master-client(-management)

Take Windows Up to 11

Category: SCCM

Windows 10 1909 nice to know for IT Pros and Enterprise admins (curated link list)

Latest Update: November 15, 2019

Even though Windows 10 1909 is only a small update compared to 1903 (NTK 1903) I have created this list with interesting links for IT Pros regarding this release. A place where I can store articles about new features, settings or bugs. I will update the post with new content as soon as I find it.
If you find something new before me or if I missed anything important please write a comment or send me a message via Twitter.

General

Topic Description Source
What’s new for IT Pros New and Updated Features of interest to IT Pros Link
What’s new What’s new in Windows 10, version 1909 Link
Release Status Known issues and notifications Link
Removed features Features and functionality removed in Windows 10 Link

Group Policies

Topic Description Source
WMI Filter Select Version,ProductType from Win32_OperatingSystem WHERE Version LIKE "10.0.18363%" and ProductType = "1" Link
ADMX ADMX files for 1909 Link

Autopilot, OSD, SCCM and MDT

Topic Description Source
No new ADK Windows 10 1903 ADK is used with 1909 Link
Servicing not Updates Even though the 1903 to 1909 Enablement package is a very small update it is classified as an upgrade and can be found in the servicing node Link

Misc

Topic Description Source
Supported CPUs Windows Processor Requirements Link
Delivery Options Windows 10, version 1909 delivery options Link

Windows 10 1903 nice to know for IT Pros and Enterprise admins (curated link list)

Latest Update: November 06, 2019

With the release of Windows 10 1903 I want to start a curated link list for every Windows 10 release. A place where I can store interesting articles about new features, settings or bugs. I plan to update with new content as soon as I find it.
If you find something new before me or if I missed anything important please write a comment or send me a message via Twitter.

General

Topic Description Source
What’s new for IT Pros New and Updated Features of interest to IT Pros Link
What’s new in WUfB What’s new in Windows Update for Business in Windows 10 Link
Release Status Known issues and notifications Link

Group Policies

Topic Description Source
New GPOs Group Policy Changes in Windows 10 1903 Preview Link
New GPOs New GPO settings in Windows 10 1903: enforce updates, Storage Sense, and logon Link
Security Baseline (Final) Security Baseline (Final) for Windows 10 1903 Link
Security Baseline 1903 Security Compliance Toolkit Link
WMI Filter Select Version,ProductType from Win32_OperatingSystem WHERE Version LIKE "10.0.18362%" and ProductType = "1" Link
ADMX Download of 1903 ADMX files Link
Start Menu crash Continue experiences on this device Group Policy setting kills the Start Menu Link

Autopilot, OSD, SCCM and MDT

Topic Description Source
WSUS category Windows 10 1903 has ist own WSUS product category, SCCM 1902 required to manage 1903 Link1 Link2
What’s new in ADK Changes to the ADK especially the known issues Windows SIM x64 error Link WSIM Update
Autopilot The latest news on Windows Autopilot Link
Autopilot Companion Example Companion App to change settings during White Glove deployments Link
Autopilot White Glove Windows Autopilot for white glove deployment Link
High CPU SCCM WoL Proxy High CPU consumption of SCCM wake-up proxy due to DHCP data storage changes Link
MBR2GPT PE error MBR2GPT.exe will not run successfully in 1903 PE because ReAgent.dll is missing Link
Autopilot needs longer Why does “Preparing your device for mobile management” take longer with Windows 10 1903? Link
Autopilot ESP Bitlocker Since June 26th update of 1903 Autopilot will wait after OOBE (ESP) to begin encrypting Link
Autopilot Known issues Windows Autopilot known issues in Windows 10 1903 Link

Apps

Topic Description Source
Apps, AppX Windows 10 1903 Built-In Apps: What to Keep Link
Builtin AppX Understand the different apps included in Windows 10 Link

MDM

Topic Description Source
What’s new in MDM What’s new in MDM for Windows 10, version 1903 Link
MSfB Apps not deployed Take Action to Ensure MSfB Apps deployed through Intune Install on Windows 10 1903 Link

Misc

Topic Description Source
Sandbox Enable Windows Sandbox on 1903 with and without PowerShell Link
Sandbox Configuration How to configure Windows Sandbox Link
Sandbox Mapped Folder If you use mapped folder in Windows Sandbox, note that the ReadOnly value should be in lowecase like “true” and not “True” Link
Run in Sandbox Run file in Windows Sandbox from right-click and Context menu Link
Reserved Storage Windows 10 and reserved storage Link
WSL What’s new for WSL in Windows 10 version 1903? Link
Provisioning error on Wi-Fi for AAD Known issue: Provisioning error on Wi-Fi for Azure AD joined Windows 10 version 1903 Link
HV DHCP Default Switch Hyper-V Default Switch not handing out DHCP addresses for VMs or Mobile Hotspot Link
SBS Essentials connector broken Windows 10 1903 feature update breaks the SBS, Essentials client connector Link
Always On VPN RASMAN service issue The Remote Access Connection Manager (RASMAN) service may stop with error “0xc0000005” Link
VSM enabled by default Virtualization-Based Security: Enabled by Default on capable hardware since OS Build 18362.387 Link

Install Microsofts January Meltdown / Spectre Updates during SCCM or MDT Build and Capture Task Sequence

Problem

I tried to create images of Windows 7 and Windows 10 (1607, 1703, 1709) with a SCCM Build and Capture Task Sequence. I deployed the January Windows Updates to the imaging clients so that the images should include the fixes for the Meltdown and Spectre vulnerabilities. But unfortunately this did not work. The reason is that the Antivirus compatibility Registrykey mentioned in this article had not been set before the updates were installed.

Update: After testing Build and Capture of Windows 10 with MDT I have added the necessary steps to the article.
Update 2: Thanks to @manelrodero for pointing out that a reboot is not required between setting the key and the Install Update step.
Update 3: Microsoft announced that this is not longer necessary beginning with the Cumulative Update 03-2018

Solution

You just have to add the registry in your Build and Capture sequence right before the update step performs the update scan.

SCCM

  1. Add a Run Command Line Step to your Build and Capture Task Sequence before the Install Updates step containing the following line
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /T REG_DWORD /D "0x00000000" /F

QualityCompat Key
2. Make sure that the box Evaluate software updates from cached scan results is not checked in the first Install Updates step.

Install Updates step

MDT

  1. Add a Run Command Line Step to your Build and Capture Task Sequence before the Windows Update (Pre-Application Installation) step containing the following line
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v cadca5fe-87d3-4b96-b7fb-a231484277cc /T REG_DWORD /D "0x00000000" /F

QualityCompat Key

Create LAPS managed user with SCCM Configuration Item

Microsoft has released LAPS (Local Administrator Password Solution) to easily allow different complex passwords for the local Administrator account on every client. It also allows to manage another user than the Built-in Administrator with the Well-Known SID (-500). But it does not create such a user.

In this article, I show you how to configure a SCCM Configuration Item to create such a user with a dynamic password.

Update: I removed an issue in the remediation script which did not always delete the password expiration time in a multi domain environment.

I won’t go into the details of configuring LAPS in your environment, there are already some really good articles about that topic.

The validation script

The validation script checks the following:

  • is LAPS enabled?
  • is LAPS installed?
  • is an Admin Account Name specified in the GPO?
  • Does the Admin Account exist?

The remediation script

The remediation script creates a local user with the name specified in the Group Policy and sets a random complex password. After that it deletes the expiration time attribute (ms-Mcs-AdmPwdExpirationTime) from the Active Directory computer object so that LAPS will set a new password on the next policy update. Finally, it triggers a policy update.

It does not add the user to the Administrator group. I recommend to do this with Group Policy.

Group Policy setting

If you want to manage another local user than the Built-in Administrator you have to configure the following policy setting in your Group Policies:

Computer Configuration\Policies\Administrative Templates\LAPS\Name of the administrator account to manage

Set it to enabled and enter the name of the local account you want to create.

LAPS GPO setting

Configuration Manager

Create Configuration Item

In the SCCM console go to Assets and Compliance - Compliance Settings - Configuration Items and click on the Create Configuration Item .

Specify a name and select Windows Desktops and Servers (custom) as type.

Select the Operating system versions you want to support (requires PowerShell).

Click on the New… button.

Specify a name for the setting and select as Setting type Script and as Data type String.

Click on the upper Edit Script… button in the Discovery script area. Then select PowerShell, and copy paste the following script to the script area.

Do the same with the lower Edit Script… button in the Remediation Script area with the following script.

Change to the Compliance Rules Tab and click on the New… button.

Define a Name for the rule select Rule type Value. The value returned by the specified script should be Equals the following values True.

Make sure you select the Run the specified remediation script when this setting is noncompliant checkbox.

You can choose the severity of this rule. For me Warning is high enough.

After that you can complete the creation of the Configuration Item.

Create Configuration Baseline

Now you have to create a Configuration Baseline in Assets and Compliance - Compliance Settings - Configuration Baselines .

Choose a Name for the baseline and Add the configuration item you have created earlier.

Deploy Configuration Baseline

After that you can Deploy the Configuration Baseline to a collection.

Please make sure to select the Remediate noncompliant rules when supported and the Allow remediation outside maintenance window check boxes.

Besides,you have to select how often this rule will be checked. I selected once per day.

Test the Configuration Baseline

After successfully deploying the baseline you should check the Configurations Tab in the Configuration Manager Properties Control Panel on one of your clients.

If the rule was not already evaluated press the Evaluate button.

After successfully evaluating the rule it will be shown as Compliant and the user was created.

The LAPS agent now has a target user and will soon change the password of the user and save this new password to the Active Directory object of the computer.

Hints

  • Check the DcmWmiProvider.log if you get any errors executing the baseline. There you can see the real PowerShell error.
  • If you see a message there like the one in the screenshot below you have to configure PowerShell execution policy to Bypass in the Computer Agent section in the Client settings or you have to sign the scripts with a Code-Signing-Certificate.


SCCM CB client push is not working on devices with TP agent

Problem

If you have installed the SCCM agent of a recent Technical Preview Build on a client it is not possible to push the current branch agent to it. I tested this with TP 1706 / CB 1702 and with TP 1707 / CB 1706.

This does not work even if the options Always install the client and Uninstall existing Configuration Manager client before the client is installed are selected.

As you can see in the log the request is skipped because a newer agent version is already installed.

Solution

You have to manually uninstall the Technical Preview agent before pushing from the CB console

%windir%\ccmsetup\ccmsetup.exe /uninstall

Task sequences are not showing up in SCCM Software Center when multiple users are logged on

Problem

I recently ran into the problem that the task sequence I wanted to test won’t show up in the SCCM Software Center. I checked for a common misconfiguration like

  • Deployment schedule
  • Configuration Manager Client active
  • Client in the correct collection
  • Deployment deployed to the correct collection
  • Client in a boundary with a distribution point
  • Packages deployed to the Distribution Point
  • Check the _SCCLient_%USER%.log, LocationServices.log, PolicyAgent.log, PolicyEvaluator.log,…
  • etc.

But all this was configured correct or did not show any errors.

Solution

I found out after some time that my colleague was still logged on to this computer. After logging him off the Deployments appeared as expected in the Software Center.

Knowing what to look for I found this thread:

Technet: Applications but not Programs showing in Software Centre

What have I learned:
Check if you have the lowest session ID when multiple sessions exist!