Nov 23 2014
 

The detection script below does the following:

  • Determines if virtual memory is automatically managed. The desired configuration according to the script is that the pagefile should be managed manually (true can be changed to false if you want to go the automagic route).
  • If the pagefile is not automatically managed, the script determines if the size of the page file is at least double the amount of visible physical memory.

I’m working on a remediation script, but for now I figured I would share the love.

# This script simply checks to see if Windows is handling the page file
# automagically. Then if no, it verifies to make sure that the swap file
# is set at or over twice the available memory. 

$system = Get-WmiObject -Class Win32_ComputerSystem

if ($system.AutomaticManagedPagefile -eq $true) {
    Write-Host FALSE
} else {
    # Both values are reported in kilobytes. TotalVirtualMemorySize is
    # physical memory plus paging space.
    $mem = Get-WmiObject -Class Win32_OperatingSystem | Select-Object TotalVisibleMemorySize,TotalVirtualMemorySize

    [int64]$vismem = $mem.TotalVisibleMemorySize
    [int64]$vrtmem = $mem.TotalVirtualMemorySize

    if ($vrtmem -ge ($vismem * 2)) {
        Write-Host TRUE
    } else {
        Write-Host FALSE
    }
}
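
The script above compares `TotalVirtualMemorySize`, which Windows reports as physical memory plus paging space. As an added example (not the author's script), this variant measures the paging files themselves through `Win32_PageFileUsage.AllocatedBaseSize`; the function name `Test-PageFileSize` and the sample figures are constructed for illustration.

```powershell
# Added example, not from the original post. The function name is hypothetical.
function Test-PageFileSize {
    param(
        [bool]$AutomaticManaged,        # Win32_ComputerSystem.AutomaticManagedPagefile
        [int64]$VisibleMemoryKB,        # Win32_OperatingSystem.TotalVisibleMemorySize (KB)
        [int64[]]$AllocatedBaseSizeMB   # Win32_PageFileUsage.AllocatedBaseSize (MB), one per paging file
    )
    if ($AutomaticManaged) { return $false }
    if (-not $AllocatedBaseSizeMB) { return $false }    # no paging file configured

    # Sum every paging file and convert MB to KB so the units match.
    $pageFileKB = ($AllocatedBaseSizeMB | Measure-Object -Sum).Sum * 1024
    return ($pageFileKB -ge ($VisibleMemoryKB * 2))
}

# Constructed inputs: 8 GB of RAM with a 16 GB paging file, then with an 8 GB one.
Write-Host (Test-PageFileSize $false 8388608 @(16384))
Write-Host (Test-PageFileSize $false 8388608 @(8192))

# Live check on the local machine, printed in the TRUE/FALSE form used above.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$os = Get-WmiObject -Class Win32_OperatingSystem
$pf = @(Get-WmiObject -Class Win32_PageFileUsage | ForEach-Object { $_.AllocatedBaseSize })
$ok = Test-PageFileSize $cs.AutomaticManagedPagefile $os.TotalVisibleMemorySize $pf
Write-Host ($ok.ToString().ToUpper())
```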

 

Nov 11 2014
 

Here is a way for you to keep your EMIE site list up to date using a CI (configuration item). Enterprise Mode IE is Microsoft’s method for allowing backwards compatibility with sites that do not fully support Internet Explorer 11’s Edge mode. I don’t go into detail about how to set up EMIE; more information on how to set it up can be found via MSDN.

First we start with the detection script. This script returns the version number of your site list XML. Be sure to replace the $file string listed with the correct path and file name of your EMIE list XML.

 
# EMIE XML Version Check (Detection) Script for CM12 Compliance Settings
# by Robert Hollingshead

# November 11th, 2014
# Find more CM12 Compliance Setting scripts at occurative.com!

# Suppress error messages.
$ErrorActionPreference = "SilentlyContinue"

# Enter the path and name of the XML file here. 
$file = '{enter path and filename here}'

# Get the XML Content and then unwrap its tags into individual lines.
# We could leave out the split method and just go by the entire InnerXml,
# but IMHO, this way makes more sense and is friendly to ANY 
# odd modifications of the remediation script should they be needed. 

Try {
    [xml]$sites = Get-Content $file
    $unwrappedsites = $sites.innerxml.split('</>')

    # Look for the rules version, split out the line, 
    # and output the second string which will be the
    # version itself. 

    ForEach($line in $unwrappedsites) {
        if ($line -like "*rules version*") {
            write-host $line.split('"')[1]
            break
        }
    }

    # If the split of $sites failed, we'll catch it and
    # spit out version 0 to indicate the file doesn't exist.

} catch {
    write-host 0
}

The detection script is going to return the current version of the XML file on the client, not a true or false. So your compliance rule will be equal to the version you want all your clients to be at. Getting clients to that version is done via this remediation script. First, there are two values that must be changed: the $version and the $file strings. $version will be equal to the version you want all your clients to be at. Make sure you have it set to the same version as in your compliance rule or you’ll never be compliant. The second is the $file string, which will be the same as in the detection script.

Next you will add all the domains. There are four lines beginning with “$domain = New-Object PSObject.” We are building an array of domains along with whether each is to be excluded from or included in EMIE. Each domain will be a TLD. True means “exclude this site from EMIE” and is useful for preventing an intranet site from running in compatibility mode. False means “include this site in EMIE” and is useful for placing a site on the internet in compatibility mode, or if the site is setting its compatibility via META tag and you wish to override. Here is the script; stay tuned after the script for a few notes.

# EMIE XML Update (Remediation) Script for CM12 Compliance Settings
# by Robert Hollingshead

# November 11th, 2014
# Find more CM12 Compliance Setting scripts at occurative.com!

# This script keeps your EMIE (Enterprise Mode IE 11) XML up to date.

# Enter the resultant version here. This is your XML list version.
# Increment when there are changes. 
# Make sure that you change the compliance rule to match. 
$version = "{enter version number here}"

# Enter the path and name of the XML file here. 
$file = '{enter path and filename here}'

# Setup Array for domains and the resulting xml 

[system.array]$domains = $null
[system.array]$sitesxml = $null

#Add domain here.
#False indicates that EMIE should run for non-intranet site. 
#False also indicates that EMIE should run for intranet sites that are saying they are
#compatible via server meta tag.
#True indicates that EMIE should not run for intranet site. 
# Copy the following four lines for each new domain. Don't forget to increment the version
# if you make any changes. 
$domain = New-Object PSObject
$domain | Add-Member -membertype noteproperty -Name Domain -Value "{tld like microsoft.com}"
$domain | Add-Member -membertype noteproperty -Name Exclude -Value "{false or true}"
$domains = $domains + $domain


#Now let's write out the XML. We build an array that will be written out to file. 

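# Compile the version line and the opening EMIE tag.
# Layout follows the EMIE site list schema:
# <rules version="N"><emie><domain exclude="true|false">domain</domain></emie></rules>
$line = '<rules version="' + $version + '">'
$sitesxml = $line
$line = '  <emie>'
$sitesxml = $sitesxml + $line

# Compile the domain tags.
ForEach ($domain in $domains) {
    $line = '    <domain exclude="' + $domain.Exclude + '">' + $domain.Domain + '</domain>'
    $sitesxml = $sitesxml + $line
}

# Compile the closing tags.
$line = '  </emie>'
$sitesxml = $sitesxml + $line
$line = '</rules>'
$sitesxml = $sitesxml + $line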

# Output to the file. 
$sitesxml | out-file $file

write-host TRUE

Obviously there is some room for improvement in this script. While I can include TLDs right now, I cannot include subdomains just yet; that ability will be forthcoming in another update of this script, or if you wish to update it yourself and contribute back, that is fine too.
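
An added example, not part of the author's scripts: the same site list written with XmlWriter, which escapes markup characters in domain values, and the version read back through the XML DOM instead of string splitting. It assumes the rules/emie/domain layout of the EMIE site list; the function names, the temporary file name and the sample domains are constructed for illustration.

```powershell
# Added example, not from the original scripts. Sample domains are constructed.
function Write-EmieSiteList {
    param([string]$Path, [string]$Version, [object[]]$Domains)
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true
    $writer = [System.Xml.XmlWriter]::Create($Path, $settings)
    try {
        $writer.WriteStartElement('rules')
        $writer.WriteAttributeString('version', $Version)
        $writer.WriteStartElement('emie')
        foreach ($d in $Domains) {
            $writer.WriteStartElement('domain')
            $writer.WriteAttributeString('exclude', ([string]$d.Exclude).ToLower())
            $writer.WriteString([string]$d.Domain)   # markup characters are escaped
            $writer.WriteEndElement()
        }
        $writer.WriteEndElement()   # </emie>
        $writer.WriteEndElement()   # </rules>
    } finally {
        $writer.Close()
    }
}

function Get-EmieSiteListVersion {
    param([string]$Path)
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.XmlResolver = $null   # never fetch DTDs or external entities
        $doc.Load($Path)           # throws if the file is missing or malformed
        $root = $doc.DocumentElement
        if ($root.Name -eq 'rules' -and $root.HasAttribute('version')) {
            return $root.GetAttribute('version')
        }
        return '0'
    } catch {
        return '0'                 # same "no usable list" signal as the detection script
    }
}
# Round trip against a temporary file (full path: .NET ignores the PowerShell location).
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'emie-demo.xml'
$list = @(
    @{ Domain = 'intranet.example';   Exclude = $true  },
    @{ Domain = 'legacy-app.example'; Exclude = $false }
)
Write-EmieSiteList -Path $demo -Version '3' -Domains $list
Write-Host (Get-EmieSiteListVersion -Path $demo)
Write-Host (Get-EmieSiteListVersion -Path "$demo.missing")
Remove-Item $demo
```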

Enjoy!

Nov 06 2014
 

As I learn more about writing SQL queries, I have discovered that revisiting a utility script, such as one that I have modified previously, and then adding to or rewriting it again, is a very fun exercise.

In this incarnation of my PC Fleet Vitals query script, I have added both a chassis type and a very rough video card lookup. There’s probably a better way to look up video cards, but the table I build in this query works for now. It isn’t showing some built-in cards unfortunately, but it can catch discrete video cards like NVIDIA. It would be worth it to modify that little bit to your own environment, and perhaps contribute snippets back to me so I can add to the table. 🙂

The table for chassis type is lifted from John Marcum’s answer to a chassis lookup table question in this TechNet forum thread. I can’t claim that little snippet of query for my own, but it is quite useful for translating chassis type codes over to human-readable form.

Enjoy, and please by all means let me know if you find this useful or if there’s something you think I should add.

-- PC Profile query for CM12
-- By Robert Hollingshead (roberthollingshead.net)
-- 
-- Profile of all PC's in your environment with Processor, Hard Drive, Chassis type, Memory, etc. 
-- Now includes video card, but this is experimental and may need tweaking by you. 


select distinct

CS.Manufacturer0 [Make],
CS.Model0 [Model],
CH.Chassis [Chassis],
CS.Name0 [Hostname], 
-- Replace {your domain here} below with YOURDOMAIN\
replace(CS.UserName0,'{your domain here}','') [Primary User],
REPLACE(SUBSTRING(USR.manager0,4,CHARINDEX(',OU',USR.manager0,3)-4),'\,',',') [Manager],
OS.Caption0 [OS],
OS.InstallDate0 [Image Date],
cast(CPU.MaxClockSpeed0/1000.00 as decimal(10,2)) [Speed (GHz)],
CPU.Name0 [CPU],
CPU.NumberOfCores0 [Cores],
CPU.IsHyperthreadCapable0 [Hyperthread],
DSK.Caption0 [HDD],
cast(DSK.Size0/1000.00 as decimal(10,2)) [HDD Capacity (GB)],
cast(LDSK.Size0/1000.00 as decimal(10,2)) [C Size (GB)],
cast(LDSK.FreeSpace0/1000.00 as decimal(10,2)) [C Free (GB)],
cast((LDSK.FreeSpace0 * 100.00)/(LDSK.Size0 * 1.00) as decimal(10,2)) [C %Free],
cast(OS.TotalVirtualMemorySize0/1000.000 as decimal(10,3)) [Virtual Memory (GB)],
cast(OS.TotalVisibleMemorySize0/1000.000 as decimal(10,3)) [Visible Memory (GB)],
vid.Description0 as [Display Controller]

from v_GS_COMPUTER_SYSTEM CS

left join v_GS_PROCESSOR CPU on CS.ResourceID = CPU.ResourceID
left join v_GS_DISK DSK on CS.ResourceID = DSK.ResourceID
left join v_GS_OPERATING_SYSTEM OS on CS.ResourceID = OS.ResourceID
left join v_GS_SYSTEM SYS on CS.ResourceID = SYS.ResourceID
left join v_GS_LOGICAL_DISK LDSK on CS.ResourceID = LDSK.ResourceID
left join v_R_User USR on CS.UserName0=USR.Unique_User_Name0

-- This creates a table of display drivers. It is very customized so it may need adjustments later.
left join (
select distinct * from dbo.v_GS_PNP_DEVICE_DRIVER PNPDD

where (Manufacturer0 like 'nvidia' and Name0 not like '%audio%')
		or (PNPDD.Name0 like '%graphics%' and PNPDD.PNPDeviceID0 not like 'ROOT\LEGACY%')
		or (PNPDD.Name0 like '%vga%' and DeviceID0 not like 'ROOT\LEGACY_VGASAVE%' and PNPDD.Name0 not like '%usb%'))
	  VID on CS.ResourceID=VID.ResourceID

-- This creates a table of chassis types.
-- Based on John Marcum's answer to a chassis lookup table in the following forum:
-- https://social.technet.microsoft.com/Forums/systemcenter/en-US/7abf9a9a-a160-4462-9676-3028957944b4/creating-a-chassis-type-lookup-table-in-sccm-db?forum=configmgrreporting
left join (select 

			CS.Name0,
			Chassis = CASE SE.ChassisTypes0
			WHEN '1' THEN 'Other' WHEN '2' THEN 'Unknown' 
			WHEN '3' THEN 'Desktop' WHEN '4' THEN 'Low Profile Desktop'
			WHEN '5' THEN 'Pizza Box' WHEN '6' THEN 'Mini-Tower' 
			WHEN '7' THEN 'Tower' WHEN '8' THEN 'Portable' 
			WHEN '9' THEN 'Laptop' WHEN '10' THEN 'Notebook' 
			WHEN '11' THEN 'Hand Held' WHEN '12' THEN 'Docking Station' 
			WHEN '13' THEN 'All-in-One' WHEN '14' THEN 'Sub Notebook' 
			WHEN '15' THEN 'Space Saving Chassis' WHEN '16' THEN 'Lunch Box' 
			WHEN '17' THEN 'Main System Chassis' WHEN '18' THEN 'Expansion Chassis' 
			WHEN '19' THEN 'Sub Chassis' WHEN '20' THEN 'Bus Expansion Chassis' 
			WHEN '21' THEN 'Peripheral Chassis' WHEN '22' THEN 'Storage Chassis' 
			WHEN '23' THEN 'Rack Mounted Chassis' WHEN '24' THEN 'Sealed-Case PC' 
			WHEN '25' THEN 'Tablet PC'
			END

			from v_GS_SYSTEM_ENCLOSURE SE

			left join v_GS_COMPUTER_SYSTEM CS on SE.ResourceID=CS.ResourceID
		  ) CH on CS.Name0=CH.Name0

where 
SYS.SystemRole0 like 'Workstation'  and
LDSK.Caption0 like 'C:' and
DSK.DeviceID0 like '\\.\PHYSICALDRIVE0'


-- order by Make, Model, Hostname
order by [Make],[Model],[Hostname]

Nov 05 2014
 

EDIT 11/10/14: I found and corrected a bug in the detection script. There is a chance in certain configurations that the detection script might miss cards. I modified it so that wouldn’t happen.

The following detection and remediation scripts are designed to be placed as compliance settings into a configuration item in CM12. They are heavily modified from an original PowerShell function published on the TechNet gallery. Where the original PowerShell script is a run-once affair, these two scripts will enable you to establish compliance on all desktops, laptops, and especially servers where it is generally not a good idea to power manage your NICs.

I recommend testing before deployment. Note that the remediation script will run and the detection script will show compliance, but where the original script could force a reboot, the remediation script here does no such thing. This is intentional as I believe it would be better in practice to let the compliant machines reboot through other means, such as during a patch cycle or when the end user shuts down for the evening.

The detection script (copy and paste, the lines will remain intact):

# NIC Power Management Detection Script for CM12 Compliance Settings

# Based off of the script found at https://gallery.technet.microsoft.com/scriptcenter/Disable-turn-off-this-f74e9e4a
# Modified by Robert Hollingshead
# November 10th, 2014
# Find more CM12 Compliance Setting scripts at occurative.com!

# This script detects power management status for all physical NICs.

#Original scripts comments:
#find only physical network,if value of properties of adaptersConfigManagerErrorCode is 0,  it means device is working properly. 
#even covers enabled or disconnected devices.
#if the value of properties of configManagerErrorCode is 22, it means the adapter was disabled. 

# This is to calculate compliance. $SettingChecksum counts non-compliant NICs; if it is still 0 at the end then all NICs are compliant.
$SettingChecksum = 0
$NICCount = 0

$PhysicalAdapters = Get-WmiObject -Class Win32_NetworkAdapter|Where-Object{$_.PNPDeviceID -notlike "ROOT\*" `
	-and $_.Manufacturer -ne "Microsoft" -and $_.ConfigManagerErrorCode -eq 0 -and $_.ConfigManagerErrorCode -ne 22} 
	
Foreach($PhysicalAdapter in $PhysicalAdapters) {
	$PhysicalAdapterName = $PhysicalAdapter.Name
	
    #check the unique device id number of network adapter in the current environment.
	$DeviceID = $PhysicalAdapter.DeviceID
	If([Int32]$DeviceID -lt 10) {
		$AdapterDeviceNumber = "000"+$DeviceID
		} Else {
		$AdapterDeviceNumber = "00"+$DeviceID
	}

	#check whether the registry path exists.
	$KeyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\$AdapterDeviceNumber"
	
    If(Test-Path -Path $KeyPath) {
		$PnPCapabilitiesValue = (Get-ItemProperty -Path $KeyPath).PnPCapabilities
		If($PnPCapabilitiesValue -eq 0){
			#This adapter isn't compliant!
            $SettingChecksum++		
		}
		If($PnPCapabilitiesValue -eq $null) {
            #This adapter isn't compliant!
		    $SettingChecksum++				
		}
    }			
}


# Are we compliant?
If ($SettingChecksum -eq 0) {
    write-host TRUE
    } else {
    write-host FALSE
}

The remediation script (copy and paste, the lines will remain intact):

# NIC Power Management Remediation Script for CM12 Compliance Settings

# Based off of the script found at https://gallery.technet.microsoft.com/scriptcenter/Disable-turn-off-this-f74e9e4a
# Modified by Robert Hollingshead
# November 5th, 2014
# Find more CM12 Compliance Setting scripts at occurative.com!

# This script turns off power management for all physical NICs.

#Original scripts comments:
#find only physical network,if value of properties of adaptersConfigManagerErrorCode is 0,  it means device is working properly. 
#even covers enabled or disconnected devices.
#if the value of properties of configManagerErrorCode is 22, it means the adapter was disabled. 

$PhysicalAdapters = Get-WmiObject -Class Win32_NetworkAdapter|Where-Object{$_.PNPDeviceID -notlike "ROOT\*" `
-and $_.Manufacturer -ne "Microsoft" -and $_.ConfigManagerErrorCode -eq 0 -and $_.ConfigManagerErrorCode -ne 22} 
	
Foreach($PhysicalAdapter in $PhysicalAdapters) {
    
    $InterfaceChecksum++
	$PhysicalAdapterName = $PhysicalAdapter.Name
		
    # Check the NIC ID Number.
	
    $DeviceID = $PhysicalAdapter.DeviceID
	
	If([Int32]$DeviceID -lt 10) {
		$AdapterDeviceNumber = "000"+$DeviceID
	} Else {
		$AdapterDeviceNumber = "00"+$DeviceID
	}
		
	# See if the registry path exists.
	$KeyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\$AdapterDeviceNumber"
		
    If(Test-Path -Path $KeyPath) {
		$PnPCapabilitiesValue = (Get-ItemProperty -Path $KeyPath).PnPCapabilities
		If($PnPCapabilitiesValue -eq 0){
			#setting the value of properties of PnPCapabilites to 24, it will disable save power option.
			Set-ItemProperty -Path $KeyPath -Name "PnPCapabilities" -Value 24 | Out-Null			
		}
		If($PnPCapabilitiesValue -eq $null) {
                #setting the value of properties of PnPCapabilites to 24, it will disable save power option.
				New-ItemProperty -Path $KeyPath -Name "PnPCapabilities" -Value 24 -PropertyType DWord | Out-Null				
		}
	}		
}

write-host TRUE

 

I am always open to improvements to these scripts. If you find something that could use improvement just let me know via the comments below!