CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson


In Windows 10 1703 – Creators Update there is a new Group Policy setting that actually allows us to control what is visible in “Settings” for our users. This is useful for computers with a specific purpose, for instance, or for other business requirements. The policy is called “Settings Page Visibility” and it can be used either to hide specific settings pages or to show only a specific page or pages.

For example, to hide the Bluetooth settings page we configure the GPO with the value hide:bluetooth as shown below.

On the machine the Bluetooth settings page is actually gone:

We can also use the Group Policy setting with the “ShowOnly” option as shown below.


On the computer the Settings page will now only show Colors, Start and Themes.

The syntax for the settings you want to hide or show is not that easy to find; this is where I found it: https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app

Not all settings are in that list, so not all of them can be removed :-( like all the Game settings, for instance.

Tip on how to test them: you can just open Run and type MS-Settings:Colors, for instance, and it will launch the Colors settings node. We can also use this to create shortcuts to different settings.

And Colors is launched.


That is basically it, great for some scenarios!
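As an added example (not from the original post), here is a Powershell discovery script that reads the value the Settings Page Visibility GPO writes (the REG_SZ SettingsPageVisibility under the Explorer policies key) and evaluates the hide:/showonly: syntax against a page name, so the same check can run as a Configuration Item. The expected value hide:bluetooth is the one used in the post; the function and variable names are my own.

```powershell
# Added example, not from the original post. Evaluates the Settings Page Visibility policy.
# The GPO stores its value as the REG_SZ SettingsPageVisibility under the Explorer policies key;
# the value is "hide:<page>;<page>" or "showonly:<page>;<page>" using ms-settings: page names.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-SettingsPageVisible {
    param(
        [string]$Policy,                       # e.g. 'hide:bluetooth' or 'showonly:colors;start;themes'
        [Parameter(Mandatory)][string]$Page    # page name as typed after ms-settings:, e.g. 'bluetooth'
    )
    if ([string]::IsNullOrWhiteSpace($Policy)) { return $true }   # no policy: every page is visible
    $parts = $Policy -split ':', 2
    if ($parts.Count -ne 2) { throw "Malformed Settings Page Visibility value '$Policy'" }
    $pages  = ($parts[1] -split ';') | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ }
    $listed = $pages -contains $Page.Trim().ToLowerInvariant()
    switch ($parts[0].Trim().ToLowerInvariant()) {
        'hide'     { return (-not $listed) }   # listed pages are hidden, everything else visible
        'showonly' { return $listed }          # only listed pages are visible
        default    { throw "Unknown mode '$($parts[0])' in Settings Page Visibility value" }
    }
}

function Get-SettingsPageVisibilityPolicy {
    # Returns the policy string in effect, or $null when the GPO is not applied on this machine
    $item = Get-ItemProperty -Path $PolicyKey -Name SettingsPageVisibility -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.SettingsPageVisibility
}

# Discovery-script usage: compliant when the value in effect is exactly the one we deploy
$Expected = 'hide:bluetooth'            # the value used in the post
$Actual   = Get-SettingsPageVisibilityPolicy
Write-Verbose ("Bluetooth page visible: " + (Test-SettingsPageVisible -Policy $Actual -Page 'bluetooth'))
return ($Actual -eq $Expected)
```

Because the policy value is a plain registry string, the same check also tells you when a local administrator has removed or altered the policy outside Group Policy.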

In previous versions of Windows 10, before 1703, built-in apps that couldn’t be uninstalled could still be blocked with Applocker so that they never got installed, and that has worked great! With Windows 10 1703 there are two apps that I have identified as not being able to be uninstalled; they are not a Windows Capability which we can block that way. The result I am seeing when blocking, for instance, Connect and Mixed Reality Portal using Applocker is this.

[Screenshot: Applocker block]

Johan Schewelius and I wrote a small .cmd file that simply deletes the app after the image has been applied to the disk during OS deployment, so the app is simply never installed.

This is highly unsupported so use it at your own risk!

[Screenshot: the DisarmStubborn apps .cmd file]

And from the Task Sequence we call it after the Operating System has been applied.

[Screenshot: Task Sequence step running the DisarmStubborn apps .cmd file]

Then the app cannot be installed during setup.

Again, this is unsupported, use at your own risk!!

I posted a Configuration Manager Configuration Item and Baseline a while back that checks to see if Applocker is configured and running. Another important thing to check on Windows 10 is that Credential Guard is configured and running. Credential Guard is an extremely important security feature in Windows 10 and should be used, and of course we need to make sure that it is active and running.

Here is a Configuration Item and Baseline that will do those checks. We use a Powershell script to check that Credential Guard is configured and running.

# Query the Device Guard status class; SecurityServicesConfigured and SecurityServicesRunning
# list the enabled security services as codes (1 = Credential Guard)
$DevGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

# Compliant only when Credential Guard is both configured and actually running
return $DevGuard.SecurityServicesConfigured -contains 1 -and $DevGuard.SecurityServicesRunning -contains 1
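As an added example (not from the original post), a more verbose variant of the discovery script: it also checks that virtualization-based security itself is running, and returns a plain $false when the Win32_DeviceGuard class is absent (operating systems without Device Guard) instead of failing the script. The function name is my own; the codes in the comments are those documented for Win32_DeviceGuard.

```powershell
# Added example, not from the original post: a more verbose Credential Guard discovery script.
# Win32_DeviceGuard codes: SecurityServicesConfigured/Running 1 = Credential Guard, 2 = HVCI;
# VirtualizationBasedSecurityStatus 0 = not enabled, 1 = enabled but not running, 2 = running.

function Get-CredentialGuardState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ErrorAction SilentlyContinue
    if ($null -eq $dg) {
        # Class is absent on operating systems without Device Guard: report as not compliant, do not throw
        return [pscustomobject]@{ VbsRunning = $false; CgConfigured = $false; CgRunning = $false; Compliant = $false }
    }
    $state = [pscustomobject]@{
        VbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CgConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CgRunning    = ($dg.SecurityServicesRunning -contains 1)
        Compliant    = $false
    }
    # Configured but not running usually means VBS is not started yet (reboot pending, or hardware prerequisites missing)
    $state.Compliant = $state.VbsRunning -and $state.CgConfigured -and $state.CgRunning
    return $state
}

$state = Get-CredentialGuardState
# Configuration Manager compares the script output with the compliance rule, so the Boolean must be the only value returned
return $state.Compliant
```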

As in the Applocker post I wrote, we need to configure the Powershell execution policy in Client Settings or sign the script.

[Screenshot: Powershell client agent setting]

Compared to the Applocker CI we created, Credential Guard doesn’t exist on operating systems earlier than Windows 10, so we need to configure the supported platforms accordingly; otherwise the steps are the same. Here they are:

We create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)


Select the supported platforms:


Select New in the Settings step


Create a new Configuration Item with the following settings:

-Settings Type: Script

-Data type: Boolean

And then click “Add script”


Then we edit the discovery script and paste the script as shown below.


Then we create a compliance rule.


Then we create a compliance rule with the following settings.


Then we can add it to a baseline and deploy it to our clients. And again, for all of you that took the time to read the whole post, you can download an exported .Cab file which contains both the CI and the baseline used from here: Credential Guard status

Configuration Manager 1704 Technical Preview was released yesterday, some really awesome stuff in there this time for all OSD fans for sure!

If you aren’t running Technical Preview in a test environment you really should! It is a great way of getting to know the new features and a great way of providing feedback to make the features even more valuable for your organisation. Technical Preview 1703 is the current baseline; you can grab it here: https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection-technical-preview and then upgrade that to 1704 TP.

You can make it easy for yourself and use Johan Arwidmark’s excellent hydration kit to get a test environment up and running: http://deploymentresearch.com/Research/Post/580/Hydration-Kit-For-Windows-Server-2016-and-ConfigMgr-Current-Technical-Preview-Branch

Now let’s look at what is new in 1704 Technical Preview.

Nested Task Sequences

This is something that many of us have dreamed about and wished for for years, and now it is finally here: we can call a Task Sequence from a Task Sequence. We have a new Task Sequence step called “Run Task Sequence” which will give us great possibilities to make our Task Sequences smarter. There are some limitations in this Technical Preview release that you should be aware of, so check the documentation so you know what is possible or not.


Android for Work app configuration

Android for Work will be the way to manage Android devices in the future, and now we have the ability to configure Android for Work apps in the same way we can with iOS apps today. This is great news, making the Android platform a real challenger for companies.


Secure Boot Inventory

We already had the possibility to inventory whether UEFI is enabled or not, and now we can inventory whether Secure Boot is enabled as well. It is inventoried by default.


Reload the Boot images with the latest WinPE version

As it looks now, with the current release cadence of Windows 10 and its supportability with Configuration Manager, we need to update the ADK and the WinPE version used twice a year. We got a new way to do this which makes it much easier: we can simply select to update the WinPE version when we distribute the boot images to our DPs.


Powershell support to create advanced detection methods

A long awaited addition, we can now create advanced detection methods for applications using Powershell.

https://blogs.msdn.microsoft.com/ameltzer/2017/04/20/powershell-how-to-add-enhanced-detection-methods-to-deployment-types-1704-tp/

Eliminate Duplicate Records when converting BIOS-UEFI

This is an issue that has been raised and seen when converting BIOS to UEFI: we get a duplicate record, as the underlying hardware ID could change. These duplicate records are now eliminated in the TP 1704 release. We actually could use that as a hotfix to the 1702 release as well…

High DPI support in the admin console

Now that we have cool devices with high resolution, it has been an issue that the SCCM Admin Console didn’t support high DPI very well. Now that is solved as well. Long awaited!! :D

OS version Column in the System Images node

We can now see what OS version an OS Image is based on in one of the columns in the System Images node, which makes life a little easier.


More efficient logging in SMSTS.log

Improvements have been made to the SMSTS.log file and logging which will make it easier to read the logs. Will test that and see how much difference it makes when time allows.

Installing the 1704 TP update

Another thing to note as well is the new behavior that updates aren’t automatically downloaded any more in the Updates and Servicing node; we need to decide which updates to download. The reason behind this is that you don’t have to download updates/hotfixes that you perhaps skip and don’t install.


For a full list of features check out the documentation here: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1704

In Configuration Manager 1702 there is a new feature / site system role (pre-release) called Data Warehouse. This is a great addition, as I cannot count the times I have set up and configured another database and then moved data to that database on a schedule, to be used both for historical data and by other systems that shouldn’t query our precious Configuration Manager database during production hours.

Many times, performance issues in Configuration Manager have been caused by developers querying the Configuration Manager database with really bad queries, degrading the overall performance.

In Configuration Manager 1702 the Data Warehouse feature holds the answer to those issues. With the Data Warehouse Service Point role we can transfer SQL data to another SQL database. That server doesn’t need to have the same high specification as the Configuration Manager database server.

When we configure the Data Warehouse Service Point role we set a schedule for when and how often the data should be transferred to the Data Warehouse. Adding the Data Warehouse service point: as it is still a pre-release feature, you need to opt in to using pre-release features, which is done in the Hierarchy Settings.


To add the Data Warehouse service point we add the Data Warehouse Service Point role to the server that should host it.


We add the SQL Database Server Name, database name and Port to be used.


We can then configure how often it should synchronize the data.


We also get a couple of new reports that show historical data from the Data Warehouse database, which are cool and useful as well if we have compliance rules applied to our business. No more exporting data to .CSV files at the end of each year for historical compliance reporting, Endpoint Protection and software update compliance.


When configuring the Data Warehouse, don’t forget to grant the Reporting Services user account used in Configuration Manager the “Data Reader” role on the Data Warehouse database; otherwise this message will show up when running the reports.

[Screenshot: Error displaying reports]

We grant the SQL Reporting Services user account the Data Reader role.


After granting the Reporting Services user account permissions to the database the reports now run as they should.
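For those who prefer to script the permission grant instead of clicking through SQL Server Management Studio, here is an added example (not from the original post) that creates the login and database user if they are missing and adds the account to the db_datareader role, which is the “Data Reader” role mentioned above. The server, database and account names are placeholders, and the function name is my own.

```powershell
# Added example, not from the original post. Grants the Reporting Services account the
# db_datareader role on the Data Warehouse database so the new reports can query it.
# Server, database and account names below are placeholders; replace them with your own.
$SqlServer  = 'DWSQL01'             # placeholder: Data Warehouse SQL Server (add ,port for a non-default port)
$Database   = 'CM_DataWarehouse'    # placeholder: Data Warehouse database name entered in the role wizard
$ReportUser = 'CONTOSO\svc-ssrs'    # placeholder: Reporting Services account used in Configuration Manager

function Grant-DataWarehouseReader {
    param([string]$Server, [string]$Db, [string]$Account)

    # Idempotent T-SQL: login and database user are created only if missing, then the role is granted.
    $tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
USE [$Db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
ALTER ROLE db_datareader ADD MEMBER [$Account];
SELECT IS_ROLEMEMBER(N'db_datareader', N'$Account');
"@
    # Windows authentication with the account running the script, which needs sysadmin (or equivalent) on the server
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Database=master;Integrated Security=True")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $tsql
        # The final SELECT returns 1 when the account is now a member of db_datareader
        return ([int]$cmd.ExecuteScalar() -eq 1)
    }
    finally { $conn.Close() }
}

Grant-DataWarehouseReader -Server $SqlServer -Db $Database -Account $ReportUser
```

db_datareader is read-only, which is all the reports need; do not grant the reporting account db_owner or sysadmin on the warehouse just to make the error go away.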


The Data Warehouse role is a great feature so you should try it out!

Windows 10 1703 is here! And it has some great new features as always. We are still waiting for the official .ADMX files and the documentation on which GPOs are new and which have changed. Some are changed, like the Credential Guard setting where we have more options. I did a quick comparison, so there are more I am sure; some are renamed, some are moved, so it is hard to put together. The components with the most new settings are Microsoft Edge, Delivery Optimization and Windows Update.

Microsoft Edge has taken huge steps and is working great. The feature that will please our customers the most is the fact that we can synchronize Microsoft Edge and Internet Explorer favorites! A simple, small feature that will increase the adoption of Microsoft Edge. Setting a custom Start page that the users can change is great news as well.

[Screenshot: Edge and IE favorites sync policy]

Here is the list of new GPO settings that my little investigation found; I am sure I missed some of them. I didn’t include changed ones, like the Credential Guard improvements for instance, but it could be useful until we get the official documentation.

[Image: Windows 1703 New GPOs]

And here it is in Excel, which could make sense: Windows 10 1703 new GPOs

Applocker is used more and more, so I wrote this little Powershell script that can be run as a Configuration Item which checks that the Application Identity service is running and that an Applocker policy is applied. We could also do a remediation script to start the AppIDSvc again if it is stopped, but I normally use a Group Policy to set the service to start automatically, so if it isn’t started something else is wrong, the GPO not being applied or something.

The discovery script (note that it requires WMF 4 or later):

# Effective Applocker policy on the client. With a collection on the left, -ne $Null filters it,
# so a policy with no rule collections yields nothing (falsy) and only a policy with rules passes.
$Applocker = Get-AppLockerPolicy -Effective | Where-Object {$_.rulecollections -ne $Null}

# The Application Identity service must be running for Applocker rules to be enforced
$AppIDSvc = Get-Service | Where-Object {$_.Name -eq "AppIDSvc" -and $_.Status -eq "Running"}

# Compliant only when both a policy with rules exists and the service is running
Return $Applocker -and $AppIDSvc
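As an added example (not from the original post), the remediation script the post mentions but does not include: it starts the Application Identity service if it is stopped and then re-runs the discovery checks, so the client is only reported compliant when enforcement is actually back. It deliberately does not create a policy, and the function name is my own.

```powershell
# Added example, not from the original post: a remediation script for the Applocker CI.
# Configuration Manager runs it when the discovery script returns $false. It starts the Application
# Identity service if stopped and re-runs the discovery checks; it cannot create a missing policy,
# so a client with no Applocker rules stays non-compliant and will show up in the baseline report.

function Repair-AppLockerEnforcement {
    $svc = Get-Service -Name AppIDSvc -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        Start-Service -Name AppIDSvc -ErrorAction Stop
        # Throws a TimeoutException (script fails, client stays non-compliant) if the service does not come up
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }

    # Same checks as the discovery script: at least one rule collection and the service running
    $policy  = Get-AppLockerPolicy -Effective | Where-Object { $_.RuleCollections -ne $null }
    $running = (Get-Service -Name AppIDSvc).Status -eq 'Running'
    return [bool]($policy -and $running)
}

# The startup type itself is left to Group Policy, as in the post; only the running state is repaired here
Repair-AppLockerEnforcement
```

A client that keeps needing remediation is the interesting signal: it means something is stopping AppIDSvc between evaluations, which is worth investigating rather than just restarting.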

Using Configuration Manager CIs and Baselines to configure your clients is an extremely powerful tool; GPO is basically fire and forget, whereas here we get status back. It can also be used in many scenarios where Group Policy cannot, like when managing clients on the internet using the Cloud Management Gateway.

We need to start by checking the client agent settings so that unsigned Powershell scripts are allowed to be run by the SCCM client, or else sign the script.

[Screenshot: Powershell client agent setting]

Then we create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)


Select the supported platforms:


Select New in the Settings step


Create a new Configuration Item with the following settings:

-Settings Type: Script

-Data type: Boolean


Then we edit the discovery script and paste the script as shown below.


Then we create a compliance rule with the following settings.


Then we can add it to a baseline and deploy it to our clients. For all of you that took the time to read the whole post, you can download an exported .Cab file which contains both the CI and the Baseline used from here: Applocker status

Updated!! With the new features in OSD that Aaron Czechowski shared on Twitter! Thanks Aaron, great stuff!

Every time a new Technical Preview of Configuration Manager is released it means a late night upgrading and playing around with the new cool features! Last night it was time again, TP 1703 was released. One of my favorite small but great features is the collapsible groups in the Task Sequence editor :D It will make navigating long and complex Task Sequences much easier.


More OSD news: Secure Boot state can also be included in the hardware inventory, which is really important for Windows 10 deployments.


Importing a computer is also updated; it is now possible to add the computer to more than one collection. I wish we had had that a long time ago!


The next feature proves how much investment is being made in Windows Analytics, and that you should look at starting to use this awesome FREE service now! We will be able to control the Commercial ID, telemetry level and more in Client Settings in Configuration Manager, hopefully eliminating the need to run the Windows Analytics script to configure the clients as we do today!


The next new feature is a new wizard to onboard to Azure services; the one that exists in TP 1703 is Windows Store for Business.


More new features:

- PFX certificates for Configuration Manager Windows client computers
- Direct links to applications in Software Center
- Convert from BIOS to UEFI during an in-place upgrade

PFX certificates for Configuration Manager Windows client computers

Making it possible to deploy .PFX certificates to Windows 10 clients as well, a great and important addition.

Direct links to applications in Software Center

This will make it possible to email or send a link to an application in Software Center to the users. I will have to try it out as well. The link format is:

Softwarecenter:SoftwareId=*Application Identifier*

Convert from BIOS to UEFI during an in-place upgrade

With the new ADK for Windows 10 Creators Update it is now possible to convert BIOS to UEFI during an in-place upgrade as well, removing one of the biggest blockers for in-place upgrade. More information:

https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion#convert-from-bios-to-uefi-during-an-in-place-upgrade

For more information on the improvements in Configuration Manager 1703 Technical Preview, check out the product documentation: https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1703