CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Browsing Posts published by Jörgen Nilsson

In Configuration Manager 1702 there is a new feature /site system role(pre-release) called Data Warehouse. This is a great addition as I cannot count the time I have setup and configured another database and then on a schedule moved data to that Database instead to be used both for historical data and by other systems that shouldn’t query our precious Configuration Manager database during production hours.

Many times, performance issues in Configuration Manager has been caused by developers querying the Configuration Manager database with really bad queries causing the overall performance being degraded.

In Configuration Manager 1702 the Data Warehouse feature holds all the answers to those issues. With the Data Warehouse Service Point role we can transfer SQL data to a another SQL database. That server doesn’t need to have the same high-spec as the Configuration Manager Database.

When we configure the Data Warehouse Service Point role we set a Schedule on when the data should be transferred to the Data Ware house and how often. Adding the Data Warehouse service connection point.  At is it still a pre-release feature you need to opt-in to using pre-release features, that is done in the Hierarchy Settings.

Pre-release features

To add the Data Warehouse service point we do add the Data Warehouse Service Point role to the server that should host the role.

DataWareHouse Service Point

We add the SQL Database Server Name, database name and Port to be used.

DataWareHouse Service Point 2

We can then configure how often it should synchronize the data.

DataWareHouse Service Point 3

We also get a couple of new reports that will show historical data from the Data Ware house database which are cool and useful as well if we have compliance rules applied to our business. No more exporting data at the end of each year to .CSV files for historical compliance reporting and Endpoint protection and software update compliance.

DataWareHouse reports

When configuring the Data Ware house don’t forget to grant the Reporting Service User account used in Configuration Manager “Data Reader” role permissions to the Data Warehouse Database, otherwise this message will show up when running the reports.

Error Displaying Reports

We grant the SQl Reporting Service user account the data reader role.

Reporting user permissions

After granting the Reporting Services user account permissions to the database the reports now run as they should.

Reporting user permissions_2

The Data Warehouse role is a great feature so you should try it out!

Windows 10 1703 is here! And is has some great new features as always, we are still waiting for the official .ADMX files and the documentation on what GPO’s are new and have changed. Some are changed like the Credential Guard setting where we have more options. I did a quick comparision so there are more I am sure, some are renamed some are moved so it is hard to put together. The components with most new settings are Microsoft Edge, Delivery Optimization and Windows Update.

Microsoft Edge have taken huge steps and is working great. The feature that will please out customers the most are the fact that we can synchronize Microsoft Edge and Internet Explorer favorites! Simple, small feature that will increase the adoption of Microsoft Edge. Setting a custom Start page that the users an change is great news as well.
Edge IE Sync

Here are the list on new GPO settings that my little investigation found, I am sure I missed some of them. Didn’t include changed ones like credential Guard improvements for instance. But it could be useful until we get the official documentation.
Windows 1703 New GPOs
And here it is in Excel which could make sense. Windows 10 1703 new GPOs

Applocker is used more and more so I wrote this little Powershell script that can be run as a Configuration Item which checks that the Application Identity service is running and an Applocker policy is applied. We could also do a remediation script to start the AppIDSvc again if stopped but I normally use a Group Policy to set the service to start Automatically so if it isn’t started something else is wrong, GPO not being applied or something.
The discovery script(Note it requires WMF 4 or later):

$Applocker = Get-AppLockerPolicy -Effective |Where-Object {$_.rulecollections -ne $Null}

$AppIDSvc = Get-Service |Where-Object {$_.Name -eq "AppIDSvc" -and $_.Status -eq "Running"}

Return $Applocker -and $AppIDSvc

Using Configuration Manager CI’s and Baselines to configure your clients is an extremely powerful tool, GPO is basically fire and forget here vi get status back. It can also be used in many scenarios that Group Policy cannot, like when managing clients on the internet using the Cloud Management Gateway.

We need to start with checking the client agent settings so that it allows Powershell scripts that are not signed to be run by the SCCM client, or sign the script.

Powershell Client agent setting

Then we create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)

Applocker CI 1

Select the supported platforms:

Applocker CI 2

Select New in the Settings step

Applocker CI 3

Create a new Configuration Item with following settings:

-Settings Type: Script

-Data type: Boolean

Applocker configured and running CI

Then we edit the discovery script and paste the script as shown below.

Applocker CI Script

Then we create a compliance rule with the following settings.

Applocker CI Compliance

Then we can add it to a baseline and deploy it to our clients. For you all that took the time to read the whole post you can download an exported .Cab file which contains both a CI and the Baseline used from here: Applocker status

Updated!! With the new features in OSD that Aaron Czechowski shared on Twitter! Thanks Aaron, great stuff!

Every time a new Technical Preview of Configuration Manager is released is a late night upgrading and playing around with the new cool features! Last night it was time again TP 1703 was released. One of my favorite small but great feature is the Collapsible groups in the Task Sequence editor :D Will make navigating long and complex Task Sequences much easier.


More OSD news, Secureboot state can also be included in the hardware inventory, great important for Windows 10 deployments.


Importing a computer is also updated, it is now possible to add the computer to more than one collection, I wish we had that a long time ago!


The next feature proves how much investment is made in Windows Analytics and that you should look at starting to use these awesome FREE service now! We will be able to control the Commercial ID, Telemetry level and more in Client Settings in Configuration Manager hopefully eliminating the need of running the Windows Analytics script to configure the clients as we do today!


Next new feature is a new wizard to on board to all Azure Services, the one that exists there in TP 1703 is Windows Store for Business.


More new features:

PFX certificates for Configuration Manager Windows client computers
Direct links to applications in Software Center
Convert from BIOS to UEFI during an in-place upgrade
PFX certificates for Configuration Manager Windows client computers
Making it possible to deploy .PFX cert to Windows 10 client as well, great and important addition.
Direct links to applications in Software Center
This will make it possible to email or send a link to an application in Software Center to the users. Will have to try it out as well.
Softwarecenter:SoftwareId=*Application Identifier*
Convert from BIOS to UEFI during an in-place upgrade
With the new ADK for Windows 10 creators update it is now possible to convert BIOS-UEFI during an in-place upgrade as well, removing one of the biggest blockers for inplace upgrade. More information:

For more information on the improvements in Configuration Manager 1703 Technical Preview, check out the product documentation.

I wrote a blog post a while ago where I used a vbscript that will distribute the content of newly added package and check the “copy content in this package to a package share on Distribution Points”. i still use it and it works great… My college Johan Schrewelius re-wrote it to use Powershell instead and it also handles boot images, OS images, driver packages and packages.

If you been working with SCCM for a while you have most probably experienced this? You created a new program package, driver package or perhaps added a new OS image; but you forgot to distribute it.

Failed to run TS

Another possible problem is that your deployment is configured to “Access content directly from a distribution point when needed by the running task sequence” and that you instead forgot to mark the new package to be copied to a package share on distribution points.

Data Access

To make life easier we decided to create a status driven script to automatically handle this.

Every time a new package is added we will get a new status message with ID: 30000

Message ID

This “Message ID” can be used to trigger the execution of a custom script that automates distribution and also, if desired, copies the content to a share, making sure that we from now on don’t have to bother anymore. The script can be downloaded from here:


1.Place the script in a “scripts folder” on you Site server.

Powershell Script

2. Find the name(s) of your distribution point group.

DP Group Name

3. Open the script and let it know the name(s) of your distribution point group.

Config Script

If you wish to auto distribute to several groups add them to the list like:

$DPgroups = @(”Group One Name”, ”Group Two Name”)

If you don’t want to copy your packages to a share on DP’s, change $CopyToShare = $false


1. Right click your “Site” and press “Status Filter Rules” on the context menu.

Status Filter Rule

2. Press “Create” to open the Rules Wizard.

Status Filter Rules

3. Give the new Rule a Name (Auto Distribute new Package) and make Message ID 30000 the trigger. Press Next

Status Filter Message ID

4. Specify the Action for the new Rule = Run the script with Powershell. Press Next when done.

Run Program

Program: “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -executionpolicy bypass -file “C:\Scripts\AutoDistributePackages.ps1″ %msgis02

5. Check the Summary and press Next.

Status filter summary

6. Close wizard


7 You should now have a new Status Filter Rule. Press OK to close the Window.

Status Filter Rule Done!

8. Done!

Next time you create a package, driver package or add an OS image, Distribution will be automatically handled for you.


-It’s only possible to choose Distribution point groups, if you need DP resolution, feel free to edit the script, or write a dedicated.

-Script must run on a server with the SCCM Admin console installed.

My college Johan Schrewelius wrote a script to copy log files from OSD to a network share like the functionality we have in MDT so I thought I would post it here as it is brilliant. It can be downloaded here:

The script “CopyOSDLogs.ps1” can be run anywhere in an OSD TS but is most often used in the Error Section, thus only run in case of a failed deployment. I wrote a post here a while ago as well on how to add some basic error handling in a standalone TS.

There are a couple of pre-requisites to make it work:

·         We need to make sure that Powershell support is added to our Boot image.

·         We need a location (file share) to save the logs.

·         A TS Variable holding the UNC path to the share.

·         The “First” Network Access Account must be granted “Modify” permissions on the share.

Make sure that Powershell is added to the boot image by adding it if it isn’t added already.


The script will use the Network Access Account for authentication; making it work also in the event of a failure during Windows PE, where we cannot use the computer account, as the machine is not yet domain joined

Check the name of your “first” NAA, if you have several it should be the one on top.


Make sure the Account has been granted “Modify” permissions on your log share:


Create a TS Variable “SLShare” and assign it the UNC-Path to your log share:

TS Step1

Create a Package (without program) or put the script in an existing scripts package, incorporate in TS as:

TS Step2

When the script runs, could be in event of a failure or if you want it to run always, the SMSTSLogs folder will now get zipped and stored as a single file on your log share:


If we combine it with the script also published on Technet Galleries to safely dump TS variables it will also be incorporated in the log files save, that script filters out all password and sensitive information so they are not part of the log file.

That is great if we want to troubleshoot afterwards for instance which applications was installed dynamically using variables.

I hope you find it useful.

Configuration Manager Technical Preview 1702 includes a lot of new features, amazing how much features that are put into each Technical Preview version of Configuration Manager. For a complete list of news in Configuration Manager 1702 TP see the documentation here:

Here are some notes and screenshots of the new features.

Improvements to Software Center settings and notification messages for high-impact task sequences

This is one of the most voted for items on user-voice, and that is to be able to change the information to a user when starting a Task Sequence from Software Center. In Configuration Manager 1702 TP we got more than one new feature. The default message displayed when a Inplace upgrade task sequence is executed from Software Center is now changed and it doesn’t tell our users that all their data will be lost. :D

Task Sequence customizable 1

We can also choose to customize the message in the properties of the Task Sequence.

Task Sequence customizable 21

Then it looks like this for the end-user when they start the Task Sequence from Software Center. Very Nice!

Task Sequence customizable 2

Configure Software Center properties

We can also configure the information show in Software Center for a Task Sequence, Restart required, Download Size and Estimated run time. This is also great, now we only need to train our users to use Software Center….

TS properties

Check for running executable files before installing an application

This feature has improved since previous technical preview releases, now we can display a Friendly Name as well for the application, so it doesn’t say “Iexplore.exe” anymore.

Application1It looks like this when launched from Software Center, which looks so much nicer! Now we want a “close my application now” and “retry” button as well and I am sure we will see a lot of new options in this new feature in the future.

Application2_IEWe can also choose to close the running apps that are blocking the application installation if it is deployed as a “required” deployment. Note: this will not prompt the user to close the applications, they will be closed automatically when the deployment runs.


Create PFX certificates with S MIME support

We can now use the same feature that has been around for a while in Intune Standalone and that is to create and distribute .PFX certificates as well as SCEP as has been the case before. This is great news as a .PFX certificate on mobile devices can be used for S MIME support for instance. (It is also much easier to setup than NDES/SCEP)

Hybrid PFX

Hybrid PFX 2

Android for Work support

Android for work support, there have been traces of it in previous Technical Previews but not it is fully operational! :D With the same features that are available in Intune Standalone.

Android for work

Android for work 2

More Improvements:

There are even more improvements that I haven’t covered here, one I really like is the option to use Azure Active Directory Domain Services, great new feature that shows that Configuration Manager has a great future ahead as well!!

  • New compliance settings for iOS devices
  • Compliance assessment for Windows Update for Business updates
  • Antimalware client version alert
  • Conditional access device compliance policy improvements
  • Use Azure Active Directory Domain Services to manage devices, users, and groups
  • Peer Cache improvements
  • Changes for Updates and Servicing

To follow up on my post earlier this week about how to enable UE-V during OSD and get it to sync Internet Explorer favorites I will cover UE-V templates Powershell and a template share.
In UE-V we can define a central template share where we can drop a UE-V template and the clients will automatically pick it up. New in Windows 10 1607 is that we also must register even the builtin templates so if we just enable UE-V no templates are imported. In UE-V 1607 the builtin templates are placed in C:\Programdata\Microsoft\uev\InboxTemplates. We can register them with a Powershell script during OS deployment for instance.

In this example I will register all of the templates in the inbox templates which I don’t think you should. I will get 35 templates in my Templates folder that contains registered templates after they are imported.Template 1

And everything works just fine.

If I then specify a central template share and then restart the computer… I am left with only 26 + the Google Chrome one from my template share. The rest is removed.


Conclusion: When using UE-V register all templates during OS deployment that you want to make sure that they are used the first time the user logs on and add all the Office related templates to a template share if a template share is used, otherwise they are unregistered after the first reboot.