Hey, Working on a script lately, to create CM collections from OU structure, also with a query that looks into the OU to collect the machines.

So let say you have a OU structure like above,

So you want collections in CM like “SBS Computers” and “SBSServers” collections will be created and gathering all the computers into that. And if you put this script on a schedule task, if the Active directory people doing new OU, they will pop up in CM automatically

the script looking like this.)

#Synopsis
#CreateCollectionsfromAD.ps1
#DESCRIPTION
#Created: 2018-11-13
#Version: 1.0

#Author : Pontus Wendt
#Twitter: @pontuswendt
#Blog : https://pontuswendt.blog

#Disclaimer: This script is provided "AS IS" with no warranties, confers no rights and
#is not supported by the author.
#EXAMPLE
#NA

#Import Modules
Import-Module ConfigurationManager
Import-Module ActiveDirectory

#Variables
#The logpath of your script
$Logpath = "C:\Logging\Log.log"
#Domain
$Domain = "test.pontus.com"
#Domain in ADSI
$DomainADSI ="DC=test,DC=pontus,DC=com"
#Gather the OU folders, that will be created, every folder you search for will be created.
$GADOU = Get-ADOrganizationalUnit -LDAPFilter '(name=*)' -SearchBase $DomainADSI -SearchScope OneLevel -Properties CanonicalName | Select Name
#SCCM Query
$query="select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName like '$domain/Computers%'"
#Specify the sitecode of your SCCM
$SiteCode = "X01:"
#SCCM folder you want to move your collections to (you need to create this folder before you run)
$CMFolderPath = "$SiteCode\DeviceCollection\Computers from OU"
#You need to mofidy one more step is under the Add collection function

#Change Location to primary site
CD $SiteCode

#Functions
#WriteLog function
Function WriteLog ($message)
{
    $TZbias = (Get-WmiObject -Query “Select Bias from Win32_TimeZone”).bias
    $Time = Get-Date -Format “HH:mm:ss.fff”
    $Date = Get-Date -Format “MM-dd-yyyy”
    $Output = "<time>"
    Out-File -InputObject $Output -Append -Encoding Default –FilePath "$Logpath"
}

#AddCollection function
Function AddCollection
{
#Check if name already exists
if ((Get-CMDeviceCollection -Name "$Collectionname") -ne $null)
{
WriteLog "$Collectionname exists. Skipping."
return
}

#Check if OU structure have XX
if ($Collectionname -eq "XX")
{
WriteLog "$Collectionname have equals name as XX. Skipping."
return
}

Try
{
WriteLog "Adding $Collectionname"

$Schedule = New-CMSchedule -RecurInterval Hours -RecurCount 1
WriteLog "Created Schedule: $Schedule"

WriteLog "Creating collection $Collectionname"
$newcollection=New-CMDeviceCollection -Name "$Collectionname" -LimitingCollectionName "All systems" -RefreshSchedule $Schedule

##MODIFY THIS ALSO##
$query="select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName like '$domain/$names/Clients/XX/%'"

WriteLog "Creating $Collectionname with query $query"
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "$Collectionname" -QueryExpression $query -RuleName "$Collectionname"
WriteLog "Moving $Collectionname"

$CollID = Get-CMDeviceCollection -Name $Collectionname
Move-CMObject -FolderPath $CMFolderPath -ObjectId $CollID.CollectionID

#Wait a bit
Start-Sleep 10

}
catch
{
Write-Host "Failed to create collection $($_.Exception.Message) $($_.Exception.ItemName)"
}
}

#------------------------------------------------------------
#OU from csv foreach in foreach
foreach ($Collectionname in $GADOU.Name) {

WriteLog "Adding $Collectionname"

Get-ADOrganizationalUnit -Identity "OU=$Collectionname,$DomainADSI"
AddCollection $Collectionname
}
WriteLog "Done with the script"

Have the script here also, if you want to download it. CreateCollectionsfromAD

/Pontus

Hey! I work with a company, that the customers, come and go pretty much. So sometimes they gonna install the CM-agent and sometimes some customers leaves. Then we need to uninstall the CM-Agent remotely of course! God forbidden manually!

You need
* Server 2008 R2 or above
* Windows 7 With PowerShell 3.0 installed or above
* CM2012

1. Create a Collection.

2. Create a Configuration item

2.1 Then the “Setting step”, Modify like below

2.2 Choose Script like this:

2.3 Edit “Discovery Script”: Then you post in this:

function Get-ccmexec-service
{
    [CmdletBinding()]
    param ()

    Begin
    {
    }
    Process
    {
    Try {
    Get-Service -Name CcmExec |
        ForEach-Object {
            If($_.Name -eq "none") {
                $State = 0 }
            ElseIf($_.Name -eq "ccmexec") {
                $State = 1}
            }

     }
   catch {
   # Error handling

   }
   $state

    }
    End
    {
    }
}
Get-ccmexec-service

2.4 Then “Remediation Script” you post in this:
C:\Windows\ccmsetup\ccmsetup.exe /uninstall

2.5 Then in the Compliance Rules tab, Add this:

2.4. The Finish the Configuration Item Wizard.

3. Create a Baseline to this, And put the deployment to your Collection.

4. And you are Done

Good Luck

/Pontus

Hey!
Recently I got and a mission to inventory the ServicepackMajorversion on our servers. So ive made a script that you can use in a CI if you want.

Discovery Script

function Get-ServicePackMajorVersion
{
    [CmdletBinding()]
    param ()

    Begin
    {
    }
    Process
    {
    Try {

# Get Operating System Info
$sOS =Get-WmiObject -class Win32_OperatingSystem -computername Localhost

foreach($sProperty in $sOS)
{}
        ForEach-Object {
            If($sProperty.ServicePackMajorVersion -match "0") {
                $State = 0}
            ElseIf($sProperty.ServicePackMajorVersion -match "1") {
                $State = 1}
            }
     }
   catch {
   # Error hantering
   }
   $state

    }
    End
    {
    }
}
Get-ServicePackMajorVersion

Compliance Rule
Equals 1 ( which is “a Service pack is installed”)

Good luck!

/Pontus

When I was at the MMS this year, I asked the Microsoft product team if the CCMCache is OK to clean up, because a lot of files is in the folder, and there is no built-in to do so.

This is a standard Configuration Item, pretty easy when you get into it.

Let say, we want to delete all content in C:\Windows\ccmcache if its 60 days or older.

Discovery script:

$MinDays = 60
$UIResourceMgr = New-Object -ComObject UIResource.UIResourceMgr
$Cache = $UIResourceMgr.GetCacheInfo()
($Cache.GetCacheElements() |
where-object {[datetime]$_.LastReferenceTime -lt (get-date).adddays(-$mindays)} |
Measure-object).Count

Like this:

If i just test this on a machine. It gonna look like this

The result is the number of files that are older than 60 days.

Remediation script:

<#
$MinDays = 60
$UIResourceMgr = New-Object -ComObject UIResource.UIResourceMgr
$Cache = $UIResourceMgr.GetCacheInfo()
$Cache.GetCacheElements() |
where-object {[datetime]$_.LastReferenceTime -lt (get-date).adddays(-$mindays)} |
foreach {
$Cache.DeleteCacheElement($_.CacheElementID)
}

Like this:

Compliance rule:

Deploy this to some machines that you want to clean up, And you are good to go.

/Pontus

Hey! Sooner or late some upper management come to you and ask if you can check your machines if they are infected of a registry key (often a virus). They also ask if you can post a nice report of this. So how do you do? Well, in my opinion, This is the best way. Configuration Item (In this case I’m looking for “HKLM:\Software\Classes\MJ” exist or not)

1. First, Go to your console -> Assets and Compliance -> Configuration Item

2. Right click “Create Configuration Item”

3. Pick a good name for your CI

4. Go With Default settings, Next, Next, Summary, Close.

5. Right click on the CI, go to Properties> Settings and New

6. Do the settings like this
6.1 Name it to ” Check for a Registry Value”
6.2 Change Setting type to Script
6.3 Change Data type to String

6.4 Click on Discovery script
6.5 Script language to Windows Powershell, then copy this

function Get-Registrykey
{
    [CmdletBinding()]
    param ()

    Begin
    {
    }
    Process
    {
    Try {
    $Result = Test-Path "HKLM:\Software\Classes\MJ"

    ForEach-Object {
            If($Result -match "True") {
                $State = 1}
            ElseIf($Result -match "False") {
                $State = 0}
                    }
     }
   catch {
   # Error hantering

   }
   $state

    }
    End
    {
    }
}
Get-Registrykey

6.6 Click on Ok
7. Go to the Compliance Rule Tab

8. Click on New
9. Then change the Following value to 1, and Check the box “Report noncompliance if this setting instance is not found. Then click on OK

10. Apply, Apply, Ok.
11. Go to Configuration Baselines, Create Configuration Baseline

12. Name it to ” Check for a Registry Value
13. Click on Add, Configuration Item
14. Ok.

15. Right click on the baseline, then Deploy

16. Do the settings like this,
16.1 “Check Remediate noncompliant rules when supported”
16.2 “Check Allow remediation outside the maintenance window”
16.3 Select a Collection that you want to run the script on.
16.4 Simple Schedule, 1 Time each day.

16.5 Ok.
17. Now we are done, The clients will report back if the registry exists or not.

Also shared the Files here, if you just want to import the CI
CI – Check for a Registrykey

Thanks for reading.
/Pontus