Use PowerShell to find all collections where the specified device has a membership

Yesterday I deployed a computer with ConfigMgr and then wondered why it got certain software installed. And so another script was born.

The Get-CMCollectionOfDevice command retrieves all collections where the specified device has a membership

image

The Script can be downloaded from here

 

Analysing the file content of Windows Installer files using PowerShell

A few weeks ago we have started with the preparation for introducing Microsoft Office 2013 and Internet Explorer 11. As with every introduction of new software it’s all about compatibility. During the course of testing applications we were informed that some of them caused an issue due to hard coded paths. Each application is going to be installed anyway so that application owners can conduct testing, but at the same time I thought, it would be nice if we could identify potentially affected applications upfront without having to go through an actual install.

Here’s an example of an application that has a hard coded path to Microsoft Office 2010. The Directory is defined as Office14 which translates to the Office 2010 Installation directory.
SNAGHTMLeaddfff

As most of you probably know, a Windows Installer file is a database that contains all the necessary information for the installation of an application. In order to query the files referenced within the Windows Installer database, we have to look at the following database tables.

Let’s start with the File Table. In the below example we see that this Application consists of two files. The File Table contains the following attributes: File, Component_, FileName, FileSize, Version, Language, Attributes and Sequence.

SNAGHTMLebbd2f5

To find out in which directory this file installs, we first have to look at the Component table which has the following attributes: Component, ComponentId, Directory_, Attributes, Condition and KeyPath.

SNAGHTMLebf68cd

To link these two tables, we use the FileName attribute of the file table and Component attribute of the Component table. So far we know that the file iPublish_.dotm.lnk is going to be stored into the STARTUP folder. Now we only need to find out where the STARTUP folder is going to be, so we are going to look at the Directory table.

SNAGHTMLec3abc6

And there it is, the STARTUP directory. But we still don’t know where the file is going to be stored, as we first need to resolve the other Directory entries. If you study the directory table for a while, you notice that there is some logic in here.

SNAGHTMLec5a08f

To link the Directory table with the File and Component data, we join the Component table Directory_ attribute with the Directory table Directory attribute. However this still doesn’t give us the information where the file is going to be stored on the system, unless we would try to resolve the various entries within the Directory table, that to be honest would end up in a complex script (at least for me).

But then I found this forum post on stackoverflow discussing how to resolve MSI paths programmatically by calling the CostInitialize and CostFinalize Actions. The result of calling these actions is that the full file paths are resolved.

So now that we know what pieces need to be tied together, let’s turn this into a PowerShell script. I had a few challenges here. When calling the Windows installer object to invoke the CostInitialize and CostFinalize actions directly from within the PowerShell script that contains the Get-MSIFileInfo function, the Windows installer session would not close. So had to launch this in a separate process and then process the results within the calling script. This is why you find a complete PowerShell script defined in the $launchmsiscript variable.

When running the function against one or multiple Windows installer databases, the results are exported into a text file containing the following attributes for each file.

MSIFileFullname
MSIProductName
MSIProductVersion
Manufacturer
MSIProductCode
File
Component
FileName
FileSize
Version
Directory
Directory_Parent
DefaultDir
TargetPath

Example:
image

The entire script can be downloaded from here

 

Use PowerShell to Troubleshoot Group Policy

While I was on vacation last summer Ed Wilson aka Microsoft Scripting Guy asked me if I would like to write a guest post for the Hey Scripting Guy Blog. Of course !! was my immediate response.

And here it is:
Weekend Scripter: Use PowerShell to Troubleshoot Group Policy

The script referenced can be downloaded from here
http://gallery.technet.microsoft.com/scriptcenter/Get-GPProcessingTime-a124aaf5

How to identify ConfigMgr collections that take long to refresh

I’ve put together the below PowerShell script this week to identify collections in ConfigMgr that require the longest time to refresh. If you ever experience a decrease in ConfigMgr collection update performance, you might want to run this script to find potential collections that have a long refresh duration.

 

Thanks to Roger Zander and Claude Henchoz for the SQL query to find these collections.

PowerShell Script to retrieve content from Internet Explorer ActiveX blocking log

In preparation of the Internet Explorer out of date ActiveX control blocking activities I wrote the below script that retrieves the content of the log stored under LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv

You can download the script from here

 

New IE Group Policy Settings for blocking out-of-date ActiveX controls

As anounced by Microsoft last week on their IEBlog Internet Explorer will start blocking out of date ActiveX controls For managed environments there are updated administrative templates for Internet Explorer to control the behaviour of the ActiveX blocking feature.

Although the link brings you to a site called “Administrative Templates for Internet Explorer 11” the settings are set to work for Internet Explorer 8,9, 10 and 11. If you haven’t updated your administrative templates since a while, beware of the missing IE maintenance settings.

The new settings are located under Computer Configuration or User Configuration | Administrative Templates | Windows Components | Internet Explorer | Security Features | Add-In Management

Setting

Description

Turn on ActiveX control logging in Internet Explorer

This policy setting determines whether Internet Explorer saves log information for ActiveX controls.

If you enable this policy setting, Internet Explorer logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.

If you disable or don’t configure this policy setting, Internet Explorer won’t log ActiveX control information.

Note that you can turn this policy setting on or off regardless of the “Turn off blocking of outdated ActiveX controls for Internet Explorer” or “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” policy settings.

For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library.

Remove “Run this time” button for outdated ActiveX controls in Internet Explorer

This policy setting allows you to stop users from seeing the “Run this time” button and from running specific outdated ActiveX controls in Internet Explorer.

If you enable this policy setting, users won’t see the “Run this time” button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.

If you disable or don’t configure this policy setting, users will see the “Run this time” button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once.

For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library.

Turn off blocking of outdated ActiveX controls for Internet Explorer

This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.

If you disable or don’t configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.

For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library.

Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains

This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won’t be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:

1. “domain.name.TLD”. For example, if you want to include *.contoso.com/*, use “contoso.com”
2. “hostname”. For example, if you want to include http://example, use “example”
3. “file:///path/filename.htm”. For example, use “file:///C:/Users/contoso/Desktop/index.htm”

If you disable or don’t configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.

For more information, see “Outdated ActiveX Controls” in the Internet Explorer TechNet library.

At the registry side the settings are as following (User or Computer)

  • Software\Microsoft\Windows\CurrentVersion\Policies\Ext|AuditModeEnabled
  • Software\Microsoft\Windows\CurrentVersion\Policies\Ext|RunThisTimeEnabled
  • Software\Microsoft\Windows\CurrentVersion\Policies\Ext|VersionCheckEnabled
  • Software\Microsoft\Windows\CurrentVersion\Policies\Ext|ListBox_DomainAllowlist

PowerShell Script – Get-CMInstalledSoftware

ConfigMgr 2012 comes with a lot of build-in reports, but often it just does not contain all the information I want. Creating a custom report takes more time than just writing a script.

The Get-CMInstalledSoftware script retrieves all computers that have the specified software installed. Like it? Get your copy of the script from here

 

 

Have a good day

PowerShell Script – Get Group Policy events by CorrelationID

Update: 22. August 2014: I have posted an updated version of the script here.

During his Group Policy: Notes from the Field – Tips, Tricks, and Troubleshooting session at TechEd Group Policy MVP Jeremy Moskowitz demonstrates how to filter the event log using the correlation ID. Now because I love using PowerShell I thought I create a function for that using Jeremy’s XMLquery.

 

Greetings form the sunny beaches at Sardinia.

ConfigMgr – How to find the Application Name for a ContentID

While reviewing ConfigMgr status messages for clients reporting problems acquiring package content (Message ID 10025) I found some code snippets on sccmfaq.ch that maps the ContentID to the name of the application. As i had to do several lookups, I decided to create a function for it.

SNAGHTML11ce803

ConfigMgr – PowerShell Script to list Image Binary Delta Replication Setting

Here’s a script that lists all Boot and Operating system images stored within Configuration Manager and shows whether the Binary Delta Replication Setting is enabled or not.

SNAGHTML3132c3