My Useful SCCM Queries

You can find lots of these lists on various blogs, but I wanted to share some of the more useful non-standard queries I use.


Quick and dirty list of clients to show primary user and OS:

select SMS_R_System.LastLogonUserName, SMS_R_System.Name, SMS_R_System.LastLogonTimestamp, SMS_R_System.operatingSystem, SMS_G_System_COMPUTER_SYSTEM.SystemType from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId


Bitlocker – Unencrypted Clients:

select SMS_R_System.Name, SMS_R_System.LastLogonUserName from SMS_R_System inner join SMS_G_System_ENCRYPTABLE_VOLUME on SMS_G_System_ENCRYPTABLE_VOLUME.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ENCRYPTABLE_VOLUME.DriveLetter = "C:" and SMS_G_System_ENCRYPTABLE_VOLUME.ProtectionStatus = 0


Bitlocker – Encrypted Clients:

select SMS_R_System.Name, SMS_R_System.LastLogonUserName from SMS_R_System inner join SMS_G_System_ENCRYPTABLE_VOLUME on SMS_G_System_ENCRYPTABLE_VOLUME.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ENCRYPTABLE_VOLUME.DriveLetter = "C:" and SMS_G_System_ENCRYPTABLE_VOLUME.ProtectionStatus = 1


Bitlocker – TPM Info for Unencrypted Machines:

select SMS_R_System.Name, SMS_R_System.LastLogonUserName, SMS_G_System_TPM.* from SMS_R_System inner join SMS_G_System_ENCRYPTABLE_VOLUME on SMS_G_System_ENCRYPTABLE_VOLUME.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_TPM on SMS_G_System_TPM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_ENCRYPTABLE_VOLUME.DriveLetter = "C:" and SMS_G_System_ENCRYPTABLE_VOLUME.ProtectionStatus = 0
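
The BitLocker queries above only return machines that reported a C: volume with ProtectionStatus 0 or 1. The script below is an added example, not part of the original queries: it buckets clients into encrypted, unencrypted, status unknown (ProtectionStatus = 2), and clients with no encryptable-volume inventory at all, which the inner joins silently drop. The site server name and site code are placeholders, and it assumes WinRM access to the SMS Provider.

```powershell
# Added example: BitLocker coverage summary pulled from the SMS Provider.
# $SiteServer and $SiteCode are placeholders (assumptions); set them for your site.
param(
    [string]$SiteServer = 'sccm01.example.local',  # hypothetical SMS Provider host
    [string]$SiteCode   = 'XXX'                    # placeholder site code
)

$ns = "root\SMS\site_$SiteCode"

# Runs one WQL query against SMS_R_System, limited to machines with a client installed.
function Get-SystemsWhere {
    param([string]$Where)
    $wql = "select Name, LastLogonUserName from SMS_R_System " +
           "where SMS_R_System.Client = 1 and $Where"
    Get-CimInstance -ComputerName $SiteServer -Namespace $ns -Query $wql
}

# Subselect listing every resource that has reported an encryptable C: volume.
$volume = 'select SMS_G_System_ENCRYPTABLE_VOLUME.ResourceID ' +
          'from SMS_G_System_ENCRYPTABLE_VOLUME ' +
          'where SMS_G_System_ENCRYPTABLE_VOLUME.DriveLetter = "C:"'
$status = 'SMS_G_System_ENCRYPTABLE_VOLUME.ProtectionStatus'

# ProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown.
$buckets = [ordered]@{
    Encrypted   = "SMS_R_System.ResourceId in ($volume and $status = 1)"
    Unencrypted = "SMS_R_System.ResourceId in ($volume and $status = 0)"
    Unknown     = "SMS_R_System.ResourceId in ($volume and $status = 2)"
    NoInventory = "SMS_R_System.ResourceId not in ($volume)"
}

$report = foreach ($bucket in $buckets.GetEnumerator()) {
    foreach ($sys in Get-SystemsWhere -Where $bucket.Value) {
        [pscustomobject]@{
            Status   = $bucket.Key
            Name     = $sys.Name
            LastUser = $sys.LastLogonUserName
        }
    }
}

# Counts per bucket, then every machine that is not confirmed encrypted.
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object Status -ne 'Encrypted' | Sort-Object Status, Name
```

A large NoInventory bucket usually means the encryptable volume class is not enabled in hardware inventory or clients are not reporting, so the Unencrypted list alone understates exposure.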


Hardware – Desktops:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_SYSTEM_ENCLOSURE on SMS_G_System_SYSTEM_ENCLOSURE.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes in ("3","4","6","7")


Hardware – Laptops:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_SYSTEM_ENCLOSURE on SMS_G_System_SYSTEM_ENCLOSURE.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes in ('8', '9', '10', '11', '12', '14', '18', '21')


Hardware – Microsoft Surfaces:

select SMS_R_System.Name, SMS_R_System.LastLogonUserName from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model like "%Surface%"


Hardware – Physical Servers:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_SYSTEM_ENCLOSURE on SMS_G_System_SYSTEM_ENCLOSURE.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes in ('17', '22', '23', '28')


Hardware – Virtual Machines:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System
inner join SMS_G_System_COMPUTER_SYSTEM on
SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_COMPUTER_SYSTEM.Model like "%Virtual%"


Installed Role – Domain Controller:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
FROM SMS_R_System
INNER JOIN SMS_G_System_COMPUTER_SYSTEM ON
SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId
WHERE SMS_G_System_COMPUTER_SYSTEM.Roles LIKE "%Domain_Controller%"


Installed Role – Hyper-V:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_SERVICE on SMS_G_System_SERVICE.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_SERVICE.DisplayName like "Hyper-V Virtual Machine Management"


Preventative – Clients with <10gb Free Space

select SMS_R_System.Name, SMS_R_System.LastLogonUserName, SMS_G_System_LOGICAL_DISK.FreeSpace from SMS_R_System inner join SMS_G_System_LOGICAL_DISK on SMS_G_System_LOGICAL_DISK.ResourceID = SMS_R_System.ResourceId where SMS_G_System_LOGICAL_DISK.DeviceID = "C:" and SMS_G_System_LOGICAL_DISK.FreeSpace <= 10000


Preventative – Predicted Hard Drive Failure:

select SMS_R_System.Name, SMS_R_System.LastLogonUserName
from SMS_R_System
inner join SMS_G_System_DISK on SMS_G_System_DISK.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_DISK.Status = "Pred Fail" order by SMS_R_System.Name DESC


Preventative – Reboot Pending\Required

select SMS_R_SYSTEM.Name, SMS_R_System.LastLogonUserName from SMS_R_System AS SMS_R_System
inner join SMS_UpdateComplianceStatus as c on c.machineid=sms_r_system.resourceid
where c.LastEnforcementMessageID = 9

January 14, 2019

Patch your Stuff

May 15, 2017

I Passed my Azure Exams!

Last week I attended the Microsoft Tech Summit in Chicago.  It was a fantastic event that offered tons of free training sessions, free exam preparation, and free Azure exams.  On top of all that free stuff, the whole event was free.  All I really had to pay for was transportation, hotel, and dinner (since I was coming from St. Louis).  I can’t recommend strongly enough that you should go to one of these events if you’re an IT professional and one is anywhere near you.  Check out the details here: https://www.microsoft.com/en-us/techsummit

Luckily I studied my butt off, went to the extremely helpful exam prep sessions, and passed both 70-533 and 70-534 over the two days.  Those two exams netted me MCSE: Cloud Platform and Infrastructure, MCSA: Cloud Platform, Microsoft Specialist: Implementing Microsoft Azure Infrastructure Solutions, and Microsoft Specialist: Architecting Microsoft Azure Solutions.  That’s right, I snagged 4 certs by taking 2 completely free exams.  Winning.

Nowadays you get these fancy little badges too!

 

Seriously, if you’re near one of these events, go to it.  At minimum you will learn things that prove useful.  If you bite into the prep work, you can walk away with some free certifications.  Not to mention the schwag and friends you’ll make.

January 24, 2017

Turn on That Scary DC (aka handling an Orphan Domain Controller)

I just wanted to share this post from the “Ask Premier Field Engineering” blog: https://blogs.technet.microsoft.com/askpfeplat/2017/01/17/turn-on-that-scary-dc/

In the past I had clients with similar issues, but I’d removed the DC and done metadata cleanup as if it were a long lost irretrievable DC.  What if there was a need to get data off of the orphan domain controller?  I’d never run into that problem, but if you do, here’s a handy way to spin up a scary DC without blowing up AD.

January 18, 2017

KB3118374 Breaking SharePoint Online Calendar and Task Sync to Outlook

UPDATE – This issue is reportedly fixed with the January Office patches.  See https://support.microsoft.com/en-us/kb/3141473 for details.

Thanks to Janis for pointing this out!


After installation of KB3118374, users that have sync’d calendars and\or task lists from SharePoint Online to their local install of Outlook 2016 are experiencing authentication errors.  Symptoms are a popup that reads “The server you are trying to access is using an authentication protocol not supported by this version of Office.”

[Screenshot: brokencalendarsync]

Users will also notice Send/Receive errors in Outlook, where they will see the calendar and\or task list causing the errors listed.  If you don’t need the sync’d items, simply disconnect them from Outlook by right-clicking and choosing Delete (it won’t actually delete anything, just remove it from Outlook).

If you’re reading this, you already know that this is a huge pain in the ass if you have a lot of users syncing calendars and task lists.  Many users rely on accessing this info from Outlook as part of their usual workflows, and since this is a user-configurable feature, it is different for everyone with no simple universal fix (other than uninstalling the KB).

What is interesting is that this affects only the full, traditional installation of Office 2016, not Click-to-Run installations.

There is an ongoing discussion on this issue on TechNet.  It appears no official word has come from Microsoft, but users have uninstalled the KB in the meantime and can resume successful syncing.

If I see an update on the issue, I will update this post.

November 7, 2016

Windows 10 Deployment and Management Lab Kit

In case you missed it, Microsoft has released a really nice lab rollup that is pre-configured with tons of functionality.  The unsexily titled “Windows 10 Deployment and Management Lab Kit” is actually really cool, and will save you tons of time.

  • Want to test deploying Windows 10 with SCCM?  Included.
  • Want to test a BitLocker deployment?  Included.
  • Want to test App-V?  Included.
  • Want to test an upgrade from SCCM 1511 to 1606?  Included.

Plus there’s a whole slew of Test Lab Guides that can walk you through all sorts of deployments and testing of Windows 10, applications, apps, and features.

Check it out here: https://technet.microsoft.com/en-us/windows/mt604890.aspx  It is a 32gb download though, so get ready to feel like it’s 1999 and you’re waiting for Napster to finish your Weezer download…

Easier Way to Create a Windows 10 Assigned Access Web Browser App

Almost a year ago I made a post detailing the steps to create a Windows 10 Assigned Access Web Browser App for use in a kiosk computer scenario.  That post has remained the most popular one on my blog, and has yielded the most questions.  Well, I’m happy to say there’s now a much easier way to do it.

Microsoft’s Windows App Studio now lets you create Universal Windows apps without the need to really do anything at all with code!  You don’t need Visual Studio at all, unless you want to do your own customizations.

So how do you do it?

Step 1:

Go to the Windows App Studio site, log in with your Microsoft account, and click on New Project.  You have an option for “Hosted Web App” – click that.

[Screenshot: Windows 10 Assigned Access Web Browser App]

Step 2:

Feed it the URL of the site you want displayed, like so:

[Screenshot: Windows 10 Assigned Access Web Browser App]

Don’t be alarmed if the little preview on the right (not in the screenshot) doesn’t update, as it never would for me in testing this on a few different sites.  In the end, it works just fine.

Step 3 (optional):

This seems to be optional, and is certainly not necessary if only using the app for Assigned Access, but on the Tiles tab you can customize the tiles that your app would show in the Start Menu on machines where it is installed.  Note that in this simple template we don’t get the ability to create live tiles – bummer.  But again, for Assigned Access, we don’t care – the user will never see the tiles.

[Screenshot: Windows 10 Assigned Access Web Browser App]

You’re basically done, so you can go to the Settings tab, ignore the parts about publishing to the Store (again, not necessary if we’re just using Assigned Access), click on Finish, choose your screen layout, click Generate, and choose an installable package.  The machine you want to run this on will need the Windows App Studio Installer App in order to install your package (it’s free, don’t worry).  Once you install your package on the machine, set up Assigned Access as usual (see Steps 8 and 9 in my first post on this topic to see how I do it).

That’s it!  So much easier than dealing with installing Visual Studio and stumbling through code.

The Billable Life’s Very Own App

I jumped through all the hoops to make an app for this site, and get it published to the Store.  You can find it here, if you’d like.  The Store certification process took about 48 hours from submission to availability for download via the Store.  It was pretty painless, and I can see using this as a base app to expand upon with other features.

August 17, 2016

SCCM 1602 Upgrade – Easiest SCCM Yet

Just a followup to my last post.  I ran through the upgrade myself this morning without issue.  In fact, it was the easiest thing I think I’ve ever done with a System Center product.  Good job, Microsoft.  Total time was about 30 minutes for our basic two server implementation – your mileage may vary.

Instead of doing a screenshot-filled walkthrough, I’ll just send you over to the System Center Dudes blog where they’ve already made a great one.

The most obvious and immediately handy new feature is a visual online/offline status indicator for your devices.  You’ll also now be able to manage updates for O365 Click-to-Run installations of Office that are on your machines, which we weren’t able to do before.  To read about all of the new features, check out this post from the SCCM Team Blog.

Don’t put this off like I did for the last few weeks.  This is very easy.  Not only will your clients update themselves (if you choose to let them), but so will your management consoles.  See?  Easy.

April 4, 2016

SCCM 1602 Rolling Out!

The new quarterly update for SCCM is rolling out now – SCCM 1602!  I read this blog post from the SCCM team last week, but only today received this notification when opening my SCCM console:

[Screenshot: SCCM Update Notification]

After clicking OK, we can make our way over to the Administration > Cloud Services > Updates and Servicing node, where we see:

[Screenshot: SCCM Update Notification]

Right clicking the new update item gives you the ability to run a prerequisite check, or run the update, as shown below.

[Screenshot: SCCMUpdate3]

I haven’t yet done the install, but I will make a post about my experience once I do.

 

March 22, 2016

Local Administrator Password Solution (LAPS)

I had done a project to implement a local admin account password management system a few years ago, and just today stumbled across “Local Administrator Password Solution” aka LAPS – a free, officially supported Microsoft solution for managing local admin passwords within Active Directory.  You can download it from Microsoft here.  And here is a comprehensive writeup on some of the gotchas and tips for implementing LAPS.

Most IT departments have a common local admin account with a common password.  This makes the one-off administrative change on a machine convenient, but it is a HUGE security threat.  Not only can you not easily change the password on all your client PCs if someone that knows the password leaves the company, but hacker-types will target this type of account for brute force attacks (remember it’s a local account, so your AD password lockouts don’t apply).  Once that hacker has that password, they have the administrator password to as many client PCs as this account is on (probably all of them?).  ::shudder::

I hope to be doing this soon myself, and will make my own post once I do.

February 24, 2016