POSH for adding Security Updates to a Software Update Group in CM12

Ever used the ADR (Automatic Deployment Rules) functionality in CM12? Use it! Granted, the search engine in there could use some work, but it's probably the best feature that was added in CM12! I have to give my buddy Mason credit for this, for he has a lot to do with this addition :).

Anyway, we leverage ADRs in our environment simply for downloading the monthly patches. Then we just turn around and add these downloaded patches to our monthly patching groups, which have a deployment set on them. Well ok, we’ve automated the monthly downloads; now I wanted to automate the group membership addition step too, for managing and patching our own servers. So how do we do that without having to recreate the patch deployment to our servers, or kicking off the patch installs on our servers right away and impacting them? Granted, we have maintenance windows set for them, but we still wanted to tightly control this process and set the deployment deadline time appropriately in the future. So the answer is: we set the update deployment to our Pilot collection first (to avoid impact), then add the newly downloaded patches from the ADRs to our group. Then we modify the existing deployment’s deadline time later, once the pilot servers are validated.

So the POSH script below is what I had put together for this process. After the ADRs are done downloading, the intent is to run this script, and here’s what it does:

  1. Loads the CM12 PS module and connects to the CAS
  2. Sets or points the existing deployment to our pilot collection
  3. Then it grabs the downloaded updates from the ADR groups, and adds them to our Software Update Group

NOTE: You can change that Pilot collection to an empty collection, for added safety. The script also ensures that Itanium updates are not added. Every now and then, those clowns get added to our group somehow, so this should avoid that. Oh, this would also go hand in hand with my other script/posting “Posh to remove expired and/or superseded updates from a CM12 Software Update Group”.

Use it at your own risk! :)
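
The three steps listed above, sketched as an added example (this is not the author's script, which is not reproduced on this page). The server, site code, group, deployment and collection values are placeholders, and step 2 assumes the deployment can be retargeted by writing `TargetCollectionID` on its `SMS_UpdateGroupAssignment` WMI instance.

```powershell
# Added example, not the author's script. All names and IDs below are placeholders.
param(
    [string]$SiteServer        = 'CAS01',
    [string]$SiteCode          = 'CAS',
    [string]$AdrGroupName      = 'ADR - Monthly Security Updates',
    [string]$TargetGroupName   = 'Servers - Monthly Patching',
    [string]$DeploymentName    = 'Servers - Monthly Patching',
    [string]$PilotCollectionId = 'CAS00001'
)
$ErrorActionPreference = 'Stop'

# 1. Load the ConfigMgr module that ships with the admin console and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# 2. Point the existing deployment at the pilot collection BEFORE the group changes,
#    so newly added updates cannot reach production servers early.
$deployment = @(Get-WmiObject -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" `
    -Class SMS_UpdateGroupAssignment -Filter "AssignmentName='$DeploymentName'")
if ($deployment.Count -ne 1) {
    throw "Expected exactly one deployment named '$DeploymentName'; nothing was changed."
}
$deployment[0].TargetCollectionID = $PilotCollectionId
$deployment[0].Put() | Out-Null

# 3. Copy updates from the ADR group into the target group, skipping Itanium
#    updates and anything the target group already contains.
$existing = @(Get-CMSoftwareUpdate -UpdateGroupName $TargetGroupName | ForEach-Object { $_.CI_ID })
$toAdd = @(Get-CMSoftwareUpdate -UpdateGroupName $AdrGroupName | Where-Object {
    $_.LocalizedDisplayName -notmatch 'Itanium' -and $existing -notcontains $_.CI_ID
})
foreach ($update in $toAdd) {
    Add-CMSoftwareUpdateToGroup -SoftwareUpdateId $update.CI_ID -SoftwareUpdateGroupName $TargetGroupName
    Write-Output ("Added: {0}" -f $update.LocalizedDisplayName)
}
Write-Output ("{0} update(s) added to '{1}'." -f $toAdd.Count, $TargetGroupName)
```

Because step 2 throws before anything is written when the deployment lookup is ambiguous, the group is never modified while the deployment still targets production.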


CMCB, PowerShell


POSH to import new machine objects for imaging along with OSD Variables

For the longest time, I couldn't find a good way to quickly and easily import a machine in CM12 for imaging along with the necessary OSD variables to properly image our servers/workstations. Now that we have CM12 R2, a new cmdlet "New-CMDeviceVariable" is put to use! Here's a POSH I put together for importing new machine(s) in CM12 along with OSD variables. It reads the .CSV file you provide (you will be prompted for its path and name) and imports the machines that are in that file, line by line. This script also detects which domain you're in, so you can set certain variables depending on, let's say, whether you're working in your Lab or in your Production environment. Just crack this posh open and change the necessary variables in there to match your settings. Below is the script, along with a sample .csv with required formats.
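
An added sketch of the import flow described above (not the author's script or sample file, which are not reproduced on this page). The CSV layout, collection names, domain pattern and the `OSDJoinPassword` variable are assumptions made for illustration.

```powershell
# Added example, not the author's script. CSV layout and all names are assumptions.
# Constructed sample CSV: the first two columns identify the machine, the rest become OSD variables.
#   Name,MacAddress,OSDComputerName,OSDDomainOU,OSDJoinPassword
#   SRV-WEB01,00:15:5D:00:0A:01,SRV-WEB01,"OU=Web,OU=Servers,DC=lab,DC=example",<placeholder>
param(
    [string]$SiteCode = 'CAS',
    [string]$CsvPath  = (Read-Host 'Path and name of the .csv file')
)
$ErrorActionPreference = 'Stop'
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
$rows = Import-Csv -Path $CsvPath      # read while still on the file system drive
Set-Location "$($SiteCode):"

# Pick per-environment settings from the domain this workstation is joined to.
$domain     = (Get-WmiObject -Class Win32_ComputerSystem).Domain
$collection = if ($domain -like 'lab.*') { 'OSD - Lab Imaging' } else { 'OSD - Production Imaging' }
$masked     = @('OSDJoinPassword')     # variables whose values should be hidden in the console

foreach ($row in $rows) {
    Import-CMComputerInformation -ComputerName $row.Name -MacAddress $row.MacAddress `
        -CollectionName $collection

    # The import is processed asynchronously; wait until the device record exists
    # before attaching variables to it.
    $device = $null
    for ($i = 0; $i -lt 30 -and -not $device; $i++) {
        Start-Sleep -Seconds 10
        $device = Get-CMDevice -Name $row.Name
    }
    if (-not $device) {
        Write-Warning "$($row.Name) did not appear within 5 minutes; variables not set."
        continue
    }

    # Every remaining non-empty column becomes a device variable.
    foreach ($col in $row.PSObject.Properties) {
        if (@('Name', 'MacAddress') -contains $col.Name -or [string]::IsNullOrEmpty($col.Value)) { continue }
        New-CMDeviceVariable -DeviceName $row.Name -VariableName $col.Name `
            -VariableValue $col.Value -IsMask ($masked -contains $col.Name)
    }
    Write-Output "Imported $($row.Name) into '$collection'."
}
```

A CSV that carries join credentials is itself sensitive; masking only hides the value in the console, so the file should be deleted or access-restricted after the import.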





CMCB, PowerShell, OSD


Keeping inactive clients alive in CM12 for fast Patching and Distributions

In order to keep our CM12 clean, we normally enable “Delete Inactive Client Discovery Data” under Site Maintenance properties. By default this is disabled, but when enabled it is set to 90, unless you change that. This removes the clients that are inactive from the CM12 console every 90 days unless, again, you change that setting.

However, this presents a challenge for organizations that have laptops or remote users that remain offline longer than that setting allows, or spare machines that sit in closets or storage for long periods of time but are still required to get deployments or patch deployments fast. When you plug them back into the network after they have been deleted, it takes a while before they fall back into their collections and can get the deployments or patch deployments that they deserve.

So to keep these machines alive in the console, remember that in CM12 these machines do not get deleted from the database. They just get their Decommissioned0 set to 1 and disappear from the console. So the trick is, just keep their Decommissioned0 set to 0!

In our environment, we leverage SCORCH to detect these machines by executing the SQL query below:

    SELECT Name0, Decommissioned0
    FROM System_DISC
    WHERE Distinguished_Name0 LIKE 'CN=%,OU=Laptops,OU=Computers,OU=LOB,OU=ORG,DC=jeff,DC=com'
      AND Decommissioned0 = '1'

We then resolve it by:

    UPDATE System_DISC
    SET Decommissioned0 = '0'
    WHERE Distinguished_Name0 LIKE 'CN=%,OU=Laptops,OU=Computers,OU=LOB,OU=ORG,DC=jeff,DC=com'
      AND Decommissioned0 = '1'

Then these guys never leave their collections :)



POSH to remove Expired and/or Superseded Updates from a CM12 Software Update Group

Up to this date, there’s still not a CM12 cmdlet that would help remove updates from Software Update Groups. It makes it cumbersome on a monthly basis to remove the expired and superseded updates from these groups… Just a lot of clicking! :) Here’s some PowerShell code that I threw together to try to reduce my mouse clicks every patch cycle :). This code will prompt you for which you'd like to process or remove from the given group, E for expired or S for superseded. I suppose I could add that as another parameter, but then it'd be too much typing :). Alright, I’m fairly new to POSH, so don’t judge!

Usage :  Remove-ExpAndSuperseded.ps1 <CAS Server Name> <sitecode> '<Target SUP Group>'


Updated: 7/8/2014
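
An added sketch of how such a removal can be done through the SMS Provider's WMI classes when no cmdlet is available (not the author's Remove-ExpAndSuperseded.ps1, which is not reproduced on this page). It takes the same three positional arguments as the usage line above; the `-Commit` switch is an assumption added here so that the default run only reports.

```powershell
# Added example, not the author's script. -Commit is a hypothetical switch added for safety.
param(
    [Parameter(Mandatory = $true, Position = 0)][string]$SiteServer,
    [Parameter(Mandatory = $true, Position = 1)][string]$SiteCode,
    [Parameter(Mandatory = $true, Position = 2)][string]$GroupName,
    [switch]$Commit                      # without -Commit nothing is written
)
$ErrorActionPreference = 'Stop'
$wmi = @{ ComputerName = $SiteServer; Namespace = "root\SMS\site_$SiteCode" }

$choice = (Read-Host 'Remove (E)xpired or (S)uperseded updates?').Trim().ToUpper()
$flag = switch ($choice) {
    'E'     { 'IsExpired' }
    'S'     { 'IsSuperseded' }
    default { throw "Enter E or S." }
}

# A Software Update Group is an SMS_AuthorizationList instance; its membership is
# the Updates array of CI_IDs, a lazy property that is only loaded by Get().
$escaped = $GroupName -replace "'", "\'"
$group = @(Get-WmiObject @wmi -Class SMS_AuthorizationList -Filter "LocalizedDisplayName='$escaped'")
if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName'." }
$group = $group[0]
$group.Get()

# Updates in this group that carry the chosen flag.
$stale = @(Get-WmiObject @wmi -Query "SELECT CI_ID, LocalizedDisplayName FROM SMS_SoftwareUpdate WHERE $flag = 1" |
    Where-Object { $group.Updates -contains $_.CI_ID })
$staleIds = @($stale | ForEach-Object { $_.CI_ID })
$stale | ForEach-Object { Write-Output ("{0}: {1}" -f $flag, $_.LocalizedDisplayName) }

if ($Commit -and $staleIds.Count -gt 0) {
    # Write back the membership list without the stale CI_IDs.
    $keep = @($group.Updates | Where-Object { $staleIds -notcontains $_ })
    $group.Updates = [uint32[]]$keep
    $group.Put() | Out-Null
    Write-Output ("Removed {0} update(s) from '{1}'." -f $staleIds.Count, $GroupName)
} else {
    Write-Output ("{0} update(s) matched; re-run with -Commit to remove them." -f $staleIds.Count)
}
```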


CMCB, PowerShell

Copyright © 2019 - The Twin Cities Systems Management User Group