One Method to Track Devices Built via a Specific SCCM Task Sequence
Published Sep 11 2019 08:07 PM 6,695 Views
Microsoft

Hello All, my name is Deepika and I'm a Premier Field Engineer with Microsoft India. I would like to share one method of identifying devices that were built via SCCM.


Imagine a scenario where machines are re-imaged or built at different geographical locations using multiple task sequences, each with different TS steps and a different operating system image referenced in it. Finding out which machine was built with which OS image is a tough task unless some unique value or setting is available to tell the builds apart.


Here is one instance I encountered where an organization had several methods of imaging a machine. A standard OS image, which has a hash associated with it and must not be modified under their corporate security standards, is used in all of these methods, so no marker can be baked into the image itself. The SCCM team then had a specific ask: to keep track of, or find, the machines built via SCCM going forward.

The plan is to generate unique GUIDs, apply them while the task sequences run [one unique GUID per task sequence] and track them with compliance baselines. The steps below can be followed to do this.

  1. Generate one or more unique GUIDs on the SCCM server [it can be any server; in this case it is generated on the SCCM server].

Use this method to generate GUIDs: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-guid?view=powers...

[guid]::newguid()

b982f798-20b6-4419-a4fb-779ceab58c66

  2. Create a cmd file (the post refers to it simply as cmd) which, when run, creates the registry entries below. [Test this cmd file on a machine first.] Do not name the file reg.cmd: cmd.exe looks for a bare command such as REG in the current directory (the package folder, when the step runs) before searching PATH, so a script named reg.cmd ends up calling itself in a loop. Calling %SystemRoot%\System32\reg.exe by its full path avoids this whatever the file is called.

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\contosoBuildInfo1 /v UniqueID /t REG_SZ /d "b982f798-20b6-4419-a4fb-779ceab58c66" /f

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\contosoBuildInfo1 /v date /d "%DATE%" /t REG_EXPAND_SZ /f

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\contosoBuildInfo1 /v time /d "%TIME%" /t REG_EXPAND_SZ /f

  3. Create a package named 'UniqueSCCMBuildInfo' from the folder containing the cmd file. The package needs no program; the task sequence step runs the file directly.

Create a Package and Program: https://docs.microsoft.com/en-us/sccm/osd/deploy-use/manage-task-sequences-to-automate-tasks#process...

  4. Edit the task sequence used to build the machines, for example XYZTaskSequence (CON0020E).

Process to edit a task sequence: https://docs.microsoft.com/en-us/sccm/osd/deploy-use/manage-task-sequences-to-automate-tasks#process...

  5. Add a 'Run Command Line' step as the last step of the task sequence, name it 'ContosobuildInfo' and select the package 'UniqueSCCMBuildInfo' on the step. By default the task sequence runs this command line under the WoW64 file system redirector, so the 32-bit REG.EXE is used and its write to HKLM\SOFTWARE is redirected to HKLM\SOFTWARE\WOW6432Node. Either tick 'Disable 64-bit file system redirection' on the step or add /reg:64 to each REG ADD, then check on a test machine where the key actually landed and set the 'associated with a 64-bit application' option of the CI in step 7 to match.
  6. Enter the name of the cmd file in the Command line field of this step and save the task sequence.
  7. Create a Configuration Item with a registry value setting for the key and UniqueID value above and a compliance rule that the value equals the GUID of this task sequence. The CI attached to the original post can be used [if using the attached CI, do modify the GUID].
    Configuration Item: ContosoUniquebuild-CI

  8. Add this CI to a baseline.

Configuration Baseline: ContosoUniquebuild-Baseline

How to create configuration baselines in System Center Configuration Manager: https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/create-configuration-baselines

  9. Deploy the baseline to the appropriate collection.
  10. Monitor compliance with this baseline. The machines that are compliant with it were built via the specific SCCM task sequence.

Monitor compliance settings in System Center Configuration Manager:

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/monitor-compliance-settings
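The same stamping and checking can be done from a single PowerShell script, along the lines of the "ps1" alternative the author mentions in the comments. The script below is an added example written for this page; it is not the post's cmd file or its attached CI. It keeps the post's key path, value names and GUID, and goes beyond the post in three ways: it always writes and reads the 64-bit registry view so WoW64 redirection cannot move the key, it refuses to stamp a device when it is not running inside a task sequence (a guardrail for note 1 below, not a security boundary), and it additionally records the built-in task sequence variables _SMSTSPackageID and _SMSTSPackageName. The file name ContosoBuildInfo.ps1, the extra TSPackageID/TSPackageName values and the NotFound discovery output are this example's own choices.

```powershell
<#
  ContosoBuildInfo.ps1 (hypothetical file name; added example, not the post's script)

  -Mode Write     run from the 'Run Command Line' step at the end of the task sequence:
                  powershell.exe -NoProfile -ExecutionPolicy Bypass -File ContosoBuildInfo.ps1 -Mode Write -UniqueId <GUID>
  -Mode Discover  (default) paste as the discovery script of a script-based Configuration Item
                  (setting type Script, data type String) with the rule
                  "value returned by the script equals <the GUID of that task sequence>"
#>
[CmdletBinding()]
param(
    [ValidateSet('Write', 'Discover')]
    [string]$Mode = 'Discover',

    # One GUID per task sequence, generated once with [guid]::NewGuid() as in the post.
    [guid]$UniqueId = 'b982f798-20b6-4419-a4fb-779ceab58c66',

    # Same key as the post's REG ADD lines, relative to HKLM.
    [string]$KeyName = 'SOFTWARE\Microsoft\Windows\CurrentVersion\contosoBuildInfo1'
)

# Always use the 64-bit registry view. The task sequence runs command lines under WoW64 by
# default, so a plain HKLM:\SOFTWARE write from a 32-bit host would land under WOW6432Node.
function Open-HklmRegistry64 {
    [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
}

# Returns the running task sequence's ID and name, or $null when not inside a task sequence.
# Microsoft.SMS.TSEnvironment is only registered while a task sequence is executing.
function Get-RunningTaskSequence {
    try {
        $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
        [pscustomobject]@{
            PackageID = $ts.Value('_SMSTSPackageID')
            Name      = $ts.Value('_SMSTSPackageName')
        }
    } catch {
        $null
    }
}

function Write-BuildMarker {
    param([guid]$Id, [string]$Key)

    $ts = Get-RunningTaskSequence
    if (-not $ts) {
        # Guardrail for note 1 in the post: if the package is deployed as an ordinary program,
        # do not stamp the marker. Any local administrator can still write the key by hand.
        Write-Error 'Not running inside a task sequence; build marker not written.'
        exit 1
    }

    $hklm = Open-HklmRegistry64
    $key  = $hklm.CreateSubKey($Key)
    $key.SetValue('UniqueID', $Id.ToString(), [Microsoft.Win32.RegistryValueKind]::String)
    # ISO timestamps instead of the locale-dependent %DATE% / %TIME% of the cmd version.
    $now = Get-Date
    $key.SetValue('date', $now.ToString('yyyy-MM-dd'), [Microsoft.Win32.RegistryValueKind]::String)
    $key.SetValue('time', $now.ToString('HH:mm:ss'),   [Microsoft.Win32.RegistryValueKind]::String)
    # Extra values (not in the post): the built-in TS variables identify the task sequence
    # directly, independent of the hand-managed GUID.
    $key.SetValue('TSPackageID',   [string]$ts.PackageID, [Microsoft.Win32.RegistryValueKind]::String)
    $key.SetValue('TSPackageName', [string]$ts.Name,      [Microsoft.Win32.RegistryValueKind]::String)
    $key.Close()
    $hklm.Close()
}

# Discovery: output the stored GUID (or 'NotFound'). The CI rule does the comparison, so one
# script serves every task sequence and only the expected value in each CI differs.
function Get-BuildMarker {
    param([string]$Key)

    $hklm = Open-HklmRegistry64
    $key  = $hklm.OpenSubKey($Key)
    if (-not $key) { $hklm.Close(); return 'NotFound' }
    $value = $key.GetValue('UniqueID')
    $key.Close()
    $hklm.Close()
    if ($null -eq $value) { 'NotFound' } else { [string]$value }
}

switch ($Mode) {
    'Write'    { Write-BuildMarker -Id $UniqueId -Key $KeyName }
    'Discover' { Get-BuildMarker -Key $KeyName }
}
```

Put the script in the UniqueSCCMBuildInfo package, and in the Run Command Line step use the command line shown in the header comment with that task sequence's GUID; the step then fails by design if someone runs the package outside a task sequence. For the Configuration Item, pick a Script setting of data type String, paste the whole script as the discovery script (Mode defaults to Discover, so it needs no arguments) and add a compliance rule that the returned value equals that task sequence's GUID; because the script reads the 64-bit view itself, the CI's 64-bit registry option does not come into play.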


Please note:

  1. If this SCCM package or cmd file is deployed outside the task sequence (for example as an ordinary program), those machines will also report as compliant. A process and role-based access control are therefore needed so that this package, GUID and cmd file cannot be deployed outside the task sequence. Since any local administrator can also create the key by hand, treat the marker as an inventory aid, not as proof of how a device was built.
  2. All existing machines will be non-compliant and become compliant only when they are re-imaged with the updated task sequence.

The default report 'List of assets by compliance state for a configuration baseline' can be run against the specific baseline to list all compliant machines, that is, the machines imaged by the task sequence tracked by the ContosoUniquebuild baseline.

Now we have a list of the machines built through a specific SCCM task sequence, and therefore with the image it references.

Thank you!


Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
3 Comments
Copper Contributor

Hi, 


I was trying the steps you mentioned above. When I try to add the registry keys via a command file, it is in a loop. Not sure if I have something wrong within the CMD file. I saved the file as reg.cmd.


I was able to accomplish the task through PowerShell. I added each registry entry individually and all the entries show up in the registry now.


My question is, when I create a package, will my reg.cmd work? This is what is in the reg.cmd file:


REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ramlanBuildInfo1 /v UniqueID /t REG_SZ /d "dfeee803-daf6-4d65-8c7d-832c3e56c04b" /f

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ramlanBuildInfo1 /v date /d "%DATE%" /t REG_EXPAND_SZ /f

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ramlanBuildInfo1 /v time /d "%TIME%" /t REG_EXPAND_SZ /f

Microsoft

Hi, thanks for bringing this up. I have modified step 5 to use 'Run command line' instead of 'Install package' [the package is created without a program]. And of course we can use a ps1, or just a Run command line step with these reg add commands directly in this TS step.

Copper Contributor

If we were to implement the above steps for all the task sequences, the compliance status will not work on past deployments. Any future deployments can be monitored for compliance. Right or wrong???

Version history
Last update:
‎Sep 12 2019 08:42 AM