ConfigMgr

Configuration Manager Scripts: Best Feature of ConfigMgr?

Topics: ConfigMgr

There is a long story behind why I think Run Scripts is my new favorite feature within Microsoft Configuration Manager (ConfigMgr). One day, I was troubleshooting a problem with a computer that’s located in another office from where I work. In order to go onsite, I needed to drive 20+ minutes there, spend another 5-minutes fixing the problem, and then drive another 20+ minutes back to my office. That seemed to be a waste of valuable time. Instead, using Remote Desktop (RDP) to log in and access the computer made more sense.

When I attempted to use RDP to access the computer, however, it was encountering an error, so I quickly determined that the problem was the firewall. It was blocking me from accessing the system. In order to overcome this problem, I used an ConfigMgr Run Script to turn off the firewall, which then allowed me to use RDP. Below are the steps I took to turn off the firewall. Always remember, though, to put the firewall back on afterwards!

STOP!

When I first published this blog, I did in fact turn on the firewall to solve my problem. BUT it was quickly pointed out on Twitter by a friend that even though this solution works, there was a better way. Generally, ConfigMgr administrators like to forget to re-enable the firewall, which is a big no-no. The better way involves only opening the RDP ports.  

I will keep the notes on how to disable the Firewall below, BUT I encourage you to use the updated RDP rules instead.  

Turning On RDP Windows Firewall Rules Using ConfigMgr PowerShell Scripts 

I will provide two scripts, one to turn on RDP for just the Domain and a second to turn on RDP for all firewall profiles. Generally, you should only turn on RDP for a Domain, but in some cases you will want to turn it on for all profiles.  

Domain Script

Set-ItemProperty -Path ‘HKLM:SystemCurrentControlSetControlTerminal Server’-name “fDenyTSConnections” -Value 0 

Get-NetFirewallRule | Where {$_.Name -eq “Remote Desktop” -and $_.Profile -eq “Domain”} | Enable-NetFirewallRule  

All Profiles Script

Set-ItemProperty -Path ‘HKLM:SystemCurrentControlSetControlTerminal Server’-name “fDenyTSConnections” -Value 0 

Enable-NetFirewallRule -DisplayGroup “Remote Desktop”  

Since this is an update to the original post, I’m not going to do new screenshots for the steps to add these scripts to ConfigMgr. They are the same steps as the turning off the firewall steps below.  

Right Click Tools banner

Turn Off a Windows Firewall by Using ConfigMgr PowerShell Scripts

A quick Google search revealed that the following PowerShell command turns off all firewalls on a Microsoft Windows computer, so I am going to use it in my script.

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

How to Create ConfigMgr Scripts

Run Scripts - Create Script

In ConfigMgr, deploy PowerShell script commands by starting in the ConfigMgr console, under Software Library, select the Scripts node and then click on Create Script from the ribbon.

Run Scripts - Specify Script Details

Enter the ConfigMgr script’s name. In my case, I called it, “Turn off Firewall.” Then in the script text box, I copied/pasted the PowerShell script I showed you earlier. Click Next.

Run Scripts - Script Details - Summary Node

Click Next.

Run Scripts - Script Details - Completion Node

Click Close.

Run Scripts - Select Script

Back in the console, you notice that the script needs to be approved before it can be used.

How to Approve ConfigMgr Scripts

Note: By default, the person who created a script CANNOT approve their own script. Why? Most companies have change controls, so this helps with that, but it is a site setting option that can be changed. If you want to change this setting, check out the next section, “How to Change the Approval Settings.”

Below are the steps on how to approve ConfigMgr scripts.

Run Scripts - Approve-Deny

Right-click on the script and select Approve/Deny.

Run Scripts - Approve or Deny - Script Details

Review the script and click Next.

Run Scripts - Approve

Select Approve and enter a comment before clicking on the Next button.

Run Scripts - Approve or Deny - Summary Node

Confirm the details and click Next.

Run Scripts - Approve or Deny - Completion Node

Click Close.

How to Change the Approval Settings

Run Scripts - Hierarchy Settings

In the console, under Administration | Overview | Site Configuration | Sites, select Hierarchy Settings from the ribbon.

Run Scripts - Hierarchy Settings Properties

Unselect the Script authors require additional script approver check box and then click on the OK button.

How to Use a Run Script on a Device

Run Scripts - Run Script

Select the device that you are going to run a script on by right-clicking on it and then selecting Run Script.

Run Scripts - Select Script

Select the script and click Next.

Run Scripts - Run Script - Summary Node

Confirm the summary and click Next.

Run Scripts - Script Status

Wait for the script to run. Generally, it takes less than 30-seconds. Once the script is completed, click Close.

How to Run a Script on a Collection

This is where the Run Scripts feature is extremely powerful! You need to be careful here otherwise this can cause you problems.

Run Scripts - Collection - Run Script

Locate the collection that you want to run the script against. Right-click on the collection and select Run Script.

Run Scripts - Collection - Select Script

Select the script and click Next.

Run Scripts - Collection - Summary Node

Review the summary, paying particular attention to the number of resources you are targeting! Then click Next.

Run Scripts - Collection - Script Status

If the computer is offline, the script attempts to run for 1-hour before timing out. Click Close after reviewing the results.

Remember that you can always see the results within the Script Status node on the Monitoring node in the console.

Official Run Scripts Documentation

The documentation is always being updated, so for the most up-to-date content, please review the official documentation.

Summary

Believe me when I tell you that it took me far less time to research, write, approve and deploy the run script to my problem computer (approx. 5 minutes) than it would have taken me to drive across town to our other office! Ultimately, the Run Scripts feature saved me about 35-minutes of travel time. It also meant that the end-user wasn’t interrupted, so no down-time, and their problem was resolved behind the scenes. Not to mention eliminating the commuting experience entirely!

Please remember that if you are running the same script as me, don’t forget to turn the firewall back on! One of the tricks that I use for this is a CI that detects if a firewall is off. See my blog post, How to Create a Compliance Setting to Detect If the Firewall Is Off, for help maximizing your server’s security.

Running ConfigMgr scripts is simple and deployment is easy to learn. If you have any questions or want more SCCM script examples, please feel free to contact me @GarthMJ.


Additional ConfigMgr Resources

Learn more about how to better use ConfigMgr.

Overview

Inventory 

Reporting 

Security/Permissions 

Software 

External Integration 

Back to Top