CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Configuration Manager 1704 Technical Preview was released yesterday, some really awesome stuff in there this time for all OSD fans for sure!

If you aren’t running Technical Preview in a test environment you really should! It is a great way of getting to know the new features and a great way of providing feedback to make the features even more valuable for your organisation. Technical Preview 1703 is the current baseline; you can grab it here: then you can upgrade that to 1704 TP.

You can make it easy for yourself and use Johan Arwidmark’s excellent hydration kit to get a test environment up and running.

Now let’s look at what is new in 1704 Technical Preview.

Nested Task Sequences

This is something that many of us have dreamed about and wished for for years, and now it is finally here: we can call a Task Sequence from a Task Sequence. We have a new Task Sequence step called “Run Task Sequence” which will give us great possibilities to make our Task Sequences smarter. There are some limitations in this Technical Preview release that you should be aware of, so check the documentation so you know what is possible or not.


Android for Work app configuration

Android for Work will be the way to manage Android devices in the future, and now we have the ability to configure Android for Work apps in the same way we can with iOS apps today. This is great news, making the Android platform a real challenger for companies.

Secure Boot Inventory

We already had the possibility to inventory whether UEFI is enabled or not, and now we can inventory whether Secure Boot is enabled or not as well. It is inventoried by default.


Reload the Boot images with the latest WinPE version

We need to update the ADK and WinPE version used twice a year as it looks now with the current release cadence of Windows 10 and supportability with Configuration Manager. We got a new way to do this which makes it much easier: we can simply select to update the WinPE version when we distribute the boot images to our DPs.

PowerShell support to create advanced detection methods

A long-awaited addition: we can now create advanced detection methods for applications using PowerShell.

Eliminate Duplicate Records when converting BIOS-UEFI

This is an issue that has been raised and seen when converting BIOS-UEFI: we get a duplicate record as the underlying hardware ID could change. These duplicate records are now eliminated in the TP 1704 release. We actually could use that as a hotfix to the 1702 release as well…

High DPI support in the admin console

Now that we have cool devices with high resolution, it has been an issue that the SCCM Admin Console didn’t support High-DPI very well. Now that is solved as well. Long awaited!! :D

OS version Column in the System Images node

We can now see what OS version an OS Image is based on in one of the Columns in the System Images Node, makes life a little easier.

More efficient logging in SMSTS.log

Improvements have been made to the SMSTS.log file and logging which will make it easier to read the logs. Will test that and see how much difference it makes when time allows.

Installing the 1704 TP update

Another thing to note as well is the new behavior that updates aren’t automatically downloaded any more in the Updates and Servicing node; we need to decide which updates to download. The reason behind this is that you don’t have to download updates/hotfixes that you perhaps skip and don’t install.

For a full list of features check out the documentation here:

In Configuration Manager 1702 there is a new feature/site system role (pre-release) called Data Warehouse. This is a great addition as I cannot count the times I have set up and configured another database and then on a schedule moved data to that database instead, to be used both for historical data and by other systems that shouldn’t query our precious Configuration Manager database during production hours.

Many times, performance issues in Configuration Manager have been caused by developers querying the Configuration Manager database with really bad queries, degrading the overall performance.

In Configuration Manager 1702 the Data Warehouse feature holds all the answers to those issues. With the Data Warehouse Service Point role we can transfer SQL data to another SQL database. That server doesn’t need to have the same high spec as the Configuration Manager database.

When we configure the Data Warehouse Service Point role we set a schedule for when the data should be transferred to the Data Warehouse and how often.

Adding the Data Warehouse service connection point

As it is still a pre-release feature you need to opt in to using pre-release features; that is done in the Hierarchy Settings.

To add the Data Warehouse service point we add the Data Warehouse Service Point role to the server that should host the role.

We add the SQL Database Server Name, database name and Port to be used.

We can then configure how often it should synchronize the data.

We also get a couple of new reports that will show historical data from the Data Warehouse database, which are cool and useful as well if we have compliance rules applied to our business. No more exporting data at the end of each year to .CSV files for historical compliance reporting and Endpoint Protection and software update compliance.

When configuring the Data Warehouse, don’t forget to grant the Reporting Services user account used in Configuration Manager “Data Reader” role permissions to the Data Warehouse database, otherwise this message will show up when running the reports.

Error Displaying Reports

We grant the SQL Reporting Services user account the data reader role.

After granting the Reporting Services user account permissions to the database the reports now run as they should.

The Data Warehouse role is a great feature so you should try it out!

I wrote a blog post a while ago where I used a VBScript that will distribute the content of a newly added package and check the “copy content in this package to a package share on Distribution Points” option. I still use it and it works great… My colleague Johan Schrewelius rewrote it to use PowerShell instead and it also handles boot images, OS images, driver packages and packages.

If you have been working with SCCM for a while you have most probably experienced this: you created a new program package, driver package or perhaps added a new OS image, but you forgot to distribute it.

Failed to run TS

Another possible problem is that your deployment is configured to “Access content directly from a distribution point when needed by the running task sequence” and that you instead forgot to mark the new package to be copied to a package share on distribution points.

To make life easier we decided to create a status driven script to automatically handle this.

Every time a new package is added we will get a new status message with ID: 30000

This “Message ID” can be used to trigger the execution of a custom script that automates distribution and also, if desired, copies the content to a share, making sure that we from now on don’t have to bother anymore. The script can be downloaded from here:


1. Place the script in a “scripts folder” on your Site server.

2. Find the name(s) of your distribution point group.

3. Open the script and let it know the name(s) of your distribution point group.

If you wish to auto distribute to several groups add them to the list like:

$DPgroups = @("Group One Name", "Group Two Name")

If you don’t want to copy your packages to a share on DP’s, change $CopyToShare = $false


1. Right click your “Site” and press “Status Filter Rules” on the context menu.

2. Press “Create” to open the Rules Wizard.

3. Give the new Rule a Name (Auto Distribute new Package) and make Message ID 30000 the trigger. Press Next

4. Specify the Action for the new Rule = Run the script with Powershell. Press Next when done.

Program: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file "C:\Scripts\AutoDistributePackages.ps1" %msgis02

5. Check the Summary and press Next.

6. Close wizard


7. You should now have a new Status Filter Rule. Press OK to close the window.

8. Done!

Next time you create a package, driver package or add an OS image, Distribution will be automatically handled for you.


-It’s only possible to choose Distribution Point groups. If you need DP resolution, feel free to edit the script, or write a dedicated one.

-Script must run on a server with the SCCM Admin console installed.
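
The status filter rule above starts the script unattended on the site server with -executionpolicy bypass each time a package is created, so whoever can write to the script file or its folder decides what runs there. The check below is an added example, not part of the original post or of the downloadable script: it reports principals outside an allow-list that hold write-type rights on the script and its parent folder. The function name Get-UnexpectedWriter and the allow-list are assumptions; the path is the one used in the rule.

```powershell
# Added example, not part of the original post or of AutoDistributePackages.ps1.
# Reports principals outside an allow-list that can modify a script which a
# status filter rule starts with -executionpolicy bypass.
# Assumptions: the function name and the allow-list are illustrative.

function Get-UnexpectedWriter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path,

        # SIDs expected to hold write access. SIDs are compared instead of
        # names so the check also works on localized Windows installations.
        [string[]]$AllowedSid = @(
            'S-1-5-18',      # Local System
            'S-1-5-32-544'   # BUILTIN\Administrators
        )
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Rights that allow changing content, permissions or ownership, plus the
    # GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that can
    # show up in inherit-only entries on folders.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x10000000 -bor 0x40000000

    # Turn a SID into a readable name; fall back to the SID string.
    $resolve = {
        param($sid)
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    }

    foreach ($item in $Path) {
        if (-not (Test-Path -LiteralPath $item)) {
            Write-Warning "Path not found: $item"
            continue
        }
        $acl = Get-Acl -LiteralPath $item

        # The owner can always rewrite the permissions, so report it too.
        $owner = $acl.GetOwner($sidType)
        if ($AllowedSid -notcontains $owner.Value) {
            [pscustomobject]@{
                Path = $item; Identity = (& $resolve $owner)
                Rights = 'Owner'; Inherited = $false
            }
        }

        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
            if ($AllowedSid -contains $rule.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path = $item; Identity = (& $resolve $rule.IdentityReference)
                Rights = $rule.FileSystemRights.ToString(); Inherited = $rule.IsInherited
            }
        }
    }
}

# Path taken from the rule above. The parent folder is checked as well,
# because write access there allows the file to be replaced.
$scriptPath = 'C:\Scripts\AutoDistributePackages.ps1'
Get-UnexpectedWriter -Path $scriptPath, (Split-Path -Path $scriptPath -Parent)
```

An empty result means only the allow-listed principals can change the script; any row returned is an account or group whose write access should be removed or justified before the rule is enabled.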

I should have written this post a while ago but haven’t had time yet. When using the new BIOS-UEFI conversion solution in Configuration Manager 1610, if you are still on 1606 or earlier you can still use this method:

I have seen the below error 0x80070490 when the computer tries to restart the first time after the OEM tools are used to convert from BIOS-UEFI; there have been different reasons behind it.

Let’s start with what is new behind the scenes. The reason this wasn’t possible before is that the Restart Computer step checked that the partitioning matches the booted operating system, so if we booted in Legacy BIOS it checks that the partitions are correct, otherwise it fails. This is overridden with the new variable used for the UEFI partition, “TSUEFIDrive”.

There are new files in the boot images that make this possible: “BCD-EFI-64” in the x64 boot image and “BCD-EFI-32” in the x86 boot image. This file is required and used when the computer restarts the first time after the conversion to UEFI is done. They are in the OSDinjection.xml file, so they are added to the boot images when they are created.

And that is exactly what is causing the above error, at least from what I have seen. There could probably be more reasons for it to fail, but the two reasons I have seen are the following:

1. The boot image used has not been updated since the upgrade to Configuration Manager 1610. In that case the new file is not present in the boot image and the restart will fail.

Solution: Simply update the boot images on the DP, then the needed file is added to it.

2. If you have modified the OSDinjection.xml file manually after 10/26/2016 then the file is newer than the osdinjection.xml that is included with the Configuration Manager 1610 upgrade, and then the upgrade process will NOT replace the osdinjection.xml file. This also causes the same error as above.

Solution: This can be solved by either adding the missing lines for the new files in the osdinjection.xml file or copying it from the following path: <ConfigurationManagerinstalldir>\EasySetupPayload\c43a89e4-b642-4fc8-abf0-255bf5d88d82\SMSSETUP\BIN\X64 if you haven’t made any modifications to it.

And then update the boot images after that.
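
Both causes above can be checked before a deployment fails. The function below is an added example, not from the original post: it searches an osdinjection.xml as plain text for the two file names mentioned above, flags a file whose modification date is later than 10/26/2016, and, when an untouched reference copy is supplied, returns the lines to carry over. The function name, parameter names and the sample file are assumptions; the paths to the real files are supplied by the caller.

```powershell
# Added example, not part of the original post. It does not parse the XML
# schema; it only searches for the file names as text.
# Assumptions: function name, parameter names and the sample file are
# illustrative. The file names and the cut-off date come from the text above.

function Test-OsdInjectionEntry {
    [CmdletBinding()]
    param(
        # osdinjection.xml currently used by the site (location not assumed).
        [Parameter(Mandatory = $true)]
        [string]$Path,

        # Optional untouched copy, for example from the EasySetupPayload folder.
        [string]$ReferencePath,

        [string[]]$FileName = @('BCD-EFI-64', 'BCD-EFI-32'),

        [datetime]$CutOff = [datetime]'2016-10-26'
    )

    $file     = Get-Item -LiteralPath $Path -ErrorAction Stop
    $lines    = @(Get-Content -LiteralPath $Path)
    $refLines = @()
    if ($ReferencePath) {
        $refLines = @(Get-Content -LiteralPath $ReferencePath -ErrorAction Stop)
    }

    foreach ($name in $FileName) {
        $pattern = [regex]::Escape($name)
        $hits    = @($lines -match $pattern)
        [pscustomobject]@{
            FileName          = $name
            Present           = ($hits.Count -gt 0)
            # A file edited after the cut-off is not replaced by the upgrade.
            EditedAfterCutOff = ($file.LastWriteTime.Date -gt $CutOff)
            LastWriteTime     = $file.LastWriteTime
            # Lines to carry over from the reference copy when the entry is missing.
            ReferenceLines    = if ($hits.Count -eq 0) { @($refLines -match $pattern) } else { @() }
        }
    }
}

# Constructed sample so the block runs anywhere; it is not the real file layout.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'osdinjection-sample.xml'
Set-Content -LiteralPath $sample -Value @(
    '<!-- constructed sample -->',
    '<entry>tsenv.exe</entry>',
    '<entry>BCD-EFI-64</entry>'
)
Test-OsdInjectionEntry -Path $sample | Format-Table FileName, Present, EditedAfterCutOff
```

With the constructed sample, BCD-EFI-64 is reported as present and BCD-EFI-32 as missing, which is the state that leads to the restart failure described above for an x86 boot image.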

Every time I have seen that error it has been because of one of the above, and it has solved the issue for me every time :D

There are some posts and forum posts stating that you must upgrade to ADK 1607 for it to work; that is not the case from what I have seen. It could solve the issue though, as you will create new or update existing boot images and then the new files are added.

There are some issues in ADK 1607, driver installation on Windows 7 and 802.1x support for instance so some will still need to use ADK 1511 and it works just fine.

After playing around a while with Configuration Manager 1701 Technical Preview build I thought it was time to share some info and some nice screenshots.

The biggest new feature without competition is the fact that SCCM clients will now select Software Update point using Boundary Groups just like it would with an MP, DP … This is awesome news as it replaces the random selection a client does today! Right now there are some limitations to it in the Technical Preview, all information about what is included in 1701 Technical Preview can be found here:

Software update points and Boundary Groups improvements

A look at the new setting for SUP fallback in the Boundary Groups; it is not fully implemented yet in the Technical Preview, but it looks nice! New clients will use the SUP assigned in the Boundary Group, but existing clients will use the one that has been selected randomly until they fail to contact it. Something to keep in mind when implementing it if that is how it will work when it is released.

Hardware inventory now inventories UEFI information

UEFI is extremely important for all new security features in Windows 10 and going forward. In 1701 Hardware Inventory now inventories UEFI information as well. A Dashboard as well that shows Credential Guard, Device Guard state would be great as well. Configuration Item for it works just fine.. but if I could wish.

Improvements in Operating System deployment

There are many small but great updates to the Task Sequence as well, updates to Standalone Media, expiration dates, additional content.

In the task Sequence editor we can now multi select applications and instead of a maximum of 9 applications per step it is now possible to add 99.


All steps in a Task Sequence that reference a package, driver package, application and so on will have their packageID/applicationID shown as well, making it much easier to find and troubleshoot. An example would be the Setup Windows and Configuration Manager step.


Validate device health attestation data via management points

We can now configure our Management Points with a list of On-Premise Device Health attestation points it should use to report device health. Device health attestation is not the most used feature as far as I know but it will be when we get rid of all the “old” hardware that doesn’t support TPM 2.0 for instance.

Host software updates on cloud-based distribution points

A feature that has been requested but is debated as well: for Microsoft updates the clients can download the content from Microsoft Update, whereas hosting them in the Cloud DP will introduce an additional cost. Something to think about.

The list of features I wrote about here is far from complete; check out the documentation for a complete list. It is great to follow the development of the product that is being done now, impressive!

In Configuration Manager 1606 we got a new option to tweak our PXE boot times, TFTPWindowSize, which we can change in the registry on our PXE-enabled DPs.
PXE booting a machine can never be fast enough!

Name: RamDiskTFTPWindowSize

The default value is 1 (1 data block fills the window)

We can also tweak the TFTPBlockSize which has been around for many versions of Configuration Manager.

Name: RamDiskTFTPBlockSize
Value: <customized block size>

The default value is 4096 (4k).

So I did a lot of testing and when it comes down to it, you need to verify the settings that are best in your environment with your network configuration, your computer models and so on.

What we know for example:

  • The HP ProBook, for instance, doesn’t support a TFTPBlockSize value higher than 1456, otherwise it freezes.
  • VMware 5.x doesn’t support a value higher than 8 for TFTPWindowSize.

I put together this list that could be a good starting point when testing out the different TFTP values. I used a Latitude E7450 and an Optiplex 7010, and Max, who helped me PXE boot, otherwise I would have overdosed on coffee by now!

Conclusion: UEFI boot is slower! And the values used will be different for many customers as there are no optimal values that will be best in all environments.

Changing the TFTP settings was really boring, so when I did the tests I wrote this little PowerShell tool as well to help in setting the values. I am planning to update it next week to be able to use it on remote DPs and add some more error handling. But you can use it as it is now to do your testing. Run it as administrator so you have the permissions necessary to change the registry values.

It can be downloaded here: SCCMTFTP

I hope this can be of use!

Yesterday the Configuration Manager 1608 technical preview was released and I just love the fact that we get a better end user experience in Software Center; I just had to write this.
One of the new features in Software Center is that we can both see if there are new items and which item is new.

And also we have Application request in Software Center and not in the Application Catalog.

Awesome new feature for the end users!

More new features are, from the blog post:

  • Improvements to Asset Intelligence: We have added a field to the properties for inventoried software that lets you set a parent and child relationship with other software. In the Inventoried Software list, you can view the parent of any software and also hide all child software.
  • Improvements to the Prepare ConfigMgr Client for Capture task sequence step: The Prepare ConfigMgr Client step will now completely remove the Configuration Manager client, instead of only removing key information. When the task sequence deploys the captured operating system image, it will install a new Configuration Manager client each time.
  • Keyboard Translation for Remote Control: By default in a remote control session, characters typed on the viewer’s keyboard are sent to the controlled device instead of the keys – whether or not their keyboard layouts match. This behavior may be turned off in the Remote Control viewer Action menu.

Let’s focus on Remote Control. It is great that Remote Control gets some developer love; one thing I would like to see is the possibility to control the startup of the Remote Control Service on all clients from Automatic (Delayed) to Automatic using a Client Setting.
I created a user voice item for it so if you feel the same way, please vote for it here:

The documentation of what is new in Configuration Manager 1608 Technical preview can be found here:

This solution has been created and tested by a colleague of mine, Johan Schrewelius. He has done most of the work so I cannot give him enough credit for this. We have been using it for a while now and it works great; it is 100% unsupported ;-) as we change values on read-only variables in the TS.

If you are using Configuration Manager 1610 or later there is now a supported built-in way to do this.

1 Background

The release of Windows 10 in combination with steadily increasing security demands means an operating system upgrade, or fresh install, today also includes security measures that not long ago were sort of a luxury or only experimental.

Two major such are UEFI and Secureboot; a significant challenge as not even Configuration Manager 1602 supports a seamless transformation from Legacy Bios to UEFI.

This post describes our method of achieving the desired result: one (1) Task Sequence that starts in Legacy mode and results in a UEFI-configured computer with Secureboot enabled. A script and files for configuring HP computers have been included as an example. No PXE boot is required as we boot from the local disk when we reboot. This is a short flow of what happens:

1. Configure BIOS to UEFI and Secureboot using the tool for the vendor/model

2. Then we partition the local disk to GPT and format it

3. Copy an exported boot image from a package to the local disk

4. Change the value for a read-only variable _SMSTSServiceStartType using the 1E tool

5. Restart the computer and boot to the local installed Operating System

6. Change the second read-only variable _SMSTSBootUEFI to true, and then the TS and all built-in steps for formatting will see that it is a machine running UEFI.

In the Task Sequence it looks like this:



To implement our solution, you need to download Legacy2Uefi as well as TSEnv2.exe from 1E. 1E has been generous enough to share this powerful tool with us, and we cannot thank them enough.

2 Obstacles

There are two major obstacles that prevent us from achieving our goal using a standard TS.

Firstly, we will not be able to apply a boot-image nor an operating system to a GPT disk on what is detected as a MBR System.

Secondly, if we (which we nevertheless will do later) apply bootable media to disk by running a script we will not be able to restart the computer in a controlled fashion as built-in controls (smsboot.exe) will prevent this based on inconsistencies in TS configuration, i.e. the TS-variable “_SMSTSServiceStartType” not being set to auto, which is required to allow rebooting to an installed operating system. Unfortunately, this variable is read-only and we cannot modify it using supported means. But what if we use unsupported means……

3 Read-only TS-variables < TSEnv2.exe

It is usually not recommended to use unsupported means; this however could be the time when circumstances call for it? TSEnv2.exe is able to modify read-only TS-variables and since that is what stands between us and a successful Legacy to UEFI transformation, that’s exactly what we are going to do.

TSEnv2.exe comes in both 32- and 64-bit versions; it also depends on native Configuration Manager libraries, at least tscore.dll. This makes it reasonable to include it in our boot images using OSDInjection.

4 OSDInjection

To include TSEnv2.exe in already existing, as well as in new, boot images do the following on the primary site server or CAS that “owns” the images. And yes, you can use the MDT feature as well to include the files when you create a new MDT Boot Image instead.

  1. Locate your ..\OSD\bin directory.
  2. Copy the corresponding version of TSEnv2.exe to the x64 as well as the i386 subfolder.
  3. Once the files have been copied we need to tell ConfigMgr to actually include them the next time an image is created or updated. This is done by editing “osdinjection.xml” which is found in ..\bin\x64:

Remark – there’s only one osdinjection.xml, not one per architecture.

Remember to Backup osdinjection.xml before editing.

osdinjection.xml holds the “recipe” for boot images and needs to be supplemented with information about the new files.

Open osdinjection.xml in notepad or similar.

As we know there’s already a native file with similar name (tsenv.exe) we will search for that and copy the section, thus avoiding misspelling.

First hit when searching should give you this:


Copy (duplicate) the section and replace the file name:


The result should look like this:

Repeat for x64 (second hit when searching for tsenv.exe):

Save and close osdinjection.xml. Next time a boot image is updated on distribution points TSEnv2.exe will be included.

5 Bootable media Package

As stated earlier we will apply bootable media to disk by script, therefore we will need to create a package containing the necessary files. Use the same procedure as when creating bootable media for use on a USB boot stick, then mount the ISO file and copy the entire content to a new folder on your package share.

Remark – you cannot reuse an old iso; it has to be “fresh” with TSEnv2.exe included.

Make sure to also include “copy.cmd” from

Create a package in ConfigMgr from the folder, do not create any program.

6 Task Sequence

At this point boot images should be updated and include TSEnv2.exe. We should also have a new package including the small copy.cmd command file. The rest of the work is done in the TS-editor, let’s start….

6.1 Create a new group

Create a new group, call it “Transform to UEFI”.

In our case we have a few extra conditions but as a minimum you should check that the machine isn’t already configured for UEFI (_SMSTSBootUEFI equals False).

The steps within the group will be explained over the next couple of pages.

6.2 TS Steps

6.2.1 UEFI Config

This step will have to be adapted to local circumstances. It’s simply an example that shows how to reconfigure a HP Laptop to UEFI mode. contains a folder with only two files:

ConfigUEFI.ps1 is designed to utilize HP’s Bios Configuration utility, which is not included. You also need to create your BIOS password file with the HP tool.

uefi.txt contains a minimum of settings to configure UEFI with SecureBoot.

To make this fully operational more files are needed; these files must be added locally. If you’re an administrator with experience in HP computers this is hopefully enough information to get it working. This is a picture of a functional set of files:


As we prefer keeping bios config files on a network share the step looks like this at most of our customers:

Command: powershell.exe -NoProfile -ExecutionPolicy ByPass -File "%BiosShare%\%Model%\BCU\ConfigUEFI.ps1"

If you’re running Dell, Lenovo or any other brand – modify as needed. If you don’t have PowerShell included in your boot images the script is useless and has to be replaced.

6.2.2 Partition Disk 0 – UEFI Simple

Use a standard “Format and Partition Disk” step to create a GPT disk with a minimal UEFI-compatible partition. The automatically assigned drive letter will be stored in “OSDisk”.

6.2.3 Copy Boot Media to Disk

This is a straightforward “Run Command Line” step that uses the media package and “copy.cmd” to copy the media (iso) content onto the new partition.

“OSDisk” contains the drive letter and tells copy.cmd where to put the content.

Command: copy.cmd %OSDisk%

6.2.4 SET _SMSTSServiceStartType=auto

Another “Run Command Line” step that invokes TSEnv2.exe and sets “_SMSTSServiceStartType” to “auto”.

Command: TSEnv2.exe set _SMSTSServiceStartType=auto

6.2.5 Restart Computer

Next we restart the computer using a standard “Restart Computer” step. Because of the previous modification of the read-only TS-variable we will now be allowed to reboot to the currently installed default operating system, e.g. our media (iso).

6.2.6 SET _SMSTSBootUEFI=true

Finally, we need to modify a second read-only TS-variable. When the TS started the computer was running “Legacy BIOS” and “_SMSTSBootUEFI” was set to “false”.

We need to correct that, as we are now running in UEFI mode.

Command: TSEnv2.exe set _SMSTSBootUEFI=true

7 Done

After the reboot the rest of the Task Sequence will execute as UEFI, no PXE boot needed and totally unattended, except for Lenovo Thinkcentre machines, but that is a different topic.