CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson


In Configuration Manager CB 1511 the Windows 10 Servicing feature was introduced which gives us a great view of the Windows 10 versions used in our environment and a tool to schedule the updates of Windows 10 versions.


What happens when we create Service Plans is basically that an ADR is created which deploys the Windows Upgrade packages according to the Service Plan. In 1511 there was an issue where all Windows 10 versions were downloaded when the ADR ran; there are some workarounds, like blocking the unwanted versions of Windows 10 using the WSUS Console. This is now fixed in 1602, where there is a new option to filter which versions of Windows 10 we want to deploy.

The new step in 1602 is Upgrades; it didn’t exist in 1511. In my case I select “Swedish” and “Enterprise,” using the “,” to filter out the Enterprise N version, which I don’t want to download or deploy.


The preview feature is great! Using it we can make sure only the Windows 10 versions we want to deploy will be downloaded and used.
If you haven’t tried the new Windows 10 servicing feature before, it is time to start now.
The new update model of Configuration Manager is great, fixing issues and adding features faster than ever before!!

When managing Windows Defender on Windows 10 with Configuration Manager you will see an error when you use the Group Policy Management Console to view the Group Policy Result on a computer, looking something like this.

The reason for this is that Configuration Manager writes the values that you set in a policy as DWORD, while Group Policy writes the values as String instead. That is the reason for the error “Registry Value…… is of unexpected type”. Both will work, so this is more of a cosmetic error and basically only visible under Group Policy Result in GPMC.

It can be illustrated easily by creating a Group Policy that applies an exclusion for .wim, while in the Configuration Manager Antimalware policy we create an exclusion for .iso. When looking at the registry key on a client under the Policies key, we can see that the values are of different types.


Is this a big problem? No, as the Windows Defender client reads and uses both values in the example above, so basically the only thing that is impacted is the Group Policy Result view in GPMC. Note that in the example above I applied different exclusions using GPO and Configuration Manager; this is not recommended in a production environment from a troubleshooting perspective.
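As an added example (not part of the original post), this PowerShell function lists the Defender exclusions found under the Policies key together with each value's registry type, so the DWORD and String entries described above can be told apart on a client. It goes beyond the extension case in the text by also reading the Paths and Processes exclusion keys; the function name and the "likely writer" mapping (taken from this post's observation) are assumptions of the example.

```powershell
# Added example: audit policy-delivered Windows Defender exclusions and their value types.
# Per this post: Configuration Manager writes REG_DWORD, Group Policy writes REG_SZ.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'

function Get-DefenderPolicyExclusion {
    param(
        [string]$Root = $policyRoot,
        [string[]]$Category = @('Extensions', 'Paths', 'Processes')
    )
    foreach ($cat in $Category) {
        $path = Join-Path $Root $cat
        if (-not (Test-Path -LiteralPath $path)) { continue }   # nothing set by policy

        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            $writer = switch ("$kind") {
                'DWord'  { 'Configuration Manager' }
                'String' { 'Group Policy' }
                default  { 'Unknown' }
            }
            [pscustomobject]@{
                Category     = $cat
                Exclusion    = $name
                ValueKind    = $kind
                LikelyWriter = $writer
            }
        }
    }
}

$found = @(Get-DefenderPolicyExclusion)
$found | Sort-Object Category, ValueKind, Exclusion | Format-Table -AutoSize

# Mixed value types in one category are what trigger the GPMC
# "unexpected type" message and mean two tools manage the same setting.
$found | Group-Object Category |
    Where-Object { ($_.Group.ValueKind | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { Write-Warning "Exclusions\$($_.Name) is written by more than one management tool." }
```

Run it elevated on the client; every exclusion it lists is a location or file type Defender will not scan, so the output is also a quick review list.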

The fix for the refresh scenario that doesn’t work with ADK 10586 that I blogged about a while ago which has been a pain for many of us got a fix last week, https://support.microsoft.com/sv-se/kb/3143760 Really great! :D :D

I realized that I have many environments to create new boot images and apply the hotfix in so I wrote two simple .cmd files to create them for me, so I thought I would share them here as well. The .CMD file is a combination of the instruction for how to apply the hotfix and the great blog post by Brandon which can be found here: http://blogs.technet.com/b/brandonlinton/archive/2015/07/30/windows-10-adk-boot-image-updates-for-configuration-manager.aspx

Both of the .cmd files can be downloaded here: Download

A short how to create new boot images using WinPE 10.0.15086

1. If you are using an older ADK uninstall it on the Primary Site Server.

2. Download and install the new version of the ADK

3. Reboot the Site Server

4. Download the .cmd files from the link above

5. Download the ADK hotfix from the link: https://support.microsoft.com/sv-se/kb/3143760

6. Create a folder, example D:\Temp\ADKHotfix

7. Extract the Hotfix and the .CMD files to that directory.

8. Check the two .dat files for any alternate stream according to the KB article.

9. Edit the .cmd files so that they have the correct paths for your environment: change the path to the ADK and the Mount folder to be used by DISM.


10. Open the “Deployment and Imaging Tools Environment” command prompt

11. Execute the .cmd file for the architecture that you want to create a boot image for and you are done!

Then you go and grab a “Configuration Manager cup of coffee”, as a customer once called it, and when you return you have a new, fixed Boot Image that can be imported into Configuration Manager.

Hope it is helpful!
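For step 8, one way to check the extracted .dat files for alternate data streams from PowerShell, as an added example that is not part of the original post or the KB article. The folder is the example path from step 6 and the function name is hypothetical; the KB article remains the authoritative instruction for what to do with the files.

```powershell
# Added example: list alternate data streams (ADS) on the hotfix .dat files.
# Assumption: files were extracted to the example folder from step 6.
$hotfixFolder = 'D:\Temp\ADKHotfix'

function Get-AlternateStream {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$Filter = '*.dat'
    )
    Get-ChildItem -LiteralPath $Folder -Filter $Filter -File | ForEach-Object {
        $file = $_
        # ':$DATA' is the normal file content; anything else is an alternate stream.
        Get-Item -LiteralPath $file.FullName -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.Name
                    Stream = $_.Stream
                    Length = $_.Length
                }
            }
    }
}

$streams = @(Get-AlternateStream -Folder $hotfixFolder)
if ($streams.Count -eq 0) {
    'No alternate data streams found on the .dat files.'
}
else {
    $streams | Format-Table -AutoSize

    # Zone.Identifier is the mark a browser adds to downloaded files;
    # Unblock-File removes that stream and leaves the file content untouched.
    $streams | Where-Object Stream -eq 'Zone.Identifier' |
        Select-Object -ExpandProperty File -Unique |
        ForEach-Object { Unblock-File -LiteralPath (Join-Path $hotfixFolder $_) }

    # Anything still listed after unblocking needs a manual look before use.
    Get-AlternateStream -Folder $hotfixFolder | Format-Table -AutoSize
}
```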

In Windows 10 OneDrive is built in. In some scenarios you don’t want to use it, for instance if you have both OneDrive and OneDrive for Business installed, as that is confusing for the user. Yes, you can turn off OneDrive using a Group Policy, but the OneDrive Setup will run for every user creating a profile on the system anyway. In many scenarios we don’t want it to run at all.


How does this work then? In the default user profile there is a Run command in the registry that runs for every new user logging on to the computer.


What we use is the oldest trick in the book: mount the default user profile during OS Deployment and simply delete the Run command from the registry, so that it will not execute at all for any user. We create a .cmd file with command lines that first mount the default user registry, then remove the command, and finally unmount it.


The .cmd file can be downloaded here: removeOnedrive.cmd
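The mount, delete and unmount sequence described above, written as an added PowerShell example; it is not the author's downloadable .cmd file, whose content is not reproduced on this page. The temporary mount name is hypothetical, the default profile path assumes a standard installation, and `OneDriveSetup` is the Run value name as shipped in the Windows 10 default profile.

```powershell
# Added example: remove the OneDrive setup Run entry from the default user hive.
# Must run elevated in the full OS (not WinPE), as noted in this post.
$hiveFile  = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
$mount     = 'HKU\DefaultUserTemp'          # hypothetical temporary mount name
$runKey    = "$mount\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$valueName = 'OneDriveSetup'

if (-not (Test-Path -LiteralPath $hiveFile)) {
    throw "Default user hive not found at $hiveFile"
}

# 1. Mount the default user registry hive.
& reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # 2. Delete the Run value only if it exists, so a re-run is harmless.
    & reg.exe query $runKey /v $valueName 2>$null | Out-Null
    if ($LASTEXITCODE -eq 0) {
        & reg.exe delete $runKey /v $valueName /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
        "Removed '$valueName' from the default user Run key."
    }
    else {
        "'$valueName' is not present in the default user Run key; nothing to do."
    }
}
finally {
    # 3. Always unmount, otherwise NTUSER.DAT stays locked and new
    #    profiles cannot be created from it.
    & reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed with exit code $LASTEXITCODE; the hive is still mounted at $mount."
    }
}
```

Using reg.exe for every step avoids open registry-provider handles that can make the unload fail.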

To implement it:

1. Download the file and copy it to a folder that you can use as a package Source for a package in Configuration Manager.

2. Rename the file to “RemoveOneDrive.cmd”

3. In Configuration Manager create a new package with the newly created folder as the source folder.

5. Then we distribute the content, if you haven’t automated it already like I do ;-) : http://ccmexec.com/2015/08/powershell-automatically-copy-packages-to-dp-in-configuration-manager-2012/

6. Add a step to the Task Sequence to run the command. I like to use the Run Command Line step, but you could create a program as well if you like. Note: It has to run after a reboot to the full OS; it cannot be run in WinPE.
Then you are ready to test the deployment.

When deploying Windows 10, one of the most common things you want to do is to modify the default wallpaper. Windows 10 uses different backgrounds depending on the resolution you use. If you use any of the following resolutions, 768 x 1024, 768 x 1366, 1024 x 768, 1200 x 1920, 1366 x 768, 1600 x 2560, 2160 x 3840, 2560 x 1600, 3840 x 2160, the file matching the resolution in the folder %Windir%\Web\4K\Wallpaper\Windows will be used.

If the resolution used doesn’t match any of the above resolutions the default background %Windir%\Web\Wallpaper\Windows\img0.jpg will be used instead.

So a script that replaces these files will do the trick. The files, however, are owned by TrustedInstaller, and TrustedInstaller is also the only account that has permission to change them.

To be able to replace them using a script either in MDT or SCCM we need to take ownership of the files and then change the permissions on them so we can replace them with our own custom background images.

I have created two scripts that can be used, an old-school .cmd file and a PowerShell script; both work, so you can choose which one you want to use. Place your own custom backgrounds in the 4K folder and the img0.jpg file in the same folder as the script, like this.


Important to note as well: if you use SCCM to deploy the script, the System account will be used. If you use MDT, you need to change this to Administrators instead for the script to work, as the Task Sequence isn’t executed in System context.

Download the script and create a package that can be used by either a “Run Command Line” step or “Run Powershell Script” step in the task sequence.

The .CMD file content:

rem Take ownership of the default wallpaper and the per-resolution wallpapers
takeown /f %WinDir%\WEB\wallpaper\Windows\img0.jpg
takeown /f %WinDir%\Web\4K\Wallpaper\Windows\*.*
rem Grant System full control (change System to Administrators when run from MDT)
icacls %WinDir%\WEB\wallpaper\Windows\img0.jpg /Grant System:(F)
icacls %WinDir%\Web\4K\Wallpaper\Windows\*.* /Grant System:(F)
rem Delete the original files
del %WinDir%\WEB\wallpaper\Windows\img0.jpg
del /q %WinDir%\Web\4K\Wallpaper\Windows\*.*
rem Copy the custom files from the folder the script runs from (%~dp0)
copy %~dp0img0.jpg %WinDir%\WEB\wallpaper\Windows\img0.jpg
copy %~dp04k\*.* %WinDir%\Web\4K\Wallpaper\Windows

rem The same steps with the paths hard-coded to C:\Windows instead of %WinDir%
takeown /f c:\windows\WEB\wallpaper\Windows\img0.jpg
takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
icacls c:\windows\WEB\wallpaper\Windows\img0.jpg /Grant System:(F)
icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant System:(F)
del c:\windows\WEB\wallpaper\Windows\img0.jpg
del /q C:\Windows\Web\4K\Wallpaper\Windows\*.*
copy %~dp0img0.jpg c:\windows\WEB\wallpaper\Windows\img0.jpg
copy %~dp04k\*.* C:\Windows\Web\4K\Wallpaper\Windows


And the PowerShell script:

# Take ownership of the default wallpaper and the per-resolution wallpapers
takeown /f c:\windows\WEB\wallpaper\Windows\img0.jpg
takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
# Grant System full control (change System to Administrators when run from MDT)
icacls c:\windows\WEB\wallpaper\Windows\img0.jpg /Grant 'System:(F)'
icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant 'System:(F)'
# Delete the original files
Remove-Item c:\windows\WEB\wallpaper\Windows\img0.jpg
Remove-Item C:\Windows\Web\4K\Wallpaper\Windows\*.*
# Copy the custom files from the folder the script runs from
Copy-Item $PSScriptRoot\img0.jpg c:\windows\WEB\wallpaper\Windows\img0.jpg
Copy-Item $PSScriptRoot\4k\*.* C:\Windows\Web\4K\Wallpaper\Windows

Both scripts can be downloaded here as well in this .zip file.

So why not just change the default background using a GPO for instance? One reason would be that you miss out on the dynamic selection of background that matches your resolution.

Stefan (www.cmtrace.com) and I had the great honor of presenting Configuration Manager Community Jewels at TechED Europe 2014, it was great fun!
There are so many cool tools out there that can save a lot of time, increase the quality of what we do and improve the implementations out there as well. Thanks to all who contribute to the community and thanks to all who attended our session!

We have collected all the links to the tools we showed, and many many more, on a TechNet Wiki page so that everyone can edit it and add the favorite tools they use or create on their own. http://social.technet.microsoft.com/wiki/contents/articles/22802.system-center-2012-configuration-manager-tools.aspx

I also do feel a need to apologize to all who have created tools that we haven’t found or didn’t have the time to mention or show. :-(

When preparing for our session at TechED 2014 in Barcelona on Community Tools, we found this nice little tool that adds BranchCache support in WinPE, which means that during OS deployment the client can download the content from a client on the local network instead of pulling it from a DP. This is great for small branch offices without a DP, for instance. It can be found here: http://2pintsoftware.com/portfolio-items/branchcache-for-osd-toolkit/ At TechED 2014 Europe it was also announced that BranchCache support will be added in WinPE in ConfigMgr vNext as well, so this is a technology that is coming.

I created an OSD Task Sequence, updated the boot image, enabled BranchCache and added the tools and steps from the toolkit to my Task Sequence. To prestage the data on another client in the network, I created a check at the start of the Task Sequence to see if the “Prestage” variable was set to TRUE; if so, the Task Sequence will not install anything on the client but it will download all the content and add it to the BranchCache on the client.


Then I deployed the task sequence with the option “download all content locally before starting the Task Sequence”. Remember to make sure that the content will fit in the CCMCache.

After that I deployed a client and it used the BranchCache from the client on the same network, really cool! We like free stuff.

The reporting is awesome as well, be sure to check it out!


Here is a short video from 2Pint Software as well: https://www.youtube.com/watch?v=4HcRRb-ayW4

Just realized I missed a release of a Configuration Manager book, “Configuration Manager book: High availability and performance tuning” by fellow MVP Marius Sandbu. A good introduction to High-availability.

You can find it here on Packt Publishing.