How to identify ConfigMgr collections that take long to refresh

I’ve put together the below PowerShell script this week to identify collections in ConfigMgr that require the longest time to refresh. If you ever experience a decrease in ConfigMgr collection update performance, you might want to run this script to find potential collections that have a long refresh duration.

 

Thanks to Roger Zander and Claude Henchoz for the SQL query to find these collections.

PowerShell Script to retrieve content from Internet Explorer ActiveX blocking log

In preparation of the Internet Explorer out of date ActiveX control blocking activities I wrote the below script that retrieves the content of the log stored under LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv

You can download the script from here

 

New IE Group Policy Settings for blocking out-of-date ActiveX controls

As anounced by Microsoft last week on their IEBlog Internet Explorer will start blocking out of date ActiveX controls For managed environments there are updated administrative templates for Internet Explorer to control the behaviour of the ActiveX blocking feature.

Although the link brings you to a site called “Administrative Templates for Internet Explorer 11” the settings are set to work for Internet Explorer 8,9, 10 and 11. If you haven’t updated your administrative templates since a while, beware of the missing IE maintenance settings.

The new settings are located under Computer Configuration or User Configuration | Administrative Templates | Windows Components | Internet Explorer | Security Features | Add-In Management

Setting

Description

Turn on ActiveX control logging in Internet Explorer

This policy setting determines whether Internet Explorer saves log information for ActiveX controls.

If you enable this policy setting, Internet Explorer logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.

If you disable or don’t configure this policy setting, Internet Explorer won’t log ActiveX control information.

Note that you can turn this policy setting on or off regardless of the “Turn off blocking of outdated ActiveX controls for Internet Explorer” or “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” policy settings.

For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library.

Remove “Run this time” button for outdated ActiveX controls in Internet Explorer

This policy setting allows you to stop users from seeing the “Run this time” button and from running specific outdated ActiveX controls in Internet Explorer.

If you enable this policy setting, users won’t see the “Run this time” button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.

If you disable or don’t configure this policy setting, users will see the “Run this time” button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once.

For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library.

Turn off blocking of outdated ActiveX controls for Internet Explorer

This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.

If you disable or don’t configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.

For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library.

Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains

This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won’t be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:

1. “domain.name.TLD”. For example, if you want to include *.contoso.com/*, use “contoso.com”
2. “hostname”. For example, if you want to include http://example, use “example”
3. “file:///path/filename.htm”. For example, use “file:///C:/Users/contoso/Desktop/index.htm”

If you disable or don’t configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.

For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library.

At the registry side the settings are as following (User or Computer)

  • Software\Microsoft\Windows\CurrentVersion\Policies\Ext|AuditModeEnabled
  • Software\Microsoft\Windows\CurrentVersion\Policies\Ext|RunThisTimeEnabled
  • Software\Microsoft\Windows\CurrentVersion\Policies\Ext|VersionCheckEnabled
  • Software\Microsoft\Windows\CurrentVersion\Policies\Ext|ListBox_DomainAllowlist

PowerShell Script – Get-CMInstalledSoftware

ConfigMgr 2012 comes with a lot of build-in reports, but often it just does not contain all the information I want. Creating a custom report takes more time than just writing a script.

The Get-CMInstalledSoftware script retrieves all computers that have the specified software installed. Like it? Get your copy of the script from here

 

 

Have a good day

PowerShell Script – Get Group Policy events by CorrelationID

Update: 22. August 2014: I have posted an updated version of the script here.

During his Group Policy: Notes from the Field – Tips, Tricks, and Troubleshooting session at TechEd Group Policy MVP Jeremy Moskowitz demonstrates how to filter the event log using the correlation ID. Now because I love using PowerShell I thought I create a function for that using Jeremy’s XMLquery.

 

Greetings form the sunny beaches at Sardinia.

ConfigMgr – How to find the Application Name for a ContentID

While reviewing ConfigMgr status messages for clients reporting problems acquiring package content (Message ID 10025) I found some code snippets on sccmfaq.ch that maps the ContentID to the name of the application. As i had to do several lookups, I decided to create a function for it.

SNAGHTML11ce803

ConfigMgr – PowerShell Script to list Image Binary Delta Replication Setting

Here’s a script that lists all Boot and Operating system images stored within Configuration Manager and shows whether the Binary Delta Replication Setting is enabled or not.

SNAGHTML3132c3

 

New Group Policy Settings for Office 365

On April 28th 2014 Microsoft finally released an fix for the Office 2013 SP1 Office customization tool as the version released with SP1 caused some issues with Lync 2013 and OneDrive for Business. But there’s more in this update.A few new Group Policy settings for Office 365 are included as well.

SNAGHTML7561b1

Important. These new Group Policy settings only apply to Office 365 (click to run installations) and not to Office 2013 MSI based installations. The reason for this is because the settings relate to the update mechanism that’s build in to the Office 365 product.

These are the new settings

Setting Description
Hide Update Notifications

This policy setting allows you to hide notifications to users that updates to Office are available.

When automatic updates are enabled for Office, in most cases updates are applied automatically in the background without any user input. However, updates can’t be applied if an Office program is open. If an Office program is open, other attempts are made to apply the updates at a later time. If, after several days, updates haven’t been applied, only then will users see a notification that an update to Office is available.

If you enable this policy setting, users won’t see notifications that updates to Office are ready to be applied.

If you disable or don’t configure this policy setting, users will see notifications that updates to Office are ready to be applied.

This policy setting does not apply to notifications associated with update deadlines.

Important:  This policy setting only applies to Office products that are installed by using Click-to-Run. It doesn’t apply to Office products that use Windows Installer (MSI).

Update Deadline

This policy setting allows you to set a deadline by when updates to Office must be applied.

Prior to the deadline, users will receive multiple reminders to install the updates. If Office isn’t updated by the deadline, the updates are applied automatically. If any Office programs are open, they’ll be closed, which might result in data loss.

We recommend that you set the deadline at least a week in the future to allow users time to install the updates.

If you enable this policy setting, you set the deadline in the format of MM/DD/YYYY HH:MM in Coordinated Universal Time (UTC). For example, 05/14/2014 17:00.

If you disable or don’t configure this policy setting, no deadline is set, unless you specify one by using the Office Deployment Tool.

You can use this policy setting with the Target Version policy setting to ensure that Office is updated to a particular version by a particular date.

The deadline only applies to one set of updates. If you want to ensure that Office is always up-to-date, you need to update the deadline in this policy setting every time a new update for Office is available.

Important:  This policy setting only applies to Office products that are installed by using Click-to-Run. It doesn’t apply to Office products that use Windows Installer (MSI).

Update Path

This policy setting allows you to specify the location where Office will get updates from.

If you enable this policy setting, you can specify one of the following for the update location:  a network share, a folder on the local computer where Office is installed, or an HTTP address. Mapped network drives aren’t supported.

If you enable this policy setting, but you leave the update location blank, Office will get updates from the Internet.

If you disable or don’t configure this policy setting, Office will get updates from the Internet, unless you specify a different location by using the Office Deployment Tool.

Important: This policy setting only applies to Office products that are installed by using Click-to-Run. It doesn’t apply to Office products that use Windows Installer (MSI).

Target Version

This policy setting allows you to specify a version number that you want to update Office to.  For example, version 15.0.4551.1512.

If you enable this policy setting, you specify the version that you want to update Office to. The next time Office looks for updates, Office will try to update to that version. The version must be available where Office is configured to look for updates (for example, on a network share).

If you enable this policy setting, but you leave the version blank, Office is updated to the most current version that’s available at the update location for Office.

If you disable or don’t configure this policy setting, Office is updated to the most current version that’s available at the update location for Office, unless you specify a different version by using the Office Deployment Tool.

Important:  This policy setting only applies to Office products that are installed by using Click-to-Run. It doesn’t apply to Office products that use Windows Installer (MSI).

The latest Office 2013 Administrative Template files (ADMX/ADML) and Office Customization Tool released on 28.04.2014 can be downloaded from here

PowerShell Script – List Scheduled Tasks

Here’s a simple script I put together to list the scheduled tasks including the description, status and whether the task is set to hidden or not. When deploying a new operating system I find it important to understand what scheduled tasks are enabled to run, as sometimes there might be some potential to improvie the systems performance by disabling those you feel are not needed in your environment.

Within the Scheduled Tasks UI, by default you will not see the contents of Tasks that are set to hidden. But this can be enabled. Open the Task Scheduler with taskschd.msc and within the View Menu select “Show Hidden Tasks”.

2014-04-28_16h41_50

Managing Windows Defender / System Center Endpoint Security with PowerShell

I just read a blog post from Ed Wilson (Scripting Guy) about Use PowerShell to Configure Windows Defender Preferences and wondered if there’s more here. And yes there is. If you have a default insallation of Windows 8 and have defender enabled or work in an enterprise environment and use Configuration Manager with the  System Center Endpoint Security agent deployed on your clients then you the below listed cmdlets available.

Windows Defender

To get a list of all available Defender cmdlets just run the following command within a powershell console

Get-command -Module defender

System Center Endpoint Protection

For a list of all available SCEP cmdlets, run the following command within a powershell console.

Get-command -Module MpProvider

If no cmdlets are returned try first loading the module using the following command
Import-Module “$env:ProgramFiles\Microsoft Security Client\MpProvider”

You will notice that the cmdlet names are quite similar, the only difference is that the cmdlets for SCEP have “Prot” within the name.

Windows Defender System Center Endpoint Protection
Cmdlet ModuleName Cmdlet ModuleName
Add-MpPreference Defender Add-MProtPreference MpProvider
Get-MpComputerStatus Defender Get-MProtComputerStatus MpProvider
Get-MpPreference Defender Get-MProtPreference MpProvider
Get-MpThreat Defender Get-MProtThreat MpProvider
Get-MpThreatCatalog Defender Get-MProtThreatCatalog MpProvider
Get-MpThreatDetection Defender Get-MProtThreatDetection MpProvider
Remove-MpPreference Defender Remove-MProtPreference MpProvider
Remove-MpThreat Defender Remove-MProtThreat MpProvider
Set-MpPreference Defender Set-MProtPreference MpProvider
Start-MpScan Defender Start-MProtScan MpProvider
Update-MpSignature Defender Update-MProtSignature MpProvider

So what can we do here?

Update definitions

Antivirus and Spyware definitions can be updates as following:

Update-MProtSignature -UpdateSource MicrosoftUpdateServer

Starting a Scan

To start a scan use the following command. Available Scantypes are QuickScan, FullScan and CustomScan)

Start-MProtScan -ScanType QuickScan

When using the CustomScan option an the path must be provied using the -Scanpath parameter

Computer Protection Status

Computer protection status information is retrieved with the following command

Get-MpComputerStatus

Defender / SCEP Settings

Configuration settings can be gathered using

Get-MProtPreference

Find information about actual threat

To find out information about an actual threat on a client, run

Get-MProtThreat

2014-04-08_15h06_33

Removing Threats

Although there is a Remove-MProtThreat cmdlet, it doesn’t seem to recognize the active threat, as i received the following message when executing it.

2014-04-08_15h13_13

Configuration Changes

For configuratin settings, please refer to Ed Wilson’s blog post Use PowerShell to Configure Windows Defender Preferences

That’s it for today, now it has stopped raining and the sun starts to shine, so let’s get out of here Smile