PS: Set ‘Allow users to interact’ on all existing Deployment Types

I wanted users to be able to see when application installations are running on their machines. This setting allows me to set the Application behavior to Install for System and still have the users interact with it.

This is great if you are wrapping your applications in PS app deployment toolkit and have configured some applications that need to be closed before the installation can proceed or that otherwise need the user to interact with them.

And with Configuration Manager 1802 this now works in system context. However the caveat is that if something goes wrong, the users will be able to interact with the executable in system context. They can potentially do something naughty.

So it should be used with care. That’s why I of course created this script to loop through all applications and set this on every deployment type. The code is heavily inspired by a post by Lars Halvorsen.

# Run from the site drive with the ConfigurationManager module loaded.
# $AllApplications was not defined in the original listing; Get-CMApplication fills it here.
$AllApplications = Get-CMApplication

Foreach ($application in $AllApplications) {
    Write-Host -ForegroundColor Yellow ("Verifying application: " + $application.LocalizedDisplayName)
    $AllDeploymentTypes = Get-CMDeploymentType -ApplicationName $application.LocalizedDisplayName | Select-Object LocalizedDisplayName
    Foreach ($DeploymentType in $AllDeploymentTypes) {
        Write-Host -ForegroundColor White ("Evaluating deployment type: " + $DeploymentType.LocalizedDisplayName)
        # Turn on 'Allow users to interact' for this deployment type
        Set-CMDeploymentType -ApplicationName $application.LocalizedDisplayName -DeploymentTypeName $DeploymentType.LocalizedDisplayName -MsiOrScriptInstaller -RequireUserInteraction $true
    }
}

Please note that the code executes with the speed of an old lady walking uphill in a hurricane. I’m sure it can be tweaked; the Set-CMDeploymentType cmdlet should be replaced with Set-CMScriptDeploymentType or Set-CMMsiDeploymentType. But it gets the job done.
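Because of the caveat above (an interactive installer running as System), it is worth listing exactly which deployment types combine the two settings. The following is an added example, not part of the original script: it parses deployment type XML and reports every type that installs for System with user interaction allowed. The sample XML is constructed, and the Arg names (ExecutionContext, RequiresUserInteraction) are assumed to match what your site stores in SDMPackageXML, so verify them against one of your own applications first.

```powershell
# Constructed sample in the shape of an application's SDMPackageXML (trimmed).
# Titles and values are made up for illustration.
$sampleXml = @'
<AppMgmtDigest xmlns="http://schemas.microsoft.com/SystemCenterConfigurationManager/2009/AppMgmtDigest">
  <DeploymentType><Title>Editor (PSADT wrapper)</Title><Installer><InstallAction><Args>
    <Arg Name="ExecutionContext" Type="String">System</Arg>
    <Arg Name="RequiresUserInteraction" Type="Boolean">true</Arg>
  </Args></InstallAction></Installer></DeploymentType>
  <DeploymentType><Title>Agent (silent MSI)</Title><Installer><InstallAction><Args>
    <Arg Name="ExecutionContext" Type="String">System</Arg>
    <Arg Name="RequiresUserInteraction" Type="Boolean">false</Arg>
  </Args></InstallAction></Installer></DeploymentType>
  <DeploymentType><Title>Per-user tool</Title><Installer><InstallAction><Args>
    <Arg Name="ExecutionContext" Type="String">User</Arg>
    <Arg Name="RequiresUserInteraction" Type="Boolean">true</Arg>
  </Args></InstallAction></Installer></DeploymentType>
</AppMgmtDigest>
'@

function Get-InteractiveSystemDeploymentType {
    param([Parameter(Mandatory)][string]$SdmPackageXml)

    $doc = [xml]$SdmPackageXml
    # local-name() keeps the XPath independent of the document namespace
    foreach ($dt in $doc.SelectNodes("//*[local-name()='DeploymentType']")) {
        # Collect the install action arguments into a name -> value table
        $installArgs = @{}
        foreach ($a in $dt.SelectNodes(".//*[local-name()='InstallAction']//*[local-name()='Arg']")) {
            $installArgs[$a.GetAttribute('Name')] = $a.InnerText
        }
        # Flag only the risky combination: runs as System AND shows UI to the user
        if ($installArgs['ExecutionContext'] -eq 'System' -and
            $installArgs['RequiresUserInteraction'] -eq 'true') {
            [pscustomobject]@{
                DeploymentType   = $dt.SelectSingleNode("*[local-name()='Title']").InnerText
                ExecutionContext = $installArgs['ExecutionContext']
                UserInteraction  = $true
            }
        }
    }
}

# Reports only 'Editor (PSADT wrapper)' for the constructed sample
Get-InteractiveSystemDeploymentType -SdmPackageXml $sampleXml

# Against a live site (run from the site drive):
# Get-CMApplication | ForEach-Object { Get-InteractiveSystemDeploymentType $_.SDMPackageXML }
```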

 


Remove the People bar from Taskbar Windows 10 1709

Windows 10 1709 Creators Fall edition enables the People functionality by default.
Group Policies are updated for Windows 10 1709 – download the ADMX files from here. And check this overview to see what has changed. Update your central store and find your way to the new user setting:

User Configuration \ Policies \ Administrative Templates \ Start Menu and Taskbar \ Remove the People Bar from the taskbar (Enabled)


Alternatively it can be set in the user registry:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People\PeopleBand (32-bit DWORD)

0 to disable and 1 to enable


Capture Windows 10 (1703) Reference Image in Config Manager, sysprep error

If you get a sysprep error trying to capture Windows 10 1703, please read Johan’s blog. But if you are using SCCM and not MDT to capture the reference image, read on.

Expected image state is IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE, actual image state is IMAGE_STATE_COMPLETE, sysprep did not succeed.
FAILURE ( 6192 ): ERROR – Sysprep did not complete successfully, check C:\windows\system32\sysprep\panther\setupact.log for details

“Why do you use MDT?” That was a common question asked by speakers at MMS 2017. And not a lot of people had a really good answer. Most said it was because they followed Niall Brady, Johan Arwidmark or Mikael Nyström’s guides.

If you need the MDT gather function, then consider using Jason Sandys UI++. You don’t have to replace your OSD method of applying images, just include the tool silently to do the gather and populate the variables for you.

Monitoring via MDT is the only thing I can think of (right now) that might be a reason to keep using MDT. But I haven’t heard of anyone using it very much.

So I decided to try a life without MDT in my latest Configuration Manager build. And so far it’s possible, but it does make it harder to steal with pride from Johan:

  1. Johan’s Visual Studio C++ Redistributables scripts won’t work off the bat. You can steal ZTIUtility.vbs and include it in the package and alter the path in the WSF file to include the script.
  2. The Disable Windows Store script won’t work either. So I made a quick and dirty one in PowerShell.

It’s not pretty, it assumes a lot of paths compared to the other dynamic script – so please adapt it to your needs:

### Title: Disable Windows Store Updates during Reference Image Capture
### Purpose: To prevent sysprep from failing because the reference PC had internet access and updated Windows Apps. https://deploymentresearch.com/Research/Post/615/Fixing-why-Sysprep-fails-in-Windows-10-due-to-Windows-Store-updates
### Date and author: Bo Bertelsen, 2017-09-19

# Mount the SOFTWARE hive of the installed OS under a temporary key (path is hard-coded, adapt it)
reg load 'HKLM\NewOS' 'C:\Windows\system32\config\software'
$registryPath = "HKLM:\NewOS\Policies\Microsoft\WindowsStore"
# Create the policy key if it does not exist yet
New-Item $registryPath -Force | Out-Null
$Name = "AutoDownload"
$value = "2"
# AutoDownload = 2 is the value that turns off automatic Store app updates
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
# Release open registry handles, otherwise the hive cannot be unloaded
[gc]::collect()
reg unload 'HKLM\NewOS'

 

 

CU install failed – 0x800f0821 / 80242008 / 8024000B

Recently in my test setup my ADR deployed the latest set of patches, and it all went smoothly except for all my Windows Server 2016 installations. They all failed trying to install: “2017-08 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4034658)”

After checking that everything looked okie dokie from the basic SCCM viewpoint (download of content etc.), I looked to WindowsUpdate.log to see if it gave me anything to go on, only to realize that the log is empty in Server 2016 and that I have to use the Get-WindowsUpdateLog PowerShell command to convert ETW traces into a readable WindowsUpdate.log (which is then copied to your desktop).

The log shows that after waiting for 10 minutes it throws the errors 0x800f0821 / 80242008 / 8024000B

An operation being done by the update handler was cancelled. / Operation was cancelled.

Source: Windows Update Agent

A quick google points towards the Maximum run time limit of the patch being the main offender. This is configured individually in the updates. You can mass select the updates in your update group and change it for all the patches.

I changed this from the default 10 minutes to 180 minutes, and after waiting and refreshing the client policies the appropriate amount of times the update installed smoothly when given more time. It’s important to note here that if you are using maintenance windows you should keep the max run time lower than the maintenance window, otherwise it won’t attempt/trigger the installation.


Why the default time is only 10 minutes is not clear, and there’s no way of changing the default value. You have to change it afterwards on all your patches either manually or via PowerShell. Seeing that MS is switching to CUs across the board I would like to see the default value raised. According to this popular uservoice it’s been “addressed” in Configuration Manager 1706 (which I am running), but only for Windows 10.

Please consider upvoting this uservoice raising it for Server 2016 too.

 

 

Remote check KMS status of a client

Connect to the remote computer via PowerShell

Using Right Click Tools (Recast RCT from Now Micro) I started an Interactive Remote PowerShell session with my client. Alternatively you can connect manually if allowed in your environment.

Output readable in PS prompt

To get the script to output the data in a way I could read instantly, I wrote the output to a local file and then read it in the prompt. Alternatively you can change the output to a share.

cscript c:\Windows\system32\slmgr.vbs /dlv > c:\Windows\logs\dlv.txt
more c:\Windows\logs\dlv.txt

Set up your Config Mgr Test environment part 1

Introduction

We should all have a place to test different things in Configuration Manager without risking affecting production clients. If you need a million good reasons why to establish a test environment, please ask MVP Johan Arwidmark and I’m sure he will be able to provide them as that’s something he is very passionate about.

In this series I will attempt to explain how to set up the basis of your own test setup on your own hardware. I will not re-create Configuration Manager setup guides as there are hundreds of them out there, but I will focus on the things that I’ve learned gathering the pieces for the complete setup, with several links for the stuff that other people already have covered better than I ever will.

Alternatives

Microsoft Hands-on Labs – Self-paced Labs
If you need a place to test Configuration Manager settings but don’t have the hardware for it (or can’t get your boss to pay for it), the hands-on lab is an option. You get a set of tasks to complete, but you can ignore them and just use the test setup to test whatever you need. The test environment is live for approx. 2 hours, and will then be scrapped, so plan out what you need to test beforehand.

Windows 10 Deployment and Management Lab Kit
This option requires you to have the hardware for it too, but it gives you premade virtual hyper-v computers/servers to turn on with Config Mgr CB, MDT and Windows 10.

Azure DevTest Labs
This option is not free. But it frees you from having to acquire your own hardware. It requires an Azure account, which can be created for free. However, you pay for usage of the DevTest.

Hardware requirements

CPU: Intel i7 or Xeon capable of virtualization

RAM: minimum 16 GB – recommended 32 GB

Hard drive: Extra hard drive where the host OS is not located – SSD. Minimum 500 GB recommended 1 TB

Example: Lenovo ThinkPad W541, replace optical drive with hard drive bay adapter, 500 GB SSD and 4x 8 GB (non-ecc) RAM

Choice of OS

Depending on your hardware you could either go with Windows 10 Enterprise or Windows Server 2016 for your Hyper-V host. I’ve chosen Server 2016 although all my hardware isn’t fully supported driver wise in Server 2016; Wifi, fingerprint etc. – the components that matter are.

I will end this blog post here and follow up very shortly with Part 2 where we’ll go into detail with Hyper-V, DeDup and NAT with powershell.