Thursday, October 13, 2011

Using SCCM client center functionality to import local policy

Tired of waiting for collection evaluation and policy updates when advertising programs in SCCM? There is a function in SCCM Client Center that imports local machine policies, but it requires an elevated user to run the program and there is no batch functionality.

By referencing smsclictr.automation.dll, this functionality can be reused to build workflow activities or batch programs that call the same logic SCCM Client Center uses. Example code:


    // Requires a reference to smsclictr.automation.dll and these namespaces
    // (the last one is assumed to match the assembly name):
    // using System; using System.Data.SqlClient; using smsclictr.automation;
    // computerName and advertisementID are supplied by the calling code.
    SMSClient client = new SMSClient(computerName);
    client.Connection.Connect();
    if (client.Connection.mScope.IsConnected)
    {
        // Connect to the client's management point SQL server
        SqlConnectionStringBuilder sqlConnectionBuilder = new SqlConnectionStringBuilder("Integrated Security=True");
        sqlConnectionBuilder.DataSource = client.ManagementPoint;
        sqlConnectionBuilder.InitialCatalog = "SMS_" + client.SiteCode;

        SqlConnection sqlConnection = new SqlConnection(sqlConnectionBuilder.ToString());
        try
        {
            sqlConnection.Open();
            SqlCommand command = new SqlCommand();
            // Bind the advertisement ID as a parameter instead of concatenating it into the SQL text
            command.CommandText = "SELECT PolicyID, Body FROM Policy WHERE (PolicyID LIKE @pattern) ORDER BY PolicyID";
            command.Parameters.AddWithValue("@pattern", "%" + advertisementID + "%");
            command.Connection = sqlConnection;

            SqlDataReader dataReader = command.ExecuteReader();
            while (dataReader.Read())
            {
                byte[] policyBody = dataReader[1] as byte[];
                client.SoftwareDistribution.ImportSCCMPolicy(policyBody, false);
                Logging.Log("Policy imported on computer '" + computerName + "' (AdvertisementID: " + advertisementID + ")", System.Diagnostics.EventLogEntryType.Information);
                break; // only the first matching policy is imported
            }
        }
        catch (Exception ex)
        {
            Logging.Log("Failed to get policy from SQL for advertisement '" + advertisementID + "'. Error: " + ex.ToString(), System.Diagnostics.EventLogEntryType.Error);
        }
        finally
        {
            // Close the connection even when the query or the import fails
            sqlConnection.Close();
        }
    }
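
Added example (not from the original post or the Client Center project): when the import logic is wrapped in a workflow activity or batch program, the advertisement ID arrives as external input, so this helper validates its format and binds it as a SQL parameter before the Policy query is built. The class and method names are hypothetical; the ID format (3-character site code plus 5 hexadecimal digits) and the NVarChar parameter type are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

static class PolicyQuery
{
    // Assumption: an advertisement ID is a 3-character site code followed by
    // 5 hexadecimal digits, e.g. "S0120003" (constructed value).
    static readonly Regex IdPattern = new Regex(@"\A[A-Za-z0-9]{3}[0-9A-Fa-f]{5}\z");

    public static bool IsValidAdvertisementId(string id)
    {
        return id != null && IdPattern.IsMatch(id);
    }

    // Neutralise T-SQL LIKE metacharacters so a value can only match literally.
    public static string EscapeLike(string value)
    {
        return value.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Builds the policy lookup with the ID bound as a parameter, never as SQL text.
    public static SqlCommand BuildPolicyCommand(SqlConnection connection, string advertisementId)
    {
        if (!IsValidAdvertisementId(advertisementId))
            throw new ArgumentException("Unexpected advertisement ID format", "advertisementId");

        SqlCommand command = new SqlCommand(
            "SELECT PolicyID, Body FROM Policy WHERE PolicyID LIKE @pattern ORDER BY PolicyID",
            connection);
        command.Parameters.Add("@pattern", SqlDbType.NVarChar, 64).Value =
            "%" + EscapeLike(advertisementId) + "%";
        return command;
    }

    static void Main()
    {
        // Constructed inputs: a well-formed ID and a malformed value with LIKE/quote characters.
        foreach (string id in new[] { "S0120003", "S01%' --" })
            Console.WriteLine("{0,-10} valid={1} escaped={2}", id, IsValidAdvertisementId(id), EscapeLike(id));

        // The connection is never opened; the command is only built and inspected.
        using (SqlConnection connection = new SqlConnection())
        using (SqlCommand command = BuildPolicyCommand(connection, "S0120003"))
            Console.WriteLine("{0} -> {1}", command.CommandText, command.Parameters["@pattern"].Value);
    }
}
```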

Thursday, August 11, 2011

Disable XP security warning (to avoid hanging SCCM advertisement)

When running an install program, the XP security warning sometimes blocks the advertisement from running. The dialog box should only pop up for applications started from an "untrusted" source, and adding the path as trusted in IE should disable that check.

For some reason, this does not always make a difference. The popup blocks the program and the advertisement will eventually time out and fail.

To avoid this, the security check can be disabled before running the program and re-enabled when it's done by calling the setup from a VBScript. The script sets SEE_MASK_NOZONECHECKS in its own process environment, so the check is disabled only for the script and the setup it launches. In the script below the exit code from the program is parsed to translate the vendor's "reboot needed" exit code to 3010, which is the code SCCM uses to wait for reboot.



    Option Explicit
    Dim oFSO, oWsh, oEnv
    Set oWsh = CreateObject("Wscript.Shell")
    Set oFSO = CreateObject("Scripting.FileSystemObject")
    'Process-scoped environment: changes affect only this script and its child processes
    Set oEnv = oWsh.Environment("Process")

    Dim sProgram
    sProgram = GetPath(Wscript.ScriptFullName) & "\Setup.exe"

    If oFSO.FileExists(sProgram) Then
        'Disable the security warning when starting the program
        oEnv("SEE_MASK_NOZONECHECKS") = 1
        Dim sCmd
        sCmd = """" & sProgram & """ -s -overwrite"
        'Run the script with cscript.exe; under wscript.exe Echo opens a dialog box
        Wscript.Echo sCmd
        Dim iRet, iErr
        On Error Resume Next
        iRet = oWsh.Run(sCmd, 0, True)
        'Save the launch error, then restore normal error handling (On Error GoTo 0 clears Err)
        iErr = Err.Number
        On Error GoTo 0
        'Enable security warnings
        oEnv.Remove("SEE_MASK_NOZONECHECKS")

        If iErr <> 0 Then
            'Setup could not be started: return the error number instead of an empty exit code
            Wscript.Quit iErr
        End If
        If iRet = 14 Then
            'Vendor code for "reboot needed" becomes the code SCCM waits for
            Wscript.Quit 3010
        End If
        Wscript.Quit iRet
    Else
        Wscript.Quit 1
    End If

    '*********************************************************
    ' Purpose: Return Path for filename
    ' Inputs: FullFileName
    ' Returns: PathName
    '*********************************************************
    Function GetPath(FileName)
        Dim iPos

        iPos = InStrRev(FileName, "\")
        If iPos > 0 Then
            GetPath = Mid(FileName, 1, iPos - 1)
        Else
            GetPath = FileName
        End If
    End Function

Sunday, June 26, 2011

Automated self-service and identity repository


Many companies put a lot of effort into managing their identity repository, which is supposed to represent the current user and organizational information. Keeping the identity repository up to date is often time-consuming and hard work since organizations are constantly transforming. New employees are introduced, existing employees move between business units and some quit. Moreover, the organizational structure transforms in the same way, adding yet another dimension of complexity.

Some companies have succeeded in managing this type of identity repository to a desirable degree. Some may even have succeeded in doing this with a technical, automated solution that doesn't even require people behind the controls. If you are not part of one of these organizations, I hope that this post will bring a new perspective to the situation and help you on your path towards a fully automated and managed identity repository.

Now, the identity repository is merely one of the two key components in this post. The other is self-service. I won't preach about self-service in itself (I'll do that later) but rather bring it up in relation to the identity repository. A self-service solution is often built on top of, and dependent on, a more or less existing architecture of which the identity repository is one part. When introducing self-service, some may have the perception that the identity repository has to be complete in order to succeed. That is a perception that I don't share and would like to put in a different light. The reason is my belief in the synergy between these two rather complex parts, in which the self-service solution could contribute to bringing the identity repository closer to a complete state.

Standardize the input controls in the self-service solution, require user input and validate the data as much as possible. Then use the information to fill the gaps in the identity repository and let it apply until there is a more reliable way of retrieving information with higher quality.

By letting the user repository be updated in parallel with the introduction of an automated self-service solution, you will:
1. Get started with the self-service solution independently of the quality of the identity repository, giving the employees the possibility to gain from the benefits of the self-service solution.
2. Get your identity repository updated and closer to a complete state until a better way of doing this exists.

The degree of options for the employees and the validation of input, of course, determine the quality of the information brought in from the employee.

Whether you are an employee of one of the companies that have a complete identity repository or you're fighting problems on your way there, I think that you possess a great deal of experience and knowledge on this topic. In that case I welcome your feedback and encourage you to stay tuned and keep in touch to discuss this topic further.