Orchestrator Runbook: Delete Machines from SCCM

This article will detail an Orchestrator Runbook that has the ability to delete devices from SCCM based on computer name or MAC address. This script works with SCCM 2012 – it has not been tested on SCCM 2007. The primary reason for this runbook is to be able to delete devices from a web browser using the Orchestration Web Console. The runbook will take computer name and MAC address inputs and execute. There is also error checking along the way. The user will be able to feed multiple computer names, MAC addresses, or both to the runbook.

Here is what the runbook will look like:


Initialize Data

The first step, Initialize Data, is under the Runbook Control activities. Drag it into your runbook and open it. Create two parameters. I named mine “Computer Name(s)” and “MAC Address(es)”. Also, decide what character you want to use as a separator. I chose a semicolon.


Split/Validate Entries

Next, drag a “Run .NET Script” activity into your runbook. Name it “Split/Validate Entries” and change the language to PowerShell. As the title says, this activity will validate the entries by checking SCCM for corresponding names or MAC addresses and split the values into an array. Paste this code into the “Script” box:

$uf_wmi_names = @()
$f_wmi_names = @()
$wmi_macs = @()
$res_ids = @()
$not_valid = @()

# Pull every device record from the site (replace <SiteServer> and <SiteCode>)
$wmi = Get-WmiObject -computername <SiteServer> -namespace "root\sms\site_<SiteCode>" -class SMS_R_SYSTEM

# Build a plain string array of device names
$uf_wmi_names = $wmi | select-object Name
ForEach ($name in $uf_wmi_names) {
    # Read the Name property directly: Trim("@{Name=") strips a set of characters,
    # not a prefix, and would also remove a leading N, a, m or e from real names
    $f_wmi_names += $name.Name
}

# A second PowerShell session flattens the MACAddresses arrays into strings
$wmi_macs = PowerShell {
    $wmi = Get-WmiObject -computername <SiteServer> -namespace "root\sms\site_<SiteCode>" -class SMS_R_SYSTEM
    $wmi.MACAddresses }

# Published Data from Initialize Data, split on the chosen separator
$uf_names = "{Computer Name from "Initialize Data"}"
$split_names = $uf_names -split ";"

# Known names yield a ResourceID; anything else is reported as invalid
ForEach ($split_name in $split_names) {
    If ($f_wmi_names -contains $split_name) {
        $res_ids += ($wmi | where-object -filterscript {$_.Name -eq "$split_name"}).ResourceID }
    Else { $not_valid += $split_name }
}

$uf_mac_addr = "{MAC Address from "Initialize Data"}"
$split_mac_addrs = $uf_mac_addr -split ";"

# Same check for MAC addresses
ForEach ($split_mac_addr in $split_mac_addrs) {
    If ($wmi_macs -contains $split_mac_addr) {
        $res_ids += ($wmi | where-object -filterscript {$_.MACAddresses -like "*$split_mac_addr*"}).ResourceID }
    Else { $not_valid += $split_mac_addr }
}

Be sure to replace the placeholders for site server name and site code. Also, be sure to change the text in blue to your actual Published Data from the previous step. Most of this script is self-explanatory. I define the arrays I’m using, pull all computer information into a variable and compare it to what was entered in Initialize Data.

The only thing that is not so evident is the line that begins “$wmi_macs = PowerShell {“. These lines launch another PowerShell session, pull the MAC addresses, and read them into the $wmi_macs variable. I had to do this because the data stored in the MACAddresses property of my WMI query is not in a string format, and we are limited in our string conversion methods in PowerShell v2. Launching another session allows us to just read everything into a variable. Having to do this slows the script down because it has to run the big WMI query again, but it’s the easiest way to get our information.
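
An added example, not part of the original runbook: because whatever is typed into the web console ends up selecting objects to delete, the split step can normalise and reject entries before SCCM is queried. The function name Split-DeviceEntry, the 15-character name rule, the colon-separated MAC form and the 25-entry cap are assumptions to adapt to your site; the code sticks to PowerShell v2 syntax.

```powershell
# Added example: pre-validation of operator input. Function name, limits and
# sample values are assumptions, not part of the original runbook.
function Split-DeviceEntry {
    param(
        [string]$RawNames,
        [string]$RawMacs,
        [string]$Separator = ';',   # the separator chosen in Initialize Data
        [int]$MaxEntries = 25       # assumed safety cap on deletions per run
    )
    $names = @(); $macs = @(); $rejected = @()
    $sep = [regex]::Escape($Separator)

    foreach ($entry in ($RawNames -split $sep)) {
        $e = $entry.Trim()
        if ($e -eq '') { continue }     # blank field or trailing separator
        # NetBIOS-style name: 1-15 letters, digits or hyphens; no wildcards or quotes
        if ($e -match '^[A-Za-z0-9-]{1,15}$') {
            if ($names -notcontains $e) { $names += $e.ToUpper() }
        } else { $rejected += $e }
    }

    foreach ($entry in ($RawMacs -split $sep)) {
        $e = $entry.Trim()
        if ($e -eq '') { continue }
        # Accept 00-15-5D..., 0015.5D01... or 00:15:5D... and emit one canonical form
        $hex = ($e -replace '[:.-]', '').ToUpper()
        if ($hex -match '^[0-9A-F]{12}$') {
            $mac = $hex -replace '(..)(?!$)', '$1:'
            if ($macs -notcontains $mac) { $macs += $mac }
        } else { $rejected += $e }
    }

    # Refuse oversized batches instead of deleting a pasted-in device list
    if (($names.Count + $macs.Count) -gt $MaxEntries) {
        throw "Refusing to process more than $MaxEntries entries in one run."
    }
    New-Object PSObject -Property @{ Names = $names; Macs = $macs; Rejected = $rejected }
}

# Constructed sample input: a duplicate name, a wildcard, two spellings of one MAC, junk
$r = Split-DeviceEntry -RawNames 'pc-001; PC-001;lab*;' -RawMacs '00-15-5d-01-02-03;0015.5D01.0203;zz:zz'
$r | Format-List Names, Macs, Rejected
```

The Rejected list can be published as the invalid-entry data so that malformed input is reported to the operator rather than compared against SCCM.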

We need to publish two variables to the next step. To do this, go to the “Published Data” node and give it this information:


Delete Computer Object

Next, drag another Run .NET Script activity into your runbook, name it Delete Computer Object and change the language to PowerShell. Paste this code into the script box:

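# Look up the computer name for the event text in the next step
$name = (Get-WmiObject -computername <SiteServer> -namespace "root\sms\site_<SiteCode>" -class SMS_R_SYSTEM | Where-Object -FilterScript {$_.ResourceID -eq "{ResourceIDs from "Split/Validate Entries"}"}).Name

# Bind to the device record by ResourceID
$comp = [wmi]"\\<SiteServer>\root\sms\site_<SiteCode>:sms_r_system.resourceID={ResourceIDs from "Split/Validate Entries"}"
# The delete call is missing from the page as extracted; Delete() on the bound WMI object is assumed here
$comp.Delete()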

Again, be sure to replace the placeholders with your actual site server and site code and replace the blue text with the real Published Data.

The first line of this gets the computer name for us to use in the next step. The second and third lines delete the object.

Platform Events

Next, we will go over the three Platform Event activities. These are “Invalid Entry”, “Delete Failure”, and “Delete Success”. You can find Platform Events under the Notification activity node. These events will show a message under the “Events” node of the web console, as illustrated here:


Here is what the setup for this event looks like (Invalid Entry):


You can make these events say whatever you want for your environment. It’s important to also change the link between the Run .NET Script activities and these platform events. Basically, set the link condition so that the Invalid Entry Published Data does not equal blank.


For Delete Computer Objects, just change it to failed:


Error Runbook

These two Run .NET Script activities have one line:

write-host "error"

This line will force the runbook to end in a “Warning” state, which will show a warning icon instead of a success icon on the web console. This is an indicator to your users that they need to check the “Events” node to see why the runbook failed to delete the computer object.

A runbook export of this will be available under the “Scripts” section of our website.


