a small view of what companies want to control. If there is a vulnerability in the OS of the device, grant them control of what to do: upgrade the device, lock it down, etc. Everyone wants to protect the company. I am not going to move into the "user rights vs company protection" debate.
You can see many of the desktop management functions slowly moving to the mobile devices, such as policy restrictions, software installs or upgrades.
Let's think further down the road about why it is important to manage not just the mobile devices we carry in our pocket but the IoT (Internet of Things) devices that run our lives!
Just as you now have A/C, washer and sprinkler service people, you will soon have more of an IT service person at your house making sure the devices all talk to each other and the "central office". No longer will you just have the IT repair person come fix your computer, nor will you take your machine to the store to be fixed. You will have them come in and perform an inspection, or yearly or monthly maintenance, on devices that control your life. Each one of your devices might require software, firmware, or possibly even a chip/board upgrade to keep your house secure and compliant. You don't want someone hacking your thermostat to gain access to your electronic safe or, worse, turn off the security system, open the garage door and walk in.
It is important that all companies and even individuals look into management of Internet-based devices. Soon the consumer might need to manage their other devices much like they do their car, A/C unit and other "maintenance required" equipment, only this time it is an electronic device interacting with other devices and possibly the Internet.
Embrace device management, no matter if you're an individual or a big or small company. I look forward to the protection and management of all devices.
This is why Microsoft increased the cadence of software releases and is slowly adding features to Intune.
Check out the April 2016 feature list:
Friday, March 11, 2016
Now Available: Update 1602 for System Center Configuration Manager
For those waiting in anticipation for 1602, here is the official release.
The major enhancements in this release are the Servicing of Windows 10 and the Health Attestation.
Windows 10 health is a vital part of this upgrade because you need to be aware of client health. You also want to be aware of which version of Windows 10 is running on the devices. This is the first of many advances we will see with Current Branch for both Windows 10 and Configuration Manager.
- Client Online Status: You can now view the online status of devices in Assets and Compliance. New icons indicate the status of a device as online or offline.
- Support for SQL Server AlwaysOn Availability Groups: Configuration Manager now supports using SQL Server AlwaysOn Availability Groups to host the site database.
- Windows 10 Device Health Attestation Reporting: You can now view the status of Windows 10 Device Health Attestation in the Configuration Manager console to ensure that the client computers have a trustworthy BIOS, TPM, and boot software.
- Office 365 Update Management: You can now natively manage Office 365 desktop client updates using the Configuration Manager Software Update Management (SUM) workflow. You can manage Office 365 desktop client updates just like you manage any other Microsoft Update.
- New Antimalware Policy Settings: New antimalware settings that can now be configured include protection against potentially unwanted applications, user control of automatic sample submission, and scanning of network drives during a full scan
Thursday, February 25, 2016
Not Ready to move to CM 1511, Update to Cu3 for R2Sp1 and for Sp2
Microsoft has provided another CU for ConfigMgr 2012 R2Sp1
To see the complete list, review KB3135680:
https://support.microsoft.com/en-us/kb/3135680
Here is the ConfigMgr Team blog article
https://blogs.technet.microsoft.com/configmgrteam/2016/02/25/now-available-cu3-for-sc2012r2-configmgrsp1-and-sc2012-configmgrsp2/
and some highlights:
Administrator Console
- The Administrator Console may take longer than expected to expand different nodes, such as the All Users or All Devices nodes. This occurs when the console is installed on a touch-screen enabled computer.
- The Create Task Sequence Wizard generates an Unhandled exception when the Configuration Manager Console is installed on a computer that is running Windows 10 version 1511.
- The Configuration Manager console exits unexpectedly when the Task Sequence Editor is used to change a Microsoft Recovery (Windows RE) partition. Additionally, you receive an exception that resembles the following: System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
- The Configuration Manager console exits unexpectedly when you try to add a custom icon for an application that's available in the Application Catalog. This only occurs if the FIPS local/group security policy, 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing', is enabled on the computer that is running the console.
Operating system deployment
- A task sequence may continue for an application installation failure, even if the Continue on error option is not selected in the task sequence properties. This applies to task sequences installing applications that use a dynamic variable list.
- A task sequence will try to reinstall applications already installed by using a dynamic variable list if one of the applications is configured to restart the computer. For example, if the third in a list of 3 applications requires a restart, the first and second applications in the list will try to install again after the restart.
- Use of the pre-provision BitLocker task sequence step during an operating system deployment results in the Trusted Platform Module (TPM) having a status of Ready for use, with reduced functionality.
Microsoft Intune and mobile device management
- In a Configuration Manager environment in which the Microsoft Exchange Server connector is configured for use with Microsoft Exchange Server 2013, mobile devices aren't listed as expected in the All Mobile Devices node of the administrator console. Additionally, errors that resemble the following are recorded in the EasDisc.log file on the Configuration Manager site server:
ERROR: [MANAGED] Invoking cmdlet Get-Recipient failed. Exception: System.Management.Automation.RemoteException: Cannot bind parameter 'Filter' to the target. Exception setting "Filter": "The value "$true" could not be converted to type System.Boolean….
STATMSG: ID=8817 SEV=W LEV=M SOURCE="SMS Server" COMP="SMS_EXCHANGE_CONNECTOR" …
ERROR: [MANAGED] Exception: Cannot bind parameter 'Filter' to the target. Exception setting "Filter": "The value "$true" could not be converted to type System.Boolean."
ERROR: Failed to check status of discovery thread of managed COM. error = Unknown error 0x80131501
Note: This log entry is truncated for readability.
- The certificate required to connect to the Intune service cannot be renewed if the Microsoft Intune connector is installed to a server other than the site server, and proxy authentication is required for Internet access.
- Blocking Exchange ActiveSync access for an enrolled device fails. Errors that resemble the following are recorded in the EasDisc.log file on the site server after the blocking action fails:
*** [42000][102][Microsoft][SQL Server Native Client 11.0][SQL Server]Incorrect syntax near 'IsUIBlocked'.
ERROR: UpdateDeviceAccessState: Execute() failed.
Site Systems
- The SMS Executive service may exit unexpectedly when it processes a NOIDMIF file that contains a Unicode character invalid for the codepage of the site server.
- The "Reassign Distribution Point" migration task may stop responding when it tries to reassign a distribution point from a Configuration Manager 2007 secondary site. This occurs if the database record for the 2007 distribution point is removed and replicated to the primary site before the new record is added.
- The WMI Provider Host (WmiPrvSE.exe) hosting the Configuration Manager Provider (SMSProv) may exceed its memory quota on a site that processes lots of status messages from a custom application. This can result in a loss of connectivity through the Configuration Manager console until the server hosting the provider is restarted.
- Queries, and query-based collections that use the Windows Update Agent Version as criteria return unexpected results for Windows 10-based computers. This is because the Windows Update Agent Version in hardware inventory data is reported incorrectly in the 6.x range, such as 6.0.10240.16397 instead of the 10.x range, such as 10.0.10240.16397.
Software distribution and content management
- 3120338 Content can’t be downloaded from Cloud-Based Distribution Points System Center 2012 Configuration Manager Service Pack 2 when BranchCache is enabled
- Applications deployed to a device that uses the Primary Device global condition will fail if the primary user has an apostrophe in their name.
- Distribution Points configured for HTTPS communications will be reset to use HTTP communications after other site properties are changed. For example, installing a new Software Update Point can trigger the Distribution Point to revert to HTTP communications. Other Distribution Point settings may also change.
- 3123884 Application installation fails from the Company Portal in System Center 2012.
Monday, January 4, 2016
1E Nomad / Active Efficiency, Groups Subnets for Single Site Download
If you are using Nomad 5.x / 6.x and Active Efficiency then hopefully you are utilizing the Single Site Download (SSD) feature. This allows all machines in a given site to share content more efficiently, thus improving the experience.
Example:
Machine (computer1) is in an AD boundary called BOSTON. This machine is in Subnet A.
Machine (computer2) is in an AD boundary called BOSTON. This machine is in Subnet B.
Without SSD, one machine from each subnet would pull from the local DP/Secondary. With SSD enabled, a machine would have the ability to jump from Subnet A to Subnet B for files instead of reaching over to the DP.
The default script creates the groups via AD Sites and Services.
What if you have several AD sites that should be grouped?
Suppose you have AD sites called "Boston-1st-Floor" and "Boston-2nd-Floor": they are separate AD sites but they are still talking to the same DP. Here is how you can force the group to be created as the PowerShell script is running.
Note that I am ignoring the IPRange boundary types. This is because for us the IPRanges are used via the VPN solution, so we ignore them.
The IPSubnet display name for us is normally like 'XXXXXX - (127.0.0.0./30) '. So for us we simply read the name in SCCM and pull the IP address.
'**************************************************************
##place this just after the wipe command to remove the current boundaries from AE.
$Boundaries = Get-WmiObject -Namespace "root\sms\site_AB1" -ComputerName "PrimaryServerName" -Query "SELECT * FROM SMS_Boundary WHERE BoundaryType ='0'"
foreach ($Boundary in $Boundaries)
{
    $SiteID = $Boundary.DisplayName.Substring(0,6)
    ###Make special Requests here #####
    # Match on the full display name: $SiteID holds only the first 6 characters,
    # so it could never equal a longer AD site name such as 'Boston-1st-Floor'.
    if ($Boundary.DisplayName -like 'Boston-1st-Floor*' -or $Boundary.DisplayName -like 'Boston-2nd-Floor*' )
    {
        $SiteID = "Full-Boston-Building"
    }
    # Take the text between "(" and ")" of the display name as the subnet
    $IPSubnet = $Boundary.DisplayName.Substring( $Boundary.DisplayName.IndexOf("(")+1, $Boundary.DisplayName.IndexOf(")") - $Boundary.DisplayName.IndexOf("(")-1 )
    #$IPSubnet = 127.12.12.1/24
    AddLocation $SiteID $IPSubnet
}
'**************************************************************
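The Substring/IndexOf extraction above throws when a display name has no parentheses and passes malformed subnets straight through. The following added example (not from the original post or the 1E script) parses the display name with validation and applies the grouping through a lookup table. The function name and $GroupMap are hypothetical, and it assumes the site name is everything before " - (" rather than the first six characters.

```powershell
# Added example, not the author's code. ConvertFrom-BoundaryDisplayName and $GroupMap are hypothetical.
$GroupMap = @{
    'Boston-1st-Floor' = 'Full-Boston-Building'
    'Boston-2nd-Floor' = 'Full-Boston-Building'
}

function ConvertFrom-BoundaryDisplayName {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [hashtable]$GroupMap = @{}
    )
    # Expect "<site name> - (<a.b.c.d>/<prefix>)"; anything else is rejected
    if ($DisplayName -notmatch '^\s*(?<site>.+?)\s*-\s*\((?<ip>[0-9.]+)/(?<prefix>\d{1,2})\)\s*$') {
        return $null
    }
    $site   = $Matches['site']
    $ip     = $Matches['ip']
    $prefix = [int]$Matches['prefix']

    # Require a dotted quad first: IPAddress.TryParse also accepts short forms such as "127.1"
    $parsed = $null
    if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
        -not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or
        $prefix -gt 32) {
        return $null
    }

    # Collapse AD sites that share a DP into one group
    if ($GroupMap.ContainsKey($site)) { $site = $GroupMap[$site] }

    [pscustomobject]@{ SiteID = $site; IPSubnet = "$ip/$prefix" }
}

# Constructed display names for illustration
$names = @(
    'Boston-1st-Floor - (10.20.1.0/24)',
    'Boston-2nd-Floor - (10.20.2.0/24)',
    'XXXXXX - (127.0.0.0./30)',     # stray dot: rejected
    'Dallas-Lab'                    # no subnet in the name: rejected
)
foreach ($name in $names) {
    $loc = ConvertFrom-BoundaryDisplayName -DisplayName $name -GroupMap $GroupMap
    if ($null -eq $loc) {
        Write-Warning "Skipping boundary with unparseable name: $name"
        continue
    }
    # In the real script this is where AddLocation $loc.SiteID $loc.IPSubnet would be called
    $loc
}
```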