CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson


I have written some posts before on how to block updates if you build your images using MDT (or SCCM, for that matter) and download the updates using ZTIWindowsUpdate.wsf directly from the Internet instead of installing a dedicated WSUS, which I always recommend: http://ccmexec.com/2013/09/tips-when-building-images-with-configmgr-2012-part-2/ I got a couple of questions on how to block .NET Framework 4.6.1 when building Windows 7 images.

On January the 26th, .NET Framework 4.6.1 was released on Windows Update as a recommended update for Windows 7 and Server 2008 R2. If you build your images and install updates from Windows Update, you will now get .NET Framework 4.6.1 installed.

You can block it the normal way by blocking KB3102433, either in CustomSettings.ini or as a Task Sequence variable in SCCM.

Or you can use the registry key to block the installation; then .NET Framework 4.6.1 will not be installed after the image is deployed either, so in some scenarios that can be a good solution. Running the following command in the Task Sequence before the ZTIWindowsUpdate.wsf step will block the installation. More information can be found here: https://support.microsoft.com/sv-se/kb/3133990

reg add "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU" /v "BlockNetFramework461" /d "1" /t REG_DWORD /f

If you then want to enable the installation again and you manage your updates through WSUS or Configuration Manager, you can remove the registry value in the task sequence after software updates are installed with the following command.

reg delete "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU" /v "BlockNetFramework461" /f

Both solutions will do the job!

In Windows 10 1511 there is a new feature which is enabled by default, “Let Windows Manage my default printer”. This setting will make the last printer you used the default printer.

At many customers this is not a wanted scenario, so here is the registry value you need to change to turn it off.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LegacyDefaultPrinterMode DWORD: 0x00000001

The easiest way is to set it with a User Group Policy preference.

When searching for registry settings I tend to use Regshot to find them, easy to use, nothing to install. Works great! http://sourceforge.net/projects/regshot/

Happy printing!

I have the great honor to present two sessions at Microsoft TechX in Stockholm, 15-18 February 2016!

TechX is a four-day event (in Swedish), focusing on Azure 15-16 and Office 365 17-18. I am really looking forward to it!

My sessions are:

“Future of client management with Intune/Configuration Manager Hybrid”, where we will focus on all the new features in Intune and how it links to Configuration Manager CB.

“Windows 10 + EMS = True”, together with my colleague Anders Olsson, http://itsakerhetsguiden.se/, which will focus on what EMS brings to Windows 10 and why they are a match made in heaven (or Redmond?!)

There are a lot more sessions as well, so I hope to see you all there!

When you deploy Windows 10 with the built-in Windows Defender, the definitions are as old as the .WIM file is. It is a good idea to update the definitions during OSD to make sure that the latest definitions are there.

I have used Chris Nackers' post and script a lot for downloading and deploying the definitions for System Center Endpoint Protection during OS deployment in Windows 7 and Windows 8. http://www.chrisnackers.com/2012/10/18/configuration-manager-2012-installing-endpoint-protection-during-a-task-sequence/

I also found this script in Technet Galleries for downloading the Endpoint Protection definition files: https://gallery.technet.microsoft.com/scriptcenter/SCEP-Definition-Updates-to-fde57ebf

This post will cover how we can do the same for Windows Defender when deploying Windows 10. It is actually much easier, as we don’t have to install the Windows Defender client; it is already included in Windows 10. My colleague Johan Schrewelius and I put together this little script that can be run as a Scheduled Task. It downloads the definitions from Microsoft to the UNC path and updates the package source files in a specific DP group.

The script can be downloaded from Technet Galleries: https://gallery.technet.microsoft.com/Windows-Defender-b15b8057

Here is how to use it:

1. To start with, we create the following structure on our package share, to which we can download the definition files: a “Defender Definition” folder with two subfolders, one for each architecture (x86 and x64).

2. Download the script from the link above and place it in any folder, for example “C:\Scripts”.

3. Then we create the Package that will be used in Configuration Manager, as we need the PackageID in the PowerShell script to be able to update it when a new version is downloaded. Use the folder we created above as the package source, in this example: “\\CM2012R2\pkgshare$\Defender definitions”

4. Then we select a Standard Program as well. We need three more if both Windows 10 i386 and x64 are used, as we need two for each architecture.

5. For the first x86 program, “mpam-fe.exe”, use the command line x86\mpam-fe.exe. We cannot browse to the file as we haven’t downloaded the files just yet. There are two files per architecture that need to be installed.

6. Limit the program so that it can only be run on 32-bit Windows 10.

7. Create three more programs, one more of them for x86. The command line for the second x86 program should be x86\nis_full.exe.

8. Then we create two more programs for x64 with the same commands, but run from the x64 folder instead.

9. Then we distribute the content to a Distribution Point Group.

10. Now we also have a PackageID for the package, which can be found in the Configuration Manager Admin Console, in this example 06000159.

11. Now we edit the script that we placed in the C:\Scripts folder and change the settings in it to reflect our environment.

12. Now we create a Scheduled Task that will download the definition updates and update the package on the DPs in the Distribution Point Group.

13. Schedule it to run daily at 5 AM.

14. Use the action “Start a program”:

Program: Powershell.exe

Arguments: -NoProfile -ExecutionPolicy ByPass -File C:\scripts\DownloadDefenderDefinitions.ps1

15. Then we can test the Scheduled Task to make sure everything works by right-clicking the new task “Download Defender Definition” and selecting Run.

16. Examine the contents of both the x86 and x64 subfolders under “Defender Definition”; they should now contain two files each, mpam-fe.exe and nis_full.exe.

17. In the Configuration Manager Admin Console, check the content status for the Package to confirm that it was updated successfully.

18. Then we add the steps to the Task Sequence to install the updated definitions. Add a new group “Defender Definition Updates” in the TS and restrict it to Windows 10 (32- and 64-bit).

19. Then we add the four programs that should be run, and restrict them to run only on the correct architecture.

Then we are ready to deploy Windows 10 including the latest Windows Defender updates.
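
Since this package pushes executables fetched from the Internet to every machine being deployed, a check of the downloaded files can run after the download and before the content is refreshed on the distribution points. The following PowerShell is an added example, not part of the DownloadDefenderDefinitions.ps1 script or the original post; the function name Test-DefinitionPackage and the two-day freshness limit are assumptions, while the share path and file names are the ones used in the steps above.

```powershell
# Added example: not part of DownloadDefenderDefinitions.ps1.
# Assumed layout (from the steps above): <PackageSource>\x86 and \x64,
# each containing mpam-fe.exe and nis_full.exe.
function Test-DefinitionPackage {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PackageSource,
        [int]$MaxAgeDays = 2        # assumption: the download task runs daily
    )
    $problems = New-Object System.Collections.Generic.List[string]
    foreach ($arch in 'x86', 'x64') {
        foreach ($name in 'mpam-fe.exe', 'nis_full.exe') {
            $file = Join-Path (Join-Path $PackageSource $arch) $name
            if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
                $problems.Add("$file : missing")
                continue
            }
            # Authenticode: the signature must validate against the local trust
            # store and the signer organization must be Microsoft Corporation.
            $sig = Get-AuthenticodeSignature -FilePath $file
            if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
                $problems.Add("$file : signature status $($sig.Status)")
            }
            elseif ($sig.SignerCertificate.Subject -notmatch '(^|,\s*)O=Microsoft Corporation(,|$)') {
                $problems.Add("$file : unexpected signer $($sig.SignerCertificate.Subject)")
            }
            # A stale file means the scheduled download has been failing.
            $ageDays = ((Get-Date) - (Get-Item -LiteralPath $file).LastWriteTime).TotalDays
            if ($ageDays -gt $MaxAgeDays) {
                $problems.Add(('{0} : last written {1:N1} days ago' -f $file, $ageDays))
            }
        }
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Package source path taken from step 3 of this post.
$result = Test-DefinitionPackage -PackageSource '\\CM2012R2\pkgshare$\Defender definitions'
if (-not $result.Ok) {
    $result.Problems | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit code so the scheduled task shows the failure
}
```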



This has been a hot potato with Windows 10: there is a new edition of Windows 10, and everyone using the school agreement isn’t allowed to use the Enterprise version of the OS. They must use the new Education version, which has its own media. When Windows 10 1507 (10240) was released it was not possible to do an in-place upgrade from Windows 8.1 Enterprise to Windows 10 Education, as you can only upgrade to higher SKUs.

Starting with Windows 10 1511 (10586) this has changed, so now it is possible to do an in-place upgrade from Enterprise edition to Education and also use either Dism or a Provisioning package to achieve this. This is great news as it enables a lot more scenarios for us. One concern many have had is that you need to maintain more than one image, which has been the case in the past to handle Enterprise, Education and Long-Term Servicing Branch. Now that we can use Dism, for instance, we can create our own reference image and then use Dism to change the edition from Enterprise to Education.

On a computer with the latest Windows 10 ADK installed, open the “Deployment and Imaging Tools Environment” as Administrator and then mount the Windows 10 Enterprise .wim file to check if we can upgrade it and to which editions.

In my environment:

dism /mount-image /imagefile:E:\DeploymentShare\Captures\WIN101511X64_edu.wim /index:1 /Mountdir:D:\mountdir

dism /image:D:\Mountdir /get-targeteditions

Then we can see that it is possible to upgrade to Education using Dism.

To actually upgrade the image to Education, use the following commands in the “Deployment and Imaging Tools Environment” as above.

dism /mount-image /imagefile:E:\DeploymentShare\Captures\WIN101511X64_edu.wim /index:1 /Mountdir:D:\mountdir

dism /image:D:\mountdir /set-edition:Education
dism /image:d:\mountdir /Set-ProductKey:NW6C2-QMPVW-D7KKK-3GKT6-VCFB2
dism /unmount-image /mountdir:d:\mountdir /commit


Then test deployment of the image and you should see an Education edition installed. Also note that it is not possible to run Dism and change the Windows edition on a running operating system.

I wrote a blog post before on how to remove the Edge icon in the Taskbar on Windows 10, http://ccmexec.com/2015/12/removing-the-edge-icon-from-the-taskbar-during-osd/

This post will cover how to use the same scripts to deploy a customized Taskbar with the Internet Explorer shortcut instead of the Edge icon.

1. Download the Script from Technet Galleries https://gallery.technet.microsoft.com/Manage-the-taskbar-remove-c3024e40

2. Extract the content to a folder that can be used as package source.

3. In the ManageTaskbar folder, delete the “Quicklaunch” folder and the “TaskbandCU.reg” file.

4. On a Windows 10 client, modify the Taskbar the way you want it to look, in this case adding the IE icon and removing the Edge icon.

5. Copy the “C:\Users\%username%\appdata\roaming\Microsoft\Internet Explorer\Quick Launch” folder to the “ManageTaskBar” folder in the extracted structure.

6. Rename the copied “Quick Launch” folder to “QuickLaunch”, removing the space.

7. Open the “QuickLaunch” folder, right-click the “User-Pinned” folder (which is hidden) and remove the Hidden attribute, including for all subfolders.

8. Open Regedit and browse to the following key: “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband”

9. Right-click the “Taskband” key and select to export it. Save it under “ManageTaskbar” in the folder structure created earlier with the name “TaskBandCU.reg”, so that the “ManageTaskbar” folder once again contains a “QuickLaunch” folder and a “TaskBandCU.reg” file.

10. Then you are ready to create a package as in the previous blog post, and the result will in this case be a customized Taskbar with the IE icon instead of the Edge icon.

Enjoy!

This one isn’t pretty but it does work just fine. One of the most common questions I get when we do Windows 10 projects is how to modify the taskbar and, to be more specific, remove the Edge icon. The configuration of the Taskbar is stored in a big blob in the registry, so what I simply do is modify the taskbar as I want it and then export the registry key and the files needed as well.

The script can be downloaded here: http://ccmexec.com/wp-content/uploads/2015/12/ManageTaskbar-1.0.zip

It consists of two different scripts. As the Taskbar is per-user, I use a .CMD file to copy all the files needed locally and then add a RunOnce command to the default user profile, so that the Taskbar is imported once for each user when the profile is created.

Couldn’t this be done in the default user profile? No, as the Edge icon is added as well when the user profile is created. I will post later in the week how to export/import a Custom Taskbar to add the IE icon instead of the Edge icon.

To implement it:

  1. Download the file above, extract it and place it in your Package Source structure.
    The .cmd file will copy the files to C:\Windows\ManageTaskbar, from where the RunOnce command will run the PowerShell script.
  2. Then create a Package in Configuration Manager without a program, use the folder created with the files as package source, and distribute it to your DPs.
  3. In your Task Sequence, add the taskbar.cmd command using the Run Command Line task.
  4. Then you are ready to test it out.

The script will import the registry file, copy the ManageTaskBar folder and then restart the Explorer process so that the user’s Taskbar is updated. The PowerShell window will show for 2 seconds; this can be solved in different ways, such as calling the PowerShell script using a VBScript.

In my deployment the Taskbar also gets some help from Group Policies after the script is implemented.

I hope it is useful! I will post a how-to later in the week on how to use the same scripts to import a Custom Taskbar with an IE icon as well.

Earlier this week the new ADK 10, 10.0.10586 was released or made available on Microsoft Download. I downloaded it as I and many others have had some issues with .Net applications and Powershell scripts in WinPE on X64 UEFI Machines when PXE booting them and the new ADK solves that problem :D

However, it creates a new issue: it cannot initialize the network connection during WinPE if you do a Refresh from within Windows. You will get an error message, and the following in the SMSTS.log file:

Failed to configure adapter 0 (0x80220014)

So do not upgrade yet!! Further investigation is on its way.
A big thanks to Johan Schrewelius and Johan Arwidmark for testing and confirming the issue! :D