Channel: Jörgen Nilsson, Author at CCMEXEC.COM - Enterprise Mobility

SCUG.se Client Day March 20 2018 – registration is open!

The registration for SCUG.se Client Day on March 20 is now open! This time we are proud to announce that Ronni Pedersen, Enterprise Mobility MVP and a great guy! (https://www.ronnipedersen.com/ @ronnipedersen) will be joining us and delivering an awesome session on Protecting Cloud Identities using Azure MFA and EMS! 😀

We have more great presenters on the way; we will announce them in the coming weeks! As always, this event also presents a great opportunity to meet colleagues and do some networking! Most sessions will be in Swedish! Hope to see many of you there!
https://www.eventbrite.com/e/scugse-klientdagen-mars-2018-tickets-43226988085

Preliminary Agenda:

08:00 – Registration Opens
08:45 – Welcome
09:00 – Keynote, Get current, Stay Current, Get going!! – Jörgen Nilsson & Stefan Schörling
09:45 break
10:00 – Modern Management, Co-Management the road to the future! – TBA
10:45 – What’s new in Configuration Manager 1802 and what is not… – TBA
11:30 – Whats new in Windows 10 18xx – TBA
12:00 Lunch
13:00 – Intune MAM, to Enroll or not to Enroll – TBA
14:00 – Protecting Cloud Identities using Azure MFA and EMS – Ronni Pedersen
15:00 Break
15:20 – Community tools, SCCM Extensions (Driver Manager) – Jörgen Nilsson & Johan Schrewelius
16:00 – Q&A

 


PowerShell OSD scripts to Add/Remove Computer from AD group and set AD Description

I checked the statistics for my blog, and the comments as well: the “old” VBScripts I wrote to add a computer to an AD group and set the AD computer description are still being downloaded, used and commented on. I mostly use web services to manage tasks like this now, but the scripts are still being used out there, so it is time to update them to PowerShell!

Here are three of the scripts in PowerShell instead: AddToADGroup, RemoveFromADGroup and SetADDescription. They can be downloaded here: OSDScripts
All scripts have to run in full OS and not in WinPE.

AddToADGroup

The script adds the computer it is being executed on to one or more AD groups. “:” is the separator, and if there is a space in a group name, surround that name with “” as well. The account used to run the step must have permissions in AD to execute the command.
Example command line:
Powershell.exe -NoProfile -ExecutionPolicy Bypass -File AddToADGroups.Ps1 "group1":"group2"

RemoveFromADGroup

The script removes the computer it is being executed on from one or more AD groups. “:” is the separator, and if there is a space in a group name, surround that name with “” as well. The account used to run the step must have permissions in AD to execute the command.
Example command line:
Powershell.exe -NoProfile -ExecutionPolicy Bypass -File RemoveADGroups.Ps1 "group 1"

SetADDescription

Sets the Description attribute on the computer object in AD for the computer the script is executed on; the computer name is used to find the object. Use “” around the description if it contains spaces.

Example command line:
Powershell.exe -NoProfile -ExecutionPolicy Bypass -File SetComputerDesc.Ps1 "Test Computer"
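As an added illustration of how the three scripts above can be built, here is my own example (not the downloadable OSDScripts) that does all three jobs in one script using plain ADSI, so it needs no RSAT or ActiveDirectory module on the freshly deployed client. The script name, the -Mode/-Value parameters and the group and description values in the comments are assumptions made for this example; the “:” separator handling follows the convention described above, and membership is only changed when it actually differs, so the step can be re-run safely.

```powershell
# Added example: add/remove this computer to/from AD groups and set its description via ADSI.
# Example Run Command Line steps (script name and -Mode/-Value parameters are this example's own):
#   Powershell.exe -NoProfile -ExecutionPolicy Bypass -File ADComputerTasks.ps1 -Mode Add -Value "group1:group 2"
#   Powershell.exe -NoProfile -ExecutionPolicy Bypass -File ADComputerTasks.ps1 -Mode Remove -Value "group1"
#   Powershell.exe -NoProfile -ExecutionPolicy Bypass -File ADComputerTasks.ps1 -Mode Describe -Value "Test Computer"
param(
    [Parameter(Mandatory = $true)][ValidateSet('Add', 'Remove', 'Describe')][string]$Mode,
    [Parameter(Mandatory = $true)][string]$Value
)

function ConvertTo-LdapFilterValue {
    # Escape LDAP filter metacharacters so a command-line argument cannot change the shape of the filter
    param([string]$Text)
    return $Text -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-AdsiComputer {
    # Find this computer's own object; computer account names end with "$"
    $name   = ConvertTo-LdapFilterValue $env:COMPUTERNAME
    $result = ([ADSISEARCHER]"(&(objectCategory=computer)(sAMAccountName=$($name)$))").FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
    return [ADSI]$result.Path
}

function Get-AdsiGroup {
    param([string]$GroupName)
    $name   = ConvertTo-LdapFilterValue $GroupName
    $result = ([ADSISEARCHER]"(&(objectCategory=group)(sAMAccountName=$name))").FindOne()
    if (-not $result) { throw "Group '$GroupName' not found in AD" }
    return [ADSI]$result.Path
}

function Set-ComputerGroupMembership {
    # $GroupList uses ":" as separator, e.g. "group1:group 2"; membership is changed only when needed
    param([string]$GroupList, [switch]$Remove)
    $computer   = Get-AdsiComputer
    $computerDN = [string]$computer.distinguishedName
    foreach ($groupName in ($GroupList -split ':' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $group    = Get-AdsiGroup -GroupName $groupName
        $isMember = @($group.member) -contains $computerDN
        if ($Remove -and $isMember) {
            $group.Remove($computer.Path)
            "Removed $computerDN from $groupName"
        } elseif (-not $Remove -and -not $isMember) {
            $group.Add($computer.Path)
            "Added $computerDN to $groupName"
        } else {
            "No change needed for $groupName"
        }
    }
}

function Set-ComputerDescription {
    param([string]$Description)
    $computer = Get-AdsiComputer
    $computer.Put('description', $Description)
    $computer.SetInfo()
    "Description of $([string]$computer.distinguishedName) set to '$Description'"
}

try {
    switch ($Mode) {
        'Add'      { Set-ComputerGroupMembership -GroupList $Value }
        'Remove'   { Set-ComputerGroupMembership -GroupList $Value -Remove }
        'Describe' { Set-ComputerDescription -Description $Value }
    }
}
catch {
    # Write the error to the task sequence log output and fail the step
    $_.Exception.Message
    Exit 1
}
```

The account specified in the Run Command Line step only needs "Write Members" delegated on the groups in question and write access to the Description attribute on the computer objects' OU; it does not need broader rights, and keeping it that narrow limits what a leaked task sequence account can do.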

 

Move the computer to the correct OU during OSD – PS version

I wrote a blog post way back (2010) on how to move a computer to another OU during OS Deployment: http://ccmexec.com/2010/12/move-computer-to-the-correct-ou-during-deployment/.
You may want to move it when you upgrade to Windows 10, or when you reinstall a computer that already exists in a different OU, since it will not be moved automatically. The script is still being used, downloaded and commented on, so here is an updated blog post with a PowerShell script that does the move, if you don't want to use a web service, of which there are a couple on the TechNet Gallery.

The script:
# Script to move the computer object in AD to the OU supplied as a variable
# Example Command line Powershell.exe -NoProfile -ExecutionPolicy bypass -file MoveToOU.ps1 "%MachineObjectOU%"

$OU = $args[0]
if (-not $OU) { "No target OU was supplied as the first argument" ; Exit 1 }

try {
    # Find this computer's object by its sAMAccountName (computer accounts end with "$")
    $CompDN = ([ADSISEARCHER]"sAMAccountName=$($env:COMPUTERNAME)$").FindOne().Path
    $CompObj = [ADSI]"$CompDN"
    # Move the object to the target OU; the account running the step needs the right to do so
    $CompObj.psbase.MoveTo([ADSI]"LDAP://$($OU)")
}
catch {
    $_.Exception.Message ; Exit 1
}

Save the script to a file in your package source folder for the script.

  1. Add the script to a package you replicate to all DPs
  2. In the Task Sequence add the following Run Command Line task (make sure to add it after the “Setup Windows and Configuration Manager Client” step)
  3. Use a User Account with permission in the Active Directory to perform the task.

In this example the %MachineObjectOU% variable is used which can be set by MDT for example.

As simple as that and you are done!

Thanks to my colleague Johan Schrewelius for the help.

New features in Configuration Manager Technical Preview 1803

Shortly after Configuration Manager 1802 CB we got a new Technical Preview, 1803! Some really great stuff in this one; some of it is a result of the hackathon we did at the MVP Summit in March. What is new then?

PXE boot without the need for WDS, and IPv6 support

This has been around for a while in TP, but it was one of the challenges. We no longer need WDS, and computers running a client OS can also be PXE points.

  • When I tried it out I had WDS installed already; I had to manually remove the WDS feature and then restart the server to get it to work. I also had to disable and re-enable PXE without WDS to make it work.
  • I also selected to not require a password, but I am still prompted for a password on the client when PXE booting. If you are going to test this out, I hope it will save you some time.

Software Center improvements

The possibility to include a web page in Software Center was one of the topics from the hackathon at the MVP Summit. Software Center has gotten a lot of new features lately, which is great, and this is a great addition.

And the result!

Software Center will also show upcoming maintenance windows for the client. This will be loved by power users and by IT staff troubleshooting.

3rd Party software updates improvements

This one made it to 1802 CB as well. It is a new client setting that lets you enable 3rd party updates.

What it does is pull the code-signing certificate used in SCUP/WSUS for 3rd party updates and add it to the Trusted Publishers certificate store on the clients that are targeted by the client setting. It also configures the following setting on the clients: “Allow signed updates for an intranet Microsoft update service location”. Since the clients will then trust anything signed with that certificate, the private key used for signing in SCUP needs to be protected accordingly.

For WSyncMgr, which is responsible for pulling the certificate from WSUS, to succeed, the WSUS server must be running HTTPS. After enabling that it worked just fine.

Management Insight

There is a new Management Insight as well for MacOS and Unix clients in the environment.

More new features from the announcement, which I haven't tested: https://cloudblogs.microsoft.com/enterprisemobility/2018/03/27/update-1803-for-configuration-manager-technical-preview-branch-available-now/

  • Pull distribution points support cloud distribution points as source – Now you can set a cloud distribution point as a source for a pull distribution point.
  • Partial download support in client peer cache to reduce WAN utilization – Client peer cache sources can now divide content into parts. These parts minimize the network transfer to reduce WAN utilization.
  • Enable copy/paste of asset details from monitoring views – You can now enable copy/paste functionality in the asset details pane in deployment and distribution status monitoring views.
  • Remote Control – When you are using remote control on a client with multiple monitors at different DPI scaling, the mouse cursor now correctly maps between the monitors.

I urge you all to install the Technical Preview in a lab, it is great fun to test all the new features!

 

 

Script to tattoo the client registry during OSD – PS version

I wrote a post back in 2012 on how to tattoo the registry with OSD information from Task Sequence variables and OS versions: http://ccmexec.com/2012/08/script-to-tattoo-the-client-registry-during-osd/
We can then inventory that information using Configuration Manager and create collections and reports based on the Task Sequence used, the media type and the originally installed Windows 10 build, which can be useful in the future. In this example I have added OSD Duration so we can easily see how long the OS deployment took. It can be downloaded from the TechNet Gallery here: https://gallery.technet.microsoft.com

The inventoried values will look like this in Resource Explorer. I used RegKeyToMof to extend the hardware inventory: https://gallery.technet.microsoft.com/RegKeyToMof-28e84c28

I use the variable for OSD StartTime that we set in OSDBackground, which I have blogged about here before: http://ccmexec.com/2016/10/configuration-manager-osdbackground/ and which can be downloaded from the TechNet Gallery.

The name of the Registry key can be configured in the beginning of the script as shown here.

After changing the name of the registry key in the script, add it to a package and distribute it to your distribution point group. I run the script at the end of my task sequences like this.
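As an added example of what such a tattoo script can look like (this is my own code, not the TechNet Gallery script from the post), here is a script that reads a few built-in task sequence variables plus the OSDStartTime variable that OSDBackground sets, computes the deployment duration and writes everything as string values under one registry key. The key name, the value names and the assumption that OSDStartTime is a date string that .NET can parse are mine; change the key at the top to your own.

```powershell
# Added example of a registry tattoo script (my own, not the Gallery script from the post).
# The key name, value names and the OSDStartTime format are assumptions for this example.
$RegistryKey = 'HKLM:\SOFTWARE\Onevinn\OSD'   # assumed key name, configure for your organisation

function Get-TsVariable {
    # Read a task sequence variable; returns $null when not running inside a task sequence
    param([string]$Name)
    try {
        $tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $value = $tsEnv.Value($Name)
        if ([string]::IsNullOrEmpty($value)) { return $null }
        return $value
    }
    catch { return $null }
}

function Get-OsdTattooValues {
    # Collect what we want to inventory later: TS name, media type, Windows build and OSD duration
    param([datetime]$Now = (Get-Date))
    $winVer = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $values = [ordered]@{
        OSDTaskSequence     = Get-TsVariable '_SMSTSPackageName'
        OSDMediaType        = Get-TsVariable '_SMSTSMediaType'
        OSDLaunchMode       = Get-TsVariable '_SMSTSLaunchMode'
        OSDInstalledBuild   = $winVer.CurrentBuild
        OSDInstalledRelease = $winVer.ReleaseId
        OSDEndTime          = $Now.ToString('yyyy-MM-dd HH:mm:ss')
    }
    # OSDStartTime is set by OSDBackground (see the post); assumed here to be a parseable date string
    $start  = Get-TsVariable 'OSDStartTime'
    $parsed = [datetime]::MinValue
    if ($start -and [datetime]::TryParse($start, [ref]$parsed)) {
        $values.OSDStartTime       = $parsed.ToString('yyyy-MM-dd HH:mm:ss')
        $values.OSDDurationMinutes = [int][math]::Round(($Now - $parsed).TotalMinutes)
    }
    return $values
}

function Write-OsdTattoo {
    # Create the key if needed and write every collected value as a REG_SZ; returns what was written
    param([string]$Key = $RegistryKey)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $values = Get-OsdTattooValues
    foreach ($entry in $values.GetEnumerator()) {
        if ($null -ne $entry.Value) {
            New-ItemProperty -Path $Key -Name $entry.Key -Value $entry.Value -PropertyType String -Force | Out-Null
        }
    }
    return $values
}

Write-OsdTattoo
```

Everything is written as strings on purpose, since that is what the RegKeyToMof-generated inventory class expects; the script runs in the full OS at the end of the task sequence, where the Microsoft.SMS.TSEnvironment COM object is still available.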

I hope this can be useful and sparks ideas on what more to add to the registry during OSD that can be useful afterwards.

Windows 10 remove builtin apps script with multiple version support

I wrote a script before on how to remove built-in apps in Windows 10, based on Ben Hunter's script to do the same: http://ccmexec.com/2015/08/removing-built-in-apps-from-windows-10-using-powershell/

As always, make sure you only uninstall what you really need to: some apps can be reinstalled from the Store, some are harder or impossible to get back.

Not everything we can/want to remove is an app; some of them are installed as “Capabilities” instead and can be removed with PowerShell as well. Quick Assist is a Windows capability, for instance. To list all Windows capabilities on a Windows 10 computer, run the following PowerShell command:
Get-WindowsCapability -Online

With each new version of Windows 10 there are new apps that can/should be removed from a Windows 10 enterprise client. I have rewritten the script so it reads the capabilities to remove from one text file and the apps to uninstall from another. These text files need to have the Windows 10 build number in the file name, so that we can use the same Task Sequence step for multiple Windows 10 versions without having to modify the script itself, as shown below.

The script can be downloaded from here: https://gallery.technet.microsoft.com/Windows-10-remove-builtin-3a65a09b

In the Task Sequence we can now have one step that runs the PowerShell script, and the script will uninstall different apps based on the Windows 10 build number it is running on, as shown below.

The script will also create a log file in C:\Windows\Temp with the name RemoveApps_Buildnr, as shown below. It could have been placed in the SMSTSLOG folder as well, but I think it is better placed in C:\Windows\Temp.

When a new version of Windows 10 is released we simply do the following:

  1. Deploy Windows 10 with the new build without removing any apps.
  2. Run the following PowerShell command:
    $Appx = Get-AppxPackage | select name
    $appx | Out-File -FilePath C:\temp\Appx.txt
  3. Then we take the Appx.txt file and remove all the apps from the list that should NOT be removed, so the list only contains apps that we want to remove.
  4. Save the file in the package source folder with the name Apps17999, where “17999” is the build number.
  5. Then we copy one of the Capabilities files so there is a Capabilities17999 file as well.
  6. Update the package on the DPs and test the script.

That gives us a more flexible and simple way to handle the removal of builtin apps.
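As an added illustration of the per-build mechanism described above, here is my own example script (not the Gallery script) that picks Apps<build>.txt and Capabilities<build>.txt next to itself based on the running build, removes what they list and logs to C:\Windows\Temp\RemoveApps_<build>.log. The file-name convention and the log path follow the post; the small list of packages that are refused even if a list names them is an assumption of mine, added so an editing slip in the list file cannot remove the Store.

```powershell
# Added example (my own, not the Technet Gallery script) of the per-build removal logic described above.
# Expects Apps<build>.txt and Capabilities<build>.txt next to the script, one name per line.
$Build    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
$LogFile  = "C:\Windows\Temp\RemoveApps_$Build.log"
$AppsFile = Join-Path $PSScriptRoot "Apps$Build.txt"
$CapsFile = Join-Path $PSScriptRoot "Capabilities$Build.txt"
# Assumed safety net: packages that must never be removed even if a list file names them
$NeverRemove = @('Microsoft.WindowsStore', 'Microsoft.DesktopAppInstaller')

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

function Get-ListFile {
    # Returns the names in a list file, skipping blanks, comments and the Name/---- header Out-File adds
    param([string]$Path)
    if (-not (Test-Path $Path)) { Write-Log "No list file $Path for build $Build, skipping"; return @() }
    Get-Content $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -notmatch '^(#|Name$|-+$)' }
}

function Remove-ListedApps {
    param([string[]]$Names)
    foreach ($name in $Names) {
        if ($NeverRemove -contains $name) { Write-Log "Refusing to remove protected app $name"; continue }
        # Exact name match on purpose: a wildcard entry could remove far more than intended
        foreach ($pkg in @(Get-AppxPackage -Name $name)) {
            try {
                Remove-AppxPackage -Package $pkg.PackageFullName -ErrorAction Stop
                Write-Log "Removed package $($pkg.PackageFullName)"
            }
            catch { Write-Log "Failed to remove package $($pkg.PackageFullName): $($_.Exception.Message)" }
        }
        # Remove the provisioned copy too, otherwise new user profiles get the app back
        foreach ($prov in @(Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -eq $name })) {
            try {
                Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName -ErrorAction Stop | Out-Null
                Write-Log "Removed provisioned package $($prov.PackageName)"
            }
            catch { Write-Log "Failed to remove provisioned package $($prov.PackageName): $($_.Exception.Message)" }
        }
    }
}

function Remove-ListedCapabilities {
    param([string[]]$Names)
    $installed = Get-WindowsCapability -Online | Where-Object { $_.State -eq 'Installed' }
    foreach ($name in $Names) {
        $cap = $installed | Where-Object { $_.Name -eq $name }
        if (-not $cap) { Write-Log "Capability $name not installed, skipping"; continue }
        try {
            Remove-WindowsCapability -Online -Name $cap.Name -ErrorAction Stop | Out-Null
            Write-Log "Removed capability $name"
        }
        catch { Write-Log "Failed to remove capability $name : $($_.Exception.Message)" }
    }
}

Write-Log "Starting removal for Windows 10 build $Build"
Remove-ListedApps -Names (Get-ListFile $AppsFile)
Remove-ListedCapabilities -Names (Get-ListFile $CapsFile)
Write-Log 'Done'
```

Because the list files are read by exact name, a line copied straight from the Out-File output (including trailing spaces or the header lines) is handled, but a typo in a name simply results in a "not installed, skipping" line in the log rather than a removal of something else.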

I hope it is useful!

 

Links from our Configuration Manager Community tools session at MMS 2018

I had the great pleasure of presenting “Configuration Manager Community tools 2018 Edition!” together with fellow MVP Ryan Ephgrave, @ephingposh at MMS 2018 in Minnesota. It is always great fun and the amount of great community tools out there for Configuration Manager is simply amazing!

Thank you to everyone who contributes to the community, you are the real community heroes!

Here are the tools we demoed during the session:

Infrastructure

SQL Maintenance Script – Ola Hallengren

ConfigMgr Prereq Tool – Nickolaj Andersen

Hydration Kits – Johan Arwidmark

Microsoft 365 Lab Kit – Microsoft

Microsoft hands-on-labs – Microsoft

Azure DevTest Labs – Microsoft

Image Factory – Mikael Nystrom

Client Startup Script – Jason Sandys

ConfigMgr Client Health – Anders Rödland

Intune

Powershell samples Github – Dave Falkus

Intune Driver Management – Maurice Daly

 

Configuration Items

Reg2CI – Roger Zander

ConfigMgr remote Compliance – Trevor Jones

 

Application Management

Powershell App deployment toolkit – Seán Lillis / Dan Cunningham and more

Powershell app deployment toolkit GUI – Tom Degreef

Application tester – Ryan Ephgrave

RuckZuck – Roger Zander

Software Updates

Create Software Updates Group Tool – Nickolaj Andersen

Patch Master – Robert Marshall

 

OS Deployment

OSDBackground – Johan Schrewelius

OSDWebservice – Johan Schrewelius

ConfigMgr Webservice – Nickolaj Andersen

Driver Automation Tool – Maurice Daly

SCCM Extensions – Johan Schrewelius

ConfigMgr Task Sequence Monitor – Trevor Jones

 

Frontends

UEFI Bitlocker Frontend – Niall Brady

UI++ – Jason Sandys

ConfigMgr OSD Frontend – Nickolaj Andersen

 

Windows 10 Servicing

Windows 10 force upgrade – Niall Brady

Improving the end-user experience – Trevor Jones

Windows 10 Upgrade UI – Rich Mawdsley

Windows 10 Upgrade Tools – Johan Schrewelius

 

Helpdesk

Right-Click Tools – Recast

Client Center – Roger Zander

LogLauncher – Robert Marshall

 

“Non” SCCM Community Tools

WMI Explorer – CTGlobal

WMI Explorer – K-Soft

SysInternals – Microsoft

LUA Buglight – Aaron Margosis

Windows 10 Upgrade/Servicing tools demoed at MMS 2018

My colleague Johan Schrewelius has put together a Windows 10 Upgrade Tools kit that is available for download on TechNet Galleries. It contains two tools to assist with the upgrade to Windows 10 and Servicing of Windows 10.

TSLaunch, which is run as a Package/Program, is used to do pre-flight checks and kick off a UI for the end user. In that UI the end users can select to install Windows 10 now or schedule it for a later date.

It can also perform many pre-flight checks, all of which are configurable, for example:

  • Include a Company logo
  • Check if the computer is in presentation mode
  • Check if it is running on battery
  • Check if it has a wired connection
  • Verify that the OS Image is already present in the CCMCache (TS Pre-download content)
  • Check if the computer is connected via VPN
  • Log off the user when the upgrade starts
  • Launch UPBackground
  • Multi Language Support
  • Log to a file share
  • And much more…. (It is covered in the documentation included in the download)

All configuration can be done in the configuration .xml file.

 

UPBackground is launched as a service once it is installed (MSI), and it is placed on top of the desktop, so the end user sees a screen that looks like the Windows 10 upgrade process. The text is configurable and MUI aware as well. As it runs as a service it will launch after reboots as well and then stop the user from logging on, so they don't mess up the upgrade.

We use the same solution as in OSDBackground, so if you right-click the upper-left corner it will prompt you for a password, so you can troubleshoot if needed. If the task sequence engine fails to start after a reboot, for instance, UPBackground will catch that, time out, terminate and uninstall itself.

Here is a short video of what a Windows 10 upgrade could look like for the end user when using these tools together.

I hope you find it just as useful as we do!


SCUGSE Klientdagarna 8-9 October in Stockholm

System Center User Group Sweden celebrates 10 years with a two-day event on the 8-9 of October in Stockholm, Sweden. To make this a truly special event, David James, Director Software Engineering, Configuration Manager, will be joining us for the first day! A great opportunity to hear David present the news and roadmaps for Configuration Manager going forward! Stefan Schörling and I will also present, and more MVPs like Nickolaj Andersen will also join us!

There are still some slots in the agenda that we haven’t filled yet, we will add those as we get closer to the event! Most sessions will be held in Swedish.

The preliminary agenda looks like this and registration is now open and can be found here: https://www.eventbrite.com/e/scugse-klientdagarna-oktober-2018-tickets-47148736139

Day 1, 2018-10-08

0815 – Doors Open

0900 – 0915 – Welcome – Jörgen & Stefan

0915 – 1015 – State of the union – David James

1015 – 1030 – Break / Networking

1030 – 1115 – TBA – David James

1115 – 1130 – Break / Networking

1130 – 1215 – What’s new from Ignite! – Stefan Schörling / TBA

1215 – 1300 – Lunch

1300 – 1330 – Sponsor Session – TBA

1330 – 1345 – Break / Networking

1345 – 1430 – TBA – David James

1430 – 1445 – Break / Networking

1445 – 1530 – TBA – TBA

1530 – 1615 – Q&A DJAM and Speakers

 

Day 2, 2018-10-09

0815 – Doors Open

0900 – 1000 – Windows 10 as a Service, the good the bad and the ugly – Stefan Schörling / Jörgen Nilsson

1000 – 1015 – Break / Networking

1015 – 1100 – Managing and Securing Web browsers in Windows 10 – Jörgen Nilsson

1100 – 1115 – Break / Networking

1115 – 1215 – From the Community – TBA

1215 – 1300 – Lunch

1300 – 1330 – Sponsor Session – Lookout

1330 – 1345 – Break / Networking

1345 – 1430 – What’s new in Windows 10 1809 – TBA

1430 – 1445 – Break / Networking

1445 – 1545 – Advanced Windows 10 Deployment Tricks “TS End2End” – Nickolaj A

1545 – 1600 – Closing and Prize Drawings

 

New cool features in Configuration Manager 1807 Technical Preview

It is still vacation time in Sweden, but nothing can pull you from the hammock like a Technical Preview of Configuration Manager, in this case 1807. Some great additions in this one, like a long-awaited repair option, which will enable us to basically do what we did back in SCCM 2007, where many of us used a repair program that we made available to the user so they could repair their applications themselves without calling the service desk (and easier for a technician).

Application improvements

As I wrote, we can add a repair option to an application and then let the end user repair it themselves in Software Center (not yet available). The best thing about the repair option is that we can specify our own repair script and not just pass /fa to msiexec.exe, for instance, which in my experience seldom solves problems.

Per deployment we can then decide if the end user is allowed to run repair or not, which can also be very useful: restrict it for complex and sensitive apps but allow it for the rest.

In the screenshot above we can also see another great addition: the possibility to send an e-mail with an approval request, where the receiver of that mail can approve/deny it directly in the mail. As this is configured per deployment we can have multiple recipients per application. The request link is only valid once, so if the mail goes to a group and Stefan approves it, another admin that receives the mail cannot deny it.

It requires the Cloud Management Gateway to handle the approval directly from the mail, so if you don't have the Cloud Management Gateway in your environment yet, be aware that it is a component of the future, with more and more features using it. It also requires one of my favorite features, which has been in TP since 1612: the RESTful OData endpoint (data access). Let's hope that this means we are getting closer to getting the RESTful OData endpoint in CB as well.

Select drive used for temporary data storage during offline servicing

We can also select which drive is used during offline servicing, a small but requested improvement.

Configuration Manager Community Hub

From within the console we have a brand new workspace called Community. From there we can reach the documentation and provide feedback, but most important is the Hub. In the Hub we in the community can all share Configuration Manager scripts, reports, configuration items and more to come. In this TP there is currently only one script, but be sure to check it out and provide feedback on how you would like to be notified of new versions, new content and changes, which are some of the things that come to my mind. This will be great!!

 

More features: script output is now improved and can handle more output than before, there are improvements to third-party catalogs, and more. Read the documentation for the full list: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1807

 

CMpivot = Configuration Manager goes real-time!

I have worked with SMS/SCCM for many years now, and over the last 20 years a common question has been “we need to know which computers have a specific file present now!” or “we need to know which computers have this software installed, and we need to know it now”. We have never been able to fulfil that request, because things take time: inventory intervals, inboxes with backlogs as a result, and so on. It can be done with right-click tools, but that requires permissions and access to all computers. But now in 1806 we can finally do it with CMPivot, amazing!! CMPivot works through the CMG as well, and for clients that are connected to the MP.

CMPivot, which has been in Technical Previews before, makes it possible to query computers in real time using the channel that was developed to deliver malware alerts fast, instead of sending the request together with a client policy check or some other scheduled task in Configuration Manager. So finally the security guys, which I would say is where most of these requests come from, can get their answer faster than “tomorrow or later this week”.

CMPivot queries the context you start it in, so if you start CMPivot from the ribbon with the “All Desktop and Servers” collection selected, that collection is the scope of the result. What more can we do? We can create collections based on the result and export the result.

How do I get started? CMPivot uses a subset of the Azure Log Analytics data flow model, as shown in the help above. The easiest way to test the power of CMPivot is to simply click on a link in the Home tab and then use that query as a start, adding operators and count to it; it really makes sense after a while. Select CcmLog in this case, and we get the query to query ccmlog.

Then we can easily add the “|” sign so we can filter the result, and the UI will help us with which values are valid.

That way, within a few seconds, we can modify the query to only show the lines which start with Execute.

What is the next step? I would start looking into my RBAC delegation, because with the power CMPivot brings, more than just the SCCM admins will want to use this feature.

A simply amazing feature and one of the biggest mindset changes to Configuration Manager for a long long time!

Onevinn Windows 10 Upgrade tools – UPGBackground

My dear colleague Johan Schrewelius has created some awesome tools for making it easier to upgrade/service Windows 10 to newer Windows 10 releases using a Task Sequence. We will start this blog series with a post on one of the tools, UPGBackground. For those of you who use OSDBackground, we can call it OSDBackground's little sister 😉 You will recognize the debug feature, which is the same in both. It can be downloaded from the Technet Gallery here: https://gallery.technet.microsoft.com/Windows-10-Upgrade-Tools-431094ca

What does UPGBackground do then?

UPGBackground will cover the entire screen, regardless of whether a user is logged on or not. In short, it is a full-screen application that disables certain system key combinations such as Ctrl+Alt+Del and Alt+F4. Except for a debug password, it requires no configuration, and it will survive a reboot as it is launched as a service. This will prevent any curious end user from logging on before the upgrade is complete and possibly breaking the upgrade or losing data. It supports multiple screens as well, and great feedback from the community has made it even better. If you downloaded it before, please download it again, as some bugs have been solved.

Debug feature

There is a built-in debug mode that is password protected in the same way as OSDBackground. The password can be configured, for example, using a collection variable called “UPGDebugPassword”, as shown below.

When UPGBackground then runs, you can right-click in the top-left corner and a password prompt will appear.

Once the password is entered the following options are displayed.

Language Support

UPGBackground shows only three lines of text; the default language is English, as shown above. The language support is limited to one language at a time. Place a simple .txt file named “UPGBackground.txt” in the same folder as the .msi file, as shown below, and it will be copied along to the installation folder. UPGBackground will detect the file and try to use its content line by line.

Example content of the UPGBackground.txt file in Swedish

Task Sequence sample

To launch it we can use TSLaunch, which is another tool Johan has written. I will cover TSLaunch in detail in a later post, possibly with a video as well, as you can do so many things with it. We install UPGBackground in the Task Sequence as an application, as shown below.

As soon as it is installed it will launch automatically.

To uninstall it when the upgrade is complete or has failed, we use an SMSTSPostAction that simply runs the uninstall command, as shown below. In the sample below I have placed the SMSTSPostAction variable at the end of each section, because we have seen that the SMSTSPostAction command is executed on every reboot in some SCCM versions. It should be fine to add it directly after the install command if everything works as intended.

In case of Task Sequence failure

  • In the event the TS breaks, not fails, but completely breaks – the application has a built-in self-destruction function and will eventually (2-4 minutes) uninstall itself.
  • If a failure or misconfiguration causes the Task Sequence not to start at all UPGBackground will close and uninstall itself in 12-14 minutes.

To sum it up here is a little animated .gif that will show how it works.

Managing Google Chrome version 69 and later using Intune

Google Chrome has a great set of Group Policy settings we can configure, which makes it possible for us to use Chrome even in environments with high security requirements, and we can also do this with Intune, as it supports ADMX ingestion and ADMX-backed policies!
Starting with Google Chrome version 69, ADMX-backed policies (Windows 10 1703 or later) delivered through Intune are supported.

Let’s see how we can configure Chrome using Intune.

Some of the things we might want to configure are forcefully installing Chrome extensions like:

Windows Defender Browser Protection extension, which will protect you from suspicious and malicious sites.

https://chrome.google.com/webstore/detail/windows-defender-browser/bkbeeeffjjeopflfhgeknacdieedcoml 

Windows 10 Accounts extension, which gives the possibility to use your Azure AD account for websites and for Conditional Access in Chrome, so the device can be recognized as a managed device: https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji

In this example we will configure the following:

  • Configure the Home Button
  • Forcefully install the two extensions above
  1. Create a custom Intune configuration profile for Windows 10 and later, which we will use to ingest the Chrome.ADMX file to the clients. Create it with the settings shown below:
    OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
    Data type: String
    In the value for the “String” field, copy all the content from the Chrome.ADMX file as shown below, and then assign it to a test client.
  2. Verify that it works by looking in the registry of the test client under HKLM\Software\Microsoft\PolicyManager\ADMXInstalled
    There you should see ChromeADMX added as shown below.
  3. Create a new configuration profile that uses the Chrome.ADMX file we just ingested. Select a new profile for Windows 10 and later and the Custom profile type. Then we add a new OMA-URI for each setting we make; it will look like this when we are finished:

    Show Home Button:
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ShowHomeButton
    Data type: String
    Value: <enabled/>

    Forcefully install extensions:
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
    Data type: String
    Value: <enabled/>
    <data id="ExtensionInstallForcelistDesc" value="1&#xF000;bkbeeeffjjeopflfhgeknacdieedcoml;https://clients2.google.com/service/update2/crx&#xF000;2&#xF000;ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx"/>
    NOTE: "&#xF000;" are the characters used as separators
  4. Then we assign the Configuration Profile to our test client

On the clients we can see that the policies are applied either by entering chrome://policy/ as the URL in Chrome

or by checking the HKLM\Software\Policies\Chrome registry key.

And when starting Google Chrome, the extensions are automatically installed.

Note that not all policies seem to be working, as many of the Group Policies for Google Chrome only work on devices that are AD joined.
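Hand-typing the ExtensionInstallForcelist value with its &#xF000; separators is error-prone, so as an added example (my own code, not from the post, Google or Microsoft) here is a small script that builds that value from a list of extension IDs and, on a client, checks that the applied policy contains all of them. The two extension IDs are the ones used in the post; the registry key is the one Chrome's ADMX template writes list policies to; the function names are mine.

```powershell
# Added example (my own, not from the post): builds the ExtensionInstallForcelist value with the
# U+F000 separator and checks a client's applied policy. The two extension IDs are the ones in the post.
$Extensions = @(
    'bkbeeeffjjeopflfhgeknacdieedcoml',  # Windows Defender Browser Protection
    'ppnbnpeolgkicgegkbkbjmhlideopiji'   # Windows 10 Accounts
)
$UpdateUrl = 'https://clients2.google.com/service/update2/crx'

function New-ForcelistValue {
    # Returns the string to paste as the OMA-URI value: <enabled/> plus the <data> element
    param([string[]]$Ids, [string]$Url)
    $sep = [string][char]0xF000
    $entries = for ($i = 0; $i -lt $Ids.Count; $i++) {
        $id = $Ids[$i]
        # Chrome extension IDs are exactly 32 characters a-p; anything else is a typo or not an ID at all
        if ($id -notmatch '^[a-p]{32}$') { throw "Not a valid Chrome extension id: $id" }
        "$($i + 1)$sep$id;$Url"
    }
    $raw = $entries -join $sep
    # XML-escape the payload, then write the separator as the &#xF000; entity so the value stays ASCII
    $encoded = [System.Security.SecurityElement]::Escape($raw) -replace $sep, '&#xF000;'
    return "<enabled/>`n<data id=""ExtensionInstallForcelistDesc"" value=""$encoded""/>"
}

function Get-AppliedForcelist {
    # Chrome's ADMX writes list policies as values named 1, 2, ... under this key
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist')
    if (-not (Test-Path $KeyPath)) { return @() }
    $props = (Get-ItemProperty -Path $KeyPath).PSObject.Properties | Where-Object { $_.Name -match '^\d+$' }
    # Each value is "<id>;<update url>"; keep the id only
    return @($props | ForEach-Object { ([string]$_.Value -split ';')[0] })
}

function Test-ForcelistApplied {
    # True when every expected extension id is present in the applied policy
    param([string[]]$Ids)
    $applied = Get-AppliedForcelist
    foreach ($id in $Ids) { if ($applied -notcontains $id) { return $false } }
    return $true
}

# Value for the Intune profile (compare with the <data ...> line in step 3 above)
New-ForcelistValue -Ids $Extensions -Url $UpdateUrl
# Run on a client after the profile has applied
"Forcelist applied: $(Test-ForcelistApplied -Ids $Extensions)"
```

The ID check matters because a force-installed extension runs with whatever permissions its manifest asks for on every managed device; a mistyped ID that happens to exist in the store would be pushed everywhere just as silently as the intended one, so validating the list before it goes into a profile is cheap insurance.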

References: https://support.google.com/chrome/a/answer/9102677?hl=en

How to show OOBE for AzureAD Join after OSD with SCCM

I am writing this post because I am lazy and already have Configuration Manager in my lab. But it is useful in other scenarios as well, to get the latest version of Windows 10 on a computer before testing Azure AD Join/Autopilot, for example.
As I am testing more and more scenarios with Azure AD Join and Autopilot, I ended up doing this little workaround to be able to deploy Windows 10 using Configuration Manager, uninstall the SCCM client and then reboot the machine and come up in OOBE.

Fellow MVP Per Larsen wrote a blog post on how to do it with MDT a while back which is great, if you use MDT have a look at it https://osddeployment.dk/2016/08/26/how-to-show-oobe-for-azuread-join-after-mdt-deployment/

I use a little PowerShell script that uninstalls the SCCM client and then runs Sysprep on the machine, which I trigger using the SMSTSPostAction command.

The PowerShell script:

# Uninstall the ConfigMgr client and wait for ccmsetup to finish before continuing
Start-Process -FilePath "C:\Windows\ccmsetup\ccmsetup.exe" -ArgumentList "/Uninstall" -wait
# Generalize the machine and reboot into OOBE
Start-Process -FilePath "C:\windows\system32\sysprep\sysprep.exe" -ArgumentList "/oobe /reboot"

I created a package of the script and added a small file called copy.cmd to copy the PowerShell script to C:\Windows\Temp so it can be executed from there.

I run copy.cmd as the last step of the task sequence, and then I let the SMSTSPostAction execute the PowerShell script.

The end result is, as expected, a Windows 10 machine in OOBE that can be Azure AD joined.

It saved me time when testing AzureAD Join and Autopilot in my lab, with different versions of Windows 10. I hope it will save you time as well.

Using Google Chrome Roaming Profile settings with UE-V

In my work to get Google Chrome to be a good citizen in an enterprise environment, it is now time to look at roaming the Chrome settings. Chrome has support for roaming profile data, and it can be enabled using a Group Policy, which is great. Is it perfect? No, it doesn't roam extensions, for example. Is that a problem in an enterprise? Perhaps; I will cover that in a later post.

Note that this setting disables cloud sync of Chrome settings for the end users.

The file is called Profile.pb and is stored per default in C:\Users\%UserName%\AppData\Roaming\Google\Chrome\User Data\Default, which in my scenario is fine since I can then roam it using UE-V in Windows 10. You can move the file it creates using another Group Policy setting, “Set the roaming profile directory”, if you would rather save it somewhere that is synced by another solution.

The .xml template used for UE-V is really simple, it only includes the profile.pb file.

<?xml version="1.0"?>
<SettingsLocationTemplate xmlns="http://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate">
  <Name>Google Chrome</Name>
  <ID>Google-Chrome-profile</ID>
  <Version>1</Version>
  <Author>
    <Name>Jorgen</Name>
    <Email>jorgen@ccmexec.com</Email>
  </Author>
  <Processes>
    <Process>
      <Filename>chrome.exe</Filename>
    </Process>
  </Processes>
  <Settings>
    <File>
      <Root>
        <EnvironmentVariable>APPDATA</EnvironmentVariable>
      </Root>
      <Path>Google\Chrome\User Data\Default</Path>
      <FileMask>profile.pb</FileMask>
    </File>
  </Settings>
</SettingsLocationTemplate>

The file can be downloaded here:
chrome

We then register the new template either using PowerShell or a UE-V Template share.
The result is an amazing end user experience!


Windows 10 upgrade assessment using Onevinn TSLaunch


Today version 2 of the “Onevinn Windows 10 Upgrade tools” was released and there are many great new features in there, created by my colleague Johan Schrewelius. It can be downloaded here: https://gallery.technet.microsoft.com/Windows-10-Upgrade-Tools-431094ca

More information on what TSLaunch is can be found here: https://ccmexec.com/2018/05/windows-10-upgradeservicing-tools-demoed-at-mms-2018/

I will try to cover at least some of the new features, starting with the new feature for Windows 10 Upgrade Assessment. The new version of TSLaunch includes an SCCM console extension where we can monitor TSLaunch status and, if we choose to use that feature, Upgrade Assessment status as well.

We can have TSLaunch automatically run an upgrade assessment as soon as the content for the upgrade is cached locally. The result is written to a central log file and to the SCCM console using custom status messages. This gives a nice graphical overview in the SCCM admin console of how the upgrade assessment ran, and also the possibility to deep-dive into any error, as shown below.

You can then select “Launcher” in the menu to the right to see more status. In my case the Windows 10 Upgrade Assessment failed on one computer; the error code is translated to a more understandable error message, at least for the known errors.

A log file is also created where we can see the status of everything TSLaunch actually does. It is placed in C:\Windows\Temp and copied to the log share defined in the tslaunch.exe.config file as well.

You can then drill down to the specific computer in the console, and once you have fixed the assessment error you can select “Start TSlaunch”, which injects a script into SCCM and executes it on the client using the “Run Scripts” feature in Configuration Manager.

We can also run scripts based on the Windows 10 upgrade assessment status. On success or failure we can add computers to collections, remove them, send email or whatever else we want to do. Simply place the script in the TSLaunch folder and add it to the tslaunch.exe.config file.

How do we configure it then? The user guide that Johan put together is simply great, and it covers that as well.

In TSLaunch.exe.config there are a couple of settings we change that are related to Windows 10 Upgrade Assessment.

RunAssessmentTestWhenContentAvailable

If the task sequence deployment is configured to pre-download all content before running it’s
possible to have TSLaunch perform an “Assessment test”. This will be performed according to the
settings in the next key “AssessmentTestArguments”.
The result of the test will be logged as integer, hex and, in most cases, clear text.
Example: “True” or “False”
Remark: Running an Assessment test might temporarily impose a slight negative impact on the
computer’s performance. Since TSLaunch is running repeated preflight checks until all pass, the
assessment test will be suppressed for 12 hours once succeeded. This will be logged.

AssessmentTestArguments

When an assessment test is performed during (within) an upgrade task sequence it invokes the windows installer program “Setup.exe” with the following arguments: “/ImageIndex 3 /auto Upgrade /quiet /noreboot /DynamicUpdate Disable /compat ScanOnly” The “AssessmentTestArguments” key is prepopulated with the same switches and arguments. The image index might have to be changed if you’re upgrading to anything apart from the Enterprise edition, are using modified (patched) media or if Microsoft in the future decides to not bundle the different editions. For 1709 and 1803 out of the box media, no change is required.

It’s possible to add an extra switch/argument to the line if you wish to have the logs copied somewhere for further analysis.
/CopyLogs \%COMPUTERNAME%
%COMPUTERNAME% will in this case be resolved by TSLaunch

SkipAssessmentTestOnFinalPreflightCheck

Even if the preflight checks have previously succeeded TSLaunch will always perform a final check
just before launching the upgrade task sequence. This is necessary to detect if, for example, the user
has disconnected the AC power or left the company network since last run.
It might not be necessary to run an assessment test as part of this final check; thus, it can be
suppressed by setting this key to “True”.
Example: “True” or “False”

AssessmentSucessScript

There are many possible outcomes of an assessment test, one is success all the others are different
kinds of failures, all preventing the upgrade.
If the test is successful you might want to take some special action, like adding the computer to a
collection or similar. To accomplish this, it’s possible to run a PowerShell script on success. The script
could in turn invoke a web service, such as OnevinnWS, to do the actual adding. An example script
that does just that has been included. Executed as SYSTEM.
Leave blank if no script should be run.
Example: “MyOnAssessmentSuccessScript.ps1” or “”

AssessmentFailedScript

Same as above but the script will be invoked in the event of a failure. Executed as SYSTEM.
Example: “MyOnAssessmentFailureScript.ps1” or “”

This gives us great flexibility, more information and more options to be successful in our Windows 10 servicing.

Intune Win32 App deployment – A gamechanger


One of the biggest limitations in Microsoft Intune has been that we could only deploy single-file .MSI’s and not .EXE installers. With the release of Win32 app install support (in Preview) that limitation is now gone!

Not only does it support legacy setups like .exe files, we can also use it for advanced .MSI installations with more than one file, and with Transform files as well.
A great detail is that if you select an .MSI file when creating the wrapped installer, it fills in the Uninstall command and Detection method for us automatically.
Let’s have a look at how it works when we add an .MSI file using the Win32 app option; it was a pleasant surprise that the command line and detection rule were added automatically when an .MSI file is selected.

To start with we need to create a wrapped file containing all the files needed by the setup, using the Intune Win32 app wrapping tool which can be found here: https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool

We use that tool to create an “.Intunewin” file that can be uploaded to Intune; it will ask for the source folder and the executable to run. Note that the current file size limitation on the .Intunewin file is 2GB in Technical Preview.

Now we have an .Intunewin file we can use with Intune.

Once that is done we can log on to the Azure Portal and create our application.

We now get a couple of pages with information to enter about our application. As we can see, we can configure detection rules to define whether the installation was successful or not. All of that is filled in for us if we selected an .MSI file to deploy during the creation of the .IntuneWin file. 😀

App Package file, this is where we select the file that should be uploaded to Intune.

We then go through the wizard step by step.

The next step is the program to run; as we selected the .MSI file before, the command line is already created for us, which makes it so simple.

We add our transform file to the command line so it looks like this instead.

Requirements: here we can set requirements for the application to install, such as Windows 10 versions, memory, disk space and more.

Detection rules: this is something we are used to in Configuration Manager. In our example, as we selected an .MSI when we created the IntuneWin file, the detection rule is already filled in for us under MSI. We can use a script, registry, file or MSI product code.

We can also add our own return codes and what they mean as well.

When we click Add to add the application we have created, we get this dialog until the upload of our .IntuneWin file is completed; it can take a while depending on the Internet connection that is being used.

Now we are ready to deploy our newly created Windows Installer App with an .MST.
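The packaging step and the command lines from the walkthrough above, as an added example that is not code from the original post or from Microsoft’s tool. It assumes IntuneWinAppUtil.exe from the repository linked above is unpacked in C:\Tools, a hypothetical App.msi and App.mst in C:\Source\App, and C:\Intunewin as output folder; the ProductCode is read from the MSI so the detection rule Intune pre-fills can be verified against the file.

```powershell
# Added example: wrap an MSI plus transform into an .intunewin file and build the Intune command lines.
# Assumed paths (not from the original post): tool in C:\Tools, source in C:\Source\App, output in C:\Intunewin.
$toolPath  = "C:\Tools\IntuneWinAppUtil.exe"
$sourceDir = "C:\Source\App"
$msiName   = "App.msi"   # hypothetical installer name
$mstName   = "App.mst"   # hypothetical transform name
$outputDir = "C:\Intunewin"

# Read the ProductCode from the MSI Property table via the Windows Installer COM object;
# this is the value the MSI detection rule in Intune is based on.
function Get-MsiProductCode([string]$MsiPath) {
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $database  = $installer.GetType().InvokeMember("OpenDatabase", "InvokeMethod", $null, $installer, @($MsiPath, 0))
    $query     = "SELECT Value FROM Property WHERE Property = 'ProductCode'"
    $view      = $database.GetType().InvokeMember("OpenView", "InvokeMethod", $null, $database, @($query))
    $view.GetType().InvokeMember("Execute", "InvokeMethod", $null, $view, $null) | Out-Null
    $record    = $view.GetType().InvokeMember("Fetch", "InvokeMethod", $null, $view, $null)
    return $record.GetType().InvokeMember("StringData", "GetProperty", $null, $record, 1)
}

$productCode = Get-MsiProductCode -MsiPath (Join-Path $sourceDir $msiName)

# Wrap the whole source folder (MSI and MST) into one .intunewin file; -q runs without prompts
& $toolPath -c $sourceDir -s $msiName -o $outputDir -q

# Command lines to enter in the Intune wizard; the transform is added to the generated install line
$installCommand   = "msiexec.exe /i `"$msiName`" TRANSFORMS=`"$mstName`" /qn /norestart"
$uninstallCommand = "msiexec.exe /x `"$productCode`" /qn /norestart"

"Install command:   $installCommand"
"Uninstall command: $uninstallCommand"
"Detection rule:    MSI product code $productCode"
```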

For me this is a game changer and closes the one gap I missed the most in Intune; it is simply a great addition! I will follow up this post with a more detailed one on troubleshooting Win32 app deployment.

More information can be found in the Ignite session recording on the topic: https://myignite.techcommunity.microsoft.com/sessions/64593#ignite-html-anchor

And the official documentation: https://docs.microsoft.com/en-us/intune/apps-win32-app-management


Remote tools service gets “Automatic” start in Configuration Manager TP 1810.2


There is a great feeling when you get an email from UserVoice that your UserVoice item has been implemented in the latest Configuration Manager Technical Preview, 1810.2!

This is one thing I always change: the startup type of the SCCM Remote Tools service on the clients, to Automatic instead of Automatic (Delayed). It is one of the biggest complaints I get about SCCM Remote Tools: when a machine is being remote controlled and is restarted, the user has to wait until the service starts.
Looking at a client that has the Configuration Manager 1810.2 Technical Preview installed, the Remote Control service is set to Automatic, no configuration needed!

A small but great change!

UserVoice works! Be sure to add and vote for your favorite ideas!

https://configurationmanager.uservoice.com/forums/300492-ideas

Bitlocker Compliance using SCCM including Hardware encryption check


A quick post on how to check BitLocker compliance in a way where all computers using “Hardware” encryption are also marked as non-compliant, which can be useful after the recent security advisory for SSDs with hardware encryption:
https://redmondmag.com/articles/2018/11/06/microsoft-ssd-security-advisory.aspx?fbclid=IwAR21wX_6S32eyqdRXDeoNqdjb6DZw8UPNXT_d2FQ8pdH52Jop9lvx7g6Tko  

And the Security advisory from Microsoft on the topic.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180028

This started with a discussion with Mattias Borg, @MattiasBorg82 – http://Sec-labs.com, and input from Robert Israelsson and the rest of System Center User Group Sweden – SCUG.SE. Awesome!

But only checking for hardware encryption would not be any fun, so we check that encryption is enabled as well. All machines without BitLocker enabled will also be flagged as “Non-compliant”, which is great as they also need attention, so we get a double benefit from the compliance check. If you only want to check for “Hardware” encryption, the values that are returned by PowerShell are:

None
Aes128Diffuser
Aes256Diffuser
Aes128
Aes256
Hardware
XtsAes128
XtsAes256
Unknown

You can also remove any encryption methods that you shouldn’t be using from the list in the script below so they are marked as non-compliant as well.

The PowerShell script:

# Select only the operating system volume, and only when protection is actually on;
# with BitLocker off (or no OS volume reported) $BitlockerVolume is empty
$BitlockerVolume = Get-BitLockerVolume | Select-Object EncryptionMethod, MountPoint, VolumeType, ProtectionStatus | Where-Object { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }

# Only the accepted software methods return $true; Hardware, None, Unknown and an empty
# result all fall through to Default, so unencrypted machines are flagged as well.
# The [string] cast makes sure an empty result is evaluated by Default rather than skipped.
switch ([string]$BitlockerVolume.EncryptionMethod) {
    Aes128 { $true }
    Aes256 { $true }
    Aes128Diffuser { $true }
    Aes256Diffuser { $true }
    XtsAes128 { $true }
    XtsAes256 { $true }
    Default { $false }
}

We put that in a Configuration Item with the settings type “Script” and Data Type “Boolean” as shown below.

With the following Compliance rule:

If we only want to catch drives with hardware encryption, the PowerShell script can be edited to check only for that. (I haven’t tested it, as I don’t have a disk with hardware encryption.)

# Same selection as above: the protected operating system volume only
$BitlockerVolume = Get-BitLockerVolume | Select-Object EncryptionMethod, MountPoint, VolumeType, ProtectionStatus | Where-Object { $_.VolumeType -eq "OperatingSystem" -and $_.ProtectionStatus -eq "On" }

# Only Hardware is reported as non-compliant here; note that an unencrypted
# machine (empty result) hits Default and is therefore reported as compliant
switch ([string]$BitlockerVolume.EncryptionMethod) {
    Hardware { $false }
    Default { $True }
}
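A generalisation of the two discovery scripts above, added here as an example and not one of the scripts from the post: it evaluates every fixed volume (not only the OS drive), writes the first reason for non-compliance to a constructed log path in C:\Windows\Temp for troubleshooting, and returns the single Boolean the Configuration Item reads. The accepted methods are the software methods from the list above.

```powershell
# Added example: BitLocker compliance over all fixed volumes, with the reason logged for troubleshooting.
$acceptedMethods = @("Aes128", "Aes256", "Aes128Diffuser", "Aes256Diffuser", "XtsAes128", "XtsAes256")
$logPath = "C:\Windows\Temp\BitLockerCompliance.log"   # constructed log location for this example

function Test-VolumeCompliance {
    param($Volume)
    $method = [string]$Volume.EncryptionMethod
    if ($Volume.ProtectionStatus -ne "On") { return "protection is $($Volume.ProtectionStatus)" }
    if ($method -eq "Hardware") { return "hardware (self-encrypting drive) encryption in use" }
    if ($acceptedMethods -notcontains $method) { return "unexpected encryption method '$method'" }
    return $null   # compliant
}

function Get-BitLockerCompliance {
    # Only fixed drives are evaluated so an unencrypted USB stick does not fail the whole machine
    $fixedLetters = (Get-Volume | Where-Object DriveType -eq "Fixed").DriveLetter |
        Where-Object { $_ } | ForEach-Object { "${_}:" }
    $volumes = Get-BitLockerVolume | Where-Object { $_.MountPoint -in $fixedLetters }

    if (-not ($volumes | Where-Object VolumeType -eq "OperatingSystem")) {
        return @{ Compliant = $false; Reason = "no operating system volume reported by BitLocker" }
    }
    foreach ($volume in $volumes) {
        $reason = Test-VolumeCompliance -Volume $volume
        if ($reason) {
            return @{ Compliant = $false; Reason = "$($volume.MountPoint) $reason" }
        }
    }
    return @{ Compliant = $true; Reason = "all fixed volumes use an accepted software encryption method" }
}

$result = Get-BitLockerCompliance
"$(Get-Date -Format s) Compliant=$($result.Compliant) $($result.Reason)" | Out-File -FilePath $logPath -Append

# The only output the Configuration Item evaluates (Data Type Boolean)
$result.Compliant
```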

The .cab file with the baseline and CI can be downloaded from GitHub: https://github.com/SweJorgen/SCCM-Configuration-Items
I hope this is useful.

MMS Desert edition coming up!


MMS is one of my favorite conferences of the year. The reason is the community feeling: I have never been to an event where I have had the pleasure of being part of so many great discussions, and to me that is worth a lot! Microsoft also sends many speakers from different product groups, like the man himself, David James, Director Software Engineering, SCCM, and Michael Niehaus, Principal Program Manager. If you are into anything Configuration Manager or Windows 10, MMS is the right conference for you!

The mix of speakers is perfect if you ask me: a mix of MVPs, product group members and community peers. It cannot be better. https://de.mmsmoa.com/directory/speakers

I have the great, great pleasure of presenting on all the great Configuration Manager community tools together with the Godfather of SMS/SCCM himself, Wally Mead. That is like a dream come true! The Configuration Manager community truly is great.

MMS now hosts a Desert Edition on December 2-4 with two full conference days. Coming from Sweden, where it is rainy, moist, windy and cold at this time of year, I am really looking forward to some desert heat and a great conference!

https://mmsmoa.com/desertedition

Hope to meet many of you there!
