Administration of Configuration Manager through PowerShell

  • 2015-04-28 00:00:00

When we need to automate activities in Configuration Manager, we have to use a scripting language such as VB or PowerShell. PowerShell has its own advantages over other scripting languages.

In this article by Guruprasad HP, coauthor of the book Microsoft System Center Powershell Essentials, we will cover:

  • The introduction of Configuration Manager through PowerShell
  • Hierarchy details
  • Asset and compliance

Introducing Configuration Manager through PowerShell

The main intention of this article is to give you a brief idea of how to use PowerShell with Configuration Manager, not to make you an expert in all the cmdlets. With the goal of introducing Configuration Manager admins to PowerShell, this article mainly covers how to use PowerShell cmdlets to get information about Configuration Manager configurations and how to create our own custom configurations using PowerShell. Just as you cannot learn everything about a person at a first meeting, you cannot expect everything from this article.

This article starts with the assumption that we have a well-built Configuration Manager environment. Following convention, we will first learn how to fetch configuration details from Configuration Manager, and then see how to create our own custom configurations using PowerShell.

PowerShell provides around 560 different cmdlets to administrate and manage Configuration Manager.

You can verify the cmdlet count for Configuration Manager by reading the Count property of the output of the Get-Command cmdlet, with ConfigurationManager as the Module parameter:

(Get-Command -Module ConfigurationManager).Count

It is always a good idea to export all the cmdlets to an external file that you can use as a reference at any time. You can export the cmdlets by using Out-File with the Get-Command cmdlet:

Get-Command -Module ConfigurationManager | Out-File "D:\SCCMPowerShellCmdlets.txt"

Once we have the Configuration Manager infrastructure ready, we can start validating the configurations through the PowerShell console. What follows are quick cmdlets that help to verify the Configuration Manager configurations, followed by cmdlets to create custom configurations. Since PowerShell follows a verb-noun naming convention, we can easily identify the cmdlets that check configurations, as they start with Get. Similarly, cmdlets to create new configurations will typically start with New, Start, or Set. We can always refer to the Microsoft TechNet page at http://technet.microsoft.com/en-us/library/jj821831(v=sc.20).aspx for the latest list of all the available cmdlets.

Before proceeding further, we have to change the working location from the current drive to the System Center Configuration Manager (SCCM) site drive in order to administer SCCM with PowerShell. To connect, we can use the Set-Location cmdlet with the site code as the parameter, or we can open PowerShell from the Configuration Manager console. Assuming we have P01 as the site code, we can connect to Configuration Manager using PowerShell by executing the following command:

Set-Location P01:
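
In a PowerShell session that was not opened from the Configuration Manager console, the ConfigurationManager module has to be imported before the P01: drive exists. The following is an added example, not code from the article or the book: it loads the module from the console installation (located through the SMS_ADMIN_UI_PATH environment variable that the console installer sets) and then connects to the site drive. The function name Connect-CMSiteDrive and the default provider machine are assumptions.

```powershell
# Added example: connect a plain PowerShell session to the site drive.
# P01 is the site code used in the article; Connect-CMSiteDrive is a hypothetical name.
function Connect-CMSiteDrive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9]{3}$')]   # site codes are three alphanumeric characters
        [string]$SiteCode,

        # Machine hosting the SMS Provider. Defaulting to the local computer is an
        # assumption that only holds when this runs on the site server itself.
        [string]$ProviderMachineName = $env:COMPUTERNAME
    )

    # The console installer sets SMS_ADMIN_UI_PATH to ...\AdminConsole\bin\i386;
    # ConfigurationManager.psd1 sits one directory above it.
    if (-not $env:SMS_ADMIN_UI_PATH) {
        throw 'SMS_ADMIN_UI_PATH is not set: install the Configuration Manager console first.'
    }
    $modulePath = Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1'
    if (-not (Test-Path $modulePath)) {
        throw "Module manifest not found at $modulePath"
    }

    if (-not (Get-Module -Name ConfigurationManager)) {
        Import-Module $modulePath -ErrorAction Stop
    }

    # The module exposes each site as a PSDrive of provider type CMSite.
    if (-not (Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderMachineName `
            -Scope Global -ErrorAction Stop | Out-Null
    }

    Set-Location "$($SiteCode):"

    # Reading the site back confirms that the drive is usable with this account.
    Get-CMSite -SiteCode $SiteCode
}

Connect-CMSiteDrive -SiteCode 'P01'
```

Every cmdlet then runs with the role-based administration rights of the account that owns the session, so a script run under a read-only role can use the Get cmdlets but not the New, Add, Set, or Remove ones.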

Hierarchy details

This section will concentrate on how to get the Configuration Manager site details and how to craft our own custom hierarchy configurations using PowerShell cmdlets. This involves knowing and configuring the site details, user and device discovery, boundary configurations, and installation of various site roles.

Site details

First and foremost, get to know the Configuration Manager architecture details. You can use the Get-CMSite cmdlet to know the details of the Configuration Manager site. This cmdlet without any parameters will give the details of the site installed locally. To get the details of the remote site, you are required to give the site name or the site code of the remote site:

Get-CMSite
Get-CMSite -SiteName "India Site"
Get-CMSite -SiteCode P01

Discovery details

It is important to get the discovery details before proceeding, as discovery determines the computers and users that Configuration Manager will manage. PowerShell provides the Get-CMDiscoveryMethod cmdlet to get complete details of the discovery information. You can pass the discovery method as a parameter to the cmdlet to get the complete details of that discovery method. Additionally, you can specify the site code as a parameter to restrict the output to that particular site.

In the following example, we get the information of HeartBeatDiscovery and restrict our search to the P01 site:

Get-CMDiscoveryMethod -Name HeartBeatDiscovery -SiteCode P01

We can also pass other discovery methods as parameters to this cmdlet. Instead of HeartBeatDiscovery, you can use any of the following methods:

  • ActiveDirectoryForestDiscovery
  • ActiveDirectoryGroupDiscovery
  • ActiveDirectorySystemDiscovery
  • ActiveDirectoryUserDiscovery
  • NetworkDiscovery

Boundary details

One of the first and most important things to be configured in Configuration Manager is the boundary settings. Once discovery is enabled, we are required to create a boundary and link it with a boundary group to manage clients through Configuration Manager.

PowerShell provides built-in cmdlets to get information about the configured boundaries and boundary groups. We also have cmdlets to create and configure new boundaries.

You can use Get-CMBoundary to fetch the details of the boundaries configured in Configuration Manager. You can also pipe the output to the Format-List cmdlet with the * (asterisk) wildcard character as the parameter value to get the detailed information of each boundary.

By default, this cmdlet returns all the boundaries configured in Configuration Manager. It also accepts parameters, such as the boundary name, which returns the information of the specified boundary. You can specify the boundary group name as the parameter, which returns the boundaries associated with that boundary group. You can also specify the boundary ID as a parameter for this cmdlet:

Get-CMBoundary -Name "Test Boundary"
Get-CMBoundary -BoundaryGroup "Test Boundary Group"
Get-CMBoundary -ID 12587459

Similarly, we can use Get-CMBoundaryGroup to view the details of all the boundary groups created and configured on the console. Using the cmdlet with no parameters lists all the boundary groups available in the console. You can use the boundary group name or ID as a parameter to get the information of the boundary group you are interested in:

Get-CMBoundaryGroup
Get-CMBoundaryGroup -Name "Test Boundary Group"
Get-CMBoundaryGroup -ID "1259843"

You can also get the information of multiple boundary groups by supplying a list as a parameter to the cmdlet:

Get-CMBoundaryGroup -Name "TestBG1", "TestBG2", "TestBG3", "TestBG4"

Until now, we saw how to read boundary and boundary-related details using PowerShell cmdlets. Now, let's see how to create our custom boundary in Configuration Manager using PowerShell cmdlets.

Just as you create boundaries in the console, PowerShell provides the New-CMBoundary cmdlet to create boundaries from the command line. At the minimum, we are required to provide the boundary name, boundary type, and value as parameters to the cmdlet.

We can create boundaries based on different criteria, such as the Active Directory site, IP subnet, IP range, and IPv6 prefix. PowerShell allows us to specify the criteria based on which we want to create a boundary in the boundary type parameter.

The following examples show you all four ways to create boundaries. The boundary type to be used is decided based on the architecture and the requirement:

New-CMBoundary -DisplayName "IPRange Boundary" -BoundaryType IPRange -Value "192.168.50.1-192.168.50.99"
New-CMBoundary -DisplayName "ADSite Boundary" -BoundaryType ADSite -Value "Default-First-Site-Name"
New-CMBoundary -DisplayName "IPSubnet Boundary" -BoundaryType IPSubnet -Value "192.168.50.0/24"
New-CMBoundary -DisplayName "IPV6 Boundary" -BoundaryType IPv6Prefix -Value "FE80::/64"

With the introduction of the boundary group concept with Configuration Manager 2012, it is expected that every boundary created should be made a part of a boundary group before it starts managing the clients. So, we first need to create a boundary group (if not present) and then add the boundary to the boundary group.

We can use the New-CMBoundaryGroup cmdlet to create a new Configuration Manager boundary group. At the minimum, we are required to pass the boundary group name as a parameter, but it is also recommended that you pass a description as a parameter:

New-CMBoundaryGroup -Name "Test Boundary Group" -Description "Test boundary group created from PowerShell for testing"

Upon successful execution, the command will create a boundary group named Test Boundary Group. We will now add our newly created boundary to this newly created boundary group. PowerShell provides an Add-CMBoundaryToGroup cmdlet to add the existing boundary to the existing boundary group:

Add-CMBoundaryToGroup -BoundaryName "IPRange Boundary" -BoundaryGroupName "Test Boundary Group"

This will add the IPRange Boundary boundary to the Test Boundary Group boundary group. You can use looping to add multiple boundaries to the boundary group in a real-world scenario. We can remove a boundary from Configuration Manager using the Remove-CMBoundary cmdlet. We can just specify the name or ID of the boundary to be deleted as a parameter to the cmdlet:

Remove-CMBoundary -Name "Test Boundary" -Force
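
The looping mentioned above, as an added example that is not part of the original article: it creates a set of boundaries and adds each one to a boundary group using only the cmdlets shown in this section, skips boundaries that already exist, and rejects malformed IP ranges before anything reaches the site. The function names Test-IPv4Range and Add-BoundarySet and the sample boundary list are constructed for illustration, and the session is assumed to be on the site drive already.

```powershell
# Added example. Assumes Set-Location P01: has been run in this session.

# Returns $true only for "a.b.c.d-a.b.c.d" where the start does not exceed the end.
function Test-IPv4Range {
    param([string]$Value)
    $numbers = @()
    foreach ($part in ($Value -split '-')) {
        $ip = $null
        # Require a full dotted quad; TryParse alone also accepts short forms such as "10.1"
        if ($part -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
            -not [System.Net.IPAddress]::TryParse($part, [ref]$ip)) { return $false }
        $bytes = $ip.GetAddressBytes()
        [Array]::Reverse($bytes)                      # network order -> little endian
        $numbers += [BitConverter]::ToUInt32($bytes, 0)
    }
    return ($numbers.Count -eq 2 -and $numbers[0] -le $numbers[1])
}

function Add-BoundarySet {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$BoundaryGroupName,
        [Parameter(Mandatory)][hashtable[]]$Boundary   # keys: Name, Type, Value
    )

    # Create the boundary group only if it is not already present
    if (-not (Get-CMBoundaryGroup -Name $BoundaryGroupName) -and
        $PSCmdlet.ShouldProcess($BoundaryGroupName, 'Create boundary group')) {
        New-CMBoundaryGroup -Name $BoundaryGroupName -Description 'Created from PowerShell' | Out-Null
    }

    foreach ($b in $Boundary) {
        # Validate IP ranges locally so that a typo does not become a boundary
        if ($b.Type -eq 'IPRange' -and -not (Test-IPv4Range $b.Value)) {
            Write-Warning "Skipping '$($b.Name)': '$($b.Value)' is not a valid IPv4 range"
            continue
        }
        # Re-running the script must not create duplicates
        if (-not (Get-CMBoundary -Name $b.Name) -and
            $PSCmdlet.ShouldProcess($b.Name, "Create $($b.Type) boundary $($b.Value)")) {
            New-CMBoundary -DisplayName $b.Name -BoundaryType $b.Type -Value $b.Value | Out-Null
        }
        if ($PSCmdlet.ShouldProcess($b.Name, "Add to boundary group '$BoundaryGroupName'")) {
            Add-CMBoundaryToGroup -BoundaryName $b.Name -BoundaryGroupName $BoundaryGroupName
        }
    }
}

# Constructed sample input; the third entry is reversed on purpose and is skipped
$boundaries = @(
    @{ Name = 'Branch A clients'; Type = 'IPRange';  Value = '192.168.50.1-192.168.50.99' }
    @{ Name = 'Branch B clients'; Type = 'IPSubnet'; Value = '192.168.60.0/24' }
    @{ Name = 'Reversed range';   Type = 'IPRange';  Value = '192.168.70.99-192.168.70.1' }
)

# -WhatIf prints the planned changes without making them; remove it to apply
Add-BoundarySet -BoundaryGroupName 'Test Boundary Group' -Boundary $boundaries -WhatIf
```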

Distribution point details

The details of the distribution points are one of the most common requirements, and it is essential that the Configuration Manager admin knows the distribution points configured in the environment to plan and execute any deployments. We can do this either using the traditional way of logging in to the console or by using the PowerShell approach. PowerShell provides the Get-CMDistributionPoint cmdlet to get the list of distribution points configured. Distribution points in Configuration Manager are used to store files, such as software packages, update packages, operating system deployment related packages, and so on.

If no parameters are specified, this cmdlet will list all the distribution points available. You can pass the site system server name and site code as parameters to filter the result, which will restrict the results to the specified site:

Get-CMDistributionPoint -SiteSystemServerName "SCCMP01.Guru.Com" -SiteCode "P01"

Here is a quick look at how to create and manage distribution points in Configuration Manager through PowerShell. We can create and manage the distribution point site system role through PowerShell just as we would using the console. To do this, we first need to create a site system server on the site (if not available), which can later be upgraded to a site distribution point. We can do this using the New-CMSiteSystemServer cmdlet:

New-CMSiteSystemServer -SiteCode "P01" -UseSiteServerAccount -ServerName "dp.guru.com"

This will use the site server account for the creation of the new site system. Next, we will configure this site system as a distribution point. We can do this by using the Add-CMDistributionPoint cmdlet:

Add-CMDistributionPoint -SiteCode "P01" -SiteSystemServerName "dp.guru.com" -MinimumFreeSpaceMB 500 -CertificateExpirationTimeUtc "2020/12/30"

This will create dp.guru.com as a distribution point and also reserve 500 MB of space.

We can also enable IIS and PXE support for the distribution point, and configure the DP to respond to incoming PXE requests. This only requires passing a few more parameters to the distribution point creation cmdlet:

Add-CMDistributionPoint -SiteCode "P01" -SiteSystemServerName "dp.guru.com" -MinimumFreeSpaceMB 500 -InstallInternetServer -EnablePXESupport -AllowRespondIncomingPXERequest -CertificateExpirationTimeUtc "2020/12/30"

For effective management of the distribution points available in the environment, we can create a distribution point group (if not already present) using the New-CMDistributionPointGroup cmdlet with, at the minimum, the distribution point group name as the parameter:

New-CMDistributionPointGroup -Name "Test Distribution Group"

With the distribution point group created, we can add the newly created distribution point to the distribution point group. You can use the Add-CMDistributionPointToGroup cmdlet with the distribution point name and distribution point group name, at the minimum, as parameters:

Add-CMDistributionPointToGroup -DistributionPointName "dp.guru.com" -DistributionPointGroupName "Test Distribution Group"

We can also add any device collection to the newly created distribution point group so that whenever we deploy items (such as packages, programs, and so on) to the device collection, the content will be automatically distributed to the distribution point group:

Add-CMDeviceCollectionToDistributionPointGroup -DeviceCollectionName "TestCollection1" -DistributionPointGroupName "Test Distribution Group"

Management point details

The management point provides policies and service location information to the client. It also receives data from clients, processes it, and stores it in the database. PowerShell provides the Get-CMManagementPoint cmdlet to get the details of the management point. Optionally, you can provide the site system server name and the site code as parameters to the cmdlet.

The following example will fetch the management points associated with the SCCMP01.Guru.Com site system that has the site code P01:

Get-CMManagementPoint -SiteSystemServerName "SCCMP01.Guru.Com" -SiteCode "P01"

When you install CAS or the primary server using the default settings, the distribution points and management points will be automatically installed. However, if you want to add an additional management point, you can add the role from the server or through the PowerShell console. PowerShell provides the Add-CMManagementPoint cmdlet to add a new management point to the site.

At the minimum, we are required to provide the site server name that we designated as the management point, database name, site code, the SQL server name, and the SQL instance name. The following example depicts how to create a management point through PowerShell:

Add-CMManagementPoint -SiteSystemServerName "MP1.Guru.Com" -SiteCode "P01" -SQLServerFqdn "SQL.Guru.Com" -SQLServerInstanceName "SCCMP01" -DatabaseName "SCCM" -ClientConnectionType InternetAndIntranet -AllowDevice -GenerateAlert -EnableSsl

We can use the Set-CMManagementPoint cmdlet to change the settings of a management point that has already been created.

The following example changes the GenerateAlert property to false:

Set-CMManagementPoint -SiteSystemServerName "MP1.Guru.Com" -SiteCode "P01" -GenerateAlert:$False

Other site role details

Like distribution points and management points, we can get the detailed information of all other site roles (if they are installed and configured in the Configuration Manager environment). The following command snippet lists the different cmdlets available and their usage to get the details of different roles:

Get-CMApplicationCatalogWebServicePoint -SiteSystemServerName "SCCMP01.guru.com" -SiteCode P01
Get-CMApplicationCatalogWebsitePoint -SiteSystemServerName "SCCMP01.guru.com" -SiteCode P01
Get-CMEnrollmentPoint -SiteSystemServerName "SCCMP01.guru.com" -SiteCode P01
Get-CMEnrollmentProxyPoint -SiteSystemServerName "SCCMP01.guru.com" -SiteCode P01
Get-CMFallbackStatusPoint -SiteSystemServerName "SCCMP01.guru.com" -SiteCode P01
Get-CMSystemHealthValidatorPoint -SiteSystemServerName "SCCMP01.guru.com" -SiteCode P01

Asset and compliance

This section mainly concentrates on gathering information: how to get details of devices, users, compliance settings, alerts, and so on. It also demonstrates how to create custom collections, add special configurations to collections, create custom client settings, install client agents, approve agents, and so on.

Collection details

Getting the collection details from PowerShell is as easy as using the console. You can use the Get-CMDeviceCollection cmdlet to get the details of the available collections. Piping the output to Format-Table with the AutoSize parameter gives a neat view:

Get-CMDeviceCollection | Format-Table -AutoSize

We can also use the grid view to get the details popped out as a grid. This will give us a nice grid that we can scroll and sort easily:

Get-CMDeviceCollection | Out-GridView

We can use Name or CollectionID as the parameter to get the information of a particular collection:

Get-CMDeviceCollection -Name "All Windows-7 Devices"
Get-CMDeviceCollection -CollectionId "2225000D"

You can also specify the distribution point group name as the parameter to get the list of collections that are associated with the specified distribution point group:

Get-CMDeviceCollection -DistributionPointGroupName "Test Distribution Point Group"

You can also replace the DistributionPointGroupName parameter with DistributionPointGroupID to pass the distribution point group ID as a parameter to the cmdlet.

Similarly, you can use the Get-CMUserCollection cmdlet to get the details of the available user collections in SCCM:

Get-CMUserCollection | Format-Table -AutoSize

It is also possible to read the direct members of any existing collection. PowerShell provides cmdlets to read the direct membership of both device and user collections. We can use Get-CMDeviceCollectionDirectMembershipRule and Get-CMUserCollectionDirectMembershipRule to read the direct members of device and user collections respectively:

Get-CMDeviceCollectionDirectMembershipRule -CollectionName "Test Device Collection" -ResourceID "45647936"
Get-CMUserCollectionDirectMembershipRule -CollectionName "Test User Collection" -ResourceID 99845361

Similarly, PowerShell lets us get the query membership rule by using the Get-CMDeviceCollectionQueryMembershipRule and Get-CMUserCollectionQueryMembershipRule cmdlets for device and user collections respectively. The collection name and rule name need to be specified as parameters to the cmdlet.

The following example assumes that there is already a collection named All Windows-7 Machines associated with the Windows-7 Machines rule name and an All Domain Users user collection associated with the Domain Users query rule:

Get-CMDeviceCollectionQueryMembershipRule -CollectionName "All Windows-7 Machines" -RuleName "Windows 7 Machines"
Get-CMUserCollectionQueryMembershipRule -CollectionName "All Domain Users" -RuleName "Domain Users"

Reading Configuration Manager status messages

We can get status messages from one or more Configuration Manager site system components. A status message includes information of success, failure, and warning messages of the site system components. We can use the Get-CMSiteStatusMessage cmdlet to get the status messages. At the minimum, we are required to provide the start time to display the messages:

Get-CMSiteStatusMessage -ViewingPeriod "2015/02/20 10:12:05"

We can also include a few optional parameters that help us to filter the output according to our requirement. Most importantly, we can use the computer name, message severity, and site code as additional parameters. For Severity, we can use the All, Error, Information, or Warning values:

Get-CMSiteStatusMessage -ViewingPeriod "2014/08/17 10:12:05" -ComputerName XP1 -Severity All -SiteCode P01

So, now we are clear on how to extract collection information from Configuration Manager using PowerShell. Let's now start creating our own collection using PowerShell.

Summary

In this article you have learned how to use PowerShell to get the basic details of the Configuration Manager environment.
