PowerShell to get user SID

$u = [adsi]"WinNT://domainname/username,user"
$u | gm
$u.objectSid

App-V materials

http://blogs.technet.com/b/appv/archive/2015/06/30/the-microsoft-app-v-5-0-sequencer-and-client-troubleshooting-guide.aspx

http://www.applepie.se/category/app-v/european-app-v-user-group-app-v

http://packageology.com/?s=uac

http://blogs.technet.com/b/configmgrdogs/archive/2013/12/23/understanding-configmgr-2012-app-v-virtual-environments.aspx

App-V 5 SP3 error 0xc0000142 on client

I get this error when trying to run any new sequenced app-v 5 package. It looks like there is a problem with the sequencer it self - this is the Vmware VM with Win 7 x64 OS, domain joined. As it was not used since some time domain trust relationship was not valid any more so I thought that this could lead this problems. Even when I rejoined it to domain and fully update with Windows Updates the problem still persist (even reinstallation of Sequencer did not resolve this problem).

I used new VM on Hyper-V and it works ok because new VM on Vmware vCenter works only once, after snapshot revert there is the same problem

App-V 5 publishing globally with DeploymentConfig.xml

To publish App-V package globally You can use powershell on client

Add-AppvClientPackage [Path_to_AppV_Package] -DynamicDeploymentConfiguration
[Path_to_DeploymentConfig_xml_File] | Publish-AppvClientPackage –Global |
Mount-AppvClientPackage

or You can use App-V Management server - grant access to package for computers group from AD, then right click on added app-v package in management console and choose Edit default configuration. Then from Advanced section use Import and Overwrite this Configuration button to load DeploymentConfig.xml for this app-v package

SQL basics

sqlcmd -s server_name\instance_name
1> select @@version
1> go

Run simple WMI query

From Elevated Command Prompt type Run wbemtest, connect the namespace root\cimv2
Click Query… and enter the following query “Select * from Win32_ComputerSystem”

Exchange meeting rooms troubleshooting

Try to move exchange meeting room to another database. Add meeting room mailbox into outlook to see whether it receives meeting requests, to do this You need to get proper permissions (owner):
Add-MailboxFolderPermission -Identity room:\Calendar -User domain\user -AccessRights owner

If You need to book meetings in external exchange meeting rooms remember to synchronize GAL and check\set the below:
Get-Mailbox room_name | set-CalendarProcessing -ProcessExternalMeetingMessages $true

Performance monitor disk counters

To measure latency use: Avg. Disk sec/Write and Avg. Disk sec/Read. The values recorded by these counters are always in seconds (nevermind the scale, scale is used only for the graph). So if the average recorded value for Avg. Disk sec/Write is 0,022 sec it is equal to 22 ms. Latency up to 25 ms is accepted and quite normal

PhysicalDisk\% Idle Time This measures the percentage of time the disk was idle during the sample interval. If this counter falls below 20 percent, the disk system is saturated. You may consider replacing the current disk system with a faster disk system.

Memory\Cache Bytes This indicates the amount of memory being used for the file system cache. There may be a disk bottleneck if this value is greater than 300MB.

Find out hard disk parametrs from disk model number

A. A typical desktop hard disk rotate at 7,200 revolutions per minute (RPM). A typical server hard disk spin at 10,000 or 15,000 rpm to achieve sequential media transfer speeds. You can use hard disk model number to obtain disk RPM. For example, a typical Seagat disk Model # ST373455SS can provide following information:

• ST - Brand identity
• 3 - Form Factor (3 = 3.5")
• 73 - Disk size / Capacity in GB i.e. 73GB
• 4 - Reserved for future use
• 5 - RPM ( 5 = 15k and 0 = 10K)
• 5 - Generation
• SS - Indicates interface i.e Serial Attached SCSI

Script for asking for computer name during OS deployment task sequence

You need to create a package with script like the below


Dim sNewComputerName, oTaskSequence, sTSMachineName, bPromptName
Set oTaskSequence = CreateObject ("Microsoft.SMS.TSEnvironment")
' Get the name the computer is set to receive and truncate to first 6 letters
sTSMachineName = lcase(oTaskSequence("_SMSTSMachineName"))
If left(sTSMachineName,6) = "minint" Then
 bPromptName = True
ElseIf sTSMachineName = "minwinpc" Then
 bPromptName = True
Else
 bPromptName = False
End If
' Note: The wscript.echo commands are logged in SMSTS.log for troubleshooting.  They are not displayed to the end user.
If bPromptName = True Then
 wscript.echo "Detected that the computer name is scheduled to receive a random value.  Prompting user to input a standard name."
 sNewComputerName = InputBox ("Please enter a standard computer name to continue.", "Computer Name", , 30,30)
 oTaskSequence("OSDComputerName") = UCase(sNewComputerName)
 wscript.echo "Set Task Sequence variable OSDComputerName to: " & sNewComputerName
Else
 wscript.echo "Computer set to receive a standard name, continuing as is."
End If

SCCM task sequence to change Program Files location

I used it in scenarion with computers with 2 hard disks: firts small one SSD and second one standard SATA disk. We wanted to place all program files on the second disk

There is a package contains PFx86.reg file and program for this package:
cmd /c xcopy *.* %systemroot%\temp /E /H /C /I /Q /Y

Reg PFx86.reg file looks like below:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="D:\\Program Files"
"ProgramFilesDir (x86)"="D:\\Program Files (x86)"
"ProgramW6432Dir"="D:\\Program Files"

Then You run two command line tasks:
%systemroot%\syswow64\regedit /s %systemroot%\temp\PFx86.reg

and
%systemroot%\regedit /s %systemroot%\temp\PFx86.reg

To remove item (meeting) from meeting\conference room hosted on Exchange when users left the company

In Exchange management shell:

Get-MailboxFolderStatistics -Identity RoomName -FolderScope calendar
Look at the FolderPath it could be different
FolderPath                        : /Kalendarz
FolderPath                        : /Calendar

Add-MailboxFolderPermission -Identity RoomName:\Kalendarz -User -AccessRigh
ts owner

Then You can remove any meetings from RoomName meeting room using Outlook

Install IIS with all sub features

Add-WindowsFeature Web-Server -IncludeAllSubFeature -Source:d:\sources\sxs

Add user to local administrators group on DC

net localgroup Administrators /add domain\user

SCCM report: user and computer match

Report name: Users in a specific domain

Show AD object attributes

New-PSDrive -Name bart -PSProvider activedirectory -Root "AD:\ou=test,dc=domain,dc=com"
ls bart:
Get-Item -Path '.\*' -properties showInAddressBook | select showInAddressBook, NAme

32bit ODBC connection for 64bit systems using GPP

Run
C:\Windows\SysWOW64\odbcad32.exe
and configure system DSN connection. Open Group Policy Management snapin:
 Go to Computer Configuration > Preferences > Windows Settings > Registry
Create new collection item
In this new collection item use registry wizard
http://www.explodingbraincells.com/2012/04/16/32-bit-odbc-system-dsn-on-64-bit-windows-using-group-policy-client-preferences/

Refresh kerberos ticket without log ogg

In cmd type: klist purge

Lync - get a message body (decrypt) from SIP messages

When You use Lync Logging tool or Lync centralized logging by default message body\content is removed from SIP messages. To enable message body logging, do the following on each server in a Front End pool:

1.    Click Start, click Run, and then type Regedit.

2.    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RtcSrv\Parameters.

3.    Right-click the right pane of Registry Editor, and click New, and then, in DWORD (32-bit), type EnableLoggingAllMessageBodies (no spaces).

4.    Set EnableLoggingAllMessageBodies to the value 1.

5.    Close RegEdit, and restart the pool server(s) or restart the RTCSrv service (Lync Server Front-End service) by doing one of the following:

·         At an administrator cmd.exe prompt, run the following command:

net stop rtcsrv && net start rtcsrv

·         In the Lync Server Management Shell, run the following command:

Stop-CsWindowsService –Name RtcSrv –Verbose

Start-CsWindowsService –Name RtcSrv -Verbose

Or You can encrypt TLS messages, described here:
http://blogs.technet.com/b/nexthop/archive/2012/02/15/how-to-decrypt-lync-2010-tls-traffic-using-microsoft-network-monitor.aspx

Lync SIP messages - Event header

Registration:
Event: registration (REGISTER)

In-band provisioning settings:
Event: vnd-microsoft-provisioning-v2 (SUBSCRIBE, OK)

Information about contacts from contact list:
Event: vnd-microsoft-roaming-contacts (SUBSCRIBE, OK)

Presence:
Event: presence (SUBSCRIBE, OK)
Event: presence (NOTIFY, OK)
Event: vnd-microsoft-roaming-self (BENOTIFY)
SERVICE message has no Event header

PowerShell list of folders size

Sample script

$c = gc .\ListOfDisabled.txt
foreach ($el in $c) {
$col = (Get-ChildItem $el -recurse | Measure-Object -Property Length -sum)
if ($col.sum -gt 1000000) {
$el
"{0:N2}" -f ($col.sum / 1MB)
}
}

Troubleshooting Lync 2013 mobility

I want to describe a specific situation in specific Lync environment where was a problem with Lync mobility. There was a few misconfigurations and I will describe them below.
I created also a topic on technet forum about it
https://social.technet.microsoft.com/Forums/office/en-US/492f7d00-4896-40f6-a356-ca864f0ea12f/mobility-cannot-sign-in-android-display-self-signed-certificate?forum=lyncdeploy

Even if it is not supported by Microsoft we use wildcard certificate for Lync and all Lync services are able to work both internally and externally.

I did a lot of troubleshooting steps before find it out like Test-CsMcxP2PIM and another Test-Cs cmdlets, also get logs from mobile devices but the errors were not descriptive enough for me. Finally I found that lyncdiscoverinternal.domain.com was actually resolved from external DNS because we have wildcard\"catch all" DNS setting for our domain. So we changed it and now lyncdiscoverinternal.domain.com is resolvable to some "fake" ip address 1.1.1.1.

Then there was a few misconfigurations on IIS ARR configuration described below.

On IIS ARR there are URL rewrite rules - there must not be rules for http, only rules for https are needed. I had an issue that there was a rule for http with wildcard and it catch what should not be caught also there was a checkbox selected "Stop processing of subsequent rules"
To troubleshoot it enable "Failed request tracing" on IIS under default web site on reverse proxy and look at rule names

Next mistake was to have defined server with external web services URL under IIS ARR Server farms. External web services URL is basically nor resolvable on reverse proxy - this is desirable situation. Server name should be specified as internal FE server name or FE pool name.

Next mistake was specified additional lync.* pattern with Match All setting as shown below. It was never true so trying to use another URL rewrite rules.

Then take a look also for server health: IIS ARR -> Server farms -> select specific farm and click Monitoring and Management. Health status must be health.  It was unhealthy for me as I did some health checks before.

What helps me also was trying to access
https://ExternalWebServicesURL.domain.com:443/certprov/certprovisioningservice.svc
on computer (web browser) which was not domain joined and externally (not in corporate LAN). When You access this address You should get logon window and You should be able to authenticate providing user credentials

Test-CsMCXP2PIM bug - UPN credentials must be provided

You can get an error when doing Test-CsMCXP2PIM
Error Message : No response received for Web-Ticket service.
                Inner Exception:The HTTP request is unauthorized with client au
                thentication scheme 'Ntlm'. The authentication header received
                from the server was 'Negotiate,NTLM'.
                Inner Exception:The remote server returned an error: (401) Unau
                thorized.

when using user credentials in format domain\username. Try to use UPN credentials then user@domain.com

Show disabled AD account with still enabled Lync account and assigned DID numbers

When You disable AD account it is not disabled in Lync automatically and phone number assigned to such user is still in use.

Get-CsAdUser | ?{$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -eq $true} | get-csuser | ft Name,Enabled,Lineuri -auto

Exchange 2013 dial tone database recovery

In order to check if the database is in a healthy state we can use the command below, but first we need to be on the same location of the EDB file using either Exchange Management Shell
eseutil /mh

Use the eseutil utility in recovery mode (/r) to bring the database to a clean shutdown
eseutil /r


Use the New-MailboxDatabase cmdlet to create a dial tone database, as shown in this example
New-MailboxDatabase -Name DTDB1 -EdbFilePath D:\DialTone\DTDB1.EDB

Use the Set-Mailbox cmdlet to rehome the user mailboxes hosted on the database being recovered, as shown in this example
Get-Mailbox -Database DB1 | Set-Mailbox -Database DTDB1

Use the Mount-Database cmdlet to mount the database so client computers can access the database and send and receive messages, as shown in this example
Mount-Database -Identity DTDB1

Create a recovery database (RDB) and copy the database and log files containing the data you want to recover into the RDB. Rename edb file name to RDB.edb
New-MailboxDatabase –Recovery –Name  -Server name>  -EDBFilePath ‘X:\folder\RDB.edb’ –LogFolderPath ‘X:\folder\’

Mount the RDB, and then use the Dismount-Database cmdlet to dismount it, as shown in this example.
Mount-Database -Identity RDB1
Dismount-Database -Identity RDB1

After the RDB is dismounted, move the RDB database and log files within the RDB folder to a safe location. This is done in preparation for swapping the recovered database with the dial tone database.
Dismount the dial tone database, as shown in this example. Note that your end users will experience an interruption in service when you dismount this database.
Dismount-Database -Identity DTDB1

Remember about renaming edb file names!

https://technet.microsoft.com/en-us/library/dd979810%28v=exchg.150%29.aspx

VB script to send email from exchange

Dim objNTInfo
Set objNTInfo = CreateObject("WinNTSystemInfo")
GetComputerName = objNTInfo.ComputerName

mTo = WScript.Arguments.Item(0)
mFrom = "SCCM-OSD@domainB.com"
mSubject = "Need to change domainA.com email address to domainB.com in distribution groups"

mbody = "check content of c:\temp\listalista.txt on exchange server then use C:\temp\replaceAPdistList.ps1 "

sendmail mTo, mSubject, mBody, mFrom


Function SendMail(strTo,strSubject,strBody,strFrom)
Dim m_EmailObj, m_EmailConfig
Set m_EmailObj = CreateObject("CDO.Message")
m_EmailObj.From = strFrom
m_EmailObj.To = strTo
m_EmailObj.Subject = strSubject
'm_EmailObj.TextBody = strBody


m_EmailObj.HTMLBody = strBody
Set m_EmailConfig = m_EmailObj.Configuration
m_EmailConfig.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "ExchangeServerName"
m_EmailConfig.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
m_EmailConfig.Fields("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
m_EmailConfig.Fields.Update
m_EmailObj.Send
Set m_EmailObj = nothing
Set m_EmailConfig = nothing
End Function

Exchange - Find specific mail addresses in all distribution group

Get-DistributionGroup -Identity *  -ResultSize Unlimited | Select-Object name | set-content C:\temp\allDistNames.txt
$names = gc C:\temp\allDistNames.txt
#remove no needed brackets and other signs
$cont = foreach ($n in $names) {
$n.remove(0,7) -replace ".$"
}
$cont | set-content C:\temp\allDistNames.txt

$names = gc C:\temp\allDistNames.txt
foreach ($n in $names) {
Get-DistributionGroupMember -Identity $n -ResultSize Unlimited | Select-Object PrimarySmtpAddress | set-content C:\temp\temp.txt
$mails = gc C:\temp\temp.txt

#remove no needed brackets and other signs
$cont = foreach ($m in $mails) {
$m.remove(0,21) -replace ".$"
}

foreach ($c in  $cont) {
#get only not empty mails\lines
if ($c.Length -gt 3) {
#search last 14 characters and compary them
if ($c.substring($c.Length-15) -eq "applypoland.com") {
#put the names of distribution list in text file
$n | out-file c:\temp\listalista.txt -append
}
}
}
}


Below script is using for replace emails ended with applypoland.com to ended with applysorco.no

Get-DistributionGroupMember -Identity testbb | Select-Object PrimarySmtpAddress | set-content C:\temp\testbb1.txt
$mails = gc C:\temp\testbb1.txt
$cont = foreach ($m in $mails) {
$m.remove(0,21) -replace ".$"
}
foreach ($c in  $cont) {
if ($c.substring($c.Length-15) -eq "applypoland.com") {
$c | out-file c:\temp\ap.txt -append
$c = $c -replace 'applypoland.com','applysorco.no' | out-file c:\temp\sorco.txt -append
}
}
$usun = gc c:\temp\sorco.txt
foreach ($u in  $usun) {
add-DistributionGroupMember -Identity testbb -member $u
}
$dodaj = gc c:\temp\ap.txt
foreach ($d in  $dodaj) {
remove-DistributionGroupMember -Identity testbb -member $d -Confirm:$False
}

Exchange 2013 remote powershell

In PowerShell:
$session = New-PSSession -ConfigurationName microsoft.exchange -ConnectionUri http://FQDN/
powershell
Import-PSSession $session

If You need this every time You open PowerShell:
PS C:\> $profile
C:\Users\xxx\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
then change this ps1 file adding above 2 lines

SCCM configuration baseline samples

Configuration item which helps to find computers with Windows Media Player installed:
Setting type: Script

$ff = dism /online /get-featureinfo /featurename:WindowsMediaPlayer | findstr State
If ($ff -eq "State : Enabled") {
    $Compliance = "Compliant"
} 
Else { 
    $Compliance = "NonCompliant"
}
Return $Compliance

Compliance rule:

------------------------------------------------------------------------------------

Configuration item which helps to find computers with PowerShell 3.0 installed
Setting type: WQL query

Compliance rule:

------------------------------------------------------------------------------------

Configuration item which helps to find computers with missing WSUS configuration
Setting type: Registry value

and

Compliance rule:

and

SCCM best practices for collections

User collections should be based on AD user groups. Common scenario is to name group for the name of application which users in specific group use, e.g. APP - Autocad. Then the collection name should be the same as AD group. Thanks for user collections You can deploy software on any computer on which user is or will be working on

Device collections - good practice is to create folders under each You can get collections designed for specific purpose

IsInstalled contain collection based on Configuration Baseline, e.g. PowerShell 3.0_All Windows 7 Computers Active_Compliant
Thanks for this approach You can schedule deployment of specific software to such collections, e.g. App-V 5.0 client needs PowerShell 3.0 as prerequisite so we scheduled App-V deployment for PowerShell 3.0_All Windows 7 Computers Active_Compliant collection. The easiest way to create such collections based on Configuration Baseline is shown below

Another approach to create collection for specific software installed is based on query, below sample for Citrix Reciver 3.4 IsInstalled 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Citrix Receiver (Enterprise)" and SMS_G_System_ADD_REMOVE_PROGRAMS.Version = "13.4.0.25"

or for AutoCAD

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId where LOWER(SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName) like "AutoCAD%" and SMS_R_System.Obsolete = 0

IsNotInstalled can be based on similar like above examples or another approach is to use rules Include Collections and Exclude Collections

UnwantedSoftware can store collections with software which should be automatically uninstalled when detected, e.g. specific version of Java or torrent software.

You create a package with data source files and associate with it some programs like Uninstall Java Auto Updater which contains:
msiexec /x {4A03706F-666A-4037-7777-5F2748764D10} /qn /norestart

Collection for computers with Java Auto Updater can be based on query like below:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Java Auto Updater"

Collection for computers with specific network card:
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_NETWORK_ADAPTER on SMS_G_System_NETWORK_ADAPTER.ResourceId = SMS_R_System.ResourceId where SMS_G_System_NETWORK_ADAPTER.Description = "Intel(R) 82567LM-3 Gigabit Network Connection"

Maintenance - can store another collections which are build on already created (e.g. All Windows 7) in another place but have setup maintenance window

Power Plan - similar like Maintenance folder but have a power management configured, like wakeup time

SCCM 2012 application redistribute content to DP

Let's consider following scenario: there is an application (not package) which is installed using script install.bat You provide some changes to script and need to update the application to DP. If You go into Properties of Application and go to tab Content Locations

there You can click Redistribute button. But in case of such change in Application it will not cause that new version of Application will be created on DP and new version on install.bat will not be distributed.

You can check it using Content Library Explorer from Configuration Manager Toolkit 2012 R2. Using this tool You can copy content of any application or package from DP to selected folder.

What You need to do is to select Application in SCCM console, then go to Deployment Types tab (on the bottom) right click and choose Update content

SCCM Net Framework 4.5.1 installation problems

I need to install Net Framework 4.5.1 during OS deployment task sequence. I want to have it in SCCM as application not the package. Thanks for this it is easy to use it later as dependency for another applications.

To successfully install it during OS deployment task sequence (no user logged on) You need to mark check box "Run installation and uninstall program as 32-bit process on 64-bit clients" in program properties. Installation program should looks like:
NDP451-KB2858728-x86-x64-AllOS-ENU.exe /q /norestart /ChainingPackage ADMINDEPLOYMENT /log c:\windows\temp\dotnet451.log

Detection method is based on registry (Key: SOFTWARE\Classes\Installer\Products\BE4EBED704B66673BB53C5BB3C58AD73)

I tested it using OS deployment task sequence which contains a lot of different software installation. To speed it up I disabled some steps in task sequence for test purposes. Then Net Framework was installed ok. I enabled all previously disabled steps and test OS deployment task sequence once again. There was an error with Net Framework installation 13EC - looks like there was not enough disk space (tested in on VM with small disk)

SCCM application installation failed - not enough cache size

User reports that he cannot install specific application from application catalog. Check the cas.log and execmgr.log on client wokstation. In cas.log there was info about not enough space in cache. You can change it easily using SCCM console (ConfigMgr 2012 Right Click Tools http://myitforum.com/myitforumwp/2012/05/07/config-manager-2012-right-click-tools/), right click on specific computer, then Client Tools -> Change cache size. Restart PC to speed up cache size changes

SCCM collection for active computers

Below is a sample query to create such collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_CH_ClientSummary on SMS_G_System_CH_ClientSummary.ResourceId = SMS_R_System.ResourceId where SMS_G_System_CH_ClientSummary.ClientActiveStatus = 1

SCCM configuration baseline - unknown state "client check passed\acive"

CIDownloader.log - details about configuration item definition downloads, You need to search by GUID. You can find this GUID from SCCM console, under configuration baselines - show column: CI Unique ID

DCMAgent.log is the log located on client in which You can find when specific baseline was run last time, below example line from log:
DCMAgentJob({698E2389-8394-491E-91DA-FB9C7222F173}): CDCMAgentJob::SetupJob - Add assignment Java Installation IsValid_All Windows 7 Computers Active({554557FF-3A41-49FB-BAA9-672B5A3510FF})

Java Installation - is the name of baseline

DCMAgent.log - next log to check on client

Status:
'Client check passed/Inactive' means these are machines which were previously responding to SCCM but are currently switched off, unplugged, offline etc.

'Client check passed/Active' 
"Unknown" is not a good name for this, for each system, a deployment's status starts as "Unknown", moves to "In-Progress", and finishes as "Compliant". 
Most like computers need to be restarted, pending restart after windows updates installation etc.

Visio 2013 app-v 5.0 package

Activation done by KMS – there is a need to have at least 5 computers with Office 2013 to start KMS activation!!! Visio 2013 packaged by using Office Deployment Tool. First step is to change configuration.xml file, for Visio 2013 it should looks like below:

<Configuration>
  <Add SourcePath="c:\Visio2013volume" OfficeClientEdition="32" >
    <Product ID="VisioStdVolume">
      <Language ID="en-us" />
    </Product>
  </Add> 
</Configuration>

Then You run setup.exe /download configuration.xml
Next step is to create app-v package using Office Deployment Tool 
setup.exe /packager package.xml c:\visio2013appv
Below is a sample package.xml

<Configuration>
  <Add SourcePath="c:\Visio2013volume" OfficeClientEdition="32" >
    <Product ID="VisioStdVolume">
      <Language ID="en-us" />
    </Product>
  </Add> 
  <Updates Enabled="TRUE"/>
  <Display Level="Full" AcceptEULA="TRUE" />
  <Logging Level="Standard" Path="c:\Visio2013volume\logs" />
  <Property Name="AUTOACTIVATE" Value="1" />
  <Property Name="FORCEAPPSHUTDOWN" Value="TRUE" />
</Configuration>

Important notes:
Removal package 
If You unpublished application it still persist some data on disk %ProgramData%\App-V\{PkgGUID}\{newVerGUID}. To remove all data use Remove-AppVClientPackge  

Deploying App-V 5.0 client using SCCM

App-v 5 client on workstations: PoweShell 3.0 is a prerequisite.
To have both 4.6 and 5.0 client version in place on workstation app-v 4.6 client must be updated to SP3
1. Install PowerShell 3.0 (separate package and separate deployment)
program properties:
wusa PowerShell3.msu /passive /quiet /norestart
You need to wait for a service window because powershell will be fully installed after computer restart
deployment properties:
allow for software installation outside maintenance window
configuration baseline and collection:
Based on PowerShell 3.0 configuration baseline there is a collection created under Device Collections \ Application \ IsInstalled \ PowerShell 3.0

Configuration Item is configured as below:

Compliance rule looks like below:

2. Install app-v 5 sp3 (separate package and separate deployment)
deployment properties:
Deployment is performed based on PowerShell 3.0 collection

By default app-v 5 client has no GUI – You need to download it and install separately. It can be installed as virtual application or as normal software.

The App-v 5 SP3 client is installed using install.bat
appv_client_setup.exe /CEIPOPTIN=0 /MUOPTIN=1 /ACCEPTEULA=1 /S1PUBLISHINGSERVERNAME=srvname /S1PUBLISHINGSERVERURL=http://srvname.domain.com:8001 /S1USERREFRESHONLOGON=1 /S1USERREFRESHENABLED=1 /S1GLOBALREFRESHONLOGON=1 /S1GLOBALREFRESHENABLED=1  /ENABLEPACKAGESCRIPTS=1 /MIGRATIONMODE=1 /log c:\windows\temp\appv5.log /q


Lessons learnt:
PowerShell 3.0 deployment errors:
1. error code 2145124330 - another updates were installed, there is a need to restart computer
2. error code 1151 - broken windows update service (to many updates injected offline by DISM) - system re installation needed
3. Program failed (run time exceeded) - if deployment is setup with Rerun if failed previous attempt option and there are more than one schedule assignment it should automatically rerun

KMS for Office 2013

To check KMS status for Office 2013, type on KMS server:
slmgr /dli 2E28138A-847F-42BC-9752-61B03FFF33CD

Currect count must at least 5

To manually activate Office 2013 (it is faster) type on client:
C:\Program Files (x86)\Microsoft Office\Office15\cscript ospp.vbs /act

SCCM configuration baseline to check whether specific Windows feature is installed

You need to start from preparing script which will check whether specific Windows feature is installed. On Windows 7 dism tool must be used, on Windows 8 powershell cmdlet Get-WindowsOptionalFeature can be used. Below is a simple script based on dism for Windows Media Player feature:

$ff = dism /online /get-featureinfo /featurename:WindowsMediaPlayer | findstr State
If ($ff -eq "State : Enabled") {
$Compliance = "Compliant"
}
Else {
$Compliance = "NonCompliant"
}
Return $Compliance

To use this script in configuration item and then in configuration baseline the PowerShell execution policy must be changed from default All signed into Bypass. This is under Client Settings, under Computer Agent, there is an option to configure the PowerShell execution policy

NetScaler Gateway policies description

https://drive.google.com/file/d/0B-Myn42Tc3zSMDZTcXN0UXIwWDQ/view?usp=sharing

PowerShell import module from remote machine

$kappa = New-PSSession -ComputerName kappa.applypoland.com -Credential $cred
Import-Module -Name Lync  -PSSession $kappa

PowerShell - open console with credentials stored in variable

Create a script and save it in %userprofile%\WindowsPowerShell\profile.ps1
In script put:
$cred = get-credential -username Lab\admin -Message 'Need admin pass for $cred'

Exchange shared mailbox cross forest permissions

It is simply done by running the shell command in the Exchange Organization (Forest B) of the shared mailbox:

Add-MailboxPermission sharedmailboxalias -User "DomainA\UserA" -AccessRights FullAccess