CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Earlier this week the new ADK 10, version 10.0.10586, was made available on Microsoft Download. I downloaded it because I and many others have had some issues with .NET applications and PowerShell scripts in WinPE on x64 UEFI machines when PXE booting them, and the new ADK solves that problem :D

However, it creates a new issue: it cannot initialize the network connection during WinPE if you do a refresh from within Windows. You will get the error message below.


And the following in the SMSTS.log file.

Failed to configure adapter 0 (0x80220014)

So do not upgrade yet!! Further investigation is on its way.
A big thanks to Johan Schrewelius and Johan Arwidmark for testing and confirming the issue! :D

Earlier this week the new ADK 10, version 10.0.10586, was made available on Microsoft Download. I downloaded it because I and many others have had some issues with .NET applications and PowerShell scripts in WinPE on x64 UEFI machines when PXE booting them, and the new ADK solves that problem :D More on the PowerShell / .NET error below.

Warning!! The new ADK 10.0.10586, when used with Configuration Manager 2012 SP2 / R2 SP1, crashes in WinPE when you do a refresh/installation from within Windows. See the separate blog post on this.

When running either PowerShell or .NET applications in WinPE from ADK 10 (10240), the Task Sequence will fail:


With the following error in the SMSTS.log file:

Failed to run the action: SetError.

Recursion too deep; the stack overflowed. (Error: 800703E9; Source: Windows)

It only happens when you PXE boot an x64 UEFI computer and, as I wrote above, run either PowerShell or .NET applications in WinPE.

The good news is that it is solved in the updated ADK 10.0.10586 that was made available a couple of days ago. So if you run into this error, make sure you upgrade the ADK to at least 10.0.10586.


In Windows 10 there is built-in support for Flash in both Internet Explorer 11 and Microsoft Edge, but that doesn't mean that you should use it! Even if that makes updating the Flash plugin much easier, as it is done using Microsoft Update/WSUS/Configuration Manager, there are still very many 0-day vulnerabilities and security issues in Flash. In most organisations there are no LOB applications or other productivity tools that use Flash. So why are you using Flash in your organisation? To be able to consume commercial ads on the Internet? Play games?

I know there are users/systems that require it, but disabling it on those systems that don't need it is a good idea! Found this picture on Twitter somewhere and it visualizes it well I think! ;-)

So the next thing would be disabling Flash. For Internet Explorer it is easy: there is a Group Policy setting we can do it with, as displayed below.


In Microsoft Edge, on the other hand, that is more of a challenge: there is no Group Policy to disable Flash with. We can solve this by using Group Policy Preferences.

1. Create a new Group Policy Preference setting in the User part of the GPO, as it is a user setting in Edge.

2. The following key is the one that should be created:

[HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Addons]


3. Add a registry entry in the GPP. I did it using the “Update” action, so if a handy user enables it again it will be disabled when the GPP is applied the next time.

4. The result will look something like this.

So when you start designing/testing/piloting Windows 10 in your organisation, why not do it without Flash enabled?!

There is no better time to make a change like this than when you roll out a new operating system, so your next big opportunity to do this will be with the release of… Wait, there are no new operating system versions coming, only Windows 10!
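
To check that the preference described above has actually been applied, the following added example (not from the original post) reads the Addons key in every user hive currently loaded on a machine. The value name FlashPlayerEnabled and the reading of 0 as disabled are assumptions, because the post shows the registry entry only in a screenshot; the function name Get-EdgeFlashState is hypothetical.

```powershell
# Added example, not the author's code. Run elevated so other users' hives are readable.
# Key path taken from the post; HKCU\SOFTWARE\Classes is reachable per user
# under HKEY_USERS\<SID>\SOFTWARE\Classes.
$addonsKey = 'SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Addons'

# Assumption: value name and semantics are not given in the post's text.
$valueName = 'FlashPlayerEnabled'

function Get-EdgeFlashState {
    param([string]$HiveRoot = 'Registry::HKEY_USERS')

    # Only real user SIDs; skips .DEFAULT, service accounts and the <SID>_Classes hives.
    Get-ChildItem -Path $HiveRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $item = Get-ItemProperty -Path "$HiveRoot\$sid\$addonsKey" -Name $valueName -ErrorAction SilentlyContinue

            $state = if ($null -eq $item) { 'NotConfigured' }   # GPP never applied, or Edge never started
                     elseif ($item.$valueName -eq 0) { 'Disabled' }
                     else { 'Enabled' }

            [pscustomobject]@{ Sid = $sid; Flash = $state }
        }
}

# Only hives of logged-on users are loaded, so run this while the users are signed in.
Get-EdgeFlashState | Format-Table -AutoSize
```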

In Windows 10 OneDrive is built in. In some scenarios you don't want to use it, for instance if you have both OneDrive and OneDrive for Business installed, as that is confusing for the user. Yes, you can turn off OneDrive using a Group Policy, but the OneDrive Setup will run for every user creating a profile on the system anyway. In many scenarios we don't want it to run at all.


How does this work then? In the default user profile there is a Run command in the registry that runs for every user logging on to the computer.


What we use is an old trick in the book: mount the default user profile registry during OS deployment and simply delete the Run command from it, then it will not execute at all for any user. We create a .cmd file with the following command lines to first mount the default user registry, remove the command and unmount it.


The .cmd file can be downloaded here: removeOnedrive.cmd

To implement it:

1. Download the file and copy it to a folder that you can use as a package Source for a package in Configuration Manager.

2. Rename the file to “RemoveOneDrive.cmd”

3. In Configuration Manager create a new package with the newly created folder as the source folder.

5. Then we distribute the content, if you haven't automated it already like I do ;-)

6. Add a step to the Task Sequence to run the command. I like to use the Run Command Line step, but you could create a program as well if you like. Note: It has to run after a reboot to the full OS; it cannot be run in WinPE.

Then you are ready to test the deployment.
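
The mount, delete and unmount sequence described above, written as an added PowerShell example. This is not the author's removeOnedrive.cmd, whose contents are not shown on the page; the Run value name OneDriveSetup and the temporary mount name HKU\DefUser are assumptions.

```powershell
# Added example, not the author's removeOnedrive.cmd.
# Run elevated in the full OS (not WinPE), as the post notes.
$hive  = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
$mount = 'HKU\DefUser'          # assumption: any unused name under HKU works
$run   = "$mount\Software\Microsoft\Windows\CurrentVersion\Run"
$value = 'OneDriveSetup'        # assumption: name of the Run value to remove

# 1. Mount the default user registry hive.
& reg.exe load $mount $hive | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Could not load $hive. Is the session elevated and the hive not already mounted?"
}

try {
    # 2. Delete the Run value only if it exists, so a re-run does not fail the step.
    & reg.exe query $run /v $value 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) {
        & reg.exe delete $run /v $value /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to delete $value from $run." }
        Write-Output "Removed $value from the default user profile."
    }
    else {
        Write-Output "$value not present in the default user profile; nothing to do."
    }
}
finally {
    # 3. Always unmount, even after an error, so the hive file is not left locked.
    & reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Hive is still mounted at $mount; unload it manually."
    }
}
```

Using reg.exe for every step avoids the open registry handles that the PowerShell registry provider can leave behind, which would make the unload fail.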

Provisioning packages in Windows 10 are a really cool new feature with great potential both for configuring Windows 10 and for assisting in the deployment. Configuration Manager vNext has a great new feature as well, which is Bulk enrollment of Windows 10 devices. Technical Preview 3 supports Windows 10 Desktop edition, but let us all hope it will support Windows 10 Mobile as well when it is released. It is great news that we will get Bulk enrollment of Windows 10 devices!

It can be used to import a Trusted Root certificate and a Wi-Fi profile, and to enroll the device either in the cloud or in On-Prem MDM, which is new as well in Configuration Manager vNext. Panu and Kent have written a great blog post on how to get started with On-Prem MDM in Configuration Manager vNext Technical Preview. I had the same issue as they explain as well: my CRL lists were not accessible to non-domain clients, and then you cannot enroll a Windows 10 device using the MDM agent in Windows 10.

What I will focus on here is the new Bulk Enrollment feature. It is configured in the Configuration Manager vNext Admin Console. Before we start, note the following:

  • Configuration Manager vNext Technical preview must be installed and configured to support On-Prem MDM
  • You MUST start the Console with right-click and “Run as Administrator” otherwise creation of the Provisioning Package will fail.
  • A Trusted Root Certificate must be imported before starting the wizard under Compliance Settings, Company Resource Access, Certificate Profiles.

Under All Corporate-owned Devices we have a new option under Windows, Enrollment profile.


We select Create Enrollment Profile in the menu. In the next dialog we can choose either On-Premise or Cloud.


We select which proxy enrollment point the Windows 10 client we run the provisioning package on should use.


We select the Root Certificate that should be imported as part of the enrollment process, so that the Windows 10 client trusts the certificate that is used for the roles in the Configuration Manager site that use HTTPS.





Now we have an enrollment profile that we want to export to a provisioning package. That is achieved by selecting the enrollment profile and selecting Export.


Then we have two files in that folder which makes up the provisioning package.


We then copy the files to a USB drive or locally on the Windows 10 computer and launch the provisioning package, and we are presented with a dialog showing what the package will do to the client.


After launching it we wait a minute before we open Work Access under Settings, Account in the Windows 10 client. There we can now see that the enrollment process was successful. Note that as it is enrolled as a Corporate-owned device it has no username associated with it.


The provisioning package created can be opened using the Windows Imaging and Configuration Designer; you will get a warning that not all settings can be read.

After opening it we can see which feature in WICD is used to do the Bulk enrollment, which is shown below.

I am really looking forward to when we can start using this live to enroll Windows 10 devices in Intune and Configuration Manager vNext On-Prem MDM; it will be really cool. Then we can have a single provisioning package that can configure the device and enroll it in Intune. :D

In my last post I wrote about how to make Internet Explorer the default web browser in Windows 10. Now I will cover how to deploy a customized Start Menu during deployment and add a menu item for Internet Explorer; the last took a while to figure out. There are many more ways to customize the Start Menu, for example deploying it as a mandatory Start Menu using Group Policies, in which case the user cannot modify it.

Let’s start with the basic information, the default Start Menu template is located here:

C:\Users\%username%\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml

This file should not be modified. To modify the Start Menu we use a file called LayoutModification.xml that should reside in the same directory. This file can be used in many ways: by OEMs to add icons to the Start Menu, or by us IT pros to override the default Start Menu. More information on how to use these files can be found here on MSDN:

Exporting a customized Start Menu layout

To export the Start Menu we start by using a computer and a user and adjust the Start Menu on that computer so it looks the way we want it.


Then we use PowerShell to export a customized Start Menu using the following command:

Export-StartLayout -Path C:\Windows\Temp\Startmenu.xml


Then we have a .xml file with our current Start Menu layout that looks like below, which will override the default Start Menu defined in DefaultLayouts.xml in Windows 10.


Import a Start Menu layout using PowerShell

Now that we have an exported Start Menu we can import it using PowerShell. All users that log on to the machine for the first time will get the Start Menu layout that you import.

Import-StartLayout -LayoutPath C:\Windows\Temp\Startmenu.xml -MountPath $env:SystemDrive\


After the command is successfully completed the Layoutmodification.xml file is created here: C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\Layoutmodification.xml


When we log on to the computer as a “new” user that hasn't logged on to the computer before, we get the newly imported Start Menu as shown below.


But wait, where did the Internet Explorer icon that we added before go?

Solving the Internet Explorer icon issue

When we export the file above, it exports Internet Explorer's ApplicationID in the .xml file. This will fail when you import it, as the Internet Explorer icon doesn't exist in the user's Start Menu folder or as an application when the Start Menu is imported. It doesn't exist in the Default Start Menu folder either, and it is not present as an ApplicationID when the Start Menu is imported, and therefore it will not show up in the user's Start Menu.

To solve this we need to do two things. First, add a .lnk file that points to Internet Explorer somewhere that all end users can reach it. I will create it in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories


Then we need to change the information in the exported .xml file as well. The following line in the .xml file needs to be replaced with a pointer to the .lnk file instead of the ApplicationID.


So we replace it with the following line instead, using DesktopApplicationLinkPath and pointing to the Internet Explorer.lnk file we created before.

DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk"

****Update: As requested, a sample file can be downloaded here with Office 2013 and the IE shortcut: StartMenu.xml****

If we then log on as a new user once again we get the Internet Explorer icon on the Start Menu as well as intended.
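
The attribute swap described above can be scripted instead of edited by hand. This is an added example, not the author's StartMenu.xml or script: the layout is a constructed sample, and the DesktopApplicationID value Microsoft.InternetExplorer.Default is an assumption because the exported line is not shown on the page.

```powershell
# Added example. Constructed sample of an exported layout; in practice load the file
# written by Export-StartLayout, e.g. [xml](Get-Content C:\Windows\Temp\Startmenu.xml -Raw).
[xml]$layout = @'
<LayoutModificationTemplate Version="1"
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Browsers">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0"
              DesktopApplicationID="Microsoft.InternetExplorer.Default" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
'@

$ieAppId  = 'Microsoft.InternetExplorer.Default'   # assumption: not shown in the post
$linkPath = '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk'

# The tile elements live in the "start" namespace, so XPath needs a namespace manager.
$ns = New-Object System.Xml.XmlNamespaceManager($layout.NameTable)
$ns.AddNamespace('start', 'http://schemas.microsoft.com/Start/2014/StartLayout')

# Materialize the matches first: the XPath depends on the attribute we are about to remove.
$tiles = @($layout.SelectNodes("//start:DesktopApplicationTile[@DesktopApplicationID='$ieAppId']", $ns))
if ($tiles.Count -eq 0) {
    Write-Warning 'No Internet Explorer tile found in the layout; nothing changed.'
}

foreach ($tile in $tiles) {
    # Replace the ApplicationID reference with a pointer to the .lnk file.
    $tile.RemoveAttribute('DesktopApplicationID')
    $tile.SetAttribute('DesktopApplicationLinkPath', $linkPath)
}

# Save next to the deployment script so Import-StartLayout can pick it up.
$out = Join-Path $env:TEMP 'StartMenu.xml'
$layout.Save($out)
Write-Output "Rewrote $($tiles.Count) tile(s); saved to $out"
```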


Applying the Start Menu during OS deployment

To deploy this I have written a simple PowerShell script that imports the StartMenu.xml file and copies the Internet Explorer link we created before.

The PowerShell script content:

# Import the layout into the default user profile of the running OS
Import-StartLayout -LayoutPath (Join-Path $PSScriptRoot 'StartMenu.xml') -MountPath "$env:SystemDrive\"
# Copy the shortcut that DesktopApplicationLinkPath in the layout points to
Copy-Item -Path (Join-Path $PSScriptRoot 'Internet Explorer.lnk') -Destination "$env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories"

I then place the PowerShell script in a folder together with the exported Start Menu and the Internet Explorer.lnk file.
Then we create a package of that folder in Configuration Manager with no program, as we use the PowerShell step in the Task Sequence to execute it, and distribute it to the Distribution Points. And add a step in the Task Sequence to run the PowerShell script as shown below.

Then you are ready to test the deployment of a customized start menu including an Internet Explorer icon.

I have had this request a couple of times now: how to make Internet Explorer the default browser in Windows 10. I think Microsoft Edge is and will be a great browser and the most secure browser out there, but in some scenarios Internet Explorer is still required to be the default browser.

Here is how to export the associations from one Windows 10 computer and then import them during OS deployment on the target computer, which is the way to do it. It exports all file associations, so it can be used for 3rd party applications as well.

To export the file associations from a computer running Windows 10 do the following.

  1. Log on to the computer as a user that is local administrator and open Settings and then System.
  2. Under Default Apps mark the Web Browser and click Microsoft Edge, then you get an option on which browser to use instead; select Internet Explorer.
  3. Then open a Command Prompt with Run as administrator.
  4. In the command prompt, type the following command to export the file associations.
    C:\WINDOWS\system32>Dism.exe /online /Export-DefaultAppAssociations:C:\Windows\Temp\DefaultApps.xml
  5. In the C:\Windows\Temp we now have a file with the default associations.

To import the file associations during OS deployment when deploying Windows 10 the following steps are needed. The easiest way is to use a .cmd file and the “%~dp0” variable that gives us the path to the folder the .cmd file is executed from.

  1. Create a folder in your source folder structure that can be used as a package source for the Default Apps Association package.
  2. Copy the DefaultApps.xml file we just created to that folder
  3. Create a new file in the folder called DefaultApps.cmd with the following content
    Dism.exe /online /Import-DefaultAppAssociations:%~dp0Defaultapps.xml
  4. Then we have the following files in that folder
  5. Create a Package in Configuration Manager and use the folder created as the source folder. Do not create a program. By using Run Command line, it is easier to add more .xml files so that we can import different files based on different roles or purpose for the target computer.
  6. In your OS deployment Task Sequence create a new “Run Command Line” step somewhere after the “Setup Windows and Configuration Manager” step.
  7. Then you are ready to test deploy a computer and test the updated default associations.

This procedure is the same as it was for Windows 8 / Windows 8.1 and can be applied to Adobe Reader, for instance, or other 3rd party applications as well.
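
Because the export contains every association on the reference machine, it helps to review the file and keep only the entries you intend to manage before importing it. The following is an added example, not from the original post; the XML is a constructed sample in the shape DISM exports, and the function name Select-DefaultAssociation is hypothetical.

```powershell
# Added example. Constructed sample; in practice load the real export with
# [xml](Get-Content C:\Windows\Temp\DefaultApps.xml -Raw).
[xml]$export = @'
<DefaultAssociations>
  <Association Identifier=".htm" ProgId="htmlfile" ApplicationName="Internet Explorer" />
  <Association Identifier=".html" ProgId="htmlfile" ApplicationName="Internet Explorer" />
  <Association Identifier=".pdf" ProgId="Constructed.Sample.Pdf" ApplicationName="Sample PDF Reader" />
  <Association Identifier=".txt" ProgId="txtfile" ApplicationName="Notepad" />
  <Association Identifier="http" ProgId="IE.HTTP" ApplicationName="Internet Explorer" />
  <Association Identifier="https" ProgId="IE.HTTPS" ApplicationName="Internet Explorer" />
</DefaultAssociations>
'@

function Select-DefaultAssociation {
    param(
        [Parameter(Mandatory)] [xml]$Document,
        [Parameter(Mandatory)] [string[]]$Keep
    )

    # Fail early if an identifier we expect to manage is missing from the export,
    # e.g. because the default browser was not changed before exporting.
    $present = @($Document.DefaultAssociations.Association | ForEach-Object { $_.Identifier })
    $missing = @($Keep | Where-Object { $present -notcontains $_ })
    if ($missing.Count -gt 0) {
        throw "Not in the export: $($missing -join ', ')"
    }

    # Copy the node list with @() before removing, then drop everything not in $Keep.
    foreach ($node in @($Document.DefaultAssociations.Association)) {
        if ($Keep -notcontains $node.Identifier) {
            [void]$node.ParentNode.RemoveChild($node)
        }
    }
    $Document   # the same document object, modified in place
}

$trimmed = Select-DefaultAssociation -Document $export -Keep '.htm', '.html', 'http', 'https'

# Review what will be imported, then save a role-specific file for the package.
$trimmed.DefaultAssociations.Association |
    Format-Table Identifier, ProgId, ApplicationName -AutoSize
$out = Join-Path $env:TEMP 'DefaultApps.Browser.xml'
$trimmed.Save($out)
Write-Output "Saved trimmed association file to $out"
```

The saved file is imported with the same Dism.exe /online /Import-DefaultAppAssociations command shown in step 3.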

Yesterday an update was released to the Technical Preview 3 version of Configuration Manager vNext. A really cool update which is distributed using the new Updates and Servicing feature. First the end-users will love the new Software Center, one unified place instead of two and no more Silverlight!


The next cool thing in the update is how it is delivered. It is delivered using the new Update and Servicing feature in the Preview. It will look like this. In the console under the Update and Servicing branch we now see that an update is available.
We have two choices, Install Update pack or Run Prerequisite check.


I choose the Install Update Pack option and here are the screenshots of what it looks like.



Next is an interesting choice: whether we want to upgrade all clients directly without testing, or test the new version with a pre-production collection.



Done! But what happens next? Well, the upgrade actually starts and the progress can be tracked in the console. If we look at the update, its state has now changed to Installing, and at the bottom of the screen we can select Show Status.

Really cool, but for us who like to use CMTrace, or Notepad if you want instead ;-)

The pre-req part uses the same log files as the setup of Configuration Manager, so you can follow it in ConfigMgrSetup.log and ConfigMgrPrereq.log.

The update installation itself can be tracked and troubleshot in the following log file: CMUpdate.log


What about the console on the Configuration Manager Server? It is updated automatically the next time you open the console :-)

The new way to handle these kinds of updates is really cool and it works really well. Well, I have only installed it three times but it has worked so far :D