SCCM Collection Based on Baseline Compliance

select SMS_R_System.ResourceId,
SMS_R_System.ResourceType,
SMS_R_System.Name,
SMS_R_System.SMSUniqueIdentifier,
SMS_R_System.ResourceDomainORWorkgroup,
SMS_R_System.Client
from
SMS_R_System inner join SMS_G_System_CI_ComplianceState on SMS_G_System_CI_ComplianceState.ResourceID = SMS_R_System.ResourceId
Where
SMS_G_System_CI_ComplianceState.ComplianceStateName = "<ComplianceState>"
and SMS_G_System_CI_ComplianceState.LocalizedDisplayName = "<BaselineName>"
and SMS_G_System_CI_ComplianceState.CI_UniqueID = "<CI Unique ID>"

<ComplianceState> can be ‘compliant’ or ‘non-compliant’

<BaselineName> is the displayname of the Configuration Baseline

<CI Unique ID> is the unique ID e.g. ‘Scope_xxxx’

Source

Advertisements

Timing how long each group in a Task Sequence is Taking

I wanted a way to determine how long steps in an OS deployment TS were taking, until recently I thought the only window we had into this was running scripts as part of OSD or looking at Status Messages.

Then I found this view in the SCCM DB – v_TaskExecutionStatus

Like most views and tables in SCCM, each row has a ResourceID and contains information which looks very similar to the status messages. However, I have noticed that the Action Output is sometimes truncated (cut-off), and there are multiple rows for some steps.

Each row has fields called ActionName, GroupName, and ExecutionTime. Using these fields we should be able to build up a picture of how long each step and group is taking.

Initially, I started by querying all rows for a specific client which I knew had run a TS lately. This gave me all the information I needed, but if the client had run multiple task sequences it had entries for all the runs.

SELECT
	*
FROM
	v_TaskExecutionStatus AS ts
	inner join
	v_R_System AS s
		ON ts.ResourceID = s.ResourceID
WHERE
	s.Netbios_Name0 = '#HOSTNAME#'
ORDER BY
	ExecutionTime ASC

I then noticed that some steps would be listed incorrectly as Step 0, this was messing up the script I wrote to compare the time between one row and the next. I noticed each type of step was accompanied by a LastStatusMessageID field, using these IDs we can limit the query down to something more useful :

SELECT
	a.PackageName,
	s.Netbios_Name0,
	ts.ExecutionTime,
	ts.step,
	ts.GroupName,
	ts.LastStatusMessageID
FROM
	v_TaskExecutionStatus AS ts
	inner join
	v_R_System AS s
		ON ts.ResourceID = s.ResourceID
	inner join
	v_AdvertisementInfo as a
		on ts.AdvertisementID = a.AdvertisementID
WHERE
	s.Netbios_Name0 = '#HOSTNAME#'
	AND
	(LastStatusMessageID IN (11124,11127,11143)
	OR
	(LastStatusMessageID = 11140 AND step = 0))

ORDER BY
	ExecutionTime ASC

If the hostname / client has only run 1 TS, this query will return data on when it started (11140 & Step 0) as well as when each group started and completed. Using this and a bit of powershell we can establish the duration that each group takes to run.

This is just a snippet of the script on GitHub :


$table = (invoke-sql -dataSource $sccmsqlserver -database $sccmsqldb -sqlCommand $query).Tables[0]

$hash = DataTableToHashTable -table $table

$groupoutput = @()
foreach ($line in $hash)
{
    $thisgroupname = $line.GroupName
    if($line.LastStatusMessageID -eq 11124)
    {
        ## Start of Group
        $obj = [pscustomobject]@{
            GroupName = $line.GroupName
            ParentGroup = $null
            StartTime = $line.ExecutionTime
            EndTime = $null
            Duration = $null
            DurationSeconds = $null
        }
        $groupoutput += $obj
    } elseif ($line.LastStatusMessageID -eq 11127)
    {
        ## End of Group
        $findgroup = $groupoutput | ?{$_.GroupName -eq $line.GroupName}
        $findgroup.EndTime = $line.ExecutionTime
    }
}

## Calculate Duration of Each Group
$groupoutput | % {$_.Duration = $_.EndTime - $_.StartTime}

## Calculate Duration in Seconds
$groupoutput | % {$_.DurationSeconds = $_.Duration.TotalSeconds}
#endregion

If you output $groupoutput to a gridview you should see something like this :

ts_group_duration1

This is just an initial script, which I will improving in the future. Groups are often nested in a TS and we need to be able to see and understand this in the output. I also want to extend the extend the script to show the duration of individual steps.

Cireson ConfigMgr Ticker WMI Permissions Fix

We encountered an issue with the Cireson ConfigMgr Ticker App recently where it stopped working on some clients. The log was reporting WMI permissions issues…

ConfigMgr Ticker WMI Log Errors
Errors in the log caused by WMI permission problems.

I had a quick look on the product forum and found someone with the same issue.

The problem is the Ticker App install adds a permission to the following WMI Class, which at times SCCM resets back to default.

ROOT\ccm\Policy\Machine\RequestedConfig

You can check the permissions on this class using “wmimgmt.msc” -> right click on “WMI Control (local)” -> Properties -> Security Tab -> Expand tree to the class above -> Security. It should look like the screenshot below with the “HOSTNAME\Users” group having the “Enable Account” permission.

Screenshot of wmimgmt.msc permissions for Cireson ConfigMgr Ticker
Screenshot of wmimgmt.msc permissions for Cireson ConfigMgr Ticker

In certain circumstances, SCCM client repair and Windows 10 In-Place upgrade changes the permissions on this WMI class and it reverts back to default (the Users group is removed.) This breaks the Cireson Ticker App client.

Using a few blog posts I created a script to detect and remediate these permissions using a Configuration Manager Baseline.

Create a Configuration Item with a discovery script and remediation script

Discovery Script :
$namespace = "ROOT\ccm\Policy\Machine\RequestedConfig"
$computer = "localhost"
$compliance = "No"

Function Get-PermissionFromAccessMask($accessMask) {
    $WBEM_ENABLE            = 1
	$WBEM_METHOD_EXECUTE         = 2
    $WBEM_FULL_WRITE_REP           = 4
    $WBEM_PARTIAL_WRITE_REP     = 8
    $WBEM_WRITE_PROVIDER          = 0x10
    $WBEM_REMOTE_ACCESS            = 0x20
    $READ_CONTROL = 0x20000
    $WRITE_DAC = 0x40000

    $WBEM_RIGHTS_FLAGS = $WBEM_ENABLE,$WBEM_METHOD_EXECUTE,$WBEM_FULL_WRITE_REP,$WBEM_PARTIAL_WRITE_REP,$WBEM_WRITE_PROVIDER,$WBEM_REMOTE_ACCESS,$WBEM_RIGHT_SUBSCRIBE,$WBEM_RIGHT_PUBLISH,$READ_CONTROL,$WRITE_DAC
    $WBEM_RIGHTS_STRINGS ="Enable","MethodExecute","FullWrite","PartialWrite","ProviderWrite","RemoteAccess","Subscribe","Publish","ReadSecurity","WriteSecurity"

    $permission = @()
    for ($i = 0; $i -lt $WBEM_RIGHTS_FLAGS.Length; $i++) {
        if (($accessMask -band $WBEM_RIGHTS_FLAGS[$i]) -gt 0) {
            $permission += $WBEM_RIGHTS_STRINGS[$i]
        }
    }
    $permission
}

$INHERITED_ACE_FLAG = 0x10

$invokeparams = @{Namespace=$namespace;Path="__systemsecurity=@";Name="GetSecurityDescriptor";ComputerName=$computer}

if ($credential -eq $null) {
    $credparams = @{}
} else {
    $credparams = @{Credential=$credential}
}

$output = Invoke-WmiMethod @invokeparams @credparams
if ($output.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor failed: $($output.ReturnValue)"
}

$acl = $output.Descriptor
$usercoll = @()
foreach ($ace in $acl.DACL) {
    $user = New-Object System.Management.Automation.PSObject
    $user | Add-Member -MemberType NoteProperty -Name "Name" -Value "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
    $user | Add-Member -MemberType NoteProperty -Name "Permission" -Value (Get-PermissionFromAccessMask($ace.AccessMask))
    $user | Add-Member -MemberType NoteProperty -Name "Inherited" -Value (($ace.AceFlags -band $INHERITED_ACE_FLAG) -gt 0)
    if (($user.Name -eq "BUILTIN\Users") -and ($user.Permission -eq "Enable"))
    {
        $compliance = "Yes"
    }
}
$compliance
Remediation Script :
$namespace = "ROOT\ccm\Policy\Machine\RequestedConfig"
$operation = "Add"
$account = "BUILTIN\Users"
$allowInherit = $false
$deny = $false
$computer = "localhost"
[string[]] $permissions = "Enable"

$ErrorActionPreference = "Stop"

Function Get-AccessMaskFromPermission($permissions) {
 $WBEM_ENABLE = 1
 $WBEM_METHOD_EXECUTE = 2
 $WBEM_FULL_WRITE_REP = 4
 $WBEM_PARTIAL_WRITE_REP = 8
 $WBEM_WRITE_PROVIDER = 0x10
 $WBEM_REMOTE_ACCESS = 0x20
 $WBEM_RIGHT_SUBSCRIBE = 0x40
 $WBEM_RIGHT_PUBLISH = 0x80
 $READ_CONTROL = 0x20000
 $WRITE_DAC = 0x40000

 $WBEM_RIGHTS_FLAGS = $WBEM_ENABLE,$WBEM_METHOD_EXECUTE,$WBEM_FULL_WRITE_REP,$WBEM_PARTIAL_WRITE_REP,$WBEM_WRITE_PROVIDER,$WBEM_REMOTE_ACCESS,$READ_CONTROL,$WRITE_DAC
 $WBEM_RIGHTS_STRINGS ="Enable","MethodExecute","FullWrite","PartialWrite","ProviderWrite","RemoteAccess","ReadSecurity","WriteSecurity"

 $permissionTable = @{}

 for ($i = 0; $i -lt $WBEM_RIGHTS_FLAGS.Length; $i++) {
 $permissionTable.Add($WBEM_RIGHTS_STRINGS[$i].ToLower(),$WBEM_RIGHTS_FLAGS[$i])
 }

 $accessMask = 0

 foreach ($permission in $permissions)
 {
 if (-not $permissionTable.ContainsKey($permission.ToLower())) {
 throw "Unknown permission: $permission`nValid permissions: $($permissionTable.Keys)"
 }
 $accessMask += $permissionTable[$permission.ToLower()]
 }
 $accessMask
}

if ($PSBoundParameters.ContainsKey("Credential")) {
 $remoteparams = @{ComputerName=$computer;Credential=$credential}
} else {
 $remoteparams = @{}
}

$invokeparams = @{Namespace=$namespace;Path="__systemsecurity=@"} + $remoteParams

$output = Invoke-WmiMethod @invokeparams -Name GetSecurityDescriptor
if ($output.ReturnValue -ne 0) {
 throw "GetSecurityDescriptor failed: $($output.ReturnValue)"
}

$acl = $output.Descriptor
$OBJECT_INHERIT_ACE_FLAG = 0x1
$CONTAINER_INHERIT_ACE_FLAG = 0x2

$computerName = (Get-WmiObject @remoteparams Win32_ComputerSystem).Name

if ($account.Contains('\')) {
 $domainaccount = $account.Split('\')
 $domain = $domainaccount[0]
 if (($domain -eq ".") -or ($domain -eq "BUILTIN")) {
 $domain = $computerName
 }
 $accountname = $domainaccount[1]
} elseif ($account.Contains('@')) {
 $domainaccount = $account.Split('@')
 $domain = $domainaccount[1].Split('.')[0]
 $accountname = $domainaccount[0]
} else {
 $domain = $computerName
 $accountname = $account
}

$getparams = @{Class="Win32_Account";Filter="Domain='$domain' and Name='$accountname'"} + $remoteParams

$win32account = Get-WmiObject @getparams

if ($win32account -eq $null) {
 throw "Account was not found: $account"
}

switch ($operation) {
 "add" {
 if ($permissions -eq $null) {
 throw "-Permissions must be specified for an add operation"
 }
 $accessMask = Get-AccessMaskFromPermission($permissions)

 $ace = (New-Object System.Management.ManagementClass("win32_Ace")).CreateInstance()
 $ace.AccessMask = $accessMask
 if ($allowInherit) {
 $ace.AceFlags = $OBJECT_INHERIT_ACE_FLAG + $CONTAINER_INHERIT_ACE_FLAG
 } else {
 $ace.AceFlags = 0
 }

 $trustee = (New-Object System.Management.ManagementClass("win32_Trustee")).CreateInstance()
 $trustee.SidString = $win32account.Sid
 $ace.Trustee = $trustee

 $ACCESS_ALLOWED_ACE_TYPE = 0x0
 $ACCESS_DENIED_ACE_TYPE = 0x1

 if ($deny) {
 $ace.AceType = $ACCESS_DENIED_ACE_TYPE
 } else {
 $ace.AceType = $ACCESS_ALLOWED_ACE_TYPE
 }

 $acl.DACL += $ace.psobject.immediateBaseObject
 }

 "delete" {
 if ($permissions -ne $null) {
 throw "Permissions cannot be specified for a delete operation"
 }

 [System.Management.ManagementBaseObject[]]$newDACL = @()
 foreach ($ace in $acl.DACL) {
 if ($ace.Trustee.SidString -ne $win32account.Sid) {
 $newDACL += $ace.psobject.immediateBaseObject
 }
 }

 $acl.DACL = $newDACL.psobject.immediateBaseObject
 }

 default {
 throw "Unknown operation: $operation`nAllowed operations: add delete"
 }
}

$setparams = @{Name="SetSecurityDescriptor";ArgumentList=$acl.psobject.immediateBaseObject} + $invokeParams

$output = Invoke-WmiMethod @setparams
if ($output.ReturnValue -ne 0) {
 throw "SetSecurityDescriptor failed: $($output.ReturnValue)"
}

Settings for the CI :

baseline_config

Remove annoying Cortana Audio after 1703 OSD

When you build a W10 1703 machine with SCCM OSD, you may notice that once its complete you hear an audile voice saying something like ‘OK I got connected let’s check for updates’.

You can disable this with a simple command line task sequence step  :

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\OOBE" /v DisableVoice /t REG_DWORD /d 1 /f

SCCM Application Dependency Graph / Tree

Sometimes we have very complicated apps we have to deploy and need to view the application dependency tree to help investigate failed deployments. I found the built in view in the SCCM console clunky, buggy and annoying. So I wrote a small script to query WMI, list app dependencies and then output this visually using graphviz dot language.

The first thing the script does is query all the apps on your site server WMI for a search term. It then displays a list of applications in a grid view. You then choose which Application you want to create a dependency graph for. Once you have chosen one, the script will recurse through all the dependencies and build a graph.

It’s still in its infancy, it doesn’t highlight AND / OR relations and may have some redundant code that needs tiding up… But I find it useful to demonstrate to support staff why some applications take a while to deploy due to the complexity and amount of pre-reqs required!

  • Install graphviz for windows from here
  • Add an entry in your PATH environment varibale to the location of dot.exe – on Windows 10 for me it was : “C:\Program Files (x86)\Graphviz2.38\bin”
  • Download the script from Github Gist Here
  • Edit the variables in the script
    • $server – should be the management point server with the WMI Provider for your SCCM Site
    • $sitecode – should be the sitecode for your site
    • $graph_filetype – filetype of the output (I’ve only tested png, svg and pdf so far…)
    • $query – should be an application search string, the first thing the script will do is search and list the applications found using this. You can then choose which app you want to see the dependency tree for.
  • Run the script!
  • You should get two output files in the output directory
    • AppName.gv
    • AppName.(pdf/png/svg – depending on selected output filetype)
An example output png from the SCCM App Dependency Graph script.
An example output png from the SCCM App Dependency Graph script.

 

Filter SMSTS.logs to view only the main action steps (using cmtrace)

If you have a long Task Sequence with lots of steps and want to pinpoint when specific actions ran, you can filter the log using Entry Text contains “The action (” in cmtrace.

If some steps are missing you may need to merge in the rolled over logs which are named smsts-xxxxx.log

SMSTS Filter