I recently encountered an application that uses the Inno Setup installer. Part of my process when I deploy an application is to also create an uninstaller. While creating the uninstaller, I decided to make a function for uninstalling Inno Setup installed applications.
The way I have written this function is that you need to use the exact name as displayed in the add/remove programs for the AppName parameter. The function will then query the Add/Remove programs registry entries to get the quiet uninstall string and execute it.
You can download the function from my GitHub site.
While building out the Windows 10 reference image task sequence, it dawned on me that I should be making sure the latest Dell Application Component Updates are installed. Since this is a reference image, the system drivers being up-to-date is not essential to me because they will be stripped during the Sysprep process. This does require that you already have the Dell applications installed before executing this one-liner.
I devised this one-liner that can be implemented as a command line task sequence to check for the latest application component updates only. To limit this down to just application component updates, you will need to open the Dell Command | Update GUI application to create an XML file to reference from the command line. Once in the GUI app, click on the Settings icon. Click on Update Filter. Under Recommendation Level, I checked everything. Under Update Type, I checked Application Software. Everything else is left unchecked. Configure every other settings tab the way you want. Now click on Import/Export and click Export. Export the XML to the desired UNC path in which the one-liner below can access. You can also download the XML file I use from my GitHub site.
As for the one-liner below, update the <UNC Path> to the location where the Applications.XML file is located. It does not need to be called Applications.XML. That was my choice.
Putting this into MDT or SCCM is easy. Once you have the one-liner customized and tested, copy and paste it into a Run Command Line task sequence as shown below. That is all it takes to implement this.
Recently, Dell released the BIOS updates covering systems starting with the Intel Family 6 Model 42 and later processors. This is the first part of the patching process. The second part is to apply all windows updates, which I also included all optional updates. That was my personal preference. The third step is to apply the appropriate KB4088878 patch.
The first two systems, Dell Optiplex 990s with Windows 7 64-Bit, I did these patches on were successful. GRC's InSpectre tool was executed and returned the following.
The next two failed. These systems were Windows 7 32-Bit installed on Dell Optiplex 990s with 64-Bit processors. The BIOS was patched with the latest A23 version Dell had published. The windows updates were all installed. When the windows6.1-kb4088878-x86_7512ab54d6a6df9d7e3d511d84a387aaeaeef111.msu was applied, the following crash screen appeared when the OS booted back up.
One tactic I tried was to configure the registry to clear out the page file when the system shuts down by changing the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown to a 1. The next thing I did was to boot the system into safe mode to execute the patch. I got the following message.
In conclusion, the only solution is to have the hardware architecture match the OS architecture. If they match then applying the appropriate patch will be successful.
Here is a note on patching. Applying the latest BIOS does not pass the GRC Inspectre test. The Microsoft OS patch must also be applied for the system to pass the test.
Ever since the Spectre and Meltdown issues arose, we have been waiting on patching, at least reliable patching. Microsoft has taken it on itself to patch systems for the vulnerability. ExtremeTech wrote an excellent article on Microsoft's solution which gave me the thought to write a script for telling which systems are compatible. To determine the minimum family and model compatible with the patch, I used the data from this Intel page that associates family and model to the microarchitecture code name. I converted the family and model from hexadecimal to decimal. That is how I came up with the bare minimum being Family 6 Model 42.
NOTE: The ExtremeTech article includes the Haswell processor as also being compatible. We do not have any Haswell processors in my environment, so I am not able to know what the minimum family and model are for Haswell. If you do have Haswell processors in your environment, I would appreciate you running the following PowerShell cmdlet and reply here with the output so that I can include it in the script. Thanks.
(Get-WmiObject win32_processor).Caption
The script can be executed using the new Scripts tool in SCCM, which is how this was done in my environment.
While working on the Windows 10 upgrade project, I ran into a situation which I needed the information from an MSU file for the task sequence. Specifically, I needed the KB number. The first thing I did was to try and use the same method used in retrieving info from MSI and MSP files by trying to query the database. That does not work with an MSU file. An MSU is nothing more than a zipped up file of several files. In each MSU file, there is a *Properties.txt file which contains all of the info.
This script contains the function Get-MSUFileInfo which will retrieve all available info on the MSU. I designed it so that it creates an extracted folder in the relative path of the script. The MSU is then extracted to that extracted folder. Next, the script will read all of the contents of the *Properties.txt file into an object. Finally, the extracted folder is deleted.
Here is an example of the script retrieving the info into an object:
You can download the script which contains the function from my GitHub site. I put the function into a full script for easy testing in your environment.
Below is a video on how to add ShareThis to Blogger. It is a very easy process. Apparantly the process has changed since other instuction pages were created. I spent a few hours trying to figure out why injecting the javascript into the HTML code was not working. I cover how to implement both the sticky and inline buttons. As you will see, the bar works on my blog with no problems. Also, at the end of the video, it does show the sticky share buttons turn off. I turned them back on and they are working perfectly.
Here is a picture of this blog page after it was implemented:
This script function will uninstall an MSI installed application by specifying the GUID and the switches. I have included the ability for the script to query the registry for the name of the application to display for user output. The function also will exit the script if there was a failure.
NOTE: The script uses write-host for user output so that if it is manually executed, the admin will be able to easily see if it was successful by success being in yellow, not installed in green, and failure in red. Write-Host is the only option for being able to display in multiple colors and the ability to not start a new line when it displays "Uninstalling Java 8 u 161....." as it waits for the exit code of the uninstall to show one of the three outputs above in the designated colors. If you do not want to use write-host for this, you are welcome to rewrite the code, which is being openly shared.
Here is an example of the function running in the script provided below. This is not in color because it was executed within PowerShell Studio. This is in a script format so you can easily test this out before using the function in another script.
Here is a function that will uninstall an MSI installed application by the name of the app. You do not need to input the entire name either. For instance, say you are uninstalling all previous versions of Adobe Reader. Adobe Reader is always labeled Adobe Reader X, Adobe Reader XI, and so forth. This script allows you to do this without having to find out every version that is installed throughout a network and then enter an uninstaller line for each version. You just need to enter Adobe Reader as the application name and the desired switches. It will then search the name fields in the 32 and 64 bit uninstall registry keys to find the associated GUID. Finally, it will execute an msiexec.exe /x {GUID} to uninstall that version.
Update:
This is the third revision of the function that will uninstall an MSI by its application name. The last revision was an efficiency improvement. This revision adds the ability to uninstall all instances of an application. For instance, if several versions of Java 8 are installed, this function can uninstall all of them by just defining Java 8. The function covers both x86 and x64 based apps. The previous versions of this function could only uninstall one app at a time. This will uninstall all of them.
Here is a visual on the script uninstalling multiple versions of Java 8.
You can download the code from my GitHub site located here.
As we all know, Mozilla Firefox is not the easiest application to deal with when it comes to deploying it in an enterprise environment. I have finally taken the time to write a PowerShell script that will install it using the executable provided by Mozilla.
This installer will kill all instances of firefox, execute the uninstaller helper file, and then delete the programdata folder. Next, it will run the Firefox installer, create the autoconfig file and the Mozilla config file. The autoconfig.js file will point firefox to the mozilla.js file. I have written the script, so it creates and injects the configuration information within the CFG files. If you do not want this, you can comment out the New-AutoConfigFile and New-MozillaConfig lines. I also created a Configuration.ini file to configure the desktop shortcut during the installation.
Also, we still have some 32-bit machines, so I set up the script and file structure as shown below with the individual executable in the appropriate architecture folder.
You are installing RSAT in a build, and you want to check if it is installed if it is included in the windows updates. Recently, there has been the issue in Windows 10 where RSAT cannot be found in the Windows Features. It is also not found in the Win32_OptionalFeature. To work around this, I have this one-liner incorporate checking for the feature first and if that turns up nothing, it then checks for the active directory module, which exists if RSAT has been installed. It will return an exit code of 0 for success and 1 for failure which can be used to either pop up a warning or kill a build if not present. This has been tested on both Windows 7 and Windows 10.
As you have probably seen recently in my latest blog entries, I am working on a bunch of PowerShell one-liners to do away with the actual scripts and be able to implement the PowerShell process as a command line task sequence.
This one-liner will add the necessary registry entry to allow for a user to run a PowerShell script as administrator. This has been tested in a task sequence.
Recently, I have been revisiting our task sequence for our base build. One of the tasks it does it to set the PowerShell executionpolicy. Yes, we do have a GPO that does this, but this being the base build that generates the golden image, GPOs are not applied during the build process.
Originally, I had the simple command line task that implemented the following command line: powershell.exe set-executionpolicy RemoteSigned. I know that should work with no problems, but I wanted to have PowerShell verify that was set. To do that, I created this one-liner that checks if the executionpolicy is set to the defined policy specified in the variable $Policy. All you need to do is change the value assigned to the $Policy variable. If it does not match that, then it sets the executionpolicy and checks again. If it is set to the defined policy, then the script returns an exit code of 0, otherwise, it returns an exit code of 1 which will fail the build.
While writing this package for the BIOS updates on our systems to negate the Spectre and Meltdown, we decided we wanted all laptop systems to be docked. This is an extra precaution we are taking, along with deployment during the early hours of the morning, to minimize the possibility of the BIOS update being interrupted during the installation process by human error.
The first thing I found that designated if a system was docked was this registry key supposedly changing when a system was docked.
I quickly realized this may have worked a long time ago, but it does not work anymore. The next thing I did was watch the event viewer logs. The only changes I noted there were with the ethernet when docked. The next thing I checked was the device manager and Voilà . The device manager changes when a laptop is docked. Specifically, the human interface devices add HID-compliant devices. I really thought the changes would be under system devices. Under the Human Interface Devices, I only included the devices that are labeled HID-compliant, in the HIDClass, are not vendor defined, and where the status of each filtered device is not OK, meaning it is not docked. This was all put in a one-liner that returns an exit code of 1 if any of the devices do not exist.
This one-liner is being used in the task sequence. If a return code of 1 is returned, meaning the system is not docked, the task sequence fails.
NOTE: For the systems this has been tested and run against, they are all Dell Latitudes. I do not have access to any other vendor systems to test against. If your company uses another vendor, you will need to possibly modify this script, or it may not work the same way. Also, it has been verified that this is different on varying models of Dell systems. I received a response on one of the Facebook groups saying he had to make some changes to the code for the Latitudes his company uses.
Over the past three years, I have not had a need to use the Microsoft PowerShell Gallery on the Windows 7 machines. While working on the Spectre/Meltdown issue, it finally hit me that I needed to use it on the Windows 7 machines. It was kind of hard to find clear and concise instructions on installing it on those machines. Windows 10 is a breeze, but there were extra steps. Luckily, all of the Windows 7 machines already met the required criteria. The following are the requirements and steps you need to take to use the PowerShell Gallery on Windows 7 machines.
Requirements:
Windows .Net Framework 4.5 or later
PowerShell 3.0 or later
Once you have these requirements met, here are the steps to gaining access to the PowerShell Gallery in operating systems earlier than Windows 10:
Download the PackageManagement_x64.msi and/or PackageManagement_x86.msi from the Microsoft Download Center. Place the x86 and x64 versions in the same directory as the PowerShell script.
Deploy the appropriate PackageManagement version to each machine
Now that Install-PackageProvider cmdlet is available, execute the following Install-PackageProvider nuget -force -verbose
You will now have access to the PowerShell Gallery using the install-module cmdlet.
The script for installing and configuring the system to access the gallery is located on my GitHub site.
While writing the solution for a secure and safe deployment of BIOS updates, I had to come up with a one-liner to backup the Bitlocker recovery password to a file named <computer name>.txt in a secured UNC path. Yes, we already have MBAM, but I wanted an extra layer of safety in the event something went wrong when applying the BIOS updates to the Bitlockered machines, thereby requiring the recovery password. Also, there are a lot of admins who work at companies which do not have products such as SCCM and MBAM. The reason the PowerShell Bitlocker CMDLETS were not used is that this is designed to run on Windows 7, 8, 8.1, and 10 operating systems.
To use the one-liner below, you will need to update the portion in yellow to the UNC path of your desire. This can be used deployed through SCCM to machines to backup their recovery keys. I used this in a task sequence.
I needed to install .Net Framework 4.7 on all systems. We no longer manage windows updates via SCCM, so we needed to deploy it as an application. I downloaded the two MSU files, 32-bit and 64-bit, from the Microsoft Update Catalog.
This script checks the system architecture and then knows which installer to execute. I have included the return codes for reboot required and already installed. The script converts those to normal SCCM return codes, 0 and 3010.
<#
.SYNOPSIS
Install .Net Framework 4.7
.DESCRIPTION
This script will install .Net Framework 4.7 using the MSU file. It is written to accommodate both x86 and x64 versions. The script will also convert the WUSA.EXE return codes to standard SCCM return codes.
.NOTES
===========================================================================
Created with: SAPIEN Technologies, Inc., PowerShell Studio 2017 v5.4.143
Created on: 9/15/2017 10:45 AM
Created by: Mick Pletcher
Filename: installDotNet47.ps1
===========================================================================
#>
[CmdletBinding()]
param ()
function Get-Architecture {
<#
.SYNOPSIS
Get-Architecture
.DESCRIPTION
Returns whether the system architecture is 32-bit or 64-bit
.EXAMPLE
Get-Architecture
.NOTES
Additional information about the function.
#>
[CmdletBinding()][OutputType([string])]
param ()
$OSArchitecture = Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture
$OSArchitecture = $OSArchitecture.OSArchitecture
Return $OSArchitecture
#Returns 32-bit or 64-bit
}
function Get-RelativePath {
<#
.SYNOPSIS
Get the relative path
.DESCRIPTION
Returns the location of the currently running PowerShell script
.NOTES
Additional information about the function.
#>
[CmdletBinding()][OutputType([string])]
param ()
$Path = (split-path $SCRIPT:MyInvocation.MyCommand.Path -parent) + "\"
Return $Path
}
function Install-MSUFile {
<#
.SYNOPSIS
Install Windows Update
.DESCRIPTION
This function installs windows update MSU files.
.PARAMETER FileName
Name of MSU file
.NOTES
Additional information about the function.
#>
[CmdletBinding()]
param
(
[ValidateNotNullOrEmpty()][string]$FileName
)
$RelativePath = Get-RelativePath
$Executable = $env:windir + "\System32\wusa.exe"
$Parameters = $RelativePath + $FileName + [char]32 + "/quiet /norestart"
$ErrCode = (Start-Process -FilePath $Executable -ArgumentList $Parameters -Wait -Passthru).ExitCode
Return $ErrCode
}
$Architecture = Get-Architecture
If ($Architecture -eq "32-Bit") {
$ReturnCode = Install-MSUFile -FileName Windows6.1-KB4019990-x86.msu
} else {
$ReturnCode = Install-MSUFile -FileName Windows6.1-KB4019990-x64.msu
}
#Exit Return Codes
#2359301 -- Reboot Required
#2359302 -- Already Installed
If ($ReturnCode -eq 2359301) {
$ReturnCode = 3010
}
If ($ReturnCode -eq 2359302) {
$ReturnCode = 0
}
$ReturnCode
Exit $ReturnCode
I have been coming to the Microsoft Ignite convention since it's inception in 2015. The first conference held in Chicago had a lot of fallacies. It was the first time Microsoft had combined the conferences into one. Since then, Microsoft has steadily improved. Atlanta was significantly better and this year's conference in Orlando was awesome! I am sharing my experiences on the conference and what I suggest might be good for first-timers. It is overwhelming the first time you attend. It was for me the first year and I have had first-timers tell me the same thing.
Registration
Registration is pretty straightforward. It requires paying up front when you register. This is the website for Ignite registration. If you are a Microsoft MVP, registration will be cheaper and you can register earlier.
MVPs & Ignite
If you are an MVP, Registration will be cheaper. You will also have the chance to submit a proposal for speaking at Ignite. There will be a pre-day conference for MVPs while also getting the MVP sticker for your badge.
Boarding
When Microsoft opens up the registration for Ignite, they will have a set number of hotels reserved for the conference. There are pros and cons to this. The first year in Chicago, the set of hotels they had reserved were all very expensive. Personally, I appreciate the firm I work at paying my way each year to the conference, so I try to be very conservative on my charges. I ended up using AirBNB that year and it was a great experience as I was close to the McCormick Place and the entire week cost less than one night did at the select hotels. Atlanta, the hotels were nicely priced, so I stayed in one of the select hotels. Finally, Orlando, I ended up staying in a hotel that was close to a select hotel. I did not like the billing policies of the hotels in Orlando, which I will talk about later.
If you stay in select hotels, a shuttle, which is a full-size motorcoach, comes by to pick you up in the mornings and take you back in the evenings. It does not run midday.
As for booking your hotel, if you decide to use a select hotel and register during your Ignite registration, here are some facts about it:
You are only reserving it. You will have to pay for the room when you arrive. Some of the hotels will allow you to pre-pay, but as with my experience in Orlando, I did not like how they handle pre-payment. Several of the hotels I called send an authorization form to you and have you fill out the credit card information to fax back. When I questioned what happens to that form, they permanently file it. Yeah, I don't want my credit card information permanently filed. They don't take credit card information over the phone either. That is why I ended up using Priceline to book my hotel near one of the select hotels so I could walk over and take the shuttle.
While reserving on the Ignite registration site, if your card expires before the conference, it will not let you register for a hotel since it is only reserving the room. It requires the card be valid past the date of your stay.
Some of the select hotels do have activities going on in the evenings.
Food and Drink
Breakfast and lunch are provided at Ignite. Since the first year there, the food has greatly improved. I still hear complaints about it but with the vast size of the conference, you can't expect to feed 23,000+ with restaurant style accommodations. This is the typical lunch tray. They do accommodate for food allergies and specific diets such as vegan. Supper is not served, but there will be food stands set up a few times during the conference late in the afternoon that I thought was more than ample for supper. There are refrigerators setup throughout the conference that has lots of canned and bottled drinks free of charge. There are also tables with snacks such as cracker packs.
Sessions
The main reason you are coming to Ignite is for the sessions. They provide you with continuing education on new ideas and new products, while also providing training on existing products. The sessions vary widely. They consist from beginner to advanced. The best thing is to log in to the Ignite registration website and go through the list of sessions to see what you want to attend. As you select them on the website, they will also be able to sync with the Ignite mobile app. The mobile app can add the sessions you choose to your calendar for alerts. You are likely thinking, what can possibly be the downside to the sessions. Size of the conference is number one. The conference area is so big that you may not have time to get from one session to another. Some sessions are closed after the session has begun. There is often more than one occurrence for a specific session allowing you to get to that session in the event the first one coincides at the same time. One thing Microsoft did for the sessions that has helped a lot is live streaming that helps with not having to physically go to a session and be able to sit there and watch it on your smart device.
Microsoft also had hands-on labs that are great for getting hands-on experience with apps that you may want to check out or need more time with.
Attire
People vary vastly in their attire. It goes from business casual to casual.
Vendor Stands
The vendor stands open up on Monday at 12:00 pm after the Keynote. There are lots of vendors there. There are giveaways from motorcycles to shirts. It is a great place to approach vendors for specific questions on their products. If you are having problems with a product at your company and have questions, most of the vendors have a technical person there to answer them for you. At the least, they can put you in touch with the right person at their company which can answer your question(s). Part of the vendor stands is Microsoft. This means you can go to them for questions about Microsoft products.
After-Hour Vendor Parties
Some of the vendors hold after-hour parties, and from my experience, some are extraordinary. They go all out. The parties are not held at the conference center. They are held at different locations. For instance, one party I attended was in an airplane hanger. Another was at the John Hancock Signature Bar. The problem a lot have is knowing about the parties.
There are a few ways to learn about them. The first is to go to the vendor tables and some will have party sign-up sheets. Some will post on Twitter with the hashtag #MS_Ignite. Another is to follow Harjit Dhaliwal on Twitter. He posts a lot of the parties taking place. The times and length of the parties vary. If the party is held at a facility that is outside of walking distance, the vendors often supply transportation to and from the party.
Celebration
The celebration is a lot of fun. The first year of Ignite, the celebration was a total disaster. There were 30 food tables for 20,000+ attendees. Yeah, it took up to an hour for a small serving of food. Since then, Microsoft has done very well. The last two celebrations have been great. The celebration in Atlanta was held at the Centennial Olympic Park. It was a lot of fun. The celebration in Orlando was held at Universal Studios and it was fantastic! They cordoned off part of the park for the celebration.
For the celebration, you can bring a significant other with you. The cost is $150 and is booked when you book for Ignite. One thing I learned this last year was that there are only 1,500 openings for a significant other. Apparently, others did not know this either as I saw one attendee walking around the conference with a piece of paper on his back asking to purchase an armband for his spouse. My suggestion to you is to book fairly early if you want to bring someone with you to the celebration.
Navigating the Conference
It takes time to get accustomed to the enormous area of the conference. There are Microsoft employees standing around to help you find where you are going. There will be a LOT of walking. Bring comfortable shoes. It is a must! Last two years, I logged 29 miles in Atlanta and 34 miles in Orlando. The Ignite app will help you greatly in getting around the conference.
Connections
Microsoft Ignite is just as much social as it is educational. You are likely to get a lot of connections with other IT professionals. If you have business cards, bring your box with you. I learned this last year that taking a picture of someone's badge with the iPhone 7 Plus also reads their QR code. That was pretty cool to learn by accident.
Finally, 1E interviewed me at Ignite and here is the video on how to get around.
This weekend, I listened to Security Now's KRACKing WiFi podcast Episode 633 where they discussed the TPM vulnerability. Finding out exactly what to look for was tedious. I finally ran across Lode Vanstechelman's blog entry that told exactly what to look for. The only thing it does not address is using SCCM to find vulnerable systems. Since you are looking for specific TPM manufacturer IDs and Versions, SCCM is a great tool to find the systems across a large network.
As listed on Lode's site, you are looking for Manufacturer ID 1229346816. If that ID is present, then the following versions are affected:
4.00 to 4.33
4.40 to 4.42
5.00 to 5.61
6.00 to 6.42
7.00 to 7.61
133.00 to 133.32
NOTE: The firm I work at did not have any systems that met the manufacturer ID criteria. The WQL below is written without the ability to test it. Treat it as a template. I would appreciate if you could leave feedback on whether it needs to be modified or not.
Here is the WQL query:
select SMS_R_System.Name, SMS_G_System_TPM.ManufacturerId, SMS_G_System_TPM.ManufacturerVersion from SMS_R_System inner join SMS_G_System_TPM on SMS_G_System_TPM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_TPM.ManufacturerId = 1096043852 and ((SMS_G_System_TPM.ManufacturerVersion >= "4" and SMS_G_System_TPM.ManufacturerVersion <= "4.33") or (SMS_G_System_TPM.ManufacturerVersion >= "4.40" and SMS_G_System_TPM.ManufacturerVersion <= "4.42") or (SMS_G_System_TPM.ManufacturerVersion >= "5" and SMS_G_System_TPM.ManufacturerVersion <= "5.61") or (SMS_G_System_TPM.ManufacturerVersion >= "6" and SMS_G_System_TPM.ManufacturerVersion <= "6.42") or (SMS_G_System_TPM.ManufacturerVersion >= "7" and SMS_G_System_TPM.ManufacturerVersion <= "7.61") or (SMS_G_System_TPM.ManufacturerVersion >= "133" and SMS_G_System_TPM.ManufacturerVersion <= "133.32")) order by SMS_G_System_TPM.ManufacturerId
With the advent of mass deployment errors such Emory University and CommBank, there needs to be a master kill switch. I also read several months ago about a University in one of the Scandinavian countries that did the same thing. The last two years at Microsoft Ignite, I have also talked to SCCM professionals who experienced the same thing, one in Oklahoma at an oil company and another in Michigan at a financial services company. The last company with more than 100,000 systems abandoned SCCM for imaging purposes and went to MDT to assure this would never happen again.
Over the past three years, I have contemplated a new method for resolving this. At first, I started writing a tool that would shut down all pertinent services on machines such as windows installer and would kill certain task sequences, along with several other things. While having partially written this, a much easier solution came to my mind. This solution is very basic but is also most effective.
I also want to point out one thing here. My solution does not compete with Adaptiva's. Adaptiva has a much more robust solution, but if you choose to not use their solution, this solution can do a good job at stopping an image or even an application from installing.
The solution I have come up with uses a simple text file. In the task sequence list, you will want this to be before the system partitions are wiped. I took a screenshot of this in MDT, which you obviously would not need this fuse unless you have a team that images machines and you want the process to stop right now. In SCCM, you would make sure it is before the system reboots into WinPE to wipe the partitions.
As you can see from the pic, I used a command line task sequence. I used a PowerShell one-liner to test if the file is present. If it is not present, then it returns an error code 1. This error code kills the build.
The file I created is an empty text file which I removed the .TXT extension.
When I started my image, the picture below shows what happened when the file was not present.
This could also be incorporated into a software deployment in the event you accidentally deploy an application and realize it needs to stop NOW! If you deploy apps like I do using script files (PowerShell), you could add a line in the script to check for the file before proceeding. This would kill the installation if it has started, but not reached the point of installation yet.
It is obvious that if the admin does not realize there was a mistake made, the image will continue.
Recently, I built and published the Dell driver update script that may or may not require a reboot. I instituted the script as a task sequence in MDT and then made the following task sequence a reboot. Thinking about it, the reboot may not be required and therefore that would be a waste of time. To get around this, I decided to investigate a conditional reboot.
In order to institute this, I used the standard Restart Computer task sequence and I added conditional parameters to the Options tab shown below.
Here is a screenshot of each of the three keys:
I have tested this by injecting the specified registry keys and these work great. One thing you will encounter when creating these to test just for the existence of the key without a value is a requirement for a value as shown below. I entered a blank space in that field and it worked.
There is one additional attribute to look at and that is a pending reboot via the configuration manager client. It is the following:
So far, I have not been able to get this incorporated as a condition using a WQL query. Apparently, you can only use WQL for the class root\cimv2 and no others. I am likely going to have to create an additional task sequence that creates an MDT/SCCM variable with a boolean value using PowerShell. That is on my list.
Recently, we had to add a new trusted site to the trusted sites GPO. As you may know, if the GPO contains a lot of trusted sites, it can be cumbersome to determine if a site is in there. I wrote this PowerShell script that will generate a report listing all trusted sites. This script will grab both user and local machine based trusted sites. It separates those in the report. The report is displayed on the screen with the option to write it to a text file by specifying the FileOutput parameter switch.
You can download the script from my GitHub site located here.
<#
.SYNOPSIS
Trusted Sites Report
.DESCRIPTION
This script will retrieve a list of trusted sites pushed out via GPO and write the list to a text file in the same directory as the script.
.PARAMETER FileOutput
Specifies to write output to a file
.PARAMETER FileName
Name of the file to write the output to
.NOTES
===========================================================================
Created with: SAPIEN Technologies, Inc., PowerShell Studio 2017 v5.4.143
Created on: 10/3/2017 2:23 PM
Created by: Mick Pletcher
Filename: TrustedSitesReport.ps1
===========================================================================
#>
[CmdletBinding()]
param
(
[switch]$FileOutput,
[ValidateNotNullOrEmpty()][string]$FileName = 'TrustedSitesReport.txt'
)
function Get-RelativePath {
<#
.SYNOPSIS
Get the relative path
.DESCRIPTION
Returns the location of the currently running PowerShell script
.NOTES
Additional information about the function.
#>
[CmdletBinding()][OutputType([string])]
param ()
$Path = (split-path $SCRIPT:MyInvocation.MyCommand.Path -parent) + "\"
Return $Path
}
#User based trusted sites
$HKCU = $(get-item "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey" -ErrorAction SilentlyContinue).property | Sort-Object
#Local machines based trusted sites
$HKLM = $(get-item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey" -ErrorAction SilentlyContinue).property | Sort-Object
#Get the location where this script is being executed from
$RelativePath = Get-RelativePath
#Define the path to the output file
$File = $RelativePath + "TrustedSitesReport.txt"
#Delete the output file if it exists
If ((Test-Path $File) -eq $true) {
Remove-Item -Path $File -Force
}
#Create output file
New-Item -Path $File -ItemType File -Force
#Add HKCU trusted sites to the output file if they exist
If ($HKCU -ne $null) {
#Create Screen Header
"HKEY_CURRENT_USERS" | Out-File -FilePath $File -Append
#Display to the screen
$HKCU
If ($FileOutput.IsPresent) {
$HKCU | Out-File -FilePath $File -Append
}
#Input seperator"
" "| Out-File -FilePath $File -Append
}
#Add HKLM trusted sites to the output file if they exist
If ($HKLM -ne $null) {
#Create Screen Header
"HKEY_LOCAL_MACHINE" | Out-File -FilePath $File -Append
#Display to the screen
$HKLM
If ($FileOutput.IsPresent) {
$HKLM | Out-File -FilePath $File -Append
}
}
I purchased the SpaceMonkey back when it first came out. It has been a so-so NAS device that also backed up to the cloud. Vivint bought them out and I ran into real problems when the HDD had failed on the device and the cloud backup was lost during the transition to Vivint. Luckily, I overnighted it to them and they were able to retrieve all contents and back it up to the Vivint drive.
Recently, Vivint changed how the drive works and abandoned the tool that you install. They decided to go all web based on retrieving your files. I contacted them and they verified the tool is no longer available to download. This is not good because I have a LOT of files on the SpaceMonkey that are enormous. As you might know, browser downloading is not dependable for very large files. I have some files that are tens of gigabytes in size. Supposedly the drive detects if your browser and the smart drive are on the same network. If so, it is supposed to work flawlessly and download directly from the device to your machine. Browser downloading typically fails after a few gigabytes, so no, it has not been flawless. In fact, downloading several gigs worth of pictures from different trips was a hit or miss thing. Some would not download correctly and were corrupted. Luckily, my wife's old computer was resurrected and it had the Spacemonkey tool installed. The tool still works with the Vivint drive. It maps the drive to your machine to allow for robocopy to be used. Since they have removed it from their site, you can download it from my GitHub site located here.
This script will initiate a hardware inventory. It scans the InventoryAgent.log file for the initiation of the hardware inventory and then for the completion. The script will return an error code 1 if the initiation was ignored or it exceeded five minutes. The purpose of this is to verify a hardware inventory was actually initiated. I have had instances where I would execute a hardware inventory multiple times not knowing if it actually occurred. This script verifies that.
You can download the script from my GitHub site located here.
<#
.SYNOPSIS
Initiate SCCM Hardware Inventory
.DESCRIPTION
This script will initiate an SCCM hardware inventory and return a 1 if it fails to initiate or a 0 if it is a success. The script works by scanning the InventoryAgent. log file for the status of the hardware inventory.
.EXAMPLE
powershell.exe -executionpolicy bypass -file SCCMActions.ps1
.NOTES
===========================================================================
Created with: SAPIEN Technologies, Inc., PowerShell Studio 2016 v5.2.122
Created on: 5/20/2016 2:28 PM
Created by: Mick Pletcher
Filename: SCCMActions.ps1
===========================================================================
#>
[CmdletBinding()]
param ()
function Get-CurrentDate {
<#
.SYNOPSIS
Get the current date and return formatted value
.DESCRIPTION
Return the current date in the following format: mm-dd-yyyy
.NOTES
Additional information about the function.
#>
[CmdletBinding()][OutputType([string])]
param ()
$CurrentDate = Get-Date
$CurrentDate = $CurrentDate.ToShortDateString()
$CurrentDate = $CurrentDate -replace "/", "-"
If ($CurrentDate[2] -ne "-") {
$CurrentDate = $CurrentDate.Insert(0, "0")
}
If ($CurrentDate[5] -ne "-") {
$CurrentDate = $CurrentDate.Insert(3, "0")
}
Return $CurrentDate
}
function Invoke-HardwareInventoryCycle {
<#
.SYNOPSIS
Hardware Inventory Cycle
.DESCRIPTION
This function will invoke a hardware inventory cycle and it waits until the cycle is completed.
.EXAMPLE
PS C:\> Invoke-HardwareInventoryCycle
.NOTES
Additional information about the function.
#>
[CmdletBinding()]
param ()
$Completed = $false
$StartTime = Get-Date -UFormat %R
$CurrentDate = Get-CurrentDate
Write-Host "Running Hardware Inventory Cycle....." -NoNewline
Start-ConfigurationManagerClientScan -ScheduleID "00000000-0000-0000-0000-000000000001"
Do {
Start-Sleep -Seconds 1
$CurrentTime = Get-Date -UFormat %R
$TimeDifference = New-TimeSpan -Start $StartTime -End $CurrentTime
$Log = Get-Content $env:windir"\ccm\logs\InventoryAgent.log"
$Count = $Log.count
$Count = $Count - 1
$Log = $Log[$Count]
$LogTable = $Log.split("<")[-1]
$LogTable = $LogTable.Substring(0, $LogTable.length - 1) -replace ' ', ';'
$LogTable = "@{$($LogTable)}" | Invoke-Expression
$LogTime = $LogTable.time.Substring(0, 5)
[datetime]$StringTime = $LogTable.time
If (($Log -like "*End of message processing*") -and ($CurrentDate -eq $LogTable.date) -and ($LogTime -ge $StartTime)) {
Write-Host "Completed" -ForegroundColor Yellow
$Success = $true
$Completed = $true
}
If (($Log -like "*already in queue. Message ignored.*") -and ($CurrentDate -eq $LogTable.date) -and ($LogTime -ge $StartTime)) {
Write-Host "Ignored" -ForegroundColor Red
$Success = $false
$Completed = $true
}
If ($TimeDifference.Minutes -ge 5) {
Write-Host "Failed" -ForegroundColor Yellow
$Success = $false
$Completed = $true
}
} while ($Completed -eq $false)
Return $Success
}
function Start-ConfigurationManagerClientScan {
<#
.SYNOPSIS
Initiate Configuration Manager Client Scan
.DESCRIPTION
This will initiate an SCCM action
.PARAMETER ScheduleID
GUID ID of the SCCM action
#>
[CmdletBinding()]
param
(
[ValidateSet('00000000-0000-0000-0000-000000000121', '00000000-0000-0000-0000-000000000003', '00000000-0000-0000-0000-000000000010', '00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000021', '00000000-0000-0000-0000-000000000022', '00000000-0000-0000-0000-000000000002', '00000000-0000-0000-0000-000000000031', '00000000-0000-0000-0000-000000000108', '00000000-0000-0000-0000-000000000113', '00000000-0000-0000-0000-000000000111', '00000000-0000-0000-0000-000000000026', '00000000-0000-0000-0000-000000000027', '00000000-0000-0000-0000-000000000032')]$ScheduleID
)
$WMIPath = "\\" + $env:COMPUTERNAME + "\root\ccm:SMS_Client"
$SMSwmi = [wmiclass]$WMIPath
$Action = [char]123 + $ScheduleID + [char]125
[Void]$SMSwmi.TriggerSchedule($Action)
}
Clear-Host
$Success = Invoke-HardwareInventoryCycle
If ($Success -eq $false) {
Exit 1
}
Recently, I wanted to clean up SCCM of a bunch of systems that still reside in active directory, but are also disabled. The first thing I did was to try and query SCCM for a list of systems that were populated via AD, but have a userAccountControl attribute of 4098. The attribute is normally 4096, but it changes to 4098 when the account is disabled. I learned the userAccountControl is populated in SCCM via AD, but there is a catch. It is only populated while the account is active. If the account is deactivated, SCCM cannot read the 4098 value, therefore it will still read inside SCCM as 4096.
The next thing was to use PowerShell as the connector between AD and SCCM to clean these items out of SCCM. The script below queries the designated $SCCMCollection, preferably 'All Systems', for a list of all systems in the All Systems collection. That collection is populated by Active Directory. Once it gets a list of all systems within that collection, it will then check if the -ReportOnly parameter is selected and will only display a report of the systems with the system name and if it is enabled or not.
If -ReportOnly is not defined, then the script will go through the list and remove machines from SCCM that are disabled in AD.
After I ran this script, I ran the Active Directory System Discovery against AD. The deleted systems did not return in SCCM.
To run this script, you will need RSAT installed. I have included the SCCM module locator in the script that will locate the .psd1 module to use with the script. All you need to do is to define the $SCCMServer with the SCCM server name, $SCCMDrive with the SCCM drive name, and the name of the desired collection in $SCCMCollection; I used All Systems. I ended up using Orchestrator to execute the script once a week. You could also use a scheduled task. Also, you will need RSAT installed on the system this script is executed on.
You can download this script from my GitHub site located here.
<#
.SYNOPSIS
SCCM AD Cleanup
.DESCRIPTION
This script removes systems from SCCM that are populated via active directory, but have been disabled in AD.
.PARAMETER SCCMServer
Name of the SCCM server
.PARAMETER SCCMDrive
SCCM Drive
.PARAMETER SCCMCollection
SCCM collection to query for cleanup
.PARAMETER ReportOnly
Produce a report only
.NOTES
===========================================================================
Created with: SAPIEN Technologies, Inc., PowerShell Studio 2017 v5.4.143
Created on: 8/3/2017 9:07 AM
Created by: Mick Pletcher
Filename: SCCMADCleanup.ps1
.EXAMPLE
powershell.exe -file SCCMADCleanup.ps1 -SCCMServer AtlantaSCCM -SCCMDrive ATL
===========================================================================
function Get-RelativePath {
<#
.SYNOPSIS
Get the relative path
.DESCRIPTION
Returns the location of the currently running PowerShell script
.NOTES
Additional information about the function.
#>
[CmdletBinding()][OutputType([string])]
param ()
$Path = (split-path $SCRIPT:MyInvocation.MyCommand.Path -parent) + "\"
Return $Path
}
function Import-SCCMModule {
<#
.SYNOPSIS
Import SCCM Module
.DESCRIPTION
Locate the ConfigurationManager.psd1 file and import it.
.PARAMETER SCCMServer
Name of the SCCM server to connect to.
.NOTES
Additional information about the function.
#>
[CmdletBinding()]
param
(
[ValidateNotNullOrEmpty()][string]$SCCMServer
)
#Get the architecture of the specified SCCM server
$Architecture = (get-wmiobject win32_operatingsystem -computername $SCCMServer).OSArchitecture
#Get list of installed applications
$Uninstall = Invoke-Command -ComputerName $SCCMServer -ScriptBlock { Get-ChildItem -Path REGISTRY::"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" -Force -ErrorAction SilentlyContinue }
If ($Architecture -eq "64-bit") {
$Uninstall += Invoke-Command -ComputerName $SCCMServer -ScriptBlock { Get-ChildItem -Path REGISTRY::"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" -Force -ErrorAction SilentlyContinue }
}
#Get the registry key that specifies the location of the SCCM installation drive and directory
$RegKey = ($Uninstall | Where-Object { $_ -like "*SMS Primary Site*" }) -replace 'HKEY_LOCAL_MACHINE', 'HKLM:'
$Reg = Invoke-Command -ComputerName $SCCMServer -ScriptBlock { Get-ItemProperty -Path $args[0] } -ArgumentList $RegKey
#Parse the directory listing
$Directory = (($Reg.UninstallString).Split("\", 4) | Select-Object -Index 0, 1, 2) -join "\"
#Locate the location of the SCCM module
$Module = Invoke-Command -ComputerName $SCCMServer -ScriptBlock { Get-ChildItem -Path $args[0] -Filter "ConfigurationManager.psd1" -Recurse } -ArgumentList $Directory
#If more than one module is present, use the latest one
If ($Module.Length -gt 1) {
foreach ($Item in $Module) {
If (($NewModule -eq $null) -or ($Item.CreationTime -gt $NewModule.CreationTime)) {
$NewModule = $Item
}
}
$Module = $NewModule
}
#format the $Module unc path
[string]$Module = "\\" + $SCCMServer + "\" + ($Module.Fullname -replace ":", "$")
#Import the SCCM module
Import-Module -Name $Module
}
function Get-SCCMCollectionList {
<#
.SYNOPSIS
Retrieve Collection List
.DESCRIPTION
Query the specifies collection in SCCM for a list of all systems residing in that collection.
.PARAMETER CollectionName
Name of SCCM collection to query
.EXAMPLE
PS C:\> Get-SCCMCollectionList
.NOTES
Additional information about the function.
#>
[CmdletBinding()]
param
(
[ValidateNotNullOrEmpty()][string]$CollectionName
)
#FQDN of SCCM Server
$FQDN = ([System.Net.Dns]::GetHostByName($SCCMServer)).HostName
#Create new SCCM drive
New-PSDrive -Name $SCCMDrive -PSProvider "AdminUI.PS.Provider\CMSite" -Root $FQDN -Description $SCCMDrive"Primary Site" | Out-Null
#Add colon at end of SCCMDrive if it does not exist
If ($SCCMDrive[$SCCMDrive.Length - 1] -ne ":") {
$SCCMDrive = $SCCMDrive + ":"
}
#Change to SCCM drive
Set-Location $SCCMDrive
#Get the collection ID for retrieving the list of systems
$CollectionID = (Get-CMDeviceCollection | Where-Object { $_.Name -eq $SCCMCollection }).CollectionID
#Get list of systems from the specified collection
$CollectionSystems = (Get-CMDevice -CollectionId $CollectionID).Name | Where-Object { $_ -notlike "*Unknown Computer*" } | Sort-Object
#Change location to the local drive
Set-Location $env:HOMEDRIVE
#Create Collection array
$Collection = @()
foreach ($System in $CollectionSystems) {
try {
$ADSystem = (Get-ADComputer $System).Enabled
} catch {
$ADSystem = $false
}
$objSystem = New-Object System.Object
$objSystem | Add-Member -MemberType NoteProperty -Name Name -Value $System
$objSystem | Add-Member -MemberType NoteProperty -Name Enabled -Value $ADSystem
$Collection += $objSystem
}
Return $Collection
}
function Remove-Systems {
<#
.SYNOPSIS
Remove Disabled Systems
.DESCRIPTION
Remove disabled active directory systems from SCCM
.PARAMETER Collection
List of all machines in the $SCCMCollection
.EXAMPLE
PS C:\> Remove-Systems
.NOTES
Additional information about the function.
#>
[CmdletBinding()]
param
(
[ValidateNotNullOrEmpty()]$Collection
)
#Add colon at end of SCCMDrive if it does not exist
If ($SCCMDrive[$SCCMDrive.Length - 1] -ne ":") {
$SCCMDrive = $SCCMDrive + ":"
}
#Change to SCCM drive
Set-Location $SCCMDrive
#Parse through list and delete systems from SCCM
foreach ($System in $Collection) {
If ($System.Enabled -eq $False) {
Remove-CMDevice -Name $System.Name -Force
}
}
#Change location to the local drive
Set-Location $env:HOMEDRIVE
}
Clear-Host
Import-Module ActiveDirectory
Import-SCCMModule -SCCMServer $SCCMServer
$Collection = Get-SCCMCollectionList -CollectionName "All Systems"
If (!($ReportOnly.IsPresent)) {
Remove-Systems -Collection $Collection
$Collection
$Collection | Out-File -FilePath $File -Encoding UTF8 -NoClobber -force
} else {
#Get execution path of this script
$RelativePath = Get-RelativePath
#Location and name of .CSV to write the output to
$File = $RelativePath + "DisabledSystems.csv"
#Delete file if it exists
If ((Test-Path $File) -eq $true) {
Remove-Item -Path $File -Force
}
$Collection
$Collection | Out-File -FilePath $File -Encoding UTF8 -NoClobber -force
}
Recently, we ran into a problem when we discovered some of the newer laptops were not automatically disabling the WiFi when connected to ethernet. What made the task even more difficult was that all of our Dell Latitude 7480 systems were already deployed. Being in the legal industry, it is more difficult to ask for time to troubleshoot problems when attorneys bill by the hour.
We knew there was either a new BIOS setting for the 7480 or it had been taken away. To get a list of all the BIOS settings for the 7480, I wrote the script below that uses the Dell Command | Configure to get the BIOS options, settings, and descriptions. You can use the Dell Command | Configure GUI application, but that also requires getting time on the remote machine. This script will grab the info in the background without any interruption to the user.
The script first gets a list of all the available BIOS settings and filters out the following items since I did not see the need for these in the reports:
help
version
infile
logfile
outfile
ovrwrt
setuppwd
sysdefaults
syspwd
The next thing it does it to grab the set value for each setting and then it retrieves the description of the setting. The script formats this data into a table that is exported to a .CSV file for easy viewing. In future models, there will likely be new data, so the script will likely need to be updated. There may also be some data the script did not have access to as the firm I work at only has 8 models of Dell systems.
The first thing you need to do is to get a list of all systems with their BIOS version. You will want to run this in SCCM in order to find the systems with the latest BIOS version to generate the report on. Here is the WQL code for performing a query in SCCM.
select SMS_G_System_COMPUTER_SYSTEM.Manufacturer, SMS_G_System_COMPUTER_SYSTEM.Model, SMS_G_System_PC_BIOS.SMBIOSBIOSVersion, SMS_R_System.Name from SMS_R_System inner join SMS_G_System_PC_BIOS on SMS_G_System_PC_BIOS.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId order by SMS_G_System_COMPUTER_SYSTEM.Manufacturer, SMS_G_System_PC_BIOS.SMBIOSBIOSVersion, SMS_G_System_COMPUTER_SYSTEM.Model
Once you get a list of the systems and choose which one to execute the script on, you have some options. You could either deploy the script through SCCM or you could execute it remotely using PSEXEC. Personally, I used PSEXEC. The only parameter you will need to define is the FilePath, which is the location where the .CSV will be written to.
Here is an example of a .CSV file I ran on my own machine. Some values are left blank because the output exceeded a reasonable amount for this spreadsheet, such as hddinfo. Some are also blank due to security, such as hddpwd.
You can download the script from my GitHub repository located here.
<#
.SYNOPSIS
BIOS Reporting Tool
.DESCRIPTION
This script will query the BIOS of Dell machines using the Dell Command | Configure to report the data to SCCM via WMI.
.PARAMETER FilePath
UNC path where to write the file output
.NOTES
===========================================================================
Created with: SAPIEN Technologies, Inc., PowerShell Studio 2017 v5.4.141
Created on: 7/18/2017 9:31 AM
Created by: Mick Pletcher
Filename: DellBIOSReportingTool.ps1
===========================================================================
#>
[CmdletBinding()]
param
(
[ValidateNotNullOrEmpty()][string]$FilePath
)
function Get-Architecture {
<#
.SYNOPSIS
Get-Architecture
.DESCRIPTION
Returns whether the system architecture is 32-bit or 64-bit
.EXAMPLE
Get-Architecture
.NOTES
Additional information about the function.
#>
[CmdletBinding()][OutputType([string])]
param ()
$OSArchitecture = (Get-WmiObject -Class Win32_OperatingSystem | Select-Object OSArchitecture).OSArchitecture
Return $OSArchitecture
#Returns 32-bit or 64-bit
}
function Get-RelativePath {
<#
.SYNOPSIS
Get the relative path
.DESCRIPTION
Returns the location of the currently running PowerShell script
.NOTES
Additional information about the function.
#>
[CmdletBinding()][OutputType([string])]
param ()
$Path = (split-path $SCRIPT:MyInvocation.MyCommand.Path -parent) + "\"
Return $Path
}
function Get-CCTK {
<#
.SYNOPSIS
Find CCTK.EXE
.DESCRIPTION
Find the Dell CCTK.EXE file.
.EXAMPLE
PS C:\> Get-CCTK
.NOTES
Additional information about the function.
#>
[CmdletBinding()]
param ()
$Architecture = Get-Architecture
If ($Architecture -eq "64-bit") {
$Directory = ${env:ProgramFiles(x86)} + "\Dell\"
$File = Get-ChildItem -Path $Directory -Filter cctk.exe -Recurse | Where-Object { $_.Directory -like "*_64*" }
} else {
$Directory = $env:ProgramFiles + "\Dell\"
$File = Get-ChildItem -Path $Directory -Filter cctk.exe -Recurse | Where-Object { $_.Directory -like "*x86" }
}
Return $File
}
function Get-ListOfBIOSSettings {
<#
.SYNOPSIS
Retrieve List of BIOS Settings
.DESCRIPTION
This will get a list of all BIOS settings
.PARAMETER Executable
CCTK.exe
.EXAMPLE
PS C:\> Get-ListOfBIOSSettings
.NOTES
Additional information about the function.
#>
[CmdletBinding()]
param
(
[ValidateNotNullOrEmpty()]$Executable
)
#Get the path this script is executing from
$RelativePath = Get-RelativePath
#Get list of exclusions to omit from list of BIOS settings
$File = $RelativePath + "BIOSExclusions.txt"
$BIOSExclusions = Get-Content -Path $File | Sort-Object
#Rewrite list of sorted exclusion back to text file
$BIOSExclusions | Out-File -FilePath $File -Force
#Get list of BIOS settings -- Script must be executed on a local machine and not from a UNC path
$Output = cmd.exe /c $Executable.FullName
#Remove instructional information
$Output = $Output | Where-Object { $_ -like "*--*" } | Where-Object { $_ -notlike "*cctk*" }
#Format Data and sort it
$Output = ($Output.split("--") | Where-Object { $_ -notlike "*or*" } | Where-Object{ $_.trim() -ne "" }).Trim() | Where-Object { $_ -notlike "*help*" } | Where-Object { $_ -notlike "*version*" } | Where-Object { $_ -notlike "*infile*" } | Where-Object { $_ -notlike "*logfile*" } | Where-Object { $_ -notlike "*outfile*" } | Where-Object { $_ -notlike "*ovrwrt*" } | Where-Object { $_ -notlike "*setuppwd*" } | Where-Object { $_ -notlike "*sysdefaults*" } | Where-Object { $_ -notlike "*syspwd*" } | ForEach-Object { $_.Split("*")[0] } | Where-Object { $_ -notin $BIOSExclusions }
#Add bootorder back in as -- filtered it out since it does not have the -- in front of it
$Output = $Output + "bootorder" | Sort-Object
Return $Output
}
function Get-BIOSSettings {
<#
.SYNOPSIS
Retrieve BIOS Settings Values
.DESCRIPTION
This will retrieve the value associated with the BIOS Settings
.PARAMETER Settings
List of BIOS Settings
.PARAMETER Executable
CCTK.exe file
.EXAMPLE
PS C:\> Get-BIOSSettings
.NOTES
Additional information about the function.
#>
[CmdletBinding()]
param
(
[ValidateNotNullOrEmpty()]$Settings,
[ValidateNotNullOrEmpty()]$Executable
)
#Create Array
$BIOSArray = @()
foreach ($Setting in $Settings) {
switch ($Setting) {
"advbatterychargecfg" {
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + "--" + $Setting
$Value = (cmd.exe /c $Arguments).split("=")[1]
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + "-h" + [char]32 + "--" + $Setting
$Description = (cmd.exe /c $Arguments | Where-Object { $_.trim() -ne "" }).split(":")[1].Trim()
}
"advsm" {
$Value = ""
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + "-h" + [char]32 + $Setting
$Description = ((cmd.exe /c $Arguments) | where-object {$_.trim() -ne ""}).split(":")[1].Trim().split(".")[0]
}
"bootorder" {
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + $Setting
$Output = (((((cmd.exe /c $Arguments | Where-Object { $_ -like "*Enabled*" } | Where-Object { $_ -notlike "*example*" }) -replace 'Enabled', '').Trim()) -replace '^\d+', '').Trim()) | ForEach-Object { ($_ -split ' {2,}')[1] }
$Output2 = "bootorder="
foreach ($item in $Output) {
[string]$Output2 += [string]$item + ","
}
$Value = $Output2.Substring(0,$Output2.Length-1)
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + "-h" + [char]32 + $Setting
$Description = ((cmd.exe /c $Arguments) | where-object { $_.trim() -ne "" }).split(":")[1].Trim().split(".")[0]
}
"hddinfo" {
$Value = ""
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + "-h" + [char]32 + $Setting
$Description = ((cmd.exe /c $Arguments) | where-object {$_.trim() -ne ""}).split(":")[1].trim().split(".")[0]
}
"hddpwd" {
$Value = ""
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + "-h" + [char]32 + $Setting
$Description = ((cmd.exe /c $Arguments) | Where-Object {$_.trim() -ne ""}).split(":")[1].split(".")[0].trim()
}
"pci" {
$Value = ""
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + "-h" + [char]32 + $Setting
$Description = ((cmd.exe /c $Arguments) | Where-Object { $_.trim() -ne "" }).split(":")[1].split(".")[0].trim()
}
"propowntag" {
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + "--" + $Setting
$Value = ((cmd.exe /c $Arguments).split("=")[1]).trim()
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + "-h" + [char]32 + $Setting
$Description = ((cmd.exe /c $Arguments) | Where-Object { $_.trim() -ne "" }).split(":")[1].trim()
}
"secureboot" {
$Arguments = [char]34 + $Executable.FullName + [char]34 + " --" + $Setting
$Output = cmd.exe /c $Arguments
if ($Output -like "*not enabled*") {
$Value = "disabled"
} else {
$Value = "enabled"
}
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + "-h" + [char]32 + $Setting
$Description = ((cmd.exe /c $Arguments) | where-object { $_.trim() -ne "" }).split(":")[1].Trim().split(".")[0]
}
default {
#Get BIOS setting
$Output = $null
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + "--" + $Setting
$Output = cmd.exe /c $Arguments
#Get BIOS Description
$Arguments = [char]34 + $Executable.FullName + [char]34 + [char]32 + "-h" + [char]32 + "--" + $Setting
$Description = ((cmd.exe /c $Arguments) | Where-Object { $_.trim() -ne "" }).split(":").Trim()[1]
$Value = $Output.split("=")[1]
}
}
#Add Items to object array
$objBIOS = New-Object System.Object
$objBIOS | Add-Member -MemberType NoteProperty -Name Setting -Value $Setting
$objBIOS | Add-Member -MemberType NoteProperty -Name Value -Value $Value
$objBIOS | Add-Member -MemberType NoteProperty -Name Description -Value $Description
$BIOSArray += $objBIOS
}
Return $BIOSArray
}
#Find the CCTK.exe file
$CCTK = Get-CCTK
#Get List of BIOS settings
$BIOSList = Get-ListOfBIOSSettings -Executable $CCTK
#Get all BIOS settings
$BIOSSettings = Get-BIOSSettings -Executable $CCTK -Settings $BIOSList
#Add Computer Model to FileName
$FileName = ((Get-WmiObject -Class win32_computersystem -Namespace root\cimv2).Model).Trim()
#Add BIOS version and .CSV extension to computer name
$FileName += [char]32 + ((Get-WmiObject -Class win32_bios -Namespace root\cimv2).SMBIOSBIOSVersion).Trim() + ".CSV"
#Get full path to the output .CSV file
If ($FilePath[$FilePath.Length - 1] -ne "\") {
$FileName = $FilePath + "\" + $FileName
} else {
$FileName = $FilePath + $FileName
}
#Delete old .CSV if it exists
If ((Test-Path $FileName) -eq $true) {
Remove-Item -Path $FileName -Force
}
#Screen output
$BIOSSettings
#File output
$BIOSSettings | Export-Csv -Path $FileName -NoTypeInformation -Force
