Lenovo BIOS Password Management

This post was updated on October 18th, 2020. This post discusses how to manage Lenovo BIOS passwords using WMI. My goal was to have a script that could change or clear existing passwords and could display a prompt to the screen when manual intervention was required. In this post, I’ll cover the basics of how the script works. I’ll also talk about some limitations of the script and some areas it could be improved in the future ...

July 8, 2019 · 12 min

Windows Customizations with PowerShell

The out of the box Windows 10 experience has improved over the years, but I still find most clients I work with want to make various tweaks and modifications to the default settings. In the past I would add these customizations to a Configuration Manager task sequence as individual steps. But I’m lazy, and I didn’t want to have to continually add each individual step over and over. Plus I like to keep task sequences shorter when I can. The solution was to create a PowerShell script that allows the admin to select which of the common Windows customizations to run in their environment. ...

June 26, 2019 · 3 min

Create and Print a Word Document with PowerShell

I was working with a client that had a requirement where each computer that was deployed needed to be paired with a physical document that had information about the computer. The solution I used to automate this process was to use a PowerShell script to take information from a running task sequence, then write and print a Word document. Here is a high-level outline of the process. Information about the computer and deployment is collected by a PowerShell script during the task sequence. The same PowerShell script then copies that information to a network share as a CSV file. A separate computer or server has a Windows Scheduled Task set to run a second PowerShell script on a schedule. The second PowerShell script takes any CSV files in the network location as input. It uses the data from the CSV files to build a Word document and then sends that document to a printer. This is the script that runs during the task sequence to collect information and write it to a CSV file on a network share. This example script is collecting the Serial Number, Asset Tag, and Computer Model. ...

April 25, 2019 · 4 min

Update Compliance Log Analytics Queries

Lately I have been helping many people with moving their update workloads from Configuration Manager and WSUS to Windows Update for Business. The one thing I get the most questions about with the move to Windows Update for Business is how to monitor update compliance. The computers are now pointing to the internet for updates, and as a result, no longer report update compliance information to Configuration Manager or WSUS. The answer to this is the Update Compliance solution in Azure Log Analytics. ...

April 10, 2019 · 5 min

Management Point Root CA Trust Issue (HTTP 403)

I was setting up a Configuration Manager environment in HTTPS mode and I was running into issues with the server selecting a client authentication certificate. I was seeing these messages in the MPControl.log. I was seeing this message in the IIS log. I was getting a 2148204809 error which translates to A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. That told me something was wrong with the root CA trust. Some searching online brought up a few useful posts on the subject. ...

April 6, 2019 · 1 min

Microsoft LAPS Step by Step - Part 1

This is an updated version of a post I made on the Now Micro blog last year. The original version of this post can be read Here. Why is Local Administrator Password Management Needed? The question of how to deal with users having administrative rights on computers or other network resources is one that has many different answers and has evolved over time. While the scenarios around network and domain administrative access may be more complex, the local administrative rights scenario should be very similar for almost everyone. ...

April 2, 2019 · 7 min

Microsoft LAPS Step by Step - Part 2

This post is the second part of a two-part series on configuring and deploying the Microsoft Local Administrator Password Solution (LAPS). The First Post covered the steps needed to configure Active Directory to support LAPS. This post will cover the steps needed to enable the LAPS functionality on devices. In order for the local administrator password to be randomized on devices, two conditions need to be met. The client needs to have a group policy object linked that enables LAPS. The client needs to have the LAPS group policy client-side extensions installed so it knows what LAPS is. Configure Group Policy to Deploy LAPS Settings: Group Policy is used to configure LAPS settings and to enable the LAPS functionality on targeted devices. The LAPS settings can be added to an existing group policy object, however in this example, a new group policy object will be created to deploy the settings. ...

April 2, 2019 · 7 min

Create Configuration Manager Antimalware Policies with PowerShell

As I spend time working in many different Configuration Manager environments, I find myself regularly needing to create Antimalware Policies. Most of the settings in the antimalware policies can be configured quickly, however the setting that always takes me the most time is the Exclusion Settings. There need to be different policies with different exclusion settings for different types of devices. Each of these separate policies has 3 different areas for adding file paths, file types, and processes. And for some reason, unknown to me, the dialog window for adding exclusions has a 260 character limit. This means that even if all the exclusion settings are in a list, you can’t just copy the whole list in at once. All this adds up to make this process time-consuming and inconsistent. ...

March 24, 2019 · 4 min

Create Windows Firewall Rules for AppData Executables

I was recently deploying an application that required Windows Firewall rules to be created for an executable that ran from each user’s AppData folder. The way I accomplished this was to use a combination of PowerShell scripts and the Windows Task Scheduler. I created two PowerShell scripts for this solution. Create_Scheduled_Task.ps1 and Create_Firewall_Rules.ps1. The Create_Scheduled_Task.ps1 script copies the Create_Firewall_Rules.ps1 script to a subfolder in C:\Users\Public and creates a scheduled task to run that script each time a user logs onto the computer. You will need to set the $appName, $scriptName, and $folderPath variables. ...

March 14, 2019 · 3 min

Modify Local Administrators Membership

I encountered a scenario where I needed to add or remove domain users from the local administrators group on an individual computer basis. The Run Script feature in Configuration Manager worked great for this. I used an Add script and a Remove script. Both scripts have a $Member parameter that takes the name of a domain user or group and adds it to or removes it from the local administrator group on selected computers. ...

March 13, 2019 · 1 min