I recently had a small challenge around automating a task between multiple tenants in Azure. Read all the details on https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-azure-automation-with-multiple-tenants/ba-p/1282268
Just a quick share on how to work with command line output in powershell. I was working with an organization that is still running Windows 7 and they were implementing some applications that caused some concern about WMI performance. This post from the Microsoft Ask Performance Team details how to move the service into its own process. I wrote this powershell script to check the configuration of the service as in Configuration Manager Compliance Item.
If the return is 20 then the service is configured as a shared process. If the return is 10 then the service is configured as its own process. If the return is 30 then the OS does not have the issue.
I set my CI to be compliant if the value returned was 10 or 30. Armed with the compliance data we were able to target systems for remediation.
Eventually every Configuration Manager Admin will need to cleanup IIS logs. It might take years or months to get there but left unchecked the IIS logs just keep growing. For those unaware, IIS will create a log file for each day. Depending on how active your site is these logs are several KB to hundreds of MB in size, and there is no builtin mechanism to archive or clean them up. After helping automate this again, I though it was time to share my variation on how to clean up the file. I use a simple powershell script to remove any log files over 30 days old. This is generally sufficient for troubleshooting but feel free to adjust the time period to meet your needs.
To update the time period change -30 to the number of days that you want to preserve, on the line
$oldest = (get-date).AddDays(-30)
If you run this as a scheduled task the cleanup will happen automatically.
I know the blog has been silent for a bit but there have been a lot of things happening personally and professionally. The biggest being that I am now working as a Microsoft PFE for SCCM. I started on February 5th and it has been a fantastic 2 days. Hopefully all the future days continue to be the same. I am not sure how this will impact my blogging but I will continue it just may be part of the pfe blogs.
While I love the new pace of development for Configuration Manager there are times I wish the documentation was updated just as fast. It would make somethings much easier. For example I am just stating the first round of audits on Current Branch. No problem I think I did all that documentation at the start of the migration project. Welllll stuff happens;time passes; things change; all that was done for 1511; we are finishing the project on 1702 with 1706 upgrades in a couple of small environments. So of course the audit reports list several new objects that can have permissions applied and where they have been applied. Next thing you know my calendar fills up with meeting to explain everything. So to make this easier on me and you, I created a report to list the available permissions. You can download the report from https://gallery.technet.microsoft.com/ConfigMgr-Available-6aec8017?redir=0 or https://github.com/mrbodean/Technet/blob/master/SSRS/ConfigMgr%20Permissions/RBAC%20Available%20Permissions%20by%20Object%20Type.rdl
The “RBAC Available Permissions by Object Type” report will enumerate all the available Securable Object Types and list the permissions that can be set on each object type.
Permission Type Name = The Object Type Name as it appears in the SQL tables and views
Console Name = The name of the Permission Type as it appears in the Configuration Manager console. If this is blank there are two possible reasons. First it is an internal object that is not presented in the console. Second it is a new permission that needs to be mapped to a Console Name. At the point of the initial publication the objects have been mapped for 1702. Running the report on 1706 shows several new permissions that need to be mapped.
Operation = The friendly name of the permission
Bit Flag = This is the Bit Flag require to do the math to determine if the permission is present. While I will use this value on other reports it is presented here for those that want\need to check the values.
Because of the ever changing environment be sure that you test the report. If I made a mistake mapping a object to the console let me know via technet or twitter and I will update the report.