
Johan Schrewelius 16 Apr 2021

We just released an updated TSCommander!


Prologue

Most enterprises with highly customized deployment solutions use either scripts or web services to extend the capabilities of Microsoft Endpoint Manager Configuration Manager (MEMCM). Common enhancements include adding computers to, or removing them from, Collections and AD groups during deployment.

Other examples would be to move a successfully deployed machine to a production OU or disable the computer account in the event of a failed deployment.

Due to the increasing use of Cloud Management Gateways (CMG), more and more Task Sequences are run over the internet, which effectively cripples these traditional methods. Without connectivity to the corporate network, scripts can no longer reach Active Directory, and a web service running on the local intranet is of little use.

Onevinn TSCommander offers a solution to the dilemma by embedding the functionality in MEMCM’s internal status message queue, eliminating the need for anything but the CMG itself. The solution is not new; an earlier version was available on Technet Gallery (RIP) as part of the <<SCCM Extensions>> package. It has, however, undergone a significant facelift: ETW logging has been added, the .NET Framework target has been raised to 4.7.2, and more.

Even though the main motivator for starting to use TSCommander would be to extend old functionality to the internet, the solution works equally well on the local intranet and could, in many cases, replace previous solutions entirely.


Components

The solution consists of two components, both MSI installers.

  1. An extension to the Task sequence editor in the MEMCM console.
  2. A Windows service.


Functionality 

  1. A Run server command step is executed in the TS.
  2. A custom message containing the <<order>> is posted on the status message queue.
  3. MEMCM transfers the message to the site DB.
  4. The Onevinn TSCommand Service catches the message and performs the <<order>>.

Several Actions are supported; let us know if you miss something crucial:

Service account

The Onevinn TSCommand service runs under a service account, and it can perform actions on AD objects and on devices in MEMCM. It also requires SELECT permission on a view in the site database (CM_xxx), << v_StatMsgWithInsStrings >>.
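Because every order the service executes passes through that view, it is also the natural place to audit what has been requested. The PowerShell below is an added example, not code from TSCommander or this post: it reads recent rows from v_StatMsgWithInsStrings for review. The SQL server name, site database name and the Component value used as a filter are placeholders you must replace.

```powershell
# Added example (not part of TSCommander): list recent status messages so an
# administrator can review which orders reached the site database.
# Assumptions (placeholders, not from the post): server, database and the
# Component string TSCommander writes.
param(
    [string]$SqlServer = 'CMDB01-PLACEHOLDER',
    [string]$Database  = 'CM_XXX',
    [string]$Component = 'TSCOMMANDER-COMPONENT-PLACEHOLDER',
    [int]$Hours        = 24
)

# Integrated auth: the caller needs SELECT on the view, which membership in
# ConfigMgr_DViewAccess on the DB server grants.
$connStr = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI;"
$conn = New-Object System.Data.SqlClient.SqlConnection $connStr

# Parameterized query: caller-supplied values are never concatenated into SQL.
# Status message Time is stored in UTC, hence GETUTCDATE().
$sql = @"
SELECT TOP (500) RecordID, [Time], MachineName, MessageID,
       InsString1, InsString2, InsString3
FROM   v_StatMsgWithInsStrings
WHERE  Component = @component
  AND  [Time] >= DATEADD(hour, -@hours, GETUTCDATE())
ORDER BY [Time] DESC
"@

$table = New-Object System.Data.DataTable
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $sql
    [void]$cmd.Parameters.AddWithValue('@component', $Component)
    [void]$cmd.Parameters.AddWithValue('@hours', $Hours)
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
    [void]$adapter.Fill($table)
}
finally {
    $conn.Dispose()
}

# One row per order: which client posted it (MachineName) and the arguments
# carried in the inserted strings. Unexpected MachineNames or arguments are
# what a reviewer should look for.
$table | Select-Object Time, MachineName, MessageID, InsString1, InsString2, InsString3 |
    Format-Table -AutoSize
```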

This post will not describe how to create a custom RBAC role in MEMCM or how to delegate permissions in Active Directory.

To cover the requirements, we recommend:

MEMCM:

Role <<Operations Administrator>>, all Scopes.

Database:

Make the account a member of the local user group <<ConfigMgr_DViewAccess>>. This group resides on the DB server, so if you are using a remote SQL Server, that is where to look.

Active Directory:

This depends entirely on which Actions you wish to be able to perform from the Task Sequence. If you, for example, intend to use the action <<MoveToOU>>, you will have to allow the service account to perform the move. The same rule applies to all other available AD actions: the service account must be allowed to perform the action. As always, it is recommended to keep all permissions at a minimum level.

Download and Install

Download

The solution (TSCOMMANDER) can be downloaded from: Onevinn - Featured (schrewelius.it). You will find it on the Applications tab.

Make sure you right-click and UNBLOCK the zip-file once it has been downloaded; several potential inconveniences are avoided by this simple move. Then extract the archive and verify the content:

Service setup

Before installing the service, make sure you have performed the necessary role assignment and group membership explained above; otherwise the service will not be able to start and the installation will fail.

  1. Double click the msi, click Next, accept the EULA and click Next again.
  2. On the settings page fill in “Script Folder”, the location where the service will expect to find custom scripts called from the Task Sequence, and your service account and password.
  3. Proceed by clicking Next, Next, Install and Finish.
  4. Examine the Event Log for possible errors.

Task sequence editor extension setup

The TS Editor extension will have to be installed on every computer running the MEMCM console. At locations where you do not require the possibility to view or edit Task Sequences it can be skipped.

Make sure not to have any running instances of the MEMCM console during the installation.

  1. Double click the installer (msi) and follow the instructions on screen, no configuration is required.
  2. Start the MEMCM console and open a Task sequence for editing, a new custom step should now be available:

Usage

Once a <<Run server command>> step has been added to the Task Sequence, choose which <<Action>> should be performed and provide the necessary argument(s) for it.

Example #1: <<Remove From OSD Collection>>

The “Note” box provides basic help regarding the necessary argument(s); in this case we need to fill in one or more CollectionIDs. If there is more than one, separate them by colon.

Example #2: <<ADD To AD Group(s)>>


Example #3: <<Move Computer To OU>>

In this case the distinguishedName of the OU has been stored in a TS variable; one could equally well enter the actual DN: “OU=Desktops,OU=Clients,OU=eKlient,DC=eklient,DC=lab”.

Examples #2 and #3 use different computer name variables to illustrate the possibilities; use whatever is relevant in your environment.


Example #4: <<Run custom script>>

In the event the built-in commands are not enough it’s possible to run custom scripts.

In this case a script called “TEMPLATE_AD.ps1” is run with the parameters -OSDComputerName and -ResourceID.

Any script in the “Script Folder” can be invoked the same way.

The service account used for TS Commander will, depending on which functionality is invoked, need matching permissions in AD, MEMCM or any other external system related to the functionality of the script.
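As an added example (not the TEMPLATE_AD.ps1 that ships with TSCommander), here is a custom script that follows the same calling convention, -OSDComputerName and -ResourceID, and disables the AD computer account of a failed deployment, the use case mentioned in the prologue. It assumes the ActiveDirectory PowerShell module is present on the service host, that the service account is delegated the right to disable computer accounts, and that the script folder is writable for the log file.

```powershell
# Added example (not TSCommander's TEMPLATE_AD.ps1): a custom script using the
# parameter names the post describes. Assumptions: ActiveDirectory module
# installed on the service host; service account delegated the right to
# disable computer accounts; script folder writable for the log line.
param(
    [Parameter(Mandatory)][string]$OSDComputerName,
    [Parameter(Mandatory)][int]$ResourceID
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Both values originate from task sequence variables, so validate before use:
# a NetBIOS host name (1-15 letters, digits or hyphens) and a positive ID.
# The strict pattern is also what keeps the AD filter below free of injection.
if ($OSDComputerName -notmatch '^[A-Za-z0-9-]{1,15}$') {
    throw "Rejected OSDComputerName '$OSDComputerName': not a valid host name"
}
if ($ResourceID -le 0) {
    throw "Rejected ResourceID $ResourceID: must be positive"
}

# Computer accounts are named with a trailing '$' in sAMAccountName.
$sam = $OSDComputerName + '$'
$computer = Get-ADComputer -Filter "sAMAccountName -eq '$sam'"
if (-not $computer) {
    throw "No AD computer account found for $OSDComputerName"
}

# Disable rather than delete: reversible, and the object keeps its history.
if ($computer.Enabled) {
    Disable-ADAccount -Identity $computer.DistinguishedName
    $result = 'disabled'
} else {
    $result = 'already disabled'
}

# Record the outcome next to the script so the action can be traced later.
$logLine = '{0:u} ResourceID={1} Computer={2} Action=DisableAccount Result={3}' -f `
    (Get-Date).ToUniversalTime(), $ResourceID, $OSDComputerName, $result
Add-Content -Path (Join-Path $PSScriptRoot 'TSCommander-custom.log') -Value $logLine
Write-Output $logLine
```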

Conclusion

Installing Onevinn's TSCommander will, in a few simple steps, let you regain control over the whereabouts of your deployed computers, on the internet as well as on the intranet.

The setup is very straightforward, and the usage is in most respects simpler than traditional alternatives: all functionality is pre-defined within a custom TS editor step and easily picked from a drop-down list.


Download the Software here: Onevinn Marketplace