PS: Remotely updating devices

I recently had to force a collection of PCs to update – they were configured using Windows Update for Business, all the policies and settings were telling them when to update and how, yet they just hadn’t – whether there was something on the UI that the primary user was just ignoring, I’m not sure. Anyway they were stuck on Windows 10 2004, and on the July update.

As they’re all configured for WUfB there wasn’t anything I could realistically do through Config Manager, besides maybe run these steps as a PowerShell Script and push out that way. Instead I decided to look at PSWindowsUpdate. In this post I’ll go through what I did, and share the scripts I used. My aim here was to get the rogue devices patched and updated to 21H1. I did still use Config Manager to help with this task – to wake devices using either the Client Notification > Wake, or the Recast Right Click Tools Wake on LAN feature. I’m not going to go into all the features of PSWindowsUpdate in any detail, there are plenty of good posts on the Internet about this already which can be found with a quick search.

The first step here was installing the PSWindowsUpdate module on the device I wanted to manage things from. While you can pass a Credentials parameter to these commands I found it much easier to just run the PowerShell window as an admin user (which has admin privileges on all target devices). I’ve assumed that in the scripts and not included a Credential parameter. We also need an array of computers that we wish to update. Continue reading “PS: Remotely updating devices”

Teams: Recover deleted team memberships

We recently had to perform the year-end tasks in Teams/SchoolDataSync which should be easy really – run through the cleanup process to archive all of last year’s teams, then update the SDS profiles with the new term dates, and resume syncing with the new data. Unfortunately ours messed up and removed all members from the archived teams – presumably as I forgot to hit “Reset Sync” before feeding it the new year’s data.

Luckily there’s a solution to get these memberships back – we need to go and search the Azure AD audit log for group membership removal events. Head to the Compliance Admin Centre > Audit > Audit Search, and search for the activity “Azure AD group administration: Removed member from group”. Put the date range in, and click Search. You should hopefully get some results, all performed by the ServicePrincipal account. If you click onto one of these results and examine the data, you’ll notice we can discover the username, team name and the team’s group ID, which is all contained in the JSON formatted data associated with the log entry. Continue reading “Teams: Recover deleted team memberships”

Active Directory: Recovering Deleted Items

A while ago we accidentally deleted a leaving staff member’s account instead of disabling it – and pure bad luck means this particular member of staff came back a week later to cover a staff illness. Not wanting to have to re-create the account I discovered that the Active Directory Recycle Bin had not been enabled in the forest – oh no! Luckily we can still get the account back. Objects deleted in AD are tombstoned for 180 days (by default). Continue reading “Active Directory: Recovering Deleted Items”

Automating Teams School Data Sync – iSAMS

My two SDS profiles, automatically updated from the MIS

I don’t like things that can’t be automated. I started looking at School Data Sync (SDS) last year, however the templates provided by iSAMS, which is our school Management Information System, just gave a set of CSVs and you had to manually click to get them, then click to upload them into SDS. Since iSAMS has an API, I thought this was a bit of a silly way of doing things – who wants to go through a manual process every time a pupil changes class? So instead I wrote my own powershell to pull the data through the iSAMS API, then run through the New-Team cmdlet to create a team per class, and populate it with teachers and students.

As we’re a school we need our new teams to be running the Edu_Class template, but the template parameter on New-Team only exists in the preview (and in Graph, on the beta endpoint) where it has much harsher limitations on how often and fast you can call it – a nightmare trying to call it in a loop. Anyway with the addition of “Start-Sleep 30” in the loop I eventually got them all created. However this time I am having another look at SDS and using Power Automate (previously known as Flow) to make the process completely automatic.

Continue reading “Automating Teams School Data Sync – iSAMS”

CM: Delving into the “Last PXE Advertisement” flag

This post has actually come from having a look at the search queries coming up in my blog visit stats – “all active pxe flag deployements” – which seems like a good thing to look into.

If you’re trying to make a device collection you’ll find the LastPXEAdvertisement doesn’t appear to be available through the query builder UI. Here I’ll look into getting the data through PowerShell and then also putting it into a Device Collection within MEMCM. Continue reading “CM: Delving into the “Last PXE Advertisement” flag”

Automated shutdown of devices

Scheduled Tasks to shutdown pushed out through Group Policy Preferences

In a drive to reduce power usage, I’ve tried a few times over the years at a way to shutdown computers but not if they are in use. I’ve tried using scheduled tasks set to only run when idle – in reality this doesn’t really work as we tend to have quite a lot of mice that move ever so slightly on their own, so the PCs never think they are idle. Even wrote a client/server application where the client reports when someone logs on, logs off, or switches user and when prompted to shutdown by the server, the client asks the logged on user if they want to go a head or cancel. This worked fine for a while but when we updated to Windows 10 it stopped working and needed a lot of time spent on working out what had changed. So I moved away from that method. Continue reading “Automated shutdown of devices”

Powershell Printer Script

Some detail is shown to the user, this form isn’t modal so won’t take over the screen, and if they close it the script carries on in the background.

Over the last 15 years I’ve tried pretty much every method of adding printers at logon there is – KIXTART script, VBS, Group Policy Preferences and Powershell. As part of speeding up logon, and investigating a weird issue with Windows 10 printers, I moved away from GPP and to Powershell shortly after we upgraded from Windows 8.1 to Windows 10.

The issue being – roughly 5% of the time, on random user/computer combinations, printers would take a long time adding and then fail to add, with a non-specific error message. My first go at this was a basic powershell script which had a hard coded list of location/printer mapping, and it would run the “add printer” command repeatedly until the error went away. (It always added fine on the 2nd go). The problem with this is that it’s a complicated script for technicians to update, and being a single threaded script the nice form it displays showing people what’s happening would freeze while it was working in the background.

My new script does the bulk of the work in background jobs – so printers add quicker (as it can do more than one at once), and the UI doesn’t lock up and freeze. More importantly, it uses Group Policy Preferences by reading the XML file generated and applies that – so technicians have the familiar interface for adding/removing printers from the script.  Continue reading “Powershell Printer Script”

Removing Windows User Profiles

Just a quick one for today. I’m going through a bunch of laptops which have loads of old directories in C:\Users, in the form of Username, Username.Domain, Username.Domain.000, 001 etc. Most of these don’t exist as profiles if you query CIM for win32_userprofile (and aren’t in the registry at the HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList.

So I’ve knocked up a script which goes through the “official” profile list, deletes everything that isn’t System/LocalService/NetworkService or the user running the script, and then goes through clearing anything that is left on disk (excluding the above plus the Public folder). Continue reading “Removing Windows User Profiles”

Applying Teams Policies to a group

(Updated 4th Sept 2020: Use New-CsBatchPolicyPackageAssignmentOperation instead of Grant-CsUserPolicyPackage now)

Teams Policy Packages

I’ve recently needed to apply a PolicyPackage to a group of users (well 2 packages to 2 groups) using PowerShell – as the Teams Admin centre only allows you to apply to users by typing in all the names one at a time and pressing Add and discovered the New-CsGroupPolicyAssignment cmdlet, which looks good – however this applies a policy to a group, but I want to apply a policy package.

Instead we can use New-CsBatchPolicyPackageAssignmentOperation and pass it an array of UPNs (max 5000 in one go) along with the policy package name.
Continue reading “Applying Teams Policies to a group”

Powershell Remoting

I recently discovered one of my deployment scripts does not work on Win 10 1809 any more (it ran dism to install the dot Net Framework 3.5 – just errors out) however that the powershell version (Add-WindowsCapability) works fine. Had to get this rolled out to a handful of PCs ASAP in order for a legacy application to successfully run. As time was of the essence, I ended up running round the 24 PCs like an idiot, logging on and running the command, but I thought “Why don’t I just enable PS Remoting, then I could at least do this from my desk scripted”. Obviously the ideal solution would be to deploy the Netfx3 install via SCCM but PS Remoting will still be handy.

Continue reading “Powershell Remoting”