When Configuration Manager Goes Bad! and How Cireson can Help.

Let me start by saying I Love Configuration Manager!

For those of you that don’t know, System Center Configuration Manager is now 25 years old. Brad Anderson recently blogged about it and even celebrated this milestone at Microsoft Ignite.

Personally, my love affair with ConfigMgr started when it was still SMS. (No, not a text message service, but Server Management System.) Over the years, as the product has grown and become more and more powerful, my infatuation with it has continued to increase, and it is now an awesome tool that I cannot imagine doing without.

Before SMS or ConfigMgr, admins would have to visit each machine for updates or for software installs; we had no clue what was installed on which machine, and don’t even get me started on patch management.

Throughout the years more and more functionality has been added to the product to make it more efficient and to solve admin issues time and again, including software deployment, patch management, Operating System Deployment, baseline configuration, inventory reporting, software metering and even antivirus!

However, there is one big issue with all this newfound power. As someone famous once said:

With great power comes great responsibility!

With the power to deploy a single patch to many machines with just one click comes the potential for the disaster of sending the wrong patch to the wrong machines (or worse, the wrong Task Sequence).

Anyone that has been a ConfigMgr admin for any length of time has war stories of when the wrong advertisement was sent to the wrong collection and business was impacted in some way. Many of these stories are small slowdowns or minor interruptions in service, but some are more like “Resume generating events”.

A very public example of this occurred in late July back in 2012. The Commonwealth Bank of Australia (The second largest bank in Australia) was effectively taken “Offline” and unable to open the doors of the majority of their 1,000 branches for trading due to a “Systems Outage”.

The official line from the bank at the time was “a problem with an internal software upgrade”. However, it was reported that “… 9,000 desktop PCs, hundreds of mid-range Windows servers (sources said as high as 490) and even iPads had been rendered unusable….”

Unofficially, a simple mistake by a ConfigMgr admin advertising an OSD Task Sequence to the “All Systems” collection saw teller machines, AD servers and god knows what else reboot and format the hard drive in preparation for installation of a new OS.

While there are no official numbers on the business cost to the bank or the cost of restoring the systems, I think we should all ask ourselves, “What would this type of impact cost your company?”

I don’t want to harp on this individual incident and break down the exact DNA of the outage, others have done this in the past. What I do want to do is talk about how we can make sure this does not happen to us, or at least minimise the potential risk.

How Can We Prevent ConfigMgr Disasters?

The biggest risk we have with ConfigMgr is the lack of control or granularity in the security around deployments, and the lack of limits on which collections can be advertised to.

By default, all admins can send any package to any collection. Role Based Access Control (RBAC) within ConfigMgr does allow for some configuration of administration; however, it is not simple or straightforward to implement and has many limitations.

When an administrator deploys an OS Deployment task sequence to a collection with hundreds or thousands of clients, ConfigMgr warns the admin that the action is a “High Risk” deployment and asks them to confirm the action. However, if the same admin sends patches or software updates to the same collection, no warning is given.

  • What if we could put warnings on ANY deployment type when sent to a collection containing large numbers of computers?
  • What if RBAC was more powerful and easier to use?
  • What if we could keep non-critical personnel out of the ConfigMgr console?
  • What if you could even add a bunch of support tools directly in to a single pane of glass?

Well that’s exactly what the Cireson True Control Center (TCC) does! 🙂

True Control Center is Cireson’s latest version of the Configuration Manager platform and allows organisations to control who sees and does what within Config Mgr, all while making it super easy for them to come up to speed and learn so they can be more productive faster.

So let’s take a look at each of the key points that Config Manager admins and Support Desk managers would be interested in:

Simple and Powerful RBAC

Using super simple RBAC rules it is possible to lock down what computers or users are visible to groups of users. This gives Config Manager admins the ability to limit what users can see and therefore the damage that can be inflicted if someone makes a mistake.

It also allows them to limit the number of applications that can be advertised and the number of computers that can be advertised to at one time. This removes the potential for an analyst to accidentally rebuild all your domain controllers to Windows 7. 🙂

Remote Manage Support Tools for Computers

True Control Center now introduces Remote Manage support tools that provide analysts with a wide range of simple tools to provide targeted and simple support to customers and computers all from within the browser.

Right clicking a computer and selecting Remote Manage provides a vast list of support tools including:

  • Basic Hardware information, including CPU, RAM, OS, Make and Manufacturer.
  • Process list and control. You can see and kill processes on the remote machine.
  • Services list and control. You can see and stop, start or restart services on the remote machine.
  • Client Actions and Logs. Support actions that allow analysts to trigger common support tools for client computers. Such as:
    • Remote Control
    • Client re-install
    • WMI repair
    • Remote PowerShell
    • and much more…


Remote Manage Support Tools for Users

Quite often with Configuration Manager, users in an environment are forgotten about. However, all the users in an AD domain are listed in Configuration Manager and are up to date. Wouldn’t it be great to introduce user tools to allow support actions such as Password Reset, Account Unlock and Software Deployment?

Well now you can!
All from the one tool!


Audit Trail

A common security issue that organisations face is how to audit who, internally, invoked specific actions. The most common example is resetting a user’s password. To allow support staff to reset passwords, an organisation will usually grant them reset-password rights via AD security and then give them access to AD Users and Computers. That user then has access to reset anyone’s password and gain access to their account, and there is no audit trail to show who did what, when.

By using True Control Center to reset or unlock user accounts, there is a single service account that can unlock accounts and reset passwords, and every time an account is unlocked or has its password reset, the event is logged against the specific user account that triggered it.

Simple and Intuitive User Interface

Any of the System Center products, while powerful, are complicated to administer through a complex console interface. Many of the workspaces and navigation nodes are not required by most staff and just add complexity and time to learning the solution.

True Control Center reduces complexity and removes the excess navigation menus that an average support representative would not require. This makes the time to benefit for analysts that are new to the tool very short, allowing them to be effective faster and with less confusion during the required learning curve.

Support Tool Integration

The nirvana of support tools for analysts is a “Single Pane Of Glass” that they can use to log calls, track and update calls, investigate and resolve calls and also report from.

In all my 20+ years of experience with ITSM tools, I can honestly say I’ve NEVER seen an ITSM solution that even comes close to this goal… until now.

With the recent release of v4.8.x of Cireson’s Analyst portal for System Center Service Manager, analysts now have access to all the regular ITSM goodness that the Analyst Portal provides, but now also access to the Remote Manage tools of True Control Center directly from any associated Computer CI!

  • No changing apps.
  • No need for multiple screens.
  • No need for copy and paste of machine names between apps.
  • All while being secure and audited.


But I don’t use System Center Service Manager, I hear you cry. (Why not? I ask…)
Don’t despair: the True Control Center functionality has a flexible API that you can use to create a custom integrated solution in your ITSM tool of choice!

No Console App Required

Traditional use of the Configuration Manager console requires an analyst to install the console on their computer to administer or use the tool’s functionality. This locks the analyst to a specific workstation that they must return to, or remotely access, to achieve even the most basic tasks.

True Control Center is a web based application and can therefore be accessed from anywhere, including mobile devices and even outside the organisation. Analysts can trigger the required events from any browser without the delay and effort of returning to, or remotely accessing, their primary workstation.


True Control Center is an amazing tool that any organisation that runs Configuration Manager should review. It quickly and easily delivers real world benefits to any analyst responsible for the configuration and health of end users and computers.

Reducing time-to-resolution is a constant goal for support organisations and the Cireson True Control Center solution delivers the tools to drive down the time and effort required to achieve the most common tasks all while ensuring security and the ability to audit activity.

Do your support team a favour and get an onsite trial organised today or even try it out in the online demo environment with no need to install a thing.


Custom Open Source Exchange Connector for SCSM

Since 2015 pretty much all of us who use System Center Service Manager (SCSM) have used the Microsoft Exchange Connector v3.1 to capture e-mails coming from end users and turn them into Incidents. It works well and does what it says on the box… But wouldn’t it be great if it did some other things?

What if it could merge replies to prevent multiple work items from being created, or work with encrypted e-mail systems, or even use AI to predict the subject and auto search KB articles for the end user?

All this and be open source so we could customise it ourselves?

That would be special…

Well that’s exactly what one member of the Cireson Community did!

Adam Dzyacky took on this challenge and has now created an Open Source, Community driven, PowerShell coded Exchange Connector that not only preserves the functionality of the Microsoft Exchange Connector but adds additional functionality.

Recently I was lucky enough to sit down with the connector’s creator, Adam Dzyacky, and ask him a bunch of questions about the product, so I thought I’d write a blog post to share with you some questions and answers, including what the genesis of this product was, what its goals are, what its current abilities are and how people can use it today… FOR FREE! 🙂

Question: Where did the idea of this connector come from and what was your thought process behind creating this connector?

Answer: Several years ago when I first got involved with Service Manager and the Exchange Connector I was immediately confronted with a problem – the stock connector only processes a single message type (IPM.Note). As such, any other message type is simply ignored. Out of Office, Meeting requests, Signed/Encrypted messages…all of it.


But hope was not lost because with some PowerShell and SMA, one could create scheduled SMA jobs to pick up what the stock connector missed. It would certainly introduce a new level of administration, but once it’s automated the work is done. I thought to myself:

“Well at least I can curb this with PowerShell so I guess it isn’t that bad.”

But I couldn’t help but shake the feeling that I can’t be the only one who cares about those other message types.

Next, if it wasn’t some new message type I’d have to deal with, it was how the connector worked when it came time to process even those basic emails. Employees replying, within a current processing loop of the connector, to the same thread of a message would generate new and unique Work Items for every single reply instead of simply appending to a single Action Log for a single Work Item.

Since the connector isn’t real time and instead runs every X minutes…well, a lot can happen between runs of the connector! It’s an unpredictable behaviour that requires the team(s) charged with that initial filtering to do a lot of Work Item micro-management, thus detracting from their actual work of Resolving Incidents and fulfilling Service Requests. That’s potentially a lot of duplicate Work Items to close in SCSM, and no less to understand to ignore in reporting.

In this case, supplementary PowerShell and SMA jobs can’t solve this because the Work Items have already been created. The connector would need to be able to understand the concept of an email thread at the source before Work Items are updated.

The above are but the first of many issues I had with the stock connector. It’s not that it isn’t great at what it does, it’s just I wished I could change some of it.

But no matter how much I wished I could change it the Exchange Connector is a sealed, closed source, C# management pack. Even if you could address this at its source, not only would you need an understanding of the C# programming language but you’d also need an in depth understanding of the System Center SDKs.

Question: So what was your plan of attack to fix these issues?

Answer: In February of 2017 I finally had enough of what wasn’t possible and committed my requirements to OneNote.

  • Preserve all functionality of the stock connector
  • Introduce some kind of new functionality over the stock connector
  • Be modular to support new/changing processes
  • Be open source
  • No programming languages – need something more than just developers understand and could ultimately edit

Question: No programming languages? As an admin I love the thought of that. So what was the plan of attack?

Answer: So from here, the decision was straightforward. Build an Exchange Connector written entirely in PowerShell leveraging the widely used community PowerShell module that is SMLets.

On top of that, host on GitHub so that bugs can be tracked, features requested, and anyone can contribute.

If successful you’d be able to drop the stock Exchange Connector, improve performance on your workflow server (especially if you had multiple connectors for multiple inboxes), optionally move the script into an SMA or Azure Automation RunBook, and of course introduce a host of new possibilities, as the only limitation to new features would be PowerShell.

As per Tom Hendrick’s comment in the Cireson Community thread;

“Limitation and PowerShell do not often appear in the same sentence.”

Question: How long did it take you to write the initial version?

Answer: In what probably totals about three weeks of actual focused work – I had the first version done.

Question: Being Open Source means that anyone can contribute to it, but allowing people to contribute and finding people to contribute are two different things. Have you been able to garner support from others to help develop this solution?

Answer: Starting April 2017 I shared this with Tom Hendricks, Brian Wiest, Martin Blomgren, and Leigh Kilday who were gracious enough to provide their time to test and provide feedback for the first release published on GitHub later that month.

Question: So what exactly does it do? What are its features?

Answer: The connector has all of the regular features of the stock Exchange Connector plus new features that fall in to two categories:

  • People who are using SCSM by itself
  • People who are using SCSM with Cireson products

Features if you’re just using SCSM

More keywords

  • Change Requests
    • [hold]
    • [cancel]
    • [take]
  • Incident
    • [take]
    • [reactivate]
  • Problem
    • [take]
  • Service Request
    • [take]
    • [hold]
    • [acknowledge]
  • Manual Activity
    • [skipped]


Just throw [announcement] in your next email to Service Manager and, as long as you’re part of a configurable AD group that’s defined, an Announcement will get created in SCSM. Need to control the priority? Just add an additional #low or #high. Announcements default to normal priority otherwise. And yes, you can update announcements simply by keeping the [Work Item] in the subject.
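As an added illustration of the subject and keyword conventions described above (a [Work Item] reference in the subject, [keyword] actions, #low/#high priority and #private), here is a small PowerShell parser. It is not the SMLets Exchange Connector’s own code; the work item reference format (IR/SR/CR/PR/MA followed by digits) and the rejection of a message carrying both #low and #high are my assumptions.

```powershell
# Added illustrative parser for the e-mail conventions described in the post.
# Not the SMLets Exchange Connector's own code. Assumptions: a work item reference
# looks like [IR1234] (IR/SR/CR/PR/MA plus digits) and a message that carries both
# #low and #high is rejected rather than silently resolved.

# Keyword actions the post lists, plus the Review Activity votes it mentions
$script:KnownActions = @(
    'take', 'hold', 'cancel', 'reactivate', 'acknowledge', 'skipped',
    'approved', 'rejected', 'announcement'
)

function Get-MailDirective {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Subject,
        [Parameter(Mandatory)] [string]$Body
    )

    # A [Work Item] reference in the subject routes the mail to an existing item;
    # with no reference the connector would create a new item (or merge the reply).
    $workItem = $null
    if ($Subject -match '\[(?<id>(IR|SR|CR|PR|MA)\d+)\]') {
        $workItem = $Matches['id'].ToUpper()
    }

    # [keyword] tokens anywhere in subject or body: case-insensitive, de-duplicated,
    # and restricted to the actions the connector understands
    $text = "$Subject`n$Body"
    $actions = @(
        [regex]::Matches($text, '\[(?<kw>[A-Za-z]+)\]') |
            ForEach-Object { $_.Groups['kw'].Value.ToLower() } |
            Where-Object { $script:KnownActions -contains $_ } |
            Select-Object -Unique
    )

    # Priority from #low / #high; normal when neither is present
    $low  = [bool]($text -match '(?i)(^|\s)#low\b')
    $high = [bool]($text -match '(?i)(^|\s)#high\b')
    if ($low -and $high) { throw 'Message contains both #low and #high' }
    $priority = if ($low) { 'low' } elseif ($high) { 'high' } else { 'normal' }

    [pscustomobject]@{
        WorkItem       = $workItem
        Actions        = $actions
        Priority       = $priority
        IsPrivate      = [bool]($text -match '(?i)(^|\s)#private\b')
        IsAnnouncement = ($actions -contains 'announcement')
    }
}

# Constructed sample messages (not real mail)
$reply = Get-MailDirective -Subject 'RE: [sr4521] Laptop replacement' `
    -Body 'Taking this and parking it until the device arrives. [take] [hold] #private'
$reply | Format-List

$notice = Get-MailDirective -Subject 'Mail outage this evening [announcement] #high' `
    -Body 'Exchange maintenance from 18:00, expect delays.'
$notice | Format-List
```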

Minimum File Attachment Size

No more signature graphics as attachments. Set a minimum like 25kb and your Work Items will get a whole lot cleaner.

Maximum File Attachment Size

Optionally enforce File Attachment Settings as defined in the Administration -> Settings pane of each Work Item type.

File Attachment “Attached By” Relationship

When the connector processes messages, the Sender will be marked as the “Attached By” relationship for attachments. This is useful when multiple parties are updating the same Work Item.

Review Activities without [approved] or [rejected]

Do your end users think someone is actually reading the Service Manager inbox, so they respond with questions to RAs? Fret not, because now comments that don’t contain a vote will get appended to the Action Log of the highest Parent Work Item.

Vote on Behalf of AD Groups

Open up a whole new world of voting possibility!

Schedule Work Items

The Scheduled Start/End times of a Work Item can now be set by sending a Meeting request to Service Manager. No Work Item yet? Just like email, if a Work Item doesn’t exist to update, a new one will be created, only now those date fields will be set in addition to the Work Item’s creation.

Digitally Signed/Encrypted Messages

Leveraging the open source MimeKit project the connector can process digitally signed or encrypted emails just like regular mail.

SCOM Integration

Get the health of your [Distributed Apps] and their current Active Alerts.

#private replies

Want to keep the notes between analysts? Just throw in a #private in your message to SCSM and it’ll get marked as Private on the Action Log.

Merge Replies

No more duplicate Work Items because now when users Reply to an email that does not have a [Work Item] in the subject, Service Manager will identify the email thread they were in and update the one, true, correct Work Item.

Create Related Work Items on Closed Work Items

Sometimes employees send an email about a Closed Incident. Rather than turn a blind eye, a New Related Work item will get opened for them and copy information from the previous Work Item into the new one along with their recent comment.

Multiple Inboxes

Configured correctly, you can redirect several inboxes on Exchange to your single Service Manager inbox. On top of this, unique templates can and will still be applied based on the source inbox they were redirected from. Buh bye multiple connectors!

More Default Work Item Types

No reason to limit yourself. The connector can now be configured to create Change Requests or Problems by default. Great for vendors sending maintenance or analysts generating Problems.

Artificial Intelligence

Did you battle with the classic Exchange Connector dilemma of “What should the default work item type be when people send in emails – Incident or Service Request?” Wouldn’t it be great if Service Manager could just decide whether or not it should create an IR or SR based on the Affected User’s perceived attitude? Thanks to Azure Cognitive Services, emails can now be run through Sentiment Analysis and, based on the rating, will dynamically create either a Service Request or Incident based on a minimum defined score as configured per organisation.

Features If You Are a Cireson Customer

Suggest Knowledge Articles

You can optionally enable the connector to use the body of the email as a search query against one’s respective Cireson HTML KB. Once complete, the connector will send an HTML email back to the Affected User with suggested Knowledge Articles and hyperlinks to them.

Suggest Request Offerings

You can optionally enable the connector to use the body of the email as a search query against one’s respective Cireson Service Catalog. Once complete, the connector will send an HTML email back to the Affected User with suggested Request Offerings and hyperlinks to them.

Send Outlook Meeting

The connector supports the ability to create or update Work Items from Meeting Requests. This introduces a New Work Item task on the Cireson portal so you can further leverage this feature.


Just throw [announcement] in your next email to Service Manager and, as long as you’re part of a configurable AD group that’s defined, an Announcement will get created in the Cireson SCSM Portal. Who will see it? Simple – the Distro groups you included on your email message out! Need to control the priority? Just add an additional #low or #high. Announcements default to normal priority otherwise. And yes, you can update announcements simply by keeping the [Work Item] in the subject.

[take] Keyword Restrictions for Support Groups

Maybe you want to put some restrictions on who can [take] things. Leveraging the Cireson Web API this is now possible checking to see if the Sender is part of the Support Group the Work Item is currently assigned to.

Artificial Intelligence

Instead of using the entire email body to suggest Knowledge Articles or Request Offerings to the Affected User, Azure Cognitive Services will pick out the keywords of the message and use those words to drive suggestions. This results in more focused searches and faster processing times.

Question: WOW! That’s a lot. What’s next on the planning table and how can others join in the conversation?

Answer: A few that come to mind are things like creating Work Items on behalf of others through the connector, assigning to yourself on Create, and as GitHub community suggested – integrating with the Cireson Portal Watchlist feature. All of these can be found on the repo’s Issue page.

Speaking just for myself, I’d say that since day 1 I’ve wanted some kind of AI integration, and fortunately Azure Cognitive Services readily provides that through easily consumable APIs. While we have sentiment and keyword analysis in the current version, I think the more interesting topics are things like using their Speech API to convert voicemails to Work Item descriptions or using LUIS to understand intent to drive specific actions within SCSM. But ultimately, it’s just discussion at this point.

Question: How would someone get involved in contributing to the project if they wanted to?

Answer: All it takes is a GitHub account. After you sign up you can Fork the repository. This, in short, creates a duplicate SMLets Exchange Connector under your own account that you can edit and change how you see fit and submit requests to Merge back into the master repository if you want. Cireson Community member Roland Kind has done this to start building a version that makes use of the stock SCSM cmdlets if you prefer that module instead.

An account also gets you the ability to suggest features, post bugs, and join the conversation directly on the Issues page. Maybe you just want to be notified when there are changes? If you put a Watch on the repo you can get email notifications when changes occur. Or if you just want to show your support you can also Star the repository.


The new PowerShell based Open Source Exchange Connector is nothing short of AMAZING!

Thanks go to Adam Dzyacky and anyone else who has contributed to this solution for all the hard work and dedication to get it up and running.

New features get added regularly and there is a vibrant and energetic group of contributors who keep it updated and supported. (Not sure I could say the same about the MS Exchange Connector offering – last updated in 2015.)

While some organisations may have issues with this solution being Open Source and not officially supported by a vendor, I personally think the benefits far outweigh the possible risks. Considering the time and effort we all spend micro-managing the results of the out of the box connector, this new solution will shave tens of hours per week in support effort.

Securing Cireson True Password Reset for Use Over The Internet

Many customers with Cireson’s True Password Reset need to publish the password reset portal external to the organisation, enabling end users to change their domain passwords from anywhere. Publishing the solution externally provides great value and flexibility; however, internet facing web servers create security concerns that MUST be addressed to reduce security risk to the organisation.

In this blog post I will take you through some steps to ensure the security of your site is as high as possible.


The most obvious first step in securing ANY web site is to enable HTTPS (port 443) with a trusted signed certificate. This is ubiquitous throughout the internet nowadays and provides us with a level of assurance that no one has hijacked the communications between the client and the server, therefore preventing replay attacks.

To set the True Password Reset site to accept an HTTPS connection we first must provide it with a certificate to use to secure the communications. For testing you can use a self-signed certificate but for production use it is recommended to use a publicly signed certificate to ensure maximum compatibility regardless of what machine your end users are connecting from.

The easiest way to include a certificate in the True Password Reset site is at installation time. Ensure the certificate is installed on the server(s) that will be hosting the password reset site and select the required certificate at installation time.

This will save the certificate values into the configuration settings to ensure HTTPS is available for end users.



To ensure all users visit the True Password Reset site across a secure channel, we want to enforce HTTPS on the page. To do this we have to disable HTTP protocol, or simply stop Port 80 listening.

To do this:

  • Logon to the server hosting True Password Reset.
  • Within the Password Reset installation folder, open Platform_CiresonPasswordReset.Config in a text editor such as Notepad++.
  • Within the URLS section, remove the value "http://*:80" and ensure "https://*:443" is present.
  • Save the file and restart the CiresonPasswordReset service.

Once this change has been made, if a user navigates to HTTP:// they should be greeted with a 404 Error as the server is no longer responding on that port.


Once we have forced end users to communicate over HTTPS only, we need to make sure that the correct protocols are being used and no outdated ciphers are enabled that may expose weaknesses or open us to known attacks.

So how do we know if our server is secure or not?

The best way to know where you stand is to check your server against some of the free tools that are available on the internet for scanning sites for known issues.

Some examples are:

  • SOPHOS SecurityHeaders.io – Used for checking what response headers are returned from your site to tell browsers and search web crawlers what to and what not to scan and record from your site.
  • Symantec CryptoReport – Used for checking your certificate plus a bunch of server configurations.
  • Qualys SSLLabs – Used for giving an in-depth report on what protocols and ciphers are enabled and what possible attacks can be launched against any weak or outdated configurations.

The top two things you can do to secure your site in relation to protocols and ciphers are:

  1. Disable SSL.
  2. Configure TLS.

To do this I would suggest using a tool called IIS Crypto which is a free tool from Nartac Software. Those of you who are concerned that the name of the tool has IIS in the name and the True Password Reset app does not use IIS, do not despair. The underlying web protocols are intrinsic to Windows, not the web hosting service.

With this tool installed you have two choices for configuring the settings you need:

  • Download the template that I have created to set the exact settings described below.
  • Configure the following settings manually.


The only protocols that should be enabled are:

  • TLS 1.0
  • TLS 1.1
  • TLS 1.2

Uncheck any others.

NOTE: If you wish to score an A+ on Qualys SSLLabs, you will have to disable both TLS 1.0 and 1.1 to prevent the protocol from being able to “Fallback” to other protocols and potentially suffering from a protocol downgrade attack such as POODLE.


The only ciphers that should be enabled are:

  • Triple DES 168
  • AES 128/128
  • AES 256/256

Uncheck any others.


Uncheck the MD5 hash as this is the only one in the list that is known to be weak.

Key Exchanges

All the key exchanges that are listed are fine and can be left enabled.

Cipher Suite Ordering

The order in which your server offers up its cipher suites to browsers can have a significant impact on your implementation of TLS. To take the maximum advantage of the suites shipped with Windows Server 2016 ensure the order of the cipher suites are as follows:

  • TLS_ECDHE_RSA ciphers suites should be first in the list.
  • TLS_DHE_RSA should come after any of the above ciphers.

If you have an elliptic curve digital signature algorithm (ECDSA) certificate, you could move the TLS_ECDHE_ECDSA cipher suites to the top to ensure the most robust cipher is used; however, most of us do not have one of these certificates, so these cipher suites can be disabled to speed up negotiation.

Finally, it is important to ensure that all TLS_DHE cipher suites are disabled. The Diffie-Hellman key exchange cipher is known to have issues that I won’t get into here in this article, but suffice to say it should be disabled on your server.
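To check where a server stands against the protocol, cipher, hash and cipher suite ordering settings described in this section before or after applying them with IIS Crypto, here is an added, read-only PowerShell audit script. It is not Cireson’s or Nartac’s code; it reads the Schannel registry keys that IIS Crypto writes and, where the TLS module is available, the effective cipher suite order, and it assumes the desired state is exactly the list given above.

```powershell
# Added read-only audit of the local Schannel configuration against the settings
# recommended in the post. Not Cireson's or Nartac's code; it changes nothing.
# Run in an elevated PowerShell on the server hosting True Password Reset.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Desired state as listed in the post: $true = enabled, $false = disabled
$wantProtocols = [ordered]@{
    'SSL 2.0' = $false; 'SSL 3.0' = $false
    'TLS 1.0' = $true;  'TLS 1.1' = $true;  'TLS 1.2' = $true
}
$wantCiphers = [ordered]@{
    'Triple DES 168' = $true; 'AES 128/128' = $true; 'AES 256/256' = $true
    'NULL' = $false; 'DES 56/56' = $false; 'RC4 128/128' = $false
    'RC4 64/128' = $false; 'RC4 56/128' = $false; 'RC4 40/128' = $false
}
$wantHashes = [ordered]@{
    'MD5' = $false; 'SHA' = $true; 'SHA256' = $true; 'SHA384' = $true; 'SHA512' = $true
}

function Get-SchannelEnabled {
    # Returns $true/$false when 'Enabled' is explicitly set under the SCHANNEL
    # subkey, or $null when the key or value is absent (Windows then applies its
    # built-in default, which differs between OS versions).
    param([Parameter(Mandatory)] [string]$SubKey)
    # The .NET API is used instead of HKLM: paths because PowerShell's registry
    # provider treats the '/' in names such as 'AES 128/128' as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$SubKey")
    if ($null -eq $key) { return $null }
    try {
        $value = $key.GetValue('Enabled')
        if ($null -eq $value) { return $null }
        return ([int]$value -ne 0)      # 0 disables; 1 or 0xFFFFFFFF enables
    }
    finally { $key.Close() }
}

function Test-SchannelSettings {
    param(
        [Parameter(Mandatory)] [string]$Category,     # 'Protocols', 'Ciphers' or 'Hashes'
        [Parameter(Mandatory)] [System.Collections.IDictionary]$Wanted,
        [string]$KeySuffix = ''                        # '\Server' for protocols
    )
    foreach ($name in $Wanted.Keys) {
        $actual = Get-SchannelEnabled -SubKey "$Category\$name$KeySuffix"
        if ($null -eq $actual) { $state = 'Not set (OS default)' }
        elseif ($actual)       { $state = 'Enabled' }
        else                   { $state = 'Disabled' }
        $wantedState = if ($Wanted[$name]) { 'Enabled' } else { 'Disabled' }
        # An unset key is flagged too: the aim is to pin every setting explicitly
        $status = if ($state -eq $wantedState) { 'OK' } else { 'REVIEW' }
        [pscustomobject]@{
            Category = $Category; Item = $name; Actual = $state
            Wanted   = $wantedState; Status = $status
        }
    }
}

function Test-CipherSuiteOrder {
    # Checks the effective suite order against the two rules in the post:
    # TLS_ECDHE_RSA suites before any TLS_DHE suite, and no TLS_DHE suites at all.
    if (-not (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{
            Check = 'Cipher suite order'; Status = 'SKIPPED'
            Detail = 'Get-TlsCipherSuite is not available on this Windows version'
        }
    }
    $suites = @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
    $lastEcdheRsa = -1; $firstDhe = -1
    for ($i = 0; $i -lt $suites.Count; $i++) {
        if ($suites[$i] -like 'TLS_ECDHE_RSA_*') { $lastEcdheRsa = $i }
        if ($firstDhe -lt 0 -and $suites[$i] -like 'TLS_DHE_*') { $firstDhe = $i }
    }
    $orderOk  = ($lastEcdheRsa -ge 0) -and ($firstDhe -lt 0 -or $lastEcdheRsa -lt $firstDhe)
    $orderSts = if ($orderOk) { 'OK' } else { 'REVIEW' }
    $dheSts   = if ($firstDhe -lt 0) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{
        Check = 'TLS_ECDHE_RSA suites precede TLS_DHE suites'; Status = $orderSts
        Detail = "last ECDHE_RSA index $lastEcdheRsa, first DHE index $firstDhe"
    }
    [pscustomobject]@{
        Check = 'No TLS_DHE suites enabled'; Status = $dheSts
        Detail = "$(@($suites | Where-Object { $_ -like 'TLS_DHE_*' }).Count) DHE suite(s) enabled"
    }
}

$report  = @()
$report += Test-SchannelSettings -Category 'Protocols' -Wanted $wantProtocols -KeySuffix '\Server'
$report += Test-SchannelSettings -Category 'Ciphers'   -Wanted $wantCiphers
$report += Test-SchannelSettings -Category 'Hashes'    -Wanted $wantHashes
$report | Format-Table -AutoSize
Test-CipherSuiteOrder | Format-Table -AutoSize
```

IIS Crypto also writes a DisabledByDefault value next to each protocol's Enabled value; this script only reads Enabled, so treat a "Not set (OS default)" row as a prompt to pin the setting rather than as a pass.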

That’s it.

Hope this guide has been useful.

Thanks to Blue Coat Photos for the post image.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

2018 Tech Trends and Predictions

As another year gets underway and we look forward to another year of technological breakthroughs and industry changing trends we often have to stop and re-evaluate our investments in some technologies and reaffirm our commitment to others.

2017 saw vast swings in technology, with things like a Bitcoin bubble to rival any other bubble in history, amazing advances in Artificial Intelligence, Apple deliberately slowing their phones in an attempt to make us want to buy the “Latest and Greatest” phones, and cyber-attacks at an all-time high, including huge losses of user details across a wide range of companies such as Yahoo, Kmart, Equifax, Imgur, and even Uber.

2018 is shaping up to be even more disruptive as we see early indications of a bubble burst and potential entire collapse of Bitcoin, exciting advancements in mobile phone technology and VR, and one of the most impactful security vulnerabilities to ever hit the industry in the form of the Meltdown and Spectre exploits.

So what are the technologies worth watching out for and looking into, and how may they affect our businesses, our industry or even society itself?

Here are my top 5 that I believe will make huge impacts in 2018.

Block Chain (The tech behind Bitcoin)

Bitcoin has been in the news a lot of late for some good reasons and some bad. More importantly than the massive swings in value of Bitcoin is the technology that makes it all work.

Block Chain is a new way of decentralizing the data required to drive many applications, meaning that our transaction data no longer has to be stored and secured by a specific company (Uber, AirBNB, Twitter, Google, FaceBook etc.). Instead, Block Chain databases allow a transaction (let’s say a driver picking up and dropping off a passenger) to be authenticated, with it all being encrypted, open source, highly available and unable to be altered without anyone noticing.

This technology does not have to be limited to financial transactions, but can also be used to verify the identity of an individual. For example, Australia Post have announced they will be using Block Chain technology within their Digital ID platform.

I think that 2018 will be the watershed year for Block Chain and how it affects the way we in the IT industry think about data and trust across a wide range of applications.

AI, Bots and Digital Assistants

We’ve slowly seen the emergence of digital assistants such as Apple’s Siri, Amazon’s Echo and Alexa, Google’s Assistant and even Microsoft’s Cortana, but these have been more of a novelty than something we rely on in our day-to-day lives.

As AI technology improves, even with basic pattern-recognition improvements and big data mining techniques, these assistants will become more ubiquitous and will really start to make an impact on our daily lives.

We are already seeing the emergence of chat bots in areas such as banking (great examples are Wells Fargo and Australia’s Commonwealth Bank); however, each of these chat bots is specific to its own area of expertise and exposed only to a specific data set that it can answer questions about.

Once we have a way to retrieve all of the required data from all of the companies we interact with, then we are going to see some great leaps ahead in how we interact with companies, consumers and even government agencies.

With access to more machine learning, in 2018 we should start to see proactive skills appear in our digital personal assistants that will notify us of suspect banking transactions, when our friends or pizza delivery are arriving, or when we are due for a health check, or even book all of our flights and accommodation ahead of time to get the best deals.

VR v’s AR v’s MR (Because we need more acronyms in our industry!)

Virtual Reality is awesome!

VR headsets such as the HTC Vive and the Oculus Rift are not new in 2018, but we will see increasing numbers of games and content that are tuned for VR. If you have ever used a VR headset then you will agree that the experience of playing an existing high-end game in VR (such as Fallout 4) is cool but clunky, as the original controls were never built with VR in mind. In 2018, new high-end content built for VR from the ground up will bring a level of realism to games that will literally be game changing. 🙂

Some tech that you may not have played with is AR, or Augmented Reality, especially in the form of the Microsoft HoloLens. I had a chance to try this nearly 2 years ago and the ability to see the real world and augment what you are seeing was revolutionary, but also limited by its field of view etc.

MR, or Mixed Reality, is the next big thing and Microsoft are the leaders in this space with all the lessons they have learnt from HoloLens.

What is MR? Take all the positives of VR but remove the need for pre-mapping a room with special sensors. This opens up the world to a virtual experience without limitations.

2018 will see more innovation and a faster move towards some sort of augmentation of how we perceive the world. It may start with big bulky headsets but rapidly move to helmets, windscreens and regular old glasses before we start wearing them as contact lenses!

If the argument of VR vs MR ever comes to a head, like the good old days of VHS vs Betamax or Blu-ray vs HD DVD, consider me squarely in the MR camp.

Being a System Center tragic, I couldn’t predict technology in 2018 without including some notes about System Center and what I think will be on the horizon for the next 12 months.

System Center Configuration Manager

Everyone’s favourite System Center product would have to be Configuration Manager. This has to be one of the easiest products in the IT industry to predict, as we are not only given the opportunity to vote on the features we want using the UserVoice feedback page, but Microsoft even give us the next version ahead of time with the monthly Technical Preview releases.

One thing that is obvious from Microsoft’s direction is that Intune will become more and more integrated into the product we know and love, making the management of devices outside our perimeter easier and easier.

System Center Service Manager

Microsoft have announced that 2018 will be the year that Service Manager joins Configuration Manager on a regular cadence of six-monthly releases, including new features by the end of 2018. This is fantastic news for the one System Center application that never seems to get the recognition it deserves.

v1801 has already been released, and it adds the first new features we have seen since the 2012 release as well as some much-needed security features, such as support for TLS 1.2.

For example, there is now Azure integration with Azure Action Groups via the IT Service Management Connector that allow you to set up rules to create incident work items automatically in Service Manager for alerts generated on Azure and non-Azure resources.

The authoring toolkit has also already been released and can be downloaded here.

There is no news at this stage on whether Microsoft will release a Technical Preview of Service Manager or host a UserVoice site for end user feedback… We can only hope.


Exciting times!

Microsoft’s New Intune Troubleshooting Portal is a Real Plus For Useful Support

Microsoft’s Intune product is not something that I have blogged much about, in fact this is the first blog I’ve ever written on the product. But that’s all about to change….

Microsoft Intune was originally designed as an online “lite” version of System Center Configuration Manager for smaller organisations with a very mobile workforce. It was very slow to gain much momentum, as many organizations already had System Center Configuration Manager and could not see the value in the product.

Over the years Microsoft have slowly but surely shifted the focus of Intune towards Mobile Device Management, and have even started to integrate it into System Center Configuration Manager in a “Hybrid” configuration. (More on this in later blog posts.)

In late October this year (26th October 2016 to be precise) the Enterprise Mobility and Security team announced a new Troubleshooting Portal for the Azure platform.

This new troubleshooting portal provides analysts with a range of critical data exactly when and where they need it to resolve issues for end users who may be experiencing issues with their Intune connected mobile devices.

As the Microsoft Intune Team says in their announcement blog post:

Having the right data at your fingertips is a must when you’re troubleshooting issues with your end users. Intune’s new Troubleshooting Portal provides a “single pane of glass” for reviewing device status, assignments and policies affecting a user, eliminating the need to click into multiple workloads to diagnose issues.

…this is a big win for IT Pros and Support or Helpdesk workers who want to resolve end user issues faster with less effort.

The user details that an analyst can view for each user are:

  • User status
  • Group assignment
  • Application and policy assignments
  • App protection status
  • Compliance issues
  • Device status
  • Device details (Such as OS type and version)

But I don’t want to give my Helpdesk staff access to my Intune environment!

No worries there.

Intune’s inbuilt Role Based Access Control (RBAC) solution allows admins to grant support and helpdesk staff access to just the items they require and nothing else. The inbuilt Helpdesk Operator role grants members access to end users’ assignments, policies, devices, apps etc., and even lets them see whether devices are registered in AD; in the future you will also be able to see application installation status and the enrollment status of devices.

Getting access to this level of information on the helpdesk at the time of a user’s call to the service desk is very powerful for helping staff resolve issues at first contact and getting your end users back to fully productive work as soon as possible.

If only Configuration Manager had a nice friendly website that we could give easy RBAC access to for Helpdesk and Support staff to get basic troubleshooting information without them needing the console or giving away the keys to the ConfigMgr kingdom……   Oh wait….   I’m sure I’ve blogged about that before…..  🙂


Is Service Manager Dead? NO says Microsoft.

While working with customers to better map out their use of the Microsoft products that they are licensed for, the conversation always drifts to System Center Service Manager and Orchestrator because they are the two products I like talking about most. 🙂

One of the most common questions I get asked is “What’s the future of Service Manager and Orchestrator?”

This was always a hard question to answer because Microsoft have been rather tight lipped about the products and what their futures are…..  until now!

In a recent blog post, Chris Howie wrote about the SCSM Roadmap and future and mapped out exactly what is on the cards for the two beloved products.

In short, SCSM and Orchestrator (along with Data Protection Manager, Virtual Machine Manager and Operations Manager) will be moving to the same “Semi-Annual” release cycle that System Center Configuration Manager moved to more than 2 years ago.

Chris Howie put it perfectly:

Why is this important? By releasing these products more frequently, the rest of System Center can now leverage the development agility that Configuration Manager has – meaning additional features and fixes released more frequently. On the flip side of that, this means the roadmap fundamentally changes as well. If features and fixes are being released semi-annually, it makes sense that the next set of features have about the same visibility. This means that the days of 3 year roadmaps for any System Center product are gone.

What does this mean for you? System Center Service Manager and Orchestrator are still being developed and are part of this new release cycle along with the rest of System Center. Some semi-annual updates will only have fixes and some will have additional functionality. The features that get added to the entire suite each cycle will depend on customer demand and will be prioritized as such.  The products which receive enhancements will likely vary each time. All products are therefore still fully supported.

What you may also have missed is another post on the Microsoft Hybrid Cloud blog back on 15 June 2017. The Microsoft Windows Server Team wrote about this faster release cadence, but only in general terms; one cool item that was buried in this post was the fact that:

We also recently announced the ability to send incident data to Service Manager from Azure.

Now that’s cool.

The one thing that we can do as fans of System Center is to participate in the System Center Tech Community and UserVoice forums, to provide feedback to the product teams and help influence what is released in upcoming versions.

Please keep it coming Microsoft.

SCSM SLOs 101

I’m frequently asked about SLOs when I do consulting work, and I realised that many people may not fully understand how SLOs work and the key pieces that have to be in place, not only to get them working as we expect but to do it efficiently so they do not adversely impact performance on our SCSM environment.

What is an SLO?

An SLO within ITIL is derived from a Service Level Agreement (SLA): a contract or agreement negotiated between you as a service provider and your customer(s). The SLA describes the service and specifies the responsibilities you will deliver to the customer. You might use a single SLA across several services or even customers, depending on your business model.

A simple example of an SLA might be that we agree to resolve a priority 1 rated incident in 4 hours.

A more complicated example might be that we agree to provide a 99.99% up time for a service.

What Components Make Up an SLO within SCSM?

To create an SLO within SCSM we need four components:

  1. A metric to measure
  2. A Queue to apply it to
  3. A calendar that defines our “Work Hours”
  4. A time set against the metric

Creating a Metric in SCSM

A metric, within SCSM, is defined by any two date/time properties of a work item that can have a time difference between them.

For example: The Creation time and Resolution time of an Incident or Service Request.

The Metric is used as the point of measure for the workflow to use when displaying or reacting to a warning or breach event.

Out of all the SLOs I’ve seen, the most common two are IR First Contact and IR Resolution.

Creating a Queue in SCSM

Not all SLOs apply to all Work Items.

To limit which SLOs apply to which Work Items, we need to group together the Work Items that we want to apply the SLO to.

Creating a Queue is a way of grouping together a given type of work item based on criteria that you choose.

Common examples used for Queues are:

  • Priority based queues (P1, P2, P3 etc.)
  • Category based queues (Server, Desktop, Network etc.)

The most critical thing to watch when creating Queues is to select a class that has the minimum number of relationships you need to achieve your goal. Selecting the “Incident (Advanced)” combination class for all Incident-based Queues is the leading cause of SCSM slowdowns that I have seen.

Creating a Calendar in SCSM

The calendar is used to ensure that the SLO is only calculated while support staff are at work and not over weekends or overnight (if you don’t work in a 24×7 organization).

You can have multiple calendars if you have different support groups working different hours, but for most organizations there is a single support schedule that the entire team works to.

Creating an SLO in SCSM

To create an SLO you have to have all of the prerequisites created and available.

The SLO is then just a case of selecting the time to set against the metric type and applying it to a given queue.

Within the SLO creation wizard you will be asked for both a warning time and breach time.

The warning time triggers an event a given time before the SLO breaches, allowing you to have an e-mail sent to the relevant parties to give them fair warning that the Work Item needs to be worked on.

Breach time triggers an event at the time of the breach and can be used to notify management or an escalation team if required.
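As an added example (not from the original post, and not SCSM’s own code), the PowerShell below models how the four components above fit together: the metric is the working time between two timestamps, the calendar pauses the clock outside work hours, and the warning and breach times are projected forward through that calendar. The calendar (Monday to Friday, 08:00 to 18:00) and the incident timestamps are assumptions constructed for the example.

```powershell
# Added example, not from the original post and not SCSM code.
# Calendar assumption for this example: Monday-Friday, 08:00-18:00 local time.
$WorkDays = @('Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday')
$DayStart = [timespan]::FromHours(8)
$DayEnd   = [timespan]::FromHours(18)

function Get-WorkingElapsed {
    # The metric: working time between two timestamps, counting only calendar hours.
    param([datetime]$Start, [datetime]$End)
    $elapsed = [timespan]::Zero
    $cursor  = $Start
    while ($cursor -lt $End) {
        $dayStart = $cursor.Date + $DayStart
        $dayEnd   = $cursor.Date + $DayEnd
        if ($WorkDays -contains $cursor.DayOfWeek.ToString() -and $cursor -lt $dayEnd) {
            $from = if ($cursor -gt $dayStart) { $cursor } else { $dayStart }
            $to   = if ($End -lt $dayEnd) { $End } else { $dayEnd }
            if ($to -gt $from) { $elapsed += ($to - $from) }
        }
        $cursor = $cursor.Date.AddDays(1)   # next day, midnight
    }
    return $elapsed
}

function Get-SloDeadline {
    # Walks forward from $Start until $Target working time has been consumed,
    # skipping nights and non-work days exactly as the calendar would.
    param([datetime]$Start, [timespan]$Target)
    $remaining = $Target
    $cursor    = $Start
    while ($true) {
        $dayStart = $cursor.Date + $DayStart
        $dayEnd   = $cursor.Date + $DayEnd
        if ($WorkDays -contains $cursor.DayOfWeek.ToString() -and $cursor -lt $dayEnd) {
            $from      = if ($cursor -gt $dayStart) { $cursor } else { $dayStart }
            $available = $dayEnd - $from
            if ($available -ge $remaining) { return $from + $remaining }
            $remaining -= $available
        }
        $cursor = $cursor.Date.AddDays(1)
    }
}

function Get-SloTimes {
    # The SLO itself: a breach time and a warning time set against the metric.
    param([datetime]$Created, [timespan]$Breach, [timespan]$Warning)
    [pscustomobject]@{
        Created   = $Created
        WarningAt = Get-SloDeadline -Start $Created -Target ($Breach - $Warning)
        BreachAt  = Get-SloDeadline -Start $Created -Target $Breach
    }
}

# Constructed example: a Priority 1 incident logged at 16:00 on Friday 19 January 2018,
# with a four-working-hour resolution target and a warning one hour before breach.
# Only two working hours remain on Friday, so the clock stops at 18:00 and resumes on Monday.
$created = [datetime]'2018-01-19T16:00:00'
Get-SloTimes -Created $created -Breach ([timespan]::FromHours(4)) -Warning ([timespan]::FromHours(1))

# The metric side of the same work item: working time elapsed at a later moment.
Get-WorkingElapsed -Start $created -End ([datetime]'2018-01-22T09:30:00')
```

Swap `$WorkDays`, `$DayStart` and `$DayEnd` for a second calendar to see how a different support group’s hours move the same work item’s warning and breach times.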

How to (and How Not to) Use SLOs in Day-to-Day Operations

In this author’s opinion, for MOST organizations, SLOs are not required and provide nothing more than a false sense of security in reports and a great source of anxiety for support staff.

I only advise customers to implement SLOs if they have strict, contractually binding service levels that they must achieve under penalty of contract breach or financial fine.

If your organization wishes to use SLOs purely as a reporting measure after the fact, then I suggest you use advanced reporting features to tease this information out of the data, rather than placing the stress of the SLO clock on the support staff.

In a future post I will also offer an opinion on why I believe SLOs for most organizations are terrible and should be killed with fire… But that’s another post 😉

Hidden SCSM Console Shortcuts

After working with SCSM for 6 years now, I thought that there were pretty much no new surprises left for me within this product that, let’s face it, gets new features about as often as politicians do something right.

So it was with much celebration and rejoicing that I was informed of a hidden trick within the SCSM Console that we all love to hate.

A good friend and fellow SCSM tragic Shayne Ray contacted me today to share what he found.

While doing some work jumping from the SCSM Console to the Cireson Service Manager portal, Shayne hit Ctrl+F5 to refresh the browser however, the focus at the time was on the SCSM console and he found something remarkable. A quick search around the interwebs finds a few mentions of it from others but nothing official from Microsoft, so I thought I’d do a quick write up of it all.

While in the console, in any location, if the analyst presses any of the following key combinations, the corresponding action is invoked:

  • Ctrl+F1 – Opens a new default Incident form
  • Ctrl+F2 – Opens a new Incident from a template
  • Ctrl+F3 – Opens a new Request Offering from a template
  • Ctrl+F4 – Opens a new Service Request from a template
  • Ctrl+F5 – Opens a new Change Request from a template
  • Ctrl+T – Hides or shows Tasks pane
  • Ctrl+F – Opens the Advanced Search window
  • Ctrl+D – Hides or Shows the Details Pane
  • Ctrl+1 – Selects the Administration Workspace
  • Ctrl+2 – Selects the Library Workspace
  • Ctrl+3 – Selects the Work Items Workspace
  • Ctrl+4 – Selects the Configuration Items Workspace
  • Ctrl+5 – Selects the Data Warehouse Workspace
  • Ctrl+6 – Selects the Reporting Workspace
  • Alt+F1 – Hides or Shows the Navigation pane

You learn something new every day! 🙂

Cireson Software Asset Management – Tracking Operating Systems

The question of tracking Operating Systems within the Cireson Asset Management solution came up the other day and I thought I’d put together a quick blog post to cover off why we would do this and more importantly how.

Why Track OS Versions in Asset Management?

First off, I think it is important to ask yourself why you would want to track Operating Systems within your organisation, as it might not give you any metrics or data that are useful to you.

For example: if your organisation has an Enterprise Agreement with Microsoft that covers Windows for all of your PCs, then why do we need to report on it? If we know for sure that we are covered regardless of which version of the OS is used, then there are no useful reports that we can gain about licensing of OSs.

However, we could get some reports about how our upgrades are going or if a particular threat is seen for a specific OS we could quickly report on what our exposure would be.

So the first thing that you really need to do is determine whether it is worth tracking Operating Systems before investing time and effort into setting these up.

How to Track OS Versions in Asset Management

If we have decided to track OS versions then we need to make sure we cover all OSs that we want to track by creating a Software Asset for each of the branches that we want to track.

For example: if you want to track just major versions (Windows 7, 8, 10) then it is possible to create a Software Asset for each of these without needing to go any lower.

However, if you are trying to ensure workstations are up to date, then you will have to create a Software Asset for each SKU of the Windows OS (e.g. Windows 10 Home, Windows 10 Enterprise).

Once all individual OSs are tracked, I would also suggest creating two Software Assets called “All Windows Desktop OS’s” and “All Windows Server OS’s”. These will have bundle rules for all of the OSs so you can track licensing if you have a limited number of OS licenses.

Below is a list of OSs that could be tracked, but it is up to the individual which ones to use.

Server OSs

Microsoft Windows Server 2003 Enterprise Edition R2
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Standard Edition R2
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2008 Enterprise
Microsoft Windows Server 2008 R2 Enterprise
Microsoft Windows Server 2008 R2 Standard
Microsoft Windows Server 2008 Standard
Microsoft Windows Server 2012 Datacenter
Microsoft Windows Server 2012 R2 Datacenter
Microsoft Windows Server 2012 R2 Standard
Microsoft Windows Server 2012 Standard
Windows Server 2016 Datacenter
Windows Server 2016 Standard

Desktop OSs

Microsoft Windows 10 Enterprise
Microsoft Windows 10 Pro
Microsoft Windows 7 Enterprise
Microsoft Windows 7 Professional
Microsoft Windows 7 Ultimate
Windows 7 Enterprise
Windows 7 Professional
Windows 7 Ultimate
Microsoft Windows 8 Enterprise
Microsoft Windows 8 Professional
Microsoft Windows 8.1 Enterprise
Microsoft Windows 8.1 Professional
Microsoft Windows Vista
Windows XP Professional
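As an added example (not from the original post, and not Cireson’s or ConfigMgr’s own code), the PowerShell below normalises operating-system names like those in the list above into the groupings the post recommends (per SKU, per major version, and the two “All Windows … OS’s” bundles), and runs the kind of exposure report mentioned earlier for a threat that affects specific OS versions. The inventory records and the list of affected versions are constructed for the example.

```powershell
# Added example, not from the original post and not Cireson/ConfigMgr code.
# Hostnames, OS captions and the affected-version list below are all constructed.

function ConvertTo-OsRecord {
    param([string]$Caption)
    # Inventory records the same product with and without the "Microsoft " prefix
    # (compare "Windows 7 Enterprise" and "Microsoft Windows 7 Enterprise" above),
    # so strip it before grouping.
    $name   = $Caption -replace '^Microsoft\s+', ''
    $family = if ($name -match '^Windows Server') { 'Server' } else { 'Desktop' }
    $version = 'Unknown'
    if ($name -match '^Windows (Server )?(?<v>\d{4}( R2)?|\d+(\.\d)?|Vista|XP)\b') { $version = $Matches.v }
    # Some captions put "R2" after the edition ("2003 Standard Edition R2"); fold it in.
    if ($name -match '\bR2\b' -and $version -notlike '*R2') { $version += ' R2' }
    [pscustomobject]@{ Caption = $Caption; Name = $name; Family = $family; Version = $version }
}

function Get-OsReport {
    # Counts per SKU (for upgrade tracking), per major version, and per bundle.
    param([string[]]$Captions)
    $records = $Captions | ForEach-Object { ConvertTo-OsRecord -Caption $_ }
    [pscustomobject]@{
        BySku     = $records | Group-Object Name | Select-Object Name, Count | Sort-Object Name
        ByVersion = $records | Group-Object Family, Version | Select-Object Name, Count | Sort-Object Name
        Bundles   = $records | Group-Object Family | ForEach-Object {
                        [pscustomobject]@{ Bundle = "All Windows $($_.Name) OS's"; Count = $_.Count }
                    }
    }
}

function Get-OsExposure {
    # Machines whose OS version is in a list of affected versions (e.g. from an advisory).
    param([hashtable[]]$Inventory, [string[]]$AffectedVersions)
    $Inventory | ForEach-Object {
        $os = ConvertTo-OsRecord -Caption $_.OS
        if ($AffectedVersions -contains "$($os.Family) $($os.Version)") {
            [pscustomobject]@{ Computer = $_.Computer; OS = $os.Name; Version = $os.Version }
        }
    }
}

# Constructed inventory extract: hostnames and captions are made up for the example.
$Inventory = @(
    @{ Computer = 'WS-001';  OS = 'Microsoft Windows 7 Enterprise' },
    @{ Computer = 'WS-002';  OS = 'Windows 7 Enterprise' },
    @{ Computer = 'WS-003';  OS = 'Microsoft Windows 10 Enterprise' },
    @{ Computer = 'WS-004';  OS = 'Microsoft Windows 8.1 Professional' },
    @{ Computer = 'SRV-001'; OS = 'Microsoft Windows Server 2008 R2 Standard' },
    @{ Computer = 'SRV-002'; OS = 'Windows Server 2016 Standard' },
    @{ Computer = 'SRV-003'; OS = 'Microsoft Windows Server 2003 Standard Edition R2' }
)

$report = Get-OsReport -Captions ($Inventory | ForEach-Object { $_.OS })
$report.BySku; $report.ByVersion; $report.Bundles

# Constructed advisory: which machines run an affected version?
Get-OsExposure -Inventory $Inventory -AffectedVersions @('Desktop 7', 'Server 2008 R2')
```

The per-SKU grouping is what a Software Asset per edition gives you, the per-family grouping is what the two bundle assets give you, and the exposure function is the query you want ready before the next advisory lands rather than after.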

How to Enter OS Versions in Asset Management

Now all you have to do is enter these into Cireson Asset Management and we are done, right?

Not so fast.

We have a few options to play with here, including an option called “This is an OS”. It seems fairly obvious that we would select this, right?

Not so much.

This option looks in a separate location of the ConfigMgr data instead of the Add or Remove Programs list, but the Windows OS is also recorded in the Add or Remove Programs list and can often have more detail, so it is better not to use this option.

Entering Software Assets one at a time can be a challenge and take a lot of time, so to make it easier, here is an Excel file filled with all the information you need to make this happen by importing via Cireson Asset Import, or Cireson Asset Excel.


Happy reporting.

A New Way to Look at System Center Configuration Manager

If you are like me and have spent many years (even decades) looking at the Configuration Manager console, you probably can’t imagine that there could be any other way to do your work on a day-to-day basis. Navigating the Configuration Manager console becomes second nature after a while and we don’t really think about it.

However, what if there was a new way to look at the Configuration Manager console that was easy to teach new staff members to learn and use, gives staff members access to just the features they need (and no more) and is available everywhere we need it without needing an app installed?

Well now there is!

Cireson, Your System Center Experts, have announced the Cireson Portal for Configuration Manager. It is a web-based experience to help manage and standardise daily tasks outside of the native Configuration Manager Console. This new approach to the ConfigMgr console empowers everyone on your IT team with anywhere, anytime access to inventory data, collection membership, software management and deployment, OSD management and deployment, and more.

Full Disclaimer: At this point I want to make the disclaimer that I work for Cireson. I also want to point out that I have worked with ConfigMgr since SMS v2.0 and that I will try my utmost to not let my involvement with Cireson colour my judgement of this tool and what it means for the SysAdmin’s daily workload.

With that out of the way… This product is the best thing since ADRs!

Any admin who uses ConfigMgr on a daily basis knows what a HUGE relief it was when we got Automatic Deployment Rules (ADRs) in the 2012 release of ConfigMgr. It saved us hours of packaging, testing and mucking about. In my opinion, the Cireson Portal for Configuration Manager is the most important innovation in the administration of ConfigMgr since ADRs were introduced.

Why am I so confident about this portal and its claims? The answer is that its build is being directed and overseen by Wally Mead himself. Anyone involved in the Configuration Manager world for more than 5 minutes knows who Wally is, but in case you don’t: Wally was involved with the ConfigMgr product within Microsoft for 22 years and literally wrote the book on all things ConfigMgr. So when I say this solution has pedigree, you know I mean it.

Enough talk, let’s take a look at some of the ways the Configuration Manager Portal changes the way people will use and interact with ConfigMgr on a daily basis.

If you are a ConfigMgr admin in Australia, no doubt you know, and often tell stories at dinner parties, about the incident where “SCCM Task Sequence blew up Australia’s CommBank”, also reported as “Disastrous patch cripples CommBank”. Many ConfigMgr admins shudder at the thought of how easy this mistake was to make, and often bring it up when explaining to their managers why they don’t want to give Service Desk or other IT teams access to the ConfigMgr console.

The Configuration Manager Portal is designed to give Configuration Manager Admins what they have always dreamed of… a way to easily give others access to the parts of Configuration Manager they require and nothing else! With the Configuration Manager Portal, Admins can easily configure targeted access for different Analyst Groups using Role-Based Access Control (RBAC) so that these Analysts can add Configuration Manager to their tool belt and maximise the value they bring to the business without the keys to the kingdom….   and potential disaster.

At its core, the Configuration Manager Portal is a web-based portal, so there is no Configuration Manager Console deployment that needs to be created and maintained. It is also a simplified interface that is easy and intuitive to use, reducing the time required to train Analysts.


Easy to scope security for all support teams

Don’t get me wrong, the Configuration Manager Portal is not designed to replace the out-of-the-box (OOB) Configuration Manager Console for actual Configuration Manager Administrators. The traditional console has everything an admin needs, not only to operate day-to-day, but also to upgrade, plan, expand, migrate etc. But for non-admins, or non-admin tasks, the Configuration Manager Portal is perfect to get in and get the job done.

What about a specific example?

For many organisations, the Service Desk (Level 1 Support) is a volume business. Time management and efficiency are the keys to success for incident and request triage, first-call resolution, and escalation. Correctly gathering and analysing the required information about an incident or service request in an expedient manner allows for faster resolution or fulfilment of service.

Leveraging the Cireson Portal for Service Manager with the Configuration Manager Portal gives Service Desk Analysts the tools they need to gather and analyze the info they need to do their jobs more efficiently. Upon receiving an Incident Request, they can quickly use the Configuration Manager Portal to gain information on affected resources such as:

  • User Device Affinity lookup and edit
  • Current Inventory
  • Software Deployment Status

The Service Desk Analyst can also use the Configuration Manager Portal to initiate a Software Deployment on demand, if you as the admin allow it via RBAC rights.


Simple console interface from any browser

What about Desktop Support or the Server team?

Desktop Support staff spend much of their time away from their assigned workstations resolving issues and providing services at the end user’s location. Having to access a locally installed Configuration Manager Console can add unnecessary time when needing to get the end user back to being productive. Server Support teams put a premium on time, especially when dealing with server outages. Therefore, Server Analysts need quick access to information and remediation tools for servers either from their desk or in the Data Center, and sometimes from remote locations.

Having a web based ConfigMgr console allows Desktop and Server teams to:

  • Get software update status and apply patches when necessary
  • Deploy or upgrade software, if required
  • Deploy a new OS Image to a computer or server
  • Migrate a computer to a new OS (such as Windows 10 + Office 365) using MDT
  • View reporting for all of the above

Easily deploy software, even when not at your desk.

Finally, Managers can easily report and track the overall health of the organisation using simple to access dashboards to get a high level view of the entire IT operation.

Watch a sneak peek of the solution featuring Cireson Co-Founder, Shaun Ericson, and Microsoft MVP, Wally Mead. View now.

The Cireson Portal for Configuration Manager will be generally available in early 2017. Learn more and sign-up for first-priority access here.