CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

I am proud and honored to be renewed as Enterprise Mobility MVP 2017-2018! I was originally to be renewed in October, but now that the MVP program is moving to an annual renewal cycle I was renewed in July as well!

Thanks Microsoft and everyone in the community making this possible!

Techdays in Sweden is the biggest event of its kind in Sweden and I always enjoy it. Meeting old colleagues, customers, Microsoft employees, MVPs and fellow community peers is always so much fun! This year I have the great honor of hosting a pre-conf together with Peter Löfgren at TrueSec, “Windows 10 – Client management now and in the future“. We will gather our combined experience around Windows 10, Configuration Manager, UE-V and so on, and also try to look into a crystal ball at the future and where we are going with client management. Really looking forward to it!!

I will also deliver two sessions:

What’s new in Configuration Manager 17xx and Beyond. Configuration Manager is the leading product when it comes to on-prem management and application delivery, delivering continuous innovation with 15 releases every year!! 3 Current Branch releases and 12 Technical Preview releases! I will cover the latest features in both Current Branch and the Technical Previews.

Windows 10+EMS = Helt fantastiskt!, together with my fellow colleague and MVP Anders Olsson. We will focus on the latest and greatest of features in a Combination of Windows 10 and EMS.

The sessions are held in Swedish and I hope to see many old friends and meet new ones at the event! http://tdswe.se/


At MMS 2017 in Minneapolis, Ryan Ephgrave (@EphingPosh) and I had the great honor of doing a session on some of the great community tools out there for Configuration Manager. We did it last year as well with the help of Kent Agerlund and it is always great fun: just preparing it, researching and looking for new tools, finding out what has changed and what has been updated, is great!

We also did some polls on Twitter this year on which tools people use for different purposes. The results of these polls are in this post as well, together with the links to the tools we talked about and demoed.


Infrastructure
Configuration Items
Applications
Software Updates Reports
Software Update PowerBI
Software Updates
OS Deployment
Frontends
Right click tools
Troubleshooting tools

In Windows 10 1703 – Creators Update there is a new Group Policy setting that actually allows us to control what is visible in “Settings” for our users. This is useful for computers with a specific purpose, or for other business requirements. The policy is called “Settings Page Visibility” and it can be used either to hide specific settings pages or to show only a specific page or set of pages.

For example, to hide the Bluetooth settings page we configure the GPO with the value hide:bluetooth as shown below.

On the machine, the Bluetooth settings page is actually gone:

We can also use the Group Policy setting with the “ShowOnly” option as shown below.


On the computer, the Settings page will now only show Colors, Start and Themes.

The syntax for the settings pages you want to hide/show is not that easy to find; this is where I found it: https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app

Updated after a comment on the post: the Gaming group can be hidden too, but all four of its pages need to be listed for the group to disappear:

hide:gaming-gamebar;gaming-gamedvr;gaming-broadcasting;gaming-gamemode

Tip on how to test the page names: launch Run and type for instance MS-Settings:Colors and it will launch the Colors settings page. We can also use this to create shortcuts to different settings pages.


And Colors is launched.


That is basically it, great for some scenarios!
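As an added example (not part of the original post), here is a PowerShell check that audits whether the Settings Page Visibility value a client actually received matches the one we expect from the GPO, parsing the hide:/showonly: syntax used above. It assumes the policy lands as a REG_SZ named SettingsPageVisibility under the Explorer policies key shown in the script; verify that path in your own environment.

```powershell
# Added example, not from the original post: audit the Settings Page Visibility policy on a client.
# Assumption: the GPO writes a REG_SZ "SettingsPageVisibility" under this Explorer policies key.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertFrom-SettingsVisibility {
    # Parses "hide:a;b" or "showonly:a;b" into its mode and a normalized list of page names.
    param([Parameter(Mandatory)][string]$Value)
    if ($Value -notmatch '^(?<mode>hide|showonly):(?<pages>.+)$') {
        throw "Unexpected policy syntax: '$Value'"
    }
    [pscustomobject]@{
        Mode  = $Matches.mode.ToLower()
        Pages = @($Matches.pages.Split(';') | ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ })
    }
}

function Test-SettingsVisibilityCompliance {
    # Returns $true only when the applied policy uses the same mode and exactly the same
    # set of pages as $Expected; the order of the pages does not matter.
    param([Parameter(Mandatory)][string]$Expected)
    $expectedPolicy = ConvertFrom-SettingsVisibility $Expected
    $actual = (Get-ItemProperty -Path $PolicyKey -Name SettingsPageVisibility -ErrorAction SilentlyContinue).SettingsPageVisibility
    if (-not $actual) { return $false }   # policy not applied at all
    $actualPolicy = ConvertFrom-SettingsVisibility $actual
    if ($actualPolicy.Mode -ne $expectedPolicy.Mode) { return $false }
    $diff = Compare-Object -ReferenceObject $expectedPolicy.Pages -DifferenceObject $actualPolicy.Pages
    return ($null -eq $diff)
}

# The Gaming group from the post: all four pages must be hidden for the group to disappear.
Test-SettingsVisibilityCompliance -Expected 'hide:gaming-gamebar;gaming-gamedvr;gaming-broadcasting;gaming-gamemode'
```

Test-SettingsVisibilityCompliance returns a Boolean, so the same function can be dropped into a Configuration Manager CI discovery script of data type Boolean, like the Credential Guard check later on this page.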

In previous versions of Windows 10, before 1703, built-in apps that couldn’t be uninstalled could still be blocked with AppLocker so that they never got installed, and it has worked great! With Windows 10 1703 there are two apps that I have identified that cannot be uninstalled and are not a Windows Capability that we can block that way. The result I am seeing when blocking, for instance, Connect and Mixed Reality Portal using AppLocker is this.


Johan Schewelius and I wrote a small .cmd file that simply deletes the app after the image has been applied to the disk during OS deployment, so the app is simply never installed.

This is highly unsupported so use it at your own risk!


And from the Task Sequence we call it after the Operating System has been applied.


Then the app cannot be installed during setup.

Again this is unsupported use at your own risk!!

I posted a Configuration Manager Configuration Item and Baseline a while back that checks whether AppLocker is configured and running. Another important thing to check on Windows 10 is that Credential Guard is configured and running. Credential Guard is an extremely important security feature in Windows 10 and should be used, and of course we need to make sure that it is active and running.

Here is a Configuration Item and Baseline that will do those checks. We use a PowerShell script as the discovery script to check that Credential Guard is both configured and running:

# Query the Device Guard WMI class that reports the VBS / Credential Guard state of the client
$DevGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
# Value 1 in both lists means Credential Guard: configured by policy AND actually running.
# The CI's data type is Boolean, so the script returns $true (compliant) or $false.
return (($DevGuard.SecurityServicesConfigured -contains 1) -and ($DevGuard.SecurityServicesRunning -contains 1))

As in the AppLocker post I wrote, we need to configure the PowerShell execution policy in Client Settings or sign the script.


Compared to the AppLocker CI we created earlier, there is one difference: Credential Guard doesn’t exist on operating systems earlier than Windows 10, so we need to restrict the supported platforms as well. Otherwise the steps are the same. Here they are:

We create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)


Select the supported platforms:


Select New in the Settings step


Create the new setting with the following values:

- Setting type: Script

- Data type: Boolean

And then click “Add script”


Then we edit the discovery script and paste the script as shown below.


Then we create a compliance rule.


Then we create a compliance rule with the following settings.


Then we can add it to a baseline and deploy it to our clients. And again, for all of you who took the time to read the whole post, you can download an exported .cab file which contains both the CI and the baseline used from here: Credential Guard status
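The CI above only answers true or false. As an added example (not from the original post or its .cab file), here is a diagnostic companion script for the clients that show up as non-compliant in the baseline report: it reads the same Win32_DeviceGuard class and explains why Credential Guard is not running, including which hardware prerequisites the class reports as missing. The value meanings in the comments are the documented ones for this WMI class.

```powershell
# Added example, not from the original post: explain why a client is non-compliant
# for the Credential Guard CI, using the same Win32_DeviceGuard class as the discovery script.
function Get-CredentialGuardDiagnosis {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    # Documented value meanings for Win32_DeviceGuard:
    #   VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    #   SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    #   AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection
    $available = @($dg.AvailableSecurityProperties)
    $missing = @()
    if ($available -notcontains 1) { $missing += 'hypervisor support (VT-x/AMD-V with SLAT)' }
    if ($available -notcontains 2) { $missing += 'Secure Boot' }
    if ($available -notcontains 3) { $missing += 'DMA protection (IOMMU)' }

    $configured = @($dg.SecurityServicesConfigured) -contains 1
    $running    = @($dg.SecurityServicesRunning)    -contains 1
    $reason = if ($running) { 'Credential Guard is running' }
              elseif (-not $configured) { 'Credential Guard is not configured: check that the GPO/CSP reached this client' }
              elseif ($dg.VirtualizationBasedSecurityStatus -ne 2) { 'Configured, but VBS is not running: usually a missing firmware prerequisite or a pending reboot' }
              else { 'VBS is running but Credential Guard has not started: a reboot is normally required' }

    [pscustomobject]@{
        Compliant                 = ($configured -and $running)   # same verdict as the CI script
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = $configured
        CredentialGuardRunning    = $running
        HvciRunning               = (@($dg.SecurityServicesRunning) -contains 2)
        MissingPrerequisites      = $missing
        Reason                    = $reason
    }
}

Get-CredentialGuardDiagnosis | Format-List
```

Run it with Invoke-Command against the non-compliant devices from the baseline report to get the reason for each of them in one pass.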

Configuration Manager 1704 Technical Preview was released yesterday, some really awesome stuff in there this time for all OSD fans for sure!

If you aren’t running Technical Preview in a test environment you really should! It is a great way of getting to know the new features and a great way of providing feedback to make the features even more valuable for your organisation. Technical Preview 1703 is the current baseline you can grab it here: https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview then you can upgrade that to 1704 TP.

You can make it easy for yourself and use Johan Arwidmark’s excellent hydration kit to get a test environment up and running: http://deploymentresearch.com/Research/Post/580/Hydration-Kit-For-Windows-Server-2016-and-ConfigMgr-Current-Technical-Preview-Branch

Now let’s look at what is new in 1704 Technical Preview.

Nested Task Sequences

This is something that many of us have dreamed about and wished for for years, and now it is finally here: we can call a Task Sequence from a Task Sequence. We have a new Task Sequence step called “Run Task Sequence” which will give us great possibilities to make our Task Sequences smarter. There are some limitations in this Technical Preview release that you should be aware of, so check the documentation so you know what is possible and what is not.


Android for Work app configuration

Android for Work will be the way to manage Android devices in the future, and now we have the ability to configure Android for Work apps in the same way we can with iOS apps today. This is great news, making the Android platform a real challenger for companies.


Secure Boot Inventory

We already had the ability to inventory whether UEFI is enabled or not, and now we can inventory whether Secure Boot is enabled as well. It is inventoried by default.


Reload the Boot images with the latest WinPE version

With the current release cadence of Windows 10 and its supportability with Configuration Manager, it looks like we need to update the ADK and the WinPE version used twice a year. We now have a new way to do this which makes it much easier: we can simply select to update the WinPE version when we distribute the boot images to our DPs.


Powershell support to create advanced detection methods

A long awaited addition, we can now create advanced detection methods for applications using Powershell.

https://blogs.msdn.microsoft.com/ameltzer/2017/04/20/powershell-how-to-add-enhanced-detection-methods-to-deployment-types-1704-tp/

Eliminate Duplicate Records when converting BIOS-UEFI

This is an issue that has been raised and seen when converting BIOS to UEFI: we get a duplicate record because the underlying hardware ID can change. These duplicate records are now eliminated in the TP 1704 release. We could actually use that as a hotfix for the 1702 release as well…

High DPI support in the admin console

Now that we have cool devices with high-resolution displays, it has been an issue that the SCCM admin console didn’t support high DPI very well. Now that is solved as well. Long awaited!! :D

OS version Column in the System Images node

We can now see what OS version an OS Image is based on in one of the Columns in the System Images Node, makes life a little easier.


More efficient logging in SMSTS.log

Improvements have been made to the SMSTS.log file and logging which will make it easier to read the logs. Will test that and see how much difference it makes when time allows.

Installing the 1704 TP update

Another thing to note is the new behavior that updates are no longer downloaded automatically in the Updates and Servicing node; we need to decide which updates to download. The reason behind this is that you don’t have to download updates/hotfixes that you perhaps skip and never install.


For a full list of features check out the documentation here: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1704

In Windows 10 1703 we have some really great new Group Policy settings for Microsoft Edge, the most important one making it possible to sync favorites between Internet Explorer and Microsoft Edge. We can also set the default search engine to something other than Bing with Group Policy.

To do this we first need to create an .xml file that complies with the OpenSearch 1.1 framework (https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery), and we need to host that file on a web server that the clients can reach, and it must be served over HTTPS.

Update!

This can be done in two ways. The easiest one, which I overlooked, is to actually use the opensearch.xml file hosted by Google! Method 2 still works. Thanks for the comment on this post!

Method 1

The URL is https://www.google.com/searchdomaincheck?format=opensearch, so we don’t have to host any .xml file of our own.

We simply add that to the Group Policy settings and we are done!


Method 2

Here is an .xml file that can be used to set the default search engine to Google instead of Bing using a group policy, it can be downloaded here: Opensearch.xml

<?xml version="1.0" encoding="UTF-8"?>
<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/">
  <ShortName>Google</ShortName>
  <Description>Search Google</Description>
  <Url method="get" type="text/html"
       template="https://www.google.com/search?q={searchTerms}"/>
</OpenSearchDescription>

We then need to place that on a web server reachable from the clients that uses HTTPS. In my lab I put it on my SCCM server under Opensearch and called it opensearch.xml as well.


Then we configure the Group Policy setting to point to the .XML file we added above.


When logging on to a computer to which the Group Policy is applied, you can, if you are fast enough, see the search engine change from Bing to Google under Settings\Advanced settings.

This can of course be used to change the search engine to something other than Google as well: just create an .xml file that points to that search engine instead and make sure it supports OpenSearch 1.1.
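Before pointing the Group Policy at a hosted description (your own from Method 2 or Google’s from Method 1), it is worth checking that it meets the two requirements this post calls out: served over HTTPS and shaped like an OpenSearch 1.1 document with a text/html search URL. As an added example (not from the original post), this PowerShell function downloads the file and reports each problem it finds; the lab URL in the parameter comment is a placeholder.

```powershell
# Added example, not from the original post: validate an OpenSearch 1.1 description
# before using it in the Edge default search engine policy.
function Test-OpenSearchDescription {
    param([Parameter(Mandatory)][string]$Uri)   # e.g. https://sccm01.example.local/Opensearch/opensearch.xml (placeholder)
    $problems = @()
    # The post's first requirement: the file must be served over HTTPS
    if (([uri]$Uri).Scheme -ne 'https') { $problems += "Not served over HTTPS: $Uri" }

    try {
        [xml]$doc = (Invoke-WebRequest -Uri $Uri -UseBasicParsing).Content
    } catch {
        return [pscustomobject]@{ Uri = $Uri; Valid = $false; Problems = @("Download/parse failed: $($_.Exception.Message)") }
    }
    # OpenSearch elements live in their own namespace, so XPath needs a namespace manager
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('os', 'http://a9.com/-/spec/opensearch/1.1/')

    $root = $doc.SelectSingleNode('/os:OpenSearchDescription', $ns)
    if (-not $root) { $problems += 'Root element is not OpenSearchDescription in the OpenSearch 1.1 namespace' }
    else {
        if (-not $root.SelectSingleNode('os:ShortName', $ns)) { $problems += 'Missing <ShortName>' }
        # The browser uses the text/html Url; its template must carry the {searchTerms} placeholder
        $html = $root.SelectSingleNode("os:Url[@type='text/html']", $ns)
        if (-not $html) { $problems += "Missing <Url type='text/html'>" }
        else {
            $template = $html.GetAttribute('template')
            if ($template -notlike '*{searchTerms}*') { $problems += 'Url template lacks the {searchTerms} placeholder' }
            if ($template -notlike 'https://*') { $problems += 'Url template does not use https' }
        }
    }
    [pscustomobject]@{ Uri = $Uri; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Method 1 from the post: Google's own hosted description
Test-OpenSearchDescription -Uri 'https://www.google.com/searchdomaincheck?format=opensearch'
```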

Thanks to my colleague Sassan for testing and supplying the .XML file!