CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Browsing Posts in System Center Configuration Manager

I wrote a blog post a while ago where I used a vbscript that will distribute the content of newly added package and check the “copy content in this package to a package share on Distribution Points”. i still use it and it works great… My college Johan Schrewelius re-wrote it to use Powershell instead and it also handles boot images, OS images, driver packages and packages.

If you been working with SCCM for a while you have most probably experienced this? You created a new program package, driver package or perhaps added a new OS image; but you forgot to distribute it.

Failed to run TS

Another possible problem is that your deployment is configured to “Access content directly from a distribution point when needed by the running task sequence” and that you instead forgot to mark the new package to be copied to a package share on distribution points.

Data Access

To make life easier we decided to create a status driven script to automatically handle this.

Every time a new package is added we will get a new status message with ID: 30000

Message ID

This “Message ID” can be used to trigger the execution of a custom script that automates distribution and also, if desired, copies the content to a share, making sure that we from now on don’t have to bother anymore. The script can be downloaded from here:


1.Place the script in a “scripts folder” on you Site server.

Powershell Script

2. Find the name(s) of your distribution point group.

DP Group Name

3. Open the script and let it know the name(s) of your distribution point group.

Config Script

If you wish to auto distribute to several groups add them to the list like:

$DPgroups = @(”Group One Name”, ”Group Two Name”)

If you don’t want to copy your packages to a share on DP’s, change $CopyToShare = $false


1. Right click your “Site” and press “Status Filter Rules” on the context menu.

Status Filter Rule

2. Press “Create” to open the Rules Wizard.

Status Filter Rules

3. Give the new Rule a Name (Auto Distribute new Package) and make Message ID 30000 the trigger. Press Next

Status Filter Message ID

4. Specify the Action for the new Rule = Run the script with Powershell. Press Next when done.

Run Program

Program: “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -executionpolicy bypass -file “C:\Scripts\AutoDistributePackages.ps1″ %msgis02

5. Check the Summary and press Next.

Status filter summary

6. Close wizard


7 You should now have a new Status Filter Rule. Press OK to close the Window.

Status Filter Rule Done!

8. Done!

Next time you create a package, driver package or add an OS image, Distribution will be automatically handled for you.


-It’s only possible to choose Distribution point groups, if you need DP resolution, feel free to edit the script, or write a dedicated.

-Script must run on a server with the SCCM Admin console installed.

My college Johan Schrewelius wrote a script to copy log files from OSD to a network share like the functionality we have in MDT so I thought I would post it here as it is brilliant. It can be downloaded here:

The script “CopyOSDLogs.ps1” can be run anywhere in an OSD TS but is most often used in the Error Section, thus only run in case of a failed deployment. I wrote a post here a while ago as well on how to add some basic error handling in a standalone TS.

There are a couple of pre-requisites to make it work:

·         We need to make sure that Powershell support is added to our Boot image.

·         We need a location (file share) to save the logs.

·         A TS Variable holding the UNC path to the share.

·         The “First” Network Access Account must be granted “Modify” permissions on the share.

Make sure that Powershell is added to the boot image by adding it if it isn’t added already.


The script will use the Network Access Account for authentication; making it work also in the event of a failure during Windows PE, where we cannot use the computer account, as the machine is not yet domain joined

Check the name of your “first” NAA, if you have several it should be the one on top.


Make sure the Account has been granted “Modify” permissions on your log share:


Create a TS Variable “SLShare” and assign it the UNC-Path to your log share:

TS Step1

Create a Package (without program) or put the script in an existing scripts package, incorporate in TS as:

TS Step2

When the script runs, could be in event of a failure or if you want it to run always, the SMSTSLogs folder will now get zipped and stored as a single file on your log share:


If we combine it with the script also published on Technet Galleries to safely dump TS variables it will also be incorporated in the log files save, that script filters out all password and sensitive information so they are not part of the log file.

That is great if we want to troubleshoot afterwards for instance which applications was installed dynamically using variables.

I hope you find it useful.

Configuration Manager Technical Preview 1702 includes a lot of new features, amazing how much features that are put into each Technical Preview version of Configuration Manager. For a complete list of news in Configuration Manager 1702 TP see the documentation here:

Here are some notes and screenshots of the new features.

Improvements to Software Center settings and notification messages for high-impact task sequences

This is one of the most voted for items on user-voice, and that is to be able to change the information to a user when starting a Task Sequence from Software Center. In Configuration Manager 1702 TP we got more than one new feature. The default message displayed when a Inplace upgrade task sequence is executed from Software Center is now changed and it doesn’t tell our users that all their data will be lost. :D

Task Sequence customizable 1

We can also choose to customize the message in the properties of the Task Sequence.

Task Sequence customizable 21

Then it looks like this for the end-user when they start the Task Sequence from Software Center. Very Nice!

Task Sequence customizable 2

Configure Software Center properties

We can also configure the information show in Software Center for a Task Sequence, Restart required, Download Size and Estimated run time. This is also great, now we only need to train our users to use Software Center….

TS properties

Check for running executable files before installing an application

This feature has improved since previous technical preview releases, now we can display a Friendly Name as well for the application, so it doesn’t say “Iexplore.exe” anymore.

Application1It looks like this when launched from Software Center, which looks so much nicer! Now we want a “close my application now” and “retry” button as well and I am sure we will see a lot of new options in this new feature in the future.

Application2_IEWe can also choose to close the running apps that are blocking the application installation if it is deployed as a “required” deployment. Note: this will not prompt the user to close the applications, they will be closed automatically when the deployment runs.


Create PFX certificates with S MIME support

We can now use the same feature that has been around for a while in Intune Standalone and that is to create and distribute .PFX certificates as well as SCEP as has been the case before. This is great news as a .PFX certificate on mobile devices can be used for S MIME support for instance. (It is also much easier to setup than NDES/SCEP)

Hybrid PFX

Hybrid PFX 2

Android for Work support

Android for work support, there have been traces of it in previous Technical Previews but not it is fully operational! :D With the same features that are available in Intune Standalone.

Android for work

Android for work 2

More Improvements:

There are even more improvements that I haven’t covered here, one I really like is the option to use Azure Active Directory Domain Services, great new feature that shows that Configuration Manager has a great future ahead as well!!

  • New compliance settings for iOS devices
  • Compliance assessment for Windows Update for Business updates
  • Antimalware client version alert
  • Conditional access device compliance policy improvements
  • Use Azure Active Directory Domain Services to manage devices, users, and groups
  • Peer Cache improvements
  • Changes for Updates and Servicing

To follow up on my post earlier this week about how to enable UE-V during OSD and get it to sync Internet Explorer favorites I will cover UE-V templates Powershell and a template share.
In UE-V we can define a central template share where we can drop a UE-V template and the clients will automatically pick it up. New in Windows 10 1607 is that we also must register even the builtin templates so if we just enable UE-V no templates are imported. In UE-V 1607 the builtin templates are placed in C:\Programdata\Microsoft\uev\InboxTemplates. We can register them with a Powershell script during OS deployment for instance.

In this example I will register all of the templates in the inbox templates which I don’t think you should. I will get 35 templates in my Templates folder that contains registered templates after they are imported.Template 1

And everything works just fine.

If I then specify a central template share and then restart the computer… I am left with only 26 + the Google Chrome one from my template share. The rest is removed.


Conclusion: When using UE-V register all templates during OS deployment that you want to make sure that they are used the first time the user logs on and add all the Office related templates to a template share if a template share is used, otherwise they are unregistered after the first reboot.

User Experience Virtualization(UE-V) is builtin Windows 10 1607 and no longer a standalone installer as it has been before. This is great as UE-V is a very powerful solution to Synchronize application settings like for instance Outlook signatures; IE favorites, Windows themes and so on.

When we design and build our new Windows 10 platform we should move away from legacy solutions and use new features to build a modern client.

I have had an issue that Internet Explorer favorites doesn’t sync in Windows 10 1607, and we tried a couple of workarounds but they never synced on the first logon for the user which is very annoying.

What we ended up with solving this is to configure the following to UE-V settings using Powershell: WaitforSyncOnApplicationStart and WaitForSyncOnLogon (it turns out that it is the waitforsynconlogon that actually solves it.)

After that the Internet Explorer favorites synchronizes as expected :-)

The script we currently use to enable UE-V looks like this, can be run during OS deployment or as a package/program.


Set-uevconfiguration -computer -EnableWaitforSyncOnApplicationStart -enablewaitforsynconlogon

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftInternetExplorer2013Backup.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftNotepad.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin32.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftOutlook2016CAWin64.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win32.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftSkypeForBusiness2016Win64.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\MicrosoftWordpad.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\NetworkPrinters.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml

Register-UevTemplate -LiteralPath $env:ALLUSERSPROFILE\Microsoft\UEV\InboxTemplates\ThemeSettings2013.xml

I will write another post this week about the templates and how it works when you use a Template share which is also very interesting.

I should have written this post a while ago but haven’t had time yet. When using the new BIOS-UEFI conversion solution in Configuration Manager 1610, If you are still on 1606 or earlier you can still use this method:

I have seen the below error 0×80070490 when the computer tries to restart the first time after the OEM tools are used to convert from BIOS-UEFI, it has been different reasons behind it.

Error code

Let’s start with what is new behind the scenes, the reason this wasn’t possible before is that the restart computer step checked that the partitioning matches the Booted Operating System, so if we booted in Legacy BIOS it checks that the partitions are correct otherwise it fails, this is overridden with the new variable used for the UEFI partition, “TSUEFIDrive”.


There are new files in the boot images that makes this possible, “BCD-EFI-64” in the x64 Boot image and “BCD-EFI-32” in the x86 boot image. This file is required and used when the computer restarts the first time from booted after conversion to UEFI is done. They are in the OSDinjection.xml file so they are added to the boot image when they are created.


And that is exactly what is causing the above error at least from what I have seen it could probably be more reasons for it to fail but the two reasons I have seen are the following

1. The Boot image used are not updated since the upgrade to Configuration Manager 1610. In that case the new file is not present in the boot image and the restart will fail.

Boot Image updated

Solution: Simply update the boot images on the DP, then the needed file is added to it.

2. If you have modified the OSDinjection.xml file manually after 10/26/2016 then the file is newer than the osdinjection.xml that is included with the Configuration Manager 1610 upgrade, and then the upgrade process will NOT replace the osdinjection.xml file. Also causing the same error as above.


Solution: This can be solved by either adding the missing lines for the new files in the osdinjection.xml file or copy it from the following path:            <ConfigurationManagerinstalldir>\EasySetupPayload\c43a89e4-b642-4fc8-abf0-255bf5d88d82\SMSSETUP\BIN\X64 if you haven’t made any modifications to it.

And then update the boot images after that.

Every time I have seen that error it has because one of the above and it has solved the issue for me every time :D

There is some post and forum posts stating that you must upgrade to ADK 1607 for it to work, that is not the case from what I have seen. It could solve the issue though as you will create new or update existing boot images and then the new files are added.

There are some issues in ADK 1607, driver installation on Windows 7 and 802.1x support for instance so some will still need to use ADK 1511 and it works just fine.

After playing around a while with Configuration Manager 1701 Technical Preview build I thought it was time to share some info and some nice screenshots.

The biggest new feature without competition is the fact that SCCM clients will now select Software Update point using Boundary Groups just like it would with an MP, DP … This is awesome news as it replaces the random selection a client does today! Right now there are some limitations to it in the Technical Preview, all information about what is included in 1701 Technical Preview can be found here:

Software update points and Boundary Groups improvements

A look a the new setting for SUP fallback in the Boundary Groups, it is not fully implemented yet in the Technical Preview.. but it looks nice! New clients will use the SUP assigned to the in the Boundary Group but existing clients will use the one that has been selected randomly until it fails to contact it. Something to keep in mind when implementing it if that is how it will work when it is released.

Boundary Group SUP

Hardware inventory now inventories UEFI information

UEFI is extremely important for all new security features in Windows 10 and going forward. In 1701 Hardware Inventory now inventories UEFI information as well. A Dashboard as well that shows Credential Guard, Device Guard state would be great as well. Configuration Item for it works just fine.. but if I could wish.

UEFI Inventory

UEFI Inventory_1

Improvements in Operating System deployment

There are many small but great updates to the Task Sequence as well, updates to Standalone Media, expiration dates, additional content.

In the task Sequence editor we can now multi select applications and instead of a maximum of 9 applications per step it is now possible to add 99.


All steps in a Task Sequence that reference a package, driver package, application and so on will have it packageID/applicationID shown as well. making it much easier to find and troubleshoot, an example would be the Setup Windows and Configuration Manager step.


Validate device health attestation data via management points

We can now configure our Management Points with a list of On-Premise Device Health attestation points it should use to report device health. Device health attestation is not the most used feature as far as I know but it will be when we get rid of all the “old” hardware that doesn’t support TPM 2.0 for instance.

MP device helath

Host software updates on cloud-based distribution points

A feature that has been requested but is debated as well, as for Microsoft Updates the clients can download the content from Microsoft Update as it will introduce an additional cost for hosting them in the Cloud DP. Something to think about.

The features listed I wrote about here is far from complete, check out the documentation for a complete list.. It is great to follow the development of the product that is being done now, impressive!

In WinPE 1607 Dot3svc fails to load as I and many others have noted before. Today on the comment to my post “Robert” posted the following workaround which seems to be working just fine!


Copy the following files from a windows 10 1607 installation to winpe:

%windir%\l2schemas\OneX_v1.xsd %winpewindir%\l2schemas\OneX_v1.xsd

%windir%\system32\l2gpstore.dll %winpewindir%\system32\l2gpstore.dll

%windir%\system32\onex.dll %winpewindir%\system32\onex.dll

%windir%\system32\en-US\onex.dll.mui %winpewindir%\system32\en-US\onex.dll.mui

%windir%\system32\wbem\en-US\l2gpstore.mfl %winpewindir%\system32\wbem\en-US\l2gpstore.mfl

Thanks Robert for sharing this! All credit to your work!