CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson


OneDrive is built into Windows 10. In some scenarios you don’t want to use it, for instance when both OneDrive and OneDrive for Business are installed, as that is confusing for the user. Yes, you can turn off OneDrive using a Group Policy, but the OneDrive setup will still run for every user who creates a profile on the system. In many scenarios we don’t want it to run at all.


How does this work then? In the default user profile there is a Run command in the registry that runs for every user who creates a profile by logging on to the computer.


What we use is the oldest trick in the book: mount the default user profile's registry during OS deployment and delete the Run command from it, so that it will not execute for any user. We create a .cmd file with command lines that first mount the default user registry, then remove the command, and finally unmount it.


The .cmd file can be downloaded here: removeOnedrive.cmd

To implement it:

1. Download the file and copy it to a folder that you can use as a package Source for a package in Configuration Manager.

2. Rename the file to “RemoveOneDrive.cmd”

3. In Configuration Manager create a new package with the newly created folder as the source folder.

5. Then we distribute the content, if you haven’t automated it already like I do ;-)

6. Add a step to the Task Sequence to run the command. I like to use the Run Command Line step, but you could create a program as well if you like. Note: It has to run after a reboot to the full OS; it cannot be run in WinPE.
Then you are ready to test the deployment.
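
The mount, delete, unmount sequence described in this post, written out as a PowerShell script. This is an added example, not the author's removeOnedrive.cmd; the Run value name OneDriveSetup, the hive path Users\Default\NTUSER.DAT and the mount name DefaultUserTemp are assumptions.

```powershell
# Added example (not the author's removeOnedrive.cmd).
# Assumptions: the default profile hive is <SystemDrive>\Users\Default\NTUSER.DAT,
# the Run value is named "OneDriveSetup", and "DefaultUserTemp" is a hypothetical mount name.
# Must run elevated (for example as SYSTEM in the task sequence) in the full OS.
$hivePath  = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
$mountName = 'DefaultUserTemp'
$runKey    = "Registry::HKEY_USERS\$mountName\Software\Microsoft\Windows\CurrentVersion\Run"
$valueName = 'OneDriveSetup'

if (-not (Test-Path -LiteralPath $hivePath)) {
    throw "Default user hive not found: $hivePath"
}

# Mount the default user hive under HKEY_USERS.
& reg.exe load "HKU\$mountName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # Delete the Run value only if it is present, so the script can be rerun safely.
    $existing = Get-ItemProperty -LiteralPath $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        Write-Output "Removing Run value '$valueName': $($existing.$valueName)"
        Remove-ItemProperty -LiteralPath $runKey -Name $valueName -ErrorAction Stop
    } else {
        Write-Output "Run value '$valueName' not present; nothing to do."
    }

    # Log what is left, so the deployment log records every command new profiles will still run.
    $key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($key) {
        $key.GetValueNames() | ForEach-Object { Write-Output "Remaining Run value: $_" }
        $key.Close()
    }
}
finally {
    # Release handles held by the registry provider; otherwise the unload fails with "Access is denied".
    $existing = $null; $key = $null
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$mountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed with exit code $LASTEXITCODE" }
}
```

The unload in the finally block matters: a hive left mounted keeps NTUSER.DAT locked, and profile creation for new users can then fail.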

When deploying Windows 10, one of the most common things you want to do is to modify the default wallpaper. Windows 10 uses different backgrounds depending on the resolution you use. If you use any of the following resolutions: 768 x 1024, 768 x 1366, 1024 x 768, 1200 x 1920, 1366 x 768, 1600 x 2560, 2160 x 3840, 2560 x 1600, 3840 x 2160, the file matching the resolution in the folder %Windir%\Web\4K\Wallpaper\Windows will be used.

If the resolution used doesn’t match any of the above resolutions the default background %Windir%\Web\Wallpaper\Windows\img0.jpg will be used instead.

So a script that replaces these files will do the trick. The files, however, are owned by TrustedInstaller, and TrustedInstaller is also the only account that has permission to change them.

To be able to replace them using a script either in MDT or SCCM we need to take ownership of the files and then change the permissions on them so we can replace them with our own custom background images.

I have created two scripts that can be used, one old-school .cmd file and one PowerShell script. Both work, so you can choose which one you want to use. Place your own custom backgrounds in the 4K folder and the img0.jpg file in the same folder as the script, like this.


Important to note as well: if you use SCCM to deploy the script, the System account will be used. If you use MDT, you need to change this to Administrators instead for the script to work, as the Task Sequence isn’t executed in System context.

Download the script and create a package that can be used by either a “Run Command Line” step or “Run Powershell Script” step in the task sequence.

The .CMD file content:

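REM Take ownership of the default wallpaper files (they are owned by TrustedInstaller)
takeown /f %WinDir%\WEB\wallpaper\Windows\img0.jpg
takeown /f %WinDir%\Web\4K\Wallpaper\Windows\*.*
REM Grant the account running the script full control (System for SCCM; change to Administrators for MDT)
icacls %WinDir%\WEB\wallpaper\Windows\img0.jpg /Grant System:(F)
icacls %WinDir%\Web\4K\Wallpaper\Windows\*.* /Grant System:(F)
REM Delete the original wallpaper files
del %WinDir%\WEB\wallpaper\Windows\img0.jpg
del /q %WinDir%\Web\4K\Wallpaper\Windows\*.*
REM Copy the custom wallpapers from the script folder (%~dp0)
copy %~dp0img0.jpg %WinDir%\WEB\wallpaper\Windows\img0.jpg
copy %~dp04k\*.* %WinDir%\Web\4K\Wallpaper\Windows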

REM The same steps with the Windows folder hard-coded as C:\Windows instead of %WinDir%
takeown /f c:\windows\WEB\wallpaper\Windows\img0.jpg
takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
icacls c:\windows\WEB\wallpaper\Windows\img0.jpg /Grant System:(F)
icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant System:(F)
del c:\windows\WEB\wallpaper\Windows\img0.jpg
del /q C:\Windows\Web\4K\Wallpaper\Windows\*.*
copy %~dp0img0.jpg c:\windows\WEB\wallpaper\Windows\img0.jpg
copy %~dp04k\*.* C:\Windows\Web\4K\Wallpaper\Windows

And the Powershell Script:

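# Take ownership of the default wallpaper files (they are owned by TrustedInstaller)
takeown /f c:\windows\WEB\wallpaper\Windows\img0.jpg
takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
# Grant the account running the script full control (System for SCCM; change to Administrators for MDT)
icacls c:\windows\WEB\wallpaper\Windows\img0.jpg /Grant 'System:(F)'
icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant 'System:(F)'
# Delete the original wallpaper files
Remove-Item c:\windows\WEB\wallpaper\Windows\img0.jpg
Remove-Item C:\Windows\Web\4K\Wallpaper\Windows\*.*
# Copy the custom wallpapers from the script folder
Copy-Item $PSScriptRoot\img0.jpg c:\windows\WEB\wallpaper\Windows\img0.jpg
Copy-Item $PSScriptRoot\4k\*.* C:\Windows\Web\4K\Wallpaper\Windows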

Both scripts can be downloaded here as well in this .zip file.

So why not just change the default background using a GPO for instance? One reason would be that you miss out on the dynamic selection of background that matches your resolution.

Stefan and I had the great honor of presenting Configuration Manager Community Jewels at TechED Europe 2014; it was great fun!
There are so many cool tools out there that can save a lot of time, increase the quality in what we do and improve the implementations out there as well. Thanks to all who contribute to the community and thanks to all who attended our session!

We have collected all the links to the tools we showed, and many many more, on a TechNet Wiki page so that everyone can edit it and add the favorite tools they use or have created on their own.

I also feel a need to apologize to all who have created tools that we haven’t found or didn’t have the time to mention or show. :-(

When preparing for our session at TechED 2014 in Barcelona on Community Tools, we found this nice little tool that adds BranchCache support in WinPE. This means that during OS deployment the client can download the content from a client on the local network instead of pulling it from a DP, which is great for small branch offices without a DP, for instance. It can be found here: At TechED 2014 Europe it was also announced that BranchCache support will be added in WinPE in ConfigMgr vNext as well, so this is a technology that is coming.

I created an OSD Task Sequence, updated the boot image, enabled BranchCache and added the tools and steps from the toolkit to my Task Sequence. To prestage the data on another client in the network, I created a check at the start of the Task Sequence to see if the “Prestage” variable was set to TRUE. If so, the Task Sequence will not install anything on the client, but it will download all the content and add it to the BranchCache on the client.


Then I deployed the task sequence with the option “download all content locally before starting the Task Sequence”. Remember to make sure that the content will fit in the CCMCache.

After that I deployed a client and it used the BranchCache from the client on the same network, really cool! We like free stuff


The reporting is awesome as well, be sure to check it out!


Here is a short video from 2Pint Software as well:

Just realized I missed a release of a Configuration Manager book, “Configuration Manager book: High availability and performance tuning” by fellow MVP Marius Sandbu. A good introduction to High-availability.

You can find it here on Packt Publishing


I wrote a post a long while ago, which started as a question on the TechNet forum, on how to remove a computer from a collection using a status filter rule once the OS deployment Task Sequence is successful. I posted the script here:
I still use it in almost all of my implementations of Configuration Manager. In one customer scenario I had to clear the PXE flag as well, so I added that to the script. Now you can select whether you want the script to clear the PXE flag on the client as well when it is removed from the OS deployment collection.

The script works fine both in Configuration Manager 2007 and Configuration Manager 2012.

Why use a Status Filter Rule instead of a script in the TS run from the client side? Well, you don’t have to open any firewall ports on the server for WMI etc. You could also implement web services which do the same task for you; I like the simplicity of the status filter rule though.

The script can be downloaded here: Vbscript remove from Collection

To implement it:

1. Download the script and save it as “remove.vbs” in for instance E:\sccmtools or another folder on the Primary Site server.

2. Edit the following line with the collection or collections you want the computer removed from:

sCollectionIDs = "00100053:0010004A:00100069"

You can now also configure whether you want the script to clear the PXE flag by changing this value:

ClearLastPxe = "1"

You can also have the script write to the event log on the Primary Site Server which computer name will be removed from which collections, if you need to troubleshoot:

sEventlog = "1"

When that is done, save the file.

3. Create a status filter rule. The screenshots are from Configuration Manager 2012; not that much differs.

4. Create a new status filter rule under Site Configuration\Sites choosing Status Filter rules.

5. Select Create


6. Configure it to use the following settings:

Name: Remove From Collection

Component : Task Sequence Manager

Message Id: 11171

Note: You have to type in “Task Sequence Manager”; it is not available in the drop-down list as it is not a server component.


7.  Run a Program: C:\windows\System32\cscript.exe e:\sccmtools\remove.vbs %msgsys


8. The next screen confirms that you are finished.


Now you have successfully implemented the Status Filter rule and can start testing.

I wrote a post a while back on how to install the SCCM 2007 Admin Console including R3 and required hotfixes:

In that post I also promised to write a post on how to install the SCCM 2007 Admin Console + R3 + FEP.
It turned out to be a bit of a challenge, as the FEP installation is either 32 or 64 bit depending on the operating system you install the admin console on. After a rewrite, here is the updated script. I used the RTM version of FEP and included the Update Rollup 1 in the script, so if you are using the updated media, remove that part of the script and the folder for the KB.

The script has been tested on Windows 7 32 & 64 bit. The SCCM console will be installed to “C:\program Files\Configuration Manager 2007” or “C:\program files(x86)\Configuration Manager 2007” depending on the operating system architecture.

To implement it the following steps are needed:

  1. Download the ZIP-file containing the script and folder structure: Adminconsole_sp2_r3
  2. Unzip the files and folder to a folder which will be used as source folder.
  3. Copy the necessary source files to the different directories from the original media:
    Tip: you can skip the “WAIK” folder in the Configuration Manager 2007 Sp2 source files, then you will save a lot of disk space.
  4. As the FEP files and updates are both 32 and 64 bits the FEP_Console folder is divided in a 32 and 64 bit folder:
  5. The same goes for the FEP Update rollup 1 update, although they are not named the same and can be placed in the same folder. The update can be downloaded here:
  6. When all the source files are copied to their correct location, create a package using the folder created earlier, containing “Install_FEP.vbs”, as source folder.
  7. On the “Reporting” tab for the newly created package enter the below information. As the hotfix for SCCM 2007 R3 restarts many services, including SMS Agent Host, the script will generate a .MIF file, which is the only way of reporting back that the installation was successful:
  8. Distribute the content to the DP’s
  9. Create a new program with the following command line “cscript.exe fep_install.vbs”
  10. Then advertise the program to a test collection and verify that everything is working as expected.

I hope it will be useful!

In Forefront Endpoint Protection 2010 there is no way to password protect the uninstallation of the FEP client. This makes it possible, for instance, for local admins to remove the FEP client.
I started testing by advertising the FEP client to the “Locally Removed” collection, where the client will end up if the FEP client is uninstalled. At least that was what I thought…

The above statement is true if you install the FEP client using the package/program and advertisement in SCCM. If you deploy the FEP client using, for instance, an OSD task sequence, or manually, the client is added to the “Not Targeted” collection instead.

Note: In case you wonder, the installation and the uninstallation of the FEP client trigger an SCCM hardware inventory on the client immediately, to speed up the process of reporting an updated inventory to the SCCM server.

So, I solved it using the following setup in SCCM, including a standard exclusion collection as the customer asked for the possibility to exclude certain computers from FEP.

I have created two sub-collections for my Microsoft FEP collection:

-FEP – Install

-FEP – Exclusion


The following query is used for the FEP – Install Collection:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.ResourceId not in (
        select distinct SMS_R_System.ResourceId
        from SMS_R_System
        inner join SMS_G_System_ADD_REMOVE_PROGRAMS
          on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
        where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Forefront Endpoint Protection")
  and SMS_R_System.ResourceId not in (
        select distinct SMS_R_System.ResourceId
        from SMS_R_System
        inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64
          on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId
        where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "Microsoft Forefront Endpoint Protection")
  and SMS_R_System.Active = 1
  and SMS_R_System.ResourceId not in (select ResourceID from SMS_CM_RES_COLL_02000087)

When you import the query change the SMS_CM_RES_COLL_02000087 in the query to reflect the CollectionID of the FEP-Exclusion collection in your environment.

The query includes:

  • Only active clients
  • Computers where the Microsoft Forefront Endpoint Protection client is not installed, both x86 and x64
  • Computers that are not members of the FEP-Exclusion collection.

You can limit the FEP-Install collection to for instance “All Windows Workstation and Professional Systems” if you don’t want to include servers.

Then I advertise the Microsoft FEP client package, using the package/program included in the installation of FEP, with the following settings:


Then the installation will rerun even if the FEP client is removed and added back more than once.

I hope this is useful to more than me.