CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Browsing Posts tagged SCCM

In Configuration Manager 1702 there is a new feature /site system role(pre-release) called Data Warehouse. This is a great addition as I cannot count the time I have setup and configured another database and then on a schedule moved data to that Database instead to be used both for historical data and by other systems that shouldn’t query our precious Configuration Manager database during production hours.

Many times, performance issues in Configuration Manager has been caused by developers querying the Configuration Manager database with really bad queries causing the overall performance being degraded.

In Configuration Manager 1702 the Data Warehouse feature holds all the answers to those issues. With the Data Warehouse Service Point role we can transfer SQL data to a another SQL database. That server doesn’t need to have the same high-spec as the Configuration Manager Database.

When we configure the Data Warehouse Service Point role we set a Schedule on when the data should be transferred to the Data Ware house and how often. Adding the Data Warehouse service connection point.  At is it still a pre-release feature you need to opt-in to using pre-release features, that is done in the Hierarchy Settings.

Pre-release features

To add the Data Warehouse service point we do add the Data Warehouse Service Point role to the server that should host the role.

DataWareHouse Service Point

We add the SQL Database Server Name, database name and Port to be used.

DataWareHouse Service Point 2

We can then configure how often it should synchronize the data.

DataWareHouse Service Point 3

We also get a couple of new reports that will show historical data from the Data Ware house database which are cool and useful as well if we have compliance rules applied to our business. No more exporting data at the end of each year to .CSV files for historical compliance reporting and Endpoint protection and software update compliance.

DataWareHouse reports

When configuring the Data Ware house don’t forget to grant the Reporting Service User account used in Configuration Manager “Data Reader” role permissions to the Data Warehouse Database, otherwise this message will show up when running the reports.

Error Displaying Reports

We grant the SQl Reporting Service user account the data reader role.

Reporting user permissions

After granting the Reporting Services user account permissions to the database the reports now run as they should.

Reporting user permissions_2

The Data Warehouse role is a great feature so you should try it out!

Updated!! With the new features in OSD that Aaron Czechowski shared on Twitter! Thanks Aaron, great stuff!

Every time a new Technical Preview of Configuration Manager is released is a late night upgrading and playing around with the new cool features! Last night it was time again TP 1703 was released. One of my favorite small but great feature is the Collapsible groups in the Task Sequence editor :D Will make navigating long and complex Task Sequences much easier.


More OSD news, Secureboot state can also be included in the hardware inventory, great important for Windows 10 deployments.


Importing a computer is also updated, it is now possible to add the computer to more than one collection, I wish we had that a long time ago!


The next feature proves how much investment is made in Windows Analytics and that you should look at starting to use these awesome FREE service now! We will be able to control the Commercial ID, Telemetry level and more in Client Settings in Configuration Manager hopefully eliminating the need of running the Windows Analytics script to configure the clients as we do today!


Next new feature is a new wizard to on board to all Azure Services, the one that exists there in TP 1703 is Windows Store for Business.


More new features:

PFX certificates for Configuration Manager Windows client computers
Direct links to applications in Software Center
Convert from BIOS to UEFI during an in-place upgrade
PFX certificates for Configuration Manager Windows client computers
Making it possible to deploy .PFX cert to Windows 10 client as well, great and important addition.
Direct links to applications in Software Center
This will make it possible to email or send a link to an application in Software Center to the users. Will have to try it out as well.
Softwarecenter:SoftwareId=*Application Identifier*
Convert from BIOS to UEFI during an in-place upgrade
With the new ADK for Windows 10 creators update it is now possible to convert BIOS-UEFI during an in-place upgrade as well, removing one of the biggest blockers for inplace upgrade. More information:

For more information on the improvements in Configuration Manager 1703 Technical Preview, check out the product documentation.

When deploying Windows 10 one of the most common things you want to do is to modify the default wallpaper. Windows 10 uses different backgrounds depending on the resolution you use. If you use any of the following resolutions, 768 x 1024, 768 x 1366, 1024 x 768, 1200 x 1920, 1366 x 768, 1600 x 2560, 2160 x 3840, 2560 x 1600, 3840 x 2160 the file matching the resolution  in the following folder %Windir%\Web\4K\Wallpaper\Windows will be used.

If the resolution used doesn’t match any of the above resolutions the default background %Windir%\Web\Wallpaper\Windows\img0.jpg will be used instead.

So a script that replaces these files will do the trick, the files however are owned by TrustedInstaller and TrustedInstaller is the only user that has permissions to change it as well.

To be able to replace them using a script either in MDT or SCCM we need to take ownership of the files and then change the permissions on them so we can replace them with our own custom background images.

I have created to script that can be used, on old school .cmd file and a Powershell script both works, so you can choose which one you want to use. Place your own custom backgrounds in the 4K folder and the img0.jpg file in the same folder as the script like this.


Important to note as well, if you use SCCM to deploy the script the System account will be used, you use MDT you need to change this to Administrators instead for the script to work as the Task Sequence isn’t executed in System context.

Download the script and create a package that can be used by either a “Run Command Line” step or “Run Powershell Script” step in the task sequence.

The .CMD file content:

takeown /f %WinDir%\WEB\wallpaper\Windows\img0.jpg

takeown /f %WinDir%\Web\4K\Wallpaper\Windows\*.*
icacls %WinDir%\WEB\wallpaper\Windows\img0.jpg /Grant System:(F)
icacls %WinDir%\Web\4K\Wallpaper\Windows\*.* /Grant System:(F)
del %WinDir%\WEB\wallpaper\Windows\img0.jpg
del /q %WinDir%\Web\4K\Wallpaper\Windows\*.*
copy %~dp0img0.jpg %WinDir%\WEB\wallpaper\Windows\img0.jpg
copy %~dp04k\*.* %WinDir%\Web\4K\Wallpaper\Windows

takeown /f c:\windows\WEB\wallpaper\Windows\img0.jpg
takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
icacls c:\windows\WEB\wallpaper\Windows\img0.jpg /Grant System:(F)
icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant System:(F)
del c:\windows\WEB\wallpaper\Windows\img0.jpg
del /q C:\Windows\Web\4K\Wallpaper\Windows\*.*
copy %~dp0img0.jpg c:\windows\WEB\wallpaper\Windows\img0.jpg
copy %~dp04k\*.* C:\Windows\Web\4K\Wallpaper\Windows

And the Powershell Script:

takeown /f c:\windows\WEB\wallpaper\Windows\img0.jpg
takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
icacls c:\windows\WEB\wallpaper\Windows\img0.jpg /Grant 'System:(F)'
icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant 'System:(F)'
Remove-Item c:\windows\WEB\wallpaper\Windows\img0.jpg
Remove-Item C:\Windows\Web\4K\Wallpaper\Windows\*.*
Copy-Item $PSScriptRoot\img0.jpg c:\windows\WEB\wallpaper\Windows\img0.jpg
Copy-Item $PSScriptRoot\4k\*.* C:\Windows\Web\4K\Wallpaper\Windows

Both scripts can be downloaded here as well in this .zip file.

So why not just change the default background using a GPO for instance? One reason would be that you miss out on the dynamic selection of background that matches your resolution.

One very common request when implementing Intune is to distribute a Wi-Fi profile with WPA2 and a preshared password. This is currently not possible either with Intune standalone or with Intune integrated with Configuration Manager 2012 using the UI. I have already written a post on how to create a custom iSO profile using Apple Configurator and deploy it using Intune standalone here:

In this post I will use the same custom profile I used in the post above but distribute it using Configuration Manager 2012 R2 SP1 instead as deploying a custom iOS profile is a new feature.

In the Configuration Manager 2012 R2 Sp1 console do the the following:

1. Create a new Configuration Item, specify that it is a Mobile Device configuration item you want to create.

2. Select iOS Custom Profile as the settings group.


3. Enter a name for the profile note that it will be visible to the end-users, and the import the .xml file created as described in my earlier blog post, note that the SSID name in that .xml file is “Office1″CustomIOS3

4. Select which platforms the setting should be applied to, as it is only applicable on iOS devices there is no point in selecting anything else.


5. Then the Configuration Item itself is finished and ready to be added to a Configuration baseline.


6. Next step is to create a Configuration baseline so we can deploy the Wi-Fi policy to our devices. Select Create a new Configuration Baseline give it a name and add the Configuration Item we created earlier by clicking the Add button and selecting Configuration Item. Note that you can add more than one Configuration Item if you are deploying multiple settings to a group of devices it could be smart move to add them to the same baseline.


7. The next step is to deploy the Configuration Baseline, here we can select to generate an alert if a certain percentage fails to apply the policy and it is also here we select which collection we should deploy the Configuration Baseline to as well.


Then we are done and ready to test it, we can verify it easily one the iOS device by looking in the Management Profile and look for the Wi-Fi network we deployed.

Stefan(  and I had the great honor of presenting Configuration Manager Community Jewels at TechED Europe 2014, it was great fun!
There are so many cool tools out there that can save a lot of time, increase the quality in what we do and improve the implementations out there as well. Thanks to all who contribute to the community and thanks to all who attended our session!

We have collected all the links to the tools we showed and many many more on a TechNet Wiki page so that everyone can edit and add their own favorite tools you use or create on your own.

I also do feel a need to apologize to all who have created tools that we haven’t found or didn’t have the time do mention or show. :-(

When preparing for our session a TechED 2014 in Barcelona on Community Tools, we found this nice little tool that adds BranchCache support in WinPE, which means that during OS deployment the client can download the content from a client on the local network instead of pulling it from a DP, this is great for small branch offices for instance without a DP. It can be found here: At TechED 2014 Europe it was also announced that BranchCache support will be added in WinPE in ConfigMgr vNext as well, so this is a technology that is coming.

I created an OSD Task sequence,updated the boot image, enabled BranchCache and added the tools and steps from the toolkit to my Task Sequence. To prestage the data on another client in the network I created a check in the start of the Task Sequence to see if the “Prestage” variable was set to TRUE, if so the Task Sequence will not install anything on the client but it will download all the content and add it to the BranchCache on the client.


Then I deployed the task sequence with the option “download all content locally before starting the Task Sequence” remember to make sure that the content will fit in the CCMCache.

After that I deployed a client and it used the BranchCache from the client on the same network, really cool! We like free stuff


The reporting is awesome as well be sure to check it out!


Here is a short video from 2Pint Software as well:

KB2918614 which is part of the August patch Tuesday is released to solve a security issue in Windows Installer. What it does is change the way that Windows Installer handles repairs and advertised shortcuts as well. The description for the update doesn’t provide that much information.

UPDATE!! a workaround is described below

This security update resolves a privately disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously-installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Normally a user could repair an application from the control panel without any additional permissions but after the update is applied if you try to repair for instance Adobe Reader you will, depending on your UAC setting be prompted for credentials.

UAC1This has caused some headache for many the last weeks not just for the auto-repair but for all using Activesetup and launches a msiexec.exe command in there to apply the users settings at first logon, and for advertised shortcuts as well.

Uninstalling the update brings back the normal behavior of Windows Installer again.


Thanks to HappySCCM who have posted the answer from Microsoft and a valid workaround..

Below if from HappySCCM’s site!


This security update resolves a privately disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously-installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Workaround if you have problems with repairing application:
1. Uninstall the application and reinstall it with the security update installed. (sourcehash file generated with security update)

2. Manually copy the sourcehash file to c:\windows\installer folder. As the sourcehash file is generated based on the application files, the sourcehash file generated on computer A can be used on computer B.

Below is a screenshot of the sourcehash file:

Just tested it and it works fine if you uninstall/install Adobe Reader again. After the installation the sourcehash file is generated and after that the repair is successful again.


Then at least newly installed computers can have the Update installed as it will not affect them.

Thanks for sharing HappySCCM!!

At TechED in Houston North America 2014 I had time to look at the Advanced Installer in the Expo Hall, I was impressed of the demo. I have always recommended Flexera AdminStudio as the tool to use for repackaging in the projects that I am involved with as this is a very powerful tool for repackaging software to Windows Installer packages/App-v packages.

Advanced Installer in the latest version looks like it could be an alternative to AdminStudio as there are many new features, App-V support, Snapshot support and so on.

I also have a feeling that many Flexera AdminStudio users, admins that do repackaging doesn’t really use all the features in AdminStudio and that Advanced Installer could be a less expensive option AdminStudio and provide enough features.

From a licensing perspective Advanced Installer is interesting as well if you are a consultant or an organization that repackages applications for customers, there is no additional license cost in the these scenarios for Advanced Installer. You can package applications using your license and selll them or give them to your customers.

If you haven’t had a look at it before more information on Advanced Installer can be found here:

Here is a short video on how to repackage 7-zip using Advanced Installer:

Here are some other free options, some with limited functionality, but all available out there for repackaging your applications/script or whatever teaks you are doing to .MSI:


Adminstudio Configuration Manager Edition:

Orca (the true hardcore tool):

AdvancedInstaller free: