
Thursday, 17 June 2021


Hi There,

My name is Dan. I currently work in London as an SCCM consultant while on a working holiday from Australia.

I will be updating this blog from time to time with tips on application packaging and OS deployment, specifically using MDT/SCCM.

If you have any questions, don't hesitate to contact me.




Friday, 13 January 2017

Migrating User Profiles & Resetting Permissions - Powershell

I recently began looking at migrating user profile data for a client. The existing user profiles were hosted on a Windows file server and were being used in conjunction with folder redirection and offline files. After discussion the client decided to move to Work Folders (native to Windows Server 2012). Work Folders requires that each user is the owner of their "workfolder" (see here), and the existing data had many broken SIDs and unnecessary permissions set, so the requirement was to strip everything and start again.

The 'special folders' used by folder redirection (Desktop, Favorites, Documents) were completely broken: no one other than the owner had read access to them, so copying the data was not straightforward. I initially tried RoboCopy for the task, but it fell over when trying to copy these special folders. The client had an install of Dell Secure Copy on an old file server, so I was able to leverage that; I believe it copies at the disk level and does not honor the OS NTFS permissions.

The script below is what I ended up with for the copy. The client would be migrating individual users initially, so the script prompts for paths and usernames, but the code could easily be modified to handle groups of users.

The code basically:

  1. Reads in values for Source and Destination
  2. Copies the data to the destination
  3. Grants the AD user Modify on the destination and makes them the owner
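The following is an added example of the three steps above, not the post's original script. It assumes it is run elevated on the destination file server (icacls needs SeRestorePrivilege to assign ownership to another account), and it uses robocopy in backup mode for the copy; swap that line for Dell Secure Copy or another tool if the special folders still refuse to copy.

```powershell
# Added example: copy one user's profile folder and reset NTFS permissions so the
# AD user has Modify and owns the new tree. Parameters are prompted for when omitted.
param(
    [Parameter(Mandatory)][string]$Source,       # e.g. \\oldfs\profiles$\jsmith  (constructed)
    [Parameter(Mandatory)][string]$Destination,  # e.g. D:\WorkFolders\jsmith      (constructed)
    [Parameter(Mandatory)][string]$Username,     # sAMAccountName, e.g. jsmith
    [string]$Domain = $env:USERDOMAIN
)
$account = "$Domain\$Username"
$log = Join-Path $env:TEMP "migrate-$Username.log"

# 1. Copy. /B reads in backup mode (ignores source ACLs); /COPY:DAT copies data,
#    attributes and timestamps but NOT the broken source security descriptors.
& robocopy.exe $Source $Destination /E /B /COPY:DAT /R:1 /W:1 /NP /LOG+:$log | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors (exit $LASTEXITCODE); see $log" }

# 2. Reset every ACL below the root to inherit, then replace the root ACL with explicit
#    entries only: the user gets Modify, Administrators keep Full Control.
& icacls.exe $Destination /reset /T /C /Q | Out-Null
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$acl = Get-Acl -Path $Destination
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the share's parent
foreach ($entry in @(@($account, 'Modify'), @('BUILTIN\Administrators', 'FullControl'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $entry[0], $entry[1], $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Destination -AclObject $acl

# 3. Make the user the owner of the root and everything below it (Work Folders requirement).
& icacls.exe $Destination /setowner $account /T /C /Q | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed (exit $LASTEXITCODE)" }

# Verify the result before moving on to the next user.
$final = Get-Acl -Path $Destination
"Owner: $($final.Owner)"
$final.Access | Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```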

Hopefully this script helps someone in a similar position.


Monday, 5 September 2016

Deploying Windows 10 1607

Following on from my post last year, Building a Clean Windows 10 Reference Image - MDT 2013 U1, this entry rehashes some of the steps discussed there and adds the further steps needed to deploy Windows 10 1607.

For this build I am using:

Windows 10 1607
MDT 2013 Update 2
SCCM 1606
ADK 1607

Reference Image:

From here I will assume you have all of the above running. You do not need to be on the latest SCCM version (1606) for these steps, but you will want the ADK and MDT to be up to date.

1. To build your reference image, follow the steps in this post. However, do not update your deployment share yet (one of the last steps).

2. Watch this video from 8:00 to 13:20 to learn how to tweak CMTrace.exe and SMSTS.ini to improve your OSD experience. Once you have done this, go back, update your deployment share and continue with Johan's post.

Boot WIM:

1. Check out my post here on how you can leverage DaRT for dynamic remote control of your OSD builds.

Prepare OSD Scripts and Logs:


On your SCCM site server create a share to store log files, e.g. \\configmgr\logs$, and ensure your staff have access to this path. The final steps in your task sequence should copy the logs to this share whether the TS succeeded or not (I will outline how later). Within this logs folder make two folders named:


There is a reason I am not using a folder named "OSD_Failure": each time CMTrace detects the word "fail" in your SMSTS.log it highlights the line as an "error", which in this case would just be the name of the step. To keep your logs easier to read, avoid the word "failure" wherever possible.


The following scripts are used throughout my task sequence:

Scripts Share

UI++ (a nice UI that lets you set variables to kick-start your TS)

adcompdesc.vbs (Sets AD computer description during OSD ) - See scripts share

adgroup.vbs (Sets AD computer group membership during OSD ) - See scripts share

DefaultAppAssoc.xml (Sets defaults for application association - Acrobat in example is set ) - See scripts share

DumpVar.vbs (Dumps SMSTS variables to file for testing) - See scripts share

SetDefaultsW10.cmd (Sets various OSD settings, speech etc ) - See scripts share

StartLayout1607.xml (Sets start menu and taskbar layout  ) - See scripts share

Place these files (tweaked to your liking) in a share under your SCCM sources folder and create a package from it (with no program). This package will be called multiple times during your task sequence.

Create Unattended.XML

Log onto your SCCM box and open Windows System Image Manager. From here you can modify your unattend file as much as you like; here is mine, with some info redacted.

Note: <Logo>c:\windows\media\COMPANYLOGO.bmp</Logo>. This file is copied into my WIM during reference image creation, which lets you show your logo on the Windows "System" page.

Create Task Sequence

Create a new TS (with MDT integration) and add the following steps.
(I will not go through every option just specific settings to improve OSD)

Set the following 3 variables at the beginning of your TS.

Name: SMSTSPostAction
Value: shutdown /r /t 5
Why: Forces the machine to reboot at the very end of the TS, which helps with post-TS cleanup tasks and GPO application.

Name: SMSTSRebootDelay
Value: 0
Why: Sets the delay before each reboot step to 0 seconds, so the machine restarts immediately. Improves TS time.

Name: SMSTSErrorDialogTimeout
Value: 86400
Why: Sets the error dialog timeout to 86400 seconds (24 hours), so the error stays on screen until someone interacts with it (the default disappears too fast).

Add step for apply OS, use the Unattended.xml you created earlier. (This can be placed into your OSD scripts folder)

Add step to copy CMTrace: Add the following step AFTER apply OS step: 

Type: Run Command Line
Value: cmd /c xcopy x:\sms\bin\x64\CMTrace.exe %OSDTargetSystemDrive%\windows\system32 /E /H /C /I /Q /Y

Add step for Set AD Group (see scripts folder)

Name: adgroup.vbs (run command line)
Value: wscript.exe adgroup.vbs "ADGROUP"

Add step for Set AD Description (see scripts folder)

Name: adcompdesc.vbs (run command line)
Value: cscript.exe adcompdesc.vbs "[%VALUE%] - [%VALUE%] - [%VALUE%]"

Add step for Set W10 Defaults (see scripts folder)

Name: Apply W10 Settings (run command line)
Value: cmd /c SetDefaultsW10.cmd

Add step to tattoo the registry (each reg add needs a space before /v, an explicit /t REG_SZ and /f so it never prompts):

Name: Tattoo (run command line)
Value: cmd.exe /c reg add HKLM\SOFTWARE\COMPANY /v COMPANYOSD-Name /t REG_SZ /d "[%_SMSTSPackageName%]" /f & reg add HKLM\SOFTWARE\COMPANY /v COMPANYOSD-Time /t REG_SZ /d "[%date%]-[%time%]" /f & reg add HKLM\SOFTWARE\COMPANY /v COMPANYOSD-ImagedBy /t REG_SZ /d "[%XAuthenticatedUser%]" /f

Add step to set the Windows 10 Start Menu (see scripts folder)

Name: Set Windows 10 Start Menu Layout (run command line)
Value: powershell.exe -executionpolicy bypass import-startlayout -layoutpath .\StartLayout1607.xml -mountpath C:\

Add step to remove Windows 10 apps (see scripts folder)

Name: Remove Windows 10 Apps (run command line)
Value: %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file .\RemoveApps2.ps1

Add step to block new Windows 10 consumer apps from installing
Name: Block New W10 Apps (run command line)
Value: reg add HKLM\Software\Policies\Microsoft\Windows\CloudContent /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f

Add LOGS folder logic.

Here we add logic that acts as a try/catch for any errors.

Copy these steps, changing the folder names to your own.

From here, copy the same logic as the previous steps but change the folder to Not_success.

To be continued...
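As an added example (not from the original post), here is a "copy logs" script that can be the last step in both branches of the try/catch logic above: run it with -Bucket OSD_Success at the end of the main group and with -Bucket OSD_Not_success in the error branch; with no -Bucket it decides from _SMSTSLastActionSucceeded. It assumes the \\configmgr\logs$ share from earlier exists and that the task sequence account can write to it.

```powershell
# Added example: final task-sequence step that copies the SMSTS logs to the logs share.
param(
    [string]$LogShare = '\\configmgr\logs$',
    [ValidateSet('OSD_Success', 'OSD_Not_success')][string]$Bucket
)
# The TS environment COM object only exists inside a running task sequence.
$ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
$logPath = $ts.Value('_SMSTSLogPath')            # where smsts.log currently lives
if (-not $Bucket) {
    # Never put "fail" in a folder name: CMTrace flags every log line containing it.
    $Bucket = if ($ts.Value('_SMSTSLastActionSucceeded') -eq 'true') { 'OSD_Success' } else { 'OSD_Not_success' }
}
$name = $ts.Value('OSDComputerName')
if (-not $name) { $name = $env:COMPUTERNAME }
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $LogShare "$Bucket\$name-$stamp"

New-Item -ItemType Directory -Path $dest -Force | Out-Null
# smsts.log rolls over into smsts-*.log, so copy every log in the folder, not just one file.
Copy-Item -Path (Join-Path $logPath '*.log') -Destination $dest -Force

# Record the TS name and last return code beside the logs so the folder is self-describing.
@(
    "TaskSequence=$($ts.Value('_SMSTSPackageName'))"
    "LastActionRetCode=$($ts.Value('_SMSTSLastActionRetCode'))"
    "Bucket=$Bucket"
) | Set-Content -Path (Join-Path $dest 'summary.txt')
Write-Output "Logs copied to $dest"
```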

Wednesday, 31 August 2016

Suppress Office 365 "First Things First"

You may have noticed that when installing Office 365 via the Click-to-Run installer you get a popup like this for each user.

You will no doubt have seen many methods to make this go away; however, in my testing none of the popular suggestions actually work, for example:

1. Setting OptInDisable in SOFTWARE\Microsoft\Office\16.0\Common\General
2. Setting ShownFirstRunOptin in SOFTWARE\Microsoft\Office\16.0\Common\General
3. Setting Authorized in SOFTWARE\Microsoft\Office\16.0\Common\General
4. Setting AcceptAllEulas in SOFTWARE\Microsoft\Office\16.0\Common\General

These methods may work for standard Office 2016 installers (usually set via the OCT), but because Office 365 is licensed per user, this notification is generated for each user account that runs Office.

If you would like to properly suppress this, you need to perform the following during OSD.

1. Find a step after you install Office 365 in your task sequence.
2. If you have a batch file or script that does Windows customisations, add the following to it (or create a new script).

(Step in TS - the script is in SetDefaultsW10.cmd)

What we are doing here is loading the Default User registry hive and adding the entry that is created when a user accepts the EULA.

We do this via OSD because the key contains the computer's hostname, and making that dynamic from a Group Policy Preference is not easily achieved.

Also, I set the following:

Disable "Make Skype better"

Value: UserConsentedTelemetryUpload
Key: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\General

Disable "file type prompt" (EU only)

Value: ShownFileFmtPrompt
Key: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\General

NB. In SetDefaultsW10.cmd I also set the speech language to en-GB and set up DesktopInfo.
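The hive-loading technique described above, as an added example rather than the post's own SetDefaultsW10.cmd. It assumes the target OS drive is C:, it uses a placeholder for the EULA-acceptance key (the post does not print it), and the DWORD data written for the two Common\General values are assumed, not taken from the post.

```powershell
# Added example: load the Default User hive during OSD so every new profile inherits the
# Office suppression values, then unload it cleanly.
$hivePath = 'C:\Users\Default\NTUSER.DAT'   # assumption: OSDTargetSystemDrive is C:
$mount    = 'HKU\DefUser'                   # temporary mount point for the hive
$general  = "$mount\SOFTWARE\Microsoft\Office\16.0\Common\General"

& reg.exe load $mount $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $hivePath (missing, or already in use?)" }
try {
    # Values named in the post; the data (0 = no consent, 1 = prompt already shown) is assumed.
    & reg.exe add $general /v UserConsentedTelemetryUpload /t REG_DWORD /d 0 /f | Out-Null
    & reg.exe add $general /v ShownFileFmtPrompt /t REG_DWORD /d 1 /f | Out-Null

    # The First Things First entry contains the hostname, which is why this runs in OSD
    # rather than via GPP. PLACEHOLDER_EULA_KEY / PLACEHOLDER_EULA_VALUE stand in for the
    # key and value name you export from a machine where a user has already accepted it.
    $eulaKey = "$mount\PLACEHOLDER_EULA_KEY\$env:COMPUTERNAME"
    & reg.exe add $eulaKey /v PLACEHOLDER_EULA_VALUE /t REG_DWORD /d 1 /f | Out-Null
}
finally {
    # Drop any provider handles first; a failed unload leaves NTUSER.DAT locked.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Hive $mount is still loaded; close open handles and retry the unload" }
}
```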



Monday, 15 August 2016

Disable Microsoft Edge First Run

To disable the Microsoft Edge first run you have to jump through a few hoops. Luckily I've done this for you.

Many blogs state that you just need to change the value of "IE10TourShown" in the following key:

[HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main]

However, this is not enough. To fix Edge you need to set these values.

I deploy these values by Group Policy Preferences.

Open your relevant workstation policy and navigate to: User Configuration > Preferences > Windows Settings > Registry

From here add registry items for all of the settings above from HKEY_CLASSES_ROOT.

Next, create a folder (collection item) and within it add all of the items above from HKEY_CURRENT_USER. Once added, right-click on your collection folder, go to the "Common" tab, and select "Run in logged-on user's security context (user policy option)".

And that's it; with this set, users should not see the Edge "first run" wizard. Further configuration of Edge can be done from Admin Templates > Windows Components > Microsoft Edge.



Thursday, 19 May 2016

DirectAccess Troubleshooting

Hi all DirectAccess users,

If you have clients that have never been able to connect to DirectAccess, it may be because the initial DirectAccess GPO was never processed 100% successfully.

Please perform these troubleshooting steps.

Open a command prompt and enter: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

If you see this:

This means IPv6 has not been enabled. To fix this, open the registry and change this value to 0.

You will now see:

If IPv6 is fine, run "ipconfig /all".

You should see the adaptors named:


If you do not see these adaptors, you need to manually install the Teredo adaptor. To do this, open Device Manager > View > Show hidden devices.

Click Action > Add legacy hardware.


Click Next > "Install the hardware that I manually select from a list".

Scroll to "Network adapters", click Next and wait.

Select Microsoft > Microsoft Teredo Tunneling Adapter and install it.

Reboot and test DirectAccess again; it should now work.
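As an added example (not part of the original post), the following function runs the IPv6 and adaptor checks above in one go on a client. It assumes the Tcpip6\Parameters value the post refers to is DisabledComponents, and that the Teredo and IP-HTTPS interfaces show up among the hidden adapters that Get-NetAdapter -IncludeHidden lists.

```powershell
# Added example: check the DirectAccess client prerequisites from the troubleshooting steps.
function Test-DirectAccessClientPrereqs {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $dc  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents

    # Step 1: IPv6 must not be disabled. No value means the default (enabled); 0 means explicitly enabled.
    $ipv6Ok = ($null -eq $dc) -or ($dc -eq 0)

    # Step 2: the transition adaptors from "ipconfig /all" are hidden virtual adapters.
    $hidden  = Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue
    $teredo  = $hidden | Where-Object { "$($_.Name) $($_.InterfaceDescription)" -match 'Teredo' }
    $ipHttps = $hidden | Where-Object { "$($_.Name) $($_.InterfaceDescription)" -match 'IPHTTPS|IP-HTTPS' }

    # Step 3: say which of the post's fixes applies next.
    if (-not $ipv6Ok) {
        $action = "Set DisabledComponents to 0 under $key and reboot"
    } elseif (-not $teredo) {
        $action = 'Add legacy hardware > Microsoft Teredo Tunneling Adapter, then reboot'
    } else {
        $action = 'Prerequisites look fine; check that the DirectAccess GPO applied (gpresult /r)'
    }

    [pscustomobject]@{
        IPv6Enabled        = $ipv6Ok
        DisabledComponents = $dc
        TeredoAdapter      = [bool]$teredo
        IPHttpsAdapter     = [bool]$ipHttps
        NextAction         = $action
    }
}
Test-DirectAccessClientPrereqs
```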



Tuesday, 17 May 2016

Windows Phone 8.1 Will Not Enroll To Intune

Oh Microsoft, you mysterious beast.

I was recently informed by one of my techs that he could not enroll a Windows Phone in our hybrid Intune/SCCM setup. I found this quite strange, as nothing on our end had changed significantly, other than updating my SCCM to 1602 a few weeks prior. I tested an iOS device and it enrolled just fine.

A small diagram of how Intune in hybrid mode should work:

The user he was trying to enroll was getting the following error on a Windows Phone:

Early investigation led me to check the relevant log files for Intune; this is what I saw in dmpdownloader.log:

ConnectorSetup.log showed the following:
 "<05/09/16 16:42:29> CTool::RegisterManagedBinary: Failed to register C:\Program Files\Microsoft Configuration Manager\bin\x64\IntuneContentManager\Microsoft.ConfigurationManager.IntuneContentManager.dll with .Net Fx 2.0"

The SC_Online_Issuing certificate was showing the following:

The steps I performed to attempt to remedy these issues were:

1. Manually removed the certificate.
2. Removed the service connection point.
3. Removed the Intune subscription.
4. Rebooted the site server.
5. Set up Intune/SCP again.
6. Certificate regenerated.

After performing the above I tried re-enrolling a Windows Phone 8.1 and received the same error. I ended up performing the same steps a number of times.
At this point I went to Microsoft and logged a support call. I was already drinking heavily at this time in frustration at what seemed to be an unfixable problem. I tried everything I could think of... but sometimes the most painful issues have the stupidest fixes, or so it is when dealing with Microsoft products.

This is the resolution from Microsoft!

Go to Administration > Cloud Services > right-click on the Intune Subscription > Configure Platforms.
Uncheck Windows Phone 8.1, apply the change, then recheck it.

Of course! Why didn't I think of that! I would have assumed removing the ENTIRE CONFIGURATION four times would have accomplished this. From what I can see this isn't documented anywhere, so I hope this solves your issue if you run into the same problem.

NB. The errors you see in the screenshots like "check whether this site has an Intune subscription" seem to be a red herring; as far as I can tell they don't actually indicate an issue.