Archive for the ‘Configuration Manager 2012’ Category

So a while back I implemented a working Windows XP to Windows 7 refresh using Configuration Manger 2012 R2, some of you may be aware that this was an issue initially as there was a bug with the client being unable to stage the boot image just prior to the initial restart into WinPE. To address this a hotfix was released however the whole process had a lot of caveats to it working and was generally painful to implement.

Good news, nothing has changed with that! So last week I was thinking maybe my existing process can be used to achieve a Windows XP to Windows 10 refresh, surely that’s possible assuming that the original change Microsoft made in the client to support staging a Windows PE 3.1 boot image had been retained in the latest Configuration Manager 2012 R2 SP1 client? Well I’m happy to report that with a few changes this is indeed possible, although totally unsupported my Microsoft!

A note before proceeding. This¬†is not supported by Microsoft and I take no responsibility for any adverse outcomes if you choose to implement this in a production environment ūüôā

So with that out of the way how do we go about this?

Well the main problem with trying to do this is the issue of staging the boot image to Windows XP – so make sure that you have a Windows PE 3.1 boot image and that you have a Configuration Manager client on your Windows XP OS that is 5.00.8239.1203 or higher. If you get this wrong, you will see an error in the logs relating to an inability to stage the image as per the below screen grab. The other main issue your likely to run into is a lack of drivers in your Windows PE 3.1 boot image, so spend some time making sure you have all of your hardware models NIC and storage drivers added to the boot image that are required.


A few assumptions are going to be made by me here.

  • You have a working Configuration Manager 2012 R2 SP1 site with Cumulative Update 1 installed + hotfix¬†KB3084586
  • You have installed the Windows ADK 10 and have a working USMT 10 package
  • You have installed MDT 2013 Update 1 and have integrated it with your Configuration Manager instance
  • You have a working USMT 4 package (You can download the Windows AIK to grab the USMT files, usually in c:\Program Files\Windows AIK\Tools\USMT)
  • Your Windows XP machine has a working, active Configuration Manager agent installed at version 5.00.8239.1203 or higher
  • You have a working custom Windows PE 3.1 x86 boot image with your hardware model network and storage drivers injected into it – follow this guide for building your own boot image. You can use DISM to inject drivers in a mounted wim file with this documentation. Remember that you will need to inject the correct driver versions relevant to the PE 3.1 boot image, in most cases this will be the Windows XP equivalent for each of your hardware model types.
  • You have added this Windows PE 3.1 x86 boot image to your Configuration Manager environment and have replicated it to your Distribution Points


  • You have a Windows 10 reference image

The process

  • Create your USMT 4 package and distribute the package to your Distribution Points. As mentioned previously the source files can be obtained from the Windows AIK.


  • Create a new MDT Client Replace Task Sequence specifying your Win PE 3.1 boot image, MDT Files package, Windows 10 OS reference image, Client package, USMT 10 package and your Settings Package. Make sure that you add any driver packages, applications and other settings for your Windows 10 OS such as Start Menu Layout file import steps, etc. Also don’t forget to set a local administrator password, time zone and any other Task Sequence specific settings that need to be addressed.



  • Edit the newly created Task Sequence so that the Capture User State step runs your USMT 4 package. Even though Microsoft have documented that USMT 10 supports capturing files and settings from Windows XP, it fails with an execution error about scanstate.exe not being a valid Win32 Application. Note that you could use USMT 5.0 however I already had a working USMT 4.0 Files package so for this blog I have chosen to leave the version at this level. You can leave the Restore User State step as USMT 10 as it will restore the data from the Capture User State step.


  • Create a new collection for deployment and review your Task Sequence.
  • Check that your Windows XP client is running the correct Configuration Manager client version of 5.00.8239.1203 or higher¬†and add your Windows XP client to the collection.







  • Review your results.¬†Its worth mentioning that the User State Migration Process doesn’t restore the wallpaper settings between Windows XP and Windows 10 and I don’t believe this is possible. However I’m happy to be corrected on this one if anyone does manage to achieve this. It does however migrate the source jpg and I’ve just reset this as the background image.





There are a number of aspects to our Windows 10 corporate branding / look and feel that I have implemented recently with three main changes involved. Its worth mentioning up front that I’m not using a corporate logo or style however you could easily substitute what I have done with your own images to achieve the same outcome.

With that out of the way!

These changes are:

  1. Setting a default lock screen wallpaper that is consistent with the Windows 10 operating system and the Microsoft color scheme.
  2. Removing the default Hero wallpaper that is displayed immediately after a Windows 10 workstation is started prior to logon.
  3. Setting a default desktop wallpaper (where required).

To achieve these changes I’ve used a combination of Group Policy and Operating System Deployment choices with our Configuration Manager 2012 Windows 10 Task Sequence.

Setting the Lock Screen Wallpaper

To implement this you will need to add the following to the Group Policy that is targeting your Windows 10 workstations under Computer Configuration/Policies/Administrative Templates/Control Panel/Personalization.

  1. Set Do not display the lock screen to Enabled (This is not required although in our environment we have chosen to enable this for other reasons)
  2. Set Force a specific default lock screen image to Enabled with a value of c:\windows\web\screen\yourcustomlockscreenimage.jpg

Don’t worry about the file not actually being present at the this location, as we are going to use our Configuration Manager Task Sequence to copy the lockscreen image to the workstation as part of the build process. Alternatively you could copy the image file using a group policy preference or even reference the image to a highly available DFS file share (Although I personally don’t like the idea of this for various reasons).2015-09-28_125040

Now that we have configured our Group Policy we need to create a simple package in our Configuration Manager 2012 environment and add a step to our Task Sequence.

  1. Create a new folder for your package under your source share. I’ve called ours DoJ Windows 10 Branding but its entirely up to you.
  2. Copy your JPEG image to the folder. This image should be formatted correctly for your environment with regards to size. If your using anything other than a solid color, then you may need to have multiple images of various sizes. This blog offers a good way to manage this, but for my blog this is out of scope as I am using a solid color background with a resolution of 3840 x 2160. The color I have chosen is the default blue that is included in Windows 10.
  3. Replicate your new package.
  4. Create a new Run Command Line Task Sequence step called Copy Corporate Branding Lockscreen Image (or similar) and specify the package details as per below.2015-09-28_130411
  5. When you build a workstation now you should now see your custom lockscreen image! Note that there is a small Group Policy bug in Windows 10 which requires you to restart after your Configuration Manager Task Sequence completes. This seems to be related to Windows 10 not applying Group Policy objects even though the SMSTSPostAction variable is set with a restart command.2015-09-28_130743

Removing the Default Hero Wallpaper

I’ve seen quite a few ways of implementing this, but basically it comes down to a registry change which set the value of¬†HKLM\SOFTWARE\Policies\Windows\System\DisableLogonBackground¬†from 0 to 1.

My preference is to do this during the Operating System Deployment process, but again this change could be implemented by Group Policy or as an additional step in your Task Sequence i.e. executing a reg add command or merging a reg file.

I’ve found that using unattend.xml for this process is quite effective and simple. It also has the added benefit of reducing administrative overhead that the other solutions offer.

  1. Open your unattend.xml using Windows System Image Manager and add the following to your specialize pass from the amd64_Micorosoft-Windows-Deployment_neutral component. Please ensure that the order value is 1. In the screen captures my order value is 2 because I am applying an additional registry key change which is not relevant to this blog.2015-09-28_1324262015-09-28_132656
  2. Save your unattend.xml and replicate the package so your Task Sequence uses the updated version.
  3. Now when you deploy your reference image this registry change will be added. Please note that again, you may need to restart your workstation after the Task Sequence has completed for the change to be effective.2015-09-28_134201

Setting a Default Desktop Wallpaper

Again with this change I’ve chosen to leverage Group Policy. We have a small group of workstations that require an enforced background.

To implement this you will need to add the following to the Group Policy that is targeting your Windows 10 users under User Configuration/Policies/Administrative Templates/Desktop/Desktop

  1. Set Desktop Wallpaper to Enabled and specify the location of your image file.

You could add an additional step to your Configuration Manager Task Sequence to copy the image file to c:\windows\web\wallpaper\yourcustomwallpaper.jpg however in my case as its only a small subset of workstations, I’ve pointed the group policy to my Distributed File System.2015-09-28_134423

I hope this blog helps those of you looking to implement some changes to the default appearance of Windows 10.




If you’re having difficulty setting default file associations using the dism import method then you can try the following alternative.

  1. Perform a basic Windows 10 deployment and set your file associations manually as per your preference
  2. Create an xml file of these file associations by running Dism /Online /Export-DefaultAppAssociations:<path to xml file>\AppAssociations.xml
  3. Rename this file to OEMDefaultAssociations.xml
  4. Create a Configuration Manager Package with this file and distribute to your DP’s
  5. Add a Run Command Line step in your Windows 10 Task Sequence which copies the file to c:\Windows\System322017-01-30_145524
  6. Windows 10 will use this xml file when setting default file type associations


I’ve updated the script I use to Powershell. Process is the same though.

Be aware that a lot of people have reported difficulty in setting file association defaults with them reverting back to their defaults at first login. This seems to be related to an update that was included in the April/May Windows 10 Cumulative Update. There is no fix presently that I’m aware of however some have had the issue and some do not which makes me think its related to the application itself and how its modifying the Windows 10 default file type settings. Hopefully this will either be addressed by developers releasing updated versions of their applications that conform with Microsoft’s expectations or Microsoft releasing an update to address the issue.

  1. Create a ps1 script with the following contents: dism.exe /online /Import-DefaultAppAssociations:$PSScriptRoot\AppAssociations.xml
  2. Copy that script to a package folder with your application associations xml file
  3. Add a Task Sequence step to execute the script


With Windows 10 now approaching its 2 month anniversary since RTM, I have finally finished the reference image our agency is going to use. Its taken quite a few attempts to get things right so hopefully some of my approaches to implementing solutions to some common issues will save you some time and effort.

Firstly lets establish how I’m creating my reference image.¬†I’m using two Hyper V Virtual Machines running on a solid state drive.

1 x Server 2012 R2 with MDT 2013 Update 1 Build 8298

1 x Server 2012 R2 running a WSUS instance

Then running a pretty standard Build and Capture task sequence with LTISuspend.wsf to allow for some minor changes.¬†With that out of the way – lets talk about how I’m setting my default file associations.

By default Windows 10 has a number of default associations which you may not wish to keep. For example, by default the PDF extension is associated with Microsoft Edge so if your deploying a 3rd party PDF reader, you’re most likely going to want to deal with this. Some other file types you may want to change may include what application is associated with photos and videos as by default these are associated with the built in modern applications.¬†You may also want to change the default browser from Edge to Internet Explorer 11.

You can control file type associations with group policy and there are quite a few blogs already about this. I’ve chosen not to use this approach as it enforces a baseline set of associations and I want my environment to be flexible to allow for variation if needed.

  1. On a reference computer running Windows 10, install all of your standard operating environment applications then set your default programs as per your preference.
  2. Once finished run an elevated powershell instance and  type Dism /Online /Export-DefaultAppAssociations:<path to xml file>\AppAssociations.xml2015-09-24_133139
  3. Next create a new Configuration Manager package that includes this xml file and distribute it to your DP’s. You can edit the file if you need to make further changes. Note that you don’t need to create a program.2015-09-24_133611
  4. Now we need to create two new Run Command Line steps in our Windows 10 Configuration Manager Task Sequence. One to copy the xml file locally to the target workstation and a second to execute the DISM import command. I’ve added these steps to my OSD Results and Branding group section of my Task Sequence. Make sure you disable 64-bit file system redirection otherwise your DISM import command will error out.2015-09-24_135038 2015-09-24_135343
  5. That’s it! You will now have a reference image that has a default set of file type application associations.

Recently we noticed some performance issues in laptops with shared graphics when the Windows 7 Basic Theme was being used (particularly with external monitors using display port cables) These issues were resolved when selecting the Windows 7 Aero Theme. We were even able to reproduce the problems on the manufacturers image.

I have asked on a few international Configuration Manager forums and apparently the Windows 7 Basic theme being used as a default is a well known issue / problem for people when you capture an image using a virtual platform such as Hyper V or VMWare. Some are deploying custom branded themes (which utilizes the aero technology) and others are setting the default Windows 7 Aero theme with Group Policy as we have done with this solution. Others are aware of the setting but have elected to do nothing and leave it as is with Windows 7 using the Basic Theme as the default.

We have applied two distinct actions.

1. Apply an additional step at the end of our build Task Sequences to run winsat.exe dwm which assesses the ability of a system to display the Aero desktop effects.


2. Created a new Group Policy which targets the Windows 7 OS version via a WMI query to set the Windows 7 Aero theme (Settings located at User Configuration \ Administrative Templates\ Control Panel \Personalization: Force a specific visual style or force Windows Classic & Load a specific theme file)



Our builds are now using Windows 7 Aero theme as the default upon login.



We recently implemented the Configuration Manager 2012 Management Pack with Operations Manager 2012 to improve our ability to analyse load, performance and health of our environment.

Following the installation we initially had some issues with only the Primary Site being partially monitored and no site system roles being reported as healthy. This also included components such as our Distribution Points and Management Point.

Eventually we were successful and the Management Pack is now monitoring our environment in full. We did the following in order to resolve the problem.

  1. Installed the SCOM agent on all of our servers running either Site System or Site Server Config Manager components
  2. Enabled Agent Proxy under the Security Tab on each managed server with Config Manager infrastructure running on it including the Primary. This is contrary to the Management Pack documentation.
  3. Created SCOM exclusions for our Anti-Virus (Initially we had to completely uninstall it on our SCOM server for the monitoring to fully work)
  4. Disabled the client discovery object as we are not running Config Manager clients on our infrastructure
  5. Decreased the Hierarchy Discovery time from 86400 seconds to 600 seconds
  6. Decreased the Central Site Discovery time from 14400 seconds to 600 seconds
  7. Increased the Site Services Discovery, Hierarchy Discovery and Distribution Point Drive Discovery timeout from 300 seconds to 500 seconds
  8. Performed a manual Site System Discovery and Hierarchy Discovery from the SCOM console
  9. Waited approx 6 hours for monitoring data to initially full populate


Out of the box the management pack provides monitors for all the Config Manager infrastructure which you don’t need to create overrides for. However if you want to start collecting performance data then you do need to create overrides for each specific area. You can refer to the MP documentation here for the full list.


I’ve created some custom dashboards in addition to inbuilt ones (Note these wont work until you have tuned the MP to your requirements by enabling additional rules). Hopefully these give you an idea of what is possible with the MP. We have a couple of these cycling through on a large LCD panel in our office which give the Service Desk staff a good overview of the status of the Config Manager environment.









MANAGEMENT POINT UTILIZATION – Authentication Requests / Sec, Hardware & Software Inventory Requested / Sec




I’ve only really scratched the surface with what you can monitor and report on. Hopefully this gives everyone a good idea of what’s possible and how to do some basic installation troubleshooting based on what we experienced.



I have applied the recently released Cumulative Update 1 to my System Center 2012 R2 Configuration Manager production environment today. I thought it might be useful to blog about the process I went through. Now to be clear, the ADK 8.1 Update is not a pre-requirement for 2012 R2 CU1. I have just taken the opportunity to apply it whilst applying CU1 as a restart is required for both processes. If your interested in the new ADK version and unsure if you should apply it here is a good blog on the subject.

Step 1: Update the ADK from 8.1 to 8.1 Update The new ADK provides a number of hot fixes including some for USMT 6. Here are the release notes and here is the download link. As I was already running the ADK 8.1 , I just ran the new versions setup and installed the updated components over the top of the existing ones. Note that the installer detects which components you have installed.



I checked out the USMT folder after the setup completed and I had rebooted. It leaves your existing custom files in place and just updates the changed components – new loadstate.exe and scanstate.exe versions for a start amongst others with a date modified of 20/2/2014.


Step 2: Download and apply Cumulative Update 1 (KB2938441) It can be downloaded from here. Running through the installation process is fairly straight forward although make sure you are installing the update with an account that has appropriate access to your SQL instance.




Opening the log file shows the standard msi file install process. The log file is created in the c:\Windows\TEMP directory




I only created an update package for the new Client as I only have a small environment with one Primary and no other site servers. I also only have 5 instances of the Configuration Manager Console and have chosen to manually apply the update on those computers.




The installation and update process only takes around 5 minutes.




Rebooting the server after installation is required.


Step 3: Tweak some settings and update your USMT package I have changed the option in each Client Update package that gets created so that the installation notification is suppressed. This will prevent any notifications from appearing on computers. You can of course leave it unchecked but why bother users.


If you have your USMT Tool Package setup correctly then it should point to the USMT folder within the ADK installation folder (Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\User State Migration Tool). So all you should have to do here is simply update your distribution points. If you have a separate package, the you will need to update your source files with the new versions and then replicate that packages content.


Step 4: Create / Update your client collections and deploy the new client:

You should end up with an x86 and x64 R2 CU1 client update package in the console. I have setup some client hot fix collections to target my x64 and x86 clients with appropriate limiting base collections to ensure that I’m targeting healthy clients. Against each collection I have a query to control collection membership.

The query syntax for x64 based clients that I’m using is:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId ¬†inner join SMS_G_System_SMS_ADVANCED_CLIENT_STATE on SMS_G_System_SMS_ADVANCED_CLIENT_STATE.ResourceId = SMS_R_System.ResourceId ¬†where SMS_R_System.Client = “1” and SMS_G_System_SYSTEM.SystemType = “X64-based PC” ¬†and SMS_R_System.Active = “1” and SMS_G_System_SMS_ADVANCED_CLIENT_STATE.DisplayName = “CCM Framework” ¬†and SMS_G_System_SMS_ADVANCED_CLIENT_STATE.Version != “5.00.7958.1203”

The query syntax for x86 based clients that I’m using is:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_SMS_ADVANCED_CLIENT_STATE on SMS_G_System_SMS_ADVANCED_CLIENT_STATE.ResourceID = SMS_R_System.ResourceId where SMS_R_System.Client = “1” and SMS_G_System_SYSTEM.SystemType = “X86-based PC” and SMS_R_System.Active = “1” and SMS_G_System_SMS_ADVANCED_CLIENT_STATE.DisplayName = “CCM Framework” and SMS_G_System_SMS_ADVANCED_CLIENT_STATE.Version != “5.00.7958.1203”

Be careful when copying and pasting as the inverted commas are often copied incorrectly into the query statement window.


Then deploy your client update packages to your collections. The upgrade is quite quick, taking only a few minutes.


You will end up with a client version of 5.00.7958.1203


Step 5: Modify your Task Sequences to include the client update

This is the final step that I have done. To ensure that client patches are applied during OSD I have previously created a separate Configuration Manager Client Package with Hotfixes as per this blog.

I’ve updated this package with the new client files and copied the new hotfix msp’s (configmgr2012ac-r2-kb2938441) to the respective updates folder.

Finally I’ve modified each of Task Sequences with the updated hot fix name.


Happy updating,



I’ve implemented this solution based on information provided in the following blogs – credit to these people for posting this information.

So I’ve moved on from my old process of corporate WIM image creation. I used to build up an image from a source ISO for a respective operating system using Hyper V, make my customisations, apply patches, then use MDT to do a sysprep and capture. I know, I know, there are probably numerous reasons why you shouldn’t do this. Well no more after watching Johan’s session from System Center Universe this year here¬†

The new process involves the more contemporary approach of doing a completely automated build and capture in one process with MDT performing any additional changes using scripts and additional steps. The session that Johan presented is in my view the best by far that I have seen.

One thing that wasn’t covered was how to remove the built in Windows 8.1 Modern Applications. In my case (like many others) we are deploying Windows 8.1 and do not wish to have all of these applications available.

Here is a solution you can implement which will remove these apps as part of your MDT or Configuration Manager Task Sequence. My example will be in MDT 2013.

Firstly create a new powershell script from the this blog, you can amend the script as required so that it only removes the applications that you want. Alternatively I have copied the script syntax into a word document here removemodernappsnew Рplease make sure that you edit this script in Powershell ISE to confirm that there are no syntax errors.

Copy the script to your MDT server sources folder.

Create a new MDT application and give it an appropriate name such as Remove Windows 8.1 Modern Applications


Use the following powershell wrapper command – credit to Johan who posted the install wrapper argument here

powershell.exe -Command “set-ExecutionPolicy Unrestricted -Force; cpi ‘%DEPLOYROOT%\Applications\Remove Windows 8.1 Modern Applications\RemoveWindows8Apps.ps1’ -destination c:\; c:\RemoveWindows8Apps.ps1; ri c:\*.ps1 -Force; set-ExecutionPolicy Restricted -Force”

Note you will need to adjust the path to your powershell script depending on how you setup the application in MDT.


Now just add an install application step in your existing MDT / Configuration Manager Task Sequence, its that easy.


If you implement a Suspend action in your MDT Task Sequence you can check that the apps have been removed.