
Error handling in TS without MDT using OSDBackground


I promised last week that I would write a blog post on how I use OSDBackground in case of a Task Sequence failure, so here it is. OSDBackground gives us the possibility to show an error when a Task Sequence fails, and when doing so it also gives us the option to read all TS variables and open a command prompt or CMTrace without having F8 support enabled.

Well, to handle errors in a Task Sequence I use a couple of small scripts that I will describe here and that can be downloaded further down in the blog post. Basically, the functionality is the same as in an MDT integrated Task Sequence.

We start by using a group called “Execute Task Sequence” with the “Continue on error” option selected.

Then we run our whole Task Sequence within that group; that way we can catch any error in the groups that run later in the Task Sequence.

I also set the variable shown above, “SMSTSErrorDialogTimeOut”, to “28800”, which equals 8 hours. If the task sequence fails, the countdown timer will count down from 8 hours before the computer restarts.

In the end of the Task Sequence we have two groups, “OSD Completion” and “OSD Error”.

The OSD Completion group is run, as the name indicates, when the Task Sequence is successful, using the condition Task Sequence variable “_SMSTSLastActionSucceeded” = “True”. In this group we also remove the computer from the OSD collection using the Onevinn WebService.

I also added a small step to stop the OSDBackground process: if we don't restart the computer after the last time we started OSDBackground, it will still show as the desktop background when the user logs on.

The PowerShell script used looks like this:

Stop-Process -Name "OSDBackground" -Force -ErrorAction SilentlyContinue

What if the Task Sequence fails?

In the OSD Error group we have a couple of interesting steps as well. The OSD Error group has the following condition, using the same Task Sequence variable as before but for the case where a step in the Task Sequence failed: “_SMSTSLastActionSucceeded” = “False”.

The next step saves the error code from the Task Sequence step that actually failed in a Task Sequence variable called “ErrorReturnCode”. We use that later to fail the Task Sequence from a script, but with the original error code.

The next step uses OSDBackground to change the background image and lets us open a password-protected debug mode with command prompt support without having F8 enabled.

The next three steps are from the sample scripts in the Onevinn OSD WebService. The first one sets a couple of variables we need to be able to remove the computer from the collection used to target the OS deployment.

The next step removes the computer from the OSD collection.

We can then disable the computer account in the domain using the Web Service, to make sure no one uses a computer with a failed OS deployment that is potentially missing anti-virus and much more.

Then we use a small script that fails the Task Sequence with the original error code that we saved in the variable earlier.

The script used looks like this:

# Read the Task Sequence environment and exit with the code saved by the previous step,
# so this step (and with it the Task Sequence) fails with the original error code.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
exit $tsenv.Value("ErrorReturnCode")
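A more defensive version of that last step, added here as an example (it is not one of the two scripts in the download): it falls back on the built-in _SMSTSLastActionRetCode variable if ErrorReturnCode is missing, accepts both decimal and hex values, and still exits non-zero when no usable code is found, so a lost variable cannot turn a failed deployment into a "successful" one.

```powershell
# Added example: fail the task sequence with the original error code, defensively.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

function ConvertTo-ExitCode([string]$Value) {
    # Turns "16389", "-2147024894" or "0x80070002" into an Int32 usable with 'exit'.
    # HRESULTs above Int32.MaxValue wrap to their negative two's-complement form.
    # Anything unparseable becomes 0 so the caller can treat it as "no code".
    $v = "$Value".Trim()
    if ($v -match '^0x[0-9a-fA-F]{1,8}$') { $n = [Convert]::ToInt64($v.Substring(2), 16) }
    elseif ($v -match '^-?\d{1,10}$')     { $n = [Convert]::ToInt64($v) }
    else                                  { return 0 }
    if ($n -gt [int32]::MaxValue -or $n -lt [int32]::MinValue) {
        $bytes = [BitConverter]::GetBytes([uint32]($n -band 0xFFFFFFFF))
        $n = [BitConverter]::ToInt32($bytes, 0)
    }
    return [int]$n
}

# Prefer the value saved by the "Save error code" step; fall back on the read-only
# variable that ConfigMgr sets to the return code of the last action that ran.
$raw = $tsenv.Value('ErrorReturnCode')
if ([string]::IsNullOrWhiteSpace($raw)) { $raw = $tsenv.Value('_SMSTSLastActionRetCode') }

$exitCode = ConvertTo-ExitCode $raw
if ($exitCode -eq 0) {
    # No code at all (or a zero) means the save step never ran. Do not exit 0 here:
    # that would mark the error group, and thereby the whole deployment, as successful.
    Write-Output "No usable error code found (value '$raw'); exiting 1 so the task sequence still fails."
    $exitCode = 1
}

# The Run PowerShell Script step records the script output in smsts.log, so name the failing step too.
Write-Output ("Failing task sequence after step '{0}' with original error code {1} (raw value '{2}')." -f `
    $tsenv.Value('_SMSTSLastActionName'), $exitCode, $raw)
exit $exitCode
```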

The result is a Task Sequence that ends up with this dialog when it fails.

Now we can right-click in the upper left corner and supply the configured password to open the debug options in OSDBackground and troubleshoot our Task Sequence error without having F8 enabled in our boot image.

OSDBackground was updated on TechNet yesterday as well: if you don't have CMTrace in your image, you can just copy CMTrace.exe to the OSDBackground package and it will copy CMTrace to the local drive so it can be used to read the log files. A great addition by Johan!
The two scripts used can be downloaded here; I would add them to the OSDBackground package so we can run them from the same package in our Task Sequence.

OSDBackground Addon

Thanks Johan Schrewelius for creating OSDBackground!!


Configmgr 1612 Technical Preview main new features


Configuration Manager 1612 Technical Preview was released a couple of days ago and I have been playing around with it in all the time I could spare since! Many new features that make us long for 1701 TP already, to see how the new features have improved.

I cannot help seeing a picture before me where David James is Santa Claus and the rest of the ConfigMgr team are his helpers :-) The work and innovation put into Configuration Manager over the last year is truly amazing! Fantastic work!

I have played around with a couple of the new features so I will cover them here, for a complete list of new features check out the documentation: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1612

Task Sequence Retry option:

We have a new retry option for when a Task Sequence fails because content is not available or a deployment could not be found for the computer in WinPE. A great addition; there are more steps that could benefit from a “retry” option, but I am sure that will come.

It looks like this when content is missing on the DP: we now have a “Previous” button in the dialog, so we can retry the previous step.

Checking for running applications when an application is about to install.

This is a very big deal as well, we can now add .exe files that shouldn’t be running when our application is trying to install. We add the .exe files in a new tab for the deployment type.


I tested with an available deployment to a user and then this dialog is shown. A friendly name would be a great addition so the user knows what to close, a retry option like in the TS would also be good.


Android for Work

Android for work is in the console but not yet operational. Also high on our list to Santa.


Data Warehouse

We got a new site system role, “Data Warehouse Service Point”, which is just that, a data warehouse. It makes it possible to copy data to another SQL database for long term storage. This is great, as we can replace all the custom solutions out there today. I love the

We can then choose which custom tables to include/exclude in our Data Warehouse and when to synchronize data.

There are a couple of built-in reports as well that use the Data Warehouse as their data source. The one I am sure I will use the most is the “Endpoint Protection and Software Update Compliance report”; great stuff, no more custom solutions to solve that for customers.

OData endpoint data access

We have a new option under Site Properties to enable a REST endpoint for querying Configuration Manager data from the tool of our choosing, PowerBI or Excel for instance.

Express files support for Windows 10 (RS2 or update to RS1 in early 2017 required)

We can now enable support for Express updates both on our Software Update Point and in the client settings, to allow clients to use the Express files. This feature requires either Windows 10 RS2 or an update coming to Windows 10 1607 in early 2017. Express updates are a big deal, because they bring down the amount of data that clients download when applying Windows 10 cumulative updates.

Enhancement for online-licensed apps from the Windows Store for Business (RS2 required)

This feature will make it possible to deploy Online licensed apps using Configuration Manager, the next step towards the future of application management.

Azure AD onboarding

We can now add our Azure AD to Configuration Manager which can in turn be used by the Cloud Management Gateway to provide user policies to our clients when they use the Cloud Management Gateway.


In-console improvements

There are some console improvements, where my favorite is that it actually remembers if you selected to search sub-nodes.

So many new features to try out! There are more, like the command line tool to cleanup content in the content library and I am sure much more as well. I will play around with it some more and see what I can find.

  • Data Warehouse for historical reporting
  • Azure Active Directory onboarding
  • Windows Hello for Business toast notification
  • Enhancement for online-licensed apps from the Windows Store for Business
  • Express files support for Windows 10 cumulative updates

Winpe 1607 Dot3svc fails to load – Workaround


In WinPE 1607 Dot3svc fails to load, as I and many others have noted before: http://ccmexec.com/2016/09/dot3svc-does-not-load-using-winpeadk-1607/ Today, in a comment on my post, “Robert” posted the following workaround, which seems to be working just fine!

Copy the following files from a Windows 10 1607 installation to WinPE:

%windir%\l2schemas\OneX_v1.xsd -> %winpewindir%\l2schemas\OneX_v1.xsd
%windir%\system32\l2gpstore.dll -> %winpewindir%\system32\l2gpstore.dll
%windir%\system32\onex.dll -> %winpewindir%\system32\onex.dll
%windir%\system32\en-US\onex.dll.mui -> %winpewindir%\system32\en-US\onex.dll.mui
%windir%\system32\wbem\en-US\l2gpstore.mfl -> %winpewindir%\system32\wbem\en-US\l2gpstore.mfl

Thanks Robert for sharing this! All credit to your work!
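As an added example (not from the post or from Robert's comment), a PowerShell script that applies the workaround to a boot image offline with the DISM cmdlets: it mounts the .wim, copies the five files into the matching paths under the mounted Windows folder and saves the image. $BootWim, $Win10Root and $MountDir are assumed paths; run it elevated, and remember to update the boot image on your distribution points afterwards.

```powershell
# Added example: copy the Dot3svc dependencies from a Windows 10 1607 installation into a WinPE 1607 image.
param(
    [string]$BootWim   = 'C:\BootImages\boot.wim',   # assumed: the boot image (.wim) to patch
    [string]$Win10Root = 'C:\Windows',               # assumed: %windir% of a Windows 10 1607 installation
    [string]$MountDir  = 'C:\Mount\WinPE'            # assumed: empty folder used as mount point
)

# The five files from the workaround, relative to %windir% (source) and %winpewindir% (destination).
$files = @(
    'l2schemas\OneX_v1.xsd',
    'system32\l2gpstore.dll',
    'system32\onex.dll',
    'system32\en-US\onex.dll.mui',
    'system32\wbem\en-US\l2gpstore.mfl'
)

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $BootWim -Index 1 -Path $MountDir | Out-Null

try {
    $winpeWinDir = Join-Path $MountDir 'Windows'    # this is %winpewindir% inside the mounted image
    foreach ($relative in $files) {
        $source      = Join-Path $Win10Root $relative
        $destination = Join-Path $winpeWinDir $relative
        if (-not (Test-Path -LiteralPath $source)) { throw "Source file not found: $source" }
        New-Item -ItemType Directory -Path (Split-Path -Path $destination -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $source -Destination $destination -Force
        Write-Output "Copied $relative"
    }
    # Commit the changes into the .wim
    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    Write-Output "Saved $BootWim; update the boot image on the distribution points to roll it out."
}
catch {
    # Leave the image untouched if anything went wrong
    Write-Warning "Patching failed, discarding changes: $($_.Exception.Message)"
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
```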

ConfigMgr 1701 TP new features


After playing around a while with Configuration Manager 1701 Technical Preview build I thought it was time to share some info and some nice screenshots.

The biggest new feature, without competition, is that SCCM clients will now select a Software Update Point using Boundary Groups, just like they do with an MP or DP. This is awesome news, as it replaces the random selection a client does today! Right now there are some limitations to it in the Technical Preview; all information about what is included in 1701 Technical Preview can be found here: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1701

Software update points and Boundary Groups improvements

A look at the new setting for SUP fallback in the Boundary Groups; it is not fully implemented yet in the Technical Preview, but it looks nice! New clients will use the SUP assigned to them in the Boundary Group, but existing clients will use the one that was selected randomly until they fail to contact it. Something to keep in mind when implementing it, if that is how it will work when it is released.

Hardware inventory now inventories UEFI information

UEFI is extremely important for all the new security features in Windows 10 and going forward. In 1701 hardware inventory now inventories UEFI information as well. A dashboard that shows Credential Guard and Device Guard state would be great as well; a Configuration Item for it works just fine, but if I could wish.

Improvements in Operating System deployment

There are many small but great updates to the Task Sequence as well, updates to Standalone Media, expiration dates, additional content.

In the Task Sequence editor we can now multi-select applications, and instead of a maximum of 9 applications per step it is now possible to add 99.

All steps in a Task Sequence that reference a package, driver package, application and so on will have its package ID/application ID shown as well, making it much easier to find and troubleshoot; an example would be the Setup Windows and Configuration Manager step.

Validate device health attestation data via management points

We can now configure our Management Points with a list of on-premises Device Health Attestation points they should use to report device health. Device health attestation is not the most used feature as far as I know, but it will be when we get rid of all the “old” hardware that doesn't support TPM 2.0, for instance.

Host software updates on cloud-based distribution points

A feature that has been requested but is debated as well: for Microsoft updates the clients can download the content from Microsoft Update directly, while hosting the updates on a cloud DP introduces an additional cost. Something to think about.

The list of features I wrote about here is far from complete; check out the documentation for a complete list. It is great to follow the development of the product that is being done now, impressive!

Synchronizing IE Favorites with UE-V in Windows 1607


User Experience Virtualization (UE-V) is built into Windows 10 1607 and is no longer a standalone installer as it has been before. This is great, as UE-V is a very powerful solution to synchronize application settings like, for instance, Outlook signatures, IE favorites, Windows themes and so on.

When we design and build our new Windows 10 platform we should move away from legacy solutions and use new features to build a modern client.

I have had an issue where Internet Explorer favorites don't sync in Windows 10 1607. We tried a couple of workarounds, but they never synced on the first logon for the user, which is very annoying.

What we ended up with to solve this is to configure the following two UE-V settings using PowerShell: WaitForSyncOnApplicationStart and WaitForSyncOnLogon (it turns out that it is WaitForSyncOnLogon that actually solves it).

After that the Internet Explorer favorites synchronizes as expected :-)

The script we currently use to enable UE-V looks like this; it can be run during OS deployment or as a package/program.

# Enable the UE-V service and make it wait for settings to sync at logon and at
# application start; the logon setting is what makes IE favorites sync on first logon.
Enable-Uev
Set-UevConfiguration -Computer -EnableWaitForSyncOnApplicationStart -EnableWaitForSyncOnLogon

# In Windows 10 1607 the inbox templates are not registered automatically, so register the ones we use.
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml
Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml

I will write another post this week about the templates and how it works when you use a Template share which is also very interesting.

UE-V Windows 10 1607 Powershell and UE-V Template share


To follow up on my post earlier this week about how to enable UE-V during OSD and get it to sync Internet Explorer favorites, I will cover UE-V templates, PowerShell and a template share.
In UE-V we can define a central template share where we can drop a UE-V template and the clients will automatically pick it up. New in Windows 10 1607 is that we must register even the built-in templates, so if we just enable UE-V no templates are imported. In UE-V 1607 the built-in templates are placed in C:\ProgramData\Microsoft\UEV\InboxTemplates. We can register them with a PowerShell script during OS deployment, for instance.

In this example I will register all of the inbox templates, which I don't think you should do. I get 35 templates in my Templates folder (which contains the registered templates) after they are imported.

And everything works just fine.

If I then specify a central template share and restart the computer… I am left with only 26, plus the Google Chrome one from my template share. The rest are removed.

Conclusion: when using UE-V, register during OS deployment all the templates you want to make sure are used the first time the user logs on, and if a template share is used, add all the Office related templates to the template share as well; otherwise they are unregistered after the first reboot.

What’s new in Configuration Manager 1702 TP


Configuration Manager Technical Preview 1702 includes a lot of new features; it is amazing how many features are put into each Technical Preview version of Configuration Manager. For a complete list of what is new in Configuration Manager 1702 TP see the documentation here: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1702

Here are some notes and screenshots of the new features.

Improvements to Software Center settings and notification messages for high-impact task sequences

This is one of the most voted-for items on UserVoice: to be able to change the information shown to a user when starting a Task Sequence from Software Center. In Configuration Manager 1702 TP we got more than one new feature. The default message displayed when an in-place upgrade task sequence is executed from Software Center is now changed, and it doesn't tell our users that all their data will be lost. :D

We can also choose to customize the message in the properties of the Task Sequence.


Then it looks like this for the end-user when they start the Task Sequence from Software Center. Very Nice!


Configure Software Center properties

We can also configure the information shown in Software Center for a Task Sequence: Restart required, Download Size and Estimated run time. This is also great; now we only need to train our users to use Software Center….

Check for running executable files before installing an application

This feature has improved since previous Technical Preview releases; now we can display a friendly name as well for the application, so it doesn't say “Iexplore.exe” anymore.

It looks like this when launched from Software Center, which looks so much nicer! Now we want a “close my application now” and a “retry” button as well, and I am sure we will see a lot of new options in this feature in the future.

We can also choose to close the running apps that are blocking the application installation if it is deployed as a “required” deployment. Note: this will not prompt the user to close the applications; they will be closed automatically when the deployment runs.

Create PFX certificates with S/MIME support

We can now use the same feature that has been around for a while in Intune Standalone: to create and distribute .PFX certificates, as well as SCEP as has been the case before. This is great news, as a .PFX certificate on mobile devices can be used for S/MIME support, for instance. (It is also much easier to set up than NDES/SCEP.)

Android for Work support

Android for Work support: there have been traces of it in previous Technical Previews, but now it is fully operational! :D With the same features that are available in Intune Standalone.

More Improvements:

There are even more improvements that I haven't covered here; one I really like is the option to use Azure Active Directory Domain Services, a great new feature that shows that Configuration Manager has a great future ahead as well!!

  • New compliance settings for iOS devices
  • Compliance assessment for Windows Update for Business updates
  • Antimalware client version alert
  • Conditional access device compliance policy improvements
  • Use Azure Active Directory Domain Services to manage devices, users, and groups
  • Peer Cache improvements
  • Changes for Updates and Servicing

Copy and Zip OSD log files in a Task Sequence using Powershell


My colleague Johan Schrewelius wrote a script to copy log files from OSD to a network share, like the functionality we have in MDT, so I thought I would post it here as it is brilliant. It can be downloaded here: https://gallery.technet.microsoft.com/Script-to-Zip-and-copy-c37c4c8e

The script “CopyOSDLogs.ps1” can be run anywhere in an OSD TS but is most often used in the error section, and thus only runs in case of a failed deployment. I wrote a post here a while ago on how to add some basic error handling in a standalone TS:

http://ccmexec.com/2016/12/error-handling-in-ts-without-mdt-using-osdbackground/

There are a couple of prerequisites to make it work:

  • We need to make sure that PowerShell support is added to our boot image.
  • We need a location (file share) to save the logs.
  • A TS variable holding the UNC path to the share.
  • The “first” Network Access Account must be granted “Modify” permissions on the share.

Make sure that PowerShell is added to the boot image, by adding it if it isn't added already.

The script will use the Network Access Account for authentication, making it work also in the event of a failure during Windows PE, where we cannot use the computer account as the machine is not yet domain joined.

Check the name of your “first” NAA, if you have several it should be the one on top.


Make sure the Account has been granted “Modify” permissions on your log share:


Create a TS Variable “SLShare” and assign it the UNC-Path to your log share:


Create a package (without a program) or put the script in an existing scripts package, and incorporate it in the TS like this:

When the script runs, be it in the event of a failure or if you want it to run always, the SMSTSLog folder will get zipped and stored as a single file on your log share:

If we combine it with the script, also published on TechNet Gallery, that safely dumps the TS variables, the dump will also be included in the saved log files. That script filters out all passwords and sensitive information so they are not part of the log file. https://gallery.technet.microsoft.com/Task-Sequence-Variables-de05b064

That is great if we want to troubleshoot afterwards, for instance which applications were installed dynamically using variables.
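An added example of what such a step can do (example code, not Johan's CopyOSDLogs.ps1 or the variable dump script): it dumps the task sequence variables with sensitive ones redacted, zips the folder in _SMSTSLogPath together with that dump and copies the archive to the path in SLShare. It assumes the share is already reachable, for example via a preceding “Connect to Network Folder” step that uses the Network Access Account, and that the boot image has the PowerShell and .NET components, since Compress-Archive needs them.

```powershell
# Added example: collect task sequence logs and a redacted variable dump to a share.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Variable names matching these patterns are never written out in clear text:
# ConfigMgr keeps the NAA and other credentials in _SMSTSReserved* variables,
# and join / local admin passwords live in OSD*Password variables.
$sensitivePatterns = @('^_SMSTSReserved', 'Password', '^OSDJoinAccount$')

function Get-RedactedVariableDump {
    param([Parameter(Mandatory = $true)]$TsEnv, [string[]]$Patterns)
    foreach ($name in ($TsEnv.GetVariables() | Sort-Object)) {
        $value = $TsEnv.Value($name)
        foreach ($pattern in $Patterns) {
            if ($name -imatch $pattern) { $value = '<redacted>'; break }
        }
        '{0} = {1}' -f $name, $value
    }
}

function Export-OsdLogs {
    param([string]$Share, [string]$LogPath, [string]$ComputerName)
    if ([string]::IsNullOrWhiteSpace($Share) -or -not (Test-Path -LiteralPath $LogPath)) {
        return "SLShare not set or log path '$LogPath' not found; nothing collected."
    }
    # Put the dump inside the log folder so it ends up in the same archive.
    Get-RedactedVariableDump -TsEnv $tsenv -Patterns $sensitivePatterns |
        Set-Content -LiteralPath (Join-Path $LogPath 'TSVariables.txt') -Encoding UTF8

    # One archive per machine and run, staged locally and then copied to the share.
    $zipName = '{0}_{1}.zip' -f $ComputerName, (Get-Date -Format 'yyyyMMdd-HHmmss')
    $staged  = Join-Path $env:TEMP $zipName
    Compress-Archive -Path (Join-Path $LogPath '*') -DestinationPath $staged -Force
    Copy-Item -LiteralPath $staged -Destination (Join-Path $Share $zipName) -Force
    Remove-Item -LiteralPath $staged -Force -ErrorAction SilentlyContinue
    return "Copied $zipName to $Share"
}

# In WinPE the machine name is not final yet, so prefer the name the deployment will use.
$name = $tsenv.Value('OSDComputerName')
if ([string]::IsNullOrWhiteSpace($name)) { $name = $env:COMPUTERNAME }

try {
    # _SMSTSLogPath points at the SMSTSLog folder both in WinPE and in the full OS.
    Write-Output (Export-OsdLogs -Share $tsenv.Value('SLShare') -LogPath $tsenv.Value('_SMSTSLogPath') -ComputerName $name)
}
catch {
    Write-Output "Log collection failed: $($_.Exception.Message)"
}
exit 0   # log collection must never change the outcome of the deployment
```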

I hope you find it useful.


Automatically distribute packages to DP in ConfigMgr


I wrote a blog post a while ago where I used a VBScript that distributes the content of a newly added package and checks the “Copy the content in this package to a package share on distribution points” option. I still use it and it works great… My colleague Johan Schrewelius rewrote it to use PowerShell instead, and it also handles boot images, OS images, driver packages and packages.

If you have been working with SCCM for a while you have most probably experienced this: you created a new program package or driver package, or perhaps added a new OS image, but you forgot to distribute it.

Another possible problem is that your deployment is configured to “Access content directly from a distribution point when needed by the running task sequence” and that you instead forgot to mark the new package to be copied to a package share on distribution points.


To make life easier we decided to create a status driven script to automatically handle this.

Every time a new package is added we will get a new status message with ID: 30000


This “Message ID” can be used to trigger the execution of a custom script that automates distribution and also, if desired, copies the content to a share, making sure that we from now on don’t have to bother anymore. The script can be downloaded from here: https://gallery.technet.microsoft.com/Script-to-automatically-c069d8b9

CONFIGURE THE SCRIPT

1. Place the script in a “scripts folder” on your site server.

2. Find the name(s) of your distribution point group.


3. Open the script and let it know the name(s) of your distribution point group.


If you wish to auto-distribute to several groups, add them to the list like this:

$DPgroups = @("Group One Name", "Group Two Name")

If you don't want to copy your packages to a share on the DPs, change it to $CopyToShare = $false

CREATE STATUS FILTER RULE

1. Right click your “Site” and press “Status Filter Rules” on the context menu.


2. Press “Create” to open the Rules Wizard.


3. Give the new Rule a Name (Auto Distribute new Package) and make Message ID 30000 the trigger. Press Next


4. Specify the Action for the new Rule = Run the script with Powershell. Press Next when done.


Program: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file "C:\Scripts\AutoDistributePackages.ps1" %msgis02

5. Check the Summary and press Next.


6. Close the wizard.

7. You should now have a new Status Filter Rule. Press OK to close the window.

8. Done!

Next time you create a package, driver package or add an OS image, Distribution will be automatically handled for you.

Limitations:

  • It's only possible to choose distribution point groups; if you need DP resolution, feel free to edit the script, or write a dedicated.
  • The script must run on a server with the SCCM admin console installed.
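An added example of what the status filter rule can trigger (example code, not the gallery script): it takes the package ID that %msgis02 passes as its only argument, works out whether that ID is a package, driver package, boot image or OS image, enables the package share option if $CopyToShare is set, and starts distribution to the groups in $DPgroups. The group name and log path are assumptions; the cmdlets are from the ConfigurationManager module that ships with the admin console, and the -CopyToPackageShareOnDistributionPoint parameter name is as I know it, so verify it with Get-Help before relying on it.

```powershell
# Added example: auto-distribute newly created content, run by a status filter rule on message ID 30000.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9]{8}$')]  # package IDs are 8 characters, e.g. PS100042 (constructed value)
    [string]$PackageId
)

# ---- Settings (assumed values, change to match your site) ----
$DPgroups    = @('All Distribution Points')   # one or more distribution point group names
$CopyToShare = $true                          # also tick "copy to package share on distribution points"
$LogFile     = 'C:\Scripts\AutoDistributePackages.log'

function Write-Log([string]$Message) {
    '{0} [{1}] {2}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $PackageId, $Message |
        Out-File -FilePath $LogFile -Append
}

# The module ships with the admin console; SMS_ADMIN_UI_PATH points at its bin folder.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1') -ErrorAction Stop
$siteCode = (Get-PSDrive -PSProvider CMSite -ErrorAction Stop | Select-Object -First 1).Name
Set-Location "$($siteCode):"

# Message ID 30000 fires for every content type, so work out which one the ID refers to.
$kinds = @(
    @{ Name = 'Package';        Get = { Get-CMPackage -Id $PackageId };              Set = 'Set-CMPackage';              DistParam = 'PackageId' },
    @{ Name = 'Driver package'; Get = { Get-CMDriverPackage -Id $PackageId };        Set = 'Set-CMDriverPackage';        DistParam = 'DriverPackageId' },
    @{ Name = 'Boot image';     Get = { Get-CMBootImage -Id $PackageId };            Set = 'Set-CMBootImage';            DistParam = 'BootImageId' },
    @{ Name = 'OS image';       Get = { Get-CMOperatingSystemImage -Id $PackageId }; Set = 'Set-CMOperatingSystemImage'; DistParam = 'OperatingSystemImageId' }
)
$kind = $kinds | Where-Object { & $_.Get } | Select-Object -First 1
if (-not $kind) {
    Write-Log 'ID is not a package, driver package, boot image or OS image; nothing done.'
    exit 0
}

try {
    if ($CopyToShare) {
        # Parameter name as I know it from the ConfigurationManager module; verify with Get-Help.
        & $kind.Set -Id $PackageId -CopyToPackageShareOnDistributionPoint $true
        Write-Log "$($kind.Name): enabled copy to package share on distribution points."
    }
    # Start-CMContentDistribution takes a different ID parameter per content type, so splat it.
    $distArgs = @{ DistributionPointGroupName = $DPgroups }
    $distArgs[$kind.DistParam] = $PackageId
    Start-CMContentDistribution @distArgs
    Write-Log "$($kind.Name): content distribution started to $($DPgroups -join ', ')."
    exit 0
}
catch {
    Write-Log "Failed: $($_.Exception.Message)"
    exit 1
}
```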

New features in ConfigMgr 1703 Technical Preview


Updated!! With the new features in OSD that Aaron Czechowski shared on Twitter! Thanks Aaron, great stuff!

Every time a new Technical Preview of Configuration Manager is released it means a late night upgrading and playing around with the new cool features! Last night it was time again: TP 1703 was released. One of my favorite small but great features is the collapsible groups in the Task Sequence editor :D It will make navigating long and complex Task Sequences much easier.

More OSD news: Secure Boot state can also be included in the hardware inventory, an important addition for Windows 10 deployments.

Importing a computer is also updated, it is now possible to add the computer to more than one collection, I wish we had that a long time ago!


The next feature proves how much investment is made in Windows Analytics, and that you should look at starting to use this awesome FREE service now! We will be able to control the Commercial ID, telemetry level and more in Client Settings in Configuration Manager, hopefully eliminating the need to run the Windows Analytics script to configure the clients as we do today!

The next new feature is a new wizard to onboard to all Azure services; the one that exists in TP 1703 is Windows Store for Business.

More new features:

PFX certificates for Configuration Manager Windows client computers
This makes it possible to deploy .PFX certificates to Windows 10 clients as well, a great and important addition.

Direct links to applications in Software Center
This makes it possible to email or send users a link to an application in Software Center. I will have to try it out as well. The link format is:

Softwarecenter:SoftwareId=*Application Identifier*

Convert from BIOS to UEFI during an in-place upgrade
With the new ADK for the Windows 10 Creators Update it is now possible to convert from BIOS to UEFI during an in-place upgrade as well, removing one of the biggest blockers for in-place upgrades. More information:

https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion#convert-from-bios-to-uefi-during-an-in-place-upgrade

For more information on the improvements in Configuration Manager 1703 Technical Preview, check out the product documentation. https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1703

ConfigMgr CI to check Applocker is configured and running


AppLocker is used more and more, so I wrote this little PowerShell script that can be run as a Configuration Item which checks that the Application Identity service is running and an AppLocker policy is applied. We could also do a remediation script to start the AppIDSvc again if stopped, but I normally use a Group Policy to set the service to start automatically, so if it isn't started something else is wrong: the GPO is not being applied or something.
The discovery script (note: it requires WMF 4 or later):

# Effective AppLocker policy (local + GPO) with at least one rule collection present
$Applocker = Get-AppLockerPolicy -Effective | Where-Object {$_.RuleCollections -ne $Null}

# The Application Identity service must be running for AppLocker to enforce anything
$AppIDSvc = Get-Service | Where-Object {$_.Name -eq "AppIDSvc" -and $_.Status -eq "Running"}

# The CI evaluates this Boolean: $true only when both a policy and the running service are found
Return $Applocker -and $AppIDSvc
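A stricter discovery script, added here as an example (it is not the CI script above): it also requires the service start mode the GPO sets and at least one rule collection that actually contains rules and is in Enabled mode, since an AuditOnly collection logs but blocks nothing. It uses the Win32_Service CIM class so it works on WMF 4 as well, and the CI still evaluates the single Boolean it outputs.

```powershell
# Added example: stricter AppLocker discovery script for a ConfigMgr Configuration Item.
function Test-AppLockerEnforced {
    param(
        # The post sets AppIDSvc to start automatically via GPO ('Auto' in Win32_Service terms);
        # use 'Manual' instead if you rely on the default trigger start.
        [string]$ExpectedStartMode = 'Auto'
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'AppIDSvc'" -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.State -ne 'Running' -or $svc.StartMode -ne $ExpectedStartMode) {
        return $false
    }

    # The effective policy merges local and GPO-delivered rules. Each rule collection
    # (Exe, Dll, Script, Msi, Appx) carries its own enforcement mode and rule count.
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if (-not $policy) { return $false }

    $enforced = @($policy.RuleCollections | Where-Object {
        $_.Count -gt 0 -and "$($_.EnforcementMode)" -eq 'Enabled'
    })
    return ($enforced.Count -gt 0)
}

# The CI compares this Boolean against the compliance rule (Equals True).
Test-AppLockerEnforced
```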

Using Configuration Manager CIs and baselines to configure your clients is an extremely powerful tool; GPO is basically fire and forget, while here we get status back. It can also be used in many scenarios where Group Policy cannot, like when managing clients on the internet using the Cloud Management Gateway.

We need to start with checking the client agent settings so that it allows Powershell scripts that are not signed to be run by the SCCM client, or sign the script.


Then we create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)


Select the supported platforms:


Select New in the Settings step


Create a new Configuration Item with following settings:

-Settings Type: Script

-Data type: Boolean


Then we edit the discovery script and paste the script as shown below.


Then we create a compliance rule with the following settings.


Then we can add it to a baseline and deploy it to our clients. For all of you who took the time to read the whole post, you can download an exported .cab file which contains both the CI and the baseline used from here: Applocker status

New Windows 10 Group Policies in Windows 10 1703


Windows 10 1703 is here! And is has some great new features as always, we are still waiting for the official .ADMX files and the documentation on what GPO’s are new and have changed. Some are changed like the Credential Guard setting where we have more options. I did a quick comparision so there are more I am sure, some are renamed some are moved so it is hard to put together. The components with most new settings are Microsoft Edge, Delivery Optimization and Windows Update.

Microsoft Edge have taken huge steps and is working great. The feature that will please out customers the most are the fact that we can synchronize Microsoft Edge and Internet Explorer favorites! Simple, small feature that will increase the adoption of Microsoft Edge. Setting a custom Start page that the users an change is great news as well.
Edge IE Sync

Here are the list on new GPO settings that my little investigation found, I am sure I missed some of them. Didn’t include changed ones like credential Guard improvements for instance. But it could be useful until we get the official documentation.
Windows 1703 New GPOs
And here it is in Excel, which could make more sense: Windows 10 1703 new GPOs

Data Warehouse feature in Configuration Manager 1702


In Configuration Manager 1702 there is a new feature and site system role (pre-release) called Data Warehouse. This is a great addition, as I cannot count the times I have set up and configured another database and then, on a schedule, moved data to that database to be used both for historical data and by other systems that shouldn't query our precious Configuration Manager database during production hours.

Many times, performance issues in Configuration Manager have been caused by developers querying the Configuration Manager database with really bad queries, degrading overall performance.

In Configuration Manager 1702 the Data Warehouse feature holds the answer to those issues. With the Data Warehouse Service Point role we can transfer SQL data to another SQL database. That server doesn't need the same high spec as the Configuration Manager database server.

When we configure the Data Warehouse Service Point role we set a schedule for when the data should be transferred to the Data Warehouse and how often. As it is still a pre-release feature you need to opt in to using pre-release features; that is done in the Hierarchy Settings.

Pre-release features

To add the Data Warehouse service point we add the Data Warehouse Service Point role to the server that should host it.

DataWareHouse Service Point

We enter the SQL database server name, database name and port to be used.

DataWareHouse Service Point 2

We can then configure how often it should synchronize the data.

DataWareHouse Service Point 3

We also get a couple of new reports that show historical data from the Data Warehouse database, which are cool and useful as well if we have compliance rules that apply to our business. No more exporting data at the end of each year to .CSV files for historical compliance, Endpoint Protection and software update compliance reporting.

DataWareHouse reports

When configuring the Data Warehouse, don't forget to grant the Reporting Services user account used in Configuration Manager the db_datareader role on the Data Warehouse database; otherwise this message shows up when running the reports.

Error Displaying Reports

We grant the SQL Reporting Services user account the db_datareader role.

Reporting user permissions

After granting the Reporting Services user account permissions to the database the reports now run as they should.

Reporting user permissions_2
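The same grant done from PowerShell, as an added example that is not part of the post: it creates the Windows login if it is missing, maps it to a user in the Data Warehouse database, adds it to db_datareader only, and reads the role membership back. Instance, database and account names are placeholders.

```powershell
# Added example, not from the post: grant the Reporting Services service account read-only access
# to the Data Warehouse database and verify the membership. Server, database and account names
# are assumptions. Requires the SqlServer module (Invoke-Sqlcmd) and rights to create logins/users
# on the target instance. Run it against the Data Warehouse instance only; the reports need
# db_datareader there and nothing more (no db_owner, no sysadmin).

param(
    [string]$SqlInstance = 'CMDW01.corp.contoso.com',
    [string]$Database    = 'CMDataWarehouse',
    [string]$RsAccount   = 'CORP\svc_cm_reporting'
)

# Batch 1 (master): the Windows login, created only if missing.
$createLogin = @'
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$(Account)')
    CREATE LOGIN [$(Account)] FROM WINDOWS;
'@

# Batch 2 (the DW database): map the login to a user, add it to db_datareader, then list
# every role the user holds so an accidental db_owner membership would show up too.
$grantRead = @'
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$(Account)')
    CREATE USER [$(Account)] FOR LOGIN [$(Account)];
IF IS_ROLEMEMBER('db_datareader', '$(Account)') <> 1
    ALTER ROLE db_datareader ADD MEMBER [$(Account)];
SELECT dp.name AS member_name, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.database_principals dp ON dp.principal_id = rm.member_principal_id
WHERE dp.name = N'$(Account)';
'@

# The account is passed as a SQLCMD variable so the T-SQL stays readable; the value is
# admin-supplied, so this is hygiene rather than injection defence.
$v = "Account=$RsAccount"
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query $createLogin -Variable $v
$membership = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $grantRead -Variable $v

if ($membership.role_name -contains 'db_datareader') {
    "$RsAccount holds these roles on $Database : $($membership.role_name -join ', ')"
} else {
    throw "db_datareader membership for $RsAccount on $Database could not be confirmed"
}
```

If the list printed at the end contains more than db_datareader, the account has more than the reports need; remove the extra memberships.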

The Data Warehouse role is a great feature so you should try it out!

Setting Google as the default search engine in MS Edge in 1703 using GPO


In Windows 10 1703 we have some really great new Group Policy settings for Microsoft Edge, the most important one making it possible to sync favorites between Internet Explorer and Microsoft Edge. We can also set the default search engine to something other than Bing with Group Policy.

To do this we first need to create an .xml file that complies with the OpenSearch 1.1 specification https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery and we need to host that file on a web server that the clients can reach, and it must be served over HTTPS.

Update!

This can be done in two ways; the easiest one, which I overlooked, is to use the opensearch.xml file hosted by Google! Method 2 still works. Thanks for the comment on this post!

Method 1

The URL is https://www.google.com/searchdomaincheck?format=opensearch, so we don't have to host an .xml file of our own.

We simply add that to the Group Policy settings and we are done!

Set default search enginge_1

Method 2

Here is an .xml file that can be used to set the default search engine to Google instead of Bing using a Group Policy; it can be downloaded here: Opensearch.xml

<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Google</ShortName>
  <Description>Search Google</Description>
  <Url method="get" type="text/html" template="https://www.google.com/search?q={searchTerms}"/>
</OpenSearchDescription>

We then need to place it on a web server reachable from the clients over HTTPS; in my lab I put it on my SCCM server under Opensearch and called it opensearch.xml as well.

XML File

Then we configure the Group Policy setting to point to the .XML file we added above.

Set default search enginge

When logging on to a computer that the Group Policy is applied to, you can, if you are fast enough, see the search engine change from Bing to Google under Settings\Advanced settings.

Google default search engine

This can of course be used to change the search engine to something other than Google as well; just create an .xml file that points to that search engine instead and make sure it supports OpenSearch 1.1.
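An added example, not part of the post, for the "create an .xml file for another engine" case: it generates an OpenSearch 1.1 description for any search engine and checks the things the Edge policy silently depends on (correct namespace, a text/html Url whose template contains {searchTerms}, and HTTPS for both the template and the file's own URL). Engine names and URLs other than Google's are placeholders.

```powershell
# Added example, not from the post: generate an OpenSearch 1.1 description for any search engine and
# validate it before publishing. Called with Google's template it produces the same document as the
# opensearch.xml above; the intranet engine and host names below are assumptions.

function New-OpenSearchXml {
    param(
        [Parameter(Mandatory)][string]$ShortName,
        [Parameter(Mandatory)][string]$Description,
        [Parameter(Mandatory)][string]$Template      # search URL containing the {searchTerms} placeholder
    )
    $ns  = 'http://a9.com/-/spec/opensearch/1.1/'
    $doc = New-Object System.Xml.XmlDocument
    $null = $doc.AppendChild($doc.CreateXmlDeclaration('1.0', 'UTF-8', $null))
    $root = $doc.AppendChild($doc.CreateElement('OpenSearchDescription', $ns))

    foreach ($pair in ([ordered]@{ ShortName = $ShortName; Description = $Description }).GetEnumerator()) {
        $el = $doc.CreateElement($pair.Key, $ns)
        $el.InnerText = $pair.Value                  # InnerText escapes & < > for us
        $null = $root.AppendChild($el)
    }
    $url = $doc.CreateElement('Url', $ns)
    $url.SetAttribute('method',   'get')
    $url.SetAttribute('type',     'text/html')
    $url.SetAttribute('template', $Template)
    $null = $root.AppendChild($url)
    return $doc
}

function Test-OpenSearchXml {
    # Returns a list of problems; an empty list means the file is usable with the Edge policy.
    param([Parameter(Mandatory)][xml]$Document, [string]$HostedAt)
    $problems = @()
    $root = $Document.DocumentElement
    if ($root.LocalName -ne 'OpenSearchDescription' -or
        $root.NamespaceURI -ne 'http://a9.com/-/spec/opensearch/1.1/') {
        $problems += 'Root element is not OpenSearchDescription in the OpenSearch 1.1 namespace'
    }
    if (-not $root.ShortName) { $problems += 'ShortName is missing (Edge shows it as the engine name)' }
    $html = @($root.Url | Where-Object { $_.type -eq 'text/html' })
    if ($html.Count -eq 0) {
        $problems += 'No <Url type="text/html"> element'
    } else {
        $t = $html[0].template
        # -cnotmatch: the placeholder is case sensitive, {searchterms} would never be substituted.
        if ($t -cnotmatch '\{searchTerms\}') { $problems += 'Url template lacks the {searchTerms} placeholder' }
        if ($t -notmatch '^https://')        { $problems += 'Url template must use HTTPS' }
    }
    if ($HostedAt -and $HostedAt -notmatch '^https://') { $problems += 'The .xml itself must be served over HTTPS' }
    return $problems
}

# The engine the post configures; expect no problems to be reported.
$google = New-OpenSearchXml -ShortName 'Google' -Description 'Search Google' `
                            -Template 'https://www.google.com/search?q={searchTerms}'
Test-OpenSearchXml -Document $google -HostedAt 'https://cm01.corp.contoso.com/Opensearch/opensearch.xml'

# A broken variant (plain HTTP, placeholder typo, HTTP hosting): every problem is reported here
# instead of Edge quietly staying on Bing.
$broken = New-OpenSearchXml -ShortName 'Intranet' -Description 'Intranet search' `
                            -Template 'http://search.corp.contoso.com/?q={searchterms}'
Test-OpenSearchXml -Document $broken -HostedAt 'http://cm01.corp.contoso.com/Opensearch/intranet.xml'

# Save with the declared UTF-8 encoding where the web server can serve it.
$google.Save("$env:TEMP\opensearch.xml")
```

Run the validator against any engine's file before you point the Group Policy at it; a file that fails one of these checks is simply ignored by Edge, which is hard to troubleshoot from the client side.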

Thanks to my colleague Sassan for testing and supplying the .XML file!

News in Configuration Manager 1704 TP


Configuration Manager 1704 Technical Preview was released yesterday, with some really awesome stuff in there this time, for all OSD fans for sure!

If you aren't running Technical Preview in a test environment you really should! It is a great way of getting to know the new features and of providing feedback to make the features even more valuable for your organisation. Technical Preview 1703 is the current baseline; you can grab it here: https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview and then upgrade it to 1704 TP.

You can make it easy for yourself and use Johan Arwidmark's excellent hydration kit to get a test environment up and running: http://deploymentresearch.com/Research/Post/580/Hydration-Kit-For-Windows-Server-2016-and-ConfigMgr-Current-Technical-Preview-Branch

Now let’s look at what is new in 1704 Technical Preview.

Nested Task Sequences

This is something many of us have dreamed about and wished for for years, and now it is finally here: we can call a Task Sequence from a Task Sequence. There is a new Task Sequence step called "Run Task Sequence" which gives us great possibilities to make our Task Sequences smarter. There are some limitations in this Technical Preview release that you should be aware of, so check the documentation so you know what is possible and what is not.

RunTS

Android for Work app configuration

Android for Work will be the way to manage Android devices in the future, and now we have the ability to configure Android for Work apps in the same way we can with iOS apps today. This is great news, making the Android platform a real challenger for companies.

Android for Work configuration

Secure Boot Inventory

We already had the possibility to inventory whether UEFI is enabled, and now we can inventory whether Secure Boot is enabled as well. It is inventoried by default.

secureboot

Reload the Boot images with the latest WinPE version

We need to update the ADK and WinPE version used twice a year, as it looks now with the current release cadence of Windows 10 and its supportability with Configuration Manager. We got a new way to do this which makes it much easier: we can simply select to update the WinPE version when we distribute the boot images to our DPs.

Reload Boot Images

Powershell support to create advanced detection methods

A long-awaited addition: we can now create advanced detection methods for applications using PowerShell.

https://blogs.msdn.microsoft.com/ameltzer/2017/04/20/powershell-how-to-add-enhanced-detection-methods-to-deployment-types-1704-tp/
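An added example, not taken from the post or the linked article, of what such a detection method looks like when scripted: two clauses (file version and registry marker) attached to a script deployment type with the ConfigMgr cmdlets the article introduces. The application, deployment type, file and registry locations are placeholders for a hypothetical product, and the cmdlet parameter names should be checked with Get-Help in your console version.

```powershell
# Added example, not from the post or the linked article. Assumptions: the ConfigMgr console is
# installed, site code P01, and an application "Contoso Agent" with script deployment type
# "Contoso Agent - Install" already exists; paths and registry keys belong to that hypothetical product.

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'P01:'

# Clause 1: the installed binary is at least the version we deploy. Comparing the file version is
# far more robust than "the folder exists", which stays true after a failed upgrade.
$fileClause = New-CMDetectionClauseFile -Path 'C:\Program Files\Contoso\Agent' -FileName 'agent.exe' `
    -PropertyType Version -ExpressionOperator GreaterEquals -ExpectedValue '2.1.0.0' -Value -Is64Bit

# Clause 2: the product's own "installed" marker, so a leftover binary without the registry
# state is not reported as installed.
$regClause = New-CMDetectionClauseRegistryKeyValue -Hive LocalMachine -KeyName 'SOFTWARE\Contoso\Agent' `
    -ValueName 'Installed' -PropertyType String -ExpressionOperator IsEquals -ExpectedValue '1' -Value

# Attach both; clauses are combined with AND unless you supply connectors.
Set-CMScriptDeploymentType -ApplicationName 'Contoso Agent' -DeploymentTypeName 'Contoso Agent - Install' `
    -AddDetectionClause $fileClause, $regClause

# Read the deployment type back: the SDM package XML now carries an EnhancedDetectionMethod element.
(Get-CMDeploymentType -ApplicationName 'Contoso Agent' -DeploymentTypeName 'Contoso Agent - Install').SDMPackageXML |
    Select-String -Pattern 'EnhancedDetectionMethod'
```

Keeping detection on a version comparison plus a state marker, rather than a single "file exists" clause, is what stops the client from reporting an application as installed when an upgrade only partially completed.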

Eliminate Duplicate Records when converting BIOS-UEFI

This is an issue that has been raised and seen when converting BIOS to UEFI: we get a duplicate record, as the underlying hardware ID can change. These duplicate records are now eliminated in the 1704 TP release. We could actually use that as a hotfix for the 1702 release as well...

High DPI support in the admin console

Now that we have cool devices with high-resolution screens, it has been an issue that the SCCM admin console didn't support high DPI very well. Now that is solved as well. Long awaited!! :D

OS version Column in the System Images node

We can now see which OS version an OS image is based on in one of the columns in the Operating System Images node, which makes life a little easier.

OS version

More efficient logging in SMSTS.log

Improvements have been made to the SMSTS.log file and its logging, which will make the log easier to read. I will test that and see how much difference it makes when time allows.

Installing the 1704 TP update

Another thing to note is the new behavior that updates aren't automatically downloaded any more in the Updates and Servicing node; we need to decide which updates to download. The reason behind this is that you don't have to download updates/hotfixes that you perhaps skip and don't install.

Download Update

For a full list of features check out the documentation here: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1704


ConfigMgr CI to check that Credential Guard is running


I posted a Configuration Manager Configuration Item and Baseline a while back that checks whether AppLocker is configured and running. Another important thing to check on Windows 10 is that Credential Guard is configured and running. Credential Guard is an extremely important security feature in Windows 10 and should be used, and of course we need to make sure it is active and running.

Here is a Configuration Item and Baseline that do those checks. We use a PowerShell script to check that Credential Guard is configured and running.

# Query the Device Guard WMI class. SecurityServicesConfigured and SecurityServicesRunning are
# arrays of service codes; 1 is Credential Guard.
$DevGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
# A single Boolean for the CI: Credential Guard must be both configured (by policy) and actually running.
return $DevGuard.SecurityServicesConfigured -contains 1 -and $DevGuard.SecurityServicesRunning -contains 1

As in the AppLocker post, we need to configure the PowerShell execution policy in the client settings or sign the script.

Powershell Client agent setting

Compared to the AppLocker CI we created, Credential Guard doesn't exist on operating systems earlier than Windows 10, so we need to limit the supported platforms accordingly; otherwise the steps are the same. Here they are:

We create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)

Credential Guard 1

Select the supported platforms:

Credential Guard 2

Select New in the Settings step

Credential Guard 3

Create a new setting with the following options:

-Settings Type: Script

-Data type: Boolean

And then click “Add script”

Credential Guard 4

Then we edit the discovery script and paste the script as shown below.

Credential Guard 5

Then we create a compliance rule.

Credential Guard 6

Then we create a compliance rule with the following settings.

Credential Guard 7

Then we can add it to a baseline and deploy it to our clients. And again, for all of you who took the time to read the whole post, you can download an exported .cab file which contains both the CI and the baseline used from here: Credential Guard status
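When a device reports non-compliant, the Boolean alone does not say why. The following is an added example, not the CI script from the post: it reads the same Win32_DeviceGuard instance in full and decodes it, so "configured by policy but not running" (typically a missing prerequisite such as Secure Boot) can be told apart from "never configured". The code meanings are those in Microsoft's Device Guard / Credential Guard documentation.

```powershell
# Added example, not the post's CI script. Codes per Microsoft's Device Guard documentation:
#   SecurityServicesConfigured / SecurityServicesRunning   : 0 = none, 1 = Credential Guard, 2 = HVCI
#   VirtualizationBasedSecurityStatus                      : 0 = not enabled, 1 = enabled but not running, 2 = running
#   RequiredSecurityProperties / AvailableSecurityProperties: 1 = base VBS, 2 = Secure Boot, 3 = DMA protection
# Codes outside these tables are shown raw rather than guessed.

function Get-CredentialGuardState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop

    $service  = @{ 0 = 'None'; 1 = 'CredentialGuard'; 2 = 'HVCI' }
    $property = @{ 1 = 'BaseVBS'; 2 = 'SecureBoot'; 3 = 'DMAProtection' }
    $decode = {
        param($codes, $map)
        if ($null -eq $codes) { return @() }
        @($codes | ForEach-Object { if ($map.ContainsKey([int]$_)) { $map[[int]$_] } else { "Unknown($_)" } })
    }

    $vbsNames = @('NotEnabled', 'EnabledNotRunning', 'Running')
    $vbsCode  = [int]$dg.VirtualizationBasedSecurityStatus
    $vbsText  = if ($vbsCode -lt $vbsNames.Count) { $vbsNames[$vbsCode] } else { "Unknown($vbsCode)" }

    [pscustomobject]@{
        VbsStatus                = $vbsText
        Configured               = & $decode $dg.SecurityServicesConfigured  $service
        Running                  = & $decode $dg.SecurityServicesRunning     $service
        RequiredProperties       = & $decode $dg.RequiredSecurityProperties  $property
        AvailableProperties      = & $decode $dg.AvailableSecurityProperties $property
        # Exactly the test the CI script above makes.
        CredentialGuardCompliant = ($dg.SecurityServicesConfigured -contains 1) -and ($dg.SecurityServicesRunning -contains 1)
    }
}

# Troubleshooting view. For the CI keep only the Boolean: (Get-CredentialGuardState).CredentialGuardCompliant
Get-CredentialGuardState | Format-List
```

A Required property that is missing from Available is the usual reason for Configured containing CredentialGuard while Running does not; Secure Boot turned off in firmware is the classic case.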

Remove Mixed Reality Portal in Windows 10 1703 and "stubborn" apps


In previous versions of Windows 10, before 1703, built-in apps that couldn't be uninstalled could still be blocked with AppLocker so that they never got installed, and it has worked great! With Windows 10 1703 there are two apps, Connect and Mixed Reality Portal, that I have identified as not being uninstallable; they are not Windows capabilities either, which we could have removed that way. The result I am seeing when blocking them using AppLocker is this.

Applocker block

Johan Schewelius and I wrote a small .cmd file that simply deletes the app after the image has been applied to the disk during OS deployment, so the app is never installed.

This is highly unsupported so use it at your own risk!

DisarmStuborn apps1

From the Task Sequence we call it after the operating system has been applied.

DisarmStuborn apps

Then the app cannot be installed during setup.

Again this is unsupported use at your own risk!!
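The .cmd file itself is only shown as a screenshot above. What follows is an added PowerShell equivalent of the mechanism the post describes, not the authors' file: run from a "Run PowerShell Script" step after "Apply Operating System", it reads the target drive from the Task Sequence environment and deletes the app folders you pass in from the applied image before first boot. The folder names are deliberately not hard-coded here; supply the ones you have verified in your own image. The assumption that inbox system apps live under \Windows\SystemApps is mine.

```powershell
# Added example, not the .cmd from the post. Unsupported, exactly as the post says; use at your own risk.
# Assumptions: runs inside a ConfigMgr Task Sequence in WinPE (boot image with the PowerShell
# component), after Apply Operating System; the folders to delete sit under \Windows\SystemApps.

param(
    [Parameter(Mandatory)][string[]]$AppFolder,        # folder names under $BaseFolder, verified in your image
    [string]$BaseFolder = 'Windows\SystemApps'
)

# The TSEnvironment COM object is the supported way to read TS variables from a script step.
$ts     = New-Object -ComObject Microsoft.SMS.TSEnvironment
$drive  = $ts.Value('OSDTargetSystemDrive')            # drive letter of the freshly applied OS, e.g. "C:"
$logDir = $ts.Value('_SMSTSLogPath')
if (-not $drive) { throw 'OSDTargetSystemDrive is empty: run this step after Apply Operating System' }

$log = Join-Path $logDir 'DisarmStubbornApps.log'
function Write-Log([string]$Message) {
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -Path $log -Value $line
    Write-Output $line                                   # also lands in smsts.log via the step output
}

foreach ($name in $AppFolder) {
    $path = Join-Path (Join-Path $drive $BaseFolder) $name
    if (-not (Test-Path -LiteralPath $path)) { Write-Log "SKIP    $path not found"; continue }

    # Inbox app folders are owned by TrustedInstaller and Administrators have no write access, so take
    # ownership and grant full control first; otherwise Remove-Item fails with access denied.
    & takeown.exe /F $path /R /A /D Y | Out-Null
    & icacls.exe $path /grant '*S-1-5-32-544:(OI)(CI)F' /T /Q | Out-Null
    try {
        Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
        Write-Log "REMOVED $path"
    } catch {
        Write-Log "FAILED  $path : $($_.Exception.Message)"
        exit 1      # a non-zero exit code fails the step, so the problem is visible instead of silent
    }
}
exit 0
```

Call it with the folder names as parameters (for example `-AppFolder 'FolderA','FolderB'`) so the script stays identical across images and the list of what you delete is visible in the Task Sequence rather than buried in the file.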

Restricting Settings in Windows 10 1703


In Windows 10 1703 (Creators Update) there is a new Group Policy setting that actually allows us to control what is visible in Settings for our users. This is useful for computers with a specific purpose, for instance, or for other business requirements. The policy is called "Settings Page Visibility" and it can be used either to hide specific settings pages or to show only a specific page or pages.

For example, to hide the Bluetooth settings page we use the GPO with the value hide:bluetooth as shown below.

Hide

On the machine the Bluetooth settings page is actually gone:

NoBluetooth

We can also use the Group Policy setting with the "showonly" option as shown below.

ShowOnlyGPO

On the computer the Settings page will now only show Colors, Start and Themes.

Showonly

The syntax for the page names you want to hide or show is not that easy to find; this is where I found them: https://docs.microsoft.com/en-us/windows/uwp/launch-settings-app

Updated after a comment on the post: the Gaming group can be hidden as well; the following needs to be added to hide the whole group.

hide:gaming-gamebar;gaming-gamedvr;gaming-broadcasting;gaming-gamemode

Tip on how to test them: you can just launch Run and type ms-settings:colors, for instance, and it will open the Colors settings page. We can also use this to create shortcuts to different settings pages.

Run

And Colors is launched.

Colors

That is basically it, great for some scenarios!
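An added example, not from the post: the same restriction built and applied from PowerShell, which is handy on test machines and for validating a value before it goes into the Group Policy. The registry location is the one the policy writes to (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, value SettingsPageVisibility), and the page names are the ms-settings: URIs from the document linked above.

```powershell
# Added example, not from the post. Assumption: the "Settings Page Visibility" policy is backed by the
# REG_SZ value SettingsPageVisibility under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.

function New-SettingsVisibilityString {
    param(
        [Parameter(Mandatory)][ValidateSet('hide', 'showonly')][string]$Mode,
        [Parameter(Mandatory)][string[]]$Page        # ms-settings URI names, e.g. "bluetooth"
    )
    # Normalise: strip an accidental "ms-settings:" prefix, lower-case, drop duplicates and junk.
    $clean = @($Page | ForEach-Object { ($_.Trim() -replace '^ms-settings:', '').ToLowerInvariant() } |
               Where-Object { $_ -match '^[a-z0-9-]+$' } | Select-Object -Unique)
    if ($clean.Count -eq 0) { throw 'No valid page names supplied' }
    return "${Mode}:" + ($clean -join ';')
}

function Set-SettingsPageVisibility {
    param([Parameter(Mandatory)][string]$Value)
    # Same shape the GPO accepts ("hide:a;b" or "showonly:a;b"); refuse anything else rather than write junk.
    if ($Value -cnotmatch '^(hide|showonly):[a-z0-9-]+(;[a-z0-9-]+)*$') { throw "Malformed value: $Value" }
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
    Set-ItemProperty -Path $key -Name 'SettingsPageVisibility' -Value $Value -Type String
}

# The two cases from the post: hide Bluetooth plus the whole Gaming group, or show only Colors, Start and Themes.
$hide = New-SettingsVisibilityString -Mode hide -Page 'bluetooth', 'gaming-gamebar', 'gaming-gamedvr', 'gaming-broadcasting', 'gaming-gamemode'
$show = New-SettingsVisibilityString -Mode showonly -Page 'colors', 'personalization-start', 'themes'
$hide
$show

# Writing under HKLM needs an elevated session; only apply when we have one.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Set-SettingsPageVisibility -Value $hide
    # Verify the way the post suggests: Start-Process 'ms-settings:bluetooth' should no longer open that page.
}
```

To undo the local setting, remove the value with Remove-ItemProperty on the same key; a Group Policy that sets the same value will of course write it back at the next refresh.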

Links from Exploring the wealth of ConfigMgr Community Tools at MMS


At MMS 2017 in Minneapolis, Ryan Ephgrave (@EphingPosh) and I had the great honor of doing a session on some of the great community tools out there for Configuration Manager. We did it last year as well, with the help of Kent Agerlund, and it is always great fun; just preparing it, researching and looking for new tools, what has changed and what is updated, is great!

We also did some polls on Twitter this year on which tools people use for different purposes; the results of these polls are in this post as well, together with the links to the tools we talked about and demoed.


Infrastructure

Configuration Items

Applications

Software Updates Reports

Software Update PowerBI

Software Updates

OS Deployment

Frontends


Right-click tools


Troubleshooting tools


Presenting at Techdays 2017 in Sweden


Techdays in Sweden is the biggest event of its kind in Sweden and I always enjoy it. Meeting old colleagues, customers, Microsoft employees, MVPs and fellow community peers is always so much fun! This year I have the great honor of hosting a pre-conf together with Peter Löfgren at TrueSec, "Windows 10 – Client management now and in the future". We will gather our combined experience around Windows 10, Configuration Manager, UE-V and so on, and also try to look into a crystal ball at the future and where we are going with client management. Really looking forward to it!!

I will also deliver two sessions:

What's new in Configuration Manager 17xx and Beyond: Configuration Manager is the leading product when it comes to on-prem client management, delivering continuous innovation with 15 releases every year!! 3 Current Branch releases and 12 Technical Preview releases! I will cover the latest features in both Current Branch and Technical Preview.

Windows 10 + EMS = Helt fantastiskt! (Swedish for "Absolutely fantastic!"), together with my fellow colleague and MVP Anders Olsson. We will focus on the latest and greatest features of the combination of Windows 10 and EMS.

The sessions are held in Swedish, and I hope to see many old friends and meet new ones at the event! http://tdswe.se/

