Run Scripts is the Best Feature in SCCM

There is a long story behind why I think Run Scripts is my new favorite feature within Configuration Manager (SCCM/ConfigMgr/MEMCM). One day, I was troubleshooting a problem with a computer that’s located in another office from where I work. In order to go onsite, I needed to drive 20+ minutes there, spend another 5 minutes fixing the problem, and then drive another 20+ minutes back to my office. That seemed to be a waste of valuable time. Instead, using Remote Desktop (RDP) to access the computer made more sense.

When I attempted to use RDP to access the computer, however, it was failing, so I quickly determined that the problem was the firewall. It was blocking me from accessing the computer. In order to overcome this problem, I used Run Scripts to turn off the firewall, which then allowed me to use RDP. Below are the steps I took to turn off the firewall. Always remember, though, to put the firewall back on afterwards!

Turn Off a Windows Firewall by Using PowerShell

A quick Google search revealed that the following PowerShell command turns off all firewalls on a Windows computer, so I am going to use it in my script.

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

How to Create a Script in SCCM/ConfigMgr/MEMCM

Run Scripts - Create Script

Starting in the ConfigMgr console, under Software Library, select the Scripts node and then click on Create Script from the ribbon.

Run Scripts - Specify Script Details

Enter the script’s name. In my case, I called it, “Turn off Firewall.” Then in the script text box, I copied/pasted the PowerShell script I showed you earlier. Click Next.

Run Scripts - Script Details - Summary Node

Click Next.

Run Scripts - Script Details - Completion Node

Click Close.

Run Scripts - Waiting for Approval

Back in the console, you notice that the script needs to be approved before it can be used.

How to Approve a Script

Note: By default, the person who created a script CANNOT approve their own script. Why? Most companies have change controls, so this helps with that, but it is a site setting option that can be changed. If you want to change this setting, check out the next section, “How to Change the Approval Settings.”

Below are the steps on how to approve a script.

Run Scripts - Approve-Deny

Right-click on the script and select Approve/Deny.

Run Scripts - Approve or Deny - Script Details

Review the script and click Next.

Run Scripts - Approve

Select Approve and enter a comment before clicking on the Next button.

Run Scripts - Approve or Deny - Summary Node

Confirm the details and click Next.

Run Scripts - Approve or Deny - Completion Node

Click Close.

How to Change the Approval Settings

Run Scripts - Hierarchy Settings

In the console, under Administration | Overview | Site Configuration | Sites, select Hierarchy Settings from the ribbon.

Run Scripts - Hierarchy Settings Properties

Unselect the Script authors require additional script approver check box and then click on the OK button.

How to Use a Run Script on a Device

Run Scripts - Run Script

Select the device that you are going to run a script on by right-clicking on it and then selecting Run Script.

Run Scripts - Select Script

Select the script and click Next.

Run Scripts - Run Script - Summary Node

Confirm the summary and click Next.

Run Scripts - Script Status

Wait for the script to run. Generally, it takes less than 30 seconds. Once the script is completed, click Close.

How to Run a Script on a Collection

This is where the Run Scripts feature is extremely powerful! You need to be careful here, because the script runs on every device in the collection, and a mistake can cause you problems on all of them at once.

Run Scripts - Collection - Run Script

Locate the collection that you want to run the script against. Right-click on the collection and select Run Script.

Run Scripts - Collection - Select Script

Select the script and click Next.

Run Scripts - Collection - Summary Node

Review the summary, paying particular attention to the number of resources you are targeting! Then click Next.

Run Scripts - Collection - Script Status

If the computer is offline, the script attempts to run for 1 hour before timing out. Click Close after reviewing the results.

Remember that you can always see the results within the Script Status node on the Monitoring node in the console.

Official Run Scripts Documentation

The documentation is always being updated, so for the most up-to-date details, please review the official documentation.

Summary

Believe me when I tell you that it took me far less time to research, write, approve and deploy the run script to my problem computer (approx. 5 minutes) than it would have taken me to drive across town to our other office! Ultimately, the Run Scripts feature saved me about 35 minutes of travel time. It also meant that the end-user wasn’t interrupted, so no down-time, and their problem was resolved behind the scenes.

Please remember that if you are running the same script as me, don’t forget to turn the firewall back on! One of the tricks that I use for this is a CI that detects if a firewall is off. See my blog post, How to Create a Compliance Setting to Detect If the Firewall Is Off, for more details.
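For the "turn the firewall back on" step, here is a companion script that can be created and approved in Run Scripts the same way as the one above. It is an added example, not part of the original post: it re-enables every profile, then checks the effective state and returns it as JSON so the result shows up in the Script Status output. The helper name Get-DisabledProfile and the output property names are made up for this example.

```powershell
# Added example, not from the original post.
# Re-enables Windows Firewall on all profiles and reports the before/after state.
$ErrorActionPreference = 'Stop'

# Hypothetical helper: names of the profiles that are currently NOT enabled.
function Get-DisabledProfile {
    # ActiveStore is the effective policy (local settings plus any Group Policy),
    # so this reports what the computer is really enforcing.
    Get-NetFirewallProfile -PolicyStore ActiveStore |
        Where-Object { [string]$_.Enabled -ne 'True' } |
        ForEach-Object { $_.Name }
}

# Snapshot first, so the output records what had been left switched off.
$offBefore = @(Get-DisabledProfile)

if ($offBefore.Count -gt 0) {
    # Same cmdlet the "Turn off Firewall" script used, with the opposite value.
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
}

# Check again instead of assuming the change took effect.
$offAfter = @(Get-DisabledProfile)

# One compact JSON line is easy to read in the Script Status results.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    DisabledBefore = $offBefore
    DisabledAfter  = $offAfter
    Compliant      = ($offAfter.Count -eq 0)
} | ConvertTo-Json -Compress

# A non-zero exit code makes a device that is still unprotected stand out.
if ($offAfter.Count -gt 0) { exit 1 }
```

Run against a collection, the Compliant field gives a quick per-device check that no computer was left with a profile disabled.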

If you have any questions, please feel free to contact me @GarthMJ.

Showing 2 comments
  • Sandra

    It is safer just adding a registry entry and FW rule to enable RDP with a run script. I do this with a run script in my system already:

    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

    • Garth Jones (Admin)

      I love that idea!
