How to enable OneDrive Known Folder Move using SCCM (System Center Configuration Manager)


Last week the OneDrive team presented a new feature called ‘Known Folder Move’. In short, it enables us to move the content and location of the Desktop, Documents and Picture folders into OneDrive. This comes really handy when switching computers and you find your desktop, documents and picture folder exactly as you left them on the previous computer.

More about the feature right here:

Above post also covers how to enable the feature manually or by using group golicies. As usual, we don’t like to do stuff manually and we don’t like old school group policies either. So, how about enabling this feature using Configuration Manager?

Read more…

SCCM Client Health Monitor: Automatically remediate Provisioning Mode and corrupt local Group Policy files


Update: This post has been superseded with this:

A ConfigMgr/SCCM client stuck in provisioning mode or having corrupt local group policy files (Registry.pol) are two very common and nagging issues in a Configuration Manager environment.  Where it’s rather easy to use Configuration Manager to remediate the corrupt policy files, it’s another story with a SCCM client stuck in provisioning mode (the client has very limited functionality). I haven’t personally been seeing clients in provisioning mode that often, but I do occasionally see it happen following an Windows in-place upgrade .

Both scenarios will cause a drop in compliance in regards to Software Updates and general software deployments, and unless being very thorough when walking through compliance reports, clients being affected by either issues can be difficult to spot, especially in larger environments.

So I hereby give you my solution to how you can automatically remediate both issues outside of Configuration Manager using Powershell and thus increase the compliance and overall health of your environment.

Powershell snippet from running the SCCM ClientHealthMonitor script

Read more…

Back to basics: How can I fully automate the patching of Windows 10 using SCCM (System Center Configuration Manager)


I have been spending some time on the Configuration Manager forums on Technet lately, and questions about Software Updates (among others) frequently pops up. So I thought of creating a series of blog post explaining some of the basics of Configuration Manager or explaining some of the topics I often see being repeated as questions on the forums.

This will be the very first in such series, where I will give an example on how you can use SCCM to fully automate the patching of Windows 10. All of these examples will be based on the latest version of Configuration Manager Current Branch.

Peak at the Automatic Deployment Rule we will be creating and configuring in this example

Read more…

Switch default browser the enterprise way using the Software Center in SCCM (System Center Configuration Manager) and Powershell


In this post I will talk about Windows 10, file associations and how you can let the user in an enterprise switch default browser through the Software Center in SCCM (System Center Configuration Manager). All of this is done in an environment where file associations are tightly managed and locked through group policies (as they should be in an enterprise) on computers running Windows 10. Curious on the topic? Read on 🙂

Read more…

Enable password reset on the login screen of a Hybrid Azure AD joined Windows 10 1803 device


More Windows 10 1803! Password reset directly from the login screen of Windows 10 has been possible since Windows 10 1709, but only in a cloud-only scenario. This changed with 1803, and users having a hybrid Azure AD environment, are now able to offer this service to their users as well. (assuming they roll on the latest and greatest Windows 10 version). This guide explains what’s required in a Hybrid environment and how to leverage Configuration Manager to apply the proper configuration on the client.

For this to work, there are a few prerequisites:

  • Windows 10 1803 or newer
  • Password writeback enabled in Azure AD Connect
    • Proper permissions in on-premise AD for the AAD Connect account
  • Password reset enabled in Azure AD
  • Enable password reset on the 1803 clients (in this scenario through ConfigMgr)

Read more…

How can I deploy RSAT (Remote Server Administration Tools) for Windows 10 1803 using SCCM (System Center Configuration Manager)


Continuing on the Windows 10 1803 journey from last week. RSAT (Remote Server Administration Tools) is available as well. This is a quick guide on how you can deploy RSAT for Windows 10 1803 using an application in the Software Center of Configuration Manager. RSAT is available for download following this link:

The files available for download includes following. Select the one appropriate for your running OS.

  • WindowsTH-RSAT_WS_1803-x64.msu
  • WindowsTH-RSAT_WS_1803-x86.msu
  • WindowsTH-RSAT_WS2016-x64.msu
  • WindowsTH-RSAT_WS2016-x86.msu

Read more…

How can I in-place upgrade to Windows 10 1803 using Powershell App Deployment Toolkit and SCCM (System Center Configuration Manager)


Update July 26, 2018: I have made an update to below content. Please find the new post on the link below. Note that the content in this post is still relevant.

Windows 10 1803 is out (old news I know). Nevertheless, its always a good idea to be ahead and start thinking and planning the upgrade of your environment. Configuration Manager offers a lot of flexibility in terms of servicing plans and the use of task sequences.

Task sequences is the preferred method in our environment, and I thought I’d share how you can deploy the Windows 10 1803 upgrade through the Powershell App Deployment Toolkit, some custom Powershell script and an application in the Configuration Manager Software Center. Curious? Read on. 🙂

Read more…

Deploy a forced installation of the Windows Defender Google Chrome extension using SCCM (System Center Configuration Manager)


A few days ago Microsoft released a new extension for the Google Chrome browser. More specifically, they released the Windows Defender Browser Protection extension, which leverages the same security technologies used by Microsoft’s own browser; Edge. Microsoft describes their new extension with following words:

The Windows Defender Browser Protection extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.

With that in mind, why not make that a permanent part of securing your environment and do so by forcing an automatic installation and thus render the users unable to disable or remove the extension. Read on, this is how you can do that using Configuration Manager.

Read more…

Converting from BIOS to UEFI with Powershell (During OSD using SCCM on Lenovo laptops)

Following my previous post, this is an quick example on how to use my Powershell script to convert from BIOS to UEFI in a bare metal scenario. (Again, only Lenovo laptops is working with this script)

Most of the magic lies within the Task Sequence itself, so I will break it down in pieces:

  • Create a group in your Task Sequence called “Prepare Computer (BIOS)” with the condition _SMSTSBootUEFI not equals true (This will make sure the content of the group only runs if UEFI is not enabled already)

  • Next step, format the disk with following settings (Step: Format and Partition Disk (BIOS))
    • Disk type: Standard (MBR)
    • Partition type: Primary
    • 100% remaining disk
    • File system: NTFS

  • Next step, create a new group called Config Lenovo BIOS with following condition: SELECT * FROM Win32_BIOS WHERE Manufacturer = “Lenovo” (This will make sure the step only runs on a Lenovo computer)

  • Next step, run my Powershell script directly from a package like shown below. The parameter -EnableSecureBoot will also enforce UEFI to be enabled.

  • Next step, format the disk with following settings (Step: Format and Partition Disk (BIOS to UEFI))
    • Disk type: GPT
    • Partition type: Primary
    • Size: 600Mb
    • File System: FAT32
    • Variable: TSUEFIDrive
  • Add another partition:
    • Partition type: Primary
    • Size: 100% of remaining space
    • File system: NTFS
    • Variable: None

  • Next step, one final reboot to the boot image currently assigned to this task sequence. When the task sequence returns from the reboot, the Lenovo BIOS will be set to SecureBoot AND UEFI and Windows will continue installing.

Ultimately, you can have 2 steps to take care of when the computer is coming with either BIOS setting or UEFI, and act accordingly. Se below snippet for inspiration.

Enjoy! 🙂


Powershell: Enable virtualization and Credential Guard in an instant (Lenovo laptops)

Windows 10 Credential Guard is currently another hot topic considering cyber security. Credential Guard is a new feature in Windows 10 (Enterprise and Education edition) that helps to protect your credentials on a machine from threats such as pass the hash.

To be able to enable Credential Guard in Windows, you need to have virtualization enabled on the CPU in the BIOS. Virtualization is rarely enabled by default, and as such you will need to enable it manually (F1, enter BIOS, modify the setting) or better yet, find a solution to do so remotely and automatically.

I have created following script in Powershell, that initially enables virtualization in the BIOS (Note: We only use Lenovo laptops, hence this is made for Lenovo laptops only) and then apply the registry-keys to enable Credential Guard. All steps are logged into c:\Windows\EnableCredentialGuard.log

The script can be targeted to the proper Windows 10 versions through SCCM collections (I this example I only target W10 1607 and 1703, as these Windows 10 versions no longer require the Isolated User Mode feature when enabling Credential Guard, as it’s now embedded into the Hypervisor)

When deploying powershell script from SCCM, remember to create the program with a command line like this: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File .\CredentialGuard\Enable-VirtualizationCredentialGuard.ps1

    Enable virtualization in Lenovo Bios and enable Credential Guard in Windows 10
    This script will only run on Lenovo computers. If run on Lenovo computer, the script will check if virtualization is enabled in BIOS. 
    If not, virtualization will be enabled in the process of enabling CredentialGuard.
    Also appends actions to logfile: EnableCredentialGuard.log
    FileName:    Enable-VirtualizationCredentialGuard.ps1
    Author:      Martin Bengtsson
    Created:     19-07-2017

$Logfile = "C:\Windows\EnableCredentialGuard.log"

#Create LogWrite function
Function LogWrite
   Param ([string]$Logstring)

   Add-Content $Logfile -Value $Logstring

#Get computermanufacturer
$Lenovo = Get-WmiObject Win32_ComputerSystemProduct | Select-Object Vendor

#If not a Lenovo laptop, write to log and exit script
If ($Lenovo.Vendor -ne "Lenovo"){
    LogWrite "Not a Lenovo laptop - exiting script"
    Write-Warning -Message "Not a Lenovo laptop - exiting script" ; exit 1

Else {
    Write-Host -ForegroundColor Yellow "Collecting Lenovo_BiosSetting information" ; LogWrite "Collecting Lenovo_BiosSetting information"
    $VirtEnabled = Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\WMI | Where-Object {$_.CurrentSetting -match "Virtualization*"} | Select-Object CurrentSetting

If ($VirtEnabled.CurrentSetting -eq "VirtualizationTechnology,Disable"){
    Write-Host -ForegroundColor Cyan "Virtualization disabled - trying to enable virtualization" ; LogWrite "Virtualization disabled - trying to enable virtualization"
    Try {
        (Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi).SetBiosSetting("VirtualizationTechnology,Enable")
        (Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings()

    Catch {
        Write-Host -ForegroundColor Cyan "An error occured when enabling virtualization in the BIOS" ; LogWrite "An error occured when enabling virtualization in the BIOS" ; exit 1
    Write-Host -ForegroundColor Cyan "Virtualization Successfully enabled" ; LogWrite "Virtualization Successfully enabled"

#Add required registry key for Credential Guard
$RegistryKeyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
    If (-not(Test-Path -Path $RegistryKeyPath)) {
        Write-Host -ForegroundColor Yellow "Creating HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard registry key" ; LogWrite "Creating HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard registry key"
        New-Item -Path $RegistryKeyPath -ItemType Directory -Force
    #Add registry key: RequirePlatformSecurityFeatures - 1 for Secure Boot only, 3 for Secure Boot and DMA Protection
    New-ItemProperty -Path $RegistryKeyPath -Name RequirePlatformSecurityFeatures -PropertyType DWORD -Value 1
    Write-Host -ForegroundColor Yellow "Successfully added RequirePlatformSecurityFeatures regkey" ; LogWrite "Successfully added RequirePlatformSecurityFeatures regkey"
    #Add registry key: EnableVirtualizationBasedSecurity - 1 for Enabled, 0 for Disabled
    New-ItemProperty -Path $RegistryKeyPath -Name EnableVirtualizationBasedSecurity -PropertyType DWORD -Value 1
    Write-Host -ForegroundColor Yellow "Successfully added EnableVirtualizationBasedSecurity regkey" ; LogWrite "Successfully added EnableVirtualizationBasedSecurity regkey"
    #Add registry key: LsaCfgFlags - 1 enables Credential Guard with UEFI lock, 2 enables Credential Guard without lock, 0 for Disabled
    New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name LsaCfgFlags -PropertyType DWORD -Value 2
    Write-Host -ForegroundColor Yellow "Successfully added LsaCfgFlags regkey" ; LogWrite "Successfully added LsaCfgFlags regkey"
    Write-Host -ForegroundColor Yellow "Successfully enabled Credential Guard - please reboot the computer" ; LogWrite "Successfully enabled Credential Guard - please reboot the computer"

Snip of the logfile when everything succeeds: