April 27, 2021 by Trevor Jones

A case of the unexplained: Intune password policy and forced local account password changes

Having a password policy is a best practice for security of accounts, whether domain, local or wherever passwords are used. In the Windows world, domain accounts have a default domain password policy. Azure AD accounts have the Azure AD password policy. Accounts local to Windows can have a password policy too, and you can use Intune to set this if you want. In fact, if you deploy the Windows 10 Security baseline in Intune you will be deploying a password policy to your local accounts.

However, deploying a password policy on Windows with Intune can have an unexpected side effect: it can force a local account to change the password at next logon:

If you regular rotate the password for the local administrator account using a LAPS solution, for example, this becomes a right royal pain because password rotation will fail due to the requirement to change the password at next logon.

I first came across this issue when doing Windows Autopilot deployments. Our password rotation solution would fail to rotate the password on the local admin account on some machines. After some lengthy investigation with Microsoft, we discovered there was a compliance policy created in the old Silverlight Intune portal (which we could no longer access) and targeted to these users that was setting a password policy. Compliance policies created in the new portal in Azure override the policies in the old portal, but since no new compliance policy was created for Windows 10, the old policy was still in effect and was causing this issue.

Later I came across this again when rolling out the Windows 10 security baseline in Intune, which by default has a password policy. I noticed that our password rotation solution was failing on recently deployed Azure AD-joined devices, after we enabled the baseline.

What’s going on?!

So why does this happen? Well, when Intune sets a password policy it uses the DeviceLock policies in the Policy CSP. Under the hood, this is using the Exchange Active Sync policy engine to set the password policies, which was created back in the Windows 8 era to enforce some security policies on devices that sync with Exchange. Reading through the documentation, you come across this little nugget:

When password length and complexity rules are applied, all the control user and administrator accounts are marked to change the password at the next sign in to ensure complexity requirements are met.

All you have to do is enable a password policy and some default values will get set for password length and complexity, and these polices will require that a local administrator account change its password at next logon. The reason is that the policy doesn’t know if the currently set password meets the requirements of the policy. The only way it can be sure it complies is to force you to change it, and the new password must meet the policy requirements. In this way it can truthfully report whether the device is compliant to the policy.

Sounds reasonable, but forcing the password change breaks your LAPS solution as you cannot programmatically change the password, or even remove the requirement to change the password at next logon – you’ll get some nice errors if you try.

Logon Failure: EAS policy requires that the user change their password before this operation can be performed

When a password policy is set by Intune, you’ll see some registry keys set under HKLM:\Software\Microsoft\PolicyManager\current\device\DeviceLock.

You’ll also see some Exchange Active Sync keys set under HKLM:\System\CurrentControlSet\EAS\Policies

Once the EAS policies have applied, I could not find any way to override them. Removing the Intune password policy, deleting the EAS registry keys – for me, nothing worked. I still could not programmatically change the local admin password or remove the requirement to change the password at next logon.

The only thing that worked is to satisfy the policy – ie actually log in as the local administrator and change the password when prompted, or log in as another administrator account and use Local Users and Groups to change the password.

I should emphasise that this only affects local accounts, not domain, and the issue was not seen consistently on all machines where the security baseline was applied – it seemed to affect new or recently deployed machines – even those where password rotation had previously occurred successfully.

Since having to manually and interactively change a local admin password is not a feasible option at scale, I simply cannot recommend to use Intune to set a password policy if you are using a password rotation solution. Remember that a password policy can be set in different places in Intune – as part of a Windows 10 security baseline, as a configuration profile, using OMA-URIs directly, or with a compliance policy.

Is there a fix?

A workaround that has been successful for me is to use secedit to set a password policy for local accounts. This ageing utility still works nicely to deploy a local security configuration and it doesn’t use EAS policies so it doesn’t force local accounts to change their passwords to comply with the policy.

You can open secpol.msc on a test machine and set the password policy as you desire:

Then from an admin cmd, run secedit to export the configuration:

secedit /export /areas securitypolicy /cfg C:\Temp\seceditexport.txt

Open the text file and copy the parts of the policy that you want into a PowerShell script like so:

$INF = @"
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 180
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 60
LockoutDuration = 1440
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
[Version]
signature="`$CHICAGO`$"
Revision=1
"@

$null = New-Item -Path "$Env:SystemRoot\security\database" -Name secpolicy.inf -ItemType File -Value $INF -Force
$Process = Start-Process -FilePath Secedit.exe -ArgumentList "/configure /db secedit.sdb /cfg $Env:SystemRoot\security\database\secpolicy.inf /overwrite /quiet" -NoNewWindow -PassThru -Wait
$Process.ExitCode

Deploy this as a remediation script using Proactive remediations in Endpoint Analytics, or an MEMCM compliance item using a dummy detection method to ensure it runs regularly.

Just be careful to avoid policy conflict by only including security configurations (like password policy) that are not being set elsewhere, as for example the Windows 10 Security baseline in Intune will also set local account security policies.

April 20, 2021April 22, 2021 by Trevor Jones

Get the current patch level for Windows 10 with PowerShell

I was working on some updates to our unified reporting solution for Windows Updates (ie WUfB + MEMCM) and I wanted to figure out simply from the OS build number whether a Windows 10 workstation has the latest cumulative update installed. The only reliable and useable static list I could find for Windows 10 build numbers is Microsoft’s Windows 10 Update History web page, so I decided to build a PowerShell script that parses the page to get current patch info.

The script below can be used to report which OS build a Windows 10 workstation is currently on as well as which update is the latest update available to the device. It can also report on all Windows updates published for the version of Windows 10 a workstation is currently on.

Run the script as is to show you:

Current OS version
Current OS Edition
Current OS Build number
The installed update that corresponds to that build number, as well as the KB number and a link to the info page
The latest available update for the OS version

Get-CurrentPatchInfo

Compare the latest available update with the currently installed one to know if the OS is up-to-date.

If there are Preview or Out-of-band updates available that are more recent than the one you have installed, you can exclude those from being reported as a latest available update, so you can just focus on the cumulative updates.

Get-CurrentPatchInfo -ExcludePreview -ExcludeOutofBand

You can also list all Windows updates that Microsoft have published for your OS version like so:

Get-CurrentPatchInfo -ListAvailable

Again focus on just the cumulative updates if you want by excluding Preview and Out-of-band updates from the list:

Get-CurrentPatchInfo -ListAvailable -ExcludePreview -ExcludeOutofBand

Obviously the script does require internet access and I’ve tested it on PowerShell 5.1 and 7.1.

	[CmdletBinding()]
	Param(
	[switch]$ListAllAvailable,
	[switch]$ExcludePreview,
	[switch]$ExcludeOutofBand
	)
	$ProgressPreference = 'SilentlyContinue'
	$URI = "https://aka.ms/WindowsUpdateHistory" # Windows 10 release history

	Function Get-MyWindowsVersion {
	[CmdletBinding()]
	Param
	(
	$ComputerName = $env:COMPUTERNAME
	)

	$Table = New-Object System.Data.DataTable
	$Table.Columns.AddRange(@("ComputerName","Windows Edition","Version","OS Build"))
	$ProductName = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' –Name ProductName).ProductName
	Try
	{
	$Version = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' –Name ReleaseID –ErrorAction Stop).ReleaseID
	}
	Catch
	{
	$Version = "N/A"
	}
	$CurrentBuild = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' –Name CurrentBuild).CurrentBuild
	$UBR = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' –Name UBR).UBR
	$OSVersion = $CurrentBuild + "." + $UBR
	$TempTable = New-Object System.Data.DataTable
	$TempTable.Columns.AddRange(@("ComputerName","Windows Edition","Version","OS Build"))
	[void]$TempTable.Rows.Add($env:COMPUTERNAME,$ProductName,$Version,$OSVersion)

	Return $TempTable
	}

	Function Convert-ParsedArray {
	Param($Array)

	$ArrayList = New-Object System.Collections.ArrayList
	foreach ($item in $Array)
	{
	[void]$ArrayList.Add([PSCustomObject]@{
	Update = $item.outerHTML.Split('>')[1].Replace('</a','').Replace('—',' – ')
	KB = "KB" + $item.href.Split('/')[-1]
	InfoURL = "https://support.microsoft.com" + $item.href
	OSBuild = $item.outerHTML.Split('(OS ')[1].Split()[1] # Just for sorting
	})
	}
	Return $ArrayList
	}

	If ($PSVersionTable.PSVersion.Major -ge 6)
	{
	$Response = Invoke-WebRequest –Uri $URI –ErrorAction Stop
	}
	else
	{
	$Response = Invoke-WebRequest –Uri $URI –UseBasicParsing –ErrorAction Stop
	}

	If (!($Response.Links))
	{ throw "Response was not parsed as HTML"}
	$VersionDataRaw = $Response.Links \| where {$_.outerHTML -match "supLeftNavLink" -and $_.outerHTML -match "KB"}
	$CurrentWindowsVersion = Get-MyWindowsVersion –ErrorAction Stop

	If ($ListAllAvailable)
	{
	If ($ExcludePreview -and $ExcludeOutofBand)
	{
	$AllAvailable = $VersionDataRaw \| where {$_.outerHTML -match $CurrentWindowsVersion.'OS Build'.Split('.')[0] -and $_.outerHTML -notmatch "Preview" -and $_.outerHTML -notmatch "Out-of-band"}
	}
	ElseIf ($ExcludePreview)
	{
	$AllAvailable = $VersionDataRaw \| where {$_.outerHTML -match $CurrentWindowsVersion.'OS Build'.Split('.')[0] -and $_.outerHTML -notmatch "Preview"}
	}
	ElseIf ($ExcludeOutofBand)
	{
	$AllAvailable = $VersionDataRaw \| where {$_.outerHTML -match $CurrentWindowsVersion.'OS Build'.Split('.')[0] -and $_.outerHTML -notmatch "Out-of-band"}
	}
	Else
	{
	$AllAvailable = $VersionDataRaw \| where {$_.outerHTML -match $CurrentWindowsVersion.'OS Build'.Split('.')[0]}
	}
	$UniqueList = (Convert-ParsedArray –Array $AllAvailable) \| Sort OSBuild –Descending –Unique
	$Table = New-Object System.Data.DataTable
	[void]$Table.Columns.AddRange(@('Update','KB','InfoURL'))
	foreach ($Update in $UniqueList)
	{
	[void]$Table.Rows.Add(
	$Update.Update,
	$Update.KB,
	$Update.InfoURL
	)
	}
	Return $Table
	}

	$CurrentPatch = $VersionDataRaw \| where {$_.outerHTML -match $CurrentWindowsVersion.'OS Build'} \| Select –First 1
	If ($ExcludePreview -and $ExcludeOutofBand)
	{
	$LatestAvailablePatch = $VersionDataRaw \| where {$_.outerHTML -match $CurrentWindowsVersion.'OS Build'.Split('.')[0] -and $_.outerHTML -notmatch "Out-of-band" -and $_.outerHTML -notmatch "Preview"} \| Select –First 1
	}
	ElseIf ($ExcludePreview)
	{
	$LatestAvailablePatch = $VersionDataRaw \| where {$_.outerHTML -match $CurrentWindowsVersion.'OS Build'.Split('.')[0] -and $_.outerHTML -notmatch "Preview"} \| Select –First 1
	}
	ElseIf ($ExcludeOutofBand)
	{
	$LatestAvailablePatch = $VersionDataRaw \| where {$_.outerHTML -match $CurrentWindowsVersion.'OS Build'.Split('.')[0] -and $_.outerHTML -notmatch "Out-of-band"} \| Select –First 1
	}
	Else
	{
	$LatestAvailablePatch = $VersionDataRaw \| where {$_.outerHTML -match $CurrentWindowsVersion.'OS Build'.Split('.')[0]} \| Select –First 1
	}


	$Table = New-Object System.Data.DataTable
	[void]$Table.Columns.AddRange(@('OSVersion','OSEdition','OSBuild','CurrentInstalledUpdate','CurrentInstalledUpdateKB','CurrentInstalledUpdateInfoURL','LatestAvailableUpdate','LastestAvailableUpdateKB','LastestAvailableUpdateInfoURL'))
	[void]$Table.Rows.Add(
	$CurrentWindowsVersion.Version,
	$CurrentWindowsVersion.'Windows Edition',
	$CurrentWindowsVersion.'OS Build',
	$CurrentPatch.outerHTML.Split('>')[1].Replace('</a','').Replace('—',' – '),
	"KB" + $CurrentPatch.href.Split('/')[-1],
	"https://support.microsoft.com" + $CurrentPatch.href,
	$LatestAvailablePatch.outerHTML.Split('>')[1].Replace('</a','').Replace('—',' – '),
	"KB" + $LatestAvailablePatch.href.Split('/')[-1],
	"https://support.microsoft.com" + $LatestAvailablePatch.href
	)
	Return $Table

view raw Get-CurrentPatchInfo.ps1 hosted with ❤ by GitHub

November 23, 2020 by Trevor Jones

PowerBI Reports for Windows 10 Feature Update Compliance

This morning I saw an interesting tweet from Sandy Zeng with a Log Analytics workbook she’d created for W10 feature updates based on Update Compliance data. I’d been meaning to create a similar report for that myself in PowerBI for some time, so I took inspiration from her tweet and got to work on something!

Microsoft’s Update Compliance solution can be used to report on software updates and feature updates status across your estate from Windows telemetry data. If you use Desktop Analytics, you can even combine the data for richer reporting.

Log Analytics allows exporting of queries in Power Query M formula language, which can be imported into PowerBI to create some nice reports.

Here’s a screenshot of what I ended up with. You can filter the data to view devices with Safeguard holds, for example, which since Windows 10 2004 has been a show stopper for many wanting to upgrade…

There are pages for 2004 and 20H2, as well as a page listing some of the known Safeguard hold IDs that have been publicly disclosed by Microsoft.

You can download this report for your own use with the links below. Note I have created two reports – the first assumes you have both Update Compliance and Desktop Analytics using the same Log Analytics workspace. If this is not the case for you, download the second report which doesn’t link to DA data and just uses Update Compliance. The only data I’ve included from DA is the make and model since these can be helpful in analysing devices affected by Safeguard holds.

Windows 10 Feature Update Compliance

Windows 10 Feature Update Compliance (no DA)

To create your own report, you’ll need the latest version of PowerBI desktop installed, with preview support for dynamic M query parameters.

Open PowerBI and go to File > Options and settings > Options > Preview features and enable Dynamic M Query Parameters.

Restart PowerBI and open the downloaded PBI template. Upon opening, you’ll be prompted for the Log Analytics workspace ID. You can find this on the Overview pane of your workspace in the Azure portal.

The reports contain data with a timespan of the last 48 hours, but you can change this if you want by editing the queries in the Advanced editor, and changing the value “P2D”.

You also might want to play around with the LastScan filter so you only get devices with a recent scan date, and avoid duplicates.

Hope it’s helpful!

November 12, 2020 by Trevor Jones

Prevent Users from Disabling Toast Notifications – Can it be Done?

Another toast notifications post – this time to deal with an issue where users have turned off toast notifications. In my deployment of Windows 10 feature updates for example, I use toast notifications to inform users an update is available. Once we hit the installation deadline, the notifications become more aggressive and display more frequently and do not leave the screen unless the user actions or dismisses them. But we found that some users turn off toast notifications altogether – perhaps they just don’t like any notifications, or perhaps they don’t like being reminded to install the feature update.

In any case, since toast notifications are a key communications channel with our users, it’s important for us that they stay enabled.

Users can disable toast notifications in Settings > System > Notification & actions – simply turn off the setting Get notifications from apps and other senders.

There is also a group policy setting that can disable toast notifications and lock the setting so the user can’t turn it back on.

However, I was surprised to find no setting to do the opposite thing – turn notifications on and lock the setting preventing the user from turning them off..

What I did find is a registry key that enables or disables toast notifications in the user context, but it doesn’t take effect without restarting a service called Windows Push Notifications User Service.

Here’s the registry key. Setting it to 1 enables notifications and 0 disables.

Because this is not being done by group policy, you can’t lock the setting unfortunately. But what you can do is use a Configuration Manager compliance baseline, or even Proactive remediations in MEM, to detect and remediate and turn notifications back on if a user has turned them off. It needs to run with sufficient frequency to be effective.

Here is a detection script for MEMCM that will check the registry key and if it exists and is set to zero, will flag non-compliance.

$ToastEnabled = Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" -Name ToastEnabled -ErrorAction SilentlyContinue | Select -ExpandProperty ToastEnabled
If ($ToastEnabled -eq 0)
{
    Write-host "Not compliant"
}
Else
{
    Write-host "Compliant"
}

And here’s a remediation script that will set the registry key to the ‘enabled’ value, and restart the push notifications service.

Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" -Name ToastEnabled -Value 1 -Force
Get-Service -Name WpnUserService* | Restart-Service -Force

Remember to run these in the user context and allow remediation.

With this active, we can’t completely prevent users from turning off notifications altogether, but if they do, we’ll turn them back on. If they want to fight with the remediation, that’s on them 🙂

January 20, 2020 by Trevor Jones

Get Previous and Scheduled Evaluation Times for ConfigMgr Compliance Baselines with PowerShell

I was testing a compliance baseline recently and wanted to verify if the schedule defined in the baseline deployment is actually honored on the client. I set the schedule to run every hour, but it was clear that it did not run every hour and that some randomization was being used.

To review the most recent evaluation times and the next scheduled evaluation time, I had to read the scheduler.log in the CCM\Logs directory, because I could only find a single last evaluation time recorded in WMI.

The following PowerShell script reads which baselines are currently deployed to the local machine, displays a window for you to choose one, then basically reads the Scheduler log to find when the most recent evaluations were and when the next one is scheduled.

      
        ##############################################################
      
        ##                                                          ##
      
        ## Reads the most recent and next scheduled evaluation time ##
      
        ## for deployed Compliance Baselines from the Scheduler.log ##
      
        ##                                                          ##
      
        ##############################################################
      
        #requires -RunAsAdministrator
      
        # Get Baselines from WMI
      
        # Excludes co-management policies
      
        Try
      
        {  
      
            $Instances = Get-CimInstance –Namespace ROOT\ccm\dcm –ClassName SMS_DesiredConfiguration –Filter "PolicyType!=1" –OperationTimeoutSec 5 –ErrorAction Stop | Select DisplayName,IsMachineTarget,Name
      
        }
      
        Catch
      
        {
      
            Throw "Couldn't get baseline info from WMI: $_"
      
        }
      
        If ($Instances.Count -eq 0)
      
        {
      
            Throw "No deployed baselines found!"   
      
        }
      
        # Datatable to hold the baselines for the WPF window
      
        $DataTable = New-Object System.Data.DataTable
      
        [void]$DataTable.Columns.Add("DisplayName")
      
        [void]$DataTable.Columns.Add("IsMachineTarget")
      
        foreach ($Instance in ($Instances | Sort DisplayName))
      
        {
      
            [void]$DataTable.Rows.Add($Instance.DisplayName,$Instance.IsMachineTarget)
      
        }
      
        # WPF Window for baseline selection
      
        Add-Type –AssemblyName PresentationFramework,PresentationCore,WindowsBase
      
        $Window = New-Object System.Windows.Window
      
        $Window.WindowStartupLocation = [System.Windows.WindowStartupLocation]::CenterScreen
      
        $Window.SizeToContent = [System.Windows.SizeToContent]::WidthAndHeight
      
        $window.ResizeMode = [System.Windows.ResizeMode]::NoResize
      
        $Window.Title = "DOUBLE-CLICK A BASELINE TO SELECT"
      
        $DataGrid = New-Object System.Windows.Controls.DataGrid
      
        $DataGrid.ItemsSource = $DataTable.DefaultView
      
        $DataGrid.CanUserAddRows = $False
      
        $DataGrid.IsReadOnly = $true
      
        $DataGrid.SelectionMode = [System.Windows.Controls.DataGridSelectionMode]::Single
      
        $DataGrid.Height = "NaN"
      
        $DataGrid.MaxHeight = "250"
      
        $DataGrid.Width = "NaN"
      
        $DataGrid.AlternatingRowBackground = "#e6ffcc"
      
        $DataGrid.Add_MouseDoubleClick({
      
            $script:SelectedRow = $This.SelectedValue
      
            $Window.Close()
      
        })
      
        $Window.AddChild($DataGrid)
      
        [void]$Window.ShowDialog()
      
        If (!$SelectedRow)
      
        {
      
            Throw "No baseline was selected!"
      
        }
      
        # If the baseline is user-targetted
      
        If ($SelectedRow.row.IsMachineTarget -eq $false)
      
        {
      
            # Get Logged-on user SID
      
            $LogonUIRegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI"
      
            #Could also use this:
      
            #Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\SMS\CurrentUser -Name UserSID -ErrorAction Stop
      
            $Property = "LastLoggedOnUserSID"
      
            $LastLoggedOnUserSID = Get-ItemProperty –Path $LogonUIRegPath –Name $Property | Select –ExpandProperty $Property
      
            $LastLoggedOnUserSIDUnderscore = $LastLoggedOnUserSID.Replace('–','_')
      
            $Namespace = "ROOT\ccm\Policy\$LastLoggedOnUserSIDUnderscore\ActualConfig"
      
        }
      
        Else
      
        {
      
            $Namespace = "ROOT\ccm\Policy\Machine\ActualConfig"
      
        }
      
        # Get assignment info
      
        $BaselineName = $SelectedRow.Row.DisplayName
      
        $Pattern = [Regex]::Escape($BaselineName)
      
        $CIAssignment = Get-CimInstance –Namespace $Namespace –ClassName CCM_DCMCIAssignment | where {$_.AssignmentName -match $Pattern}
      
        $AssignmentIDs = $CIAssignment | Select AssignmentID,AssignmentName
      
        Write-host "Baseline: $BaselineName" –ForegroundColor Magenta
      
        foreach ($AssignmentID in $AssignmentIDs)
      
        {
      
            # Read the scheduler log
      
            $Log = "$env:SystemRoot\CCM\Logs\Scheduler.log"
      
            If ($SelectedRow.row.IsMachineTarget -eq $false)
      
            {
      
                $LogEntries = Select-String –Path $Log –SimpleMatch "$LastLoggedOnUserSID/$($AssignmentID.AssignmentID)"
      
            }
      
            Else
      
            {
      
                $LogEntries = Select-String –Path $Log –SimpleMatch "Machine/$($AssignmentID.AssignmentID)"
      
            }
      
            If ($LogEntries)
      
            {
      
                # Get the previous evaluations date/time
      
                $Evaluations = New-Object System.Collections.ArrayList
      
                $EvaluationEntries = $LogEntries | where {$_ -match "SMSTrigger"}
      
                Foreach ($Entry in $EvaluationEntries)
      
                {
      
                    $Time = $Entry.Line.Split('=')[1]
      
                    $Date = $Entry.Line.Split('=')[2]
      
                    $a = $Time.Split()[0].trimend().replace('"','')
      
                    $b = $Date.Split()[0].trimend().replace('"','').replace('–','/')
      
                    $Time = (Get-Date $a).ToLongTimeString()
      
                    $Date = [DateTime]"$b $Time"
      
                    $LocalDate = Get-Date $date –Format (Get-Culture).DateTimeFormat.RFC1123Pattern
      
                    [void]$Evaluations.Add($LocalDate)
      
                }
      
                # Get the next scheduled evaluation date/time
      
                $LastEvaluation = $EvaluationEntries | Select –Last 1
      
                $date = $LastEvaluation.Line.Split()[8]
      
                $time = $LastEvaluation.Line.Split()[9]
      
                $ampm = $LastEvaluation.Line.Split()[10]
      
                $NextEvaluation = [DateTime]"$date $time $ampm"
      
                $NextEvaluationLocal = Get-Date $NextEvaluation –Format (Get-Culture).DateTimeFormat.RFC1123Pattern
      
                # Return the results
      
                Write-Host "Assignment: $($AssignmentID.AssignmentName)" –ForegroundColor Green
      
                Write-host "Last Evaluations:"
      
                foreach ($Evaluation in $Evaluations)
      
                {
      
                    Write-host "  $Evaluation" –ForegroundColor Yellow
      
                }
      
                Write-host "Next Scheduled Evaluation:"
      
                Write-Host "  $NextEvaluationLocal" –ForegroundColor Yellow
      
            }
      
            Else
      
            {
      
                Write-Host "No log entries found!" –ForegroundColor Red
      
            }
      
        }

view raw Get-CMBaselineEvaluations.ps1 hosted with ❤ by GitHub

May 25, 2017 by Trevor Jones

Inventory Local Administrator Privileges with PowerShell and ConfigMgr

Any security-conscious enterprise will want to have visibility of which users have local administrator privilege on any given system, and if you are an SCCM administrator then the job of gathering this information will likely be handed to you!

However, this task may not be as simple as it seems. Gathering the membership of the local administrators group is one thing, but perhaps more important to know is whether the primary user of a system has administrator privileges. If that user is a member of a group that has been added to the local administrators group, then it isn’t immediately obvious whether they actually have administrator rights without also checking the membership of that group. And what if there are further nested groups – ie the user is a member of a group that’s a member of a group that’s a member of the local administrators group?! Obviously things can get complicated here, making reporting and compliance checking a challenge.

Thankfully, PowerShell can handle complication quite nicely, and ConfigMgr is more than capable as a both a delivery vehicle and a reporting mechanism, so the good news is – we can do this!

The following solution uses PowerShell to gather local administrator information and stamp it to the local registry. A Compliance item in SCCM is used as the delivery vehicle for the script and then RegKeyToMof is used to update the hardware inventory classes in SCCM to gather this information from the client’s registry into the SCCM database, where we can query and report on it.

Gathering Local Administrator Information with PowerShell

To start with, let’s have a look at some of the PowerShell code and the information we will gather with it.

First, we need to identify who is the primary user of the system. Since the script is running locally on the client computer, we will not use User Device Affinity. True, UDA information is stored in WMI in the CCM_UserAffinity class, in the ROOT\CCM\Policy\Machine\ActualConfig namespace. But this class can contain multiple instances so you can’t always determine the primary user that way.

A better way is to use the SMS_SystemConsoleUsage class in the ROOT\cimv2\sms namespace and query the TopConsoleUser property. This will give you the user account who has had the most interactive logons on the system and for the most part will indicate who the primary user is.


$TopConsoleUser = Get-WmiObject -Namespace ROOT\cimv2\sms -Class SMS_SystemConsoleUsage -Property TopConsoleUser -ErrorAction Stop | Select -ExpandProperty TopConsoleUser

Next, to find if the user is a local admin or not, we will not simply query the local administrator group membership and check if the user is in there. Instead we will create a WindowsIdentity object in .Net and run a method called HasClaim(). I describe this more in a previous blog, but using this method we can determine if the user has local administrator privilege whether through direct membership or through a nested group.


$ID = New-Object Security.Principal.WindowsIdentity -ArgumentList $TopConsoleUser
$IsLocalAdmin = $ID.HasClaim('http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid','S-1-5-32-544')
$ID.Dispose()

The SID for the local admin group (S-1-5-32-544) is used as this is the same across all systems. This will only work for domain accounts as it uses kerberos to create the identity.

Now we will also get the local administrator group membership using the following code (more .Net stuff), and filter just the SamAccountNames.


Add-Type -AssemblyName System.DirectoryServices.AccountManagement -ErrorAction Stop
$ContextType = [System.DirectoryServices.AccountManagement.ContextType]::Machine
$PrincipalContext = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ContextType, $($env:COMPUTERNAME) -ErrorAction Stop
$IdentityType = [System.DirectoryServices.AccountManagement.IdentityType]::Name
$GroupPrincipal = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($PrincipalContext, $IdentityType, “Administrators”)
$LocalAdminMembers = $GroupPrincipal.Members | select -ExpandProperty SamAccountName | Sort-Object
$PrincipalContext.Dispose()
$GroupPrincipal.Dispose()

Next, if the user is a local admin through nested group membership, I will call a custom function which will check the nested group membership within the local admin group, for the user account. Let’s say that Group B is a member of Group A, which is a member of the local administrators group. We will check the membership of both Groups B and A to see which ones the user is a member of, and therefore which group/s is effectively giving the user administrator privilege. We do this by querying the $GroupPrincipal object created in the previous code. The custom function will query nested membership up to 3 levels deep.

Now I will query the Install Date for the operating system, since in some cases where a machine is newly built, the TopConsoleUser may not yet be the primary user of the system, but the admin who built the machine, for example. This date helps to identify any such systems.


[datetime]$InstallDate = [System.Management.ManagementDateTimeConverter]::ToDateTime($(Get-WmiObject win32_OperatingSystem -Property InstallDate -ErrorAction Stop | Select -ExpandProperty InstallDate)) | Get-date -Format 'yyyy-MM-dd HH:mm:ss'

Now we gather all this information into a datatable, and call another custom function to write it to the local registry. I use the following registry key, but you can change this in the script if you wish:

HKLM:SOFTWARE\IT_Local\LocalAdminInfo

The script will create the key if it doesn’t exist.

Here’s an example of the kind of data that will be gathered:

You can see in this example, that my user account is a local administrator both by direct membership and through nested groups. The actual groups that grant this right are listed in the NestedGroupMembership property.

Create a Compliance Item

Now lets go ahead and create a compliance item in SCCM to run this script.

In the Console, navigate Assets and Compliance > Compliance Settings > Configuration Items.

Click Create Configuration Item

Click Next and select which OS’s you will target. Remember the Windows XP and Server 2003 may not have PowerShell installed.

Click Next again, then click New to create a new setting.

Choose Script as the setting type, and String as the data type.

Now we need to add the scripts. You can download both the discovery and remediation scripts from my Github repo here:

https://github.com/SMSAgentSoftware/ConfigMgr/tree/master/PowerShell%20Scripts/Compliance%20Settings/LocalAdministratorInfo

Click Add Script and paste or open the relevant script for each. Make sure Windows Powershell is selected as the script language.

The discovery script simply checks whether the script has been run in the last 15 minutes, and if not returns non-compliant. This allows the script to run according to the schedule you define for it, ie once a day or once a week etc, to keep the information up-to-date in the registry.

The remediation script does the hard work 🙂

Click OK to close the Create Setting window.

Click Next, then click New to create a new Compliance Rule as follows:

Click OK to close, then Next, Next and Close to finish.

Create a Configuration Baseline

Click on Configuration Baselines and Create Configuration Baseline to create a new baseline.

Give it a name, click Add and add the Configuration Item you just created.

Click OK to close.

Deploy the Baseline

Right-click the baseline and choose Deploy. Make sure to remediate noncompliance and select the collection you wish to target.

Update SCCM Hardware Inventory

Creating the MOF Files

For this part you will need the excellent RegKeyToMOF utility, which you can download from here:

https://gallery.technet.microsoft.com/RegKeyToMof-28e84c28

You will also need to do this on a machine that has either run the remediation script to create the registry keys, or has run the configuration baseline.

Open RegKeyToMOF and browse to the registry key:

HKLM:SOFTWARE\IT_Local\LocalAdminInfo

You can deselect the ‘Enable 64bits …’ option as the registry key is not located in the WOW6432Node.

Click Save MOF to save the required files.

Copy the SMSDEF.mof and the CM12Import.mof to your SCCM site server.

Update Client Settings

In the SCCM console, navigate Administration > Site Configuration > Client Settings. Open your default client settings and go to the Hardware Inventory page.

Click Set Classes…, then Import…

Browse to the CM12Import.mof and click Import.

Close the Client Settings windows.

Update Configuration.mof

Now open your configuration.mof file at <ConfigMgr Installation Directory> \inboxes\clifiles.src\hinv.

In the section at the bottom for adding extensions, which starts like this…

//========================
// Added extensions start
//========================

…paste the contents of the SMSDEF.mof file. Save and close the file.

Reporting

Now that you’ve deployed the configuration item and updated the SCCM hardware inventory, a new view called dbo.v_GS_LocalAdminInfo0 has been added to the SCCM database. Note that initially there will be no data here until your clients have updated their policies, ran the configuration baseline, and ran the hardware inventory cycle.

You can query using the Queries node in the SCCM console…

…or create yourself a custom SCCM report, create an Excel report with a SQL data connection, query the SCCM database with PowerShell – whatever method you need or prefer.

Here is a sample SQL query that will query the view and add some client health data and the chassis type to help distinguish between desktop, laptops, servers etc.


Select
  ComputerName0 as 'ComputerName',
  Case When enc.ChassisTypes0 = 1 then 'Other'
    when enc.ChassisTypes0 = 2 then 'Unknown'
    when enc.ChassisTypes0 = 3 then 'Desktop'
    when enc.ChassisTypes0 = 4 then 'Low Profile Desktop'
    when enc.ChassisTypes0 = 5 then 'Pizza Box'
    when enc.ChassisTypes0 = 6 then 'Mini Tower'
    when enc.ChassisTypes0 = 7 then 'Tower'
    when enc.ChassisTypes0 = 8 then 'Portable'
    when enc.ChassisTypes0 = 9 then 'Laptop'
    when enc.ChassisTypes0 = 10 then 'Notebook'
    when enc.ChassisTypes0 = 11 then 'Hand Held'
    when enc.ChassisTypes0 = 12 then 'Docking Station'
    when enc.ChassisTypes0 = 13 then 'All in One'
    when enc.ChassisTypes0 = 14 then 'Sub Notebook'
    when enc.ChassisTypes0 = 15 then 'Space-Saving'
    when enc.ChassisTypes0 = 16 then 'Lunch Box'
    when enc.ChassisTypes0 = 17 then 'Main System Chassis'
    when enc.ChassisTypes0 = 18 then 'Expansion Chassis'
    when enc.ChassisTypes0 = 19 then 'SubChassis'
    when enc.ChassisTypes0 = 20 then 'Bus Expansion Chassis'
    when enc.ChassisTypes0 = 21 then 'Peripheral Chassis'
    when enc.ChassisTypes0 = 22 then 'Storage Chassis'
    when enc.ChassisTypes0 = 23 then 'Rack Mount Chassis'
    when enc.ChassisTypes0 = 24 then 'Sealed-Case PC'
    else 'Unknown'
  End as 'Chassis Type',
  TopConsoleUser0 as 'Primary User',
  TopConsoleUserIsAdmin0 as 'Primary User is Admin?',
  AdminGroupMembershipType0 as 'Primary User Local Admin Group Membership Type',
  LocalAdminGroupMembership0 as 'Local Admin Group Membership',
  NestedGroupMembership0 as 'Primary User Local Admin Nested Group Membership',
  OSAgeInDays0 as 'OS Age (days)',
  OSInstallDate0 as 'OS Installation Date',
  LastUpdated0 as 'Last Updated Date',
  la.TimeStamp as 'HW Inventory Date',
  ch.ClientStateDescription,
  ch.LastActiveTime
from dbo.v_GS_LocalAdminInfo0 la
join v_R_System sys on la.ComputerName0 = sys.Name0
left join v_GS_SYSTEM_ENCLOSURE enc on sys.ResourceID = enc.ResourceID
left join v_CH_ClientSummary ch on sys.ResourceID = ch.ResourceID
where ComputerName0 is not null
  and enc.ChassisTypes0 <> 12

March 15, 2017 by Trevor Jones

New Free Tool: ConfigMgr Remote Compliance

Today I released a new free tool for ConfigMgr administrators and support staff.

ConfigMgr Remote Compliance can be used to view, evaluate and report on System Center Configuration Manager Compliance Baselines on a remote computer. It provides similar functionality to the Configurations tab of the Configuration Manager Control Panel, but for remote computers. It is a useful troubleshooting tool for remotely viewing client compliance, evaluating baselines, viewing the evaluation report or opening DCM log files from the client, without needing to access the client computer directly.

ConfigMgr Remote Compliance can be downloaded from here.

Source code for this application is available on GitHub and code contributions are welcome.

March 8, 2017 by Trevor Jones

Deploying Custom Microsoft Office Templates with System Center Configuration Manager

Some time ago a wrote a blog describing a way to deploy custom templates for Microsoft Office applications using SCCM Compliance Settings. Since then, I have re-written the solution into something much more manageable as the previous incarnation was not very clearly defined in how to update templates, and involved some considerable admin overhead. This updated solution is much improved and better manages the lifecycle of your custom templates, including updating, adding and retiring templates. Much of this process is now automated using PowerShell, and I have removed the need to manually specify all the template file names in the scripts so it is also much easier to set up and deploy.

It is relatively detailed, so instead of writing a blog I put this into a free PDF guide which you can download from here:

Deploying Custom Microsoft Office Templates with System Center Configuration Manager

February 21, 2017 by Trevor Jones

Export / Backup Compliance Setting Scripts with PowerShell

In my SCCM environment I have a number of Compliance Settings that use custom scripts for discovery and remediation, and recently it dawned on me that a lot of time has been spent on these and it would be good to create a backup of those scripts. It would also be useful to be able to export the scripts so they could be edited and tested before being updated in the Configuration Item itself. So I put to together this PowerShell script which does just that!

The Configuration Item scripts are stored in an XML definition, and this can be read from the SCCM database directly and parsed with PowerShell, so that’s what this script does. It will load all the Configuration Items into a datatable from a SQL query, then go through each one looking for any settings that have scripts defined. These scripts will be exported in their native file format.

You could then edit those scripts, or add the export location to your file/folder backup for an extra level of protection for your hard work!

Here you can see an example of the output for my “Java Settings” Configuration item. A subdirectory is created for the current package version, then subdirectories under that for each Configuration setting, then the discovery and remediation scripts for that setting.

Exported Configuration Item Scripts

Note that the script will only process Compliance Items with a CIType_ID of 3, which equates to the Operating System type you will see in the SCCM console for the Configuration Item, which is the type that may use a script as the discovery source.

Export-CMConfigurationItemScripts.ps1

<#

.Synopsis

   Exports all scripts (discovery and remediation) used in all SCCM Compliance Setting Configuration Items

.DESCRIPTION

   This script connects to the SCCM database to retrieve all Compliance Setting Configuration Items. It then processes each item looking for

   discovery and remediation scripts for the current (latest) version. It will export any script found into a directory structure.

.NOTES

    Requirements – 'db_datareader' permission to the SCCM SQL database with the account running this script.

    Parameters – set the parameters below as required

#>

################

## PARAMETERS ##

################

# Root directory to export the scripts to

$RootDirectory = "C:\temp" 

# Name of the subdirectory to create

$SubDirectory = "Compliance_Settings_CI_Scripts"

# SCCM SQL Server (and instance where applicable)

$SQLServer = 'mysqlserver\inst_sccm'

# SCCM Database name

$Database = 'CM_ABC'

##################

## SCRIPT START ##

##################

# Create the subdirectory if doesn't exist

If (!(Test-Path "$RootDirectory\$SubDirectory"))

{

    New-Item –Path "$RootDirectory" –Name "$SubDirectory" –ItemType container | Out-Null

}

# Define the SQL query

$Query = "

Select * from dbo.v_ConfigurationItems

where CIType_ID = 3

and IsLatest = 'true'"

# Run the SQL query

$connectionString = "Server=$SQLServer;Database=$Database;Integrated Security=SSPI"

$connection = New-Object –TypeName System.Data.SqlClient.SqlConnection

$connection.ConnectionString = $connectionString

$connection.Open()

$command = $connection.CreateCommand()

$command.CommandText = $Query

$reader = $command.ExecuteReader()

$ComplianceItems = New-Object –TypeName 'System.Data.DataTable'

$ComplianceItems.Load($reader)

$connection.Close()

# Process each compliance item returned

$ComplianceItems | foreach {

    # Set some variables

    $PackageVersion = "v $($_.SDMPackageVersion)"

    [xml]$Digest = $_.SDMPackageDigest

    $CIName = $Digest.ChildNodes.OperatingSystem.Annotation.DisplayName.Text

    # Create subdirectory structure if doesn't exist: configuration item name > current package version

    If (!(Test-Path "$RootDirectory\$SubDirectory\$CIName"))

    {

        New-Item –Path "$RootDirectory\$SubDirectory" –Name "$CIName" –ItemType container | Out-Null

    }

    If (!(Test-Path "$RootDirectory\$SubDirectory\$CIName\$PackageVersion"))

    {

        New-Item –Path "$RootDirectory\$SubDirectory\$CIName" –Name "$PackageVersion" –ItemType container | Out-Null

    }

    # Put each compliance item setting in XML format into an arraylist for quick processing

    $Settings = New-Object System.Collections.ArrayList

    $Digest.DesiredConfigurationDigest.OperatingSystem.Settings.RootComplexSetting.SimpleSetting | foreach {

        [void]$Settings.Add([xml]$_.OuterXml)

        }

    # Process each compliance item setting

    $Settings | foreach {

        # Only process if this setting has a script source

        If ($_.SimpleSetting.ScriptDiscoverySource)

        {

            # Set some variables

            $SettingName = $_.SimpleSetting.Annotation.DisplayName.Text

            $DiscoveryScriptType = $_.SimpleSetting.ScriptDiscoverySource.DiscoveryScriptBody.ScriptType

            $DiscoveryScript = $_.SimpleSetting.ScriptDiscoverySource.DiscoveryScriptBody.'#text'

            $RemediationScriptType = $_.SimpleSetting.ScriptDiscoverySource.RemediationScriptBody.ScriptType

            $RemediationScript = $_.SimpleSetting.ScriptDiscoverySource.RemediationScriptBody.'#text'

            # Create the subdirectory for this setting if doesn't exist

            If (!(Test-Path "$RootDirectory\$SubDirectory\$CIName\$PackageVersion\$SettingName"))

            {

                New-Item "$RootDirectory\$SubDirectory\$CIName\$PackageVersion" –Name $SettingName –ItemType container –Force | Out-Null

            }

            # If a discovery script is found

            If ($DiscoveryScript)

            {

                # Set the file extension based on the script type

                Switch ($DiscoveryScriptType)

                {

                    Powershell { $Extension = "ps1" }

                    JScript { $Extension = "js" }

                    VBScript { $Extension = "vbs" }            

                }

                # Export the script to a file

                New-Item –Path "$RootDirectory\$SubDirectory\$CIName\$PackageVersion\$SettingName" –Name "Discovery.$Extension" –ItemType file –Value $DiscoveryScript –Force | Out-Null

            }

            # If a remediation script is found

            If ($RemediationScript)

            {

                # Set the file extension based on the script type

                Switch ($RemediationScriptType)

                {

                    Powershell { $Extension = "ps1" }

                    JScript { $Extension = "js" }

                    VBScript { $Extension = "vbs" }  

                }

                # Export the script to a file

                New-Item –Path "$RootDirectory\$SubDirectory\$CIName\$PackageVersion\$SettingName" –Name "Remediation.$Extension" –ItemType file –Value $RemediationScript –Force | Out-Null

            }

        }

    }

}

<# For reference: CIType_IDs

1	Software Updates

2	Baseline

3	OS

4	General

5	Application

6	Driver

7	Uninterpreted

8	Software Updates Bundle

9	Update List

10	Application Model

11	Global Settings

13	Global Expression

14	Supported Platform

21	Deployment Type

24	Intend Install Policy

25  DeploymentTechnology

26  HostingTechnology

27  InstallerTechnology

28  AbstractConfigurationItem

60	Virtual Environment

#>

view raw
Export-CMConfigurationItemScripts.ps1
hosted with ❤ by GitHub

September 1, 2016December 4, 2017 by Trevor Jones

Removing Disabled Computer Accounts from SCCM with PowerShell

In System Center Configuration Manager there are 2 Site Maintenance tasks that help take care of stale or obsolete client records: Delete Aged Discovery Data and Delete Inactive Client Discovery Data. However in some cases some records can remain in SCCM and are not removed by these tasks, for example, when a system is no longer active but the computer account has not been deleted or disabled in Active Directory. AD System Discovery will continue to pick this system up and create a record for it, so maintenance of AD computer accounts is essential for a healthy ConfigMgr environment.

As long as a client is disabled or deleted from Active Directory and does not get picked up by any of the discovery methods, it will eventually get deleted from SCCM according to the schedule defined in these maintenance tasks.

For computer accounts that are disabled however, you might not want to wait for the maintenance tasks to remove them since you know they are no longer active and can safely be deleted from the SCCM database. Removing them sooner can improve compliance figures for deployment reporting, for example. For this scenario, I prepared a PowerShell script that can run as a scheduled task and remove any system that is marked as inactive – or does not have the SCCM client installed – and is also disabled or not present in active directory.

I’ll run through the script quickly here to explain what it does.

First we define some variables to be used in the script, such as the site code, the site server, and the email information (the script will email the SCCM admin with the list of systems it deletes):


$SiteCode = "ABC"
$SiteServer = "SCCMSERVER-01"
$EmailRecipient = "joe.blow@contoso.com"
$EmailSender = "PowerShell@contoso.com"
$SMTPServer = "SMTPServer.contoso.com"

Then we create a list of discovered systems in SCCM that are either inactive (determined by client health data) or have no SCCM client installed, using WMI on the site server:


try
{
    $DevicesToCheck = Get-WmiObject -ComputerName $SiteServer -Namespace root\SMS\Site_$SiteCode -Query "SELECT SMS_R_System.Name FROM SMS_R_System left join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceID where (SMS_G_System_CH_ClientSummary.ClientActiveStatus = 0 or SMS_R_System.Active = 0 or SMS_R_System.Active is null)" -ErrorAction Stop |
        Select -ExpandProperty Name |
        Sort
}
Catch
{
    $_
}

Next we check active directory for each system to find the status of the computer account and filter those that are either disabled or not present in AD using a custom function. Note that this function uses .Net to search AD so it is not dependent on having the RSAT tools installed.


$NotEnabledDevices = ($DevicesToCheck | foreach {
    Get-IsComputerAccountDisabled  -Computername $_
}) | where {$_.IsDisabled -ne $False}

Then we will attempt to remove each resulting system from SCCM using another custom function. This function uses WMI rather than the ConfigMgr PS cmdlets, again to remove the dependency.


$DeletedRecords = New-Object System.Collections.ArrayList
$Output = $NotEnabledDevices| foreach {
    Remove-CMRecord -Computername $_.ComputerName -DeviceStatus $_.IsDisabled -SiteCode $SiteCode -SiteServer $SiteServer
    }
$DeletedRecords.AddRange(@($Output))

Finally we send an HTML formatted email to the SCCM administrator with the list of systems that were deleted from SCCM:


If ($DeletedRecords.Count -ne 0)
{
    $Body = $DeletedRecords | ConvertTo-Html -Head $style -Body "
<h2>The following computer accounts are either disabled or not present in active directory and have been deleted from SCCM</h2>
" | Out-String
    Send-MailMessage -To $EmailRecipient -From $EmailSender  -Subject "Disabled Computer Accounts Deleted from SCCM ($(Get-Date -format 'yyyy-MMM-dd'))" -SmtpServer $SMTPServer -Body $body -BodyAsHtml
}

To verify in SCCM the systems that were deleted you can view the All Audit Status Messages from a Specific Site status message query.

IMPORTANT: As this script deletes records from the SCCM database, please be sure to understand what it does and to test it first before using it in any production environment!

Here is the full script:


$SiteCode = "ABC"
$SiteServer = "SCCMSERVER-01"
$EmailRecipient = "joe.blow@contoso.com"
$EmailSender = "PowerShell@contoso.com"
$SMTPServer = "SMTPServer.contoso.com"

#region Functions

# Function to check with the computer account is disabled
function Get-IsComputerAccountDisabled
{
  param($Computername)

  $root = [ADSI]''
  $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList ($root)
  $searcher.filter = "(&(objectClass=Computer)(Name=$Computername))"
  $Result = $searcher.findall()
  If ($Result.Count -ne 0)
  {
    $Result | ForEach-Object {
        $Computer = $_.GetDirectoryEntry()
        [pscustomobject]@{
            ComputerName = $Computername
            IsDisabled = $Computer.PsBase.InvokeGet("AccountDisabled")
        }
    }
  }
  Else
  {
      [pscustomobject]@{
      ComputerName = $Computername
      IsDisabled = "Not found in AD"
      }
  }
}

# Function to remove the device record from SCCM via WMI
function Remove-CMRecord
{
    [CmdletBinding()]

    Param
    (
        [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] [string] $Computername,
        [Parameter(Mandatory = $True)] [string] $SiteCode,
        [Parameter(Mandatory = $True)] [string] $SiteServer,
        [Parameter(Mandatory = $True)] [string] $DeviceStatus

    )

    Begin
    {
        $ErrorAction = 'Stop'
    }

    Process
    {

        # Check if the system exists in SCCM
        Try
        {
            $Computer = [wmi] (Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" -Class sms_r_system -Filter "Name = `'$Computername`'" -ErrorAction Stop).__PATH
        }
        Catch
        {
            $Result = $_
            Continue
        }

        # Delete it
        Try
        {
            $Computer.psbase.delete()
        }
        Catch
        {
            $Result = $_
            Continue
        }

        # Check that the delete worked
        Try
        {
            $Computer = [wmi] (Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$SiteCode" -Class sms_r_system -Filter "Name = `'$Computername`'" -ErrorAction Stop).__PATH
        }
        Catch
        {

        }

        # Report result
        If ($Computer.PSComputerName)
        {
            $Result = "Tried to delete but record still exists"
        }
        Else
        {
            $Result = "Successfully deleted"
        }
    }

    End
    {
        [pscustomobject]@{
        DeviceName = $Computername
        IsDisabled = $DeviceStatus
        Result = $Result
        }
    }
}

#endregion

# Let's get the list of inactive systems, or systems with no SCCM client, from WMI
try
{
    $DevicesToCheck = Get-WmiObject -ComputerName $SiteServer -Namespace root\SMS\Site_$SiteCode -Query "SELECT SMS_R_System.Name FROM SMS_R_System left join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceID = SMS_R_System.ResourceID where (SMS_G_System_CH_ClientSummary.ClientActiveStatus = 0 or SMS_R_System.Active = 0 or SMS_R_System.Active is null)" -ErrorAction Stop |
        Select -ExpandProperty Name |
        Sort
}
Catch
{
    $_
}

# Now let's filter those systems whose AD account is disabled or not present
$NotEnabledDevices = ($DevicesToCheck | foreach {
    Get-IsComputerAccountDisabled  -Computername $_
}) | where {$_.IsDisabled -ne $False}

# Then we will delete each record from SCCM using WMI
$DeletedRecords = New-Object System.Collections.ArrayList
$Output = $NotEnabledDevices| foreach {
    Remove-CMRecord -Computername $_.ComputerName -DeviceStatus $_.IsDisabled -SiteCode $SiteCode -SiteServer $SiteServer
    }
$DeletedRecords.AddRange(@($Output))

# Finally we will send the list of affected systems to the administrator
$style = @"
<style>
body {
    color:#333333;
    font-family: ""Trebuchet MS"", Arial, Helvetica, sans-serif;}
}
h1 {
    text-align:center;
}
table {
    border-collapse: collapse;
    font-family: ""Trebuchet MS"", Arial, Helvetica, sans-serif;
}
th {
    font-size: 10pt;
    text-align: left;
    padding-top: 5px;
    padding-bottom: 4px;
    background-color: #1FE093;
    color: #ffffff;
}
td {
    font-size: 8pt;
    border: 1px solid #1FE093;
    padding: 3px 7px 2px 7px;
}
</style>

"@
If ($DeletedRecords.Count -ne 0)
{
    $Body = $DeletedRecords | ConvertTo-Html -Head $style -Body "
<h2>The following systems are either disabled or not present in active directory and have been deleted from SCCM</h2>
" | Out-String
    Send-MailMessage -To $EmailRecipient -From $EmailSender  -Subject "Disabled Computer Accounts Deleted from SCCM ($(Get-Date -format 'yyyy-MMM-dd'))" -SmtpServer $SMTPServer -Body $body -BodyAsHtml
}

smsagent

Scripts, tools and tips, mostly around Microsoft Endpoint Manager

Category / Compliance

A case of the unexplained: Intune password policy and forced local account password changes

What’s going on?!

Is there a fix?

Get the current patch level for Windows 10 with PowerShell

PowerBI Reports for Windows 10 Feature Update Compliance

Prevent Users from Disabling Toast Notifications – Can it be Done?

Get Previous and Scheduled Evaluation Times for ConfigMgr Compliance Baselines with PowerShell

Inventory Local Administrator Privileges with PowerShell and ConfigMgr

Gathering Local Administrator Information with PowerShell

Create a Compliance Item

Create a Configuration Baseline

Deploy the Baseline

Update SCCM Hardware Inventory

Creating the MOF Files

Update Client Settings

Update Configuration.mof

Reporting

New Free Tool: ConfigMgr Remote Compliance

Deploying Custom Microsoft Office Templates with System Center Configuration Manager

Export / Backup Compliance Setting Scripts with PowerShell

Export-CMConfigurationItemScripts.ps1

Removing Disabled Computer Accounts from SCCM with PowerShell

IMPORTANT: As this script deletes records from the SCCM database, please be sure to understand what it does and to test it first before using it in any production environment!

	##############################################################
	## ##
	## Reads the most recent and next scheduled evaluation time ##
	## for deployed Compliance Baselines from the Scheduler.log ##
	## ##
	##############################################################

	#requires -RunAsAdministrator

	# Get Baselines from WMI
	# Excludes co-management policies
	Try
	{
	$Instances = Get-CimInstance –Namespace ROOT\ccm\dcm –ClassName SMS_DesiredConfiguration –Filter "PolicyType!=1" –OperationTimeoutSec 5 –ErrorAction Stop \| Select DisplayName,IsMachineTarget,Name
	}
	Catch
	{
	Throw "Couldn't get baseline info from WMI: $_"
	}
	If ($Instances.Count -eq 0)
	{
	Throw "No deployed baselines found!"
	}

	# Datatable to hold the baselines for the WPF window
	$DataTable = New-Object System.Data.DataTable
	[void]$DataTable.Columns.Add("DisplayName")
	[void]$DataTable.Columns.Add("IsMachineTarget")
	foreach ($Instance in ($Instances \| Sort DisplayName))
	{
	[void]$DataTable.Rows.Add($Instance.DisplayName,$Instance.IsMachineTarget)
	}

	# WPF Window for baseline selection
	Add-Type –AssemblyName PresentationFramework,PresentationCore,WindowsBase
	$Window = New-Object System.Windows.Window
	$Window.WindowStartupLocation = [System.Windows.WindowStartupLocation]::CenterScreen
	$Window.SizeToContent = [System.Windows.SizeToContent]::WidthAndHeight
	$window.ResizeMode = [System.Windows.ResizeMode]::NoResize
	$Window.Title = "DOUBLE-CLICK A BASELINE TO SELECT"
	$DataGrid = New-Object System.Windows.Controls.DataGrid
	$DataGrid.ItemsSource = $DataTable.DefaultView
	$DataGrid.CanUserAddRows = $False
	$DataGrid.IsReadOnly = $true
	$DataGrid.SelectionMode = [System.Windows.Controls.DataGridSelectionMode]::Single
	$DataGrid.Height = "NaN"
	$DataGrid.MaxHeight = "250"
	$DataGrid.Width = "NaN"
	$DataGrid.AlternatingRowBackground = "#e6ffcc"
	$DataGrid.Add_MouseDoubleClick({
	$script:SelectedRow = $This.SelectedValue
	$Window.Close()
	})
	$Window.AddChild($DataGrid)
	[void]$Window.ShowDialog()

	If (!$SelectedRow)
	{
	Throw "No baseline was selected!"
	}

	# If the baseline is user-targetted
	If ($SelectedRow.row.IsMachineTarget -eq $false)
	{
	# Get Logged-on user SID
	$LogonUIRegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI"
	#Could also use this:
	#Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\SMS\CurrentUser -Name UserSID -ErrorAction Stop
	$Property = "LastLoggedOnUserSID"
	$LastLoggedOnUserSID = Get-ItemProperty –Path $LogonUIRegPath –Name $Property \| Select –ExpandProperty $Property
	$LastLoggedOnUserSIDUnderscore = $LastLoggedOnUserSID.Replace('–','_')
	$Namespace = "ROOT\ccm\Policy\$LastLoggedOnUserSIDUnderscore\ActualConfig"
	}
	Else
	{
	$Namespace = "ROOT\ccm\Policy\Machine\ActualConfig"
	}

	# Get assignment info
	$BaselineName = $SelectedRow.Row.DisplayName
	$Pattern = [Regex]::Escape($BaselineName)
	$CIAssignment = Get-CimInstance –Namespace $Namespace –ClassName CCM_DCMCIAssignment \| where {$_.AssignmentName -match $Pattern}
	$AssignmentIDs = $CIAssignment \| Select AssignmentID,AssignmentName
	Write-host "Baseline: $BaselineName" –ForegroundColor Magenta

	foreach ($AssignmentID in $AssignmentIDs)
	{
	# Read the scheduler log
	$Log = "$env:SystemRoot\CCM\Logs\Scheduler.log"
	If ($SelectedRow.row.IsMachineTarget -eq $false)
	{
	$LogEntries = Select-String –Path $Log –SimpleMatch "$LastLoggedOnUserSID/$($AssignmentID.AssignmentID)"
	}
	Else
	{
	$LogEntries = Select-String –Path $Log –SimpleMatch "Machine/$($AssignmentID.AssignmentID)"
	}

	If ($LogEntries)
	{
	# Get the previous evaluations date/time
	$Evaluations = New-Object System.Collections.ArrayList
	$EvaluationEntries = $LogEntries \| where {$_ -match "SMSTrigger"}
	Foreach ($Entry in $EvaluationEntries)
	{
	$Time = $Entry.Line.Split('=')[1]
	$Date = $Entry.Line.Split('=')[2]
	$a = $Time.Split()[0].trimend().replace('"','')
	$b = $Date.Split()[0].trimend().replace('"','').replace('–','/')
	$Time = (Get-Date $a).ToLongTimeString()
	$Date = [DateTime]"$b $Time"
	$LocalDate = Get-Date $date –Format (Get-Culture).DateTimeFormat.RFC1123Pattern
	[void]$Evaluations.Add($LocalDate)
	}

	# Get the next scheduled evaluation date/time
	$LastEvaluation = $EvaluationEntries \| Select –Last 1
	$date = $LastEvaluation.Line.Split()[8]
	$time = $LastEvaluation.Line.Split()[9]
	$ampm = $LastEvaluation.Line.Split()[10]
	$NextEvaluation = [DateTime]"$date $time $ampm"
	$NextEvaluationLocal = Get-Date $NextEvaluation –Format (Get-Culture).DateTimeFormat.RFC1123Pattern

	# Return the results
	Write-Host "Assignment: $($AssignmentID.AssignmentName)" –ForegroundColor Green
	Write-host "Last Evaluations:"
	foreach ($Evaluation in $Evaluations)
	{
	Write-host " $Evaluation" –ForegroundColor Yellow
	}
	Write-host "Next Scheduled Evaluation:"
	Write-Host " $NextEvaluationLocal" –ForegroundColor Yellow
	}
	Else
	{
	Write-Host "No log entries found!" –ForegroundColor Red
	}
	}

	<#
	.Synopsis
	Exports all scripts (discovery and remediation) used in all SCCM Compliance Setting Configuration Items
	.DESCRIPTION
	This script connects to the SCCM database to retrieve all Compliance Setting Configuration Items. It then processes each item looking for
	discovery and remediation scripts for the current (latest) version. It will export any script found into a directory structure.
	.NOTES
	Requirements – 'db_datareader' permission to the SCCM SQL database with the account running this script.
	Parameters – set the parameters below as required
	#>




	################
	## PARAMETERS ##
	################

	# Root directory to export the scripts to
	$RootDirectory = "C:\temp"

	# Name of the subdirectory to create
	$SubDirectory = "Compliance_Settings_CI_Scripts"

	# SCCM SQL Server (and instance where applicable)
	$SQLServer = 'mysqlserver\inst_sccm'

	# SCCM Database name
	$Database = 'CM_ABC'




	##################
	## SCRIPT START ##
	##################

	# Create the subdirectory if doesn't exist
	If (!(Test-Path "$RootDirectory\$SubDirectory"))
	{
	New-Item –Path "$RootDirectory" –Name "$SubDirectory" –ItemType container \| Out-Null
	}

	# Define the SQL query
	$Query = "
	Select * from dbo.v_ConfigurationItems
	where CIType_ID = 3
	and IsLatest = 'true'"

	# Run the SQL query
	$connectionString = "Server=$SQLServer;Database=$Database;Integrated Security=SSPI"
	$connection = New-Object –TypeName System.Data.SqlClient.SqlConnection
	$connection.ConnectionString = $connectionString
	$connection.Open()
	$command = $connection.CreateCommand()
	$command.CommandText = $Query
	$reader = $command.ExecuteReader()
	$ComplianceItems = New-Object –TypeName 'System.Data.DataTable'
	$ComplianceItems.Load($reader)
	$connection.Close()

	# Process each compliance item returned
	$ComplianceItems \| foreach {

	# Set some variables
	$PackageVersion = "v $($_.SDMPackageVersion)"
	[xml]$Digest = $_.SDMPackageDigest
	$CIName = $Digest.ChildNodes.OperatingSystem.Annotation.DisplayName.Text

	# Create subdirectory structure if doesn't exist: configuration item name > current package version
	If (!(Test-Path "$RootDirectory\$SubDirectory\$CIName"))
	{
	New-Item –Path "$RootDirectory\$SubDirectory" –Name "$CIName" –ItemType container \| Out-Null
	}

	If (!(Test-Path "$RootDirectory\$SubDirectory\$CIName\$PackageVersion"))
	{
	New-Item –Path "$RootDirectory\$SubDirectory\$CIName" –Name "$PackageVersion" –ItemType container \| Out-Null
	}

	# Put each compliance item setting in XML format into an arraylist for quick processing
	$Settings = New-Object System.Collections.ArrayList
	$Digest.DesiredConfigurationDigest.OperatingSystem.Settings.RootComplexSetting.SimpleSetting \| foreach {
	[void]$Settings.Add([xml]$_.OuterXml)
	}

	# Process each compliance item setting
	$Settings \| foreach {

	# Only process if this setting has a script source
	If ($_.SimpleSetting.ScriptDiscoverySource)
	{
	# Set some variables
	$SettingName = $_.SimpleSetting.Annotation.DisplayName.Text
	$DiscoveryScriptType = $_.SimpleSetting.ScriptDiscoverySource.DiscoveryScriptBody.ScriptType
	$DiscoveryScript = $_.SimpleSetting.ScriptDiscoverySource.DiscoveryScriptBody.'#text'
	$RemediationScriptType = $_.SimpleSetting.ScriptDiscoverySource.RemediationScriptBody.ScriptType
	$RemediationScript = $_.SimpleSetting.ScriptDiscoverySource.RemediationScriptBody.'#text'

	# Create the subdirectory for this setting if doesn't exist
	If (!(Test-Path "$RootDirectory\$SubDirectory\$CIName\$PackageVersion\$SettingName"))
	{
	New-Item "$RootDirectory\$SubDirectory\$CIName\$PackageVersion" –Name $SettingName –ItemType container –Force \| Out-Null
	}

	# If a discovery script is found
	If ($DiscoveryScript)
	{
	# Set the file extension based on the script type
	Switch ($DiscoveryScriptType)
	{
	Powershell { $Extension = "ps1" }
	JScript { $Extension = "js" }
	VBScript { $Extension = "vbs" }
	}

	# Export the script to a file
	New-Item –Path "$RootDirectory\$SubDirectory\$CIName\$PackageVersion\$SettingName" –Name "Discovery.$Extension" –ItemType file –Value $DiscoveryScript –Force \| Out-Null
	}

	# If a remediation script is found
	If ($RemediationScript)
	{
	# Set the file extension based on the script type
	Switch ($RemediationScriptType)
	{
	Powershell { $Extension = "ps1" }
	JScript { $Extension = "js" }
	VBScript { $Extension = "vbs" }
	}

	# Export the script to a file
	New-Item –Path "$RootDirectory\$SubDirectory\$CIName\$PackageVersion\$SettingName" –Name "Remediation.$Extension" –ItemType file –Value $RemediationScript –Force \| Out-Null
	}
	}
	}
	}

	<# For reference: CIType_IDs

	1 Software Updates
	2 Baseline
	3 OS
	4 General
	5 Application
	6 Driver
	7 Uninterpreted
	8 Software Updates Bundle
	9 Update List
	10 Application Model
	11 Global Settings
	13 Global Expression
	14 Supported Platform
	21 Deployment Type
	24 Intend Install Policy
	25 DeploymentTechnology
	26 HostingTechnology
	27 InstallerTechnology
	28 AbstractConfigurationItem
	60 Virtual Environment

	#>