SCCM Script: Fix Software Update Store

Overview

I developed this tool, Fix-DGMSCCMUpdateStore.ps1, to assist in fixing Windows UpdateStore Corruption (Datastore.edb) on SCCM Client Computers. On the SCCM client machine, the Windows UpdateStore Datastore.edb in Windows\Software Distribution\.. contains scan results. Over time, this may become corrupted which can stop updating from occurring on the client machine. Additionally, an error might be seen on the client application log reporting wuaueng.dll (1668) SUS20ClientDataStore: Database C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb requires logfiles xx-yy in order to recover successfully.

Fix-DGMSCCMUpdateStore Tool

The tool ill automatically attempt to fix the Windows Update Store on an array of SCCM client computers imported via a .CSV file. When run, the tool will perform the following tasks on each computer within the .CSV:

Stop the Windows Update Service
Move SoftwareDistribution to a backup location
Start Windows Update Service
Recreate SoftwareDistribution

The tool requires the –csvfile argument, which is the path to a .CSV file containing one column, Hostname, with the hostnames listed in the column and can be run as in the example below.

Fix-DGMSCCMUpdateStore Log File

The utility will create a log file that is compatible with the CMTrace tool, which includes the thread, time, state and component for each process.


PowerShell Script: Fix-DGMSCCMUpdateStore.ps1
<#
.Synopsis
   Fix the Windows UpdateStore on an array of SCCM clients.
.DESCRIPTION
   The Windows UpdateStore Datastore.edb in Windows\Software Distribution\.. contains scan results. This may become corrupted. This tool will fix it on an array of computers imported.
.EXAMPLE
   Fix-DMGSCCMUpdateStore -CSVFile .\Fix-DMGSCCMUpdateStore-Import.csv

#>

function New-DGMLogFile
{
  param (
  [Parameter(Mandatory=$true)]
  $message,
  [Parameter(Mandatory=$true)]
  $component,
  [Parameter(Mandatory=$true)]
  $type )

  switch ($type)
  {
    1 { $type = "Info" }
    2 { $type = "Warning" }
    3 { $type = "Error" }
    4 { $type = "Verbose" }
  }

  if (($type -eq "Verbose") -and ($Global:Verbose))
  {
    $toLog = "{0} `$$<{1}><{2} {3}>" -f ($type + ":" + $message), ($Global:ScriptName + ":" + $component), (Get-Date -Format "MM-dd-yyyy"), (Get-Date -Format "HH:mm:ss.ffffff"), $pid
    $toLog | Out-File -Append -Encoding UTF8 -FilePath ("filesystem::{0}" -f $Global:LogFile)
    Write-Host $message
  }
  elseif ($type -ne "Verbose")
  {
    $toLog = "{0} `$$<{1}><{2} {3}>" -f ($type + ":" + $message), ($Global:ScriptName + ":" + $component), (Get-Date -Format "MM-dd-yyyy"), (Get-Date -Format "HH:mm:ss.ffffff"), $pid
    $toLog | Out-File -Append -Encoding UTF8 -FilePath ("filesystem::{0}" -f $Global:LogFile)
    if ($type -eq 'Info') { Write-Host $message }
    if ($type -eq 'Warning') { Write-Host $message -ForegroundColor Yellow}
    if ($type -eq 'Error') { Write-Host $message -ForegroundColor Red}
    

  }
  if (($type -eq 'Warning') -and ($Global:ScriptStatus -ne 'Error')) { $Global:ScriptStatus = $type }
  if ($type -eq 'Error') { $Global:ScriptStatus = $type }

  if ((Get-Item $Global:LogFile).Length/1KB -gt $Global:MaxLogSizeInKB)
  {
    $log = $Global:LogFile
    Remove-Item ($log.Replace(".log", ".lo_"))
    Rename-Item $Global:LogFile ($log.Replace(".log", ".lo_")) -Force
  }
} 

function GetScriptDirectory
{
  $invocation = (Get-Variable MyInvocation -Scope 1).Value
  Split-Path $invocation.MyCommand.Path
} 

function Fix-DMGSCCMUpdateStore
{
    [CmdletBinding()]
    [Alias()]
    [OutputType([int])]
    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0,
                   ParameterSetName='Parameter Set 1')]
                   [ValidateScript({(Test-Path $_)})]
                   $CSVFile,
        # Param2 help description
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0,
                   ParameterSetName='Parameter Set 2')]
                   [ValidateScript({(Get-ADComputer -Identity $_).objectclass -eq 'computer' })]
                   [String]$Hostname
    )

    Begin
    {
        
        if ($CSVFile -ne $null){
            Write-Host Importing $CSVFile...
            $csv = import-csv "$CSVFile"
        }else{
            $csv = [PSCustomObject]@{
                Hostname = $Hostname}
        }
        $service1 = "wuauserv"
        $service2 = "bits"
        Write-Host =========================================
        Write-Host SCCM Fix Windows Update Store by dmaiolo
        Write-Host =========================================
        Write-Host "v0.2 (2017-12-11)"
        New-DGMLogFile -message ("Starting Logging for Fix-DMGSCCMUpdateStore") -component "Main()" -type 1 
    }
    Process
    {
        $computers = @();
        
        $csv | foreach-object {
            $h = $_.Hostname
            
            
            #Test if machine is online
            if(Test-Connection -ComputerName $h -count 2 -quiet){
                Write-Host "Online: $h" -ForegroundColor Green

                #Stop Windows Update service
                try{
                    (get-service -ComputerName $h -Name $service1 -ErrorAction Stop).Stop()
                    New-DGMLogFile -message ("Stopped $service1 service on $h.") -component "Main()" -type 1
                }
                catch{
                    New-DGMLogFile -message ("Could NOT Stop $service1 service on $h.") -component "Main()" -type 3
                }
                
                #Sleep 10 seconds to give service enough time to react
                Write-Host "Sleeping 5 Seconds..."
                Start-Sleep -s 5

                #Stop BITS service
                try{
                    (get-service -ComputerName $h -Name $service2 -ErrorAction Stop).Stop()
                    New-DGMLogFile -message ("Stopped $service2 service on $h.") -component "Main()" -type 1
                }
                catch{
                    New-DGMLogFile -message ("Could NOT Stop $service2 service on $h.") -component "Main()" -type 3
                }
                #Sleep 5 seconds to give service enough time to react
                Write-Host "Sleeping 5 Seconds..."
                Start-Sleep -s 5

                #Rename the software update store
                
                $sourcepath = "\\$($h)\c$\Windows\SoftwareDistribution"
                $destinationpath = "\\$($h)\c$\Windows\SoftwareDistribution_$(Get-Date -Format dd-MM-yyyy)"
                $destinationpath2 = "\\$($h)\c$\Windows\SoftwareDistribution_$(Get-Date -Format dd-MM-yyyy)"

                #Appending destination path if script already run today
                if (Test-Path $destinationpath){
                    $n=0
                    while ((Test-Path $destinationpath2) -eq $true){  
                        New-DGMLogFile -message ("Backup location $destinationpath2 already exists.") -component "Main()" -type 1
                        ++$n
                        $destinationpath2 = $destinationpath + "-" + $n
                    }
                    $destinationpath = $destinationpath2
                    
                }

                Write-Host "Renaming $sourcepath..."
                try{
                    Move-Item -Path $sourcepath -Destination $destinationpath -Force
                    New-DGMLogFile -message ("Renamed SoftwareDistribution to $destinationpath.") -component "Main()" -type 1
                }
                catch{
                    New-DGMLogFile -message ("Could NOT Rename SoftwareDistribution to $destinationpath.") -component "Main()" -type 3
                }
                
                #Start the Windows Update service
                try{
                    (get-service -ComputerName $h -Name $service1 -ErrorAction Stop).Start()
                    New-DGMLogFile -message ("Started $service1 service on $h.") -component "Main()" -type 1
                }
                catch{
                    New-DGMLogFile -message ("Could NOT Start $service1 service on $h.") -component "Main()" -type 3
                }

                #Start the BITS service
                try{
                    (get-service -ComputerName $h -Name $service2 -ErrorAction Stop).Start()
                    New-DGMLogFile -message ("Started $service2 service on $h.") -component "Main()" -type 1
                }
                catch{
                    New-DGMLogFile -message ("Could NOT Start $service2 service on $h.") -component "Main()" -type 3
                }

                #Give the services 5 seconds to wake up and create new folders
                Start-Sleep -s 5

                #Verify new folder was created
                Write-Host "Checking new folder recreation..."
                if(Test-Path("\\$($h)\c$\Windows\SoftwareDistribution")){
                    New-DGMLogFile -message ("\\$($h)\c$\Windows\SoftwareDistribution was recreated.") -component "Main()" -type 1
                }
                else{
                    New-DGMLogFile -message ("\\$($h)\c$\Windows\SoftwareDistribution could NOT be recreated.") -component "Main()" -type 3
                }

            }
            else{
                #Machine is offline
                New-DGMLogFile -message ("Offline: $h.") -component "Main()" -type 2
            }

        }
    }
    End
    {
       Write-Host ===============================================================
       Write-Host Log File of Results Generated at $path\Fix-DMGSCCMUpdateStore_$(Get-Date -Format dd-MM-yyyy).log VIEW WITH CMTRACE.EXE
       New-DGMLogFile -message ("Ending Logging for Fix-DMGSCCMUpdateStore") -component "Main()" -type 1
    }
}

$VerboseLogging = "true"
[bool]$Global:Verbose = [System.Convert]::ToBoolean($VerboseLogging)
$Global:LogFile = Join-Path (GetScriptDirectory) "Fix-DMGSCCMUpdateStore_$(Get-Date -Format dd-MM-yyyy).log"
$Global:MaxLogSizeInKB = 10240
$Global:ScriptName = 'Fix-DMGSCCMUpdateStore.ps1' 
$Global:ScriptStatus = 'Success'

February 5, 2018/0 Comments/by David Maiolo

Legacy, Legacy Tools, MECM

Windows Management Framework 5.1 Deployment

Overview

This upgrade strategy will allow you to update your Server environment to the version of Windows Management 5.1 via SCCM. Use this recommended project management guide to help build your deployment workflow. I used this method to upgrade a 400+ server environment which completed smoothly.

Purpose

The purpose of this Deployment Strategy and Plan article is to help you define a deployment strategy and plan for a Windows Management Framework 5.1 upgrade. This article is comprised of two sections: the Deployment Strategy and the Deployment Plan. The Deployment Strategy section is used to formulate a deployment approach for Windows Management Framework 5.1. The Deployment Plan section contains recommended schedule, resource, technical, and support information necessary for successful deployment of Windows Management Framework 5.1.

About Windows Management Framework

Windows Management Framework (WMF) is the delivery mechanism that provides a management interface across the various versions of Windows and Windows Server. With the installation of WMF 5.1, increases security and feature sets will become available to our servers.

Components For Upgrade

The following components should be scheduled for upgrade during this project to version 5.1. This WMF installation adds and/or updates the following features:

Windows PowerShell
Windows PowerShell Desired State Configuration (DSC)
Windows PowerShell Integrated Script Environment (ISE)
Windows Remote Management (WinRM)
Windows Management Instrumentation (WMI)
Windows PowerShell Web Services (Management OData IIS Extension)
Software Inventory Logging (SIL)
Server Manager CIM Provider

Deployment Strategy

The Deployment Strategy section of this article provides an overview of the deployment strategy planned for Windows Management Framework 5.1. Included in the deployment strategy is recommended timeline information, a description of the deployment approach, and associated benefits, assumptions and risks.

Deployment Overview

Phases	Sites	Computers	Scheduled Dates
PRE-PILOT	Select Servers	15	October 2, 2017 – October 24, 2017
PILOT	Pilot Server Group	106	January 16, 2018 – January 31, 2018
PRODUCTION	Production Server Group	258	February 6, 2018 – February 28, 2018

Total Servers Targeted: 364

Exclusions to Upgrade

38 systems will not be targeted for the upgrade for various reasons. The exclusions include:

Exchange 2010 Mailbox Servers / CAS/HUB Servers (MBX) (CAS)
SharePoint 2007, 2010 and 2013 Servers (SPS)
Proxy and Application Servers (SAS)
SCCM Servers (SCM)
VMM Cluster Node, Library and Failover Name Account Servers (VMM)
Lync Servers (LNC)
Operations Manager 2016 Servers (OPS)

Deployment Phases

The Deployment Dates referenced below are the date Windows Management Framework 5.1 would attempt to begin installation on the selected servers in your environment. This does not indicate the completion date for this phase, which could take an additional 2 weeks.

Pilot Phase

Sub Phases	Sites	Computers	Deployment Date
Server 2008 R2	Pilot Server Group	23	January 16, 2018
Server 2012	Pilot Server Group	12	January 16, 2018
Server 2012 R2	Pilot Server Group	71	January 16, 2018
		106

Production Phase

Sub Phases	Sites	Computers	Deployment Date
Server 2008 R2	Production Server Group	45	February 6, 2018
Server 2012	Production Server Group	188	February 6, 2018
Server 2012 R2	Production Server Group	25	February 6, 2018
		258

Deployment Plan

Deployment Approach

System Center Configuration Manager (SCCM) will be used to deploy Windows Management Framework 5.1. When each phase is approached, the servers will be instructed to execute the installation in Parallel, within their maintenance window.

Because WMF 5.1 has specific installation requirements based on the Operating System, both the PILOT and PRODUCTION phase can be broken into the 2008 R2, 2012 and 2012 R2 sub phases. This is simply used for application targeting and reporting purposes, and as we can see earlier, does not require a shift in deployment date for the parent phase.

Assumptions and Risks

Assumptions

The servers targeted for deployment are assumed to be left on and connected to your corporate network during their maintenance windows. Additionally it is expected that a reboot will likely occur after the installation, during the maintenance window.

Risks

JEA endpoints and session configurations configured to use virtual accounts in WMF 5.0 will not be configured to use a virtual account after upgrading to WMF 5.1. This means that commands run in JEA sessions will run under the connecting user’s identity instead of a temporary administrator account, potentially preventing the user from running commands which require elevated privileges. To restore the virtual accounts, we would need to unregister and re-register any session configurations that use virtual accounts.

This is unlikely to be an issue in your environment.

Pilot Deployment Statistics

A sample pilot phase might be completed successfully with results broken down in the following phases

PILOT Server 2008 R2

PILOT Server 2012

PILOT Server 2012 R2

Benefits to Upgrade

PowerShell Editions

Starting with version 5.1, PowerShell is available in different editions which denote varying feature sets and platform compatibility.

Catalog Cmdlets

Two new cmdlets have been added in the Microsoft.PowerShell.Security module; these generate and validate Windows catalog files.

New-FileCatalog
Test0FileCatalog

Module Analysis Cache

Starting with WMF 5.1, PowerShell provides control over the file that is used to cache data about a module, such as the commands it exports.

Specifying module version

In WMF 5.1, using module behaves the same way as other module-related constructions in PowerShell. Previously, you had no way to specify a particular module version; if there were multiple versions present, this resulted in an error.

Engagement and Promotion Strategy

During each deployment phase, you can send an email to communicate the associated deployment phase. Members in your team may choose to notify specific application owners if they feel the need.

Testing Methods and Monitoring

The Windows Management Framework 5.1 deployment should be passed through a pre-pilot and pilot phase, where hopefully no issues would be observed. In the event an issue is determined, a rollback to the previous version can be deployed through the uninstall command on the application.

Monitoring The Deployment

Basic Monitoring

Central monitoring of the Windows Management Framework 5.1 rollout can be viewed from your computer by visiting your SCCM report server and searching for the report ‘All application deployments (basic)’.

Choose By: Application

Select Application Based on OS (Collection):

WMF 5.1 (For Windows Server 2008 R2)
WMF 5.1 (For Windows Server 2012)
WMF 5.1 (For Windows Server 2012 R2)

Select Collection (Application): All

The application metrics will be divided into the respective phases:

Clicking the “View Current” data for the phase will allow you to further drill down, even to the computer and user level if necessary:

The monitoring works by determining the following registry value was created:

Server 2008 R2 and Server 2012 WMF 5.1 Detection

Key: HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine

Value: PowerShellVersion [String]

Rule: Must begin with “5.1”

2012 R2 WMF 5.1 Detection

Key: HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine

Value: PowerShellVersion [String]

Rule: Must begin with “5.1”

Key: HKLM\SOFTWARE\Microsoft\PowerShell\4\PowerShellEngine

Value: PowerShellVersion [String]

Rule: Must begin with “5.1”

Key: HKLM\SOFTWARE\Microsoft\PowerShell\5\PowerShellEngine

Value: PowerShellVersion [String]

Rule: Must begin with “5.1”

Advanced Monitoring

To assure a technician or technical contact has as much data as possible to troubleshoot Windows Management Framework 5.1 deployment issues, compliance items and baselines were written which assess Windows PowerShell versioning directly in a baseline. To see the advanced monitoring that this baselines provide, again go to your SCCM report server and search for the report: Compliance 1.2 – Compliance Details for all CIs of a specific Baseline (report available through a special Microsoft PFE program).

Configuration Baselines Name: CB.Powershell.Version.5

Clicking ‘View Report’ will allow you to drill down and see each compliance item and reason for failure.

There are similar baselines to track all of the versions prior to the upgrade:

CB.Powershell.Version.4
CB.Powershell.Version.3
CB.Powershell.Version.2

Reference Documents

Include Your Reference Documents Here

February 5, 2018/0 Comments/by David Maiolo

Legacy, MECM

SCCM Overview

Overview

I created this article to provide an overview of some of the most popular SCCM current, and upcoming components.

SCCM Sites and Scaling

The key driver of the type and count of sites that you use in a hierarchy is usually the number and type of devices you must support. “500 users is not enough numbers to justify a secondary site. The key decision factor is the amount of users involved.”

Stand-alone primary site

This topology is successful when your different geographic locations can be successfully served by this single primary site. To help manage network traffic, you use preferred management points and a carefully planned content infrastructure.

SQL Server is required.
Additional primary sites provide support for a higher number of clients.
Cannot be tiered below other primary sites.
Participates in database replication.

Scope of Standalone Site

Supports up to 250 distribution points.
Supports up to 15 management points
175,000 total clients and devices, not to exceed:
- 150,000 desktops (computers that run Windows, Linux, and UNIX)
- 25,000 devices that run Mac and Windows CE 7.0
- One of the following, depending on how your deployment supports mobile device management:
  - 50,000 devices that you manage by using on-premises MDM
  - 150,000 cloud-based devices

Central administration site with one or more child primary sites

The recommended location for all administration and reporting for the hierarchy. You would move to this topology if you require more than one primary site to support management of all your devices and users. It’s required when you need to use more than a single primary site.

SQL Server is required.
Does not process client data.
Does not support client assignment.
Not all site system roles are available.
Participates in database replication.

Scope of Central Administration Site

Supports up to 25 child primary sites
700,000 desktops (computers that run Windows, Linux, and UNIX)
25,000 devices that run Mac and Windows CE 7.0
One of the following, depending on how your deployment supports mobile device management (MDM):
- 100,000 devices that you manage by using on-premises MDM
- 300,000 cloud-based devices

Scope of Child Primary Site

Supports up to 250 secondary sites
Supports up to 250 distribution points.
Supports up to 15 management points
150,000 total clients and devices

Secondary Site

Manages clients in remote locations where network bandwidth control is required.

SQL Server Express or a full instance of SQL Server is required. If neither is installed when the site is installed, SQL Server Express is automatically installed.
A management point and distribution point are automatically deployed when the site is installed.
Secondary sites must be direct child sites below a primary site, but can be configured to send content to other secondary sites.
Participates in database replication.

Scope of Secondary sites

Don’t support child sites.
Supports 1 management point
15,000 desktops (computers that run Windows, Linux, and UNIX)

Other Roles and Scaling

Application Catalog web service point: 50,000 per installed instance (can install more than one)
Distribution Point: Connections from up to 4,000 clients. (250 DPs can be installed at each primary site). Supports a combined total of up to 10,000 packages and applications.
Fallback status point: Support up to 100,000 clients
Software Update Point: can support up to 25,000 clients
Management points: 25,000 total clients and devices

SCCM Site System Roles

SCCM uses site system roles to support operations at each site. Servers that host the Configuration Manager site are named site servers, and computers that host the other site system roles are named site system servers. The site server is also a site system server. Although we have only one site, AS1, the principal is the same.

For example, your site server could be SITESERV005PRD and a site system server would be a distribution point such as DIST002DT02.

Site Communication

Site system servers within the same site communicate with each other by using server message block (SMB), HTTP, or HTTPS, depending on the site configuration selections that you make. Because these communications are unmanaged and can occur at any time without network bandwidth control, it is important that you review your available network bandwidth before you install site system servers and configure the site system roles.

Default Site System Roles

These roles are installed automatically on the site system.

Configuration Manager site server: Automatically installed on the server from which you run setup when you install a central administration site or primary site
Configuration Manager site system: Assigned during site installation or when you add an optional site system role to another server.
Configuration Manager component site system role: Required to support other roles, such as a management point.
Configuration Manager site database server: Runs a supported version of Microsoft SQL Server
SMS Provider: Interface between the console and the site database

Optional Site System Roles

Application Catalog web service point: provides software information to the Application Catalog website from the Software Library.
Application Catalog website point: provides users with a list of available software from the Application Catalog.
Asset Intelligence synchronization point: connects to Microsoft to download Asset Intelligence catalog information. Can only be installed on the central administration site or a stand-alone primary site
Certificate registration point: Communicates with a server that runs the Network Device Enrollment Service to manage device certificate requests that use the Simple Certificate Enrollment Protocol (SCEP).
Distribution point: Contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images. You can control content distribution by using bandwidth, throttling, and scheduling options.
Fallback status point: Helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point.
Management point*: Provides policy and service location information to clients and receives configuration data from clients.
Endpoint Protection point: Accept the Endpoint Protection license terms and to configure the default membership for Microsoft Active Protection Service.
Enrollment point: Uses PKI certificates for Configuration Manager to enroll mobile devices and Mac computers, and to provision Intel AMT-based computers
Enrollment proxy point: Manages Configuration Manager enrollment requests from mobile devices and Mac computers.
Out of band service point: Provisions and configures Intel AMT-based computers
Reporting services point: Integrates with SQL Server Reporting Services to create and manage reports
Software update point: Integrates with Windows Server Update Services (WSUS) to provide software updates to clients.
State migration point: Stores user state data when a computer is migrated to a new operating system.
System Health Validator point: Validates Network Access Protection (NAP) policies
Microsoft Intune connector: Uses Microsoft Intune to manage mobile devices

Using the SCCM PowerShell Console

Importing the Configuration Manager PowerShell Module

Open PowerShell as an administrator


CD  C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\


import-module .ConfigurationManager.psd1 - verbosecd A

Loading PowerShell from the Configuration Manager Console

Launch the Configuration Manager console. In the upper left corner, there’s a blue rectangle. Click the white arrow in the blue rectangle, and choose “Connect via Windows PowerShell”.
You’ll see a prompt that contains our site code: PS NNN:\>

Optionally you can open PowerShell as administrator and CD NNN:

Update Configuration Manager PowerShell Help File

update-help –module configurationmanager

Basic Cmdlets


Get-CMSite
Get-CMManagementPoint
Get-CMDistributionPoint
Get-Command –module ConfigurationManager –noun *managementpoint* #retrieve the cmdlets that have a name that contains “managementpoint.”

Example SCCM Applications that Utilize PowerShell

These are some examples of applications that I have created which utilize different SCCM PowerShell cmdlets:

Unlocking SCCM Objects

Here is a quick example of where SCCM’s cmdlets come to the rescue. Prior to 2012 SP1, objects needed to be unlocked in SQL, via the following procedure.

Unlocking in SQL

Connect to your SCCM SQL Server via RDP
SQL Management Studio -> CM_NNN -> New Query!
select * from SEDO_LockState where LockStateID <> 0
DELETE from SEDO_LockState where LockID = ‘

Unlocking Via PowerShell

Now, we can easily perform the same task with this PowerShell cmdlet that is designed to unlock objects!


Unlock-CMObject -InputObject $(Get-CMApplication -Name application_name)

Windows Management Instrumentation

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems.

Exploring WMI on Your SCCM Server

Download/Open WMI Explorer and Connect to: \\siteserver\root\SMS
Browse away. There are also other namespaces to browse other than what is listed.

Testing Queries

Open WBEMTEST
Connect to \\siteserver\root\SMS\SITE_NNN
Click ‘Query’. Here you can run the same queries that SCCM runs in collections, etc.
Click Apply

SMS Provider

The SMS Provider is a Windows Management Instrumentation (WMI) provider that assigns read and write access to the Configuration Manager database at a site:

Each central administration site and primary site require at least one SMS Provider. You can install additional providers as needed.
The SMS Admins security group provides access to the SMS Provider. Configuration Manager automatically creates this group on the site server, and on each computer where you install an instance of the SMS Provider.
Secondary sites do not support the SMS Provider.

Configuration Manager administrative users use an SMS Provider to access information that is stored in the database. To do so, admins can use the Configuration Manager Console, Resource Explorer, tools, and custom scripts. The SMS Provider does not interact with Configuration Manager Clients. When a Configuration Manager console connects to a site, the Configuration Manager console queries WMI on the site server to locate an instance of the SMS Provider to use.

The SMS Provider helps enforce Configuration Manager security. It returns only the information that the administrative user who is running the Configuration Manager console is authorized to view.

Querying SCCM’s WMI through PowerShell

Here is a WMI query snippet to the SCCM database from the Threaded Computer Details Aggregator application I created that returns computer details


$qry = "select * from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_PC_BIOS on SMS_G_System_PC_BIOS.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_LOGICAL_DISK on SMS_G_System_LOGICAL_DISK.ResourceID = SMS_R_System.ResourceId where ResourceID = '$ResourceID'"

$objComputerSystemProduct = Get-WmiObject -ComputerName $ProviderMachineName -Namespace $SCCMnameSpace -Query $qry

Endpoint Protection Overview

Antimalware policies
Windows Firewall settings
Windows Defender Advanced Threat Protection (1606+) (Windows 10 1607+)

Download the latest antimalware definition files, Send email notifications, use in-console monitoring, and view reports

Endpoint Protection Client

Windows 10 / Server 2016: Windows Defender is already installed. A management client for Windows Defender is installed when the Configuration Manager client installs.

Windows XP / 7 / 8 / Server 2008: Endpoint Protection client is installed with the Configuration Manager client.

Hyper-V: Endpoint Protection client can be installed on Hyper-V Host and on VM. Actions have a built-in randomized delay

Malware and spyware detection and remediation
Rootkit detection and remediation
Critical vulnerability assessment and automatic definition and engine updates
Network vulnerability detection through Network Inspection System
Integration with Cloud Protection Service to report malware to Microsoft.

Anti-Malware Policies

Assets and Compliance -> Endpoint Protection -> Antimalware Policies
Default Client Antimalware Policy OR Create Antimalware Policy
1. Scheduled Scans Settings
2. Scan Settings
3. Default Actions Settings
4. Real-time Protection Settings
5. Exclusion Settings
6. Advanced Settings
7. Threat Overrides Settings
8. Cloud Protection Service
9. Definition Updates Settings
Deploy Policy to Collection

Windows Firewall

Assets and Compliance -> Endpoint Protection -> Windows Firewall Policies
Create Windows Firewall Policy
1. For Every Network Profile:
  1. Enable Windows Firewall
  2. Block all incoming connections
  3. Notify the user when Windows Firewall blocks a new program
Deploy Policy to Collection

Windows Defender Advanced Threat Protection

Subscription to Windows Defender Advanced Threat Protection (https://securitycenter.windows.com/)
Windows 10 1607+
SCCM 1610+

Windows Defender ATP is a service in the Windows Security Center. By adding and deploying a client onboarding configuration file, Configuration Manager can monitor deployment status and Windows Defender ATP agent health.

Logon to the Windows Defender ATP online service
1. Endpoint Management -> System Center Configuration Manager -> Download Configuration File.zip
Onboard devices for ATP
1. Assets and Compliance > Overview > Endpoint Protection > Windows Defender ATP Policies -> Create Windows Defender ATP Policy
2. Browse to Configuration File.zip
Monitor ATP Agent
1. Monitoring > Overview > Security -> Windows Defender ATP
  1. Windows Defender Agent Deployment Status
  2. Windows Defender ATP Agent Health (Healthy, Inactive, Etc)

Internet Based Client Management (IBCM)

Internet-based client management, or IBCM, allows you to manage clients when they are not connected to your network, but have an Internet connection. Cloud Management Gateways (CMG) and Cloud Distribution Points (CPD) are used as the cloud infrastructure to support IBCM.

IBCM Requirements

In order to implement IBCM into your environment, you need an Azure subscription.
It also requires clients and the site system servers that the clients connect to use PKI certificates

Not Supported in IBCM

Actual Client installation deployment over the Internet (do it manually)
Wake-on-LAN
OS deployment (you can deploy task sequences that do not deploy an OS)
Remote control
Software deployment (unless the Internet-based management point can authenticate the user in AD)
Roaming

How IBCM Works with a Software Update Point

Scan:against this software update point.
Download: from Microsoft Update

Setting up an IBCM

Prerequisites:

Site Server Must be in DMZ – UPDATE, now you have CMG (Cloud Management Gateway) and this is no longer necessary.
Site systems must be connected to the Internet and must be in AD
1. Distribution point, Software update point, etc
The FQDN of site server needs to be on public DNS server as host record

Setup

Create 3 certificates
1. WEB SERVER (IIS) CERTIFICATE (Web Server Template)
2. CLIENT CERTIFICATE (Workstation Authentication Template)
3. DISTRIBUTION POINT SITE SERVER CERTIFICATE (Workstation Authentication Template)
Issue 3 certificates
1. CA Server -> Certificate Authority -> right-click Certificate Templates, click New, and then click Certificate Template to Issue -> Select all 3
Configure 3 certificates
1. CLIENT CERTIFICATE
2. DISTRIBUTION POINT SITE SERVER CERTIFICATE
3. WEB SERVER (IIS) CERTIFICATE
Setup in SCCM
1. Administration -> Sites and Servers -> Internet DP
  1. General -> Import Cert -> DISTRIBUTION POINT SITE SERVER CERTIFICATE.PFX
  2. General -> HTTPS and “Allow Internet-Only connections”
2. Administration -> Sites and Servers -> Internet MP
  1. General -> HTTPS and “Allow Internet-Only connections”
  2. SCCM -> Administration –> Sites –> Right, properties
  3. client computer communication –> Choose use HTTPS or HTTP
  4. Check the “Use PKI client certificate when available
  5. Import the Root CA certificate
Install Client Manually
1. Option 1: manually add the new MP FQDN in the “Network” tab of the client property
2. Option 2: include the Client.msi property of CCMHOSTNAME=<Internet FQDN of the MP>

Office 365 Client Management

The Office 365 client can now be deployed and managed in your SCCM console.

The O365 Dashboard (appeared in 1610)

To enable the dashboard you must first select the Office 365 ProPlus Configurations hardware inventory class:

Administration > Client Settings > Default Client Settings -> Device Settings list, click Set Classes -> Hardware Inventory Classes -> Office 365 ProPlus Configurations.

Dashboard Location: Software Library > Overview > Office 365 Client Management -> <CHOOSE COLLECTION>

Number of Office 365 clients
Office 365 client versions
Office 365 client languages
Office 365 client channels

How to Deploy Office 365 Apps (started in 1702)

Software Library > Overview > Office 365 Client Management.
Click Office 365 Installer in the upper-right pane.
Give it Name, XML (Optional), Select the Office 365 suite, select the applications
Deploy Now or Just Create Application

How to Deploy Office 365 Updates

Configure WSUS
1. Administration > Site Configuration > Sites -> WSUS Point -> Classifications tab
  1. Classification: Updates
  2. Product: Office 365 Client
Enable O365 Update Client Setting
1. Administration > Overview > Client Setting -> Software Updates -> Enable management of the Office 365 Client Agent: YES

Office 2016 vs. Office 365

Office 2016 is the traditional Office product, sold for a one-time fee. You pay once to buy a version of Office 2016 you can install on a single PC.

Office 365, on the other hand, requires you to pay a monthly or yearly fee which gives you access to the latest version of Office for as long as you pay the fee.

Mobile Device Management (MDM) with Intune

Microsoft Intune is a cloud service that provides mobile device management (MDM). There are two modes of device management, Intune standalone and Hybrid MDM with Configuration Manager.

Intune is managed in SCCM under the Cloud Services node.

In a standalone environment, the devices are managed in the Intune web console. In the hybrid environment, the devices are integrated into SCCM and would automatically be added to the All Mobile Devices collection.

Co-Management Model Released at Microsoft Ignite

A device cannot typically be managed in both. Once the device is managed in Hybrid, the Intune web console is no longer available. An exception to this is in SCCM 1710 where a new mode, co-managed, was released. This allows SCCM and Intune to both manage a Windows 10 device at the same time.

Azure Active Directory (Azure AD)

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud based directory and identity management service. It can be synchronized with your on-premises AD to provide seamless login credentials while clients are on the web.

Configuration Manager Advanced Dashboard

Available through a custom Microsoft engagement is the ability to add an advanced dashboard to your SCCM reporting console.

The dashboard contains over 160 reports. Included in the dashboard are reports on

Asset Inventory
Software Update Management
Application Deployment
Compliance Settings
Infrastructure Monitoring
Site Replica
Content replication
Software Distribution
Clients Health
Servers Heath
SCEP

Dashboard Installation

In order to install the dashboard in your environment, the following variables need to be recorded:

Site Name: NNN
Reporting URL: http://sqlreportserver:80/ReportServer/
Server hosting reporting service point: sqlreportserver

A backup should then made of the SQL server database pertaining to reporting services, in addition a snapshot taken on the site server.

To install the dashboard the POPCMAD_Tool.exe was used with the variables above:

As seen above, the new report path, Advanced Dashboard, would be created which is the new root for the dashboard reports.

As an example, one dashboard now available to you would be the Client Health Statistics dashboard:

Disaster Recovery

A whitepaper for disaster recover, “System Center 2012 Configuration Manager R2 – Disaster Recovery for Entire Hierarchy and Standalone Primary Site” is available.

A copy of the whitepaper can be found here:

https://www.microsoft.com/en-us/download/details.aspx?id=44295

Most Important Disaster Recover Items

Although many topics are discussed and can be viewed in the whitepaper, of most importance to you are the ways in which SCCM can be recovered. Because Microsoft does not officially release SCCM in every release cycle, it is possible you could be on a version that can only be installed by updating an officially released version. Incremental updates can only be found on the site server with a cd.latest directory:

\\siteserver\c$\Program Files\Microsoft System Center Configuration Manager\cd.latest

Therefore, backup of this directory is crucial in order to perform an SCCM recovery. Fortunately, an automated task to backup this folder is now available in SCCM by enable backups in site maintenance at Administration > Overview > Site Configuration> Sites > (Right Click) NNN – Contoso, Inc. > Site Maintenance

Even if you have not enabled this task, it is important to understand its functionality. If you are handling these disaster recovery efforts outside of SCCM using a different backup solution, you may not need to enable this task in your environment. For example, VEEAM could be used to backup your SCCM site server:

SCCM Site Server siteserver: Backed up in VEEAM as the whole server
SCCM SQL Servers SQLSERVER1 and SQLSERVER2: Back up your SQL Servers as an application aware backup (via a volume shadow copy writer). This application aware backup allows SQL to gracefully end all SQL transactions before taking the backup.

To restore an SCCM server, open your Veeam Backup & Replication Console on your backup server VEEAMBACKUP would allow the areas to be restored as you see here in with the SQL server backups

Role Based Administration

The role-based administration model in SCCM centrally defines security access settings for all sites and site settings by using the following:

Security roles are assigned to administrative users to provide those users (or groups of users) permission to different Configuration Manager Objects.
Security scopes are used to group specific instances of objects that an administrative user is responsible to manage.
Collections are used to specify groups of user and device resources that the user can manage.

Each of these components are collectively combined to create the necessary security changes for user access.

Management of SCCM security is handled in Administration > Overview > Security > Administrative Users

Associating Users, Roles, Scopes and Collections Together

To get started with Role Based Administration, you will add the different user groups to the console at Administration > Overview > Security > Administrative Users. Think of these as the users that you will be dividing permissions amongst.

Next you will add a Security Role to this group. There are built-in security roles and also roles you can create, called custom roles. For this example, let’s add the built-in Read-only Analyst role to the SCCM-Report-Vieyours group:

Finally, you will add the security scopes and collections this group can view:

The security scopes are set elsewhere but only represent a name. “Securable objects” throughout SCCM are then configured to either be viewable or not viewable by this security scope.

Securable vs Non-Securable Objects

When building the security model for objects in SCCM, the idea of securable objects is important. When clicking certain objects in SCCM, you may notice a lock icon allowing the security scope to be set:

This allows the object to only be viewed by those in certain security scopes. For example, clicking the lock icon while selecting an alert subscription will allow you to limit only a specific team to see this object. Other users would not see this object within their console.

On the other hand, objects such as the alerts are non-securable and must be delineated with a security role. Security roles allows the associate objects to not be entirely hidden from a user, but can customized with what permissions apply to the object as seen in the security role properties for a custom role:

When creating new security roles, it is recommended to take one of the Built-in roles and copy it. This copy will become a custom role:

Built-in roles cannot be modified and are thought of generally as templates for custom roles.

Securable Objects managed by Security Scope	Non-Securable Objects managed by Security Role
Alert Subscriptions	Active Directory forests
Antimalware Policies	Administrative users
Applications	Alerts
Boot Images	Boundaries
Boundary groups	Computer associations
Configuration items	Default client settings
Distribution points and distribution point groups	Deployment templates
Driver packages	Device drivers
Global conditions	Exchange Server connector
Migration jobs	Migration site-to-site mappings
Operating system images	Mobile device enrollment profiles
Operating system installation packages	Security roles
Packages	Security scopes
Queries	Site addresses
Sites	Site system roles
Software metering rules	Software titles
Software Update Groups	Software updates
Software update packages	Status messages
Task sequence packages	User device affinities
Windows CE device setting items and packages

Associating Configuration Items to Dynamic Collections for Automated Remediation

Configuration Items (CI’s) are useful for detecting compliance for a multitude of events and states on the computers within the company environment. For example, configuration items could be created and combined in a Configuration Baseline (CB’s) that detect the all of the required components to be compliant for Cisco AnyConnect:

Anyone of these configuration items can be used as the query for a collection. For example, you can create collections that represent the computers that are not compliant for each of these items:

you can then target a remediation deployment to this collection, or in this example, why not combine the configuration item collections into a configuration baseline collection, much like the logic for the actual CI’s and CB’s:

Creating Dynamic Collections Based off Configuration Items

Creating a dynamic collection based off computers that fail compliance for a configuration item is as simple as creating a collection by the same name as the CI and using this custom query to target your CI. Simply replace the area boldened with the name of your CI:


select SMS_R_SYSTEM.ResyourceID,SMS_R_SYSTEM.ResyourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResyourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System where SMS_R_System.ResyourceID 
in (select SMS_CI_COMP.ResyourceID from SMS_CI_CurrentComplianceStatus 
as SMS_CI_COMP inner join SMS_ConfigurationItem 
as SMS_CI on SMS_CI.ci_id=SMS_CI_COMP.ci_id 
where ((SMS_CI_COMP.DisplayName = "CI.Name.Of.Yyour.CI" and SMS_CI.islatest = 1  and SMS_CI_COMP.ComplianceState != 1) ))

Antivirus Exclusions for SCCM

In order to exclude SCCM from its own System Center Endpoint Protection scans, the following AV policies should be applied under Assets and Compliance > Overview > Endpoint Protection > Antimalware Policies

SERVER – SCCM Site Server
SERVER– SCCM SQL Servers

These policies should be deployed to collections with their respective names and associated servers. To configure the exclusions, the following Microsoft article can be referenced, which will assist you in targeting SCCM current branch:

https://blogs.technet.microsoft.com/systemcenterpfe/2017/05/24/configuration-manager-current-branch-antivirus-update/

Test-DGMSCEPPathsTool

This tool, Test-DGMSCEPPaths.ps1, was written by David Maiolo which is a small utility to test the paths of folders before adding them to SCEP policies.

The tool requires the –csvfile argument, which is the path to a csv file containing one column, Path, with the paths listed in the column and can be run as in the example below.

This tool can be useful to verify input. Perhaps you find an additional “space” in your default installation directory between “Configuration” and “Manager” as in D:\Program Files\Microsoft System Center Configuration Manager\

Core Function of the Test-DGMSCEPPaths.ps1 tool

February 5, 2018/0 Comments/by David Maiolo

Legacy, MECM

SCCM / WSUS Software Update Best Practices

Overview

This article contains a recommended set of procedures and schedules you can follow in your environment to obtain great WSUS compliance within SCCM. I developed these best practices and helped a client implement them to improve their compliance.

Schedule

I recommend that you create a schedule in your environment to check/complete the following WSUS components/tasks.

Weekly

All Software Update Cleanup of Superseded and Expired

Software Update Groups Cleanup

Monthly

Set MaxExecutionTime on Specific SCCM Software Updates

Cleanup Packages from DPs that are not Needed at DPs

Remediate Updates that are required but not deployed

Notification of Network Segment Creation

Quarterly

Verify Packages and Applications are NOT Updated to DPs on a Schedule

Manage SCCM Deployment Threads

Manage SCCM Distribution Point Rate Limits (Time-Slice Based Throttling)

Manage SCCM Distribution Point Priority Schedules

Enable Binary Differential Replication on Deployment Packages

Project Based

Maximize Performance and Coverage of Automatic Deployment Rules

Allow Site Server and Microsoft to be used as fallback Update locations for Updates

Network Segment Creation

Overview

When a new network segment is created within your environment, be sure the new segment is communicated.

Procedure

Work with your Network engineers to be included in communication when new network segments are created.

Set MaxExecutionTime on Specific SCCM Software Updates

Overview

Every update in SCCM has a maximum amount of time that it is allowed to run. If the amount of time it takes to install the update exceeds the MaxExecutionTime variable set for the update, the update will fail to install. Increasing this execution time can allow a greater installation success rate.

Procedure

Run from NNN(Your SCCM Sever): Powershell:
```
Get-CMSoftwareUpdate -name  "*Cumulative Update*" -Fast | ? {$_.MaxExecutionTime -lt '1800'} | Set-CMSoftwareUpdate -MaximumExecutionMins 30
Get-CMSoftwareUpdate -name "*Cumulative Security Update*" -Fast | ? {$_.MaxExecutionTime -lt '1800'} | Set-CMSoftwareUpdate -MaximumExecutionMins 30
Get-CMSoftwareUpdate -name "*Security Monthly Quality Rollup*" -Fast | ? {$_.MaxExecutionTime -lt '1800'} | Set-CMSoftwareUpdate -MaximumExecutionMins 60
Get-CMSoftwareUpdate -name "*Security and Quality Rollup*" -Fast | ? {$_.MaxExecutionTime -lt '1800'} | Set-CMSoftwareUpdate -MaximumExecutionMins 30
```
Examples

Figure 1 Maximum Run Time on a Software Update

Cleanup Packages from DPs That are Not Needed

Overview

Overtime, SCCM Distribution Points out will accumulate updates and applications that are no longer applicable to the particular DP. For example, if an older version of Adobe Reader were needed in 2015, leaving the installation files on the DP is using unnecessary space.

Procedure
1. View Active Deployments
  1. Within the SCCM Console, open Monitoring\Overview\Deployments
  2. Sort by Date Created
2. Cross Reference Active Deployments with DP Content, And Remove Unneeded
  1. Administration\Overview\Distribution Point Groups -> Branch Distribution Groups [Right Click -> Properties]
  2. Content Tab -> Click Unneeded Updates -> Remove
Examples

Figure 2 Removing DP Content

Verify That Applications are NOT Updated to DPs on a Schedule

Overview

Within the SCCM Console there is an option to have content automatically redistribute itself to distribution points on a schedule. When found to be enabled on content, the processes unnecessarily consumes SCCM traffic.

Procedure
1. Open a suspected offending application or package
2. For example, open Software Library\Overview\Application Management\Packages\Workstations\
  System Configurations\NCI
3. [Right Click] Properties -> Data Source -> Update Distribution points on a schedule
4. Verify this is unchecked
Examples

Figure 3 Verifying content is not updated on schedule

Manage SCCM Deployment Threads

Overview

SCCM controls the number of packages it will attempt to distribute at one time, and the number of distribution points it will attempt to distribute the packages to. Adjusting these controls will allow maximum throughput of traffic while maintaining throttling constraints.

Figure 4 SCCM Content Threads

Procedure
1. Within the SCCM Console go to Administration\Overview\Site Configuration\Sites\XXX
2. [Right Click] Configure Site Components -> Software Distribution
3. Adjust Maximum Threads
Monitoring Threads
1. Download and Install the System Center 2012 R2 Configuration Manager Toolkit
2. Open the DP Job Manager Tool at C:\Program Files (x86)\ConfigMgr 2012 Toolkit R2\ServerTools\DPJobMgr.exe
3. Use the Manage Jobs tab to monitor
Figure 5 DP Job Manager Tool

Examples

Figure 6 Adjusting Content Threads

Manage DP Rate Limits (Time-Sliced Throttling)

Overview

Distribution Point Rate limits are a form throttling which applies to content distribution. Adjusting these throttles can help maximize performance while minimizing disruption during the workweek.

Procedure
1. Within the SCCM Console go to Administration\Overview\Distribution Points [Right Click DP] Properties
2. Open the Rate Limits tab
3. Adjust accordingly
Examples

Figure 7 Adjusting DP Rate Limits

Manage SCCM Distribution Point Priority Schedules

Overview

Distribution schedules allow low, medium and high priority deployments to adhere to certain schedules. Adjusting these schedules can help maximize performance while minimizing disruption during the workweek.

Procedure
1. Within the SCCM Console go to Administration\Overview\Distribution Points [Right Click DP] Properties
2. Open the Schedule tab
3. Adjust accordingly
Examples

Figure 8 Adjusting DP Priority Schedules

Maximize Performance and Coverage of Automatic Deployment Rules

Overview

When creating SCCM ADRs, it is important that no rule duplicates another, and also that combined rules do not miss any critical or security updates for an environment (such as Prod or Pilot)

Figure 9 Optimizing ADRs in SCCM

How Microsoft Deploys Software Updates

Security Only Quality Update (Released every month)
- Includes Critical and Security for That Month
Security Monthly Quality Rollup (Released every month)
- Includes Critical, Security and Updates*, Cumulative for Year
  
  * Feature patches (non-security)
Procedure
1. Within the SCCM Console go to Software Library\Overview\Software Updates\Automatic Deployment Rules
2. A Deployment Packages are updated via an ADR no more frequently than necessary. For example, a pilot ADR may update weekly, whereas a Production ADR may update monthly.
Enable Binary Differential Replication on Deployment Packages

Overview

Binary Differential Replication, sometimes known as “delta replication,” is used by SCCM to update package source files with a minimum of additional network traffic. This minimizes the network traffic between sites, especially when the package is large and the changes are relatively small.

Procedure
1. Within the SCCM Console go to Software Library\Overview\Software Updates\Deployment Packages
2. [Right Click Package] and check Enable binary differential replication
Examples

Figure 10 Enabling Binary Differential Replication

Allow Site Server and Microsoft to be used as Fallback Update Locations

Overview

If there is no distribution point assigned to a client, updates can fail to deploy. Allowing a fallback source to be used, which increases the chances your clients will receive their required updates.

Procedure
1. Within the SCCM Console go to Software Library\Overview\Software Updates\Automatic Deployment Rules
2. Click an ADR, and then go to the Deployment Settings tab at the bottom of the screen
3. [Right Click] Properties
4. Open the Download Settings tab and check If software updates are not available…
Examples

Figure 11 Configuring Failback Sources for ADRs

Remediate Updates That Are required but not deployed

Overview

There is a prebuilt SCCM report that can help identify updates that are required, but have not been distributed. I have further configured the ability automate this portion in a different project. Please see SCCM: Automate Deployment of Required Updates for more details.

Procedure
1. Using Internet Explorer, browse to the Reports path at http://vconscm005prd/Reports
2. Find the report Management 2 – Updates required but not deployed and run it
3. Collection: ‘Production Workstation’ and ‘Production Server’ (one report for each)
4. Vendor: Microsoft
5. Update Class: Critical and Security (one report for each)
6. Export each report as updates_nn.csv
7. Connect to NNN: PowerShell console and use the report to update Software Update Groups accordingly:
```
$updates =import-csv -path updates_nn.csv

$undeployedupdates=$updates | %{Get-CMSoftwareUpdate -ArticleId $_.update -Fast | ?{$_.nummissing -ge 1}} 
$PilotSoftwareUpdategroup=Get-CMSoftwareUpdateGroup -Name "Production Servers Updates - All other Products* nnn"
$undeployedupdates | %{Add-CMSoftwareUpdateToGroup -SoftwareUpdateId $_.CI_ID -SoftwareUpdateGroupName "Production Servers Updates - All other Products* nnn"}
```
Examples

Figure 12 Checking Critical Updates

Figure 13 Checking Security Updates

Software Update Cleanup of Superseded and Expired

Overview

Superseded and Expired updates need to periodically be cleaned up from Software Update Groups.

Superseded Updates Procedure
1. Within the SCCM Console go to Software Library\Overview\Software Updates\All Software Updates
2. Add Criteria -> Superseded + Deployed
3. [Right Click] Edit Membership -> Uncheck from each Deployment Package
Expired Procedure
1. Within the SCCM Console go to Software Library\Overview\Software Updates\All Software Updates
2. Add Criteria -> Expired + Deployed
3. [Right Click] Edit Membership -> Uncheck from each Deployment Package
Examples

Figure 14 Removing Expired Updates From SUG

Software Update Groups Cleanup

Overview

Once an Update Group has been automatically created, used and replaced by a new Update Group of the same exact type, the old group can safely be deleted. This helps keep the environment clean and remove unnecessary Software Update Group deployments.

Procuedure
1. Within the SCCM Console go to Software Library\Overview\Software Updates\Software Update Groups
2. Sort by Name
3. Delete the older of identical Software Update Groups if no longer user
Examples

Figure 15 Deleting Old Software Update Groups

February 5, 2018/0 Comments/by David Maiolo

Legacy, Legacy Tools, MECM

Cisco ISE/AnyConnect Deployment and Remediation

Overview

Purpose

The purpose of this article is to help you define a deployment strategy and plan for a Cisco AnyConnect upgrade. I used a similar procedure to help a 3000+ client environment transition successfully to the latest version of Cisco Anyconnect by utilizing SCCM and a custom upgrade program I created just for the purpose. For demonstration purposes I will show an upgrade procedure to version 4.5.02036. This article is comprised of two sections: the Deployment Strategy and the Deployment Plan. The Deployment Strategy section is used to formulate a deployment approach for Cisco AnyConnect. The Deployment Plan section contains recommended schedule, resource, technical, and support information necessary for a successful deployment of Cisco AnyConnect.

About AnyConnect

AnyConnect refers to a set of network security tools provided by Cisco that can be used to provide your users VPN access and to prevent non-compliant devices from accessing your network.

This set of tools can installed on all of the workstation computers at your company and is usually visible to the user as a small

Cisco icon which they could also use to open your VPN tunnel.

Components For A Succesful Upgrade

The following sample components are recommended for upgrading to version 4.5.02036:

Cisco AnyConnect Start Before Login Module 4.3.03086
Cisco AnyConnect Diagnostics and Reporting Tool 4.3.03086
Cisco AnyConnect Network Access Manager 4.3.03086
Cisco AnyConnect Secure Mobility Client 4.3.03086

The ISE compliance module might not need to be upgraded during your project which is the component used to prevent noncompliant devices:

Cisco AnyConnect ISE Compliance Module 4.2.426.0

Deployment Strategy

The Deployment Strategy section of this article provides you the recommended deployment strategy for Cisco AnyConnect 4.5.02036. Included in the deployment strategy is recommended timeline information, a description of the deployment approach, and associated benefits, assumptions and risks.

Deployment Overview

Phases	Sites	Computers	Scheduled Dates
PRE-PILOT	SITE 1	27	October 2, 2020 – October 24, 2020
PILOT	SITE 2	169	October 30, 2020 – November 17, 2020
PRODUCTION	All Locations	1,500	November 15, 2020 – December 20, 2020

The Deployment Date’s referenced below are the date Cisco AnyConnect 4.5.02036 would attempt to begin installation on the selected computers. This does not indicate the completion date for this phase, which could take an additional 2 weeks.

Production Phase 1 (Site 1)

Sub Phases	Sites	Computers	Deployment Date
PHASE 1A	Site 1	243	November 15, 2020
PHASE 1B	Site 2	272	November 20, 2020
PHASE 1C	Site 3	295	November 27, 2020
		810

Production Phase 2 (Site 2)

Sub Phases	Sites	Computers	Deployment Date
PHASE 2A	Site A 1/2	246	November 29, 2020
PHASE 2B	Site A 2/2	248	December 4, 2020
PHASE 2C	Other Sites	185	December 6, 2020
		679

Production Phase 3 (Executive Staff)

Sub Phases	Sites	Computers	Deployment Date
PHASE 3	Executive Staff	11	Custom Arrangements

Deployment Approach

System Center Configuration Manager (SCCM) should be used to deploy Cisco AnyConnect. When each phase is approached, the computers would be instructed to execute the installation in Parallel, within their maintenance window.

A deployment will require a software reboot once completed. Users have an option to install the software outside of their maintenance window via the Software Center found on the start menu, and if they do, will also require a restart, even if during the middle of the day. The software could be displayed as shown on the right.

Assumptions and Risks

Assumptions

The computers targeted for deployment are assumed to be left on and connected to your corporate network during the maintenance window at least a couple of the nights during the scheduled deployment. Additionally, the computer is assumed to currently have no currently known issues with the version of AnyConnect installed prior to upgrade.

Deployment Targeting and IP Scopes

Deployments can be targeting based on DHCP scopes correlating to client’s active IP addresses. Active scopes and IP address mappings can be seen by having a server administrator run Get-DhcpServerv4Scope –ComputerName ADCSERVER| Select ScopeID, Name

Risks

Because AnyConnect is used as the primary means to authenticate a computer for compliance against your network, failed installations can result in a device not having any network connectivity until the installation is resolved or ISE compliance is turned off on the network port associated to the computer by a Network Engineer.

Benefits to Deployment

A client I worked with was running Cisco AnyConnect 4.3, which was two major versions behind the latest version released in late October 2017, 4.5.02036. Amongst multiple security fixes that were introduced since this version, some important ones include patches for the WPA2 KRACK vulnerability.

Additionally, developing your upgrade strategy will provide a more refined path and plan for future AnyConnect upgrades.

Deployment Plan

The Deployment Plan section provides recommended information on the deployment of Cisco AnyConnect. Included in the Deployment Plan are schedule and resource information, the engagement and promotion strategy, deployment methods, technology infrastructure and support considerations, deployment testing and training requirement, and any known conflicts or issues with the software.

Deployment Schedule and Resources

Pre-Pilot Schedule

Phase	Sites	Computers	Deployment Date*	Server Resource	Network Resource
PRE-PILOT PHASE 1	Site 1	10	October 2, 2020	David Maiolo	Elon Musk
PRE-PILOT PHASE 2	Site 2	3	October 9. 2020	David Maiolo	Elon Musk
PRE-PILOT PHASE 3	Site 3	14	October 20, 2020	David Maiolo	Bill Gates

Pilot Schedule

Phase	Sites	Computers	Deployment Date*	Server Resource	Network Resource
PILOT PHASE 1	Site 1 Pilot	59	October 30, 2020	David Maiolo	Elon Musk
PILOT PHASE 2	Site 2 Pilot	51	November 6. 2020	David Maiolo	Bill Gates
PILOT PHASE 3*	Site 3 Pilot	118	November 13, 2020	David Maiolo	Elon Musk

Production Phase 1 (Site 1)

Sub Phases	Sites	Computers	Deployment Date*	Server Resource	Network Resource
PHASE 1A	Site 1	243	November 15, 2020	David Maiolo	Elon Musk
PHASE 1B	Site 2	272	November 20, 2020	Elon Musk	Elon Musk
PHASE 1C	Site 3	295	November 27, 2020	Elon Musk	Elon Musk

Production Phase 2 (Site 2)

Sub Phases	Sites	Computers	Deployment Date*	Server Resource	Network Resource
PHASE 2A	Produce a xlsx attachment	246	November 29, 2020	Elon Musk	Elon Musk
PHASE 2B	Produce a xlsx attachment	248	December 4, 2020	David Maiolo	Elon Musk
PHASE 2C	See xlsx attachment	185	December 6, 2020	David Maiolo	Elon Musk

Production Phase 3 (Executive Staff)

Sub Phases	Sites	Computers	Deployment Date*	Server Resource	Network Resource
PHASE 3	Executive Staff	7	Custom Arrangements	David Maiolo	Elon Musk

Resource Requirements

Helpdesk Team

Throughout the deployment process it is additionally considered there should be Technology Helpdesk Team resources available to provide immediate remediation efforts via the helpdesk. Your helpdesk technician should walk the user through starting the AUTOMATED REMEDIATION TOOL as shown later in this article and assist with other troubleshooting steps.

Endpoint Team

Additionally, your Endpoint Team can be considered as a Tier 2 resources to assist the helpdesk via requests in the Ticketing system. The Endpoint Team engineer should attempt the steps and tools outlined in the section ADVANCED TECHNICAL SUPPORT

Server Infrastructure Team

Your Network Engineers Team and Server Infrastructure Team resources not listed above should also be thought to be available for emergencies and Tier 3 escalations from either your Endpoint or Helpdesk team. Your Server Infrastructure Team resource should be available for any and all requests for assistance from the Helpdesk Team and Endpoint Team to assist with remediation, and work on additional remediation efforts if these teams do not have the resources available.

Network Engineers Team

Your Network Engineers Team resource should assist in remediation and would likely be the first point of contact to disable ISE on the port where the customer is having a connection issue.

Engagement and Promotion Strategy

This recommended engagement and promotion strategy should be used for deploying Cisco AnyConnect 4.5.02036.

During each production phase, Technology Support should be used as the method to communicate the strategy to associated Managers during the phases and management staff during the executive phases.

E-Mail Template

Colleagues:

The Technology department has successfully completed testing of Cisco AnyConnect 4.5.02036 and is ready to begin the deployment portion of the project. The target date for deployment in your area is [Scheduled time per phase] between the hours of TIME1 and TIME. <--include times from your maintenance window

This deployment is only an upgrade to the preexisting application on the computers in this area.

The Cisco AnyConnect software enables the streamlining of authentication, access controls and privileges, and network systems at this company NNN. For the most part, deployment and streamlined authentication and authorizations services occurs “behind the scenes” with minimal, if any, user disruption.

You should not notice any operational changes when the software is deployed to your computer, other than a reboot during the hours indicated above. However, our engineers and technicians are available to assist in the event the software installation causes an issue with a user accessing our network. Please call the helpdesk at xNNNN immediately if you run into any VPN or network connectivity issues during this deployment.

Thank You for your cooperation,

[Technology Signature]

Testing Methods and Customer Acceptance

You should pass the Cisco AnyConnect 4.5.02036 deployment through a pre-pilot and pilot phase, where some issues could be observed. In those instances, it was of utmost importance that the customers’ issues would be resolved quickly. In the event the Cisco AnyConnect 4.5.02036 installation failed, it would be vitally important that the Network Engineers Team be available to “disable ISE” on the user’s network port so that the AnyConnect requirements would not be needed during the resolution.

With additional support, proper remediation strategies from Endpoint Team, Technology Helpdesk Team and Server Infrastructure Team would likely be required to bring the users’ computer back into compliance with the proper installation of Cisco AnyConnect 4.5.02036.

Monitoring The Deployment

Basic Monitoring

Central monitoring of the Cisco AnyConnect 4.5.02036 rollout could be viewed from your computer by visiting your SCCM SQL report link and searching for the report ‘All application deployments (basic)’.

Choose By: Application

Select Application (Collection): Cisco AnyConnect 4.5.02036 (All Applications)

Select Collection (Application): All

The application metrics should be divided into the respective phases:

Clicking the “View Current” data for the phase would allow you to further drill down, even to the computer and user level if necessary:

The monitoring works by comparing Product installation UIs for each Cisco component with reported installed components on the workstations.

Advanced Monitoring

To assure your technician or technical contact has as much data as possible to troubleshoot Cisco AnyConnect 4.5.02036 deployment issues, several compliance items and baselines were written which assess specific values on the computers. These basslines look to see that certain conflicting software is not installed, required certificates are in place and not expired and all required components are installed successfully. These could be viewed within you SCCM SQL Server by searching for the report: Summary compliance by configuration baseline

Configuration Baselines Name: CB.AnyConnect.4.5.02036.Full.Compliance

Clicking ‘View Report’ will allow you to drill down and see each compliance item and reason for failure.

Advanced Technical Support

If an installation of Cisco AnyConnect 4.5.02036 fails, the user is likely not to have any network access. During the planning and testing of Cisco AnyConnect 4.5.02036, many advanced methods, tools and configurations have been written to help support the rollout, monitor its progress, and provide technical staff (and users’) remediation options.

Compliance Checking

I developed algorithms that can developed as SCCM configuration items to provide a detection service to track centralized deployment success and failures. By use from a technician, these compliance metrics are available to a computer with or without network access to show if a device passed or failed the installation and if so, identify where the installation failed.

This would available to the technician in the Control Panel -> Configuration Manager -> Configurations -> CB.AnyConnect 4.5.02036.Full.Compliance -> Evaluate -> View Report

Success and failures can be further clicked to elaborate on details.

Conflict Resolution Flow-Chart

I developed this flow-chart to help a technician work with customers if they run into issues.

Automated Remediation Tool

I further developed the Cisco AnyConnect Remediation Tool, which should allow a user or technician a first-line defense to components in the flowchart above. The remediation tool was written in PowerShell and attempts to identify and resolve common issues.

The helpdesk or technician should first attempt to use the remediation tool before performing next steps. Network connectivity is NOT required to use the tool.

If pre-deployed to user computers as a required deployment (but far off in the future), it will cache locally on the client. Use of the tool only requires the user to open Software Center and find the Cisco AnyConnect (REMEDIATION TOOL) and clicking Install as shown below. No user interaction is required. If the tool was successful, the user will be asked to restart their computer. If not, the tool will prompt to retry.

Advanced mode

For technicians using the tool, a more advanced and verbose mode is available. The technician would find the tool inside of c:\windows\ccmcache\xx\Invoke-DMGAnyConnect.ps1. If run as an administrate account, the tool will show progress and will log attempts for remediation.

Removing Computers From The Deployment

If a computer needs to be removed from your Cisco AnyConnect deployment, you should include an exclusion collection to your project. This would allow an SCCM administrator add the computer to the collection:

\Assets and Compliance\Overview\Device Collections\Cisco AnyConnect 4.5.02036 Upgrade Project\EXCLUSIONS\Cisco AnyConnect 4.5.02036 Upgrade Project (EXCLUSIONS ONLY)

Further, the Phase collection, such as Cisco AnyConnect 4.5.02036 Upgrade Project (PRODUCTION PHASE 1A), would need to be updated (right click-> Update Membership) to reference the new exclusion.

Reference Documents

Be sure to include reference documents

Custom PowerShell Remediation Solution
After the application is deployed through SCCM, the Cisco installation could fail for a multitude of reasons. After working with several clients, and determining the most common reasons for failure, the following “Remediation” application was developed and made available so that end users could install the tool in the event the standard SCCM application did not work.

In my scenarios, this method became so much more successful than the MSI installations provided by Cisco, that it was eventually modified to be the sole Cisco AnyConnect automated deployment through SCCM.


$toolslocation=(get-item -Path .).FullName 
$global:errorsleft = 0
$global:RestartPending = 0
$programversion = "1.4"
$programauthor = "c-dmaiolo"

Start-Transcript -Append -Path "C:\admin\Fix-DMGAnyConnect-$programversion-$(Get-Date -Format dd-MM-yyyy).log"

Function Get-DMGWelcomeScreen($Title){
    Write-Host ==============================================================
    Write-Host Title: $Title                                          
    Write-Host Version: $programversion
    Write-Host Author: $programauthor
    Write-Host ==============================================================

}

Function Get-DMGTitleScreen($Title){
    Write-Host ============================================================== -ForegroundColor Cyan
    Write-Host $Title  -ForegroundColor Cyan
    Write-Host ============================================================== -ForegroundColor Cyan
}

function Get-ConfigurationFileStatus
    {
    [CmdletBinding()]
    
    [OutputType([int])]


    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$true,
                   Position=0)]
        $ConfigurationFilePath="c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration.xml",
        $BadConfigurationFilePath="c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration_bad.xml",
        $GoodConfigurationFileDay = 20,
        $GoodConfigurationFileMonth = 10,
        $GoodConfigurationFileYear = 2016

    )


    Begin
    {
    
    }
    Process
    {
        if (Test-Path $ConfigurationFilePath){
            $ConfigurationFilelastModifiedDate = (Get-Item "$ConfigurationFilePath").LastWriteTime
            if ($ConfigurationFilelastModifiedDate.Day.Equals($GoodConfigurationFileDay) -and $ConfigurationFilelastModifiedDate.Month.Equals($GoodConfigurationFileMonth) -and $ConfigurationFilelastModifiedDate.Year.Equals($GoodConfigurationFileYear)){
                $result = 1
                Write-Verbose "Debug: $(Get-Date) - GOOD Configuration File was found: $ConfigurationFilelastModifiedDate"
                Write-Host "Success: $(Get-Date) - Configuration File Found With Good Date: $ConfigurationFilelastModifiedDate (needs to be $GoodConfigurationFileYear-$GoodConfigurationFileMonth-$GoodConfigurationFileDay)" -ForegroundColor Green
            }else {
                $result = 2
                Write-Verbose "Debug: $(Get-Date) - Bad Date Configuration File was found: $ConfigurationFilelastModifiedDate"
                Write-Host "Error: $(Get-Date) - Configuration File Found With Bad Date: $ConfigurationFilelastModifiedDate (needs to be $GoodConfigurationFileYear-$GoodConfigurationFileMonth-$GoodConfigurationFileDay)" -ForegroundColor Red
                $global:RestartPending++
            }
        }
        elseif (Test-Path $BadConfigurationFilePath) {
            $result = 2
            Write-Verbose "Debug: $(Get-Date) - BAD Configuration File was found"
        }
        else{
            $result = 3
            Write-Verbose "Debug: $(Get-Date) - NO Configuration File was found"
        }
    }
    End
    {
        $result
    }

}


function Set-ConfigurationFile
    {
    [CmdletBinding()]
    
    [OutputType([int])]
    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$false,
                   ValueFromPipeline=$true,
                   Position=0)]
                   $var
        
    )

    Begin
    {
        Get-DMGTitleScreen ("CHECKING CISCO ANYCONNECT CONFIGURATION.XML...")
        $ConfigurationFileStatus = Get-ConfigurationFileStatus
        $ConfigurationFileDestination = "c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\"
        $ConfigurationFileSource = "$toolslocation\tools\configuration.xml"
        
    }
    Process
    {
        if ($ConfigurationFileStatus -eq 1){
            Write-Host Success: $(Get-Date) - Configuration File is GOOD! -ForegroundColor Green
        }elseif ($ConfigurationFileStatus -eq 2){
            Write-Host Error: $(Get-Date) - Configuration File is Bad. Attempting to fix... -ForegroundColor Yellow
             if (Test-Path $ConfigurationFileDestination){
                Copy-DMGFile -filesource $ConfigurationFileSource -filedestination $ConfigurationFileDestination
                Restart-DMGService -Service nam -Verbose
	        } else{
                Write-Host Error: $(Get-Date) - Could not fix. AnyConnect is not installed! -ForegroundColor Red
            }
        }elseif ($ConfigurationFileStatus -eq 3){
            Write-Host Error: $(Get-Date) - No configuration file was found! Is AnyConnect installed? Attempting to fix... -ForegroundColor Red
             if (Test-Path $ConfigurationFileDestination){
                Copy-DMGFile -filesource $ConfigurationFileSource -filedestination $ConfigurationFileDestination
                Restart-DMGService -Service nam -Verbose
	        }else{
                Write-Host Error: $(Get-Date) - Could not fix. AnyConnect is not installed! -ForegroundColor Red
                }
        }
    }
    End
    {
        $result
    }
    
 }

 function Copy-DMGFile
    {
    [CmdletBinding()]
    
    [OutputType([int])]
    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        $filesource,
        $filedestination
    )

    Begin
    {
        Write-Host "Copying $filesource..."
    }
    Process
    {
        try{
            copy $filesource $filedestination
            Write-Host "Success: $(Get-Date) - Copied $filesource" -foregroundcolor green
        }
        catch{
            Write-Host "Error: $(Get-Date) - Could Not Copy $filesource" -foregroundcolor red
            $global:errorsleft++
        }
    }
    End
    {

    }
    
 }


 function Restart-DMGService
    {
    [CmdletBinding()]
    
    [OutputType([int])]
    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        $service
    )

    Begin
    {
        Write-Host Restarting $service Service...
    }
    Process
    {
        try{
            Restart-Service $service
            Write-Host "Success: $(Get-Date) - Restarted $service Service" -foregroundcolor green
        }
        catch{
            Write-Host "Error: $(Get-Date) - Could Not Restart $service Service" -foregroundcolor red
        }
    }
    End
    {
        $result
    }
    
 }


 function Is-DMGProgramInstalled {

    [CmdletBinding()]
    
    [OutputType([int])]
    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        $program,
        $version
    )

    Begin
    {

    }
    Process
    {
        $x86 = ((Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue) |
            Where-Object { $_.GetValue( "DisplayName" ) -like "$program" -and $_.GetValue( "DisplayVersion" ) -like "$version"} );

        $x64 = ((Get-ChildItem "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue) |
            Where-Object { $_.GetValue( "DisplayName" ) -like "$program" -and $_.GetValue( "DisplayVersion" ) -like "$version"} );

        if($x86){
            Write-Host "Success: $(Get-Date) - x86 Version Found at $x86" -foregroundcolor green
            $result = $TRUE
            }
        elseif($x64){
            Write-Host "Success: $(Get-Date) - x64 Version Found at $x64" -foregroundcolor green
            $result = $TRUE
        }
        else{
            Write-Host "Error: $(Get-Date) - No x64 or x86 version found" -foregroundcolor green
            $result = $FALSE
        }
    }
    End
    {
        return $result
    }
}


function Is-DMGAllProgramInstalled {


    Begin
    {

        Get-DMGTitleScreen ("CHECKING FOR INSTALLED COMPONENTS")
        $csv = import-csv $toolslocation\tools\anyconnect_programs.csv 

    }
    Process
    {
        
        $csv | foreach-object {
          $Program = $_.Program
          $Version =$_.Version
          $Required =$_.Required
          $MSI =$_.MSI
          $RestartRequired =$_.RestartRequired

          Write-Host Checking $Program $Version $MSI ...
          
          if (Is-DMGProgramInstalled -program $Program -version $Version){
             Write-Host "Success: $(Get-Date) - $Program $Version is installed. Re-installing anyway just to make sure." -foregroundcolor green
             Install-DMGProgram -Program $Program -Version $Version -Required $Required -MSI $MSI -RestartRequired FALSE
          }else{
             Write-Host "Error: $(Get-Date) - $Program $version NOT installed" -foregroundcolor red
             Install-DMGProgram -Program $Program -Version $Version -Required $Required -MSI $MSI -RestartRequired $RestartRequired
          }
        }

    }
    End
    {
        
    }
}

Function Install-DMGProgram{
    [CmdletBinding()]
    
    [OutputType([int])]
    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        $Program,
        $Version,
        $Required,
        $MSI,
        $RestartRequired

    )

    Begin
    {
        $csv = import-csv $toolslocation\tools\anyconnect_programs.csv
        $n=1

    }
    Process
    {
        
                       
        while($n -lt 3){

        Write-Host "Installing $Program $Version $MSI (Try $n of 2)..."
        Start-Process msiexec.exe -Wait -ArgumentList "/i `"$toolslocation\tools\Cisco AnyConnect 4.5.02036\$MSI`" REBOOT=ReallySupress /passive /qb"

        if(Is-DMGProgramInstalled -program $Program -version $Version){
           Write-Host "Success: $(Get-Date) - $Program $Version installed succesfully" -foregroundcolor green
           if ($RestartRequired -eq $TRUE){
                $global:RestartPending++
            }
            $n=4
        }else{
            $n++;
            Write-Host "Error: $(Get-Date) - $Program $Version could not be installed" -foregroundcolor red
            Remove-DMGHKCRRegKey -Program $Program
        }
    }

    }
    End
    {
        Write-Verbose "Debug: $(Get-Date) - Install-DMGProgram Exit Level: $n"
        if($n -eq 3){
            $global:errorsleft++
        }
    }
}


function Get-DMGErrorsLeft{

    Begin
    {

    }
    Process
    {
        if ($global:errorsleft -gt 0){ 
				$return = $TRUE
		}
		else{
			$return = $FALSE
			$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Fix-DMGAnyConnect"
			$name = "Installed"
			$value = "1"
			$name2 = "Version"
			$value2 = "4.5.02036"

			if(!(Test-Path $registryPath))
			{
				New-Item -Path $registryPath -Force | Out-Null

				New-ItemProperty -Path $registryPath -Name $name -Value $value `
				-PropertyType DWORD -Force | Out-Null
				New-ItemProperty -Path $registryPath -Name $name2 -Value $value2 `
				-PropertyType String -Force | Out-Null
			}
			else {
				New-ItemProperty -Path $registryPath -Name $name -Value $value `
				-PropertyType DWORD -Force | Out-Null

				New-ItemProperty -Path $registryPath -Name $name2 -Value $value2 `
				-PropertyType String -Force | Out-Null
			}
		}
    }
    End
    {
        $return
    }

}
 

 function Get-FinalReport{

	 Get-DMGTitleScreen("FINAL REPORT")

	 if (Get-DMGErrorsLeft){
		 Write-Host "Error: $(Get-Date) - There were $global:errorsleft errors that could not be resolved!" -ForegroundColor Red
	 }else{
		 Write-Host "Success: $(Get-Date) - All Errors were resolved!" -ForegroundColor Green
	 }
     if ($global:RestartPending -gt 0){
        Write-Host "Warning: $(Get-Date) - A reboot is required!" -ForegroundColor Yellow
		#[System.Environment]::Exit(3010)
     }else{
        Write-Host "Success: $(Get-Date) - No reboot is required. The user may safely use the computer." -ForegroundColor Green
        #[System.Environment]::Exit(0)
     }
 }
 
 <#
 .Synopsis
    Short description
 .DESCRIPTION
    Long description
 .EXAMPLE
    Example of how to use this cmdlet
 .EXAMPLE
    Another example of how to use this cmdlet
 #>
 function Remove-DMGHKCRRegKey
 {
     [CmdletBinding()]
     
     Param
     (
         # Param1 help description
         [Parameter(Mandatory=$true,
                    ValueFromPipeline=$true,
                    Position=0)]
         $Program
     )
 
     Begin
     {

     }
     Process
     {

        New-PSDrive -PSProvider registry -Name HKCR -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null
        $PRODUCTS = Get-ChildItem "HKCR:Installer\Products"

        foreach ($PRODUCT in $PRODUCTS)
        {
            $PRODUCT_NAME = (Get-ItemProperty -Path ("HKCR:Installer\Products\" + $PRODUCT.PSChildName))."ProductName"

            if ($PRODUCT_NAME -like "*$Program*")
            {
                Write-Host "Removing Key: $Product.PSChildName "-" $PRODUCT_NAME ..." -ForegroundColor Yellow
                Remove-Item ("HKCR:Installer\Products\" + $PRODUCT.PSChildName) -Recurse
                Write-Host "Success: $(Get-Date) - $Product.PSChildName - $PRODUCT_NAME Removed" -foregroundcolor green
            }
        }

     }
     End
     {

     }
 }

function Stop-DMGServices
 {
     Begin
    {
        Get-DMGTitleScreen ("STOPPING SERVICES")
        $csv = import-csv $toolslocation\tools\anyconnect_services.csv
    }
    Process
    {
        $csv | foreach-object {
          $Service = $_.Service
          $Description =$_.Description
          Write-Host "Checking Service: $Description ($Service)..."
          try{
            (get-service -Name $Service).Stop()
            Write-Host "Success: $(Get-Date) - $Description ($Service) Stopped" -foregroundcolor green
            $result = $TRUE
            }
          catch{
            Write-Host "Error: $(Get-Date) - $Description ($Service) could not be Stopped" -foregroundcolor red
            $result = $FALSE
            }
        }
    }
    End
    {
        
    }
 }

function Invoke-DMGRemediateAnyConnect{
 Get-DMGWelcomeScreen("Cisco AnyConnect Fix Utility")
 Stop-DMGServices
 Is-DMGAllProgramInstalled
 Set-ConfigurationFile
 Get-FinalReport
}

February 5, 2018/0 Comments/by David Maiolo

Legacy, Legacy Tools, Random Scripts, etc.

UniversityLite Overview

UniversityLite Design Overview

I developed UniversityLite as a rapid deployment e-commerce tool to market university products and information to university students over the web using PHP. In other words, UniversityLite creates, deploys and maintains university websites automatically using custom PHP function. As of 2016, this tool has generated and maintains over 7.000 websites with each receiving about 1,000 views a month. The tool is based on the Model-View-Controller (MVC) architectural programming framework.

UniversityLite as a Function f

In its simplest form, UniversityLite can be understood as a function, where the input is simply the name of a university and the output is a full and complete website tailored to that university. Therefore the job of the function is to automatically create the database and website code for a full and complete website. The method by which this is accomplished is through the systematic gathering of information and the resulting interpretation and presentation of that information based on complex, but predictable logic.

UniversityLite is written primarily in PHP and uses SQL, Javascript and BASH to collect data automatically from sources such as Wikipedia, Google, Bing, Youtube, Amazon, eBay and NCES (and other governmental data sources) to slowly build an understanding about the environment in which to create the site. Most data is gathered through open APIs, such as Bing’s Image API which is used to automatically gather relevant images to a topic, or Amazon’s AWS API to generate products.

UniversityLite Sample API REST Request with Amazon AWS

Generating Variables

As the base input for content generation, the tool was fed 7,000 university names that I gathered from the National Center for Education Statistics (NCES).

Let’s look at one of those university names, “Monroe Community College”, as an example to see how the tool generates basic information about the university.

–

Insert “Monroe Community College” into Algorithm

First, the tool must determine basic information about the string, “Monroe Community College”. We can reasonably assume this will be the name of a university and will develop an array of queries we will use that represent how the university might be referenced on the internet. First, the tool sees the substring, “Community College” and can reasonably determine we might also call the college by its acronym, “MCC”. This logic is used to generate up to four different unique names each university might go by, such as “Brockport University” from the string “State University of New York at Brockport”.

Now that the tool has an array of search terms, it can get to work using intelligent functions with several of the open APIs mentioned to build a SQL database of variables associated with this university. It would be exhaustive to go through the process of all variables generated as each university name generates thousands of variables. Yet, here are some obvious ones along with the techniques used to gather them:

Preferred subdomain such as “mcc.universitylite.com” (query NCES API for website address and strip out the subdomain, ‘mcc’)
University Colors such as “Blue and Gold”, as hex values (strippng relevant color names from wikipedia_infobar_request function and sending them to a color_names_to_hex function).
City, State and Zip of university, such as “Rochester”, “NY” and “14626” (query NCES API for these values)

…and this process goes on and on to gather such information as demographics, weather, local attractions (such as “Monroe County Museum”), apparel categories (such as “MCC Men’s Pants”), degree programs and product categories based on degree programs (such as “Nursing Supplies”).

UniversityLite builds the SQL database with these variables, organizing each major category into a relevant table. To streamline access and storage, we break each table into the data, a data dictionary describing the data and a variable dictionary (as indicated by the VARS and DD tables below).

Universitylite Database Sample

Generating Content

Now that UniversityLite has created our SQL database of a couple thousand variables associated to “Monroe Community College”, we can begin to generate content associated to Monroe County College as a university.

For starters, the functions will begin to create the skeleton content for the website, such as colors, titles, logos and basic content. When displaying products, for example men’s apparel, we use variables such as the university’s name, colors, demographics and degree programs to query the Amazon AWS API.

Function for Sports Weight

In this example, we determine the university total student population is 52% male, which indicates it is fine to go ahead and generate the REST request to Amazon for a male category (as opposed to an all female university, for example). The variables also show us this university has several sports teams, so we decide to put weight on men’s apparel that is sports related. This weight comes in the form of an array of possible search terms that are given mathematical weights to them based on the funding the sports teams receive (aka their size relative to the overall university’s budget).

The chosen array search term, which let’s say is “MCC Men’s Basketball Activewear” is used to build an Amazon REST request by referencing a custom REST generator build for Men’s Apparel (to assure we are only returning items we want within a certain scope of Men’s apparel). This logic will be repeated across the scope of probability we determine from the sports weight function (and other similarly performing functions) to generate a product list which reflects the weight of sports and other variables actually represented by university statistical data.

REST Request URI Generation

Once we finally have created our REST request as a string to send to Amazon’s API, we pass it to Amazon, which will in turn provide us an XML database of product information. This will then be imported into the UniversityLite server as a local file for speed in calling the same product string again (dumped after 24 hours for the sake of having relevant pricing models). Each XML comes back between 10MB-30MB, which can quickly grow to over 10GB of XML data in a couple days, depending on how actively the site is being used by actual users. Management of this data with 7,000 active sites (not to mention all the other data generated such as images) requires tight tolerances of data purging to assure the servers that run UniversityLite do so smoothly.

Merging all of the XMLs related to the probability function for sports weight, etc. (using a custom XML Merge function just for this purpose) creates a final XML locally on our server that represents the final collection of information that will be used to display one collection of MCC apparel (in this case, MCC Men’s Apparel).

A sampled section of such a merged XML can be seen below.

Amazon XML Data Return Sample

This type of process is used for a couple dozen different product categories which are used through the site. In Monroe Community College’s case, it used for both men and women apparel and merchandise, in addition to several product categories that relate to variables relatable to the university.

Of the greatest importance is applying this logic to textbooks a student could purchase. Because we don’t know what textbooks a student might desire, the search query becomes the basis for the REST request. The only major difference is that the query is passed to a function expecting book titles or ISBNs specifically. One unique aspect, however, is the inclusion of the UniversityLite Aggresearch™. This is a very custom solution I put in place to assure that when UniversityLite Aggresearch™ is chosen, the very lowest priced book opportunities are returned. The basis for this logic is searching several possibilities from multiple vendors and inserting those into an array where we can sort it by the lowest price. The result in many cases is that UniversityLite Aggresearch™ often returns books at competitive prices versus other book searching algorithms found on the internet.

UniversityLite Aggresearch (TM) Search Example

One other major area of the site that falls into the same category is the ability for students to post and sell their own books. Although the process is intended to look seamless to a user, this area has completely different functionality. The buying and selling mechanism is based off the WPAdverts – Classifieds Plugin. A major change I made to the plugin is the ability to automatically fill in the classified posting with Author, Title, ISBN, pictures of the book and suggested prices of the book so the user does not have to. Simply entering in either the ISBN or Title will auto populate all relevant fields. This is a major improvement to the WPAdverts Plugin, and one that makes the plugin unique to UniversityLite. In addition, the e-mail domain variable is used to force users to login with a valid university email to sell a book. This creates a niche and protected market for students at a particular university where they know books are being bought and sold by verified students.

UniversityLite Automated Book Sale Feature

Aside from product generation, UniversityLite also determines useful characteristics about the university that create community pages that automatically update. One such page displays recent YouTube sports videos associated to the university, while another displays recent videos from university students based on a geolocation search to the API. In the former case, the sports team used for the YouTube API search is determined using the wikipedia API and in the geolocation is based on an NCES API call where we query the longitude and latitude. The resulting geolocation is passed to the code snippet below which in turns builds a list of YouTube videos we can insert.

UniversityLite Youtube GeoLocation Code Snippet

Another major component of the generated site are dozens of articles, reports and graphs that are automatically “written” for the purpose of displaying information about the university. This is used to drive traffic and interest to the site with unique content. A sample of such an article can be seen below.

UniversityLite News Article Generation Sample

The many graphs for the article are created using several different methods, most of which use the NCES and Wikipedia variable results now in the SQL Database. In the sample below, we iterate through available variables to build the foundation for a JPEG graph that will be displayed on the site.

A sentence within the article might follow logic something like this code snippet below.

UniversityLite Sentence Generation Sample

Load Balancing

UniversityLite is load balanced across three Ubuntu 14.04 LTS virtual servers located in New York, NY with one backup server in Webster, NY. The three primary servers are balanced alphabetically by university name. There are 7,000 websites available as subdomains off of the universitylite.com domain (such as rit.universitylite.com). Each subdomain is given resources by the server only if actively being viewed. As seen in the image below, an arbitrary university named ‘David’s University College’ would be hosted on Server1. Because the functions and algorithms to create any of the A-Z universities resides on each ot the servers, the balancing is done for resource balancing, not necessarily content balancing.

UniversityLite Server Balance

Because of the large set of active subdomains, load balancing through DNS would be cumbersome and time consuming as partial wildcards (such as a*.universitylite.com) in a DNS zone are not defined behavior within the RFC. Manually adding a record for rit.universitylite.com, for example, would also require us to add a manual record for the 6,999 other subdomains. Therefor a DNS zone can only practicaly be used with full wildcards such as *.universitylite.com to to one of the universitylite.com servers. As a result, load balancing is handled first by the Apache virtualhost file, and then subsequently by PHP logic once the subdomain is called.

As seen in the function below, we can query the SQL table once a subdomain passed to the UniversityLite webserver. If the subdomain is found as a SQL entry, we can go ahead and assume the server referenced is the correct load balanced server. However, if it isn’t, we a) either can assume it’s load balanced on one of the other servers or b) it is simply not a valid subdomain anywhere on the site. For example, trying to go to gaboldygooky.universitylite.com will fail all load balancing checks and return an error to the browser.

UniversityLite PHP Load Balance Example

In this way, I have created a dynamic load balancing system that allows sites to be added and removed ad-hoc without having to alter DNS. Of course, this is just general domain load balancing, and we must further balance the content itself. There are, afterall, 7,000 different subdomains with uniquely generated HTML, photos, graphs, etc. The easiest way I found to handle this is by having UniversityLite just be one central source of programming code, and to allow other content to be displayed dynamically when required. That is not to say, however, that each site can be dynamically created each time it is viewed, but we can remove some redundancy from the equation.

Below are areas of dialy generated content that CAN be shared between them, assuming the same calculator with description, etc. might be viewed by more than one subdomain. This data alone amounts to about 10GB of freshly generated content for a 24 hour period for the sites on server1. If we did not consolidate this data, this could easily have grown to 23TB of data in just 24 hours on one server.

Directory List of ~/www/universitylite.com/public_html/sites/shared$:
drwxr-xr-x 2 maiolo99 maiolo99 4096 Oct 20 16:49 adpics drwxr-xr-x 7 maiolo99 maiolo99 4096 Oct 20 21:29 amazon_xml drwxr-xr-x 2 maiolo99 maiolo99 4096 Sep 23 18:07 apparel_images drwxrwx--- 2 maiolo99 maiolo99 4096 Sep 18 16:54 avatars drwxrwx--- 2 maiolo99 maiolo99 4096 Jul 26 23:29 holidays drwxr-xr-x 356 maiolo99 maiolo99 20480 Oct 8 00:30 ms_images drwxr-xr-x 2 maiolo99 maiolo99 7966720 Oct 21 16:51 product_images

However, sometimes there is only so much we can do. As seen in the directory listing below, these files are created uniquely for one of the subdomains (mcc.universitylite.com) below. This information is perfectly unique to Monroe Community College, and there is nothing we can really do about it.

Directory Listing of ~/www/universitylite.com/public_html/sites/MCCTextbooks:
./daily_message: MonroeCommunityCollege_20161019_daily.txt


./graphs-2016-09-19:

graph_MCC_1473753800.jpg

graph_MCC_1473813698.jpg

graph_MCC_1474457188.jpg

graph_MCC_1474581272.jpg

graph_MCC_All Instructional Staff Total_1473662381.jpg

graph_MCC_All Instructional Staff Total_1473662723.jpg

graph_MCC_All Instructional Staff Total_1473722731.jpg

graph_MCC_All Instructional Staff Total_1473773589.jpg

graph_MCC_All Instructional Staff Total_1473791287.jpg

graph_MCC_All Instructional Staff Total_1473813691.jpg

graph_MCC_All Instructional Staff Total_1474227934.jpg

graph_MCC_All Instructional Staff Total_1474457249.jpg

graph_MCC_All Instructional Staff Total.jpg

graph_MCC_Assistant Professor_1473662380.jpg

graph_MCC_Assistant Professor_1473662722.jpg

graph_MCC_Assistant Professor_1473722730.jpg

graph_MCC_Assistant Professor_1473773588.jpg

graph_MCC_Assistant Professor_1473791286.jpg

graph_MCC_Assistant Professor_1473813690.jpg

graph_MCC_Assistant Professor_1474227933.jpg

graph_MCC_Assistant Professor_1474457248.jpg

graph_MCC_Assistant Professor.jpg

graph_MCC_Associate Professor_1473662379.jpg

graph_MCC_Associate Professor_1473662722.jpg

graph_MCC_Associate Professor_1473722730.jpg

graph_MCC_Associate Professor_1473773588.jpg

graph_MCC_Associate Professor_1473791286.jpg

graph_MCC_Associate Professor_1473813690.jpg

graph_MCC_Associate Professor_1474227932.jpg

graph_MCC_Associate Professor_1474457248.jpg

graph_MCC_Associate Professor.jpg

graph_MCC_degrees_by_race.jpg

graph_MCC_demographics_1474316106.jpg

graph_MCC_demographics_1474316169.jpg

graph_MCC_demographics_1474316231.jpg

graph_MCC_demographics_1474316252.jpg

graph_MCC_demographics_1474316321.jpg

graph_MCC_demographics_1474316741.jpg

graph_MCC_demographics_1474316754.jpg

graph_MCC_demographics_1474316757.jpg

graph_MCC_demographics_1474316908.jpg

graph_MCC_demographics_1474317796.jpg

graph_MCC_demographics_1474318228.jpg

graph_MCC_demographics_1474318400.jpg

graph_MCC_demographics_1474318536.jpg

graph_MCC_demographics_1474318968.jpg

graph_MCC_demographics_1474318969.jpg

graph_MCC_demographics_1474321987.jpg

graph_MCC_demographics_1474323294.jpg

graph_MCC_demographics_1474329291.jpg

graph_MCC_demographics_1474329312.jpg

graph_MCC_demographics_1474332642.jpg

graph_MCC_female_students_by_age.jpg

graph_MCC_graduates_to_enrolled_by_race_ratio.jpg

graph_MCC_Instructor_1473662380.jpg

graph_MCC_Instructor_1473662722.jpg

graph_MCC_Instructor_1473722731.jpg

graph_MCC_Instructor_1473773588.jpg

graph_MCC_Instructor_1473791286.jpg

graph_MCC_Instructor_1473813690.jpg

graph_MCC_Instructor_1474227933.jpg

graph_MCC_Instructor_1474457249.jpg

graph_MCC_instructor_annual_income.jpg

graph_MCC_Instructor.jpg

graph_MCC_Lecturer_1473662380.jpg

graph_MCC_Lecturer_1473662722.jpg

graph_MCC_Lecturer_1473722731.jpg

graph_MCC_Lecturer_1473773589.jpg

graph_MCC_Lecturer_1473791287.jpg

graph_MCC_Lecturer_1473813691.jpg

graph_MCC_Lecturer_1474227933.jpg

graph_MCC_Lecturer_1474457249.jpg

graph_MCC_Lecturer.jpg

graph_MCC_male_students_by_age.jpg

graph_MCC_Professor_1473662379.jpg

graph_MCC_Professor_1473662721.jpg

graph_MCC_Professor_1473722730.jpg

graph_MCC_Professor_1473773588.jpg

graph_MCC_Professor_1473791286.jpg

graph_MCC_Professor_1473813690.jpg

graph_MCC_Professor_1474227932.jpg

graph_MCC_Professor_1474457247.jpg

graph_MCC_Professor.jpg

graph_MCC_students_by_age.jpg

staff_sallary_report_graph_MCC_0.jpg
./weather:

Rochester_NY_Weather_2016-09-19.txt
./wiki_infobox-2016-10-19:

Bevier20Memorial20Building(BevierMemorialBuilding)_intro_request_phase2.xml

Bevier20Memorial20Building_intro_request_phase1.xml

Bridge20Square20Historic20District(BridgeSquareHistoricDistrict)_intro_request_phase2.xml

Bridge20Square20Historic20District_intro_request_phase1.xml

Campbell-Whittlesey20House(Campbell-WhittleseyHouse)_intro_request_phase2.xml

Campbell-Whittlesey20House_intro_request_phase1.xml

First20Presbyterian20Church20(Rochester20New20York)(FirstPresbyterianChurch(RochesterNewYork))_intro_request_phase2.xml

First20Presbyterian20Church20Rochester20New20York_intro_request_phase1.xml

Hervey20Ely20House(HerveyElyHouse)_intro_request_phase2.xml

Hervey20Ely20House_intro_request_phase1.xml

Immaculate20Conception20Church20(Rochester20New20York)(ImmaculateConceptionChurch(RochesterNewYork))_intro_request_phase2.xml

Immaculate20Conception20Church20Rochester20New20York_intro_request_phase1.xml

Jonathan20Child20House2020BrewsterBurke20House20Historic20District_intro_request_phase1.xml

Jonathan20Child20House2020BrewsterBurke20House20Historic20District(JonathanChildHouseampBrewsterBurkeHouseHistoricDistrict)_intro_request_phase2.xml

Main2020Oak20RIRTR20station_intro_request_phase1.xml

Main2020Oak20(RIRTR20station)(Main)_intro_request_phase2.xml

Monroe20Community20College20_intro_request_phase1.xml

Monroe20Community20College20(MonroeCommunityCollege)_intro_request_phase2.xml

Monroe20Community20College20Sports_intro_request_phase1.xml

Monroe20Community20College20Sports(UniversityofLouisianaatMonroe)_intro_request_phase2.xml

Monroe20Community20College20Team_intro_request_phase1.xml

Monroe20Community20College20Team(UniversityofLouisianaatMonroe)_intro_request_phase2.xml

Monroe20Community20College20Tribunes20_intro_request_phase1.xml

Monroe20Community20College20Tribunes20(ListofcollegeathleticprogramsinNewYork)_intro_request_phase2.xml

Monroe20Community20College20Tribunes_intro_request_phase1.xml

Monroe20Community20College20Tribunes(ListofcollegeathleticprogramsinNewYork)_intro_request_phase2.xml

Monroe20Community20College_intro_request_phase1.xml

Monroe20Community20College(MonroeCommunityCollege)_intro_request_phase2.xml

MonroeCommunityCollege_infobox.xml

Nick20Tahou20Hots_intro_request_phase1.xml

Nick20Tahou20Hots(NickTahouHots)_intro_request_phase2.xml

RochesterNewYork_infobox.xml

RochesterNY_geosearch.json

Third20Ward20Historic20District20Rochester20New20York_intro_request_phase1.xml

Third20Ward20Historic20District20(Rochester20New20York)(ThirdWardHistoricDistrict(RochesterNewYork))_intro_request_phase2.xml

./youtube-2016-10-19: BevierMemorialBuildingRochesterNY_youtube_2016-10-19.txt BridgeSquareHistoricDistrictRochesterNY_youtube_2016-10-19.txt Campbell-WhittleseyHouseRochesterNY_youtube_2016-10-19.txt FirstPresbyterianChurchRochesterNewYork_youtube_2016-10-19.txt geosearch-431012652C-77608488--searchquery-_youtube.txt geosearch-Rochester-NY--searchquery-RochesterNYMusic_youtube.txt HerveyElyHouseRochesterNY_youtube_2016-10-19.txt ImmaculateConceptionChurchRochesterNewYork_youtube_2016-10-19.txt JonathanChildHouseBrewsterBurkeHouseHistoricDistrictRochesterNY_youtube_2016-10-19.txt MainOakRIRTRstationRochesterNY_youtube_2016-10-19.txt MonroeCommunityCollegeSports_youtube_2016-10-19.txt MonroeCommunityCollege_youtube_2016-10-19.txt NickTahouHotsRochesterNY_youtube_2016-10-19.txt ThirdWardHistoricDistrictRochesterNewYork_youtube_2016-10-19.txt

The best we can do with this data is purge it (beyond what we might want to keep for historical purposes). We do this by adding historically usable data into a SQL table for that university, and simply deleting the rest.

The load balancing techniques used on UniversityLite have allowed us to maintain 7,000 unique websites, on only three servers.

Summary

In all, UniversityLite was written in over 800 PHP functions and algorithms, in conjunction with Javascript, SQL, BASH and HTML to provide the automated creation of a website based on a search string such as “Monroe Community College”. The result is a collection of over 7,000 automatically created and maintained websites that generate traffic and income in a most automatically landscape.

Now that I have the groundwork for this structure in place, I am already applying it to other markets such as automobile parts and niche Hawaiian products.

For more information, or a closer demo of my work or code, please feel free to contact me.

October 21, 2016/0 Comments/by David Maiolo

Legacy, Legacy Tools, Random Scripts, etc.

Network Image Deployment System

I have created a new system for deploying Microsoft operating systems called Network Image Deployment (NID). NID is a centralized deployment system that captures, maintains, and deploys computer images in corporate or educational environments, with hardware independence natively supported. The system is designed to reduce the costs associated with traditional deployment platforms, and can be used in a network environment with subnetworks for data segregation.

NID includes a DVD Boot compile for driver injection and custom scripting, making it easy to set up full-scale deployment environments on remote client machines. Additionally, NID is able to capture and deploy settings and supports various functions such as map drive, mount wim, and generate key.

This project was written entirely from scratch, using PowerShell and other technologies. It highlights my skills in Microsoft operating systems, network deployment systems, and software development. Please note that my previous version of NID, based on Microsoft’s deployment technologies, was used by companies like Xerox and The Write Source.

Documentation Thumbnails

Click the link at the top of this page for the full documentation manual.

Automated ISO and EXE Compiling Based On User Variables

September 5, 2016/0 Comments/by David Maiolo

Legacy, Random Scripts, etc.

Function Points – Mathematical Analysis

This mathematical analysis by David Maiolo explains the use of function points in software engineering system designs. Function points are a unit of measurement used to express the amount of business functionality an information system provides to a user. The cost of a single unit is calculated based on past projects.

The analysis uses a hypothetical example of a cap and gown ordering system to explain how function points are used to compute a functional size measurement (FSM) of software. A data flow diagram is provided to show the flow of data through the system.

The analysis includes the use of COCOMO, an algorithmic software cost estimation model, to further refine the function point calculations. The calculations are performed using the Early Design model in COCOMO. The total adjusted function points (TAFP) are based on the product of the Value Added Adjustment Factor (VAF) and the Unadjusted Function Point (UAF).

The analysis also includes source lines of code (SLOC) for each module and total SLOC for the entire project. COCOMO can automatically estimate the maintenance activity duration and the average maintenance staffing level.

In conclusion, COCOMO provides an automated calculation of many important project development formulas. The values calculated include the total SLOC count for the project, the total estimated effort, schedule, productivity, cost, cost per instruction, full-time software programmers, and risk.

This mathematical analysis was used as a development tool in the NID (Network Image Deployment) system I created, which can also be seen on this website.

Documentation Thumbnails

Click the link at the top of the page to see the full resolution document.

October 23, 2015/0 Comments/by David Maiolo