Latest posts
SCCM / ConfigMgr, WDAC, OSD and the occasional trauma dump.
-
Emergency repair disk to disable UWF (Unified Write Filter)
To remove the UWF filter uwfvol, the only way outside of Windows is to edit the registry by loading the system hive and removing it from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class{71a27cdd-812a-11d0-bec7-08002be2092f} – LowerFilters Below is a script that will create a winpe iso that modifies the value, note: your value may have different filters to keep. It also injects…
-
What size is your CM Inventory History?
SCCM functions slowing down such as collection update, run scripts? Probably some SQL/Options that needs tuning.I dont think Config Manager was designed to handle some of the newer inventory data at least at the frequency we get it. Having large tables of unneeded history will slow you down. If you are getting history like daily…
-
Smart App Control Policy affects/breaks App Control (WDAC)
Windows enables Smart App Control Audit mode for the first 48 hours. This has been causing unpredictable results with App Control for Business. To fix it, it needs to be disabled in the unattend file in Specialize.
-
Re-imaging SCCM 0xc000000f 0xc0000098
If you are getting these errors after applying the OS, it’s likely you have the SkuSiPolicy.p7b deployed to EFI – See Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates – Microsoft Support / Secure boot revocations previous advice. Once you deploy that, Secure boot requires the file or newer to be on…
-
Get ConfigMgr Management points and Distribution points working with CIS
CIS sets the Network access: Remotely accessible registry paths group policy. Adjust to include SOFTWARE\Microsoft\SMS ie;System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion, SOFTWARE\Microsoft\SMS
-
How to manage WDAC
This post isn’t about creating your initial policies and assumes you know how to create the first base policy, and supplemental policies. This will also setup SCCM to be a managed installer. Just a quick post to hopefully save someone some time. Ask me anything, I may have skipped over something. Setup Download Scripts Create…
-
SCCM WDAC Managed Installer
If you use SCCM to deploy WDAC via the wizard, you will get constrained language mode in powershell. It’s best to deploy it via a script, also enable the managed installer reg for sccm or managed installer just doesn’t work
-
Task Sequence stops responding during msi install
Recently trying to deploy Nitro PDF Pro during OSD the task sequence would just hang. This is due to the msi package wanting to copy over msvcp140.dll killing any processes using it (CcmExec, WmiPrvSE, policyHost). If you encounter any package like this you can add the switch MSIRESTARTMANAGERCONTROL=Disable which will bypass the check.
-
CM Console fails to connect to site server due to WDAC
If you have WDAC deployed and included the recommended block rules the console will install but not correctly due to rule ID_DENY_INSTALLUTIL_1_0
-
Inject dot net 3.5 into Windows 11 wim before adding image to SCCM
Previously Windows has been ok with using a dot net package from a different month, so you could add it during the task sequence without much trouble. Now you need the right version. Best way to do this is have a process to inject the wim then copy it to the network folder. Script lets…