PowerShell

Auto MDM Enroll: Failed (The system tried to delete the JOIN of a drive that is not joined.)


When setting up hybrid Azure AD join for an on-premises Windows 10 environment, if you encounter the error “The system tried to delete the JOIN of a drive that is not joined.” (logged as “Auto MDM Enroll: Failed”), there is a good chance that the device object has not yet synchronized into Azure AD.


A few tips to help you isolate the cause and get past this issue:

  1. First, confirm whether the device exists in Azure Active Directory.  In the Azure portal, navigate to Azure Active Directory > Devices > All devices.
  2. Review the steps in Troubleshooting hybrid Azure Active Directory joined Windows 10 and Windows Server 2016 devices.  Note that this article points back to another article, How to configure hybrid Azure Active Directory joined devices, which presently contains far more helpful troubleshooting information.
  3. In the most current Azure AD Connect releases, use the built-in Troubleshooter.  In the PowerShell window that launches, run both troubleshooting options: Object Sync and Password Hash Sync.

In my case, the troubleshooting guides were useful to confirm that I had configured everything correctly.  The Azure AD Connect troubleshooter then reported the error “Password Hash Synchronization cloud configuration is disabled”.  Searching that issue on the Internet led me to discover that the cause was likely a mismatch between the password of the Azure AD account “On-Premises Directory Synchronization Service Account” and the password currently stored in the local synchronization service.

To fix that, first set a new password for the “On-Premises Directory Synchronization Service Account”.  Try setting it in the Azure portal directly.  However, given that it is a special account, it may be necessary to reset the password through PowerShell with the AzureAD (or the older MSOnline/MSOL) cmdlets.  While I’m not getting into the full end-to-end setup of those add-on Azure PowerShell modules, the command can be as simple as the following.  Note that Set-AzureADUserPassword takes a SecureString, and prompting for the value keeps the password out of the console history and any transcript:

Connect-AzureAD
# Prompt for the new password instead of typing it on the command line
$NewPassword = Read-Host -Prompt 'New password for the synchronization service account' -AsSecureString
# -ObjectId is the object ID of the "On-Premises Directory Synchronization Service Account" (placeholder shown)
Set-AzureADUserPassword -ObjectId abc123def456xyz980 -Password $NewPassword -ForceChangePasswordNextLogin $false

Next, start Synchronization Service Manager and click Connectors.  Locate the Windows Azure Active Directory connector and click Properties.


Finally, on the Connectivity page of the connector properties, enter the new password for the account.  Voila, devices will now sync to Azure AD on the next synchronization cycle!
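The checks from the steps above, collected into one script.  This is an added example rather than anything from the original post: it reads the local join state from dsregcmd /status, confirms that a device object with this computer name exists in Azure AD (step 1), and looks up the object ID of the synchronization service account so it can be handed to Set-AzureADUserPassword.  It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the account display name is the one Azure AD Connect creates.

```powershell
# Added example (not part of the original post). Assumes Connect-AzureAD has already succeeded.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines (AzureAdJoined, DomainJoined, DeviceId, TenantName, ...).
    # Collect them into a hashtable so individual fields can be inspected.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridJoinReady {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $local = Get-DsregStatus
    [pscustomobject]@{
        ComputerName  = $ComputerName
        DomainJoined  = $local['DomainJoined']
        AzureAdJoined = $local['AzureAdJoined']
        LocalDeviceId = $local['DeviceId']      # absent until the device has registered
        # Get-AzureADDevice -SearchString matches on display name. No result means the
        # object has not synchronized yet, the usual cause of the error in this post.
        InAzureAD     = [bool](Get-AzureADDevice -SearchString $ComputerName)
    }
}

function Get-SyncServiceAccount {
    # Azure AD Connect creates its cloud account with this display name; the ObjectId is what
    # Set-AzureADUserPassword -ObjectId expects.
    Get-AzureADUser -Filter "displayName eq 'On-Premises Directory Synchronization Service Account'" |
        Select-Object ObjectId, UserPrincipalName
}

$state = Test-HybridJoinReady
$state | Format-List

if (-not $state.InAzureAD) {
    Write-Warning "No device object named $($state.ComputerName) in Azure AD yet; check Azure AD Connect sync before retrying MDM enrollment."
    Write-Host 'Synchronization service account (pass ObjectId to Set-AzureADUserPassword if the password must be reset):'
    Get-SyncServiceAccount | Format-List
}
```

Run it on the affected device in an elevated session.  If InAzureAD is false while DomainJoined is YES, the problem is upstream of the device, which is exactly the situation the Azure AD Connect troubleshooter and the password reset above address.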



Automating Web URLs as Start Menu Links


In my previous post on Creating Web URLs as Start Menu Links, I outlined how to manually create links to URLs.  While this does work, most folks in the systems management community would prefer to automate the link creation.  The following PowerShell script can be used to create a custom Start menu link for all users.

Note that one problem you may encounter is the link not being displayed in its Start menu group.  This can be caused by two .lnk files with the same target path and the same URL argument; Windows collapses them into one entry.


# Create a Shortcut with Windows PowerShell
$oWScriptShell = New-Object -ComObject WScript.Shell
$sTargetFile = "C:\Windows\explorer.exe"
$sShortcutFile = $oWScriptShell.SpecialFolders("AllUsersPrograms") + "\Links\t3chn1ck.lnk"
# Note: to open the URL in a specific browser such as Edge, prefix the URL with microsoft-edge:
$sURL = "http://t3chn1ck.com"

# Delete the existing shortcut if it exists
If (Test-Path $sShortcutFile) {
    Remove-Item $sShortcutFile
}

# explorer.exe with a URL as its argument opens the URL in the default browser
$oShortcut = $oWScriptShell.CreateShortcut($sShortcutFile)
$oShortcut.IconLocation = "explorer.exe,20"
$oShortcut.TargetPath = $sTargetFile
$oShortcut.Arguments = $sURL
$oShortcut.Save()
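A generalisation of the script above, added here as an example and not part of the original post: it creates several URL links in one pass and, before writing each one, reads the target and arguments of every .lnk already in the folder so that the duplicate target/URL condition described above is reported instead of silently hiding a tile.  The “Links” folder name and the sample URLs are assumptions for illustration.

```powershell
# Added example (not the original post's script). Requires rights to write under the all-users Start menu.
$Shell      = New-Object -ComObject WScript.Shell
$LinkFolder = Join-Path $Shell.SpecialFolders("AllUsersPrograms") 'Links'   # assumed folder name
$Explorer   = Join-Path $env:SystemRoot 'explorer.exe'

# Constructed sample input: display name -> URL. The microsoft-edge: prefix forces Edge.
$Links = [ordered]@{
    't3chn1ck'      = 'http://t3chn1ck.com'
    'Edge Intranet' = 'microsoft-edge:https://intranet.example.com'
}

function Get-ExistingLinkTargets {
    param([string]$Folder)
    # CreateShortcut on an existing .lnk loads it, so its TargetPath and Arguments can be read back.
    Get-ChildItem -Path $Folder -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $Shell.CreateShortcut($_.FullName)
        "$($lnk.TargetPath)|$($lnk.Arguments)"
    }
}

function New-StartMenuUrlLink {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Url,
        [string]$Folder = $LinkFolder
    )
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

    # Two .lnk files with the same explorer.exe target and the same URL argument collapse into
    # one Start menu entry, so refuse to create a second one and say why.
    $key = "$Explorer|$Url"
    if ((Get-ExistingLinkTargets -Folder $Folder) -contains $key) {
        Write-Warning "A link to $Url already exists in $Folder; skipping '$Name'."
        return $null
    }

    $path     = Join-Path $Folder "$Name.lnk"
    $shortcut = $Shell.CreateShortcut($path)
    $shortcut.TargetPath   = $Explorer
    $shortcut.Arguments    = $Url
    $shortcut.IconLocation = 'explorer.exe,20'
    $shortcut.Save()
    return $path
}

foreach ($entry in $Links.GetEnumerator()) {
    New-StartMenuUrlLink -Name $entry.Key -Url $entry.Value
}
```

Running it twice demonstrates the check: the second run warns for every entry and creates nothing.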


Windows 10 Full Device Wipe via PowerShell


One of the new capabilities of Windows 10 is the ability to manage it like a mobile device using Configuration Service Providers (CSPs).  One of those, the RemoteWipe CSP, performs a full wipe (restore to factory default) of the device.  While this is normally triggered by an MDM provider such as Microsoft Intune, you may at some point need to demonstrate it on a device that is not MDM-managed.

!!! WARNING !!! CAUTION !!! DISCLAIMER !!!
Using the script below will cause the Windows 10 system to immediately reset Windows to factory default.  No data and no applications are saved.  Use extreme caution when testing this script.  Setting it up for deployment with a tool (such as ConfigMgr) could have extreme consequences if it is accidentally deployed.
!!! WARNING !!! CAUTION !!! DISCLAIMER !!!

Now that you’ve been fully warned: to invoke doWipeMethod on the RemoteWipe CSP, reference the example script at https://msdn.microsoft.com/en-us/library/windows/desktop/dn948434.aspx.  It is also a good idea to require the operator to enter a “password” before the script continues; this can be added to the front of the script.  For example:

# Guard against accidental execution: the script only continues if the operator types the
# expected value. This is a confirmation prompt, not a security control; anyone who can read
# the script can read the value.
$pass = Read-Host 'Enter the password to perform a full wipe of Windows 10 to factory defaults.'

if ($pass -eq '1-2-3-4-5') {
    Write-Host -ForegroundColor Green 'Password accepted ... That''s amazing. I''ve got the same combination on my luggage!!'
} else {
    Write-Host -ForegroundColor Red 'Wrong password, terminating script'
    exit
}
```
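A stronger guard, added here as an example and not taken from the MSDN article above: the wipe is wrapped in a function that supports -WhatIf and -Confirm through ShouldProcess, and additionally requires the operator to type this machine’s computer name, so a stray keypress or a mass deployment cannot trigger it.  The CIM namespace, class name and method parameter follow the WMI Bridge documentation for the RemoteWipe CSP as I understand it; they are assumptions here, as is the requirement that the script run in the Local System context (for interactive testing, launch PowerShell with psexec -s).

```powershell
# Added example (not the referenced article's script). Destructive when confirmed; start with -WhatIf.
function Invoke-FactoryReset {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    # Guard 1: ShouldProcess. With -WhatIf this prints what would happen and returns $false.
    # With ConfirmImpact High it prompts for confirmation unless the caller passes -Confirm:$false.
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Factory reset: all data and applications removed')) {
        return $false
    }

    # Guard 2: the operator must type this machine's name exactly (case-sensitive compare).
    # A script pushed by a deployment tool has no operator to do this, so it stops here.
    $typed = Read-Host "Type the computer name ($env:COMPUTERNAME) to confirm a FULL factory reset"
    if ($typed -cne $env:COMPUTERNAME) {
        Write-Host -ForegroundColor Red 'Computer name did not match; nothing was done.'
        return $false
    }

    # RemoteWipe CSP via the WMI Bridge provider (assumed names, see lead-in).
    $namespace = 'root\cimv2\mdm\dmmap'
    $instance  = Get-CimInstance -Namespace $namespace -ClassName 'MDM_RemoteWipe' `
        -Filter "ParentID='./Vendor/MSFT' and InstanceID='RemoteWipe'"
    if (-not $instance) {
        throw 'MDM_RemoteWipe instance not found; the WMI Bridge must be called as Local System on Windows 10.'
    }

    # doWipeMethod takes one string parameter named "param"; empty selects a plain wipe.
    Invoke-CimMethod -InputObject $instance -MethodName 'doWipeMethod' -Arguments @{ param = '' } | Out-Null
    return $true
}

# Dry run: shows the ShouldProcess message and does not wipe.
Invoke-FactoryReset -WhatIf
```

Keep the -WhatIf call as the last line while testing; remove it only on a device you intend to reset.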


Testing Windows 10 Assigned Access


Based on the information in the article Set up a kiosk on Windows 10, it is possible to quickly set up a Windows 10 UWP app to run under Assigned Access.  From that article, I’ve outlined (below) the quick-start steps for testing purposes.

  1. Log in to Windows with an account that has local admin rights.
  2. Create a local user account (such as “kiosk”) with a password and do not grant the account local admin privileges.
  3. Sign out of Windows.
  4. Log in to Windows with the kiosk user account so that its profile is built.
  5. If the tablet has physical keyboard capabilities, switch that user to Tablet Mode and log out.  Otherwise, skip this step.
  6. Log in to Windows with the local admin account.
  7. Edit the registry to enable auto-logon of the kiosk account.
  8. Use the PowerShell script in the article to get the AUMID for the UWP app.
    • If you’re just looking for a quick example, use the MSN News app with ID Microsoft.BingNews_8wekyb3d8bbwe!AppexNews
  9. Using the AUMID from the previous step, run the PowerShell command in the article to give the kiosk user assigned access to your UWP app.
  10. Verify that the user was properly assigned to launch the application:
    • Start > Settings > Accounts > Family & other users
    • Under the “Other users” section, select “Set up assigned access”
    • Ensure the user shows the application
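Steps 2, 7, 8, 9 and 10 above as one script.  This is an added example, not the script from the linked article; run it from an elevated PowerShell session on the Windows 10 device after the kiosk account has signed in once (steps 3 to 5, which build the profile).  The account name and the MSN News AUMID from step 8 are the values assumed here.  The auto-logon registry values carry a caveat worth knowing before using them outside a lab: DefaultPassword is stored in clear text under HKLM and is readable by any local user, whereas the Sysinternals Autologon tool stores it as an LSA secret.

```powershell
# Added example (not from the linked article). Elevated session required.
$KioskUser = 'kiosk'                                         # assumed account name
$AppId     = 'Microsoft.BingNews_8wekyb3d8bbwe!AppexNews'    # MSN News AUMID from step 8

# Step 2: standard (non-admin) local account. The password is prompted for, not stored in the script.
$PlainPassword  = Read-Host -Prompt "Password for local account '$KioskUser'"
$SecurePassword = ConvertTo-SecureString -String $PlainPassword -AsPlainText -Force
if (-not (Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $KioskUser -Password $SecurePassword -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $KioskUser -ErrorAction SilentlyContinue
}

# Step 7: Winlogon auto-logon. DefaultPassword is clear text in HKLM (see the caveat above);
# acceptable for lab testing only.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon    -Value '1'
Set-ItemProperty -Path $Winlogon -Name DefaultUserName   -Value $KioskUser
Set-ItemProperty -Path $Winlogon -Name DefaultDomainName -Value $env:COMPUTERNAME
Set-ItemProperty -Path $Winlogon -Name DefaultPassword   -Value $PlainPassword

# Step 8: confirm the AUMID is actually present on this machine before assigning it.
$app = Get-StartApps | Where-Object { $_.AppID -eq $AppId }
if (-not $app) { throw "No installed app with AUMID $AppId; check the output of Get-StartApps." }

# Step 9: lock the kiosk account to that single app.
Set-AssignedAccess -UserName $KioskUser -AppUserModelId $AppId

# Step 10: verify the assignment (the same information the Settings page shows).
Get-AssignedAccess
```

If Get-AssignedAccess returns nothing, the usual cause is that the kiosk account has not yet signed in (step 4), so there is no profile for Assigned Access to bind to.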

Also, to sideload a UWP application, see this information: https://msdn.microsoft.com/en-us/windows/uwp/packaging/packaging-uwp-apps#sideload-your-app-package.

More information on best practices for developing UWP apps for Assigned Access: https://msdn.microsoft.com/en-us/library/windows/hardware/mt633799.aspx

Remove Universal Apps During ConfigMgr OSD


As part of a systems management strategy for Windows 10, many organizations may choose to uninstall Universal Apps.  During ConfigMgr OSD, this uninstall is commonly done with a simple PowerShell script (as shown below) that removes the targeted Universal Apps.  While this command does “remove” the Apps, as seen in the event log (Applications and Services Logs > Microsoft > Windows > AppXDeployment-Server), the Apps are regenerated upon the first logon of a user.

Get-AppXPackage -Name *bing* -AllUsers | Remove-AppXPackage

Furthermore, there is an option (UniversalAppUninstall) within a WICD Provisioning Package.  There are times when this option would be a better approach, but I have not been successful in getting it to uninstall Apps.  Unfortunately, information is scant on this topic.

A Solution

Looking around for others who may have found another means to address this situation, I found that Jörgen Nilsson (Microsoft MVP) has a PowerShell script which does completely remove those undesired Universal Apps.  The key difference is that his script uses the Remove-AppxProvisionedPackage cmdlet against the full package name, which removes the provisioned copy that Windows installs into each new user profile; Remove-AppxPackage alone only removes the copies already installed for existing users.

The AppsList variable that I use is:

$AppsList = "Microsoft.BingFinance",
            "Microsoft.BingNews",
            "Microsoft.BingWeather",
            "Microsoft.XboxApp",
            "Microsoft.SkypeApp",
            "Microsoft.MicrosoftSolitaireCollection",
            "Microsoft.BingSports",
            "Microsoft.ZuneMusic",
            "Microsoft.ZuneVideo",
            "Microsoft.Windows.Photos",
            "Microsoft.People",
            "Microsoft.MicrosoftOfficeHub",
            "Microsoft.WindowsMaps",
            "microsoft.windowscommunicationsapps",
            "Microsoft.Getstarted",
            "Microsoft.3DBuilder"

To execute the script as part of a ConfigMgr Task Sequence, place the script file in a classic Package and add a “Run PowerShell Script” step with the execution policy set to Bypass.
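The two-part removal described above in one function, written here as an added example (it is not Jörgen Nilsson’s script).  It deletes the provisioned package, which is what Windows lays down into every new profile, and then any copies already installed for existing users, which is all the original one-liner did.  Names are matched exactly against the list rather than with a wildcard such as *bing*, so a loose pattern cannot catch a package you meant to keep, and -WhatIf previews the result without removing anything.  The app list is the one from this post.

```powershell
# Added example (not the script referenced above). Run elevated, e.g. from the OSD task sequence.
function Remove-UniversalApps {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$AppsList)

    $removed = @()

    # 1. Provisioned packages: removing these stops the apps reappearing at first logon.
    foreach ($prov in Get-AppxProvisionedPackage -Online) {
        if ($AppsList -contains $prov.DisplayName) {
            if ($PSCmdlet.ShouldProcess($prov.PackageName, 'Remove provisioned package')) {
                Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName | Out-Null
                $removed += $prov.PackageName
            }
        }
    }

    # 2. Packages already installed for existing users (the part the one-liner above covers).
    foreach ($pkg in Get-AppxPackage -AllUsers) {
        if ($AppsList -contains $pkg.Name) {
            if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove installed package')) {
                Remove-AppxPackage -Package $pkg.PackageFullName -ErrorAction SilentlyContinue
                $removed += $pkg.PackageFullName
            }
        }
    }

    return $removed
}

# Same list as above
$AppsList = "Microsoft.BingFinance","Microsoft.BingNews","Microsoft.BingWeather","Microsoft.XboxApp",
            "Microsoft.SkypeApp","Microsoft.MicrosoftSolitaireCollection","Microsoft.BingSports",
            "Microsoft.ZuneMusic","Microsoft.ZuneVideo","Microsoft.Windows.Photos","Microsoft.People",
            "Microsoft.MicrosoftOfficeHub","Microsoft.WindowsMaps","microsoft.windowscommunicationsapps",
            "Microsoft.Getstarted","Microsoft.3DBuilder"

# Preview first; drop -WhatIf in the task sequence.
Remove-UniversalApps -AppsList $AppsList -WhatIf
```

The returned list of package names is handy to write to the task sequence log so the removal is auditable per image.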



ConfigMgr 2012 R2 PowerShell to Install SMP Role


In a recent customer engagement, we needed to mass deploy the State Migration Point (SMP) role to nearly 70 servers.  After completing about a dozen of these one by one, I thought PowerShell would be a much faster way to reach the end goal.  The script below can be used as an example for finding existing site systems that do not have the SMP role installed, while skipping servers with certain names (in this example, servers whose name begins with TEST).


Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
# Site code without the colon; the ConfigMgr PSDrive is the site code followed by ":"
$SiteCode = "GAL"
Set-Location "$($SiteCode):"

# Properties for the SMP role
$UsmtDrivePath       = "F:\USMT"
$MaxNumClients       = 100
$MinFreeSpace        = 3
$TimeDeleteAfterDays = 5

$SiteSystemServers = Get-CMSiteSystemServer
Write-Host $SiteSystemServers.Count

ForEach ($Server in $SiteSystemServers) {
    # NetworkOSPath is "\\server.fqdn"; strip the leading backslashes to get the server name
    $ServerName = $Server.NetworkOSPath.TrimStart('\')

    $CheckSMP = Get-CMSiteRole -RoleName "SMS State Migration Point" -SiteSystemServerName $ServerName

    # No role object returned means the SMP role is not installed
    If (-not $CheckSMP) {
        If ($ServerName.ToUpper().StartsWith("TEST")) {
            # Do nothing, skip this type of server
        } Else {
            Write-Host "No SMP Role, installing on" $ServerName

            $Folder = New-CMStorageFolder -StorageFolderName $UsmtDrivePath -MaximumClientNumber $MaxNumClients `
                -MinimumFreeSpace $MinFreeSpace -SpaceUnit Gigabyte

            Add-CMStateMigrationPoint -SiteSystemServerName $ServerName -StorageFolder $Folder `
                -AllowFallbackSourceLocationForContent $False -EnableRestoreOnlyMode $False -SiteCode $SiteCode `
                -TimeDeleteAfter $TimeDeleteAfterDays -TimeUnit Days
        }
    } Else {
        Write-Host "SMP Role installed, skipping server" $ServerName
    }
}

Finding ConfigMgr Collections with Queries


Using ConfigMgr 2012 R2 (and newer), the following PowerShell script can be used to identify which device collections have a query membership rule and which do not.


Import-Module ($Env:SMS_ADMIN_UI_PATH.Substring(0, $Env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
# Site code + ":"
Set-Location "GAL:"

$CollectionList = Get-CMDeviceCollection

ForEach ($Collection in $CollectionList) {
    # A collection can have several query rules; join the names so all of them are shown
    $RuleName = (Get-CMDeviceCollectionQueryMembershipRule -CollectionId $Collection.CollectionID).RuleName -join ', '

    If ([string]::IsNullOrEmpty($RuleName)) {
        Write-Host "NO Query: " $Collection.CollectionID "," $Collection.Name -ForegroundColor Red
    } Else {
        Write-Host "YES Query:" $Collection.CollectionID "," $Collection.Name ", Query name:" $RuleName
    }
}
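A broader version of the same report, added as an example and not part of the original post: it counts every membership rule type per device collection (query, direct, include and exclude) and writes the result to a CSV, so collections with no rules of any kind, which are usually leftovers, stand out.  The output path is an assumption.

```powershell
# Added example (not the original post's script). Run from a session where the ConfigMgr PSDrive is already current.
function Get-CollectionRuleSummary {
    foreach ($c in Get-CMDeviceCollection) {
        $id = $c.CollectionID
        # @() forces an array so .Count is 0 when a cmdlet returns nothing
        [pscustomobject]@{
            CollectionID = $id
            Name         = $c.Name
            QueryRules   = @(Get-CMDeviceCollectionQueryMembershipRule   -CollectionId $id).Count
            DirectRules  = @(Get-CMDeviceCollectionDirectMembershipRule  -CollectionId $id).Count
            IncludeRules = @(Get-CMDeviceCollectionIncludeMembershipRule -CollectionId $id).Count
            ExcludeRules = @(Get-CMDeviceCollectionExcludeMembershipRule -CollectionId $id).Count
        }
    }
}

$summary = Get-CollectionRuleSummary

# Collections with no membership rules at all
$summary | Where-Object { ($_.QueryRules + $_.DirectRules + $_.IncludeRules + $_.ExcludeRules) -eq 0 } |
    Format-Table CollectionID, Name -AutoSize

# Full report for review (assumed output path)
$summary | Export-Csv -Path 'C:\Temp\CollectionRules.csv' -NoTypeInformation
```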