Use Group Policy to force Windows 10 clients to pull updates from SCCM, but allow Microsoft Store

THE PROBLEM: My company is shifting control of our Windows Updates from WSUS to SCCM. At Techmentor this year, I got the vibe that MS is looking to deprecate WSUS long-term, and that the best options for companies to deploy updates going forward are either to use Windows Update for Business (WUfB), or SCCM. Wanting the extra control and reporting that SCCM offers, that is the route we chose. However, finding reliable and up-to-date info on how best to utilize the available controls is a frustrating task at the time of writing this article (Sept 2017) – especially because MS has been changing around their own verbiage (Rings? Channels? Branches?) and releasing new Group Policy admx templates so frequently.

THE CHALLENGE: Configure Windows 10 clients in the following manner:

  • Pull Windows 10 updates from SCCM
  • DO NOT pull updates from Windows Update internet servers
  • ALLOW access to Microsoft Store

THE SOLUTION: The following Group Policy settings:

  • To force clients to check in with SCCM:
    • Computer Configuration/Administrative Templates/Windows Components/Windows Update/Configure Automatic Updates = ENABLED
    • Computer Configuration/Administrative Templates/Windows Components/Windows Update/Specify intranet Microsoft update service location = ENABLED
      • Set the intranet update service for detecting updates: enter the correct server address and port
      • Set the intranet statistics server: enter the correct server address and port
  • To prevent clients from pulling updates from Windows Update internet servers:
    • Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings/Turn off access to all Windows Update features = ENABLED
  • You must also make sure the following is set to NOT CONFIGURED or DISABLED:
    • Computer Configuration/Administrative Templates/Windows Components/Windows Update/Do not connect to any Windows Update Internet locations
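
A quick way to confirm that a client actually received these settings is to read the policy registry values the ADMX templates write. The script below is an added example, not part of the original post; the server URL is a placeholder, and the value names are the ones the listed policies set (NoAutoUpdate and UseWUServer under the AU subkey; WUServer, WUStatusServer, DisableWindowsUpdateAccess and DoNotConnectToWindowsUpdateInternetLocations under the WindowsUpdate policy key).

```powershell
# Added example (not from the original post): confirm on a Windows 10 client that the
# policies listed above were applied, by reading the registry values the ADMX templates write.
# Assumptions: run elevated (HKLM policy keys); $ExpectedWsusUrl is a placeholder for the
# SCCM software update point URL you entered in the policy, including the port.
param(
    [string]$ExpectedWsusUrl = 'http://sccm-sup.example.local:8530'   # placeholder, replace
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the value (or the whole key) is absent, i.e. the policy is Not Configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Format-Expected($Expect) {
    $labels = foreach ($v in @($Expect)) { if ($null -eq $v) { 'Not configured' } else { "$v" } }
    $labels -join ' or '
}

# One row per policy from the post: the value it writes and the state we expect to find.
$checks = @(
    @{ Policy = 'Configure Automatic Updates';                             Path = $auKey; Name = 'NoAutoUpdate';                                  Expect = 0 }
    @{ Policy = 'Specify intranet Microsoft update service location';      Path = $auKey; Name = 'UseWUServer';                                   Expect = 1 }
    @{ Policy = 'Intranet update service for detecting updates';           Path = $wuKey; Name = 'WUServer';                                      Expect = $ExpectedWsusUrl }
    @{ Policy = 'Intranet statistics server';                              Path = $wuKey; Name = 'WUStatusServer';                                Expect = $ExpectedWsusUrl }
    @{ Policy = 'Turn off access to all Windows Update features';          Path = $wuKey; Name = 'DisableWindowsUpdateAccess';                    Expect = 1 }
    # Must stay Not Configured ($null) or Disabled (0) so the Microsoft Store keeps working.
    @{ Policy = 'Do not connect to any Windows Update Internet locations'; Path = $wuKey; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Expect = @($null, 0) }
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    # A list of acceptable values means "any of these"; a scalar must match exactly.
    $ok = if ($c.Expect -is [array]) { $c.Expect -contains $actual } else { $actual -eq $c.Expect }
    $actualLabel = if ($null -eq $actual) { 'Not configured' } else { "$actual" }
    [pscustomobject]@{
        Policy   = $c.Policy
        Value    = $c.Name
        Actual   = $actualLabel
        Expected = Format-Expected $c.Expect
        OK       = $ok
    }
}

$results | Format-Table -AutoSize
if ($results.OK -contains $false) {
    Write-Warning 'One or more Windows Update policies differ from the intended configuration.'
}
```

Run it on a client after a `gpupdate /force`; any row with OK = False points at the policy to revisit. The last row is the one to watch: the post needs DoNotConnectToWindowsUpdateInternetLocations left Not Configured or Disabled, because enabling it would undo the "allow Microsoft Store" requirement above.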

ManageEngine ADManager Plus: Automatically Create Hybrid Office 365 Accounts

THE PROBLEM: We have a hybrid Office 365 and on-prem Exchange environment and needed a better way to handle creating accounts for newly on-boarded users. The old workflow was as follows:

  1. Help Desk technician creates on-prem Exchange and AD account using EMC
  2. DirSync must occur (either automatically or by PowerShell on a configured Exchange server) to sync the AD account to our cloud tenant
  3. Exchange team migrates the mailbox to the cloud tenant
  4. Account is ready to be set up on a workstation

THE CHALLENGE: Trim the fat on the above workflow to save time and effort being spent on a relatively mundane task

THE SOLUTION(S): This actually required blending ManageEngine’s product AD Manager Plus and some custom scripting. ADManager is exactly what it sounds like — a web-based portal that connects to your Active Directory and allows you to automate account management and easily audit AD. Although you can use ADManager to manage some aspects of Office 365 (like assigning/removing licenses and creating accounts in your cloud tenant), we found that even accounts that were created as “DirSync Enabled” Hybrid accounts would not work nicely with Autodiscover, and e-mail flow would not be complete externally. The only way to fix this is to edit the attributes of the AD account using ADSI Edit or something equivalent. Since the goal was to reduce overhead and NOT to add more complexity, we needed a way to automate this step as well. Enter PowerShell and the Enable-RemoteMailbox cmdlet. By calling the below .ps1 script during account creation (which is a built-in functionality of ADManager), we can fully automate account creation without having to involve the Exchange team and reduce what could take as long as a couple of days, depending on workload, to a matter of minutes.

THE SCRIPT: Click here to see it on pastebin
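
The following is an example of the kind of .ps1 ADManager can call at account creation, written here as an added illustration rather than the post's pastebin script. It assumes the Exchange Management Shell cmdlets (Get-User, Enable-RemoteMailbox, Get-RemoteMailbox) are available on the host, that $SamAccountName is passed in by ADManager, and that the routing domain is a placeholder for your tenant's .mail.onmicrosoft.com coexistence domain.

```powershell
# Added example (not the post's pastebin script): enable a remote (cloud) mailbox for a newly
# created hybrid AD account so the on-prem Exchange attributes are stamped correctly, instead of
# editing them by hand in ADSI Edit.
# Assumptions: runs where the Exchange Management Shell is installed; $TenantRoutingDomain is a
# placeholder for your tenant's coexistence domain (the one ending in .mail.onmicrosoft.com).
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,          # supplied by ADManager at creation
    [string]$TenantRoutingDomain = 'contoso.mail.onmicrosoft.com'   # placeholder, replace
)

# Load the Exchange cmdlets if this is not already an Exchange Management Shell session.
if (-not (Get-Command Enable-RemoteMailbox -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction Stop
}

$user = Get-User -Identity $SamAccountName -ErrorAction Stop

# Idempotent: a plain AD user has RecipientType 'User'; anything else already has an on-prem
# mailbox, a mail user or a remote mailbox, so re-running the script on it changes nothing.
if ($user.RecipientType -ne 'User') {
    Write-Output "Skipping $SamAccountName : RecipientType is already $($user.RecipientType)"
    return
}

$alias = $user.SamAccountName
$remoteRoutingAddress = "$alias@$TenantRoutingDomain"

# Enable-RemoteMailbox writes the remote recipient type, the targetAddress (RemoteRoutingAddress)
# and the proxy addresses, which is what Autodiscover and external mail flow depend on.
Enable-RemoteMailbox -Identity $user.DistinguishedName -Alias $alias -RemoteRoutingAddress $remoteRoutingAddress -ErrorAction Stop | Out-Null

$rm = Get-RemoteMailbox -Identity $user.DistinguishedName
Write-Output "Enabled remote mailbox for $($rm.PrimarySmtpAddress); routing to $($rm.RemoteRoutingAddress)"
```

A directory sync still has to run before the mailbox exists in the tenant, as in step 2 of the old workflow; what the script removes is the manual attribute editing and the hand-off to the Exchange team.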

Upgrading any version of Microsoft Office to Office 365 Click-to-Run using SCCM 2012

THE PROBLEM: My shop recently purchased E4 licensing and we are in the process of converting our infrastructure from local Exchange to hosted, along with upgrading the Office suite on all of our workstations to Office 365 click-to-run. Our users are currently spread across several versions of MS Office. Most are running 2010, some are still on 2007, newer users have been given MSI 2013, and there are even some legacy 2003 installs out there. On top of that, we are rolling out Skype for Business 2015 as included in E4. Some of our groups of users have been piloting Lync/Skype with the free “basic” version of the application (Lync Basic or Lync Entry depending on who you ask). We need to upgrade these users to the full version as well. Sounds painful, I know.

THE CHALLENGE(S): Create an SCCM 2012 Application that will automatically handle any of the following:

  1. Uninstalling Lync Basic 2013
  2. Uninstalling Skype for Business Basic 2015
  3. Uninstalling Office 2003
  4. Uninstalling Office 2007
  5. Uninstalling Office 2010
  6. Uninstalling Office 2013
  7. Installing Office 365 using click-to-run CAB files and custom XML

THE SOLUTION: Microsoft’s Office Scrub utilities (2003/2007/2010 and 2013), different device collections based on hardware inventories that query all the different use-cases (ex: Office 2010; Office 2010 w/Lync Basic; Office 2007; Office 2013; Office 2013 w/Lync Basic), some basic batch scripting, and LOTS of trial and error testing. Keep on reading to find out exactly how I did this.

OS X: AppleScript to Rename Mac and Bind to Active Directory

The Challenge: As part of our deployment process for Macs in an AD environment, technicians are expected to rename the computer using a combination of Preferences panes as well as command line. The steps involved are considerably more tedious than joining AD on a Windows machine.

The Solution: An AppleScript application that accomplishes all of the following:

  • Set Computer Name (normally done in Sharing prefs)
  • Set Local Host Name (normally done in Sharing prefs)
  • Set NetBIOS name (normally done in Network prefs)
  • Verify FQHN
  • Set system HostName (normally done via Terminal with scutil)
  • Bind to AD (normally done through Directory Utility)

Below is the script! OR, click here for pastebin!


PowerShell: AD Report for computer accounts not logged in for 30+ days

The following PS script will query a given AD OU for computer accounts that have not been logged into for at least 30 days, export them to a CSV, and e-mail the CSV as an attachment. This script assumes you have an SMTP server configured for email relay. Otherwise, you could simply export it to a CSV and leave it at that. I’m lazy, and prefer to run this as a scheduled task every day, so I have an automated audit.

See below for script, or click here for pastebin!
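
Since the script itself is linked rather than shown, here is an added example of the same approach (not the post's own script). It assumes the RSAT ActiveDirectory module and an SMTP relay are available; the OU, SMTP server and addresses are placeholders. It goes slightly beyond the post by also listing accounts that have never logged on, and by noting the replication granularity of the attribute the report relies on.

```powershell
# Added example (not the post's pastebin script): report computer accounts in an OU whose
# LastLogonDate is older than $Days days, write them to CSV and e-mail the CSV as an attachment.
# Assumptions: RSAT ActiveDirectory module is installed; $SearchBase, $SmtpServer, $From and $To
# are placeholders for your environment.
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=local',  # placeholder
    [int]$Days = 30,
    [string]$SmtpServer = 'smtp.example.local',                   # placeholder
    [string]$From = 'ad-audit@example.local',                     # placeholder
    [string]$To = 'helpdesk@example.local',                       # placeholder
    [string]$Csv = "$env:TEMP\StaleComputers.csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

$cutoff = (Get-Date).AddDays(-$Days)

# LastLogonDate is the module's conversion of lastLogonTimestamp, which domain controllers only
# replicate roughly every 14 days, so the true last logon can be up to 14 days more recent than
# reported. Accounts with no LastLogonDate at all have never logged on and are flagged as 'never'.
$computers = Get-ADComputer -SearchBase $SearchBase -Filter * -Properties LastLogonDate, OperatingSystem |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Select-Object Name, DNSHostName, OperatingSystem, Enabled,
        @{ n = 'LastLogonDate';  e = { if ($_.LastLogonDate) { $_.LastLogonDate } else { 'never' } } },
        @{ n = 'DaysSinceLogon'; e = { if ($_.LastLogonDate) { [int]((Get-Date) - $_.LastLogonDate).TotalDays } else { $null } } } |
    Sort-Object Name

$computers | Export-Csv -Path $Csv -NoTypeInformation -Encoding UTF8

$summary = "$($computers.Count) computer account(s) in $SearchBase have not logged on in $Days+ days (cutoff $($cutoff.ToShortDateString()))."
Write-Output $summary

# Mail the CSV through the relay; omit this block if you only want the file.
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject "Stale AD computers ($Days+ days)" -Body $summary -Attachments $Csv
```

The Enabled column is worth keeping in the report: a stale account that is still enabled is the one an attacker could reuse, whereas an already-disabled one is only clutter, so it is the enabled rows that should drive the disable-or-delete decision.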


TeamViewer: Deploy on OS X standard image

If you work in an enterprise shop with a sizable number of Macs, and use TeamViewer for remote management, then like me, you might be looking for a way to deploy the unattended host module to your endpoints.

TeamViewer’s engineers offer nice ways of deploying to Windows machines (using AD GPOs, or a custom MSI installer, which is what I use). I use this as a post-flight task in my Kace K2000 after deploying a disk image. On the Macs, however, deployment requires attention from an admin to configure the unattended password, which does not scale to dozens or hundreds of Mac endpoints. I have engaged TV support several times wondering what support there is for Macs…and there basically isn’t any.

My Method:

  • Install TeamViewer Host on the “golden image”
  • Delete the preferences file located here: /Library/Preferences/com.teamviewer.teamviewer9.plist
  • Shut down the computer and capture your image
  • When you deploy the image, and log in for the first time, you should be prompted by TeamViewer to set a password for unattended access.

While annoying because it requires attention to configure, it’s the most automated way I have come up with. Hopefully this helps someone “solve” this problem!

OS X: Automatic Rsync to Network Volume

BACKGROUND: Our Windows machines use a combination of Folder Redirect and Offline Files (pushed out via GPO) to sync our users’ ‘My Documents’ folders to a network share. From there, the network share(s) get backed up. In combining this with training the users to save important work related data to their ‘My Documents’ folders, we have a nice little automated backup system. However, this does nothing for our Mac users.

CHALLENGE: Find a way to sync data from Mac users’ ~/Documents folders to our file server. Portable Home Directories (PHDs) took too long, and didn’t handle errors well.

SOLUTION: A bash script that checks for connectivity to the server, mounts the destination folder, and runs rsync to perform a differential copy of the ~/Documents folder. I call this using the launchd framework.

Click below to see the script, or click here for pastebin!
