9 June 2021

SCCM Client Actions

If you use SCCM or have ever had to mess with Configuration Manager on a computer that runs Software Center, then you have seen all of the client actions that you can run. That said, like most of us when we started using SCCM or Configuration Manager we knew we had to run some/all of the actions to make the changes we made in SCCM reflect on the computer we were trying to push something to. After a while, you start to realize that you can get by running just one or two actions instead of all of them. But, using myself as an example, aside from knowing you needed to run them you likely didn’t know what they actually did. For me, it was always something that I was going to “Google” later and figure out what they did at some future time. Well, I recently reached that future point-in-time and thought I’d share the collection (SCCM pun intended) of answers that I found. Hopeful what I’ve complied helps out someone else that finally decided to search about it…

  • Application Deployment Evaluation Cycle – This action re-evaluates the requirement rules for all deployments. If an application is required, and not installed when the Application Deployment Evaluation Cycle runs, Configuration Manager automatically triggers a re-install. The Application Deployment Evaluation Cycle only applies to applications and not to the packages. The default value is set to run every 7 days.
  • Branch Distribution Point Maintenance Task – Verifies any pre-staged packages and downloads any that do not exist on the branch distribution point. While Technet does not explicitly state it, I believe this task is useful only on branch distribution points and is ignored on normal clients.
  • Discovery Data Collection Cycle – This causes the client to generate a new discovery data record (DDR). When the DDR is processed by the site server, Discovery Data Manager adds or updates resource information from the DDR in the site database.
  • File Collection Cycle – When a file is specified for collection, the Microsoft System Center Configuration Manager 2007 software inventory agent searches for that file when it runs a software inventory scan on each client in the site. If the software inventory client agent finds a file that should be collected, the file is attached to the inventory file and sent to the site server. This action differs from software inventory in that it actually sends the file to the site server so that it can be later viewed using Resource Explorer. This is a part of SCCM inventory functionality.
  • Hardware Inventory Cycle – Collects information such as available disk space, processor type, and the operating system about each computer. This is a part of SCCM inventory functionality.
  • Machine Policy Retrieval & Evaluation Cycle – The client downloads its policy on a schedule. By default, this value is configured to every 60 minutes and is configured with the option Policy polling interval (minutes). However, there might be occasions when you want to initiate ad-hoc policy retrieval from the client—for example, in a troubleshooting scenario or when testing. This action initiates ad-hoc machine policy retrieval from the client outside its scheduled polling interval.
  • Send Unsent State Messages – This tool sends State Messages that are cached on the ConfigMgr client to the ConfigMgr server.
  • Software Inventory Cycle – Collects software inventory data directly from files (such as .exe files) by inventorying the file header information. Configuration Manager 2007 can also inventory unknown files — files that do not have detailed information in their file headers. This provides a flexible, easy-to-maintain software inventory method. You can also have Configuration Manager 2007 collect copies of files that you specify. Software inventory and collected file information for a client can be viewed using Resource Explorer. This is a part of SCCM inventory functionality.
  • Software Metering Usage Report Cycle – Collects the data that allows you to monitor and client software usage.
  • Software Updates Deployment Evaluation Cycle – Initiates a scan for software updates compliance. Before client computers can scan for software update compliance, the software updates environment must be configured.
  • Software Updates Scan Cycle – Just after a software update installation completes, a scan is initiated to verify that the update is no longer required and to create a new state message that indicates the update has been installed. When the installation has finished but a restart is necessary, the state will indicate that the client computer is pending a restart.
  • State Message Cache Cleanup – This tool clears State Messages that are cached on the ConfigMgr client.
  • User Policy Retrieval & Evaluation Cycle – Similar to Machine Policy Retrieval & Evaluation Cycle, but this action initiates ad-hoc user policy retrieval from the client outside its scheduled polling interval.
  • Windows Installer Source List Update Cycle – Causes the Product Source Update Manager to complete a full update cycle. When you install an application using Windows Installer, those Windows Installer applications try to return to the path they were installed from when they need to install new components, repair the application, or update the application. This location is called the Windows Installer source location. Windows Installer Source Location Manager can automatically search Configuration Manager 2007 distribution points for the source files, even if the application was not originally installed from a distribution point.

For anyone interested, the descriptions above are not my own. I’ve copied them from here and here.

23 April 2021

Cannot open the Outlook window. Invalid XML

Microsoft Outlook has got to be one of the most common business applications that just about everyone uses. So when it fails to open, it can feel like the start of a bad day. One error message that I have encountered a few times now is the “Invalid XML” message when trying to launch Outlook. The most common reason for this error is that the XML file that contains the settings for Outlook’s navigation pane has become corrupted. The navigation pane is the one that is on the left side of Outlook and lets you change between your mailbox, folders, calendar, contacts, tasks, etc.

So how do we fix the error? The first thing to try is to simply reset the navigation pane.

  1. Hit ‘Windows+R‘ on your keyboard to open the ‘Run‘ window.
  2. Type in the following command: Outlook.exe /resetnavpane
  3. Hit the ‘OK‘ button.
  4. Then re-launch Outlook to verify that everything is working.

If the above action did not resolve your Outlook issue, then the next course of action would be to delete the actual XML file and force Outlook to generate a new/fresh file the next time it opens. Here’s how we can do that.

  1. Hit ‘Windows+R‘ on your keyboard to open the ‘Run‘ window.
  2. Type in the following command: %AppData%\Microsoft\Outlook
  3. Hit the ‘OK‘ button.
  4. It will open ‘File Explorer’ and take you to the directory that the XML file resides in. Look for a file named ‘Outlook.xml
  5. Delete the XML file.
  6. Then re-launch Outlook to check that it is working now.

That is how to fix the Outlook ‘Invalid XML’ error. I hope one of these methods worked for you so you can get back to your emails.

17 November 2020

SCCM Device Collection from Excel

I got tired of googling this every time I make a new collection, so I figured it was time for my own post. I am now using SCCM for work, so I have had to learn a few new tricks to make life easier. One thing I’m doing often enough is creating a custom device collection of computers. The slow and tedious way to do this is to individually add each machine. Blah! What a waste of time. To make it go as fast as possible, I try to already have an excel list of the machine names I want to add to the collection.

In my excel file, my list of machine names are in column A. I’m going to be using column B for the values I’ll copy into SCCM. The formula that we’ll be using to convert the names into the format that SCCM wants is:

=char(34)&A2&char(34)&","

Lets break that down to see how it will convert the name into a format that can be used..

  • Char(34) is going to give us the quotation marks we want on either side of our computer name.
  • A2, in this instance, is the cell that contains one of my computer names. You will have to adjust this cell reference to fit your excel sheet.
  • At the very end of it, we add a comma.

Once we have that taken care of, we can drag the corner of the cell down to apply that same formula to the rest of our list.

Below is the basic query we will be using and adding our formatted list of names to.

select * from SMS_R_System where SMS_R_System.Name in ( )

The end result, using the example list of computer names above, will look like this. The one thing to note is that you need to remove the very last comma from the list of computer names or you’ll get an error message when you try to save it.

select * from SMS_R_System where SMS_R_System.Name in (
"computer001",
"computer002",
"computer003",
"computer004",
"computer005",
"computer006",
"computer007",
"computer008",
"computer009"
)

That is how you populate a SCCM device collection from an Excel list.

8 May 2020

Export/Import Putty Sessions

If you’re like me you probably use one machine heavily. You have all of the hosts and devices which you connect to regularly, saved in Putty. but what if you want to conveniently share all of those saved settings with a coworker, or back them up so you can restore them in the future to a new PC.

Putty saves all of those ‘saved’ sessions in the Windows registry. While you’re not able to export them directly from Putty, you can use the command line to export either just the sessions, or all settings, from putty.

Note: These instructions only work with the ‘regular’ installed version of Putty on Windows. They will not work with the portable version.

Export

Open a Command Prompt (or PowerShell) as an Administrator.

Export only sessions with this command:

regedit /e "%USERPROFILE%\Desktop\putty-sessions.reg" HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions

Export all settings with this command

regedit /e "%USERPROFILE%\Desktop\putty.reg" HKEY_CURRENT_USER\Software\SimonTatham

This will create a “reg” file on the desktop of the current user. It will not export SSH keys. Do not replace “SimonTathom” with your username, Simon is the author of Putty and that is the name that particular folder inside the registry where the settings are saved.

Import

Copy the reg file to the machine which you want to import the putty settings on.

Double-click on the .reg file and accept the import.

17 April 2020

RDS customizations

This is a bit of a long post, so I apologize in advance… Sorry, but not sorry. There are a lot of things that you can customize in a RDS / RD Web Access deployment.

I’m doing these edits, or customizations on a Windows Server 2019 deployment, they should [in theory] work though on RDS deployments as far back as Windows Server 2012/R2, though your mileage may vary – see disclaimer below.

Standard disclaimer… Make sure to backup folders and files before you start making changes. I’m not responsible for anything you break, you’ve been warned.


Eliminate “/RDWeb” from the RDS URL

When adding the RD Web Access role on your remote desktop gateway or broker, it will auto-magically create the RDWeb website in IIS for you.

RDS sets up the the url for your site in the following format: “rds.playswellwithflavors.com/RDWeb” or “example.com/RDWeb”. However, you likely are not using this IIS host to serve up any other webpages other that RDS Web Access… So you probably want to eliminate the need for user to have to enter that “/RDWeb” at the end of the url. And make it appear as just “rds.playswellwithflavors.com” or “example.com”.

Microsoft makes this very easy to accomplish with a simple redirect in IIS.

  • Open IIS.
  • Click on the ‘Default Web Site’ in the left-side pane.
  • Click on ‘HTTP Redirect’ in right-side pane.
  • Check the box for ‘Redirect requests to this destination’.
    Enter in the field under it: /RDWeb
  • Click ‘Apply’.
  • Restart IIS
  • Test your website to confirm that you can reach it with the base url, without the “/RDWeb” appended at the end.

Password Reset Link

This customization will edit the Web Access Login Page to add a password reset link where users can change their AD passwords from the main login page.

  • Open IIS
  • In the left-hand pane, drill down into “Server”->”Sites”->”Default Site”->”RDWeb”->”Pages”
  • Double-click on “Application Settings” in the right-hand pane.
  • Find the value “PasswordChangeEnabled” and double-click on it. Edit it to ‘True’.
  • Click ‘Ok’.

Now that we edited that value to ‘true’, if the user’s password expires they will be prompted to change their password. That’s handy, right!?
Well, if you liked that, then let me tell you that it is possible to go one step further and make a link on the main page for them to reset their password, anytime.

  • Open the following folder: %windir%\Web\RDWeb\
  • Since we are going to be editing stuff here, make a backup copy of the “Pages” folder.
  • Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
  • Right-click on the file “login.aspx” and select ‘Edit’.
  • With the file open, press “Ctrl+F” and then search for “userpass”.
  • Scroll down under the table that “userpass” is in. This is where we want to add our password reset link. Copy the code below and paste it into your file, then save and close it.
<tr>
<td align="right">
Click <a href="password.aspx" target="_blank">here</a> to reset your password.
</td>
</tr>
  • Reload the page in your browser to view the password reset link.

Change “Domain\user name” to “Email”

At the Web Access login page, I like to change the prompt for “Domain\user name” to “Email Address”. Call me cynical, but I find that users can remember their email address, but will almost always call and ask what to put as the domain. I like to just change this to what the user will understand and prevent them from needing to call me.

  • Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Right-click on the file “login.aspx” and select ‘Edit’.
  • Look for “L_DomainUserNameLabel_Text” on line 21.
  • Change the value “Domain\\user name:” to “Email Address:”.
  • Look for “L_DomainNameMissingLabel_Text” on line 30.
  • Change the value “You must enter a valid domain name.” to “You must enter a valid email address.”
  • Save and close the file.
  • Reload the page in your browser to view the change.

Change the “Work Resources” text on the Login page

This will let you customize the text displayed with your logo in the upper left corner of the RDWeb login page.

  • Open an administrator PowerShell window on the RD Connection Broker.
  • Enter the following command: Set-RDWorkspace -Name "<YourBrandingHere>"
  • Reload the page in your browser to view the change.

Changing the RD Logos

You can brand your RD Web Access page with your company logo. There are two logos you can change. One is in the upper left corner, and the other one is smaller and in the upper right corner.

  • Take your logo image and resize it into two .png files with the names and dimensions specified below;
    • logo_01.png – 16pixels x 16pixels
    • logo_02.png – 48pixels x 48pixels
  • Now open the folder: %windir%\Web\RDWeb\Pages\images\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Copy and paste the your logo image files into this folder.
  • Open IIS and restart the service.
  • Reload the page in your browser to view the change.
  • The “logo_01.png” file will replace the icon in the upper right corner.
  • The “logo_02.png” file will replace the icon in the upper left corner.

Change the “To protect against” message

This is the message on the login page that is beneath the “Sign In” button. You can customize it to your own message.

  • Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Right-click on the file “login.aspx” and select ‘Edit’.
  • Look for “L_TSWATimeoutLabel_Text” on line 43.
  • Modify that value there to include your custom message.
  • Save and close the file.
  • Reload the page in your browser to view the change.

Change the RD Workspace name and other text

You can customize other text displayed on your RDWeb login page. Things like the page title and other small branding type changes…

  • Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Right-click on the file “RDWAStrings.xml” and select ‘Edit’.
  • Make changes as desired to reflect what you want displayed;
    • PageTitle, line 3
    • HeadingRDWA, line 10
    • HeadingApplicationName, line 11
    • Help, line 12
  • Reload the page in your browser to view the change.
    • Note: Chrome based browsers like to cache these… Use a private browsing tab, or flush your browser cache if the changes are not appearing after reloading the page.

Remove ‘Help’ Link

This will remove the ‘Help’ link on the RDWeb login page that links to this MS documentation.

  • Now open the folder: %windir%\Web\RDWeb\Pages\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Right-click on the file “site.xsl” and select ‘Edit’.
  • Press ‘Ctrl+G’ and enter 150, to go to line 150
  • Select and then delete lines 150-158.
  • Open IIS and restart the service.
  • Reload the page in your browser to view the change.

Change the Server Logo on Login Page

You can remove the “Server 2012” or “Server 2016” or “Server 2019” logo that is on the login page. I like to replace it with a 1px-by-1px transparent image. It won’t do much overall… But perhaps it’ll make a malicious person have to work a tad bit harder to determine what you’re OS you are on.

  • Replace the following image: %windir%\web\rdweb\pages\images\WS_h_c.png

Change the Microsoft Logo on Login Page

You can remove the “Microsoft” logo that is on the login page. I like to replace it with a 1px-by-1px transparent image. It doesn’t hurt anything being there, but if you’re cleaning up and editing the branding of your site, why would you leave this logo on it?

  • Replace the following image: %windir%\web\rdweb\pages\images\mslogo_black.png

If I come across other customization tips I’ll add them here…

10 April 2020

Manually force an Azure AD Connect sync

The Azure AD Connect tool has a default sync schedule to run every 30 minutes. However sometime you need changes you make to get sync-ed NOW! So from time-to-time it’s necessary to manually force Azure AD Connect to run and sync your on-prem AD up to Azure AD. This can be done with PowerShell as either a full sync or a delta sync.


Open Powershell.

If you’re running PowerShell on the server where AD Connect Sync resides, you can skip this step. Connect to the AAD Connect Sync server by running the following command to create a PSRemoting session. Replacing <SERVERNAME> with the name of your AD Connect server.

Enter-PSSession -ComputerName <SERVERNAME>

Import the ADSync module with the following command.

Import-Module ADSync

Run one of the following command to manually force the sync.

For a Delta Sync (most commonly use cases)

Start-ADSyncSyncCycle -PolicyType Delta

For a Full Sync (less common use cases)

Start-ADSyncSyncCycle -PolicyType Initial

If you used the “Enter-PSSession” command earlier, then you need to exit that session. Otherwise it will stay open even after terminating the connection. To close the “PSSession” use the following command:

Exit

9 April 2020

Setup BGInfo on Windows

BGinfo is a great utility/tool that I really like and I literally have on every server I deploy. It is totally customize-able and able to display whatever system information that you feel is important to you, right on the desktop background making it easy to see at a glance. It could be used to display anything from the server’s name, IP addresses, hard drive usage, memory usage, OS version, or even the user that you are currently logged in as.


Download BgInfo – https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo

Create a folder, c:\utilities\, and make sure that all users have read and write access to it.

Move the BGInfo utility into the c:\utilities\ folder.
I also like to place any other Sysinternals utilities that I am using into this c:\utilities\ folder.

Run the BGinfo utility and take a few minutes to configure what information you wish to be displayed on your background.
Then save your configuration to the c:\utilities\ folder.

Create a shortcut to either Bginfo.exe (if you are on a 32-bit machine) or Bginfo64.exe (if are on a 64-bit machine).

Edit the target of that shortcut to include the name of your BGinfo configuration file.
In the picture below I’ve named mine “c:\utilities\mybgconfig.bgi”.

A few more handy suggestions to include in your shortcut’s target are:

  • /timer:0 – to avoid the typical UI popup
  • /nolicprompt – to make sure new users are not prompted with the EULA
  • /silent – to silence and errors

Which would result with the target field looking like:

c:\utilities\Bginfo64.exe c:\utilities\mybgconfig.bgi /timer:0 /nolicprompt /silent

Follow my article about finding the startup folder in Windows, and make a copy of your shortcut into that startup folder.
I prefer to copy the shortcut to the “Common Startup” folder, that way it will launch for any user that logs into the machine… But it’s up to you if you want to put it in the “User Startup” or “Common Startup” folder.

Now it’s time to test it out! Try logging out and then logging back in.

9 April 2020

Finding the Startup Folder on Windows

In recent years Microsoft has moved around where they “hide” the startup folder. That’s the folder that gets used to launch applications that start automatically when the user logs in. It’s not necessary hard to find, but it is well hidden.

There’s actually two places that startup folder lives. Each user has their own startup folder that will launch programs specific to that user. And there is also a common startup folder which will launch programs for any and all users that log into that machine.


How to find the users’ individual startup folder

  • Right click on the start menu and select ‘Run’.
  • Type “shell:startup” and click ok.
  • The startup folder will open, and you can drag-and-drag and shortcuts or applications you need into.

If you need to manually dive thru folders to get to the user’s startup folder, go to, but remember to change “<USER>” to the one you’re looking for:

C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

How to find the all users’ common startup folder

  • Right click on the start menu and select ‘Run’.
  • Type “shell:common startup” and click ok.
  • The startup folder will open, and you can drag-and-drag and shortcuts or applications you need into.

If you need to manually dive thru folders to get to the common startup folder, go to:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
4 April 2020

Run Application as Different User

Windows makes it incredibly easy to run an application or script as another user on your computer. I find that I most often use this to run administrative or domain tools, when I’m logged in as just a normal user.

Method 1

This is the easiest method. While it took me a little while to remember it, I now use it almost daily and without even thinking about it.

Press and hold down the ‘Shift’ key on your keyboard, while you right-click on the program you want to launch.

This will only work on executable (EXE) files or shortcuts to executable files. If you try this and don’t see the option, then it is not an executable file.

Method 2

This method will create a shortcut that “knows” to launch an application as another user.

Create a shortcut to your executable

Right-click on the shortcut and modify the “Target” to:

runas /user:DOMAIN\USERNAME "path to executable"

Click ‘OK’. Then launch your shortcut. You will get prompted for your password everytime you launch your shortcut.

If you need to store the password with your shortcut, then modify the “Target” to this instead:

runas /savecred /user:DOMAIN\USERNAME "path to executable"

Click ‘OK’. Then right-click and select “Run as Administrator” the first time you use the shortcut. You will be prompted for the user password and it will get saved. From then on, just clicking the shortcut will launch it as your desired user.

Method 2.5

Alright this is basically the same method as above, so I didn’t feel right calling it a third method.

You can take the same trick from “Method 2” and just use it to run an application from a command prompt window.

C:\> runas /user:DOMAIN\USERNAME "path to executable"

3 April 2020

Pull Certificate from Digitally Signed Application

Most companies will use a certificate to sign their applications before they release their software to the world. This helps the user know to that the software they are running actually came from the software vendor, and hasn’t been altered or changed by someone.

Certificates are based on key pairs. There is a public key, and a private key. In terms of digitally signing an application, the public key is often just referred to as the Certificate.

How it works, in simpified terms… The software vendor holds a private key, and they guard it, keeping it safe in their organization. You can also think of is their fingerprint that they’ll use when signing something as it is unique. The public key is what we can see. Using a hash in the digitally signed application, we can use their public key, to see is if the hash value can be verified. If it checks out then we know that the digital signature is valid. If it doesn’t, well then we know the signature has been altered.

The I’ll show you below how you can pull the public half of the Certificate from an application. In this example we’ll pull Adobe’s certificate from Adobe Reader DC.


Right click on the application you want the signature of and select “Properties”

Click the “Digital Signature” tab, select the signature, then click the “Details” button.

Note: If you do not see the “Digital Signature” tab, then the file is not digitally signed.

Click the “View Certificate” button.


Click the “Details” tab and then select the “Copy to File” button.

Follow the “Certificate Export Wizard”.

After completing the export wizard, you’ll have the digital signature certificate of the digitally signed application.


Here’s an article I wrote that includes how to set a software restriction GPO policy using a certificate rule.