deployment

SCCM client = None after deploying an operating system

In an environment where you use certificates this can happen.

CLientIDManagerStartup.log will mention

Regtask: Failed to refresh MP. Error: 0x80004005

alot of times...

Below I have the 2 fixes!

Fix 1 is to take advantage of the TS Variable SMSTSPostAction to restart the computer once completed
with the value 'shutdown /r /t 0 /f'

This should ensure the cert is requested.

Fix 2:

From testing - after Fix 1 you may need to re-start the SCCM agent.
To do this create a scheduled task that runs on start-up

Program: Powershell

Arguments: -Command "& {start-sleep 120; restart-service ccmexec; Unregister-ScheduledTask -TaskName 'Restart SCCM Initial boot' -Confirm:$false;}"

Run whether or not user is logged on.

 

Export the scheduled task as 'RestartSCCM.xml' and create a package and command line to run at the end of OSD

SCHTASKS.exe /CREATE /RU system /XML "RestartSCCM.xml" /TN "Restart SCCM Initial boot"

 

Happy deploying!

Disabling Windows File Explorer banner advertising

Microsoft has soo much advertising power with Windows 10, they can now put banners up in Windows Explorer via updates. You may see one such as this:
'Save your documents and photos to OneDrive' or 'Get the best deal on your cloud storage with OneDrive'

The setting is called Show Sync Provider Notifications however it has been used for other purposes such as when you do a feature update

 

 

 

To prevent this from happening push out a group policy User preference
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Value: ShowSyncProviderNotifications
Value Type: REG_DWORD
Value Data: 00000000
Base: Hex

Error message when no Asset Tag Detected

Set the computer name using the BIOS Asset Tag

If you are setting the Asset Tag the same name that the computer is, it makes sense to only have to input it once. I created a powershell script that will do the following:

If VM or Mac: Exit 0

If  computer exists in SCCM: Exit 0

If AssetTag Exists/Not empty: Set OSDComputerName to AssetTag, Exit 0

If AssetTag doesn't exist: Bring up an error message, Exit 1

 

Tested with HP and Dell machines.

Download Script https://github.com/happysccm/Files/tree/master/Check%20for%20Asset%20Tag%20-%20OSD%20AssetTag%20Check%20-%20Most%20code%20by%20Nickolaj%20and%20Dave%20Green

Update: Added optional script that uses the HP Ownership Tag

How to use:
Create a package for the script

Copy serviceUI.exe (From MDT Toolkit) to the same folder.

In the Task Sequence after initial format of the drive create a Run Command Line step using the package that you created

with the command: ServiceUI.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File AssetTag.ps1

 

Thanks Nickolaj and Dave Green for the initial form

 

MDT Toolkit files fail to download - could not resolve source

IMG_6554

If this happens during OSD, it is likely due to 2 settings in the BIOS.

 

I recommend

WIN7 -

Boot mode: Legacy
Sata mode: AHCI

Win10-

Boot mode: UEFI
Sata mode: AHCI

 

 

From the log:
The task sequence execution engine failed executing the action (Use Toolkit Package) in the group (Initialization) with the error code 2147942561
Action output: ... ursiveCreatePath(sPath.substr(0, nPos), psa), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\core\ccmcore\path.cpp,104)
RecursiveCreatePath(sPath.substr(0, nPos), psa), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\core\ccmcore\path.cpp,104)
RecursiveCreatePath( sNormalizedPath, psa ), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\core\ccmcore\path.cpp,159)
DownloadContentLocally (pszSource, sSourceDirectory, dwFlags, hUserToken, mapNetworkAccess), HRESULT=800700a1 (e:\nts_sccm_release\sms\framework\tscore\resolvesource.cpp,3582)
TS::Utility::ResolveSource (pszPkgID, sPath, 0, hUserToken, mapNetworkAccess), HRESULT=800700a1 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\runcommandline.cpp,399)
cmd.Execute(pszPkgID,sProgramName, dwCmdLineExitCode), HRESULT=800700a1 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\main.cpp,372)
Failed to resolve the source for SMS PKGID=PS10098B, hr=0x800700a1
Install Software failed to run command line, hr=0x800700a1. The operating system reported error 2147942561: The specified path is invalid.

 

Build and Capture fails if KB3160005 IE sec cumulative update is installed


Update: Adding more scratch space to the boot wim seems to have resolved the problem on Windows 10, Windows 7 seems to still have issues.

Update: This update is also in Windows 10 CU 3163018, causing the same error. No workaround yet 

If your build and capture is failing at the capture step make sure you don't have the cumulative Security Update for IE11 KB3160005. It's somehow stopping the registry load part of the step.

The task sequence execution engine failed executing the action (Capture the Reference Machine) in the group (Capture the Reference Machine) with the error code 2147943850
Action output: ... software" into HKLM\OfflineRegistry1
RegLoadKey( oRegKeyHKLM, sRegKey, sRegHivPath), HRESULT=800705aa (e:\qfe\nts\sms\framework\osdcore\offlineregistry.cpp,68)
LoadHive( szPathBuffer, m_sRegKeySoftware, m_oRegKeySoftware ), HRESULT=800705aa (e:\qfe\nts\sms\framework\osdcore\offlineregistry.cpp,190)
m_oOfflineRegistry.Init(pszSystemRoot), HRESULT=800705aa (e:\qfe\nts\sms\framework\osdcore\offlineos.cpp,737)
rDefaultOs.initialize(sTargetSystemRoot), HRESULT=800705aa (e:\nts_sccm_release\sms\client\osdeployment\capturesystemimage\capturesystemimage.cpp,613)
VerifySystemForCapture(DefaultOs), HRESULT=800705aa (e:\nts_sccm_release\sms\client\osdeployment\capturesystemimage\capturesystemimage.cpp,859)
Finished with error code 0x800705AA
Failed to load "C:\WINDOWS\system32\config\software" (0x800705aa).
Failed to load the offline SOFTWARE registry (0x800705aa).
Failed to validate for capture. 
nsufficient system resources exist to complete the requested service. (Error: 800705AA; Source: Windows). The operating system reported error 2147943850: Insufficient system resources exist to complete the requested service.

 

Adding Admin Elevated websites to trusted sites/intranet/etc

admin portal shortcut

It's very easy to customize the trusted sites for users by using group policy preferences without locking the settings down however what about websites that need to be ran as a different user?

To work around this I created a simple C Sharp program that sets the registry before launching the site in IE

 

using System;
using System.Diagnostics;
using System.ComponentModel;
using Microsoft.Win32;


namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\", "", ""); //Tree
            Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "", ""); //Branch
            Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains", "", ""); //Branch
            Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\happysccm.com", "", ""); //Branch
            Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\happysccm.com", "*", "1", RegistryValueKind.DWord); //Branch's value
            Process.Start("IExplore.exe", "http://portal.happysccm.com");
        }
    }
}

Zones:
Value Setting
------------------------------
0 My Computer
1 Local Intranet Zone
2 Trusted sites Zone
3 Internet Zone
4 Restricted Sites Zone

Create the Installer:

Compile the package and copy it to where you want it on the clients system. Then create a shortcut to the exe.

Copy the exe and shortcut to your network share.
Create an Install.bat:

xcopy.exe "Admin Portal.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\" /Y
xcopy.exe IDMAdmin.exe C:\ProgramData\IDMAdmin\ /Y

Deploy!

 

Microsoft Edge and Enterprise Mode

Microsoft really wants everyone to use it's shiny new browser, and I think everyone should. It is a completely new browser built for the modern web however there are limitations to building a browser just for the modern web mainly being legacy support of activex controls and Java so it's understandable that companies don't want Edge as the default browser however there is another way. The new Enterprise mode group policy lets companies decide what web pages will open in Internet Explorer instead. Ideally it would have been nice to have these sandboxed in an Internet Explorer tab however Microsoft wants the end user to know that this is what the organization has decided.

Setting up Edge Enterprise Mode

The first thing you need to do is download and install the Enterprise Mode Site List manager

https://www.microsoft.com/en-us/download/confirmation.aspx?id=42501

This is a simple tool that creates and versions a xml file that the client computer reads when launching the Edge Browser.

You can add and edit sites in this tool and then save as an XML File

Example adding ebay.com

enterprise mode for Edge

You can later turn off Open in IE once the business website is compatible with Edge.

Once you have made your list Click File > Save to XML

Now have a look at the xml file, it should look something like

 

<rules version="7">
<docMode />
<emie>
<domain exclude="true">ebay.com</domain>
<domain doNotTransition="true" exclude="false">cnet.com</domain>
</emie>
</rules>

This example sets eBay to load up in Internet Explorer and we have set cnet.com to now open in Edge from now on.

Once you are happy with your config it's time to test it as a group policy

The policy is Computer Configuration > Windows Components > Microsoft Edge > Configure the Enterprise Mode List

enterprise mode group policy

The value here can be

  • Drive Letter C:\EnterpriseMode.xml
  • Web URL http://localhost:8080/EnterpriseMode.xml
  • Network Share \\NetworkShare\EnterpriseMode.xml (I recommend placing this inside the group policy folder on Sysvol)

Alternatively you can also send all intranet sites to Internet Explorer using the group policy setting 'Send all intranet sites to Internet Explorer 11'

Testing

Using Edge browser enterprise mode

 

Hey Cortana! How do I add additional speeches during OSD so you work?

cortana

For Cortana to work with your language you need to install the appropriate speech pack however if you are connected to an enterprise WSUS you won't be able to see additional downloads for your language.

To work around this you can get the language cab files from the 'Windows 10 Features on Demand' iso available via volume license and MSDN downloads, then use dism commands to apply the desired language packages. Currently the available ones are

  • German - Germany (Microsoft-Windows-LanguageFeatures-Speech-de-de-Package.cab)
  • English - Australia (Microsoft-Windows-LanguageFeatures-Speech-en-au-Package.cab)
  • English - Canada (Microsoft-Windows-LanguageFeatures-Speech-en-ca-Package.cab)
  • English - United Kigndom (Microsoft-Windows-LanguageFeatures-Speech-en-gb-Package.cab)
  • English - India (Microsoft-Windows-LanguageFeatures-Speech-en-in-Package.cab)
  • English - United States (Microsoft-Windows-LanguageFeatures-Speech-en-us-Package.cab)
  • Spanish - Spain (Microsoft-Windows-LanguageFeatures-Speech-es-es-Package.cab)
  • French - France (Microsoft-Windows-LanguageFeatures-Speech-fr-fr-Package.cab)
  • Italian - Italy (Microsoft-Windows-LanguageFeatures-Speech-it-it-Package.cab)
  • Japanese - Japan (Microsoft-Windows-LanguageFeatures-Speech-ja-jp-Package.cab)
  • Chinese - China (Microsoft-Windows-LanguageFeatures-Speech-zh-cn-Package.cab)
  • Chinese - Hong Kong (Microsoft-Windows-LanguageFeatures-Speech-zh-hk-Package.cab)
  • Chinese - Taiwan (Microsoft-Windows-LanguageFeatures-Speech-zh-tw-Package.cab)

Note: Cortana is currently only available in United States, Japan, Australia, and Canada and India (in English) however having the speech packs installed will help your deployment if other markets open up.

You can also install the Text to speech pack along side. For example

Microsoft-Windows-LanguageFeatures-TextToSpeech-en-au-Package.cab adds Aussie Catherine and British James however Cortana doesn't use them.

Cortana speech settings

 

To deploy during OSD create a package with the desired speech packs and an Install.bat file. The following  example of install.bat sets up English-Australia and also adds text to speech voices, you can add additional packages by changing the PackagePath:

DISM /Online /Add-Package /PackagePath:Microsoft-Windows-LanguageFeatures-TextToSpeech-en-au-Package.cab
DISM /Online /Add-Package /PackagePath:Microsoft-Windows-LanguageFeatures-Speech-en-au-Package.cab

And then create a Run Command Line step in the task sequence referencing the package with Disable 64-bit file system redirection

OSD Cortana Speech

install.bat

 

To set the default Speech Language you need to modify the default user reg. This can be achieved in 3 commands during the task sequence

Load Default User Registry

reg load HKU\DefaultTemp "C:\Users\Default\NTUSER.DAT"

Set Default SpeechRecognizer

reg add "HKU\DefaultTemp\Software\Microsoft\Speech_OneCore\Settings\SpeechRecognizer" /v RecognizedLanguage /t REG_SZ /d en-AU /F

Unload Default User Registry

 reg unload HKU\DefaultTemp

OSD default profile

Ensure the Operating System applys to C: drive not D: drive

reeval

This problem will increase more and more as everyone starts to use wim's instead of the OS media in SCCM.

There are a few workarounds for this problem however the best method is to force the new OS the reevaluate Drive Letters with 3 easy steps after applying the OS

Create a Run Command Line step for each of the 3 commands

Reg.exe load HKLM\Temp %OSDTargetSystemDrive%\Windows\system32\config\system

Reg.exe delete HKLM\Temp\MountedDevices /va /f

Reg.exe unload HKLM\Temp

 

This forces the default behaviour of Windows to choose the drive letter.

 

For more information and other workarounds see http://blogs.technet.com/b/configurationmgr/archive/2014/04/28/how-to-ensure-that-windows-installs-on-c-during-a-system-center-2012-configuration-manager-osd-task-sequence.aspx

Creating Collections to deploy ConfigMgr client updates (the easy way)

main

Get the Servicing Exstension from Microsoft NOW as it does all the work!!! http://blogs.technet.com/b/configmgrteam/archive/2014/12/09/now-available-microsoft-system-center-2012-configuration-manager-servicing-extension.aspx

Once you have this, in the Admin node, there's a site servicing section -> client targeting. You click 'Create Query' and it makes a nice query for your collections.

CreateColls

Then you go about creating your collection.

Screenshot 2015-02-05 09.39.11

click next. Select Add Rule -> Query Rule

 

Click Import Query Statement and choose the nice query microsoft made for you.

Screenshot 2015-02-05 09.44.29

Deploy the cumulative update to the clients.