Get notified about duplicate host names in SCCM

As part of the general maintenance and upkeep of SCCM we have a “Duplicate Host Names” collection in SCCM.

These are the most common duplicate objects. Most likely this occurs due to OSD or conflicting discovery cycles. We basically end up with two computer objects, with the same name/hardware/MAC but different SMSBIOSGUID. It causes much confusion for ConfigMgr because it often doesn’t know how to process the inventory for the phantom object.

https://blogs.technet.microsoft.com/configmgrdogs/2011/12/18/how-to-find-sccm-duplicate-computer-objects/

This collection finds duplicate host names but unfortunately does not notify us when one is found. The script below will send an e-mail when the collection membership is greater than 0. We have it set up as a scheduled task that runs daily.

If you do not have a “Duplicate Host Names” collection you can create it by adding this query rule to a collection.

select R.ResourceID,R.ResourceType,R.Name,R.SMSUniqueIdentifier,
R.ResourceDomainORWorkgroup,R.Client from SMS_R_System as r 
full join SMS_R_System as s1 on s1.ResourceId = r.ResourceId 
full join SMS_R_System as s2 on s2.Name = s1.Name 
where s1.Name = s2.Name and s1.ResourceId != s2.ResourceId

Alternatively you can run this PowerShell command:
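
The following is an added example, not the author's script or command. It queries SMS_R_System directly through the SMS provider, groups the records by name, and e-mails any name that appears more than once. The site server, site code, SMTP server and mail addresses are placeholder assumptions.

```powershell
# Added example (not from the original post). All values below are placeholders.
$SiteServer = 'sccm01.example.com'      # hypothetical SMS provider host
$SiteCode   = 'ABC'                     # hypothetical site code
$SmtpServer = 'smtp.example.com'        # hypothetical mail relay
$From       = 'sccm-alerts@example.com'
$To         = 'sccm-admins@example.com'

# Read the same class and properties the collection query above uses.
$systems = Get-WmiObject -ComputerName $SiteServer `
    -Namespace "root\sms\site_$SiteCode" `
    -Query 'SELECT ResourceId, Name, SMSUniqueIdentifier, Client FROM SMS_R_System'

# Group-Object compares names case-insensitively by default,
# which matches how host names are treated.
$duplicates = $systems |
    Where-Object { $_.Name } |
    Group-Object -Property Name |
    Where-Object { $_.Count -gt 1 }

if ($duplicates) {
    # One row per record, so the phantom object can be told apart
    # from the live one by ResourceId and the Client flag.
    $rows = foreach ($group in $duplicates) {
        $group.Group | Select-Object Name, ResourceId, SMSUniqueIdentifier, Client
    }
    $body = $rows |
        Sort-Object Name, ResourceId |
        Format-Table -AutoSize |
        Out-String -Width 200

    $count = @($duplicates).Count
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "SCCM: $count duplicate host name(s) found" `
        -Body $body
}
else {
    Write-Output 'No duplicate host names found.'
}
```

Run it from a scheduled task under an account that has read access to the SMS provider namespace.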

Wish I knew this trick years ago (CMD/PoSH)

Ever wish you could easily find a previous command in CMD? Try pressing F7… go ahead, I’ll wait. 🤯

Ever wish you could easily find a previous command in PowerShell? Try pressing CTRL+R then start typing in a previous command… go ahead, I’ll wait. 🤯

Source:

https://www.reddit.com/r/sysadmin/comments/bty2qv/how_to_trigger_your_impostor_syndrome/

Test your SCCM deployment using PsExec

When getting an application ready for deployment it is typically much faster to test that the install works as expected by running it as SYSTEM. When an application is run from Software Center it is run under the SYSTEM context. Manually running the install as SYSTEM means you do not need to wait for your content or your policies to refresh. This allows you to test and debug much quicker.

Instructions

  • Download and extract the PSTools suite from Windows Sysinternals
  • Open CMD or PowerShell as an admin
  • Navigate to the location where you extracted PSTools
  • Run the following command: psexec -s -i cmd
    • -s means run under the SYSTEM context
    • -i means run interactively
    • cmd is what program to run as SYSTEM
  • You will see a new CMD prompt open up, type in whoami to verify you are under the SYSTEM context
  • Navigate to where your install is and test running it as SYSTEM

If all goes well you can add your application to SCCM with the confidence that it will work as expected.

Upgrading 7-Zip crashes explorer

We started deploying 7-Zip v18.01 but quickly had to stop the deployment due to Windows Explorer crashing. A user without a toolbar is not a productive user. We tweaked our deployment and added this parameter to the install string:

Execute-MSI -Action Install -Path "7z1801-x64.msi" -Parameters "/QN MSIRMSHUTDOWN=2"

Once we added that we were able to deploy with no issues.

Sources:

https://sourceforge.net/p/sevenzip/discussion/45797/thread/a7cdb5e2/?limit=25

http://psappdeploytoolkit.com/

Allow a user to delay a Windows 10 upgrade task sequence

Upgrading Windows 10 (e.g. v1511 to v1607) is easy using the upgrade task sequence in SCCM. Unfortunately it is not as user friendly as we would like. Most notably, when you set the upgrade task sequence to required there is no warning to the user that an upgrade is about to take place. To fix this issue we used PowerShell App Deployment Toolkit to warn the user and allow them to delay the upgrade task sequence.

Create a package using PowerShell App Deployment Toolkit but do not create a program. Include serviceui.exe (included with MDT) in your source folder. In deploy-application.ps1 add the following code:

[string]$installPhase = 'Pre-Installation'

##Show Welcome Message
$AnyLoggedOnUsers=Get-LoggedOnUser -ErrorAction SilentlyContinue
if ($AnyLoggedOnUsers.Count -gt 0)
{
	$TSProgressUI = New-Object -COMObject Microsoft.SMS.TSProgressUI
	$TSProgressUI.CloseProgressDialog()
	Show-InstallationWelcome -PersistPrompt -AllowDefer -DeferTimes 3
}

In the first step of your upgrade task sequence, set the error dialog timeout. We set it to 1 so that if/when a user delays the upgrade task sequence they do not see the task sequence error message.

In the second step of your upgrade task sequence, create a run command line step with the following:

ServiceUI.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File Deploy-Application.ps1

Add a WMI query condition to the run command line step:

SELECT * FROM Win32_ComputerSystem WHERE UserName != NULL

That’s all the additions you need to make to your upgrade task sequence.

If no user is logged on, it will NOT run the PSADT script and will just continue with the next step in the task sequence.
If a user is logged on, it will run the PSADT script and will not continue with the next steps until the user continues the install.
NOTE: The above WMI query will not work if you are RDP’d in.

If the user delays the upgrade then the task sequence will fail. The task sequence will try again on its next scheduled time (I set mine to rerun every day if the previous attempt failed).

Sources:
http://psappdeploytoolkit.com/forums/topic/does-running-as-a-task-sequence-always-disable-interactive-mode/

Citrix Receiver hangs during task sequence

We had a lot of problems getting Citrix Receiver to install correctly during imaging. During imaging it would hang until you moved the mouse or it timed out. Apparently this is a semi-common problem due to how Citrix Receiver installs USB support. We use PowerShell App Deployment Toolkit for all of our deployments so what we ended up doing was mimicking mouse movement if the installer detected we were in a task sequence. We also did a restart step in our task sequence directly before the Citrix Receiver installation.

## <Perform Installation tasks here>
if($runningTaskSequence -eq $false)
{		
	Write-Log -Message "Not in Task Sequence, running Citrix Receiver Installer..." -LogType 'CMTrace'
	Execute-Process -path "$dirfiles\CitrixReceiver.exe" -parameters "/silent /includeSSON /noreboot"
}
else
{
	Write-Log -Message "In Task Sequence, running Citrix Receiver Installer with mouse movement..." -LogType 'CMTrace'
	Execute-Process -path "$dirfiles\CitrixReceiver.exe" -parameters "/silent /includeSSON /noreboot" -nowait
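	# Initialise the loop counter explicitly; the loop nudges the cursor every 2 seconds, 120 times
	$i = 0
	do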
	{
		$Pos = [System.Windows.Forms.Cursor]::Position
		$x = ($pos.X % 500) + 10
		$y = ($pos.Y % 500) + 10
		[System.Windows.Forms.Cursor]::Position = New-Object System.Drawing.Point($x, $y)
		Start-Sleep -Seconds 2
		$i++
	}
	while ($i -lt 120)
}

Sources:
http://discussions.citrix.com/topic/330691-citrix-receiver-install-in-mdt-2010-hangs-until-mouse-is-moved
http://stealthpuppy.com/automated-citrix-receiver-deployment-hangs-indefinitely

Internet Explorer home page not being set at first logon

We had an issue in our environment where when a user first logged onto a Windows 10 workstation their Internet Explorer home page wasn’t set to our intranet. This issue occurred even though the home page was being set via GPO. We determined this was due to how Windows 10 provisions profiles on first logon. In order to fix this we had to ‘enable’ the following GPO:

User Configuration / Policies / Administrative Templates / Windows Components / Internet Explorer / Disable external branding of Internet Explorer

Sources:
https://msdn.microsoft.com/en-us/library/ms814824.aspx
https://social.technet.microsoft.com/Forums/windowsserver/en-US/85ca6bdb-bfc4-4fbb-9501-4a0a90492e17/home-page-gpo-keeps-resetting?forum=winserverGP

Enable the TPM chip for Lenovo workstations via WMI and PowerShell

For whatever reason the TPM chip was being set to disabled during our imaging process/checklist. This became an issue when we started rolling out MBAM/BitLocker. In order to remediate this we deployed a package using SCCM and PowerShell App Deployment Toolkit that would enable the TPM chip.

Thankfully Lenovo makes it easy to modify the BIOS settings from inside Microsoft Windows. There is one gotcha when enabling the TPM chip, though: the WMI call is different depending on whether the machine is a desktop or a laptop.

## Get all BIOS settings (for reference)
## gwmi -class Lenovo_BiosSetting -namespace root\wmi | ForEach-Object {if ($_.CurrentSetting -ne "") {Write-Host $_.CurrentSetting.replace(","," = ")}}

$Model = gwmi -Class Win32_ComputerSystemProduct

## Laptop
if ($Model.version.TrimEnd() -like "*ThinkPad*")
{
#enable TPM
(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("SecurityChip,Active")

#save settings
(gwmi -class Lenovo_SaveBiosSettings -namespace root\wmi).SaveBiosSettings()
}

## Desktop
if ($Model.version.TrimEnd() -like "*ThinkCentre*")
{
#enable TPM
(gwmi -class Lenovo_SetBiosSetting -namespace root\wmi).SetBiosSetting("TCG Security Feature,Active")

#save settings
(gwmi -class Lenovo_SaveBiosSettings -namespace root\wmi).SaveBiosSettings()
}
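
An added example, not the author's deployed script: the same change made idempotent and checked, so a deployment only reports success when the firmware accepted and saved the setting. It picks the setting name from what Lenovo_BiosSetting exposes instead of from the model string. The `$candidates` variable is hypothetical, and the code assumes the Lenovo methods report their status in a `return` string.

```powershell
# Added example (not from the original post).
# Setting names and the "Active" value are the two used in the script above.
$candidates = @('SecurityChip', 'TCG Security Feature')

# Each Lenovo_BiosSetting instance holds "Name,Value" in CurrentSetting.
$settings = Get-WmiObject -Namespace root\wmi -Class Lenovo_BiosSetting |
    Where-Object { $_.CurrentSetting }

$match = $null
foreach ($candidate in $candidates) {
    $match = $settings |
        Where-Object { $_.CurrentSetting -like "$candidate,*" } |
        Select-Object -First 1
    if ($match) { break }
}
if (-not $match) {
    Write-Warning 'No known TPM setting found on this model; nothing changed.'
    exit 1
}

# Split "Name,Value"; drop anything after ';' in case the firmware
# appends a list of allowed options to the value.
$name, $rest = $match.CurrentSetting -split ',', 2
$value = ($rest -split ';')[0].Trim()

if ($value -eq 'Active') {
    Write-Output "$name is already Active; nothing to do."
    exit 0
}

# Assumption: both methods return an object whose 'return' string is
# 'Success' when the firmware accepted the request.
$set = (Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting).SetBiosSetting("$name,Active")
if ($set.return -ne 'Success') {
    Write-Warning "SetBiosSetting returned '$($set.return)'; settings not saved."
    exit 1
}

$save = (Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings).SaveBiosSettings()
if ($save.return -ne 'Success') {
    Write-Warning "SaveBiosSettings returned '$($save.return)'."
    exit 1
}

Write-Output "$name changed from '$value' to 'Active'; reboot for it to take effect."
```

The non-zero exit codes let SCCM mark the deployment as failed on machines where the setting was not applied, so they can be followed up before the MBAM/BitLocker rollout reaches them.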

 

No entries in MBAM event logs

I came across an odd issue during my BitLocker/MBAM rollout. A small handful of workstations didn’t have any entries in the MBAM event logs (admin or operational) and if you ran manage-bde -status on these workstations you would get the following error:

ERROR: An error occurred (code 0x8004100e): Invalid namespace

This error prevented MBAM from automatically encrypting the hard drive.

To fix this do the following on the affected workstation:

Open up a command prompt as an administrator
Navigate to C:\Windows\System32\wbem
Run mofcomp.exe win32_encryptablevolume.mof

If successful you should see the following text:

Microsoft (R) MOF Compiler Version 6.1.7600.16385
Copyright (c) Microsoft Corp. 1997-2006. All rights reserved.
Parsing MOF file: win32_encryptablevolume.mof
MOF file has been successfully parsed
Storing data in the repository...
Done!

You should now see entries in the MBAM event logs and MBAM will now be able to encrypt the hard drive.