ConfigMgr
ConfigMgr / SCCM Scripts: Best Feature of ConfigMgr?
Topics: ConfigMgr
There is a long story behind why I think Run Scripts is my new favorite feature within Configuration Manager (SCCM / ConfigMgr / ConfigMgr). One day, I was troubleshooting a problem with a computer that’s located in another office from where I work. In order to go onsite, I needed to drive 20+ minutes there, spend another 5-minutes fixing the problem, and then drive another 20+ minutes back to my office. That seemed to be a waste of valuable time. Instead, using Remote Desktop (RDP) to log in and access the computer made more sense.
When I attempted to use RDP to access the computer, however, it was encountering an error, so I quickly determined that the problem was the firewall. It was blocking me from accessing the system. In order to overcome this problem, I used an ConfigMgr / SCCM Run Script to turn off the firewall, which then allowed me to use RDP. Below are the steps I took to turn off the firewall. Always remember, though, to put the firewall back on afterwards!
STOP!
When I first published this blog, I did in fact turn on the firewall to solve my problem. BUT it was quickly pointed out on Twitter by a friend that even though this solution works, there was a better way. Generally, ConfigMgr administrators like to forget to re-enable the firewall, which is a big no-no. The better way involves only opening the RDP ports.
I will keep the notes on how to disable the Firewall below, BUT I encourage you to use the updated RDP rules instead.
Turning On RDP Windows Firewall Rules Using ConfigMgr / SCCM PowerShell Scripts
I will provide two scripts, one to turn on RDP for just the Domain and a second to turn on RDP for all firewall profiles. Generally, you should only turn on RDP for a Domain, but in some cases you will want to turn it on for all profiles.
Domain Script
Set-ItemProperty -Path ‘HKLM:SystemCurrentControlSetControlTerminal Server’-name “fDenyTSConnections” -Value 0
Get-NetFirewallRule | Where {$_.Name -eq “Remote Desktop” -and $_.Profile -eq “Domain”} | Enable-NetFirewallRule
All Profiles Script
Set-ItemProperty -Path ‘HKLM:SystemCurrentControlSetControlTerminal Server’-name “fDenyTSConnections” -Value 0
Enable-NetFirewallRule -DisplayGroup “Remote Desktop”
Since this is an update to the original post, I’m not going to do new screenshots for the steps to add these scripts to ConfigMgr. They are the same steps as the turning off the firewall steps below.
Turn Off a Windows Firewall by Using ConfigMgr / SCCM PowerShell Scripts
A quick Google search revealed that the following PowerShell command turns off all firewalls on a Microsoft Windows computer, so I am going to use it in my script.
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
How to Create ConfigMgr / SCCM Scripts
In ConfigMgr / SCCM, deploy PowerShell script commands by starting in the ConfigMgr console, under Software Library, select the Scripts node and then click on Create Script from the ribbon.
Enter the ConfigMgr / SCCM script’s name. In my case, I called it, “Turn off Firewall.” Then in the script text box, I copied/pasted the PowerShell script I showed you earlier. Click Next.
Click Next.
Click Close.
Back in the console, you notice that the script needs to be approved before it can be used.
How to Approve ConfigMgr / SCCM Scripts
Note: By default, the person who created a script CANNOT approve their own script. Why? Most companies have change controls, so this helps with that, but it is a site setting option that can be changed. If you want to change this setting, check out the next section, “How to Change the Approval Settings.”
Below are the steps on how to approve ConfigMgr / SCCM scripts.
Right-click on the script and select Approve/Deny.
Review the script and click Next.
Select Approve and enter a comment before clicking on the Next button.
Confirm the details and click Next.
Click Close.
How to Change the Approval Settings
In the console, under Administration | Overview | Site Configuration | Sites, select Hierarchy Settings from the ribbon.
Unselect the Script authors require additional script approver check box and then click on the OK button.
How to Use a Run Script on a Device
Select the device that you are going to run a script on by right-clicking on it and then selecting Run Script.
Select the script and click Next.
Confirm the summary and click Next.
Wait for the script to run. Generally, it takes less than 30-seconds. Once the script is completed, click Close.
How to Run a Script on a Collection
This is where the Run Scripts feature is extremely powerful! You need to be careful here otherwise this can cause you problems.
Locate the collection that you want to run the script against. Right-click on the collection and select Run Script.
Select the script and click Next.
Review the summary, paying particular attention to the number of resources you are targeting! Then click Next.
If the computer is offline, the script attempts to run for 1-hour before timing out. Click Close after reviewing the results.
Remember that you can always see the results within the Script Status node on the Monitoring node in the console.
Official Run Scripts Documentation
The documentation is always being updated, so for the most up-to-date content, please review the official documentation.
Summary
Believe me when I tell you that it took me far less time to research, write, approve and deploy the run script to my problem computer (approx. 5 minutes) than it would have taken me to drive across town to our other office! Ultimately, the Run Scripts feature saved me about 35-minutes of travel time. It also meant that the end-user wasn’t interrupted, so no down-time, and their problem was resolved behind the scenes. Not to mention eliminating the commuting experience entirely!
Please remember that if you are running the same script as me, don’t forget to turn the firewall back on! One of the tricks that I use for this is a CI that detects if a firewall is off. See my blog post, How to Create a Compliance Setting to Detect If the Firewall Is Off, for help maximizing your server’s security.
Running ConfigMgr / SCCM scripts is simple and deployment is easy to learn. If you have any questions or want more SCCM script examples, please feel free to contact me @GarthMJ.
Additional ConfigMgr / SCCM Resources
Learn more about how to better use ConfigMgr / SCCM.
Overview
Inventory
Reporting
- How Can I Install Report Builder?
- How to Install a SCCM Reporting Services Point
- Dynamic Images to SSRS Report for SCCM
- Editing SCCM Reports with Report Builder
- Fixing the SCCM Reporting Services Point
Security/Permissions
Software
External Integration
