Posts

Disable the OneDrive Notification/Advertisement

This will pop up for each user on first login. There is a registry entry you can use to trick OneDrive into thinking it has already shown the notification.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive

Name: ClientNotSignedInBalloonState

Type: REG_DWORD

Data: 2

 

To put this in your default profile during OSD:

reg load HKU\DefaultTemp "C:\Users\Default\NTUSER.DAT"

reg add "HKU\DefaultTemp\Software\Microsoft\OneDrive" /v ClientNotSignedInBalloonState /t REG_DWORD /d 2 /F

reg unload HKU\DefaultTemp

 

Edge browser crashes on load - Windows 10 1703

We have seen roaming profiles in Windows 10 1703 unable to use the Edge browser if the profile was originally first created with Windows 10 1607.

The address bar briefly displays ms-appx-web:///assets/errorpages/acr_error.htm#https://go.microsoft.com/fwlink/?LinkId=525773 then closes.

In our scenario, enabling the group policy ‘Prevent the First Run webpage from Opening on Microsoft Edge’ fixes the issue so it seems that the 1607 profile has an issue with first run.

Another fix (found in forums) is an undocumented one that also resolves the crashes:

reg add "HKCU\Software\Microsoft\Internet Explorer\Spartan" /v RAC_LaunchFlags /t REG_DWORD /d 1 /f

However, I don't recommend it as we don't know what else it will affect. Maybe use it as a temporary workaround.


SCCM client = None after deploying an operating system

This can happen in an environment where the clients use certificates.

ClientIDManagerStartup.log will contain the following line many times:

Regtask: Failed to refresh MP. Error: 0x80004005

Below are the 2 fixes!

Fix 1: use the task sequence variable SMSTSPostAction to restart the computer once the task sequence completes, by setting it to the value 'shutdown /r /t 0 /f'.

This should ensure the certificate is requested.

Fix 2:

From testing, even after Fix 1 you may need to restart the SCCM agent.
To do this, create a scheduled task that runs at startup:

Program: powershell.exe

Arguments: -Command "& {start-sleep 120; restart-service ccmexec; Unregister-ScheduledTask -TaskName 'Restart SCCM Initial boot' -Confirm:$false;}"

Run whether user is logged on or not.

 

Export the scheduled task as 'RestartSCCM.xml' and create a package and command line to run it at the end of OSD:

SCHTASKS.exe /CREATE /RU system /XML "RestartSCCM.xml" /TN "Restart SCCM Initial boot"
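The same one-shot task built with the ScheduledTasks PowerShell module instead of importing RestartSCCM.xml, as an added example that is not part of the original post; it assumes an elevated PowerShell at the end of OSD and keeps the task name used above.

```powershell
# Added example: create the one-shot "Restart SCCM Initial boot" task from PowerShell
# instead of importing RestartSCCM.xml. Assumes it runs elevated at the end of OSD.
$TaskName = 'Restart SCCM Initial boot'

# What the task does at startup: wait 120 s for the client to settle, restart CcmExec,
# then remove itself so it only ever runs once.
$Command = "& { Start-Sleep 120; Restart-Service ccmexec; " +
           "Unregister-ScheduledTask -TaskName '$TaskName' -Confirm:`$false }"

$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$Command`""
$Trigger   = New-ScheduledTaskTrigger -AtStartup
# SYSTEM with highest privileges: the equivalent of "/RU system" and
# "Run whether user is logged on or not" in the GUI.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# Do not let Task Scheduler skip the task on battery, but cap how long it may run.
$Settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
               -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

# Replace any leftover copy from a previous run so re-imaging is idempotent.
if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
}
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings | Out-Null

# Verify: the task exists and is ready to run at the next boot.
(Get-ScheduledTask -TaskName $TaskName).State
```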

 

Happy deploying!

Setting the Client Status Settings for Client Activity based on AD logon

SCCM will mark a computer inactive if none of the following activity checks happen within the configured period:

  • Client policy request
  • Heartbeat discovery
  • Hardware Inventory
  • Software Inventory
  • Status messages sent

See TechNet.

The default setting is 7 days for each of these, which can be fine for a lot of businesses. If many devices don't connect to the network often, it may look as if there are more client health issues than there really are. To get an idea of how many devices have been on the network within the last x days, you can run the following query in SQL Server Management Studio:

select sys.Name0, ClientActiveStatus, ClientState, ClientStateDescription, LastOnline 
from v_CH_ClientSummary cli
join v_R_System sys on sys.ResourceID=cli.ResourceID
where DATEDIFF(d, LastOnline, GetDate()) < 7
order by LastOnline desc

This uses LastOnline (last connection to AD) to list the devices seen in the last 7 days. Then all you need to do is raise the 7 in the query until the count represents a high enough percentage of your fleet contacting AD. It could be 14 days or 30 days.

This will vary with VPN and DirectAccess usage. Once you enable the Cloud Management Gateway this setting will need to be tweaked again, without relying on this data, as clients will request policy from the internet.
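An added example (not from the original post) that runs the LastOnline comparison for several windows at once and reports the share of the fleet seen in AD within each; the server name SCCMSQL01, the database name CM_PS1 and the SqlServer module (Invoke-Sqlcmd) are assumptions.

```powershell
# Added example (not from the original post): run the LastOnline comparison for several
# windows at once and report what share of the fleet was seen in AD within each.
# Assumes the SqlServer module (Invoke-Sqlcmd) and read access to the site database.
function Get-ClientActivityWindows {
    param(
        [string]$SqlServer  = 'SCCMSQL01',          # assumed site database server
        [string]$Database   = 'CM_PS1',             # assumed site database name
        [int[]] $WindowDays = @(7, 14, 30, 60, 90)
    )
    # Same source views as the query above, but pull the age in days for every client
    # once and bucket it locally rather than re-running the query for each value of "7".
    $query = @"
SELECT DATEDIFF(d, cli.LastOnline, GETDATE()) AS DaysSinceOnline
FROM v_CH_ClientSummary cli
JOIN v_R_System sys ON sys.ResourceID = cli.ResourceID
WHERE cli.LastOnline IS NOT NULL
"@
    $rows  = @(Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $query)
    $total = $rows.Count

    foreach ($days in $WindowDays) {
        $seen = @($rows | Where-Object { $_.DaysSinceOnline -lt $days }).Count
        $pct  = if ($total -gt 0) { [math]::Round(100 * $seen / $total, 1) } else { 0 }
        [pscustomobject]@{ WindowDays = $days; ClientsSeen = $seen; TotalClients = $total; PercentSeen = $pct }
    }
}

# Pick the smallest window where PercentSeen is high enough for your fleet, then use
# that number of days in Client Status Settings.
Get-ClientActivityWindows | Format-Table -AutoSize
```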

 

To configure these settings:

  1. In the Monitoring workspace, click Client Status, then, in the Home tab, in the Client Status group, click Client Status Settings.

     

Monitoring your fleets event logs - Part 2

 

Install Splunk - It's free! https://www.splunk.com/en_us/download/splunk-enterprise.html

Modify Program Files\Splunk\etc\system\local\inputs.conf

Add the lines

[WinEventLog]
evt_resolve_ad_obj = 1

 

Then we need to restart Splunk: in Splunk click Settings, then Server controls, and click Restart Splunk.

Next we need to add our data source: click Add Data from the launch screen, then Monitor.

 

Choose Local Events then ForwardedEvents and click Next

 

Click Create a new index, call it ForwardedEvents and click Save; change the Index to ForwardedEvents, then click Review and Submit.

Give it some time to collect a few logins, then go to Search & Reporting and run:

index="forwardedevents" LogName="Microsoft-Windows-User Profile Service/Operational" (EventCode=1 OR EventCode=2 OR EventCode=6 OR EventCode=7)  | transaction ComputerName startswith=eval(EventCode=1) endswith=eval(EventCode=2) | table ComputerName, duration

So I'm using the selected data, filtering for 4 event codes, then getting the time between event code 1 and 2, and putting it into a table.

Edit: This search can be a bit funny; the delay ended up being in the roaming profile sync, so I've also run:

index="forwardedevents" LogName="Microsoft-Windows-User Profile Service/Operational" (EventCode=1 OR EventCode=2 OR EventCode=6 OR EventCode=7)  | transaction ComputerName startswith=eval(EventCode=6) endswith=eval(EventCode=7) | table ComputerName, duration

Then click on the Visualization tab

This also lets you dive into each login by clicking one and get the event logs!

You can save this as a report, dashboard and share with people.
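The same pairing the two transaction searches do, as an added PowerShell example (not from the original post) run directly against the collector's ForwardedEvents log with Get-WinEvent; it assumes the events arrive in the Events format set up in Part 1, so MachineName is the source computer.

```powershell
# Added example (not from the original post): the same measurement as the Splunk
# transaction searches, done directly against the collector's ForwardedEvents log.
# Pairs event 1 (logon start) with the next event 2 (logon end) per computer, or
# 6/7 (roaming profile sync) when asked, so the two can be compared.
function Get-LogonDurations {
    param(
        [string]$LogName   = 'ForwardedEvents',
        [int]   $StartId   = 1,     # use -StartId 6 -EndId 7 for the roaming profile sync
        [int]   $EndId     = 2,
        [int]   $LastHours = 24
    )
    $filter = @{
        LogName      = $LogName
        ProviderName = 'Microsoft-Windows-User Profile Service'
        Id           = $StartId, $EndId
        StartTime    = (Get-Date).AddHours(-$LastHours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
              Sort-Object MachineName, TimeCreated

    # Walk each computer's events in time order; an end event closes the most recent
    # open start on that computer (per-computer pairing, like the Splunk search).
    $open = @{}
    foreach ($e in $events) {
        $key = $e.MachineName
        if ($e.Id -eq $StartId) {
            $open[$key] = $e.TimeCreated
        } elseif ($open.ContainsKey($key)) {
            [pscustomobject]@{
                ComputerName = $e.MachineName
                UserSid      = $e.UserId
                Started      = $open[$key]
                Seconds      = [math]::Round(($e.TimeCreated - $open[$key]).TotalSeconds, 1)
            }
            $open.Remove($key)
        }
    }
}

# Slowest logons first; switch to -StartId 6 -EndId 7 to see the roaming profile sync time.
Get-LogonDurations | Sort-Object Seconds -Descending | Format-Table -AutoSize
```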

 

There is so much more you can do with this software, and it takes some time to learn it. I will post more as I do.


Monitoring your fleets event logs - Part 1

Windows has an amazing feature that lets you collect logs from remote computers. It's called Windows Event Forwarding and is pretty easy to set up. Once we have this data we can use free tools such as Splunk or Graylog to analyse it, find patterns and fix problems.

 

Below is how to get started collecting the User Profile Service logs to analyse things such as login performance with roaming profiles, something we are dealing with right now! Please note that WinRM must be enabled on your computers for forwarding to work.

First you need a machine that will be the data collector.

1. On that machine open Event Viewer and right-click Subscriptions. You may get a message asking to enable the Windows Event Collector service on startup.

2. Only collect data that you will use. In this example we are collecting the Microsoft-Windows-User Profile Service/Operational events, so we will name the subscription Microsoft-Windows-User Profile Service - Operational.

3. Change the type to Source computer initiated and click Select Computer Groups.

4. Add the group of machines to the Computer list and click OK.

5. Click Select Events.

6. Select Applications and Services Logs\Microsoft\Windows\User Profile Service.

7. You can configure advanced settings to control how the computers forward the events.

8. Click OK.

9. To get clean data, change the format of the returned events by running the command:
wecutil ss "Microsoft-Windows-User Profile Service - Operational" /cf:Events

10. Next, deploy a Group Policy that tells your computers to contact the data collector for subscriptions.

Create a Group Policy using Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding

11. Select Configure target Subscription Manager.

12. Set to Enabled.

13. Click Show.

14. Insert the line
Server=http://SERVER.FQDN:5985/wsman/SubscriptionManager/WEC,Refresh=60

15. Replace SERVER.FQDN with your data collector's name.

16. To test, run GPUPDATE /FORCE on a remote machine.

17. If successful, on the data collector you will see the number of source computers change and events appear in the Forwarded Events log.
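Steps 2 to 9 and the step 17 check as one repeatable wecutil subscription file, an added example that is not part of the original post; it assumes an elevated prompt on the collector and domain-joined source computers (the SDDL allows Domain Computers and Domain Controllers; replace it with your own group), and the client side (steps 10 to 15) stays in Group Policy as above.

```powershell
# Added example (not from the original post): steps 2 to 9 above as one repeatable
# subscription definition on the collector, plus the check in step 17. Assumes an
# elevated prompt on the collector and that source computers are domain members.
$SubscriptionName = 'Microsoft-Windows-User Profile Service - Operational'

# Source-initiated subscription forwarding only the User Profile Service events the
# Part 2 searches use (1/2 logon, 6/7 roaming profile sync), in "Events" format
# (what "wecutil ss ... /cf:Events" sets) so the fields stay machine-readable.
$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/08/windows/wem/1.0">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>User Profile Service events for logon performance analysis</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-User Profile Service/Operational">
        <Select Path="Microsoft-Windows-User Profile Service/Operational">*[System[(EventID=1 or EventID=2 or EventID=6 or EventID=7)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- SDDL: Domain Computers (DC) and Domain Controllers (DD) may forward; tighten to your own group if needed -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP 'UserProfileService.xml'
Set-Content -Path $xmlPath -Value $SubscriptionXml -Encoding UTF8

# Make sure the collector service is configured to start, then create (or replace) the subscription.
wecutil qc /q:true
if (wecutil es | Where-Object { $_ -eq $SubscriptionName }) { wecutil ds "$SubscriptionName" }
wecutil cs $xmlPath

# Step 17 check: the source computers that have checked in and their last heartbeat.
wecutil gr "$SubscriptionName"
```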

Visit https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/ for more information.

 

PART 2 


Error message when no Asset Tag Detected

Set the computer name using the BIOS Asset Tag

If you set the BIOS Asset Tag to the same value as the computer name, it makes sense to only have to input it once. I created a PowerShell script that does the following:

If VM or Mac: Exit 0

If the computer exists in SCCM: Exit 0

If AssetTag exists/is not empty: Set OSDComputerName to AssetTag, Exit 0

If AssetTag doesn't exist: Bring up an error message, Exit 1

 

Tested with HP and Dell machines.

Download Script https://github.com/happysccm/Files/tree/master/Check%20for%20Asset%20Tag%20-%20OSD%20AssetTag%20Check%20-%20Most%20code%20by%20Nickolaj%20and%20Dave%20Green

Update: Added optional script that uses the HP Ownership Tag

How to use:
Create a package for the script.

Copy ServiceUI.exe (from the MDT Toolkit) to the same folder.

In the task sequence, after the initial format of the drive, create a Run Command Line step using the package that you created, with the command:

ServiceUI.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File AssetTag.ps1
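A minimal AssetTag.ps1 implementing the decision list above, added here as an example (not the linked script by Nickolaj and Dave Green); it leaves out the "already exists in SCCM" check, which needs a web service from WinPE, and the placeholder asset tag strings and VM model patterns are assumptions.

```powershell
# Added example (not the linked script, which is by Nickolaj and Dave Green): a minimal
# AssetTag.ps1 implementing the decision list above. The "already exists in SCCM" check
# is left out because it needs a web service from WinPE; the rest runs offline.
$ErrorActionPreference = 'Stop'
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment   # task sequence variables

$cs        = Get-WmiObject Win32_ComputerSystem
$enclosure = Get-WmiObject Win32_SystemEnclosure | Select-Object -First 1

# 1. Virtual machines and Macs keep whatever OSDComputerName is already set to.
#    (Model/manufacturer patterns are assumptions; extend them for your hypervisors.)
$isVm  = $cs.Model -match 'Virtual|VMware|HVM|KVM' -or $cs.Manufacturer -match 'VMware|QEMU|Xen|innotek|Parallels'
$isMac = $cs.Manufacturer -match 'Apple'
if ($isVm -or $isMac) { exit 0 }

# 2. Read the SMBIOS asset tag and treat vendor placeholder strings as empty.
$assetTag = ([string]$enclosure.SMBIOSAssetTag).Trim()
if ($assetTag -match '^(No Asset Tag|Not Specified|None|Default string|To be filled by O\.E\.M\.)?$') {
    $assetTag = ''
}

# 3. Only accept a value that is a legal NetBIOS computer name: a typo in the BIOS
#    must not produce a machine with an invalid name.
if ($assetTag -and $assetTag -match '^[A-Za-z0-9-]{1,15}$') {
    $tsenv.Value('OSDComputerName') = $assetTag.ToUpper()
    exit 0
}

# 4. No usable tag: tell the technician (ServiceUI makes the dialog visible) and fail
#    the step so the task sequence stops instead of imaging with a random name.
$shell = New-Object -ComObject WScript.Shell
$null  = $shell.Popup("No usable BIOS Asset Tag found ('$assetTag'). Set it in the BIOS and restart the deployment.", 0, 'Asset Tag Check', 16)
exit 1
```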

 

Thanks to Nickolaj and Dave Green for the initial form.

 

Deploying Creative Cloud Packages 2017

Quick post on the install order. Use your favourite app packaging wrapper / PSADT.

Update: CloseApps line for PSADT:

Show-InstallationWelcome -CloseApps 'CreativeCloudPackager,Adobe Application Manager (Updater),PDApp,AAM Updates Notifier,Acrobat,Muse,Bridge,InDesign,lightroom,Outlook,Visio,Winword,Project,PowerPoint,Excel,Visio,AutoCAD,ImporterREDServer,dynamiclinkmanager,LogTransport2,SpeedGradeCmd,SpeedGrade,QuickTimeOoP,PhotoshopServer,Adobe QT32 Server,GPUSniffer,Incopy,Dreamweaver,Coldfusion,DreamweaverHelper,Jrun,Dreamweaver Beta,Dreamweaver Beta Helper,node,Fuse,AfterFX,Photoshop,Animate,CINEMA 4D Lite,CineRenderAE,aerender,SA Color Finesse 3 UI,mocha4ae_adobe,Illustrator,dvaaudiofilterscan,Adobe Premiere Pro,Character Animator,Flash,Adobe Prelude,Adobe Audition CC,CEPHtmlEngine'

  1. If the package has Exceptions:
     Exceptions\ExceptionDeployer.exe --workflow=install --mode=pre --installLanguage=en_US
     Don't use en_GB; it seems to break Acrobat.
  2. If the package has Acrobat:
     Build\Setup\APRO15.0\Adobe Acrobat\setup.exe
     Always do this where applicable or Acrobat may break.
     If you want to customize Acrobat, customize the MSI in here using the Acrobat DC Customization Wizard.
  3. Run the main setup:
     Build\setup.exe --silent
     If you don't use --silent, it never exits.
  4. If the package has Exceptions:
     Exceptions\ExceptionDeployer.exe --workflow=install --mode=post --installLanguage=en_US
  5. Firewall exceptions:
     Node.exe: netsh advfirewall firewall add rule name="Adobe Node" dir=in action=allow program="%Programfiles%\adobe\adobe dreamweaver cc 2017\node\node.exe" enable=yes
     Scout.exe: netsh advfirewall firewall add rule name="Adobe Scout" dir=in action=allow program="%Programfiles%\adobe scout cc\scout.exe" enable=yes
  6. Disable CC startup and set all Office add-ins to only load if the user chooses to:
     regedit.exe /s AcrobatAddinReg.reg
     https://1drv.ms/t/s!Apq2Xflj18I1wGkFeyX_T3lbtM5G
  7. Remove shortcuts (batch file):
     REM Delete Shortcuts
     del "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Adobe Creative Cloud.lnk" /F /Q
     del "%PUBLIC%\Desktop\Adobe Creative Cloud.lnk" /F /Q

 

If you are putting the apps in a base image you may need to run the main setup.exe if you want to avoid Acrobat crashing on first use.

Adobe CC Design 2017:
- No exceptions
- Has Acrobat DC

Adobe CC Enterprise 2017:
- Has exceptions
- Has Acrobat DC
- FW exclusion for Scout.exe
- FW exclusion for Node.exe

Adobe CC Exclusives 2017:
- Has exceptions
- FW exclusion for Scout.exe

Adobe CC Web 2017:
- Has exceptions
- FW exclusion for Node.exe

Acrobat Single Package:
- No exceptions
- Has Acrobat DC

Disabling (Adobe's) Office Add-ins

I don't think Outlook should be making PDFs. You can disable the add-ins with Group Policy.

Download Office ADMX files
2013: https://www.microsoft.com/en-au/download/details.aspx?id=35554

2016: https://www.microsoft.com/en-au/download/details.aspx?id=49030

Copy the files under ADMX to your policy central store

Now create a Group Policy and browse to

User Configuration > Administrative Templates > Microsoft Outlook 2016 > Miscellaneous > List of managed add-ins

Edit the policy setting and click Show.

Then specify the add-ins you want to disable, each with a value of 0.

To block other add-ins you need to find the ProgID of the add-in. They can be found in the registry for each app in the suite, for example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins or HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins

To block Adobe out of Office altogether:

Admin Templates, for each List of managed add-ins setting:

Microsoft Excel 2016:
PDFMaker.OfficeAddin 0

Microsoft Excel 2013:
PDFMaker.OfficeAddin 0

Microsoft Word 2016:
PDFMaker.OfficeAddin 0

Microsoft Word 2013:
PDFMaker.OfficeAddin 0

Microsoft Powerpoint 2016:
PDFMaker.OfficeAddin 0

Microsoft Powerpoint 2013:
PDFMaker.OfficeAddin 0

Microsoft Outlook 2016:
AdobeAcroOutlook.SendAsLink 0
PDFMOutlook.PDFMOutlook 0

Microsoft Outlook 2013:
AdobeAcroOutlook.SendAsLink 0
PDFMOutlook.PDFMOutlook 0


Another (less harsh) option is to change the add-in's LoadBehavior to 2 in the registry after install, or possibly via a Group Policy preference. The add-in is then not loaded by default, but the user can still load it manually.

Example Reg https://1drv.ms/t/s!Apq2Xflj18I1wGkFeyX_T3lbtM5G
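An added example (not from the original post) that lists the ProgIDs the policy list needs, straight from the Addins keys named above, and applies the LoadBehavior = 2 option to Adobe's add-ins; the ProgID pattern matches the entries in the policy list above, and the WOW6432Node path is an assumption for 32-bit Office on 64-bit Windows.

```powershell
# Added example (not from the original post): find the ProgIDs the policy list needs, then
# apply the "less harsh" option, LoadBehavior = 2 (load on demand), to Adobe's add-ins.
# Assumes it runs in the user's context for HKCU keys and elevated for HKLM keys.
function Get-OfficeAddin {
    $apps = 'Word', 'Excel', 'PowerPoint', 'Outlook'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($app in $apps) {
            # Per-app add-in keys; 32-bit Office on 64-bit Windows also uses WOW6432Node (assumption).
            $bases = "$hive\SOFTWARE\Microsoft\Office\$app\Addins",
                     "$hive\SOFTWARE\WOW6432Node\Microsoft\Office\$app\Addins"
            foreach ($base in $bases) {
                Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
                    $p = Get-ItemProperty -Path $_.PSPath
                    [pscustomobject]@{
                        Hive         = $hive.TrimEnd(':')
                        App          = $app
                        ProgId       = $_.PSChildName      # the value the policy list needs
                        FriendlyName = $p.FriendlyName
                        LoadBehavior = $p.LoadBehavior     # 3 = load at startup, 2 = on demand, 0 = disabled
                        KeyPath      = $_.PSPath -replace '^.*::', ''
                    }
                }
            }
        }
    }
}

# Set LoadBehavior to 2 for every add-in whose ProgID matches the pattern (default: the Adobe ones above).
function Set-AddinLoadOnDemand {
    param([string]$ProgIdPattern = '^(PDFMaker|PDFMOutlook|AdobeAcroOutlook)\.')
    Get-OfficeAddin |
        Where-Object { $_.ProgId -match $ProgIdPattern -and $_.LoadBehavior -ne 2 } |
        ForEach-Object {
            Set-ItemProperty -Path "Registry::$($_.KeyPath)" -Name LoadBehavior -Value 2 -Type DWord
            "$($_.App) $($_.ProgId): LoadBehavior $($_.LoadBehavior) -> 2"
        }
}

# Inventory first so you can see which ProgIDs are present before changing anything.
Get-OfficeAddin | Format-Table App, ProgId, LoadBehavior, Hive -AutoSize
```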

 

MDT Toolkit files fail to download - could not resolve source


If this happens during OSD, it is likely due to 2 settings in the BIOS.

 

I recommend:

Win7:
Boot mode: Legacy
SATA mode: AHCI

Win10:
Boot mode: UEFI
SATA mode: AHCI


From the log:
The task sequence execution engine failed executing the action (Use Toolkit Package) in the group (Initialization) with the error code 2147942561
Action output: ... ursiveCreatePath(sPath.substr(0, nPos), psa), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\core\ccmcore\path.cpp,104)
RecursiveCreatePath(sPath.substr(0, nPos), psa), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\core\ccmcore\path.cpp,104)
RecursiveCreatePath( sNormalizedPath, psa ), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\core\ccmcore\path.cpp,159)
DownloadContentLocally (pszSource, sSourceDirectory, dwFlags, hUserToken, mapNetworkAccess), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\tscore\resolvesource.cpp,3582)
TS::Utility::ResolveSource (pszPkgID, sPath, 0, hUserToken, mapNetworkAccess), HRESULT=800700a1 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\runcommandline.cpp,399)
cmd.Execute(pszPkgID,sProgramName, dwCmdLineExitCode), HRESULT=800700a1 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\main.cpp,372)
Failed to resolve the source for SMS PKGID=PS10098B, hr=0x800700a1
Install Software failed to run command line, hr=0x800700a1. The operating system reported error 2147942561: The specified path is invalid.