PowerShell Version 5, What’s new!

PowerShell native switch configuration

I’m not going to dig into this too deeply; instead, read Jeffrey Snover’s great post on the topic here.

APT-GET comes to PowerShell!

The coolest new feature is OneGet, which is PowerShell’s adaptation of the community-based software repository Chocolatey.  Chocolatey supports a tremendous catalog of software, allowing you to silently install software directly from the command line.  Some examples of software found in the Chocolatey gallery:

  • 7Zip
  • NotePad++
  • Google Chrome
  • Java
  • Flash
  • VLC Player
  • Microsoft C++
  • PuTTY
  • Fiddler
  • DotNet Framework
  • Virtual Box
  • Virtual Clone Drive
  • FoxIT

You can see a full catalog of software here, http://chocolatey.org/packages.

 Sample of using OneGet to install packages

First and foremost, you’ll need to temporarily allow remote script execution in order to use this version of OneGet.  That is because, behind the scenes, installing a program with OneGet makes PowerShell download a Chocolatey install script and execute it, and if your execution policy prohibits it from running, you won’t be having any fun.

To get started, first install WMF 5.0, available here.  This may or may not require a restart for you.  Now, launch PowerShell and check out the version of PowerShell you’re running with Get-Host.


Aw, yeah…Upgrayedd

Now, let’s import the OneGet module and see what new commands are available.

PowerShell exposes some very nice functionality here.  Out of the box, we’re able to add our own corporate PackageSource repository, and do some other interesting things:

Command                Purpose
Add-PackageSource      Add your own Package Source other than Chocolatey
Find-Package           Search your package sources for software
Get-Package            Get information about packages installed locally
Get-PackageSource      Get a listing of Package Sources available
Install-Package        Install a package
Remove-PackageSource   Remove a Package Source
Uninstall-Package      Uninstall a package from your system

Let’s say that we needed a tool to work with PDFs, and had never heard of Adobe before.  We might run Find-Package, and pipe that into Where-Object to filter.


You could potentially discover software to install from the command line.

Let’s choose Foxit Reader.  Remember when I said to allow script execution?  Well this is why.  If you try to install without specifying this, you’ll get the following error.


The install script can’t run if you don’t allow for UnSigned Scripts during your Install-Package session

This is what is really happening when you use OneGet to install FoxitReader.  PowerShell first downloads the configuration script (C:\Chocolatey\lib\FoxitReader\tools\ChocolateyInstall.ps1), which looks like this:

  Install-ChocolateyPackage 'FoxitReader6010.1213_L10N_Setup.exe' 'EXE' '/quiet' 'http://cdn01.foxitsoftware.com/pub/foxit/reader/desktop/win/6.x/6.0/L10N/FoxitReader6010.1213_L10N_Setup.exe'

As you can see, this downloads the .EXE from the provider’s CDN, then passes quiet install parameters on to the exe.

So, hopefully you’ve launched an administrative session of PowerShell and set your execution policy to Unrestricted for the moment.  Assuming you’ve done so, you should see the following when you run your install for 7Zip or FoxitReader.  If you’re not running as an administrative user, you’ll get a UAC prompt, which I personally feel is good behavior, then the install will continue.  Since these scripts are configured by the application owners, some will be silent installs, some will not.

For instance, if you run the install of Visual C++ 2010 from an administrative PowerShell prompt, the application will install with no prompt whatsoever.

All in all, very powerful stuff, and it finally brings apt-get like functionality to PowerShell.  10/10 would download again.

EDIT: I’ve noticed that Install-Package has parameters to pass your switches along to the .exe files, and you can see there are a lot of parameters available.  However, it’s early in the game and as of this writing the help files don’t exist for this and other PowerShell v5 resources.

PARAMETERS
  -AllVersions
  -AllowPrereleaseVersions
  -Confirm
  -Force
  -ForceX86
  -Hint <string>
  -IgnoreDependencies
  -InstallArguments <string>
  -InstallationOptions <hashtable>
  -LeavePartialPackageInstalled
  -LocalOnly
  -MaximumVersion <string>
  -Metadata <hashtable>
  -MinimumVersion <string>
  -Name <string[]>
  -OverrideArguments
  -Package <SoftwareIdentity[]>
  -PackageParameters <string>
  -Provider <string>
  -RequiredVersion <string>
  -Source <string[]>
  -WhatIf
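The post relaxes the execution policy so the Chocolatey install script can run, and shows that script fetching an installer from a URL. The following added example (not from the original post) limits the policy change to the current process and then lists every URL the downloaded install scripts reference, flagging plain-HTTP ones. The function name Get-InstallScriptUrl and its -LibPath parameter are hypothetical, and it assumes the install scripts are kept under a lib folder as in the path shown above.

```powershell
# Added example; Get-InstallScriptUrl and -LibPath are hypothetical names.

# Show the policy at every scope first. A MachinePolicy or UserPolicy value
# set through Group Policy overrides anything chosen below.
Get-ExecutionPolicy -List

# Relax the policy for this PowerShell process only. The setting is held in
# the PSExecutionPolicyPreference environment variable, not the registry, so
# the machine-wide policy is untouched and the change ends with the session.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

# Install the package as in the post.
Install-Package -Name FoxitReader

# List each URL referenced by the downloaded ChocolateyInstall.ps1 scripts.
# An installer fetched over http:// can be altered in transit and is then
# run from an administrative session, so PlainHttp = True entries deserve
# a manual look before the package is approved for wider use.
function Get-InstallScriptUrl {
    param(
        # Folder holding the per-package subfolders (the lib folder in the post).
        [Parameter(Mandatory = $true)]
        [string]$LibPath
    )
    Get-ChildItem -Path $LibPath -Recurse -Filter 'ChocolateyInstall.ps1' |
        Select-String -Pattern 'https?://[^''"\s]+' -AllMatches |
        ForEach-Object {
            $matchInfo = $_
            foreach ($m in $matchInfo.Matches) {
                [pscustomobject]@{
                    Script    = $matchInfo.Path
                    Url       = $m.Value
                    PlainHttp = $m.Value -like 'http://*'
                }
            }
        }
}

# Example call, passing the lib folder path shown in the post:
# Get-InstallScriptUrl -LibPath '<path to lib folder>' | Format-Table -AutoSize
```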

SCCM: Dealing with an out of sync child primary

Hi all,

Recently I had a client in which one primary seemed to gradually fall behind in reporting on the central site.   Eventually, clients would be listed as ‘Not Approved’ in the Central Site, and this would cause advertisements and requests for policy to fail with frequent messages like this one:


MP has rejected a policy request from GUID:XXXXX-XXXX-XXX-XXX-XXXXXXXXXXXXXX because it was not approved.

It’s pretty straightforward here, advertisements from the central site will not register in many cases on these clients from the child primary sites.  In this case, this communication issue is serious.

There are many causes for situations like this, either an unreliable communication link to the primary, or address and sender settings being set too strictly.  Regardless, here is the method to fix this issue quickly.

  1. Connect to the affected Child primary and make a backup of all of the files in the replmgr.box folder (in case they are needed).
    Then delete all of those items, getting rid of the backlog.  We don’t need these files as we’re about to instruct ConfigMan to seriously overshare and re-report pretty much everything.

    I’m actually not convinced you need to do this.  If your replication issue isn’t fixed at first go, give this a shot and then repeat the remaining steps.
  2. Next, connect to the central site, and from an administrative command prompt, browse to your SCCM install directory.  From there, browse to \bin\i386\00000409\ and run preinst.exe /SyncChild [ChildSiteCode]
  3. Finally, connect back to the Child Primary site and run preinst.exe /SyncParent

If all works as expected, grab some popcorn and then get ready for some excitement in the log files.  Open up sender.log/replmgr.log on the central site, as well as despool/replmgr.log on the Child, and you should see a flurry of replication activity.

When things settle down, refresh the SCCM console from the Primary, and all of the clients from the Child primary should now be listed as Approved.

Big thanks to Xin from the MS forums for setting me on the appropriate path to solving this.


Desired State Configuration – What it is and why you should care

If you’ve been following Microsoft management news, you’ve no doubt heard of Desired State Configuration.  You might be wondering what it is.

Let’s start with what it’s not.  Many believe that DSC is a feature of PowerShell v4, but this is actually a misconception: the feature really stems from the Windows Management Framework, and is implemented using PowerShell, WMI and WMF.  You can use it on any OS compatible with WMF 4.0, which currently includes Server 2008 R2 SP1, Server 2012, 2012 R2, Windows 7 SP1 and Windows 8.1, but not Windows 8, for some reason.

Well, what is it?  I hope to explain that and by the end give you a practical example that isn’t the typical ‘install a web server’ sample you’ve probably seen elsewhere.   I’m writing this to expand my own knowledge, and to help share with any who may stumble upon this.  If you catch an error I’ve made, please let me know.

[Desired State Configuration is] Microsoft’s Fresh Start for Configuration… -Don Jones

When Don Jones makes a pronouncement like this, I tend to listen.  The idea behind DSC is to simplify the configuration of Windows, and to eliminate the overlap that exists between GPO, SCCM’s Desired Configuration Manager, Logon Scripts, and other options, and to make it all easy.   In the end, ensuring your server configuration doesn’t deviate away from the company standard should be easy, and should be reliable.

In the end, instead of having five or ten GPOs to look through when trying to determine how a particular setting is being inherited, there is one configuration file.  This configuration file is an industry standard Managed Object Framework document, commonly referred to as a MOF file.  Reading and creating MOF files should be an easy and accessible task even for junior level IT people.

It’s as important as Group Policy – Don Jones

DSC extends very deeply into the operating system.  It is still quite new, so as time goes on the possibilities for configuration will become greater and greater.  Eventually you’ll be able to configure your servers cradle-to-grave with DSC, and roll out complex products with it too.  Out of the box, you can use the following DSC Resources to control various aspects of your systems.

What do the default DSC Resources allow you to configure?

Resource         What it does
Registry         Ensure that a registry key is present, or not
Script           Provides a mechanism to run scripts and evaluate conditions
Archive          Zip or unzip files
File             Ensure files are present or not
WindowsFeature   Ensure that Windows Features are or are not present
Package          Install or remove an Application, MSI or Setup.exe
Environment      Set environment variables
Group            Make changes to local groups
User             Make changes to local users
Log              Provides a mechanism to log changes enacted by DSC
Service          Ensures a service is or is not running
WindowsProcess   Ensures that a process is or is not running

In the last few weeks, the PowerShell team has been churning out more and more configuration possibilities.  Just two weeks ago, this new Module hit TechNet, allowing for the configuration of VHDs, VM switches and all aspects of Hyper-V.  If you’d like to see more, check out the DSC Resource Kit Wave #2, which expands the options even further, allowing for the configuration of Domain Controllers, installation of SQL and much, much more.
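To make the flow described above concrete, here is an added example (not the author's, and not taken from the DSC Resource Kit) that uses four of the built-in resources from the list to declare a small baseline, compile it to a MOF file, apply it and test for drift. The configuration name, output path and registry key are hypothetical.

```powershell
# Added example; the configuration name, output path and registry key are
# hypothetical. WindowsFeature applies to Windows Server only.
Configuration ServerBaseline {
    Node 'localhost' {
        # Keep the Telnet client off the server.
        WindowsFeature NoTelnetClient {
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }
        # The event log service must be running and start automatically.
        Service EventLog {
            Name        = 'EventLog'
            State       = 'Running'
            StartupType = 'Automatic'
        }
        # Stamp the baseline version into the registry (hypothetical key).
        Registry BaselineVersion {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Baseline'
            ValueName = 'Version'
            ValueData = '1'
            ValueType = 'String'
            Ensure    = 'Present'
        }
        # Write a log message once the registry stamp is in place.
        Log BaselineApplied {
            Message   = 'ServerBaseline configuration applied'
            DependsOn = '[Registry]BaselineVersion'
        }
    }
}

# Calling the configuration compiles it to C:\DSC\ServerBaseline\localhost.mof.
ServerBaseline -OutputPath 'C:\DSC\ServerBaseline'

# Push the MOF to the local machine and wait for the result.
Start-DscConfiguration -Path 'C:\DSC\ServerBaseline' -Wait -Verbose

# Later: returns True while the machine still matches the MOF, False on drift.
Test-DscConfiguration
```

Run it from an elevated PowerShell session; the generated localhost.mof is plain text, so it can be reviewed before it is applied.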

Stephen’s Practical Example

Now that I’ve hopefully got some of the explanation out of the way, let’s get into a practical example of the  power of DSC.


Nomad Question : How do I push content out ahead of an advertisement?

Hi all,

Recently I received a question about 1E Nomad that I wanted to answer.

 In SCCM, it is a common practice to distribute content to your DPs before creating an advertisement.  How do I do that with Nomad, considering that all of your Nomad clients as a whole act as kind of a pseudo-Distribution Point?  How do you distribute content without creating an advertisement?  How do you verify that content is there?

With Nomad, content is only distributed to clients if an advertisement exists, so if you want to be certain the content will be present in an area before the clients begin to execute, you’d set an available date sufficiently in advance of the mandatory execution date for your advert.  In short, you have to create an advert to get content out to your clients when Nomad is used.

You can mandate that a number of packages, driver images, or boot images be distributed out by creating a content pre-staging task sequence.  In this case, you’d add as many steps as needed for all of your content, and then advertise it to as many PCs as you want to distribute the content, with an available date of now, and an install date set to far, far in the future.  You can also place all of the content steps within a Task Sequence group that has a condition which would never evaluate to true, like “If ChasisType -equals SomethingUnlikely”.

As for verifying the content is on the sites, installation of Nomad includes a number of reports that list package availability by subnet.  You can use this report to verify that content is available on a particular subnet.  If so, this would roughly correlate to a package existing on a DP in a traditional SCCM hierarchy.

These reports depend on some additions to SMS_DEF and Configuration.mof files, which will increase the size of the files processed by your SCCM servers.  Watch out for an increase of data to be processed by your site servers, after importing these new definitions.  It can result in increased memory usage by WMI, and you may find ‘Quota Exceeded 0x8004106c’ errors in your SMS Provider log file.  If you run into this, increase the WMI memory quota.

PowerShell Question Time: What’s the deal with Positional Parameters?

Hi guys,

Recently a colleague reached out to me with a question about PowerShell that I thought might benefit others.  I thought I’d share it with you here.

Hi Stephen,

Get-ChildItem -filter *.exe -Recurse -path c:\windows
Get-ChildItem -path c:\windows -filter *.exe -recurse

-Path <String[]> Specifies a path to one or more locations. Wildcards are permitted. The default location is the current directory (.).

Required?                    false
Position?                    1
Default value                Current directory
Accept pipeline input?       true (ByValue, ByPropertyName)
Accept wildcard characters?  true

I’m confused by the two commands displayed at the top, which both return the same value: how do they both work? If -path requires position 1 and in the first command it’s all the way at the end, how can it be acceptable, or am I not seeing the information correctly? Perhaps this reads

Hopefully that made sense and hopefully I am assuming correctly.


Good question!  Well, first and foremost let me begin by saying that you should never use positional parameters, so just forget about them and move on!

Upgrade your SCOM Notifications with PowerShell

At a client recently for a proof of concept job, we implemented OpsManager to replace an existing monitoring product they were using in their environment.

Out of the gates, they loved it!  SCOM had out of the box management functionality for most of the equipment in their environment, and with installing just a few quick management packs, they were able to monitor everything they wanted.  It was great, it was easy and everyone had that warm, fuzzy feeling of IT Project Satisfaction.

One of the major concerns we began to hear was that the out of the box alerts from SCOM weren’t very informative.  For instance, an e-mail would tell you that an alert was triggered, and when and on which computer, but other than that, you were kind of on your own.


Two ways to provide GUI interaction to users

In this blog post, I’ll outline two methods you can use in your PowerShell scripts to provide GUI interactivity to your users, and allow them to select an object from a list.  These may not be the best methods to achieve a goal, but are quick and simple enough that you can throw them in your scripts.

Method One

First, the System.Windows.Forms .NET way of building a form.  In this case, we’ll have a string $users, which will contain the results of an Active Directory Query to return all users with a name like ‘Fox-*’, so Fox-01, Fox-07, and so on.  One thing that is tricky to many (I know it was to me!) when they first start using .NET forms to build GUIs is that it can be hard to understand how to list dynamic content in a ComboBox or ListBox.

One thing to keep in mind when choosing between the two is that only a ListBox allows for the selection of more than one object.


ListBox v. ComboBox – Bitter Enemies

Assume we have a ListBox defined and added to our Form.  This is the code you’d need to do so.