PS: Remotely updating devices

I recently had to force a collection of PCs to update. They were configured using Windows Update for Business, and all the policies and settings were telling them when to update and how, yet they just hadn’t – whether there was something on the UI that the primary user was just ignoring, I’m not sure. Anyway, they were stuck on Windows 10 2004, and on the July update.

As they’re all configured for WUfB there wasn’t anything I could realistically do through Config Manager, besides maybe run these steps as a PowerShell script and push it out that way. Instead I decided to look at PSWindowsUpdate. In this post I’ll go through what I did, and share the scripts I used. My aim here was to get the rogue devices patched and updated to 21H1. I did still use Config Manager to help with this task – to wake devices using either the Client Notification > Wake, or the Recast Right Click Tools Wake on LAN feature. I’m not going to go into all the features of PSWindowsUpdate in any detail; there are plenty of good posts on the Internet about this already which can be found with a quick search.

The first step here was installing the PSWindowsUpdate module on the device I wanted to manage things from. While you can pass a Credentials parameter to these commands I found it much easier to just run the PowerShell window as an admin user (which has admin privileges on all target devices). I’ve assumed that in the scripts and not included a Credential parameter. We also need an array of computers that we wish to update.

Teams: Recover deleted team memberships

We recently had to perform the year-end tasks in Teams/SchoolDataSync which should be easy really – run through the cleanup process to archive all of last year’s teams, then update the SDS profiles with the new term dates, and resume syncing with the new data. Unfortunately ours messed up and removed all members from the archived teams – presumably as I forgot to hit “Reset Sync” before feeding it the new year’s data.

Luckily there’s a solution to get these memberships back – we need to go and search the Azure AD audit log for group membership removal events. Head to the Compliance Admin Centre > Audit > Audit Search, and search for the activity “Azure AD group administration: Removed member from group”. Put the date range in, and click Search. You should hopefully get some results, all performed by the ServicePrincipal account. If you click onto one of these results and examine the data, you’ll notice we can discover the username, team name and the team’s group ID, which is all contained in the JSON formatted data associated with the log entry.

Azure Cloud Shell

Azure Cloud Shell is a great feature which gives you a PowerShell (or Bash) window in the browser. Whilst you can’t access on-premises resources from the shell, you can manage anything cloud-based. By default there’s a huge selection of Azure modules loaded, plus things like Teams.

There’s no specific licensing for using the Cloud Shell – however you will need an Azure subscription and a storage account. This is required for it to store any settings, plus you can store your own scripts in this storage if you like.

The Cloud Shell is available from some of the admin portals, including:

  • Azure Portal
  • Office 365 Admin Centre
  • Exchange Admin Centre (new version)

Automatically syncing Teams/SharePoint libraries

There’s been a Group Policy setting to sync Team/SharePoint libraries for a while although last time I looked at it the functionality didn’t actually work yet – I think it was meant to be available from Windows 10 1909 but didn’t quite make it. Besides the fact that the setting didn’t do anything, all the documentation claimed it could take “up to 8 hours” for the library to appear in the user’s sync client/Explorer – clearly this is no use especially if you’re in an environment where people hot desk and share machines. I’ve had another look at it to see if it’s any better now.

Active Directory: Recovering Deleted Items

A while ago we accidentally deleted a leaving staff member’s account instead of disabling it – and pure bad luck means this particular member of staff came back a week later to cover a staff illness. Not wanting to have to re-create the account I discovered that the Active Directory Recycle Bin had not been enabled in the forest – oh no! Luckily we can still get the account back. Objects deleted in AD are tombstoned for 180 days (by default).

Automating Teams School Data Sync – iSAMS

My two SDS profiles, automatically updated from the MIS

I don’t like things that can’t be automated. I started looking at School Data Sync (SDS) last year, however the templates provided by iSAMS, which is our school Management Information System, just gave a set of CSVs and you had to manually click to get them, then click to upload them into SDS. Since iSAMS has an API, I thought this was a bit of a silly way of doing things – who wants to go through a manual process every time a pupil changes class? So instead I wrote my own PowerShell to pull the data through the iSAMS API, then run through the New-Team cmdlet to create a team per class, and populate it with teachers and students.

As we’re a school we need our new teams to be running the Edu_Class template, but the template parameter on New-Team only exists in the preview (and in Graph, on the beta endpoint) where it has much harsher limitations on how often and fast you can call it – a nightmare trying to call it in a loop. Anyway with the addition of “Start-Sleep 30” in the loop I eventually got them all created. However this time I am having another look at SDS and using Power Automate (previously known as Flow) to make the process completely automatic.

Wireless Guest Account Management

Wireless Guest Account creator – this is installed at both our receptions

One of my C# projects is an application to create guest accounts for the school wireless network. The wireless network is set up with 802.1X authentication, so we can log in using Active Directory user accounts.

The main parts of this system are:

  • Pass Generator application (C#) – creates the user accounts and prints tickets with instructions
  • Epson T88 based receipt printers – either USB or networked – to print the tickets
  • PowerShell script to clean up any old accounts

Delving into the “Last PXE Advertisement” flag

This post has actually come from having a look at the search queries coming up in my blog visit stats – “all active pxe flag deployements” – which seems like a good thing to look into.

If you’re trying to make a device collection you’ll find the LastPXEAdvertisement doesn’t appear to be available through the query builder UI. Here I’ll look into getting the data through PowerShell and then also putting it into a Device Collection within MEMCM.

PaperCut Print Release using RFID cards

RFID reader fitted to copier

A couple of years ago we replaced our copier fleet and moved to PaperCut MF, with a single print queue for the entire site and users had to go to their nearest copier and enter their code to release their printing. Almost perfect setup but people struggle to remember 5 digit codes, so I had a look at using their existing student/staff ID cards instead. We already sync Active Directory to PaperCut so the ideal solution would be storing the RFID codes in Active Directory, and using that data as the user’s login code in PaperCut.

Powershell Printer Script

Some detail is shown to the user, this form isn’t modal so won’t take over the screen, and if they close it the script carries on in the background.

Over the last 15 years I’ve tried pretty much every method of adding printers at logon there is – KiXtart script, VBS, Group Policy Preferences and PowerShell. As part of speeding up logon, and investigating a weird issue with Windows 10 printers, I moved away from GPP and to PowerShell shortly after we upgraded from Windows 8.1 to Windows 10.

The issue being – roughly 5% of the time, on random user/computer combinations, printers would take a long time adding and then fail to add, with a non-specific error message. My first go at this was a basic PowerShell script which had a hard-coded list of location/printer mappings, and it would run the “add printer” command repeatedly until the error went away. (It always added fine on the 2nd go). The problem with this is that it’s a complicated script for technicians to update, and being a single-threaded script the nice form it displays showing people what’s happening would freeze while it was working in the background.

My new script does the bulk of the work in background jobs – so printers add quicker (as it can do more than one at once), and the UI doesn’t lock up and freeze. More importantly, it uses Group Policy Preferences by reading the XML file generated and applies that – so technicians have the familiar interface for adding/removing printers from the script.