Channel: Jörgen Nilsson, Author at CCMEXEC.COM - Enterprise Mobility

Sneak peek of the future of ConfigMgr / Intune from TechED 2014

At TechED 2014 in Barcelona, some new information about the next version of Microsoft Intune and Configuration Manager / MDT vNext was displayed and mentioned. The session recordings are now out, so be sure to check them out!

Enterprise Client Management with System Center Configuration Manager and Intune

This session outlines the current and future plans for Intune and System Center Configuration Manager. We also provide a sneak peek into the newest enhancements for managing Windows, Windows Phone, iOS, and Android systems.
http://channel9.msdn.com/Events/TechEd/Europe/2014/EM-B216

What’s New and Upcoming with OS Deployment in System Center Configuration Manager and the Microsoft Deployment Toolkit

This session covers future improvements for deployment and upgrade in the next versions of System Center Configuration Manager, Microsoft Deployment Toolkit, and Windows. Learn how Microsoft is gearing up to make the deployment and upgrade of the next version of Windows on Configuration Manager the easiest yet.
http://channel9.msdn.com/Events/TechEd/Europe/2014/EM-B326

There is a session today, Thursday, that sounds really interesting as well: EM-B312 Mobile Application Management with Intune.

Be sure to check them out!




2Pint Software – BranchCache for OSD Toolkit

When preparing for our session at TechED 2014 in Barcelona on Community Tools, we found this nice little tool that adds BranchCache support in WinPE. This means that during OS deployment the client can download the content from a client on the local network instead of pulling it from a DP, which is great for small branch offices without a DP, for instance. It can be found here: http://2pintsoftware.com/portfolio-items/branchcache-for-osd-toolkit/ At TechED 2014 Europe it was also announced that BranchCache support will be added in WinPE in ConfigMgr vNext as well, so this is a technology that is coming.

I created an OSD Task Sequence, updated the boot image, enabled BranchCache and added the tools and steps from the toolkit to my Task Sequence. To prestage the data on another client in the network, I created a check at the start of the Task Sequence to see if the “Prestage” variable was set to TRUE. If so, the Task Sequence will not install anything on the client, but it will download all the content and add it to the BranchCache on the client.

Then I deployed the Task Sequence with the option “download all content locally before starting the Task Sequence”. Remember to make sure that the content will fit in the CCMCache.

After that I deployed a client and it used the BranchCache from the client on the same network, really cool! We like free stuff.

The reporting is awesome as well, be sure to check it out!

Here is a short video from 2Pint Software as well: https://www.youtube.com/watch?v=4HcRRb-ayW4

Links from our Configuration Manager Community Jewels session at TechED Europe 2014

Stefan (www.cmtrace.com) and I had the great honor of presenting Configuration Manager Community Jewels at TechED Europe 2014, it was great fun!
There are so many cool tools out there that can save a lot of time, increase the quality in what we do and improve the implementations out there as well. Thanks to all who contribute to the community and thanks to all who attended our session!

We have collected all the links to the tools we showed, and many more, on a TechNet Wiki page so that everyone can edit it and add their own favorite tools that they use or have created on their own. http://social.technet.microsoft.com/wiki/contents/articles/22802.system-center-2012-configuration-manager-tools.aspx

I also do feel a need to apologize to all who have created tools that we haven’t found or didn’t have the time to mention or show. :-(

Our Session Configuration Manager Community Jewels is now on Channel 9

My and Stefan Schörling’s (www.cmtrace.com) session, System Center Configuration Manager Community Jewels from TechED Europe 2014, is now live on Channel 9. If you think you saw it already in Houston you are mistaken: we have switched some demos and added new tools to the presentation, like Cireson Remote Manage App and 2Pint Software – BranchCache for OSD. Thanks to all who contribute to the community and thanks to all who attended our session!

http://channel9.msdn.com/Events/TechEd/Europe/2014/EM-B308

Note: And my name is not Stefan…… ;-) ;-) ;-)

Microsoft Intune November 2014 Update

When I logged in to my Microsoft Intune account today it was already updated with the new UI, which looks great, and all the new cool features are there as well, just in time for my session at Microsoft Techdays 2014 in Stockholm tomorrow. It even looks cool in Swedish ;-)

The November 2014 update of Microsoft Intune adds a lot of new features and brings the standalone version of Intune (or cloud-only, if you like) up to parity with the Hybrid solution, where you integrate Intune with Configuration Manager. There are actually settings/features that can be used only in the standalone version.
Looking at the TechED session on what will come next, with a secure way of managing corporate applications, an app wrapper to manage your LOB apps and Office for Android as well, I would say that this brings Intune up as a really strong enterprise device management solution with unique features and end user experience!

So what is new in the November release? It is listed here, as well as on the Intune blog, which you really should follow: http://blogs.technet.com/b/microsoftintune/archive/2014/11/17/new-microsoft-intune-capabilities-coming-this-week.aspx

  • Enhanced user interface for Intune administration console
  • Ability to restrict access to Exchange on-premises email based upon device enrollment
  • Bulk enrollment of devices using a single service account
  • Lockdown of Supervised iOS devices and devices using Samsung KNOX with Kiosk mode
  • Targeting of policies and apps by device groups
  • Ability to report on and allow or block a specific set of applications
  • Enforcement of application install or uninstall
  • Deployment of certificates, email, VPN and WiFi profiles
  • Ability to push free store apps to iOS devices
  • More convenient access to internal corporate resources using per-app VPN configurations for iOS devices
  • Remote pin reset for Windows Phone 8.1 devices
  • Multi-factor authentication at enrollment for Windows 8.1 and Windows Phone 8.1 devices
  • Ability to restrict administrator access to a specific set of user and device groups
  • Updated Company Portal apps to support customizable terms and conditions

There is a recorded webinar here that shows the new features of Conditional Access: https://azureinfo.microsoft.com/US-Azure-WBNR-FY15-11Nov-EMSWebinarSeries4-Registration-Page.html?ls=Social&WT.mc_id=Blog_Intune_Announce_PCIT

And as I wrote above, you will be able to control access and manage your LOB applications as well in the future. It is demoed here at TechED if you want to have a look: http://channel9.msdn.com/Events/TechEd/Europe/2014/EM-B312

If you haven’t looked at Intune before you really should, and if you have, look again! If you are attending Techdays 2012 in Stockholm 19-20 November I hope to see you there!

Microsoft System Center 2012 Configuration Manager Servicing Extension

Microsoft System Center 2012 Configuration Manager Servicing Extension is now released!

This add-on to the Configuration Manager Admin Console makes it easier to manage Cumulative updates in your environment. When installed it adds a new node to the Administration pane in the Admin Console.

Make sure to check it out!

Download it here: http://www.microsoft.com/en-us/download/details.aspx?id=45033

SMSTSMPListRequestTimeout = Value in Milliseconds

In Configuration Manager 2012 R2 a new variable was introduced to help us solve an issue with installing applications in a task sequence on new computers with SSD drives: not all the networking components are loaded when the Task Sequence tries to access the MP, which results in the Task Sequence failing.

After a lot of testing, with a lot of help from a new colleague of mine, Johan (not the Johan you think of ;-) ), it turns out that the value should be entered in milliseconds instead of seconds! Combining this value with the following two solved all our issues with applications not installing during the Task Sequence:

SMSTSMPListRequestTimeout=120000

SMSTSDownloadRetryCount=5

SMSTSDownloadRetryDelay=15

Today a hotfix was released as well: KB3007095, Applications may not be downloaded in System Center 2012 R2 Configuration Manager.

To answer the question, can you use Applications in a Task Sequence? Yes you can, and it works great when you have solved the above issue. TechNet will be updated with this information as well, and hopefully the hotfix will make it more stable.

I hope this can save time for someone.

Excluding .Net Framework 4.5.2 when you build your images.

In the January 2015 Patch Tuesday update the .Net Framework 4.5.2 is included as an update to all supported platforms. Category: Feature Packs.

If you haven’t tested .NET Framework 4.5.2 with your applications already, and you are building your images and pulling the updates for those images directly from Windows Update, you need to exclude .NET Framework 4.5.2.

I wrote a post on this a while ago so just replace the KB article with the one for .NET framework 4.5.2 in this post. http://ccmexec.com/2014/06/exclude-net-framework-4-5-1-building-images-using-windows-update/

Some more information about .NET Framework 4.5.2:

What’s new in .NET Framework 4.5.2 http://msdn.microsoft.com/en-us/library/ms171868%28v=vs.110%29.aspx#v452
Known issues with .NET Framework 4.5.2 http://support2.microsoft.com/kb/2962547/en-us


Resources for evaluating / demoing Intune MDM

I thought I would share how I demo Microsoft Intune and management of devices, as it is hard to display some devices in a Lync call or in a conference room, and it is heavy to carry all that hardware with you ;-)

Android: for testing Android I use Genymotion, which is an Android emulator that is free for personal use. It uses VirtualBox seamlessly in the background and runs Android virtually on top of VirtualBox. You can download Android images for Samsung Galaxy S4 with Android 4.4, Nexus and a lot more.
To be able to enroll it, Google Play must be working on the virtual Android device. Here is a blog post on how to enable it: http://www.techrepublic.com/article/pro-tip-install-google-play-services-on-android-emulator-genymotion/

After that you can just fire up your Android device and enroll it in Intune.

iOS: for iOS I have used iTools before, but it doesn’t work that well with iOS 8.2 anymore, so I reverted to using the Reflector application instead, which makes your PC an AirPlay device so you can simply use AirPlay on your iOS device and select to mirror the screen to your PC. Works really well.
One note though: guest wireless networks do not always allow peer-to-peer connections, so I use a small 4G Wi-Fi pocket router so I know it works.

Windows Phone: Windows Phone is somewhat easier, as in Visual Studio Express 2013 with Update or later you can choose to install the Windows Phone 8.1 emulator as well. https://dev.windows.com/en-us/develop/download-phone-sdk . The Windows Phone 8.1 emulator uses Client Hyper-V in the background, so it cannot run on the same machine as VirtualBox and Genymotion. Here is one solution from Scott Hanselman that can be used: add a boot option to your Windows 8.1 and choose Hyper-V or VirtualBox.

Happy Intune testing!!

SC Endpoint Protection Client 4.7.205.0 is released

On Patch Tuesday this month, February 2015, a new version of the System Center Endpoint Protection client was released, which replaces the one released in October. Like the latest versions of the Endpoint Protection client, it is released on Microsoft Update / WSUS and can be deployed as an update to your clients. The scepinstall.exe file on the Configuration Manager 2012 servers is updated with the Cumulative Updates, as it has been before. So when you deploy a new System Center Endpoint Protection client it will require this update as well.

New in this release from the KB article, http://support.microsoft.com/kb/3036437:
The KB article was updated 13/2 with this new content.

Update 20150220:

The update is now pulled back from Windows Update and expired in WSUS. If you are experiencing the issues with downloads being blocked with a message that they contain a virus, you should downgrade those affected systems. More details can be found here: Team Blog

  • Improvements to registry and file system protection to counter tampering from malware.
  • Sub-mount points can be automatically excluded, and volumes can be fully excluded in Real time protection (RTP).
  • This update also includes the deprecation of the DisableGenericReports subkey in the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\Reporting


    Note Unless this key is edited directly in the registry, this update should not have any effect on telemetry behavior.

    After you apply this update, to disable telemetry that’s sent by Endpoint Protection through Microsoft Active Protection Service (MAPS), open the Endpoint Protection UI, click the Settings tab, select the MAPS section, and then click I don’t want to join MAPS.

    Notes

    • Administrators can manage the MAPS configuration options through Windows Management Infrastructure (WMI), Windows PowerShell, and Group Policy.
    • Endpoint Protection may request file samples to be sent to Microsoft for further analysis. By default, Endpoint Protection will always prompt before it sends such samples. There is an option available to send samples automatically. To opt in to automatic sample submission, open the Endpoint Protection UI, click the Settings tab, select the Advanced section, and then click Send file samples automatically when further analysis is required.
    • Administrators can manage automatic sample submission with additional configuration options through WMI, PowerShell, and Group Policy by using the following registry subkeys:
      • MAPS Configuration Registry location:
        HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\Reporting


        DWORD name: SpyNetReporting
        DWORD values:

        • 0 – Off
        • 1 – Basic Membership
        • 2 – Advanced Membership
      • Sample Submission Registry location:
        HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\Reporting

        DWORD name: SubmitSamplesConsent
        DWORD values:

        • 0 (default) – Automatic sample submission disabled. End-users will always be prompted for samples.
        • 1 – Most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
        • 2 – All sample submission disabled. Samples will never be sent and end-users will never be prompted.
        • 3 – All samples will be sent automatically. All files determined to require further analysis will be sent automatically without prompting.

The new version is 4.7.205.0 which can be seen in the UI under help.

I have seen some issues being reported on the forums and from customers.

  • WMI-related errors in the event logs, and SCCM Client Health reports back a faulty WMI; a reboot solves this issue.
  • The next issue with the update is that registry keys need to be configured, as the KB article states above, to stop the Submit sample consent dialog from being displayed and to be able to configure MAPS membership.
  • There have also been reports about all downloads in IE being blocked as containing a virus; no real solution to that one yet.

EMS recordings from TechX Azure 2015 Sweden

A couple of weeks ago TechX Azure 2015 Sweden took place in Stockholm. I had the great honor to present on how to manage Android and iOS devices using Microsoft Intune. The recording is now available here (in Swedish): https://www.youtube.com/watch?v=Tuvd3fVgQSc&list=PLcHuyfrfAe…

As Enterprise Mobility Suite is a really hot topic right now, here are two great sessions on Azure RMS and Azure AD Premium as well, also in Swedish.

Happy EMS weekend!

SC Endpoint Protection client version 4.7.209.0 is released

As I wrote here before, there were some issues with the 4.7.205.0 update of the System Center Endpoint Protection client that caused all downloads in Internet Explorer, Firefox, Chrome and so on to be blocked with a message that they contained a virus.

A new updated version is now released, 4.7.209.0, where this issue is fixed. It is available through Windows Update and WSUS. The KB that describes the revised System Center Endpoint Protection Client can be found here: http://support.microsoft.com/kb/3041687

Creating and deploying a custom iOS policy using Intune

I have a new favorite feature in standalone Intune: custom iOS policy. This basically lets you deploy an XML file with the supported configuration information you want to set on an iOS device even if it isn’t available in the Intune console, like deploying a Wi-Fi network with WPA2 and a password.

The easiest way to create a profile file is to use the Apple Configurator. It is only available for OS X, so you need a machine running OS X. Notepad can of course also be used ;-) Apple Configurator is available in the App Store on OS X. In this example I will create a custom policy using Apple Configurator which configures a Wi-Fi WPA2 SSID with a password and then deploy it using Intune.

  1. Launch Apple Configurator and create a new policy.
  2. Give the policy a Name and enter your Organization name.
  3. Select Wi-Fi and click Configure.
  4. Enter the information about the Wi-Fi network. Here you can select WPA2 Personal and supply the password, which isn’t possible in Microsoft Intune, for now at least. Then select Save.
  5. When the policy is created, select it and select Export Profile.
  6. Save it somewhere where you can access it later and upload it to Intune; I save it to my OneDrive.

The XML file will get an extension of .mobileconfig and it looks like this:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AutoJoin</key>
            <true/>
            <key>EncryptionType</key>
            <string>WPA2</string>
            <key>HIDDEN_NETWORK</key>
            <false/>
            <key>IsHotspot</key>
            <false/>
            <key>Password</key>
            <string>21432432423</string>
            <key>PayloadDescription</key>
            <string>Configures Wi-Fi settings</string>
            <key>PayloadDisplayName</key>
            <string>WiFi</string>
            <key>PayloadIdentifier</key>
            <string>Jorgens-MacBook-Air.local.9FDC88B6-3717-4165-8ABC-42E6330D25AD.com.apple.wifi.managed.C649D542-D680-4855-9CD5-917D373F256D</string>
            <key>PayloadType</key>
            <string>com.apple.wifi.managed</string>
            <key>PayloadUUID</key>
            <string>C649D542-D680-4855-9CD5-917D373F256D</string>
            <key>PayloadVersion</key>
            <real>1</real>
            <key>ProxyType</key>
            <string>None</string>
            <key>SSID_STR</key>
            <string>office1</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Wifi4</string>
    <key>PayloadIdentifier</key>
    <string>Jorgens-MacBook-Air.local.9FDC88B6-3717-4165-8ABC-42E6330D25AD</string>
    <key>PayloadOrganization</key>
    <string>CCMEXEC</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>4E067E5B-BD43-4760-B879-D8E26FEEA789</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

More information about valid syntax and settings can be found here: https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
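The exported profile above stores the WPA2 passphrase as a readable string, so anyone who can open the .mobileconfig (on a file share, in cloud storage, in a ticket attachment) can read it. The following Python sketch is an added example, not part of the original post or of any Intune or Apple tooling: it parses a profile with the standard-library plistlib, reports embedded secrets and weak Wi-Fi encryption settings without echoing the secret, and produces a redacted copy for sharing. It goes beyond the Wi-Fi case by flagging any key whose name looks like a credential; the function names, the key-name heuristic and the sample profile are assumptions made for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Heuristic: key names that usually hold a credential (assumption, not an Apple-defined list).
SECRET_WORDS = ("password", "passphrase", "secret")
# EncryptionType values of the com.apple.wifi.managed payload that give weak or unpinned protection.
WEAK_ENCRYPTION = {
    "None": "open network without encryption",
    "WEP": "WEP offers no real protection",
    "Any": "encryption type is not pinned",
}

# Constructed sample: same layout as the exported profile, with placeholder values.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array><dict>
    <key>EncryptionType</key><string>WPA2</string>
    <key>Password</key><string>example-passphrase</string>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>office1</string>
  </dict></array>
  <key>PayloadDisplayName</key><string>Wifi4</string>
  <key>PayloadType</key><string>Configuration</string>
</dict></plist>
"""


def load_profile(data):
    """Parse an unsigned .mobileconfig; anything that is not a plist raises ValueError."""
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        raise ValueError(f"not a readable property list: {exc}") from exc
    if not isinstance(profile, dict):
        raise ValueError("top-level object is not a dictionary")
    return profile


def is_secret_key(key):
    return any(word in key.lower() for word in SECRET_WORDS)


def find_secrets(node, path=""):
    """Yield (path, value) for each string stored under a secret-looking key."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if isinstance(value, str) and is_secret_key(key):
                yield here, value
            else:
                yield from find_secrets(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_secrets(item, f"{path}[{index}]")


def audit_mobileconfig(data):
    """Return (severity, path, message) findings; secret values are never echoed."""
    profile = load_profile(data)
    findings = [
        ("HIGH", path, f"clear-text secret in profile ({len(value)} characters)")
        for path, value in find_secrets(profile)
    ]
    for index, payload in enumerate(profile.get("PayloadContent", [])):
        if not isinstance(payload, dict) or payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        where = f"/PayloadContent[{index}]"
        ssid = payload.get("SSID_STR", "<no SSID>")
        encryption = payload.get("EncryptionType")
        if encryption is None:
            findings.append(("MEDIUM", where, f"SSID {ssid!r}: EncryptionType not set"))
        elif encryption in WEAK_ENCRYPTION:
            findings.append(("MEDIUM", where, f"SSID {ssid!r}: {WEAK_ENCRYPTION[encryption]}"))
    return findings


def redact(node):
    """Copy the structure with every secret-looking string replaced."""
    if isinstance(node, dict):
        return {
            key: "REDACTED" if isinstance(value, str) and is_secret_key(key) else redact(value)
            for key, value in node.items()
        }
    if isinstance(node, list):
        return [redact(item) for item in node]
    return node


def redacted_copy(data):
    """Serialize a shareable copy (for tickets or documentation) without the secrets."""
    return plistlib.dumps(redact(load_profile(data)))


if __name__ == "__main__":
    for severity, path, message in audit_mobileconfig(SAMPLE_PROFILE):
        print(f"{severity:6} {path}: {message}")
```

The redacted copy is for documentation only; the file uploaded to Intune still has to contain the real passphrase, so it is the storage location of that original that needs restricted access.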

To deploy the newly created custom iOS policy file do the following:

  1. Log in to the Intune console at http://manage.microsoft.com using a supported browser and platform (Windows client).
  2. Under Policy and Configuration Policy, select Add.
  3. Select Create and Deploy a Custom Policy and Create Policy.
  4. Enter a Name and a Name displayed to the user, and import the wifi4.mobileconfig file created before. Then select Save Policy.
  5. A dialog appears that asks you if you want to deploy the policy.
  6. We then select a group to deploy the policy to, in my case TechX demo.
  7. On the iOS device, in my case an iPad Mini, I can now see that the policy is applied under the Management Profile (yes, it is in Swedish).

The custom iOS policy is a really powerful tool; I wish for it to be available in Hybrid scenarios as well!

Standalone Intune and Safari on iOS in Kiosk mode

I had a scenario at a customer where I needed to set an iOS device in Kiosk Mode with Safari as the only allowed app. Currently in Microsoft Intune Standalone, when you select the Kiosk Mode option you have to select either a Managed App or a Store App.

Let’s start with the background. To be able to set an iOS device in Kiosk Mode you need to configure it in “supervised mode”, which has to be done with the Apple Configurator on a computer running OS X. When the device is in supervised mode, enroll it in Intune as you normally would with any device; then we can configure Kiosk mode using Intune.

Create an iOS Configuration Policy with the following settings.

1. Create a new “iOS Configuration Policy”.

2. Enable “Select a managed app that will be allowed to run when the device is in Kiosk mode:”. If you browse, you have to select either an application in the App Store or a managed app that you have deployed (.ipa). Instead of browsing, simply type “com.apple.mobilesafari”; then Safari is the only app that will be allowed to run in Kiosk mode. You can also control whether to allow screen rotation and so on in the options below.

3. Save the policy and deploy it to a group, in my scenario a group called “kiosk”.

4. As soon as the policy is applied, Safari will be launched on the iPad and you cannot close it or do anything other than browse the web using Safari.

If you want it out of Kiosk mode you can do any of these things:

  • Choose to Retire it using the Intune console, it will be removed from Intune if you choose this option.
  • Delete the deployment of the policy that has set it in Kiosk mode
  • Delete it from the group where the policy is applied.

Changing startup to Automatic on the SCCM Remote Control Service

One thing that many of my customers, both Servicedesk staff, support staff and administrators, complain about with Configuration Manager 2012 Remote Tools is that the client service is set to Automatic (Delayed Start) by default when installed.

When remote controlling a user’s machine and a reboot is necessary, the service doesn’t start immediately and it feels like it takes forever for them to be able to remote control the computer again.

Changing the startup to Automatic instead of Automatic (Delayed Start) can be done using a Group Policy and a Group Policy Preference setting. Under Services, add the SCCM Remote Control Service and change the startup to “Automatic”.

When the Group Policy Preference is applied, the service startup is changed. I have run it as Automatic for more than a year now, and it works great.

Next question would be:
“Doesn’t the SCCM client remediation task that runs on the clients change it back to “Automatic (Delayed Start)”?”
No, it doesn’t. It will, however, change it back to “Automatic” if you set it to “Automatic” before setting it to “Disabled” and then run the CCMEval task, so it will work just fine.

Next Question: “Is it supported?”
I guess that could be debated ;-)


SCCM 2012 client fails to install on Windows 10 Build 10049

When testing the latest build of Windows 10 I got an error installing the Configuration Manager 2012 R2 client. It fails installing the Windows Update Agent with the following error in the ccmsetup.log file.

“File ‘C:\WINDOWS\ccmsetup\WindowsUpdateAgent30-x64.exe’ returned failure exit code 775. Fail the installation.”

I assume a solution to this error will be presented soon, but I cannot wait to get started with my testing of 10049, so installing the SCCM client with the following command line solves at least the installation error of the Configuration Manager client.

“ccmsetup.exe /skipprereq:windowsupdateagent30-x64.exe”

Then ccmsetup.exe will skip the installation of the Windows Update Agent and continue the installation anyway. Normally I use the /skipprereq: switch to skip the installation of Silverlight on servers, as I don’t want Silverlight installed on my servers. But the command line works great in this case as well.

You will then see this in the ccmsetup.log file on the client, which shows that the installation of the Windows Update Agent was skipped and that the installation continues.

“Item ‘x64/WindowsUpdateAgent30-x64.exe’ is excluded by the ‘/skipprereq:’ switch. Ignore it.”

Good luck with the testing of Windows 10 Build 10049 :D

Displaying OSDComputername in MDT WinPE background picture

One very appreciated feature in Configuration Manager 2012 when you integrate it with MDT is the background pictures showing the OS deployment step, IP address, MAC address and so on to the end user and technician deploying the computer.

The first two steps are shown in WinPE only, and under Computer Name in the background the generated Minint-3242 is displayed as computer name. I wrote a little PowerShell script which will simply write the OSDComputername variable to the registry in WinPE so we can read it from there with BGInfo and show both the WinPE name and the OSDComputername. It will look something like this:

I like the flexibility of running the scripts in the Task Sequence instead of modifying the boot image, so I run the script as a Run PowerShell Script step in the Task Sequence. Start by doing the following:

  1. Make sure you have the PowerShell component included in the boot image for the script to be able to run.
  2. Save a PowerShell script with the following content.
    # Receives the computer name passed from the Task Sequence step (%OSDComputername%).
    Param(
    [string]$OSDcomputerName
    )
    # Create the HKLM\SOFTWARE\OSD key in the WinPE registry.
    New-Item -Path HKLM:\Software -Name OSD -Force
    # Store the name as a string value that BGInfo can read.
    New-ItemProperty -Path HKLM:\SOFTWARE\OSD -Name OSDComputername -PropertyType String -Value $OSDcomputerName
  3. Save this script in a folder and create a package in SCCM with the folder as source path so we can use it later in the Task Sequence.
  4. In the Task Sequence, before the step you are displaying in WinPE, add the following step, select the package to run the script from and enter %OSDComputername% in the Parameters to pass the OSDComputername variable to the script.
  5. After that, edit the STEP_02.BGI file: go to \Tools\x86 in the package source directory of your MDT 2013 Toolkit package and launch Bginfo.exe from that directory.
  6. In BGInfo select File, Open the STEP_02.BGI file, then you will see the information displayed in the background.
  7. Select Custom and add the following value; the path should be HKEY_LOCAL_MACHINE\SOFTWARE\OSD\OSDComputerName
  8. You will see a warning that the registry value doesn’t exist. Accept that, and then we go on and edit the information displayed.
  9. Edit the background to look something like this.
  10. Then save the STEP_02.BGI file. If you are using the State Capture Step do the same with that step or save this one with the STEP_01.BGI filename instead.
  11. Update the MDT 2013 Toolkit package so that the new .BGI files are updated on the DPs and then you are good to go!

I haven’t tested it with MDT 2012 but I cannot see why it shouldn’t work.

Intune and SCCM 2012 Hybrid and Alternate Login ID in Azure AD =True

I am writing this post as I had two customers that wanted to use alternate Login ID in Azure AD together with Intune and SCCM 2012 in a Hybrid deployment using SCCM as the MDM Authority. I found several blogs and a Wiki that described that this wasn’t supported and that it required unsupported scripting directly against the database in SCCM 2012.

The background to this is that when using SCCM in a Hybrid deployment as the MDM authority you must use a collection in SCCM containing the users that are allowed to enroll their devices. If you are using a different UPN in your On-premise AD and Azure AD, SCCM would not be able to match the user in Azure AD and therefore you could not enroll any devices.

One workaround was changing the UPN directly in the SCCM database so it matched the UPN used in Azure AD, for example e-mail address if that was used as UPN in Azure AD.

After some investigation, those issues are now resolved by Microsoft and there are no changes required on the SCCM side: Intune tries to match the user using UPN, and if that doesn’t work it tries the e-mail address, which basically solves it.

I have successfully delivered two proof-of-concepts where e-mail address was used as UPN in Azure AD instead of the UPN in the On-premise AD and it has worked just great!

Thanks to Kerim and Saud at Microsoft for verifying and support! :D

One of the Wiki’s that mentioned this: http://social.technet.microsoft.com/wiki/contents/articles/24096.dirsync-using-alternate-login-ids-with-azure-active-directory.aspx is updated by Saud as well so that the information that there are issues with SCCM+Intune in hybrid using alternate Login IDs is removed as well.

Note:

  • There are still some limitations with Office 365 and alternative login ID
  • When using ADFS together with Alternate Login ID in Azure you need to configure ADFS to allow login using e-mail address as well, as described here: https://technet.microsoft.com/en-us/library/dn659436.aspx (it will be updated as well to remove the information that Intune and SCCM have issues).

Driver issues when deploying Windows 7 x64 using x86 boot image SCCM 2012

I have many customers who have experienced the same issue deploying 64-bit Windows 7 using a 32-bit boot image. The error has not been consistent: either the Apply Driver Package step fails and the DISM log file indicates that it cannot read the Software hive from the registry, or the machine blue-screens on first boot.

Rebuilding the master image has solved the problem. I have one customer who logged a case with Microsoft Support and got this solution that works great!

Thanks Ola Ahrens for sharing!!

The issue

WinPE tries compacting the offline registry and fails to commit the registry hives back to disk.

This problem only happens when you deploy Windows 7 and use 32-bit WinPE 5.0 or 5.1 to deploy the image.

Note: SCCM 2012 R2 and higher uses WinPE 5.0 or higher to deploy OS images.

Resolution

Create a Value in WinPE

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager

Name:  RegistryReorganizationLimitDays

Datatype: DWORD

Value:  365

This value has the effect that the registry hives are not compacted as long as the modified date of the hives is not older than a year.

When you intend to use the deployment longer than a year, a higher value must be chosen.

Presenting “Windows 10 + EMS=True” @ TechDays 2015 Sweden

Techdays 2015 in Sweden 21-22 October is THE event of the year in Sweden! It always has great content, great speakers, and a great time meeting the IT community.

This year I have the great honor to be presenting a session, “Windows 10 + EMS =TRUE”, together with my colleague Anders Olsson (http://itsakerhetsguiden.se/) (in Swedish). We will focus on the latest and coolest features in Windows 10 and how we can utilize Enterprise Mobility Suite (EMS) together with Windows 10 to achieve greatness! EMS and Windows 10 will change how we manage our devices and users in the future!

Really looking forward to it! Hope to meet you all there!
