Monitoring your fleets event logs - Part 2


Install Splunk - It's free!

Modify Program Files\Splunk\etc\system\local\inputs.conf

Add the lines

evt_resolve_ad_obj = 1


Then we need to reboot splunk, in Splunk click Settings, then Server controls and click Restart Splunk

Next we need to add our data source, click Add Data from the launch screen, then monitor


Choose Local Events then ForwardedEvents and click Next


Click Create a new index, call it ForwardedEvents, click Save, change the Index to ForwardedEvents and then click Review, Submit

Give it some time to collect a few logins, then go to Search & Reporting

index="forwardedevents" LogName="Microsoft-Windows-User Profile Service/Operational" (EventCode=1 OR EventCode=2 OR EventCode=6 OR EventCode=7)  | transaction ComputerName startswith=eval(EventCode=1) endswith=eval(EventCode=2) | table ComputerName, duration

So I'm using the selected data, filtering for 4 event codes, then getting the time between event code 1 and 2, and putting it into a table..

Edit: This search can be a bit funny, the delay ended up being between synching the roaming profile so I've also ran

index="forwardedevents" LogName="Microsoft-Windows-User Profile Service/Operational" (EventCode=1 OR EventCode=2 OR EventCode=6 OR EventCode=7)  | transaction ComputerName startswith=eval(EventCode=6) endswith=eval(EventCode=7) | table ComputerName, duration

Then click on the Visualization tab

This also lets you dive into each login by clicking one and get the event logs!

You can save this as a report, dashboard and share with people.


There is so much more you can do with this software, and it takes some time to learn it. Will post more as I do..



Monitoring your fleets event logs - Part 1

Windows has an amazing feature that let's you collect logs from remote computers, it's called Windows Event forwarding and is pretty easy to set up. Once we have this data we can use free tools such as Splunk or GrayLog to analyse the data, find patterns, fix.


Below is the way to get started collecting the user profile logs to analyse things such as login performance with roaming profiles, something we are dealing with right now! Please note you need to enable winrm on your computers for forwarding to work.

First you need a machine that will be the data collectior.

  1. On that machine open Event Viewer and right click Subscriptions. You may get the following message to enable the service on startup

2. Now you should only collect data that you will use, in this example we are collecting the Microsoft-Windows-User Profile Service/Operational events so we will call it Microsoft-Windows-User Profile Service - Operational

3. Change the type to Source computer initiated and click Select Computer Groups

4. Add the group of machines to the Computer list and click OK

5. Click Select Events

6. We now select the Applications and Services Logs\Microsoft\Windows\User Profile Service

7. You can configure advanced settings to control how the computers forward the events.

8. Click OK

9. To get clean data we need to change the format of returned events by running the command:
wecutil ss "Microsoft-Windows-User Profile Service - Operational" /cf:Events

10. Next you deploy a group policy that tells your computers to go to the data collector for jobs

Create a group policy using Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding

11. Select Configure target Subscription Manager

12. Set to Enabled

13. Click Show

14. Insert the line

15. Replace SERVER.FQDN with your data collector's name.

16. To test run GPUPDATE /FORCE on the remote machine

17. If successful, on the data machine you will see the number of source computers change and logs in the forwarded events

Visit for more information.





Disabling Windows File Explorer banner advertising

Microsoft has soo much advertising power with Windows 10, they can now put banners up in Windows Explorer via updates. You may see one such as this:
'Save your documents and photos to OneDrive' or 'Get the best deal on your cloud storage with OneDrive'

The setting is called Show Sync Provider Notifications however it has been used for other purposes such as when you do a feature update




To prevent this from happening push out a group policy User preference

Value: ShowSyncProviderNotifications
Value Type: REG_DWORD
Value Data: 00000000
Base: Hex

Error message when no Asset Tag Detected

Set the computer name using the BIOS Asset Tag

If you are setting the Asset Tag the same name that the computer is, it makes sense to only have to input it once. I created a powershell script that will do the following:

If VM or Mac: Exit 0

If  computer exists in SCCM: Exit 0

If AssetTag Exists/Not empty: Set OSDComputerName to AssetTag, Exit 0

If AssetTag doesn't exist: Bring up an error message, Exit 1


Tested with HP and Dell machines.

Download Script

Update: Added optional script that uses the HP Ownership Tag

How to use:
Create a package for the script

Copy serviceUI.exe (From MDT Toolkit) to the same folder.

In the Task Sequence after initial format of the drive create a Run Command Line step using the package that you created

with the command: ServiceUI.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File AssetTag.ps1


Thanks Nickolaj and Dave Green for the initial form


MDT Toolkit files fail to download - could not resolve source


If this happens during OSD, it is likely due to 2 settings in the BIOS.


I recommend

WIN7 -

Boot mode: Legacy
Sata mode: AHCI


Boot mode: UEFI
Sata mode: AHCI



From the log:
The task sequence execution engine failed executing the action (Use Toolkit Package) in the group (Initialization) with the error code 2147942561
Action output: ... ursiveCreatePath(sPath.substr(0, nPos), psa), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\core\ccmcore\path.cpp,104)
RecursiveCreatePath(sPath.substr(0, nPos), psa), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\core\ccmcore\path.cpp,104)
RecursiveCreatePath( sNormalizedPath, psa ), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\core\ccmcore\path.cpp,159)
DownloadContentLocally (pszSource, sSourceDirectory, dwFlags, hUserToken, mapNetworkAccess), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\tscore\resolvesource.cpp,3582)
TS::Utility::ResolveSource (pszPkgID, sPath, 0, hUserToken, mapNetworkAccess), HRESULT=800700a1 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\runcommandline.cpp,399)
cmd.Execute(pszPkgID,sProgramName, dwCmdLineExitCode), HRESULT=800700a1 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\main.cpp,372)
Failed to resolve the source for SMS PKGID=PS10098B, hr=0x800700a1
Install Software failed to run command line, hr=0x800700a1. The operating system reported error 2147942561: The specified path is invalid.


Build and Capture fails if KB3160005 IE sec cumulative update is installed

Update: Adding more scratch space to the boot wim seems to have resolved the problem on Windows 10, Windows 7 seems to still have issues.

Update: This update is also in Windows 10 CU 3163018, causing the same error. No workaround yet 

If your build and capture is failing at the capture step make sure you don't have the cumulative Security Update for IE11 KB3160005. It's somehow stopping the registry load part of the step.

The task sequence execution engine failed executing the action (Capture the Reference Machine) in the group (Capture the Reference Machine) with the error code 2147943850
Action output: ... software" into HKLM\OfflineRegistry1
RegLoadKey( oRegKeyHKLM, sRegKey, sRegHivPath), HRESULT=800705aa (e:\qfe\nts\sms\framework\osdcore\offlineregistry.cpp,68)
LoadHive( szPathBuffer, m_sRegKeySoftware, m_oRegKeySoftware ), HRESULT=800705aa (e:\qfe\nts\sms\framework\osdcore\offlineregistry.cpp,190)
m_oOfflineRegistry.Init(pszSystemRoot), HRESULT=800705aa (e:\qfe\nts\sms\framework\osdcore\offlineos.cpp,737)
rDefaultOs.initialize(sTargetSystemRoot), HRESULT=800705aa (e:\nts_sccm_release\sms\client\osdeployment\capturesystemimage\capturesystemimage.cpp,613)
VerifySystemForCapture(DefaultOs), HRESULT=800705aa (e:\nts_sccm_release\sms\client\osdeployment\capturesystemimage\capturesystemimage.cpp,859)
Finished with error code 0x800705AA
Failed to load "C:\WINDOWS\system32\config\software" (0x800705aa).
Failed to load the offline SOFTWARE registry (0x800705aa).
Failed to validate for capture. 
nsufficient system resources exist to complete the requested service. (Error: 800705AA; Source: Windows). The operating system reported error 2147943850: Insufficient system resources exist to complete the requested service.


Hey Cortana! How do I add additional speeches during OSD so you work?


For Cortana to work with your language you need to install the appropriate speech pack however if you are connected to an enterprise WSUS you won't be able to see additional downloads for your language.

To work around this you can get the language cab files from the 'Windows 10 Features on Demand' iso available via volume license and MSDN downloads, then use dism commands to apply the desired language packages. Currently the available ones are

  • German - Germany (
  • English - Australia (
  • English - Canada (
  • English - United Kigndom (
  • English - India (
  • English - United States (
  • Spanish - Spain (
  • French - France (
  • Italian - Italy (
  • Japanese - Japan (
  • Chinese - China (
  • Chinese - Hong Kong (
  • Chinese - Taiwan (

Note: Cortana is currently only available in United States, Japan, Australia, and Canada and India (in English) however having the speech packs installed will help your deployment if other markets open up.

You can also install the Text to speech pack along side. For example adds Aussie Catherine and British James however Cortana doesn't use them.

Cortana speech settings


To deploy during OSD create a package with the desired speech packs and an Install.bat file. The following  example of install.bat sets up English-Australia and also adds text to speech voices, you can add additional packages by changing the PackagePath:

DISM /Online /Add-Package /
DISM /Online /Add-Package /

And then create a Run Command Line step in the task sequence referencing the package with Disable 64-bit file system redirection

OSD Cortana Speech



To set the default Speech Language you need to modify the default user reg. This can be achieved in 3 commands during the task sequence

Load Default User Registry

reg load HKU\DefaultTemp "C:\Users\Default\NTUSER.DAT"

Set Default SpeechRecognizer

reg add "HKU\DefaultTemp\Software\Microsoft\Speech_OneCore\Settings\SpeechRecognizer" /v RecognizedLanguage /t REG_SZ /d en-AU /F

Unload Default User Registry

 reg unload HKU\DefaultTemp

OSD default profile

Ensure the Operating System applys to C: drive not D: drive


This problem will increase more and more as everyone starts to use wim's instead of the OS media in SCCM.

There are a few workarounds for this problem however the best method is to force the new OS the reevaluate Drive Letters with 3 easy steps after applying the OS

Create a Run Command Line step for each of the 3 commands

Reg.exe load HKLM\Temp %OSDTargetSystemDrive%\Windows\system32\config\system

Reg.exe delete HKLM\Temp\MountedDevices /va /f

Reg.exe unload HKLM\Temp


This forces the default behaviour of Windows to choose the drive letter.


For more information and other workarounds see

Creating Collections to deploy ConfigMgr client updates (the easy way)


Get the Servicing Exstension from Microsoft NOW as it does all the work!!!

Once you have this, in the Admin node, there's a site servicing section -> client targeting. You click 'Create Query' and it makes a nice query for your collections.


Then you go about creating your collection.

Screenshot 2015-02-05 09.39.11

click next. Select Add Rule -> Query Rule


Click Import Query Statement and choose the nice query microsoft made for you.

Screenshot 2015-02-05 09.44.29

Deploy the cumulative update to the clients.



Format failed (0x80070057) during task sequence.






If this is happening to you I recommend importing the boot wim again creating a new one and only adding the network drivers (in the surface pro 3 case) and test using that boot wim with a copy of your task sequence. Then add existing sata/network drivers you need for other devices using latest versions.

I recieved an email from someone that has the same issue, he noticed that Microsoft ships with either a Hynix SSD or a Samsung SSD. The Samsung SSD has never had any issues. From my SCCM data we have 20% Hynix drives - possibly due to change of hard drive supply or shortage, I'm not sure. This will explain why you may be going crazy not understanding why encountering imaging issues after having success.

In this scenario the formatting of the disk fails and then the disk just dissapears even in diskpart until next reboot.

Solution is to get the correct SATA driver for the device. This happened on one of the Surface Pro 3's yet all the others imaged fine. Using the driver provided by the driver pack in the boot wim the task sequence was able to successfully format the disk.


Text from the smsts.log:

Format failed (0x80070057) OSDDiskPart 15/12/2014 4:33:23 PM 864 (0x0360)
CVolume::Format( sDrive.c_str(), (*iter)->getFilesystem(), (*iter)->getVolumeName().c_str(), 0, (*iter)->getIsQuickFormat() ? CVolume::foptQuick : 0, FormatProgressCallback, NULL), HRESULT=80070057 (e:nts_sccm_releasesmsclientosdeploymentosddiskpartmain.cpp,1003) OSDDiskPart 15/12/2014 4:33:23 PM 864 (0x0360)
Failed to format drive C: (0x80070057) OSDDiskPart 15/12/2014 4:33:23 PM 864 (0x0360)
FormatPartitions(oDisk), HRESULT=80070057 (e:nts_sccm_releasesmsclientosdeploymentosddiskpartmain.cpp,1279) OSDDiskPart 15/12/2014 4:33:23 PM 864 (0x0360)
Failed to format partition(s) for disk 0 (0x80070057) OSDDiskPart 15/12/2014 4:33:23 PM 864 (0x0360)
OSDDiskPart.exe failed: 0x80070057 OSDDiskPart 15/12/2014 4:33:23 PM 864 (0x0360)
Process completed with exit code 2147942487 TSManager 15/12/2014 4:33:23 PM 1088 (0x0440)
!--------------------------------------------------------------------------------------------! TSManager 15/12/2014 4:33:23 PM 1088 (0x0440)
Failed to run the action: Format and Partition Disk (UEFI). This is usually caused by a problem with the program. Please check the Microsoft Knowledge Base to determine if this is a known issue or contact Microsoft Support Services for further assistance.
The parameter is incorrect. (Error: 80070057; Source: Windows) TSManager 15/12/2014 4:33:23 PM 1088 (0x0440)