About the sccm-ts-scripts repo

Purpose

The purpose of this repo is to host scripts that will be downloaded and used on the fly in SCCM Task Sequences (TSes).

Rules

1. Don't keep scripts here which will not be used in SCCM TSes.
2. Name scripts in all lowercase, with dashes for word separators, preferably using the verb-noun[-noun].ext convention.
3. This repo is for version control of text-based scripts and configuration files. Don't upload non-text files such as images, or other dependencies such as executables. Keep those on \\engr-wintools.
4. Scripts which have associated text/configuration files should go in their own directory, named after the script if possible.
5. This repo is public. Don't contribute scripts which have confidential information. See the Securing Credentials section below for info on how to use credentials in TSes and scripts.
6. Powershell scripts are preferred. It's really quite easy to translate batch scripts to Powershell, and they will be much cleaner and more flexible.

Usage

There's two basic ways to use these scripts during a task sequence:

Method 1: Download a zip of the entire repo and run scripts locally

This is probably the preferred method. Advantages are that it will be faster, makes running each script much simpler, and reduces the number of connections to GitLab, thus reducing failure points. The disadvantge, if you want to call it one, is that you may end up with a bunch of unneccessary scripts downloaded locally, if you're only going to use one or two.

How to do it

1. See the Dependencies section below
   
   

2. To download the repo zip locally Create a Run PowerShell Script step with the following code:

# Get local directory paths
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$scriptDir = $tsenv.Value('EngrIT_ScriptsGoHere')
$logDir = $tsenv.Value('EngrIT_LogsGoHere')

# Logging
$log = "$logDir\download-scripts-from-repo.log"
function log($msg) {
	$timestamp = Get-Date -UFormat "%Y-%m-%d %H:%M:%S"
	"[$timestamp] $msg" | Out-File $log -Append
}
log "Downloading scripts from repo..."

# Full master branch zip file
$zipURL = "https://gitlab.engr.illinois.edu/engrit-epm-public/sccm-ts-scripts/-/archive/master/sccm-ts-scripts-master.zip"
log "Zip URL: $zipURL"
$zipFilename = $zipURL.Substring($zipURL.LastIndexOf("/") + 1)
$zipDirname = $zipFilename -Replace ".zip",""
$zipDir = "$scriptDir\$zipDirname"
log "Zip filename: $zipFilename"


# Download zip and save to x:\engrit\scripts
$zipPath = "$scriptDir\$zipFilename"
log "Zip destination: $zipPath"

log "Downloading..."
Invoke-WebRequest -Uri $zipURL -OutFile $zipPath | Out-File $log -append
log "    Done."

# Extract zip
log "Extracting..."
Expand-Archive -Path $zipPath -DestinationPath $scriptDir | Out-File $log -append
log "    Done."

# Move scripts out of archive subdirectory into root x:\engrit\scripts directory
log "Moving scripts up a directory, out of the archive-named directory..."
Move-Item -Path "$zipDir\*" -Destination $scriptDir
Remove-Item $zipDir
log "    Done."

log "EOF"

3. To run one of the scripts, create a Run PowerShell Script step with the following code:

# Specify script here
$scriptName = "build-software-string.ps1"



# Don't edit
# ---------------------------------------------------------------------------------------------------
# Get TS variables
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$scriptDir = $tsenv.Value('EngrIT_ScriptsGoHere')
$script = "$scriptDir\$scriptName"
$logDir = $tsenv.Value('EngrIT_LogsGoHere')
$log = "$logDir\$scriptName.log"
# ---------------------------------------------------------------------------------------------------



# Run script
# No need to edit unless you need to add parameters
Powershell -ExecutionPolicy ByPass -File "$script" > "$log" 2>&1

Method 2: Download individual script files and run them

This is also possible, but has the disadvantages of being slower, potentially relying on multiple connections to GitLab, thus increasing failure points, and complicating individual steps that run scripts.

How to do it

1. See the Dependencies section below
2. WIP

Dependencies

The examples above rely on one or more of these custom task sequence variables and local directories. The variables aren't strictly necessary, and you can replace them with hard-coded paths, but they greatly simplify things.

• Before the Apply OS step
  • EngrIT_LogsGoHere = x:\engrit\logs
  • EngrIT_ScriptsGoHere = x:\engrit\logs
• After the Apply OS step
  • Copy x:\engrit to c:\engrit
  • EngrIT_LogsGoHere = c:\engrit\logs
  • EngrIT_ScriptsGoHere = c:\engrit\scripts
• EngrIT_TSRepo = https://gitlab.engr.illinois.edu/engrit-epm-public/sccm-ts-scripts

How to reference variables

Most text fields in a task sequence can simply reference task sequence variables using the %Variable_Name% syntax. This is not the case in the script editing window of a Run PowerShell Script step, as all text there is interpreted as Powershell code.

To reference a task sequence variable in powershell code, use the following syntax:

# Gain access to the TS environment variables
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

# To read a TS variable
$foo = $tsenv.Value('EngrIT_Foo')

# To set a TS variable
$tsenv.Value('EngrIT_Foo') = "bar"

Securing Credentials

Credentials should never be stored in plain text in scripts. If you need to use credentials in a script, such as service account credentials you should:

1. Store the credentials in a "protected" TS variable.
2. Pass the TS variable to the script as a parameter, or simply access the protected variable directly within the script, as shown above.
3. Never write/output the credentials to the screen/pipeline/a file.

Notes

WIP