Thursday, 17 June 2021

Welcome


Hi There,

My name is Dan. I currently work in London as an SCCM consultant on a working holiday from Australia.

I will be updating this blog from time to time with tips on application packaging and OS deployment, specifically using MDT/SCCM.

If you have any questions, don't hesitate to contact me.

LinkedIn: https://uk.linkedin.com/in/dan-padgett-36b982a5

Cheers,

Dan

Friday, 10 March 2017

[PowerShell] Remove Objects Tool v1.0







If you are like me and use "All Unknown Computers" to deploy your OSD to, you will also be fairly familiar with making sure you have cleared an object from the SCCM database before trying to re-image, otherwise ... well, it's not Unknown now, is it?

Typically this would involve a tech opening AD, searching for the computer and removing it, then opening the SCCM console and doing the same. I have spent some time adding to a tool I previously released, adding many more functions.


I have expanded the tool and added further features which allows you to

  • Remove AD Objects
  • Remove SCCM Objects
  • Remove both SCCM/AD objects
  • View LAPS (Local Admin Password)
  • View additional machine details
  • Remote control 

Download Tool - if LAPS is deployed in your environment

Download Tool - if LAPS is NOT deployed in your environment


Requirements of Tool.



1. Before running the tool, ensure you have the ‘Remote Server Admin Tools’ installed
2. The tool will need to be launched with credentials sufficient for the functions you plan to use (the tool doesn't prompt for credentials).

Under the hood.




The "Remove Objects" tool is written in PowerShell and compiled. The tool essentially looks at all computer objects (taken from settings file), does a lookup in AD for these objects, then scans your SCCM instance for the same name. It will then merge all the information together.

 Settings for your environment are referenced in the file "settings.xml"

Settings.XML




SCCMServer: Location of SCCM instance
SearchBase: the root location for workstations (in format of DistinguishedName)
SCCMSite: your SCCM Site Code

SystemOUName: Same path as SearchBase, but in the format of CanonicalName
CMRCViewer: Location of the SCCM Remote control viewer files - see below for more info


Spaces in the search base should be accepted without worry.

Ensure that you set these values to match your environment. The settings file MUST reside in the same root folder as the Remove Objects executable, if not you will see this error.


Logging

An output file is written to the same location as the executable. It is recreated each time the "search/filter" button is used, and is there in case you face issues with objects not being found.

Remote Control

The Remove Objects tool has the ability to remote control a workstation. Remote control is issued through CmRcViewer. CmRcViewer is installed locally when you have the SCCM Console installed on your machine. To avoid installing the full SCCM console on every machine you wish to run "Remove Objects" on, you can copy these files to each machine. The files required for remote viewing are seen in the screenshot below:



I have provided an "InstallRemote.cmd" which would copy these files to the default path in C:\Program Files (x86)\ConfigMgrConsole\bin\i386. I haven't included the actual remote control files in my download as these are copyrighted.


Usage.

When the tool launches, you will see the following, press Search/Filter to list objects

(Note: If you don't have LAPS deployed, the script will still work but you will not see the column for it)






When search is complete, you will be presented with all objects. The Data source for the objects listed is as follows:
Name: Active Directory 
Description: Active Directory 
Operating System: Active Directory
IPV4Address: SCCM
Enabled: Active Directory
LAPS Password: Active Directory
MAC Address: SCCM
SCCMResourceID: SCCM 



You can search/filter off any value, for example, name. 





The function controls are self-explanatory. All functions (except remote) will prompt for confirmation. All cells can be copied to clipboard.

NB. To perform any function, you must highlight the computer name from the NAME column. 

All options chosen will prompt for confirmation, except for "Remote Control". 



Remote Control:  This uses CmRcViewer.exe which is either

a. Bundled when installing the SCCM Console
b. Installed from the InstallRemote.cmd as mentioned earlier.

Remove AD Object: Removes AD Object 



Remove SCCM Object: Removes SCCM Object 



Remove SCCM/AD Object: Removes SCCM and AD Object – This is the default function you should use to clear a machine for reimaging. 





Cells highlighted in yellow indicate that a computer's SCCM resource ID has been removed or not found. This would happen if you were to use the "Remove from SCCM" option only.

Note: your SystemOUName variable should be the root location for your workstations. If your system OU name doesn't match your SearchBase, items will be shown as yellow, as they cannot be matched against the same computer names in AD.

The lookup code that manages this is:

$sccmQuery = get-wmiobject -query "select * from SMS_R_SYSTEM WHERE Name like '%' " -computername $sccmserver -namespace "ROOT\SMS\site_$sccmsite" | Where-Object { $_.SystemOUName -contains $SystemOUName }

This code exists to ensure that you don't return other SCCM objects such as servers or mobile devices.

A block of code runs for each computer loaded and checks that each AD hostname has a matching record in the above lookup. If the hostname is not found, the row will be shown as yellow.

Code for that lookup is:

# Highlight the row when no SCCM resource ID was matched for this hostname
if ($null -eq $datagridviewResults.Rows[$i].Cells['SCCMResourceID'].Value)
{
    $row.DefaultCellStyle.BackColor = 'yellow'
}

Limitations.

In further releases I will include a settings option to either use SCCM remote control OR Microsoft Remote Assistance.

Because the tool scans AD then matches the host names of computers to their object names in SCCM, machines that have been removed from AD and still exist in SCCM will not be shown. 
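The matching and the limitation described above can be checked offline. The following is an added example, not the tool's own code: it reconciles the two lists in both directions, so it also reports SCCM records with no AD object and names that carry more than one resource ID. The function name, status labels and sample records are constructed for illustration.

```powershell
# Added example: offline reconciliation of AD and SCCM computer records.
function Compare-ComputerInventory {
    param(
        [Parameter(Mandatory)] [object[]] $AdComputers,    # objects with .Name
        [Parameter(Mandatory)] [object[]] $SccmResources   # objects with .Name, .ResourceID
    )

    # Index SCCM records by name. One name can carry several resource IDs,
    # for example stale records left behind by an earlier build.
    $sccmByName = @{}
    foreach ($r in $SccmResources) {
        $key = $r.Name.ToUpperInvariant()
        if (-not $sccmByName.ContainsKey($key)) { $sccmByName[$key] = @() }
        $sccmByName[$key] += $r.ResourceID
    }

    $adNames = @{}
    foreach ($c in $AdComputers) {
        $key = $c.Name.ToUpperInvariant()
        $adNames[$key] = $true

        $ids = @()
        if ($sccmByName.ContainsKey($key)) { $ids = $sccmByName[$key] }

        $status = 'Matched'
        if ($ids.Count -eq 0) {
            $status = 'ADOnly'            # the row the tool highlights in yellow
        } elseif ($ids.Count -gt 1) {
            $status = 'DuplicateInSCCM'   # more than one record to clear before re-imaging
        }
        [pscustomobject]@{ Name = $key; ResourceIDs = $ids; Status = $status }
    }

    # Records the tool never lists: present in SCCM, absent from AD.
    foreach ($key in $sccmByName.Keys) {
        if (-not $adNames.ContainsKey($key)) {
            [pscustomobject]@{ Name = $key; ResourceIDs = $sccmByName[$key]; Status = 'SCCMOnly' }
        }
    }
}

# Constructed sample data standing in for the AD lookup and the SMS_R_System query.
$ad = 'PC-001', 'PC-002', 'PC-003' | ForEach-Object { [pscustomobject]@{ Name = $_ } }
$sccm = @(
    [pscustomobject]@{ Name = 'pc-001'; ResourceID = 16777220 }
    [pscustomobject]@{ Name = 'PC-003'; ResourceID = 16777231 }
    [pscustomobject]@{ Name = 'PC-003'; ResourceID = 16777305 }
    [pscustomobject]@{ Name = 'PC-099'; ResourceID = 16777188 }
)
Compare-ComputerInventory -AdComputers $ad -SccmResources $sccm | Format-Table -AutoSize
```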


Disclaimer.

Be sure to read the "readme" file in the download package for all T's and C's. All efforts have been put into testing this application.

Full code can be viewed here - Note this is created with PS studio therefore all object controls are held separately, if you would like the full code export with object controls, let me know. 

Friday, 3 March 2017

TeamViewer QuickJoin - Windows 10 Image




If your company uses TeamViewer to support remote clients, you may wish to add the TeamViewer QuickJoin support tool into your Windows 10 Image. Including this tool in your image will remove the need for remote clients to download this from the TeamViewer website each time they need support. You can customise the QuickJoin tool where you can modify things like the Logo, Title, Description etc.

TeamViewer QuickJoin does not come with a bundled installer; it is simply a small executable. My aim was to add the TeamViewer quick support tool onto all laptops during build; the shortcut is then automatically placed in the Windows 10 start menu during imaging. The following is the process I followed to get this working.

Firstly, the end product






1. Customise your QuickJoin tool to your liking, and then download

Customisation of QuickJoin



2. The QuickJoin download will include your ID which links your customisations to your tool, do not edit the name of the executable. For example - TeamViewerQS_en-idcbydd25.exe (idcbydd25 is the ID that links to your customisations [example id]) 

3. Create a source folder for your SCCM software package.  In it, place:

  • QuickJoin executable.
  • A shortcut named "Support"
    Target = "C:\ProgramData\TeamViewer\TeamViewerQS_en-idcbydd25.exe"
    Path = "C:\ProgramData\TeamViewer"
  • A simple batch/cmd file containing the following; in this example I have called it copyTV.cmd.

Source Files

4. You will want to adjust your Windows 10 customise start menu step to include the QuickSupport "Support" shortcut we created in the previous step. Open your W10 Start Menu XML and inject the below code to represent the shortcut placement (information on customising Windows start menu here). The end result can be seen at the beginning of this post. Ensure you update the content containing your XML file to sync the new changes to your DPs.



If you would like my exact start menu layout, you can get the XML here.

5. Create an application package in SCCM. Set your content paths to the files we copied earlier, your installation program to "copyTV.cmd" and your detection method to your executable in C:\ProgramData\TeamViewer








6. Distribute your content, then add a step within your OSD task sequence before your Start Menu customisation step. 






Wednesday, 8 February 2017

Set SIP Address For AD Users - PowerShell



I had a requirement to assign a SIP address to each AD account on my domain; this is to facilitate a rollout of Skype for Business. The lack of a SIP address stops Skype (Lync) from autodiscovering the user's address. The SIP value is stored in the ProxyAddresses attribute, however you can store it in the msRTCSIP-PrimaryUserAddress attribute as long as you have extended your AD Schema.

Without the SIP present, users will see the following when launching SFB (Skype for Business)

After running the script, your attribute should look something like this:




Script:
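The following is an added example, not the script from the original post. It adds a SIP entry to ProxyAddresses only for users that lack one, and it assumes the SIP address should equal the user's mail attribute; the function names and sample addresses are constructed.

```powershell
# Added example: add a SIP entry to proxyAddresses for users that have none.
function Get-MissingSipAddress {
    param(
        [Parameter(Mandatory)] [string] $SipUri,   # assumption: taken from the mail attribute
        [string[]] $ProxyAddresses = @()
    )
    # Refuse values that are not a plain user@domain address.
    if ($SipUri -notmatch '^[^@\s]+@[^@\s]+$') {
        Write-Warning "Skipping invalid address: '$SipUri'"
        return $null
    }
    # -like is case-insensitive, so 'sip:' and 'SIP:' entries both count as present.
    $existing = $ProxyAddresses | Where-Object { $_ -like 'sip:*' }
    if ($existing) { return $null }
    return "SIP:$SipUri"
}

function Set-SipFromMail {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase   # OU to process, as a DistinguishedName
    )
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase -Properties mail, proxyAddresses |
        ForEach-Object {
            $sip = Get-MissingSipAddress -SipUri $_.mail -ProxyAddresses @($_.proxyAddresses)
            if ($sip -and $PSCmdlet.ShouldProcess($_.SamAccountName, "Add $sip to proxyAddresses")) {
                # -Add appends to the multi-valued attribute and leaves SMTP entries untouched.
                Set-ADUser -Identity $_ -Add @{ proxyAddresses = $sip }
            }
        }
}

# Constructed sample values: the first call yields a new entry, the second yields nothing.
Get-MissingSipAddress -SipUri 'jane.doe@example.com' -ProxyAddresses 'SMTP:jane.doe@example.com'
Get-MissingSipAddress -SipUri 'jane.doe@example.com' -ProxyAddresses 'SMTP:jane.doe@example.com', 'sip:jane.doe@example.com'

# Dry run against a directory (placeholder OU):
# Set-SipFromMail -SearchBase 'OU=Users,DC=example,DC=com' -WhatIf
```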


Friday, 13 January 2017

Migrating User Profiles & Resetting Permissions - Powershell



I recently began to look at migrating user profile data for a client. Existing user profiles were hosted on a Windows file server and these profiles were being used in conjunction with folder redirection and offline files. After discussions the client decided to move to Work Folders (native to Windows Server 2012). Work Folders requires that users are owners of their "workfolder" (see here), and the existing data had many broken SIDs and unnecessary permissions set, so it was a requirement to strip everything and start again.

'Special Folders' used by folder redirection (Desktop, Favorites, Documents) were completely broken and no user other than the owner had read access to them, therefore copying the data would prove difficult. I attempted to initially use RoboCopy for the task, however this fell over when trying to copy these special folders. The client had an install of Dell Secure Copy on an old file server so I was able to leverage that; I believe it copies at the disk level and does not honor OS NTFS permissions.

The below script is what i ended up coming up with for the copy. The client would be migrating individual users initially therefore the script is prompting for paths and usernames but the code could easily be modified to facilitate groups of users.

The below code basically:

  1. Reads in values for Source and Destination
  2. Copies data to destination
  3. Sets the AD user to modify and makes them the owner.

Hopefully this script helps someone in a similar position.

Cheers
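The following is an added example, not the script from the original post. It covers only the third step, on a destination folder that has already been copied: it strips explicit permissions, grants the user Modify and makes them owner using icacls. The function name and the path and account in the usage comment are placeholders.

```powershell
# Added example: reset permissions on a migrated profile folder (run elevated).
function Reset-MigratedFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,      # destination folder after the copy
        [Parameter(Mandatory)] [string] $Identity   # account in 'DOMAIN\username' form
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    # Resolve the account up front so a mistyped name fails before any ACL changes.
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Runs one icacls operation against $Path and stops on the first failure.
    function Invoke-Icacls {
        param([string[]] $Arguments)
        & icacls.exe $Path @Arguments | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "icacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
        }
    }

    if ($PSCmdlet.ShouldProcess($Path, "Reset ACLs, grant Modify and set owner to $Identity")) {
        # 1. Drop every explicit ACE (orphaned SIDs included) on all files and
        #    subfolders, leaving only what is inherited from the parent folder.
        Invoke-Icacls '/reset', '/T', '/Q'

        # 2. Grant Modify on the root; (OI)(CI) lets files and subfolders inherit it.
        Invoke-Icacls '/grant:r', "*${sid}:(OI)(CI)M", '/Q'

        # 3. Make the user the owner of the whole tree.
        Invoke-Icacls '/setowner', $Identity, '/T', '/Q'
    }

    # Report the result so it can be checked or logged.
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path     = $Path
        Owner    = $acl.Owner
        Explicit = @($acl.Access | Where-Object { -not $_.IsInherited } |
                     ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
}

# Dry run with placeholder values:
# Reset-MigratedFolderAcl -Path 'D:\WorkFolders\username' -Identity 'DOMAIN\username' -WhatIf
```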



Monday, 5 September 2016

Deploying Windows 10 1607

Following on from my post last year, Building a Clean Windows 10 Reference Image - MDT 2013 U1, this entry will rehash some of the same steps that were discussed there, as well as additional steps to deploy Windows 10 1607.

For this build I am using:

Windows 10 1607 - https://blogs.windows.com/windowsexperience/2016/08/02/how-to-get-the-windows-10-anniversary-update/

MDT 2013 Update 2 - https://blogs.technet.microsoft.com/msdeployment/2015/12/22/mdt-2013-update-2-now-available/

SCCM 1606 - https://blogs.technet.microsoft.com/enterprisemobility/2016/07/22/now-available-update-1606-for-system-center-configuration-manager/

ADK 1607 - https://blogs.technet.microsoft.com/ausoemteam/2016/08/03/windows-adk-for-windows-10-version-1607-available-for-download/


Reference Image:


From here I will assume you have all of the above running; however, you do not need to be on the latest SCCM version (1606) for these. You will, however, want to have the ADK and MDT up to date.

1. To build your reference image please follow the steps in this post. However do not update your deployment share (one of the last steps)
http://deploymentresearch.com/Research/Post/540/Building-a-Windows-10-v1607-reference-image-using-MDT-2013-Update-2

2. Watch this video from 8:00 till 13:20 to learn how to tweak CMTrace.exe and SMSTS.ini to bolster your OSD experience: https://youtu.be/HtvDHs5NCPw?t=481 . Once you have done this, go back and update your deployment share and continue with Johan's post.

Boot Wim: 


1. Check out my post here  on how you can leverage DART for dynamic remote control for your OSD builds.

Prepare OSD Scripts and Logs:

Logs:

On your SCCM Site server create a share to store log files, e.g. \\configmgr\logs$ , and ensure your staff have access to this path. The final steps in your task sequence should be to copy logs, whether successful or not, to this share (will outline how later). Within this logs folder make two folders named:

OSD_Success
OSD_NotSuccess

There is a reason I am not using a folder named "OSD_Failure" - each time CmTrace detects the word "fail" in your SMSTS.log file you will see an "error", which in this case is just the name of the step. So to make your logs nicer to read, avoid using the word "failure" wherever possible.


Scripts:

The following scripts are used throughout my task sequence:

Scripts Share

UI++  (Nice UI to allow you to set variables to kick start your TS) - http://blog.configmgrftw.com/uiplusplus/

adcompdesc.vbs (Sets AD computer description during OSD ) - See scripts share

adgroup.vbs (Sets AD computer group membership during OSD ) - See scripts share

DefaultAppAssoc.xml (Sets defaults for application association - Acrobat in example is set ) - See scripts share

DumpVar.vbs (Dumps SMSTS variables to file for testing) - See scripts share

SetDefaultsW10.cmd (Sets various OSD settings, speech etc ) - See scripts share

StartLayout1607.xml (Sets start menu and taskbar layout  ) - See scripts share


Place these files (tweaked to your liking) in a share in SCCM sources folder and create a package (with no program) . This package will be called upon multiple times during your task sequence.



Create Unattended.XML

Log onto your SCCM box and open Windows System Image Manager.  From here you can modify your unattended as much as you like, here is mine.. with some info redacted.


Note: <Logo>c:\windows\media\COMPANYLOGO.bmp</Logo> . This file is being copied to my WIM during my reference image creation. This will allow you to show your logo in the Windows "System" page.


Create Task Sequence

Create a new TS (with MDT integration) and add the following steps.
(I will not go through every option just specific settings to improve OSD)

Set the following 3 Variables at the beginning of your TS. 

Name: SMSTSPostaction
Value: shutdown /r /t 5
Why: Forces the machine to reboot at the very end of the TS; this helps with post-TS cleanup tasks and GPO application


Name: SMSTSRebootDelay
Value: 0
Why: Sets the reboot delay after each step to 0 seconds, so reboots happen instantly. Improves TS time.


Name: SMSTSErrorDialogTimeout
Value: 86400
Why: Sets the error dialog timeout to 86400 seconds, so the error stays on screen until you interact with it (the default is too short)


Add step for apply OS, use the Unattended.xml you created earlier. (This can be placed into your OSD scripts folder)

Add step to copy CMTrace: Add the following step AFTER apply OS step: 

Type: Run Command Line
Value: cmd /c xcopy x:\sms\bin\x64\CMTrace.exe %OSDTargetSystemDrive%\windows\system32 /E /H /C /I /Q /Y


Add step to set AD Group (see scripts folder)

Name: adgroup.vbs (run command line)
Value: wscript.exe adgroup.vbs "ADGROUP"



Add step to set AD Description (see scripts folder)

Name: adcompdesc.vbs  (run command line)
Value: cscript.exe adcompdesc.vbs "[%VALUE%] - [%VALUE%] - [%VALUE%]"


Add step to set W10 Defaults (see scripts folder)

Name: Apply W10 Settings (run command line)
Value: cmd /c SetDefaultsW10.cmd


Add step to Tattoo the registry


Name: Tattoo (run command line)
Value: cmd.exe /c reg add HKLM\SOFTWARE\COMPANY /v COMPANYOSD-Name /d "[%_SMSTSPackageName%]" & reg add HKLM\SOFTWARE\COMPANY /v COMPANYOSD-Time /d "[%date%]-[%time%]" /t REG_SZ & reg add HKLM\SOFTWARE\COMPANY /v COMPANYOSD-ImagedBy /d "[%XAuthenticatedUser%]" /t REG_SZ


Add step to set Windows 10 Start Menu  (see scripts folder)

Name: Set Windows 10 Start Menu Layout (run command line)
Value: powershell.exe -executionpolicy bypass import-startlayout -layoutpath .\StartLayout1607.xml -mountpath C:\

Add step to Remove Windows 10 Apps  (see scripts folder)

Name: Remove Windows 10 Apps (run command line)
Value: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file .\RemoveApps2.ps1

Edit: Use this link for script : https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/scripts/remove-default-apps.ps1 

Add step to block windows 10 apps installing 
Name: Block New W10 Apps (run command line)
Value: reg add HKLM\Software\Policies\Microsoft\Windows\CloudContent /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f


Add LOGS folder logic.

Here we will add logic to do a Try/Catch for any errors.

Copy these steps changing for your own folder names.






From here copy the same logic as the previous steps but change to Not_success

To be continued... 

Wednesday, 31 August 2016

Suppress Office 365 "First Things First"

You may have noticed when installing Office 365 via the Click to Run installer you get a popup like this for each user.


You will no doubt have seen many methods to make this go away, however in my testing none of the popular suggestions actually work, like:

1. Setting key for OptInDisable in SOFTWARE\Microsoft\Office\16.0\Common\General
2. Setting key for ShownFirstRunOptin in SOFTWARE\Microsoft\Office\16.0\Common\General
3. Setting key for Authorized in SOFTWARE\Microsoft\Office\16.0\Common\General
4. Setting key for AcceptAllEulas in SOFTWARE\Microsoft\Office\16.0\Common\General

These methods may work for standard Office 2016 installers (usually set via OCT), but for 365, because it is licensed per user, this notification will be generated for each user account that runs Office.

If you would like to properly suppress this you need to perform the following during OSD.

1. Find a step after you install Office 365 in your task sequence. 
2. If you have a batch file or script that does windows customisations add the following to it (or create a new script).




(Step in TS - script is in SetDefaultsW10.cmd)

What we are doing here is loading in the Default User registry hive and adding the entry which is created when each user accepts the EULA.

We do this via OSD as the key has the computer's hostname within it, and making this dynamic from a Group Policy preference is not easily achieved.


Also, I set the following

Disable "Make Skype better "

Value: UserConsentedTelemetryUpload
Key: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\General
DWORD: 0

Disable "file type prompt on EU only"

Value: ShownFileFmtPrompt
Key: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\General
DWORD: 1

NB. In SetDefaults.cmd I also set speech language to en-GB and set up DesktopInfo.
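The following is an added example, not the script from the original post. It uses the same Default User hive technique to write the two per-user values listed above, so every profile created afterwards starts with them. The function name and mount name are hypothetical, and the hostname-based EULA entry is not reproduced because its name is not given on this page.

```powershell
# Added example: write per-user Office values into the Default User hive.
function Set-DefaultUserOfficeValues {
    param(
        # Default profile hive of the installed OS (adjust the drive if run from WinPE).
        [string] $HivePath  = "$env:SystemDrive\Users\Default\NTUSER.DAT",
        [string] $MountName = 'DefaultUserTemp'   # hypothetical temporary mount name
    )

    $mount = "HKU\$MountName"
    $key   = "$mount\SOFTWARE\Microsoft\Office\16.0\Common\General"

    # Values taken from the list above.
    $values = [ordered]@{
        UserConsentedTelemetryUpload = 0
        ShownFileFmtPrompt           = 1
    }

    if (-not (Test-Path -LiteralPath $HivePath)) {
        throw "Hive not found: $HivePath"
    }
    if (Test-Path "Registry::HKEY_USERS\$MountName") {
        throw "A hive is already loaded at $mount"
    }

    & reg.exe load $mount $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

    try {
        foreach ($name in $values.Keys) {
            # reg.exe is used for the writes so no PowerShell registry handle
            # stays open and blocks the unload afterwards.
            & reg.exe add $key /v $name /t REG_DWORD /d $values[$name] /f | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "reg add $name failed with exit code $LASTEXITCODE" }
        }
    }
    finally {
        # Always unload, even if a write failed, so the hive is not left mounted.
        & reg.exe unload $mount | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "reg unload $mount failed with exit code $LASTEXITCODE"
        }
    }
}

# Run elevated, in a task sequence step after Office 365 is installed:
# Set-DefaultUserOfficeValues
```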

Cheers,

Dan