Jörgen Nilsson, Author at CCMEXEC.COM - Enterprise Mobility

SCUG.SE Online Client Day 27/4 2020


We normally arrange at least two physical events per year in our Swedish user group, but this time we will do it online using Teams instead, as the horrible Covid-19 situation is affecting the whole world.
New this time: we will do it in English as well!

We have the great pleasure to announce the following awesome presenters for our Online Day!
Maurice Daly – https://twitter.com/modaly_it
Mirko Colemberg – https://twitter.com/mirkocolemberg
Mattias Borg – https://twitter.com/MattiasBorg82
Timmy Andersson – https://twitter.com/TimmyITdotcom
Dawn Wertz – https://twitter.com/wertzdm3
Jörgen Nilsson – https://twitter.com/ccmexec
Stefan Schörling – https://twitter.com/stefanschorling

Agenda for the day:
08:30 – Meeting Opens
08:45 – State of the union – Stefan & Jörgen
09:15 – Intune RBAC – Mirko Colemberg
10:00 – Break / Networking (on your own!)
10:15 – Threat Response – Stefan Schörling / Mattias Borg
11:15 – Manage Intune using PowerShell – Timmy Andersson
11:45 – MEM – Kahoot!!
12:00 – Lunch
13:00 – Make the transition to Edge Chromium – Jörgen Nilsson
13:30 – Key security features you should enable during your M365 journey – Maurice Daly
14:00 – Break / Networking (on your own!)
14:15 – Configuration Manager Update & Cloud attach – Jörgen & Mirko
14:45 – Keep it simple when deploying Office365 languages – Dawn Wertz
15:15 – The End

Registration is free, but you can choose to support our user group if you have the possibility in these pressing times.
Registration can be done here: Register Now

Hope to see you all on the 27 of April!

Stay Safe!


SCUGSE Client Day – April 2020 recordings are now available


The recordings from our SCUGSE Client Day in April 2020 are now live on YouTube on the SCUGSE channel.
Thanks to everyone who attended, and to the great speakers for all the presentations!
Almost 250 people signed up for the meeting, and 190 were connected in the MS Teams meeting at the same time = Amazing!

The recordings that are available are the following:

A lesson learned for next time is to time the start and end of the recording better; it was hard to combine an online community event, where we like questions, with a great recording in these Covid-19 times. It is easier when you can sit together and moderate the questions.
We will work on that, and keep posted for more content to come on the YouTube channel.

MEMCM Technical Preview 2005 = Epic!


I always love testing out the new Technical Previews and I must say that this one is extremely impressive; all the features are in line with the times we live in now with Covid-19. The product team has once again outdone themselves with features that we need in this scenario. The features included in the preview are epic!

Where to start? Let's start with the new additions to Tenant attach: CMPivot, Run Scripts, Install Application and Timeline. Install Application requires that you have made the move to collection-less deployment of apps using the approval feature, and it works great as you can see in the short video below.
Timeline will be really useful for troubleshooting a client and is available from everywhere; I can troubleshoot a client from my iPad, amazing.

Short video demoing the Tenant attach features in MEMCM 2005 TP

Let’s look at the timeline, we enable it in Client Settings.

Here is the complete list of activities that are recorded on the Timeline for a client: https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2005#collected-events The client reports events to the timeline once per day, but you can force it to refresh from the portal simply by selecting Refresh; that initiates a refresh from the client, not just of the view.

VPN boundary type is a new boundary type which is used to automatically determine that a client is connected using VPN! Looking at the questions in user groups, forums and Reddit, configuring boundaries for VPN has been asked about a lot lately, so this is perfectly timed. You can only have one boundary of the VPN type.

OS deployment from the cloud, yes you read it right: PXE and boot media are now able to use a cloud DP/CMG to download all content needed during OSD. Imagine the possibilities! Remote offices: just send them a USB drive, no more deploying over the internal WAN, fewer DPs, less hassle.
To test it out I changed my boundary group to "Prefer cloud based sources over on-premise sources", added the CMG as a site system, and enabled the client setting "Allow access to cloud distribution point".

The result is an OSD running everything from the CMG.

OSD running from CMG

Taking a look at the SMSTS.log file it downloads the content from the CMG during OSD.

The Enable BitLocker steps in the task sequence are updated with a "Disk encryption mode" option, one less .reg file to import during OSD, great news!

Pre-provision BitLocker step
Enable BitLocker step

Community Hub is also updated to allow more object types, for now only from Microsoft and not from the community:

  • PowerShell Scripts
  • Reports
  • Task sequences
  • Applications
  • Configuration items

Report update failures to Microsoft: if a Configuration Manager update fails to install, a new button is displayed where you can report the upgrade errors directly to Microsoft = making the product even better for everyone!

There are more great additions that will save us time and make our life easier, like Notification for Azure AD app secret key expiration which I have ended up troubleshooting a couple of times already.
More features:

  • Remove command prompt during Windows 10 in-place upgrade
  • Improvements to the content library cleanup tool
  • Microsoft 365 Apps for enterprise
  • Improvements to cloud management gateway cmdlets

Check out the whole documentation on Docs https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2005

Oh and even if nothing is noted in the docs, the remote control dialog with support for remote control over CMG/MP is back in the Technical Preview. It was first introduced in Technical Preview in 1906, let’s hope it makes it this time!

And if you have the time install the Technical Preview and provide feedback to Microsoft so we can make the product even better!

Roam Microsoft Teams custom backgrounds with UE-V


Custom backgrounds in Microsoft Teams is a really great feature, I love it! Use it all the time!

I got a question whether users can roam their custom backgrounds somehow between machines, and of course User Experience Virtualization (UE-V) comes to the rescue. If UE-V is already used and configured on the computers it is really simple: either we add a "teams.xml" file with the configuration needed to the Templates folder, or we register it using PowerShell, for example:
Register-UevTemplate -Path C:\Temp\teams.xml

When adding a custom teams background using the + Add new option in teams.

The custom file you add are copied to C:\Users\YOUR_USER_NAME_HERE\AppData\Roaming\Microsoft\Teams\Backgrounds\Uploads or %Appdata%\Microsoft\Teams\Backgrounds\Uploads

The following UE-V template will take all the files in the above folder and roam them between the user's different computers.

<?xml version="1.0"?>
<SettingsLocationTemplate xmlns="http://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate">
  <Name>MS Teams</Name>
  <ID>Teams-background</ID>
  <Version>1</Version>
  <Author>
    <Name>Jorgen</Name>
    <Email>jorgen@ccmexec.com</Email>
  </Author>
  <Processes>
    <Process>
      <Filename>Teams.exe</Filename>
    </Process>
  </Processes>
  <Settings>
    <File>
      <Root>
        <EnvironmentVariable>APPDATA</EnvironmentVariable>
      </Root>
      <Path Recursive="true">Microsoft\Teams\Backgrounds\Uploads</Path>
    </File>
  </Settings>
</SettingsLocationTemplate>

The file can also be downloaded from GitHub here: https://github.com/Ccmexec/Other

After importing the template file we can verify that it works on two different machines, or by looking in the settings packages for my user, where we can see that the Teams-background folder is created and contains data.

UE-V is a great feature that is still not adopted enough by companies, as we can give the end users an amazing experience roaming settings for applications, using either on-premises storage or OneDrive for example. Google Chrome is another great example that is really appreciated, which I blogged about a while back: https://ccmexec.com/2018/09/using-google-chrome-roaming-profile-settings-with-ue-v/

Configuring Autologon during OSD using Autologon.exe


There are many blog posts on how to configure Autologon, for use when deploying kiosk devices for example. I needed to solve that in a kiosk scenario; more kiosk blog posts will be posted later.
What are the challenges with Autologon then? To start with, the OOBE phase clears out all Autologon registry values, so they need to be configured after OSD is complete. Another challenge is that the username and password are saved in clear text in the registry.

Autologon.exe is a SysInternals tool that encrypts the password used by Autologon in the registry instead of storing it in clear text. Autologon.exe can be downloaded here https://docs.microsoft.com/en-us/sysinternals/downloads/autologon

Here is how we solved it in the project.

Run a PowerShell script during OSD that does the following:

-Writes the username to a registry value so we can pick it up later (in another blog post)
-Copies Autologon.exe to C:\Windows
-Creates an Autologon.cmd file in C:\Windows\Temp which we run as a scheduled task.
-Autologon.cmd includes the username/password for the kiosk user, with permissions set so only SYSTEM can read it
-Creates a scheduled task that runs Autologon.cmd
-Autologon.cmd runs Autologon.exe, then deletes Autologon.cmd and Autologon.exe, removes the scheduled task and reboots.

I use Collection variables to set username and password to be used during OS deployment shown below.

I create a package with Autologon.exe and the .xml file for the schedule task and the PowerShell script which can be downloaded here: https://github.com/Ccmexec/MEMCM-OSD-Scripts/tree/master/Kiosk%20scripts

The PowerShell script, remember to change the $Domain and the $RegKeyName to reflect your environment.

# Name: Autologon.ps1
# Authors: Jörgen Nilsson
# ccmexec.com
# Runs during OSD (as SYSTEM). Stages Autologon.exe and a one-shot Autologon.cmd that a
# scheduled task runs after the first reboot, because OOBE clears the Winlogon autologon
# values if they are set during the task sequence.

[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True)]
    [string]$Username,
    [Parameter(Mandatory=$True)]
    [string]$Password
)
# Set values, change $Domain and $RegKeyName to reflect your environment
$Version = "1"
$RegKeyName = "CCMEXECOSD"
$FullRegKeyName = "HKLM:\SOFTWARE\" + $RegKeyName
$Domain = "demiranda"

# Create the registry key (no error if it already exists)
New-Item -Path $FullRegKeyName -Force -ErrorAction SilentlyContinue | Out-Null

# Set registry values to be used later (the username is picked up by a follow-up script)
New-ItemProperty $FullRegKeyName -Name "Kiosk Version" -Value $Version -Type String -Force -ErrorAction SilentlyContinue | Out-Null
New-ItemProperty $FullRegKeyName -Name "UserName" -Value $Username -Type String -Force -ErrorAction SilentlyContinue | Out-Null

# Create the scheduled task from the XML in the package (the task runs Autologon.cmd as SYSTEM at startup)
Register-ScheduledTask -Xml (Get-Content "$PSScriptRoot\autologon.xml" | Out-String) -TaskName "Autologon" | Out-Null

# Copy Autologon.exe to C:\Windows; Autologon.cmd deletes it again when it is done
Copy-Item -Path "$PSScriptRoot\autologon.exe" -Destination "C:\Windows"

# Create the Autologon.cmd file. It runs Autologon.exe (which stores the password as an LSA secret
# instead of a clear-text registry value), removes Autologon.exe, the scheduled task and itself,
# and reboots so the autologon takes effect.
$AutologonFile = "C:\Windows\Temp\Autologon.cmd"
New-Item $AutologonFile -ItemType File -Force -Value "C:\Windows\Autologon.exe /accepteula $Username $Domain $Password" | Out-Null
Add-Content $AutologonFile ""
Add-Content $AutologonFile "del C:\Windows\Autologon.exe"
Add-Content $AutologonFile "schtasks.exe /delete /tn AutoLogon /f"
Add-Content $AutologonFile "shutdown /r /t 20 /f"
Add-Content $AutologonFile "del %0"

# Set permissions so only SYSTEM can read the cmd file (it holds the password until the task has run):
# strip the inherited ACEs first, then grant SYSTEM full control.
& icacls.exe $AutologonFile /inheritance:r | Out-Null
& icacls.exe $AutologonFile /grant "SYSTEM:(F)" | Out-Null

The group in my task sequence looks like this, where I have a condition on the group that the task sequence variable "KioskDomain" must be present for it to execute.

The configure Autologon step looks like this and executes the PowerShell script from the package we created earlier. Where I pass the username / password as variables to the script. A follow up post on this will explain how I will use that in a Run script as well.

The step “Move to correct OU” moves the computer to a Kiosk OU using an account that has the needed permissions. The script can be found here: https://github.com/Ccmexec/MEMCM-OSD-Scripts

The computer will restart once after the OSD completes, then the scheduled task will start and execute the script, and the machine will reboot and log on automatically.

Then we have successfully configured autologon during OSD without the password in clear text in the registry. Note that the password still travels as a script parameter and sits in Autologon.cmd (readable only by SYSTEM) until the scheduled task has run and deleted it, so that window should be as short as possible.
Next post will cover the script I use to configure Windows 10 to run KioskMode with Multiple apps and how to update it as well, stay tuned!

Cool features in MEMCM 2008 Technical Preview


Configuration Manager 2008 Technical Preview is out! So many cool features in MEMCM 2008 Technical Preview. There are always great new features in there that will make our lives easier. I have a hard time deciding which is the most useful feature; my top two favorites are Collection query preview and Integrated collection evaluator.

Collection query preview
Many customers have a policy not to change a collection membership query after it has been created, to avoid surprises with what the result of the change is. It could be a very unpleasant surprise!
But the new feature where we can preview the result before we save the changes made to the query is simply great!

video showing the preview feature when creating/editing collection queries

Integrated Collection evaluator
The Collection Evaluation Viewer tool from the toolkit is really useful but not used enough, as it is in the toolkit and not in the product itself. Now that it is integrated it will be so much easier to use, and used much more, which will result in better performing environments out there!
It has four queues:
-Manual Evaluation Queue
-Full Evaluation Queue
-Incremental Evaluation Queue
-New Evaluation Queue
It seems to be summarized every time I select Collection Evaluation; the Last Updated time is changed at least. I will test it out when I have added more collections and queries in my Technical Preview lab.

For each of the queues we have the following information:
Collection Name
Collection ID
Estimated Completion Time
Estimated Run Time

Full collection Queue

This will be extremely useful and should be included in every MEMCM admins check list once a week to make sure smooth collection evaluation and performance is maintained.

Windows 10 SetupDiag error charts
More interesting investments are made in Windows 10 servicing, with automatic analysis of Windows 10 servicing errors displayed in the console. Starting with Windows 10 2004, SetupDiag automatically runs on error, and that is the information now being collected by Configuration Manager. My error chart is empty, but this will be a great addition.

Collection errors and timeline view

Scenario Health
Scenario Health is a great addition to the console where we can monitor dependent services like the first example out, the SQL Server Service Broker. Status is checked every 15 minutes per default which can be tweaked. Looking forward to many more services in future releases.

Scenario Health
Scenario Health – SQL Service Broker job status

See task sequence size in the console
A new column is introduced in the Task Sequences view, where we can see the size of the Task Sequence directly in the view.

Size column in Task Sequence view

Import objects to current folder
A smaller but very appreciated change is the fact that we can import objects directly to the currently selected folder. This new behavior applies to applications, packages, driver packages, and task sequences.

Delete Aged Collected Diagnostic Files task
A new site maintenance task that automates the cleanup of collected diagnostic files is also included in this Technical Preview release, as shown below.

Delete Aged Collected Diagnostics Files
Delete aged Collected Diagnostics files properties

That was all the Cool features in MEMCM 2008 Technical Preview for this time. For more information check out the official docs – https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2008

The post Cool features in MEMCM 2008 Technical Preview appeared first on CCMEXEC.COM - Enterprise Mobility.

Windows 10 Secure AutoLogon – PowerShell


I wrote a blog post in June on how to use AutoLogon.exe in a Task Sequence to configure AutoLogon in Windows 10. https://ccmexec.com/2020/06/configuring-autologon-during-osd-using-autologon-exe/

After writing that post my colleague Johan Schrewelius wrote a nice little C# part for us which we use in PowerShell, so we can create and configure an LSA secret using PowerShell instead of using Autologon.exe. That way the password is not stored in clear text in the registry, as it is with traditional solutions.
The script also creates a scheduled task without any file copying needed, a clean and nice solution. As background, the OOBE part of Windows setup clears out all the AutoLogon registry values, which is one of the reasons to use a scheduled task that configures Autologon after deployment.

The script does the following:
1. Creates a scheduled task that runs the PowerShell script after the first reboot.
2. The script configures the necessary registry values for Autologon and an LSA secret with the password, so it is not stored in clear text.
3. Deletes the scheduled task.
4. Reboots the computer so it logs on automatically.

The script will use the following three variables as shown below to configure AutoLogon.
They can either be configured using Device variables, Collection variables, Task Sequence variables or script.

Example Collection variables used for Autologon

In the task sequence I use the following three steps. One moves the computer to a Kiosk OU to make sure the correct Group Policies are applied.
And the Reboot after OSD step sets the "SMSTSPostAction" variable to "cmd /c shutdown /r /t 30 /f".

Sample Task Sequence Kiosk group

The PowerShell script itself can be imported in the Task Sequence instead of using a Package.

Sample Configure AutoLogon step
AutoLogon PowerShell script imported

The script itself, it can also be downloaded from the Github repository: https://github.com/Ccmexec/MEMCM-OSD-Scripts/tree/master/Kiosk%20scripts

<#
    Name: Autologon.ps1 
    Version: 1.0
    Author: Johan Schrewelius
    Date: 2020-06-15
#>

# Read the kiosk account from the task sequence variables (KIOSKUSER, KIOSKDOMAIN, KIOSKPASSWORD)
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment

[string]$Username = $tsenv.Value("KIOSKUSER")
[string]$Domain = $tsenv.Value("KIOSKDOMAIN")
[string]$Password = $tsenv.Value("KIOSKPASSWORD")

# $Code is the script the scheduled task runs after the first reboot. It is a single-quoted
# here-string, so the %PLACEHOLDERS% are substituted with .Replace() further down before it is encoded.
$Code = @'
Add-Type @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
 
namespace PInvoke.LSAUtil {
    // Thin wrapper around the LSA private data API: LsaStorePrivateData writes a named LSA secret
    // (here "DefaultPassword"), the same place Autologon.exe stores the password.
    public class LSAutil {
        [StructLayout (LayoutKind.Sequential)]
        private struct LSA_UNICODE_STRING {
            public UInt16 Length;
            public UInt16 MaximumLength;
            public IntPtr Buffer;
        }
 
        [StructLayout (LayoutKind.Sequential)]
        private struct LSA_OBJECT_ATTRIBUTES {
            public int Length;
            public IntPtr RootDirectory;
            public LSA_UNICODE_STRING ObjectName;
            public uint Attributes;
            public IntPtr SecurityDescriptor;
            public IntPtr SecurityQualityOfService;
        }
 
        private enum LSA_AccessPolicy : long {
            POLICY_VIEW_LOCAL_INFORMATION = 0x00000001L,
            POLICY_VIEW_AUDIT_INFORMATION = 0x00000002L,
            POLICY_GET_PRIVATE_INFORMATION = 0x00000004L,
            POLICY_TRUST_ADMIN = 0x00000008L,
            POLICY_CREATE_ACCOUNT = 0x00000010L,
            POLICY_CREATE_SECRET = 0x00000020L,
            POLICY_CREATE_PRIVILEGE = 0x00000040L,
            POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080L,
            POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100L,
            POLICY_AUDIT_LOG_ADMIN = 0x00000200L,
            POLICY_SERVER_ADMIN = 0x00000400L,
            POLICY_LOOKUP_NAMES = 0x00000800L,
            POLICY_NOTIFICATION = 0x00001000L
        }
 
        [DllImport ("advapi32.dll", SetLastError = true, PreserveSig = true)]
        private static extern uint LsaStorePrivateData (
            IntPtr policyHandle,
            ref LSA_UNICODE_STRING KeyName,
            ref LSA_UNICODE_STRING PrivateData
        );
 
        [DllImport ("advapi32.dll", SetLastError = true, PreserveSig = true)]
        private static extern uint LsaOpenPolicy (
            ref LSA_UNICODE_STRING SystemName,
            ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
            uint DesiredAccess,
            out IntPtr PolicyHandle
        );
 
        [DllImport ("advapi32.dll", SetLastError = true, PreserveSig = true)]
        private static extern uint LsaNtStatusToWinError (
            uint status
        );
 
        [DllImport ("advapi32.dll", SetLastError = true, PreserveSig = true)]
        private static extern uint LsaClose (
            IntPtr policyHandle
        );
 
        [DllImport ("advapi32.dll", SetLastError = true, PreserveSig = true)]
        private static extern uint LsaFreeMemory (
            IntPtr buffer
        );
 
        private LSA_OBJECT_ATTRIBUTES objectAttributes;
        private LSA_UNICODE_STRING localsystem;
        private LSA_UNICODE_STRING secretName;
 
        public LSAutil (string key) {
            if (key.Length == 0) {
                throw new Exception ("Key length zero");
            }
 
            objectAttributes = new LSA_OBJECT_ATTRIBUTES ();
            objectAttributes.Length = 0;
            objectAttributes.RootDirectory = IntPtr.Zero;
            objectAttributes.Attributes = 0;
            objectAttributes.SecurityDescriptor = IntPtr.Zero;
            objectAttributes.SecurityQualityOfService = IntPtr.Zero;
 
            localsystem = new LSA_UNICODE_STRING ();
            localsystem.Buffer = IntPtr.Zero;
            localsystem.Length = 0;
            localsystem.MaximumLength = 0;
 
            secretName = new LSA_UNICODE_STRING ();
            secretName.Buffer = Marshal.StringToHGlobalUni (key);
            secretName.Length = (UInt16) (key.Length * UnicodeEncoding.CharSize);
            secretName.MaximumLength = (UInt16) ((key.Length + 1) * UnicodeEncoding.CharSize);
        }
 
        private IntPtr GetLsaPolicy (LSA_AccessPolicy access) {
            IntPtr LsaPolicyHandle;
            uint ntsResult = LsaOpenPolicy (ref this.localsystem, ref this.objectAttributes, (uint) access, out LsaPolicyHandle);
            uint winErrorCode = LsaNtStatusToWinError (ntsResult);
            if (winErrorCode != 0) {
                throw new Exception ("LsaOpenPolicy failed: " + winErrorCode);
            }
            return LsaPolicyHandle;
        }
 
        private static void ReleaseLsaPolicy (IntPtr LsaPolicyHandle) {
            uint ntsResult = LsaClose (LsaPolicyHandle);
            uint winErrorCode = LsaNtStatusToWinError (ntsResult);
            if (winErrorCode != 0) {
                throw new Exception ("LsaClose failed: " + winErrorCode);
            }
        }
 
        private static void FreeMemory (IntPtr Buffer) {
            uint ntsResult = LsaFreeMemory (Buffer);
            uint winErrorCode = LsaNtStatusToWinError (ntsResult);
            if (winErrorCode != 0) {
                throw new Exception ("LsaFreeMemory failed: " + winErrorCode);
            }
        }
 
        public void SetSecret (string value) {
            LSA_UNICODE_STRING lusSecretData = new LSA_UNICODE_STRING ();
 
            if (value.Length > 0) {
                //Create data and key
                lusSecretData.Buffer = Marshal.StringToHGlobalUni (value);
                lusSecretData.Length = (UInt16) (value.Length * UnicodeEncoding.CharSize);
                lusSecretData.MaximumLength = (UInt16) ((value.Length + 1) * UnicodeEncoding.CharSize);
            } else {
                //Delete data and key
                lusSecretData.Buffer = IntPtr.Zero;
                lusSecretData.Length = 0;
                lusSecretData.MaximumLength = 0;
            }
 
            IntPtr LsaPolicyHandle = GetLsaPolicy (LSA_AccessPolicy.POLICY_CREATE_SECRET);
            uint result = LsaStorePrivateData (LsaPolicyHandle, ref secretName, ref lusSecretData);
            ReleaseLsaPolicy (LsaPolicyHandle);
 
            uint winErrorCode = LsaNtStatusToWinError (result);
            if (winErrorCode != 0) {
                throw new Exception ("StorePrivateData failed: " + winErrorCode);
            }
        }
    }
}
"@
# The values below are substituted into this script before it is encoded (see the Replace calls
# further down). They are single-quoted so that $, ` and " in a value cannot break out of the literal.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DefaultUserName" -Value '%USERNAME%'
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DefaultDomainName" -Value '%DOMAINNAME%'
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "AutoAdminLogon" -Value "1"
# Remove any clear-text DefaultPassword value left behind by other methods; the LSA secret replaces it
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DefaultPassword" -ErrorAction SilentlyContinue
# Store the password as the DefaultPassword LSA secret
[PInvoke.LSAUtil.LSAutil]::new("DefaultPassword").SetSecret('%PASSWORD%')
# The task is one-shot: remove it and reboot so the autologon takes effect
Unregister-ScheduledTask -TaskName "CreateAutologon" -Confirm:$false -ErrorAction SilentlyContinue
Restart-Computer -Force
'@

function Create-Task ($Argument)
{
    # Register a one-shot scheduled task through the Task Scheduler COM API
    $Schedule = New-Object -ComObject "Schedule.Service"
    $Schedule.Connect('localhost')
    $Folder = $Schedule.GetFolder('\')

    $task = $Schedule.NewTask(0)
    $task.RegistrationInfo.Author = "Onevinn"
    $task.RegistrationInfo.Description = "CreateAutologon"

    # Action: PowerShell.exe with the encoded script as argument (0 = TASK_ACTION_EXEC)
    $action = $task.Actions.Create(0)
    $action.Path = "PowerShell.exe"
    $action.Arguments = "$Argument"

    $task.Settings.StartWhenAvailable = $true

    # Trigger: at system startup (8 = TASK_TRIGGER_BOOT), delayed 120 seconds
    $trigger = $task.Triggers.Create(8)
    $trigger.Delay = "PT120S"

    # 6 = TASK_CREATE_OR_UPDATE, 5 = TASK_LOGON_SERVICE_ACCOUNT: the task runs as SYSTEM
    $result = $Folder.RegisterTaskDefinition("CreateAutologon", $task, 6, "SYSTEM", $null, 5)
}

# Substitute the task sequence values into the script. Each value lands inside a single-quoted
# PowerShell literal, so the only character that needs escaping is a single quote (doubled).
$Code = $Code.Replace("%USERNAME%", $Username.Replace("'", "''"))
$Code = $Code.Replace("%DOMAINNAME%", $Domain.Replace("'", "''"))
$Code = $Code.Replace("%PASSWORD%", $Password.Replace("'", "''"))

# -EncodedCommand expects the script as Base64 of its UTF-16LE bytes
$bytes = [System.Text.Encoding]::Unicode.GetBytes($Code)
$b64 = [System.Convert]::ToBase64String($bytes)

Create-Task -Argument "-NoProfile -EncodedCommand $($b64)"
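As an added check, not part of the original post or either of the scripts on this page, here is a PowerShell function to run on the kiosk after its first reboot to verify the result of both variants: the Autologon.exe task sequence script from the June post and the LSA-secret script above. It confirms the Winlogon values are set, that no clear-text DefaultPassword value is left in the registry, that the one-shot tasks ("Autologon" and "CreateAutologon", the names used by the two scripts) are gone, and that the files staged by the Autologon.exe variant have been removed. The function name Test-KioskAutologon and the sample user "kioskuser" are my own; the domain "demiranda" is the one used in the June script.

```powershell
# Added example: post-deployment check for the autologon configured by either script on this page.
# Run elevated on the kiosk device after it has rebooted once.
function Test-KioskAutologon {
    param(
        [Parameter(Mandatory)][string]$ExpectedUser,
        [Parameter(Mandatory)][string]$ExpectedDomain
    )
    $winlogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $wl = Get-ItemProperty -Path $winlogon
    $findings = New-Object System.Collections.Generic.List[string]

    if ($wl.AutoAdminLogon -ne "1") { $findings.Add("AutoAdminLogon is '$($wl.AutoAdminLogon)', expected '1'") }
    if ($wl.DefaultUserName -ne $ExpectedUser) { $findings.Add("DefaultUserName is '$($wl.DefaultUserName)', expected '$ExpectedUser'") }
    if ($wl.DefaultDomainName -ne $ExpectedDomain) { $findings.Add("DefaultDomainName is '$($wl.DefaultDomainName)', expected '$ExpectedDomain'") }

    # The whole point of both scripts: the password must not exist as a readable registry value.
    if ($null -ne $wl.PSObject.Properties['DefaultPassword']) {
        $findings.Add("DefaultPassword exists as a clear-text registry value")
    }

    # The LSA secret lives under HKLM\SECURITY, which only SYSTEM can read, so check it only when we are SYSTEM
    # (e.g. when this function runs from a SYSTEM scheduled task or a ConfigMgr script).
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($me -eq "NT AUTHORITY\SYSTEM") {
        if (-not (Test-Path "HKLM:\SECURITY\Policy\Secrets\DefaultPassword")) {
            $findings.Add("No DefaultPassword LSA secret found")
        }
    }

    # The one-shot tasks from both variants remove themselves; a leftover task still carries the password
    # (clear text in Autologon.cmd, Base64 in the CreateAutologon task arguments).
    foreach ($taskName in @("Autologon", "CreateAutologon")) {
        if (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue) {
            $findings.Add("Scheduled task '$taskName' still exists")
        }
    }

    # Files staged by the Autologon.exe variant should be gone after Autologon.cmd has run.
    foreach ($f in @("C:\Windows\Temp\Autologon.cmd", "C:\Windows\Autologon.exe")) {
        if (Test-Path $f) { $findings.Add("Leftover file $f") }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Passed   = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage (user name is an assumption, domain is the one from the June script)
Test-KioskAutologon -ExpectedUser "kioskuser" -ExpectedDomain "demiranda" | Format-List
```

Passed = True with an empty Findings list is the expected result on a correctly deployed kiosk; anything else tells you which step did not complete.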

A couple of things to be aware of before using this in production: the password is substituted into the script and only Base64-encoded (UTF-16) in the task's arguments, so anyone who can read the task definition before it has run will see it, and so will any audit trail that records task creation with its content (Security event 4698 when "Audit Other Object Access Events" is enabled). PowerShell 5 also logs script blocks containing strings it considers suspicious (DllImport is on that list) as event 4104 in the Microsoft-Windows-PowerShell/Operational log even when script block logging is not turned on, so the decoded script, password included, can end up in that log on the kiosk. The task runs once at the next boot and removes itself, so the window is short, but check your logging and log forwarding before you roll it out.
I hope you find this useful


MS Edge v85 roaming profile + UE-V


One of the new features in MS Edge v85 is support for roaming profile settings to a local file, profile.pb.
This is great news for many organizations that cannot synchronize the user settings to Azure AD account due to for example laws, compliance or lack of Azure AD Premium. More information about the new feature in Edge version 85 can be found here: https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-on-premises-sync

I wrote a blog post about two years ago on how to roam the “Profile.pb” file in Google Chrome using UE-V here: https://ccmexec.com/2018/09/using-google-chrome-roaming-profile-settings-with-ue-v/
Tested using UE-V for the new MS Edge feature and it works fine as well! The short video below shows two computers with the same user logged on to both and roaming favorites between them.

Demo Favorites roaming in MS Edge 85 and UE-V

The new setting enables the creation of the "Profile.pb" file. Note that Edge and Edge Beta save the file in different locations by default, which makes sense. The default location can also be changed using a Group Policy if we want to point it to another folder. For MS Edge Beta the default folder is shown below.

Default location of the profile.pb file

To enable roaming using the local file we need to enable two Group Policies. “Configure automatic sign in with an Active Directory domain account when there is no Azure AD domain account” as shown below.
NOTE: as the name indicates it will not work if the user exists in AzureAD in a Hybrid setup.

Configure automatic sign in

And then we enable the creation of the profile.pb file by using "Enable using roaming copies for Microsoft Edge profile data", as shown below.

Enable using roaming copies for MS edge profile data

If we look in MS Edge settings on the client we can see that the setting is applied.

MS Edge settings screenshot

I have posted the UE-V XML template for MS Edge Beta, as Edge Stable v85 is not released when I write this post, on GitHub here: https://github.com/Ccmexec/Other/tree/master/UE-V%20sample%20files
Because Edge Beta and Edge Stable save the file in different locations I have created one for Beta, and will post the one for Stable when it is released.
The content of the file is really simple as shown below.

<?xml version="1.0"?>
<SettingsLocationTemplate xmlns="http://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate">
  <Name>MSEdgeBeta</Name>
  <ID>EdgeBeta-Profile</ID>
  <Version>1</Version>
  <Author>
    <Name>Jorgen</Name>
    <Email>jorgen@ccmexec.com</Email>
  </Author>
  <Processes>
    <Process>
      <Filename>MSEdge.exe</Filename>
    </Process>
  </Processes>
  <Settings>
    <File>
      <Root>
        <EnvironmentVariable>APPDATA</EnvironmentVariable>
      </Root>
      <Path>Microsoft\Edge Beta\User Data</Path>
      <FileMask>profile.pb</FileMask>
    </File>
  </Settings>
</SettingsLocationTemplate>



In my case I simply drop the template in my UE-V template folder and the clients will pick it up and start syncing the file.

UE-V template folder

The new roaming option is great news for many organisations and if we combine it with UE-V the end user experience is really great!
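As an added example, not part of the original post or the templates above, here is a PowerShell script I would run before dropping a template like the Teams one or the Edge Beta one from this page into the template folder: it checks the structure a UE-V settings location template needs (the namespace, ID, Name, Version, at least one Process with a Filename, and File settings whose Root is an environment variable that exists on the machine and whose Path is relative), then registers it and confirms the client picked it up. The structural rules are taken from the two templates on this page, not from the UE-V schema itself; the Register-UevTemplate, Get-UevTemplate and Get-UevConfiguration calls assume the UEV PowerShell module on a Windows 10 Enterprise client, the template path is an assumption, and the SettingsPackages\<ID> folder layout is the one the Teams post shows.

```powershell
# Added example: validate a UE-V settings location template, then register it and confirm
# the client's settings storage path gets a package folder for it.
$TemplateNs = "http://schemas.microsoft.com/UserExperienceVirtualization/2013A/SettingsLocationTemplate"

function Test-UevTemplateFile {
    param([Parameter(Mandatory)][string]$Path)
    $problems = New-Object System.Collections.Generic.List[string]
    try { [xml]$xml = Get-Content -Path $Path -Raw -ErrorAction Stop }
    catch { return [pscustomobject]@{ Path = $Path; Id = $null; Valid = $false; Problems = @("Not well-formed XML: $($_.Exception.Message)") } }

    $root = $xml.DocumentElement
    if ($root.LocalName -ne "SettingsLocationTemplate" -or $root.NamespaceURI -ne $TemplateNs) {
        $problems.Add("Root element must be SettingsLocationTemplate in namespace $TemplateNs")
    }
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace("u", $TemplateNs)

    # The ID names the settings package folder on the storage path, so keep it a plain token.
    $id = $xml.SelectSingleNode("/u:SettingsLocationTemplate/u:ID", $ns)
    if (-not $id -or $id.InnerText -notmatch '^[A-Za-z0-9_.-]+$') { $problems.Add("ID missing or not a plain token") }
    foreach ($el in "Name", "Version") {
        if (-not $xml.SelectSingleNode("/u:SettingsLocationTemplate/u:$el", $ns)) { $problems.Add("$el element missing") }
    }
    # Each Process needs a Filename; UE-V syncs when that process starts and stops.
    $procs = $xml.SelectNodes("/u:SettingsLocationTemplate/u:Processes/u:Process", $ns)
    if ($procs.Count -eq 0) { $problems.Add("No Process elements") }
    foreach ($p in $procs) {
        if (-not $p.SelectSingleNode("u:Filename", $ns)) { $problems.Add("Process without Filename") }
    }
    # Each File setting needs a Root environment variable and a Path relative to it;
    # an absolute path would not roam between machines.
    $files = $xml.SelectNodes("/u:SettingsLocationTemplate/u:Settings/u:File", $ns)
    if ($files.Count -eq 0) { $problems.Add("No File settings") }
    foreach ($f in $files) {
        $rootVar = $f.SelectSingleNode("u:Root/u:EnvironmentVariable", $ns)
        $rel = $f.SelectSingleNode("u:Path", $ns)
        if (-not $rootVar) { $problems.Add("File setting without Root/EnvironmentVariable") }
        elseif (-not (Test-Path "Env:\$($rootVar.InnerText)")) { $problems.Add("Environment variable $($rootVar.InnerText) is not defined on this machine") }
        if (-not $rel) { $problems.Add("File setting without Path") }
        elseif ([System.IO.Path]::IsPathRooted($rel.InnerText)) { $problems.Add("Path '$($rel.InnerText)' must be relative to Root") }
    }
    [pscustomobject]@{ Path = $Path; Id = $id.InnerText; Valid = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

$templatePath = "C:\Temp\MSEdgeBeta.xml"   # assumption: where the template from this post was saved
$check = Test-UevTemplateFile -Path $templatePath
$check | Format-List
if (-not $check.Valid) { return }

# Register it and confirm the client knows about it (UEV module cmdlets)
Register-UevTemplate -Path $templatePath
Get-UevTemplate | Where-Object { $_.TemplateId -eq $check.Id }

# After the application has been started and closed once, a package folder named after the
# template ID should exist under the settings storage path (the folder the Teams post checks).
$storage = (Get-UevConfiguration).SettingsStoragePath
$pkg = Join-Path ([Environment]::ExpandEnvironmentVariables($storage)) "SettingsPackages\$($check.Id)"
"Settings package folder $pkg exists: $(Test-Path $pkg)"
```

The structural check runs without the UE-V module and catches the mistakes that otherwise show up only as a template that silently never syncs (wrong namespace, an ID with characters that cannot be a folder name, an absolute Path); the last three lines need the UEV module and a client that has already run the application once.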



MEMCM 2009 TP CMG – Virtual Machine sets


Configuration Manager 2009 Technical Preview is out with some great new features for us to test. One of them is Cloud Management Gateway (CMG) support for virtual machine scale sets. This is a great feature as it solves the CSP issue we had with CMG, which uses a classic cloud service that is not available in a CSP subscription.

I needed to test it out of course, it was one of the scenarios as well which I always try to complete for all Technical Preview builds.

So what has changed?
I deleted my “old” CMG and started over. We now have the choice when we setup a new CMG if we want to use “Virtual machine scale set” or “Cloud Service ( Classic)”. As shown below

Setting up a new CMG

What I of course failed at in my first attempt was to read the documentation…… hmm.
Using Virtual machine scale sets requires new/different resource providers in Azure to be enabled in the Subscription.
I logged in to my Azure Subscription and added the following Resource Providers that are required when using Virtual machine scale sets.

Azure Resource Groups

Next change is the new service name which includes the region as well, in my case North Europe. Which required a new certificate if cloudapp.net names are used as it is in my case. If you are using a different DNS name and certificate than cloudapp.net you can just update the CNAME in DNS to point to the new service name.

CMG setup new servicename

I requested a new certificate from my CA using the same template as I used to set it up my old CMG but with the new DNS name “CCMEXECTP4.northeurope.cloudapp.azure.com” as shown below.

CMG Setup new servicename

Next step is adding my trusted Root certificate.

Adding trusted root certificate

Then we configure our alerts for our CMG

Configuring CMG alerts

Next I reconfigured my Cloud Management Connection point to use the new CMG I have setup.

Cloud management gateway properties

Then we are done: a Configuration Manager cup of coffee, or actually dinner in my case, and the deployment of my new CMG using a virtual machine scale set was ready to use!

CMG Deployed using Virtual machine scale set

If we look in Azure there are a couple of new resources created for us compared to the classic CMG, or should we start calling it “legacy” now? 😉

A great addition to Configuration Manager; I cannot wait until it ships. Support for CSP subscriptions has been a long-awaited feature and has been discussed numerous times. For more information about what is new in MEMCM 2009 TP, check out the docs: Technical Preview 2009
Now that I have a new CMG up and running, testing remote control over CMG will be my next task.

The post MEMCM 2009 TP CMG – Virtual Machine sets appeared first on CCMEXEC.COM - Enterprise Mobility.

Remote Control over CMG MEMCM TP 2009 – First look


I had to test out this feature as well in Configuration Manager (MEMCM) 2009 Technical Preview: remote control over the Cloud Management Gateway (CMG). It is a long-awaited feature that was first introduced in Technical Preview 1906 (Technical Preview docs) and then removed again for a year or more.

Being able to remote control a computer over the Internet using CMG has been asked for many, many times during the last couple of months, with all the work from home being done in these hard Covid-19 times. So I needed to check it out, and recorded a short video of how the experience was, as shown below.

Remote control over CMG

The requirements for using it, taken from the docs, are the following; more information can be found here: Technical Preview 2009

  • The user that is remote controlling, needs to be added to the list of permitted viewers in client settings/remote control.
  • The CM Client needs to be updated and online over CMG

The following authentication options can be used.

  • A valid PKI client certificate
  • Azure Active Directory (Azure AD)
  • Token-based authentication

It works really well; I haven’t tested slower connections yet…

One thing I will file as feedback is that it seems to try to resolve the client on the local network first and only after a timeout tries to use the CMG. This takes a while, as you can see in the video above, and could be stressful when trying to remote control a computer, both for the end user and the technician.

Great that we finally can test it again at least, let’s hope it makes it to the next release.


SCUG.SE Online Workplace days 6-7 October 2020


Scug.se

SCUG.SE welcomes you to two afternoons packed with workplace management goodness! We normally host two physical events in Stockholm every year, but with the Covid-19 situation that is not possible. So instead we are doing it online using Teams.
We did a poll in our Swedish user group about the format, and the winning format was to host the event over two afternoons instead of one whole day. The community has spoken, so that is what we are planning.
For this Online event in October we have a great lineup of speakers and sessions! We welcome:

Sandy Zeng, MVP (@Sandy_Tsang)

Thomas Kurth, MVP (@ThomasKurth_CH)

Nickolaj Andersen, MVP (@NickolajA)

Ronny de Jong, MVP (@Ronnydejong)

Stefan Schörling, MVP (@stefanSchorling)

Jörgen Nilsson, MVP (@ccmexec)

Jan Ketil Skanke, MVP (@jankeskanke)

We still have two slots open; we will announce them soon.

Agenda 6/10:

Agenda 7/10:

Registration is free with an option to sponsor our User Groups if you like.
Registration
We will email the event link a couple of days before the event to all registered attendees.

Hope to see you there.

Jörgen & Stefan


Deploy a Windows 10 multi-app kiosk with MEMCM and PowerShell – 4Sysops


A while ago I wrote a post on how to use Autologon.exe and PowerShell (thanks, Johan Schrewelius) to make autologon in Windows 10 a little more secure: https://ccmexec.com/2020/08/windows-10-secure-autologon-powershell/
Taking this one step further, I wrote a blog post for 4Sysops.com on how to configure a multi-app kiosk, where that script is used as part of the solution.

Multiapp Kiosk

https://4sysops.com/archives/deploy-a-windows-10-multi-app-kiosk-with-microsoft-endpoint-manager-configuration-manager-memcm-and-powershell/

I hope you find the script/solution useful!


Update Windows 10 multi-app kiosk using Run Script in MEMCM – 4Sysops


To follow up on the post on deploying a Windows 10 multi-app kiosk using MEMCM, this post shows how we can update the configuration using Run Scripts in Configuration Manager (MEMCM).

A little background. In the last post we deployed a Windows multi-app kiosk using an assigned access configuration and a PowerShell script during OS deployment. Now that the kiosk machine is in production, we get a service desk ticket saying that the kiosk users must be able to add printers to the kiosk machine.
The whole post can be found on 4Sysops.com, https://4sysops.com/archives/update-windows-10-multi-app-kiosk-using-run-script-in-microsoft-endpoint-configuration-manager-memcm/

Multiapp kiosk with the settings app available

I hope you find it useful!


Deploy Adobe Flash Removal update KB4577586 using MEMCM


Support for Adobe Flash ends on the 31st of December 2020, as announced by Adobe back in 2017: https://www.adobe.com/se/products/flashplayer/end-of-life.html On October 27th Microsoft released an update that removes Adobe Flash Player, which is a good thing: https://support.microsoft.com/en-us/help/4577586/update-for-removal-of-adobe-flash-player
We need to make sure it is removed: software that is no longer supported and no longer receives security updates is a big security risk, bigger than Flash itself ever was while it was patched.

The update is not available in WSUS yet. According to the KB article mentioned above it will be made available in early 2021, which in my opinion is a bit late. It is available in the Microsoft Update Catalog though, which is a good start: we can import it into WSUS, synchronize it to MEMCM and deploy it.
Note: Once the update is installed it cannot be uninstalled, so there is no way back if you later need to re-enable Flash.

I have imported it in a couple environments and run into some different issues so I wrote this post to save you some time googling the errors.

Import and deploy the update

To import the update we need to start the WSUS admin console using Run as administrator. From there we select Import Updates; Internet Explorer 11 is launched and we are directed to the Microsoft Update Catalog.

Import updates in WSUS admin console

We search for our KB4577586 to find our update.

Search in Microsoft Catalog

We select the update for the versions and architecture we need, then select add to basket.

Select updates for Windows Version and architecture

From the “basket” view we can select to import the update directly into WSUS as shown below.

Import directly into Windows Server Update Services

When clicking Import the updates are imported into the WSUS Database. The process is really fast as the update is really small.

Import successful

When the import is completed we start a manual synchronization of updates in MEMCM as we lack patience to wait for the next sync to occur.

Run Synchronization in the admin Console

Then we take a Configuration Manager cup of coffee and wait until the synchronization is complete. Once it is complete we can deploy the update and start testing it out.

Updates ready to deploy in the Admin console
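Deploying the update is only half the job; we also want proof that Flash is actually gone from the clients. The script below is an added example, not part of the original post: a discovery script for a Configuration Manager configuration item that returns "Compliant" when KB4577586 is installed and no Flash binaries remain, and otherwise a reason string that the compliance rule can report. The paths are where the Windows-bundled Flash ActiveX control lived; that KB4577586 shows up in Get-HotFix like other updates is an assumption, so test it on one patched machine before rolling the baseline out.

```powershell
# Added example (not from the original post): CI discovery script that
# checks whether Flash is really gone after KB4577586. Rule: value equals
# "Compliant". Paths and the Get-HotFix visibility of the KB are assumptions.
function Test-FlashRemoved {
    $Findings = @()

    # The removal update, assumed to be listed like any other hotfix.
    if (-not (Get-HotFix -Id 'KB4577586' -ErrorAction SilentlyContinue)) {
        $Findings += 'KB4577586 not installed'
    }

    # Locations of the in-box Flash ActiveX control (64-bit and 32-bit).
    $FlashPaths = @(
        "$env:SystemRoot\System32\Macromed\Flash",
        "$env:SystemRoot\SysWOW64\Macromed\Flash"
    )
    foreach ($Path in $FlashPaths) {
        $Binaries = Get-ChildItem -Path $Path -Include *.ocx, *.dll -Recurse -ErrorAction SilentlyContinue
        if ($Binaries) {
            $Findings += "Flash binaries remain in $Path ($($Binaries.Name -join ', '))"
        }
    }

    # A separately installed Flash (Adobe's own NPAPI/PPAPI packages) is not
    # touched by KB4577586, so report it as well.
    $UninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Flash Player*' }
    if ($Installed) {
        $Findings += "Standalone Flash installed: $($Installed.DisplayName -join ', ')"
    }

    if ($Findings.Count -eq 0) { 'Compliant' } else { $Findings -join '; ' }
}

# The CI takes the last value written to the pipeline as the discovered value.
Test-FlashRemoved
```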

Troubleshooting WSUS import errors

Make sure you start Internet Explorer once with “Run as administrator” and navigate to the Microsoft Update Catalog website. Install the ActiveX control when prompted. If you get the message below, I found it easiest to add “http://catalog.update.microsoft.com” to the Trusted sites zone. Note “HTTP”: it is old stuff, and the link from the WSUS admin console uses HTTP. Keep in mind that the Trusted sites zone relaxes Internet Explorer's protections for that site, so remove the entry again once the import is done.

Another issue I always run into the first time is actually downloading the updates, as shown below.

Enable strong cryptography (TLS 1.2) for .NET Framework 4, as described here: https://community.spiceworks.com/topic/2144162-import-to-wsus-fails-direct-import-from-ms-update-catalog. The value below makes .NET 4.x applications on the server, WSUS included, use TLS 1.2 when talking to the catalog.

  1. reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /v SchUseStrongCrypto /t REG_DWORD /d 1
  2. Reboot the server and try again.

That should solve the issue!

Happy testing!


Map drives when connecting to corporate network


In every modern management project where we use Azure AD join instead of traditional domain join, there are always some network drives that need to be mapped for the end users. Not very modern, I know, but there is a real world out there as well.
With a modern client, sleep and hibernate are the new way to work, so the computer rarely goes through a fresh logon. Running a script at logon isn’t enough; we need to be more flexible.
There are a great number of good logon script samples out there, so I will not go down that path. Instead, adding a trigger to a scheduled task that fires when we connect to a network with a specific name is a useful addition that makes the end-user experience much better.

Here is a short demo on how to map drives when connecting to corporate network.

But wait! No blue PowerShell splash screen was in the video.
I use PSRun.exe that my colleague Johan Schrewelius has written which you can find here: https://onevinn.schrewelius.it/Apps01.html. PSRun suppresses the PowerShell splash screen and passes all commands that you execute PSRun with directly to PowerShell.

To achieve this, we add a trigger to our schedule task so we have two triggers on it, one to run at logon and one custom that runs when connected to a network with a specific name. It looks like this:

Schedule Task triggers

The custom event filter contains the network name for which we will use to trigger the script when connected to.

Custom event filter

The scripts

I wrote a simple install script that imports the scheduled task and copies the script I use to map the drives to C:\Program Files\ConnectDrives. It also writes a registry key and value, which can be used as the detection method when deploying it as a Win32 app to our modern clients.

<#
    Name: Install.ps1 
    Version: 1.0
    Author: Jörgen Nilsson
    Date: 2020-11-15
#>

[string]$RegKeyName = "ConnectDrives"
[string]$FullRegKeyName = "HKLM:\SOFTWARE\ccmexec\" + $RegKeyName 
[string]$InstallPath = "$env:ProgramFiles\ConnectDrives"

# Create the registry key and value used as detection method if they don't exist
If (!(Test-Path $FullRegKeyName)) {
    New-Item -Path $FullRegKeyName -Force | Out-Null
    New-ItemProperty -Path $FullRegKeyName -Name "ConnectDrives" -Value "1" -PropertyType String -Force | Out-Null
    }

# Install folder under Program Files, which standard users cannot modify
If (!(Test-Path $InstallPath)) {
    New-Item -Path $InstallPath -ItemType Directory -Force | Out-Null
    }

# Copy the drive mapping script and PSRun (downloaded separately) to the install folder
Copy-Item -Path "$PSScriptRoot\ConnectDrives.ps1" -Destination $InstallPath -Force
Copy-Item -Path "$PSScriptRoot\psrun.exe" -Destination $InstallPath -Force

# Register the scheduled task from the exported XML (logon trigger + network connected trigger)
Register-ScheduledTask -Xml (Get-Content "$PSScriptRoot\ConnectDrives.xml" | Out-String) -TaskName "ConnectDrives" -Force | Out-Null

The script I used to map the drives:

If (!(Test-Path G:)) {
   New-PSDrive G -PSProvider FileSystem -Persist -Root "\\d00001\share"
}

If (!(Test-Path M:)) {
   New-PSDrive M -PSProvider FileSystem -Persist -Root "\\d00001\sources"
}

Registry key/value configured by the script:

Registry key and value

The files in the script:

Files in the install folder

The scripts can be downloaded here: https://github.com/Ccmexec/Intune-MEM

PSRun needs to be downloaded from here and copied to the folder:
https://onevinn.schrewelius.it/Apps01.html
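If you prefer to build the task in PowerShell instead of importing ConnectDrives.xml, the block below is an added example (not part of the original post or the download) that creates the same two triggers: one at logon and one that fires on the "Network Connected" event (ID 10000) that Windows writes to the Microsoft-Windows-NetworkProfile/Operational log, filtered on the network name. The network name "CorpNet" and the install path are assumptions. The post says PSRun passes its arguments straight to PowerShell, so the arguments used here are the usual powershell.exe ones; that PSRun accepts them in exactly this form is an assumption. The task runs as the interactive user with limited rights (mapped drives belong to the user session and nothing here needs elevation), and the script it starts lives under Program Files, so the user the task runs as cannot swap it for something else. Note that the network name in the trigger only decides when the script runs; the mapping itself is still authenticated by SMB, so a rogue network with the same name gains nothing but a failed mapping.

```powershell
# Added example (not from the original post): create the ConnectDrives task
# with a logon trigger and a NetworkProfile event trigger. Network name,
# install path and the PSRun argument format are assumptions.
$NetworkName = 'CorpNet'
$InstallPath = "$env:ProgramFiles\ConnectDrives"
$TaskName    = 'ConnectDrives'

# Event filter: EventID 10000 ("Network Connected") in the NetworkProfile log,
# with the profile name in the Name field of the event data.
$Subscription = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">
      *[System[Provider[@Name='Microsoft-Windows-NetworkProfile'] and EventID=10000]]
      and *[EventData[Data[@Name='Name']='$NetworkName']]
    </Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger cannot create event triggers, so build one via CIM.
$EventTriggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler:MSFT_TaskEventTrigger
$EventTrigger = New-CimInstance -CimClass $EventTriggerClass -ClientOnly
$EventTrigger.Subscription = $Subscription
$EventTrigger.Enabled = $true

$LogonTrigger = New-ScheduledTaskTrigger -AtLogOn

# Run as whichever member of the local Users group is logged on, without
# elevation. The group is resolved from its SID so this works on localized
# Windows (BUILTIN\Users is "Användare" on a Swedish system).
$UsersGroup = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545').Translate([System.Security.Principal.NTAccount]).Value
$Principal = New-ScheduledTaskPrincipal -GroupId $UsersGroup -RunLevel Limited

# psrun.exe suppresses the console window; everything after it goes to PowerShell.
$Action = New-ScheduledTaskAction -Execute "$InstallPath\psrun.exe" `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$InstallPath\ConnectDrives.ps1`""

# Laptops: allow on battery, don't pile up instances, and give up after 5 minutes
# if the file server is unreachable rather than hanging in the background.
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Trigger @($LogonTrigger, $EventTrigger) `
    -Principal $Principal -Action $Action -Settings $Settings -Force | Out-Null

Write-Output "Task '$TaskName' registered; it runs at logon and on connection to '$NetworkName'"
```

To check which name Windows has given your corporate network (it is the profile name, not necessarily the SSID), look at the Name field of the latest event ID 10000 in Event Viewer under Applications and Services Logs, Microsoft, Windows, NetworkProfile, Operational.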

I hope this is useful!



MEM, Windows 10 Personal device and Sync issues


In a recent project we use Windows 10 personal devices that enroll into Intune. Works great, but… when we configured Conditional Access, access was still blocked even though the device was compliant, because more than one work account was configured on the device. On the personal device in this scenario a personal Microsoft account is used to log on to the device.

Looking under Access work or school in Settings, we have more than one work account. On an Azure AD joined device this works just fine, but on a personal device you cannot add more than one work account, not from Settings at least.

If we try to add an account from settings, we get this error.

How was the second account added then? Well, Outlook is the “bad” app in this case. When you add a second account in Outlook you get this question.

And how many end users actually select “No, sign in to this app only”?
What happens when a second account is added, something Windows blocks for a reason? Synchronization with Intune fails.

If we look in the Event log, we find the following error.

It seems there is a reason Windows 10 blocks adding more than one work account.
How can we help the end user make the correct choice in Office?
The same way we do it for a hybrid Azure AD joined device: block Azure AD registration by configuring the following registry value,

HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: “BlockAADWorkplaceJoin”=dword:00000001

Here is a simple PowerShell Script that we can deploy using MEM to the devices. Then the end user does not get the choice to register the device anymore from Office apps.

$Location = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'

# Create the policy key if it is missing, then set the value regardless of
# whether the key already existed (an existing key without the value would
# otherwise be left untouched)
if ( !(Test-Path $Location) ) {
    New-Item -Path $Location -Force | Out-Null
}
New-ItemProperty -Path $Location -Name "BlockAADWorkplaceJoin" -PropertyType DWord -Value 1 -Force | Out-Null

We create a Dynamic Azure AD group which will include all our enrolled Personal Windows 10 devices, which we can use to target the PowerShell script.

Rule syntax:

(device.deviceOwnership -eq "Personal") and (device.deviceOSType -startsWith "Windows") and (device.managementType -eq "MDM")

Upside, happier end-users, less support calls.

Downside: as the device is personal, the registry value must be removed again if the end user later wants to restore the ability to register the device in Azure AD.

More information about the setting can be found here: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state


Windows Servicing in the work from anywhere era using IPUInstaller


During the Nordic Virtual Summit, Ronni Pedersen and I did a session on “Windows Servicing in the work from anywhere era”. Great event, great fun! Nordic Virtual Summit – A virtual IT Pro Community Event!

During that session we demoed a new community tool or actually two community tools from my colleague Johan Schrewelius.

DeploymentScheduler – An advanced UI to schedule updates, app deployments, upgrades, reboots and much more.

IPUInstaller – A solution to do Windows 10 Servicing in a new way, with driver support, post upgrade actions, full media or .ESD support and much more.

It can be downloaded here together with the manual, https://onevinn.schrewelius.it/index.html  
Here is a short video on how the end-user experience could look like.

One of the reasons this was developed was to provide an alternative to task sequences and Windows servicing for upgrading Windows 10 to a newer Windows 10 version. When we asked the community on Twitter, task sequences were the most used way to do in-place upgrades.

Many customers and end-users are getting tired of the long downtime when doing an in-place upgrade of Windows 10 using a Task Sequence. Work from home also requires us to do things in new ways.

I did a non-scientific comparison between some options. Fairly clean Windows 10 1909 upgraded to Windows 10 20H2.
This will take longer when testing on a computer that has been used for a while.

We always want the user to be productive; that is the main driver from end users and the business. IPUInstaller is deployed just like any other application in Configuration Manager. It has a folder structure that looks like this.

In the Media folder we place fully updated in-place upgrade media, which can be created for example with WIM Witch, a great tool by Donna Ryan: https://msendpointmgr.com/2019/10/04/wim-witch-a-gui-driven-solution-for-image-customization/
In the SetupComplete folder we can add post-upgrade commands. Those of you using TSBackground will recognize Runsilent.exe and Runsilent.ini, which can be used to run commands hidden, for example to suppress the blue PowerShell splash screen.
Example from what I have in my folder when testing.

Runsilent will create a log file as well in C:\Windows\Temp where you can see the exit codes from the commands and help you troubleshoot.
In Configuration Manager we extend the HW inventory and create a collection structure that looks like this.

The computer then moves between the Failed, Succeeded and Pending reboot collections based on the inventoried registry values written by IPUInstaller.

If IPUInstaller fails, there will be more values in the inventoried IpuResult, as shown below.

There is also a script that can be run as a Run Script in the console to retry the upgrade.

Johan has created a useful tool which provides us a new way of managing In-place upgrades, he has also written a great documentation which you can find here https://onevinn.schrewelius.it/

Test it out and provide any feedback!


Update Edge source files in MEMCM using PowerShell


Edge is updated often, and if we use auto-update (which I think we should for Edge) it updates itself automatically after OS deployment. But in some cases we need policies applied to Edge that are only supported in newer versions, and then we need to make sure the version we deploy is current when the user logs on.

I found this great PowerShell module “Evergreen” (https://www.powershellgallery.com/packages/Evergreen) written by Aaron Parker, Bronson Magnan and Trond Eric Haavarstein. It makes this task easy, as we can use the module to check the latest version, get download URLs and so on. I have also used it to send an email when a new version is published so that a ticket is created in our helpdesk system. Be sure to check it out!

Sample script dialog

The script can be downloaded from Github here: PowerShell/UpdateEdgeSourceFiles at master · Ccmexec/PowerShell · GitHub

The script will do the following:

  • Install/Update the Evergreen module
  • Check if a new version of Edge (stable) is available
  • Download the latest version if needed to a staging folder
  • Copy the EdgeEnterprise.MSI to the source folder configured in the script
  • Update the Source files on Distribution Points

In this setup I used the wizard in MEMCM to create the Edge application, the detection method created by the wizard uses the “Greater than or equal to” Operator so it will still work just fine even after we updated the Source files.

Detection Method example

The script can be run as a scheduled task on a server or workstation; it needs the Configuration Manager console installed for the cmdlets. The account the task runs as needs write access to the Edge source folder and a Configuration Manager role that allows updating the application, and nothing more: that account decides what every client will install.

Before using the script, the following lines needs to be adjusted to your environment.

Script parameters

$CMEdgeAppName = the name of the Edge application that should be updated.
$CMAPPDeploymentType = the deployment type of the Edge application that should be updated.
$TempPath = path to the staging folder where the new .MSI will be downloaded.
$TargetPath = the path to the source files for Edge.
$VersionsToKeep = how many versions of Edge should be kept in the staging folder.

The script creates the staging folder, in this example “D:\staging”. It can also be configured to keep a number of older versions in case a rollback is needed; beyond that number it starts deleting the oldest one.

Staging folder content

It also creates a log file that can be used to troubleshoot if something went wrong when running the script.

Log file sample
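For reference, here is the core of that workflow as an added example. It is not the UpdateEdgeSourceFiles script from GitHub but a reduced version of the same steps, with one addition a practitioner should not skip: an Authenticode check on the downloaded MSI before it is copied into the source share, since anything placed there is distributed to every distribution point and installed on every client. The application name, deployment type name, paths and site code are assumptions; the MSI file name must match what the deployment type's install command expects.

```powershell
# Added example (not the script from the post): update Edge source files from
# Evergreen with a signature check. Names, paths and site code are assumptions.
Import-Module Evergreen
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"

$CMEdgeAppName       = 'Microsoft Edge'
$CMAppDeploymentType = 'Microsoft Edge - Stable'
$TempPath            = 'D:\Staging'
$TargetPath          = '\\cm01\Sources$\Apps\MicrosoftEdge'
$SiteCode            = 'PS1'
$VersionsToKeep      = 3
$MsiName             = 'MicrosoftEdgeEnterpriseX64.msi'

# Latest stable x64 enterprise MSI as published by Microsoft, via Evergreen.
$Edge = Get-EvergreenApp -Name MicrosoftEdge |
    Where-Object { $_.Channel -eq 'Stable' -and $_.Architecture -eq 'x64' -and
                   $_.Platform -eq 'Windows' -and $_.Release -eq 'Enterprise' } |
    Sort-Object { [version]$_.Version } -Descending |
    Select-Object -First 1
if (-not $Edge) { throw 'Evergreen returned no stable x64 Edge release' }

# Staging holds one subfolder per version; the highest is what we last staged.
$Staged = Get-ChildItem -Path $TempPath -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { [version]$_.Name } | Sort-Object -Descending | Select-Object -First 1
if ($Staged -and [version]$Edge.Version -le $Staged) {
    Write-Output "Edge $Staged already staged, nothing to do"
    return
}

# Download into a version-named staging folder.
$VersionDir = Join-Path $TempPath $Edge.Version
New-Item -Path $VersionDir -ItemType Directory -Force | Out-Null
$MsiPath = Join-Path $VersionDir $MsiName
Invoke-WebRequest -Uri $Edge.URI -OutFile $MsiPath -UseBasicParsing

# Supply-chain check: only a validly signed Microsoft MSI reaches the share.
$Sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($Sig.Status -ne 'Valid' -or $Sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Remove-Item -Path $VersionDir -Recurse -Force
    throw "Rejected $MsiPath (status $($Sig.Status), signer '$($Sig.SignerCertificate.Subject)')"
}

# Replace the MSI in the source folder and have the DPs pick up the new content.
Copy-Item -Path $MsiPath -Destination (Join-Path $TargetPath $MsiName) -Force
Push-Location "$SiteCode`:"
try {
    Update-CMDistributionPoint -ApplicationName $CMEdgeAppName -DeploymentTypeName $CMAppDeploymentType
}
finally { Pop-Location }

# Keep the last $VersionsToKeep versions in staging for rollback, drop the rest.
Get-ChildItem -Path $TempPath -Directory |
    Sort-Object { [version]$_.Name } -Descending |
    Select-Object -Skip $VersionsToKeep |
    Remove-Item -Recurse -Force

Write-Output "Edge $($Edge.Version) staged, copied to $TargetPath and DP update triggered"
```

The detection method created by the Edge application wizard uses “greater than or equal to” on the product version, so clients that already run a newer auto-updated Edge stay detected as installed after the source files change.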

I hope this can be useful!


Script to make the user which enrolled in AAD a local admin.


When we use Autopilot with Windows 10 and Intune, one of the great benefits is that we can make the enrolling user a standard user instead of a local admin by default. In some cases we of course need to make the user who enrolled the PC a local admin, perhaps after they ordered it from a self-service solution.
This script can be run as a script from Intune. It reads which user enrolled the Windows 10 device from the following registry location.
HKLM:/SYSTEM/CurrentControlSet/Control/CloudDomainJoin/JoinInfo

Registry location of Joininfo

Then we use that information to add the user to the local Administrators group. A very simple way to make the user a local administrator on the device.
Adding the computer to the Azure AD group we deploy the script to gets the job done!
The script can be downloaded here: https://github.com/Ccmexec/Intune-MEM/tree/master/Make%20Enrolled%20user%20local%20admin

We then add it to Intune as a script with the following settings, note that the script must be run as a 64 bit script as for example “Get-LocalGroup” is not available in 32-bit PowerShell on a 64-bit system.

Script properties in Intune

The script writes its result to C:\Windows\Temp\LocalAdmin.log. If it is re-run, it checks whether the user is already in the local Administrators group and logs that instead of adding the user again.

Sample logging

The script works on localized Windows 10 versions; I tested on Swedish to make sure. A challenge was that the Get-LocalGroupMember cmdlet doesn’t work on an Azure AD joined device, as there are two unresolved SIDs in the member list. It throws the following error.

A known issue for a while: Get-LocalGroupMember – Failed to compare two elements in the array. · Issue #2996 · PowerShell/PowerShell · GitHub

Here is the script as well:

# Script to make the user who enrolled the device in Azure AD a local administrator
# Written by Jörgen Nilsson
# ccmexec.com

# Under SYSTEM (how Intune runs scripts) $env:TEMP is C:\Windows\Temp
$LogFile = "$env:TEMP\LocalAdmin.log"

# Resolve the Administrators group by its well-known SID so the script works on localized Windows
$LocalAdminGroup = Get-LocalGroup -SID "S-1-5-32-544"
$Localadmingroupname = $LocalAdminGroup.Name

# Get-LocalGroupMember fails on Azure AD joined devices (unresolved SIDs in the member list),
# so enumerate the members through ADSI instead
function Get-MembersOfGroup {
    Param(
        [Parameter(Mandatory = $True, Position = 1)]
        [string]$GroupName,
        [string]$Computer = $env:COMPUTERNAME
    )

    $membersOfGroup = @()
    $ADSIComputer = [ADSI]("WinNT://$Computer,computer")
    $group = $ADSIComputer.psbase.children.find("$GroupName", 'Group')

    $group.psbase.invoke("members") | ForEach-Object {
        $membersOfGroup += $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
    }

    $membersOfGroup
}

# Get the UPN of the user that enrolled the computer to AAD
$AADInfo = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo"
$Localadmins = Get-MembersOfGroup $Localadmingroupname

$UPN = $null
foreach ($guid in $AADInfo.GetSubKeyNames()) {
    $guidSubKey = $AADInfo.OpenSubKey($guid)
    $UPN = $guidSubKey.GetValue("UserEmail")
}

# The name part of the UPN is what is matched against the ADSI member list
$Username = ($UPN -split "@")[0]

if ($UPN) {
    if ($Localadmins -notcontains $Username) {
        Add-LocalGroupMember -Group $Localadmingroupname -Member "AzureAD\$UPN"
        "Added AzureAD\$UPN as local administrator." | Out-File -FilePath $LogFile
    }
    else {
        "AzureAD\$UPN is already a local administrator." | Out-File -FilePath $LogFile
    }
}
else {
    "Failed to find an administrator candidate in registry." | Out-File -FilePath $LogFile
}


I hope you find it useful


MEMCM TS HP Image Assistant offline repository installation


This solution is provided to the Community by Daniel Gråhns and Nicklas Eriksson, Twitter(Sigge_gooner), thank you for sharing it! Great work!

As the title says, it is a solution for deploying drivers and software during a task sequence using HP Image Assistant. The benefit is that you can automate the whole process of downloading and updating drivers, and it also covers the additional software HP devices need, which is not included in the driver packs.
The purpose of this solution is to:

  • Install HP drivers and related Software during OS Deployment.
  • Automate download of drivers/software
  • Create and distribute packages in Configuration Manager
  • Easily update the drivers/software to the latest version automatically

How does it work

In the folder with the scripts, we have the following files.

Sample folder structure

All configuration is done in the Config.xml file by editing the variables there: site code, package path and more. It is well documented in the script.
In the Import-models.csv file we simply put the baseboard ID, model name and OS version, as shown below.

Import-models.csv sample

Then we run the script. It downloads the SoftPaqs, creates a package and distributes it to the DP group we selected in the config. We will cover that later in this post.
The script automatically installs the HP Client Management Script Library (HP CMSL) and updates it if needed.

Import script running

In the task sequence we run the following commands, which use the ConfigMgr WebService to populate the variables that decide which package should be used.
The package is then downloaded and installed by HP Image Assistant, using the files downloaded to the local disk as source.

Task Sequence step

If a second pass of HPIA is needed, which can be the case for some models, simply add that model to the conditions of the “Second HPIA Pass if needed” step.

Task sequence step

Prereqs

The solution uses the following components:

We will not cover how to install the ConfigMgr webservice, that is included in the manual provided with the download above.

HP Software Framework

We need a Package in Configuration Manager with the HP Software Framework. Here is how to download and extract the .msi file.

  • Download the file “CASLSetup.exe” from the HP FTP site.
CASLSetup.exe on HP FTP
  • Save it to a temp folder like E:\Temp
  • Run the following command:
     CASLSetup.exe /s /x /b"E:\Temp" /v" /qn"
    That will extract the .msi to E:\Temp.
HP Software Framework .msi
  • Then copy the file to your MEMCM Package source share
  • Create a Package and Program in Configuration Manager for the HP Software Framework using the “Create package from definition” and use the .MSI works just fine.
  • Distribute the content to the correct DP group.

HP WinPE driver Package

Although we install all drivers using HP Image Assistant, we still need storage and network drivers during OSD to get Windows 10 up and running.

  • Download the HP WinPE package that matches the OS version you are deploying.
  • Import the drivers to a driver package we can then use in the Task Sequence as shown below.
HP WinPE step in the TS

Use the following conditions so it only installs for HP devices.

Condition to for HP devices

PowerShell script

Before we run the script for the first time, we need to configure it for our environment.

  • Download the HPIA.zip file from Github here:
  • Extract the content to a folder, in my example “E:\HP Repository”
  • Open the importHPIA.ps1 and edit the following line to match your environment.
Repository path in the PowerShell script
  • Then edit the config.xml file with all the information in there. Should be self-explained.
Variables in the Config.xml file

Then we are ready to run the script for the first time, there is a log file as well you can use to check for errors if the script is run as a Scheduled Task for example.
The result in my case will look like this.

Packages in CM

And the packages have gotten the information needed for the Configmgr Webservice to pull them down.

Package properties

Task Sequence import

The steps needed in the Task Sequence can be downloaded from Github and then imported to make it as easy as possible.

  • Download the Exported task sequence and import it in Configuration Manager
  • Select “Ignore Dependency” when importing it.
Task Sequence import warning
  • Edit the imported task sequence
  • Fix the error so the package for HP Software Management Framework is correct
HP Software Framework step
  • Edit the “PowerShell download script” so the URL and Secretkey matches your installation of the Configmgr Webservice.
PowerhShell script
  • Copy the whole group included in the Task Sequence so it runs after the full OS is installed.

Putting it all together

Edit the “import-models.csv” file with your information as mentioned above.

Sample import-models.csv

Then it is time to run the script, watch it download the drivers for our models and test the deployment. You can also schedule it to run off hours and let it update the driver packages when needed.
Again thanks to Daniel Gråhns and Nicklas Eriksson for sharing the solution. Great work!

