Leaderboard

i don't have a lab in your state to test this on as mine already has bitlocker management enabled, so please go ahead and create a test bitlocker management policy, doing so will put in place things like bitlocker management services in IIS, back when this was first released in 1910 we had to run powershell scripts to get reports, but it's all integrated now

There should be some powershell commands to do this. aka edit the WMI data.

this method guides you through setting up a pki infrastructure as described, it does not cover what you are looking for however i'm sure once you are done setting this up, that setting up the remaining disaster recovery options will be doable, ask a PKI expert before you take on the task.

Introduction Sometimes you need to install Windows features that normally need internet access (to install other components), language packs installed today are done in a modular and different format from previous years. In previous times you could simply install a language pack for the associate language and all was good, now there are additional components that also need to be installed otherwise Windows will attempt to download them from the internet (and notify you via the notification center if it cannot). I needed to install Windows 10 LTSC version 2019 in an offline environment (with no internet access) and I also needed to configure language pack settings and configure keyboard layout. I came up with a solution that works for me and I thought I'd share it. You might know of a simpler or better way, if so feel free to comment. Note: The LTSC (Long Term Servicing Channel) version of Windows 10 is suited for special environments, and environments without Internet certainly are special. I've even verified that the equivalent version of Windows 10 (aka Windows 10 version 1809) behaves the same way, in fact the screenshots used here are from Windows 10 1809, I didn't import LTSC into my lab yet. I've also tested this method with Windows 10 version 2004 (and the associated version 2004 LP and FOD files and it works perfectly ! Step 1. Get the feature on demand packages Normally if you install a language pack on a Windows 10 computer with valid internet, it will automatically download the associated features on demand for that language and those can include: Display language Text-to-speech Handwriting Speech recognition Typing You can see these additional items listed in the screenshot below. Depending on the language pack capabilities, some will have all of these and some will have only a few. Most of these components (features on demand or FOD packages) can be found on the features on demand ISO for the respective operating system and you can download those ISOs from the Volume License Servicing Center (VLSC) website or go to Visual Studio downloads (formally MSDN). Below you can see some of the FOD packages listed on the mounted ISO. There are FOD packages for different types of function within Windows and the packages I was most interested in were any related to language (specifically). You may find that you want to install additional FODs for your particular solution. If you scroll down the long list of FOD packages you'll see some that begin with Microsoft-Windows-LanguageFeatures, and they are sorted by country code (where applicable) into the following sections. Microsoft-Windows-LanguageFeatures-Basic Microsoft-Windows-LanguageFeatures-Fonts Microsoft-Windows-LanguageFeatures-Handwriting Microsoft-Windows-LanguageFeatures-OCR Microsoft-Windows-LanguageFeatures-Speech Microsoft-Windows-LanguageFeatures-TextToSpeech such as below. This was my first clue to solve this. I decided to copy all the LanguageFeatures FOD packages from the ISO to somewhere local. The next thing I found on the ISO was Metadata, so I copied that also. Step 2. Get the Language packs Finally, there are also Language Pack ISOs available for download for your respective version of Windows 10, and on that ISO are larger cab files containing the client language pack for each language that is available. You can find the language packs in the architecture folder on this ISO. They'll look something like this. Step 3. Sort the downloads by country code Now that you've got the necessary files, you need to decide which languages you are going to support during OSD and sort them into their own respective folders. I copied language specific FOD packages and the client language pack for each language I was interested in into it's own separate folder like below (sv-SE for Sweden), and then copied those folders onto my package sources folder on the ConfigMgr server. Note that some languages may have more (or less) FOD packages available than others, so copy all that are available on the ISO and you should be good to go. The first cab file listed below is the Client Language Pack from the Language Pack ISO and the remaining 4 cabs are from the FOD ISO. Next create another folder with the Metadata files within it. Step 4. Create packages In ConfigMgr, create a separate package for each language you intend to add support for and point it to the folder containing the Client Language Pack and FOD packages. Once you've created all the language pack packages, don't forget to create the Metadata package. Distribute the packages to your distribution points. Step 5. Import the task sequence To save you a lot of effort all you need to do is import my task sequence and then modify the package references to suit your environment. Note: This is an MDT integrated task sequence so if you want to use it please integrate MDT with ConfigMgr. You will get messages about missing content during the import, choose 'ignore dependancies' and it will import the task sequence steps anyway. However, you must then step through each step in the task sequence that references a package, and point it to the equivalent package on your ConfigMgr environment. After importing the task sequence, make sure to add your language packages (and metadata) to the appropriate steps that reference them otherwise this won't work, pretty much all of the xcopy steps will need a package attached to them. Download the following, and import into ConfigMgr. Windows 10 LTSC language packs without internet.zip Step 6. A quick look at the task sequence logic The task sequence works by first setting a variable, called Location. You can set this as a step in the task sequence dynamically based on various inputs (such as DHCP IP address, gateway, computer variable, collection variable). That I leave up to you, I've forced this example to use Sweden as the location. Next, it dynamically sets Language specific variables based on the Location set previously. You need to add one of these dynamic groups for each language you intend to support. The below screenshot shows two languages configured but you could have multiple. Next (1) it injects the system, user, locale specific settings based on the dynamic variables set above. SysLocale UserLocale InputLocale Thee next group (2) copies the en-US language pack+FOD packages, and metadata. This is needed if you want to be able to switch languages via the input switch in the task tray (language bar). Next, it dynamically downloads (3) the FOD package containing the needed files to add features on demand plus the language pack for the language you are adding support for. It then uses a bunch of DISM commands (4) to inject the necessary FOD packages. After that it sets some reg-keys (5) to deal with known issues relating to language packs cleanup before adding some more steps to allow both languages (en-US and sv-SE in this example) to display on the login screen using the input methods switch. Step 7. Viewing the result After all that hard work you'll want to see the end result. In this lab I've disabled internet access by simply powering off my Smoothwall (which controls internet to the lab). We can see in WinPE that there is no internet. After selecting the task sequence it downloads the Operating System, applies it and then starts injecting the cab files and other dism operations. Below you can see it inject one of the FOD packages And below it's injecting the Client Language Pack, all of this is dynamic based on the Location variable. After installation is complete the login screen shows no internet in the LAN connection, but the language is in Swedish. When you attempt to login you'll see the language bar, awesome. And after logging in, you will see that your chosen language pack is installed along with the necessary FOD packages, automatically and dynamically even without internet ! Awesome or what ! And of course you can use PowerShell to verify the installation of your language pack with Get-WinUserLanguageList. Windows 10 version 2004 What about Windows 10 version 2004 ? it works perfectly using this exact same method, just switch out the Operating System wim file with the 2004 version and replace the FOD and LP packages with the correct version, see below. Recommended reading Add language packs to Windows - https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-language-packs-to-windows Known issues - https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/language-packs-known-issue Available languages - https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/available-language-packs-for-windows Language and region feature on demand - https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/features-on-demand-language-fod https://docs.microsoft.com/en-us/powershell/module/international/get-winuserlanguagelist?view=win10-ps

I saw the non-user version of the MSI from the original post didn't work anymore, so I uploaded my copies of them just in case anyone still needs it. TriggerBitlocker Windows-Noob v1.0.0.2 - User.7z TriggerBitlocker Windows-Noob v1.0.0.2 - System.7z

For anyone in the same situation - We simply deleted the failed classic CMG and recreated a new Scale Set CMG using the same service name and certificate. Changed DNS to point to the new URL and all worked fine. Clients reconnected to the new CMG without any issues.

We have WU blocked as all patching is handled by MEMCM. I found this workaround script to temporarily enable in the registry, add the feature, then set the registry back to what is was prior. $currentWU = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" | select -ExpandProperty UseWUServer Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" -Value 0 Restart-Service wuauserv Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability –Online Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "UseWUServer" -Value $currentWU Restart-Service wuauserv

Use the application substitution rule, first do the uninstallation of the old version parameters or scripts, in the installation will first uninstall the old version before installing the new version

Hello, I am trying to deploy CMTrace as part of the TS (SCCM 2012 SP1, no MDT integration) and also set it as default log viewer. This is my powershell script: $RelativePath = (split-path $SCRIPT:MyInvocation.MyCommand.Path -parent)+"\" Copy-Item -Path $RelativePath"CMTrace.exe" -Destination "c:\temp\" -Force xcopy "c:\temp\CMtrace.exe" "c:\windows\System32" /y xcopy "c:\temp\CMtrace.exe" "c:\windows\SYSWOW64" /y $CMtraceKey = "HKCU:\SOFTWARE\Microsoft\Trace32" Set-ItemProperty -Path $CMtraceKey -Name "Register File Types" -Value 00000000 $Parameters = "assoc .log=logfile" cmd.exe /c $Parameters The xcopy commands do not work for some reason, and smsts log doesn't show me anything. Can somebody advise on why the copy commands do not work and how can I apply the HKCU key properly ? Thanks

I imported some VHD's from Microsoft Virtual PC to Hyper V, and I noticed that one of my VM's had a problem, I couldn't add a second network card to it (I could add it in settings, but it would never appear as a new device on the VM or in the VM's device manager), so I checked out the device manager, there was a device with a yellow exclamation mark on it called VMBus. Double clicking on that showed me the following error After some googling I found this post and the advice in there was spot on, I had already installed my Intergration Services Setup disk and rebooted, but my problem remained, the VMBus was now called Virtual Machine Bus but still no network, so I ran MSCONFIG, clicked on boot, then clicked on the advanced tab and put a checkmark in Detect HAL, I clicked ok and reboot, some windows drivers were redetected and lo and behold my problem disappeared ! cheers ! anyweb

Yes, I am very sure. I was communicating with other it users and they also encountered this situation

I'm glad you got it sorted

take a look at my two posts here, they cover everything you need to convert to https, they'll cover a bit more than Justins excellent video, so do please verify you didn't miss anything How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1 How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 2 also, keep in mind that certs can expire, and when they do you'll have issues, like this https://www.niallbrady.com/2020/08/16/how-can-i-replace-an-expired-iis-certificate-in-a-pki-enabled-configmgr-environment/ if you want to really test PKI is working then try pxe boot (operating system deployment), if it fails you'll see it failing quickly in the logs, and that'll be a clue that you've missed something, also, on PKI managed clients, your configmgr client agent should report that the client is PKI, like this...

try setting it like this

Hi, Well guess what, it finally appeared after 5 days, I did not change anything since and this morning that appeared on the computer: Thanks to both of you for you answers and help! Have a nice day!

interesting problem, are you setting this variable to true as a matter of interest ? SMSTSDisableStatusRetry In disconnected scenarios, the task sequence engine repeatedly tries to send status messages to the management point. This behavior in this scenario causes delays in task sequence processing. Set this variable to true and the task sequence engine doesn't attempt to send status messages after the first message fails to send. This first attempt includes multiple retries. When the task sequence restarts, the value of this variable persists. However, the task sequence tries sending an initial status message. This first attempt includes multiple retries. If successful, the task sequence continues sending status regardless of the value of this variable. If status fails to send, the task sequence uses the value of this variable. and have you tried setting this variable after the reboot ? SMSTSMP Use this variable to specify the URL or IP address of the Configuration Manager management point. https://docs.microsoft.com/en-us/mem/configmgr/osd/understand/task-sequence-variables

There's an official MS doc update on this now at https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25). No clue how many companies are potentially affected by this ... but seriously, for anybody reading this post ... if you're currently using Invoke-MBAM with ConfigMgr's native BitLocker Management, just get it completely out of your task sequences now. Even if you're not on 2103 yet ... get it out so you don't get hit by this if / when you do upgrade to 2103. It's frustrating there's no supported way to escrow recovery info during OSD but trust me, you do not want to have a large environment get hit by this issue. If you are on 2103+ and have used Invoke-MBAM in task sequence scenarios since upgrading to 2103 ... I'd recommend you get in a support case with MS ASAP and then you too can join in the fun of waiting to see if and how your database / server WMI / client WMI can be salvaged.

Text=ERROR_WINHTTP_NAME_NOT_RESOLVED dns or network issues ? have you reviewed the required ports and other configuration that we've blogged about here ?

normally what I do is uninstall the existing ADK, restart the server, then install the latest applicable ADK, but it all depends on what version of ADK you have installed, and whether it's compatible with 2103 or not here's the list of supported ADK's https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/configs/support-for-windows-10#windows-10-adk

have you reviewed this video yet ? if not skip through it to see what you've missed, it's based on ConfigMgr 1910 but it'll give you some clues hopefully

Introduction Microsoft released Windows Intune back in March 2011, this was their launch pad for the management of devices and users in the cloud. This was later renamed to Microsoft Intune and is now known as Microsoft Endpoint Manager. This cloud journey encompassed several new technologies and associated buzz words summarized below. Hybrid MDM – Depreciated, this was the first combination of ConfigMgr and Intune Co-management – The ability to manage devices via ConfigMgr and Intune Co-existence – Using a 3rd party MDM solution together with ConfigMgr Cloud Attach – Attaching cloud components to a ConfigMgr environment Tenant attach – Attaching ConfigMgr managed devices including servers to the cloud This part is the first part in a series of guides about cloud attach in Microsoft Endpoint Manager and the guides are co-written by Niall & Paul, both of whom are Enterprise Mobility MVP’s with broad experience in the area of modern management. Paul is 4 times Enterprise Mobility MVP based in the UK and Niall is 10 times Enterprise Mobility MVP based in Sweden. If you use Twitter and want to see content when we release it then please do follow us: @ncbrady @SCCMentor Why are we writing this? Both Paul and I have worked on multiple cloud-based lab scenarios together over the course of the last year keeping ourselves educated and involved during lock down. We focused on expanding our knowledge about these exciting new technologies that come with the enabling of cloud attach features. That includes advanced cloud capabilities offered via a Cloud Management Gateway (CMG), co-management and additional capabilities available via Tenant attach. This area of modern management is rapidly evolving, now more than ever as workers find themselves working remotely during COVID-19, therefore it’s important to keep up with what’s new and what is changing. Below you can find all parts in this series. Cloud attach - Endpoint Managers silver lining - part 1 Configuring Azure AD connect <- you are here Cloud attach - Endpoint Managers silver lining - part 2 Prepare for a Cloud Management Gateway Cloud attach - Endpoint Managers silver lining - part 3 Creating a Cloud Management Gateway Cloud attach - Endpoint Managers silver lining - part 4 Enabling co-management Cloud attach - Endpoint Managers silver lining - part 5 Enabling compliance policies workload Cloud attach - Endpoint Managers silver lining - part 6 Enabling conditional access Cloud attach - Endpoint Managers silver lining - part 7 Co-managing Azure AD devices Cloud attach - Endpoint Managers silver lining - part 8 Enabling tenant attach Cloud attach - Endpoint Managers silver lining - part 9 Renewing expiring certificates Cloud attach - Endpoint Managers silver lining - part 10 Using apps with tenant attach This multi part blog will focus on helping you get your organization cloud attached, and we will start by assuming that your environment has a few key aspects already setup: PKI enabled (guide) Intune Tenant created Azure Subscription (free trial) Licenses applied, you can grab a free trial of Enterprise Mobility plus Security which includes Intune and Azure AD Premium P2 here (free trial). In this part we will show you how to do the following: 1. Add a custom domain name to Azure 2. Set up a User Principal Name (UPN) for your on-premises Active Directory 3. Set up hybrid Azure AD Join using Azure AD Connect 4. Configure hybrid Azure AD join using Azure AD Connect So, let’s get started. Step 1. Add a Custom Domain Name to Azure Login to https://portal.azure.com select Azure Active Directory to add a custom domain name in Azure AD Directory. Select custom domain names in the left pane and then click the + Add custom domain link in the top ribbon. When presented with the Custom domain name window, enter the name of the domain you own and click the Add domain button. After adding the domain name, you’ll be shown a screen similar to the one below, you can choose to add a TXT or MX record on your DNS provider. In the example below we chose the TXT option. Enter the provided TXT record at your domain name provider. Below is example of the TXT record we entered at out providers DNS management portal. We’ve set the TTL to a low value to get this propagated quickly so that we can verify the domain. Tip: You can use a website such as dnschecker.org to see if the TXT record has propagated and can be queried, when this has happened go back to the Azure portal and click the Verify button to verify the domain. Once the domain is successfully verified, it will report as so in the Custom domain names blade. After the custom domain name is added, you can make it the Primary domain name. To do that do as follows. Select the custom domain name which you have verified above, and click on Make Primary. After doing that your custom domain name will be the new Primary domain name. Step 2. Set up a User Principal Name (UPN) for your on-premises Active Directory With the custom domain name added and set to primary we are going to add an alternative user principal name suffix into the on-premises Active Directory. This will match the domain name we have verified, so our example is azurenoob.com. This is fairly simple to set up, but once configured, we need to set this as the default for our users and we can use a PowerShell script to achieve this. Let us start off by setting the UPN, you will need to be a Domain Admin or Enterprise Admin to achieve this. Open Active Directory Domains and Trusts. Right click on Active Directory Domains and Trusts, and select Properties. Type in your new alternative name suffix into the Alternative UPN suffixes box, and click Add. Click OK. Below you can see we've added azurenoob.com. Now we need to set the alternative UPN as the default UPN for all our users. Thanks to the community we can use a PowerShell script which is already out there to achieve this, and we used a script from martinsblog.dk. You can be granular with this script, so that you only add in a specific OU for your users, or you could run it at the top level of the domain. Below is the properties of an user with the new UPN applied. Step 3. Set up hybrid Azure AD Join using Azure AD Connect You can use Azure AD Connect to integrate on-premises and online directories. It can synchronize computer, user and group objects and assist with single sign-on in both directories as well as password sync. When using the Azure AD Connect it’s recommended to download the latest release. You can obtain this from Microsoft Download Center. A minimum of version 1.1.819.0 is needed, but this is an old version, you would be better off downloading the latest and using the newer features available with that release. Download Azure AD Connect here. After downloading and installing the tool, launch it and Agree to the terms and conditions before clicking Continue. We have the choice of running an express installation or customizing the install. Microsoft recommends using the customize option if you have multiple forests or if you want to configure optional features, otherwise you can continue with the Use express settings option. In the steps below we run through the options you'll see when choosing Use Express Settings. Next, enter the Global Admin login details for your Azure Ad environment. Click Next and then enter the Enterprise Admin credentials for the on-prem Active Directory Domain Services. Note: The Azure AD sign-in configuration page only shows if you did not complete verify your domains in the prerequisites. If you see this page, then review every domain marked Not Added and Not Verified. Make sure those domains you use have been verified in Azure AD. Click the Refresh symbol when you have verified your domains. If you have domains marked as Not Added then see the next step. The azurenoob.com domain is Verified as we verified this domain in Azure AD. This also means we will be able to sign in with the same credentials in our on-premises Active Directory as we also added in the UPN. Select the checkbox to Continue without matching all UPN suffixes to verified domains if one of your UPN suffix values is not added, for example the windowsnoob.lab.local address is in the state Not Added. You will only have this checkbox available if you have a Not Added entry and you must check the box in order to continue. Click Install We have enabled the checkbox for Start the synchronization process when configuration completes as we want the synchronization process to start once we have completed the wizard. If you do not enable this, the sync will be configured but won’t run until you re-run the Azure AD Connect wizard. Click Install. After clicking Install the wizard will start configuring. And after a few minutes it’s complete. You can close the wizard by clicking on Exit. Step 4. Configure hybrid Azure AD join using Azure AD Connect With the express settings configured, we now need to configure Azure AD Connect for hybrid Azure AD join of our on-premises devices. Launch the Azure AD Connect wizard and click Configure to continue. On the Additional tasks page, select Configure device options, and then select Next. Select the option to Configure Device Options. On the next screenshot note that we are interested in Hybrid Azure Ad join and that Hybrid Azure AD join enables devices in your Active Directory forest to register with Azure AD for access management. Computers in your organization will automatically discover Azure AD using a service connection point (SCP) object that is created in your Active Directory forest. On the Overview page select Next. On the Connect to Azure ad page enter the credentials of your Global Admin. On the Device options screen, select Configure Hybrid Azure AD join to synchronize our on-premise devices and to configure them for Azure Ad join. The Service Connection Point (SCP) needs to be configured for each forest where you want to enable Hybrid Azure AD join. We only have the one forest. Click the Add button. Select Windows 10 or later domain-joined devices and then click Next. Select the check box beside your on premise domain and then click Add. Enter your Enterprise Admin Credentials when prompted. Click Next. And at the Ready to configure screen click Next. At the Configuration complete, click Exit. You can verify the success of the above by opening Adsiedit, selecting Services, expand Device Registration Configuration, as shown below in keywords and objectcategory. That's it for this part, join us in Part 2 where we will prepare your environment for a Cloud Management Gateway. Useful links Conditional Access mfa breaks azure ad connect synchronization - https://www.alitajran.com/conditional-access-mfa-breaks-azure-ad-connect-synchronization/ Cloud attach and Microsoft Endpoint Manager - https://techcommunity.microsoft.com/t5/business-continuity-and-disaster/cloud-attach-and-microsoft-endpoint-manager/m-p/1498577 Download Azure AD Connect - Download Microsoft Azure Active Directory Connect from Official Microsoft Download Center Azure AD connect prerequisites - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites How to setup Azure AD Connect using express settings - https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-express

ok first things first, the SMSTSPostAction variable is for use in operating system deployment task sequences to do an action after the task sequence has completed, are you planning on installing SEP as part of a task sequence ? if so use an Install Application step instead of Install Package if that's easier, or even run PowerShell script... but first, if you really want to install the app just using a powershell script then test the script on a virtual machine standalone, outside of a task sequence

If anyone gets an access denied error at the last step (certutil -crl), then please reboot your Issuing CA server once and then issue the command again. I had this issue and apparently several other users had this too per various forums.

Introduction I've been thinking about doing something with this issue for some time now and finally got around to implementing it, however credit where credit is due I've based this on a method developed by a colleague of mine (Magnus Mourujärvi) to work with a 3rd party's custom boot wims. Basically that method is a registry hack which takes place in the boot wim. Problem We've all seen this happening, you get new hardware, you PXE boot, it pulls down the boot wim but as you don't have network drivers in your boot wim the task sequence won't run, or worse it just reboots without telling you why. checking the SMSTSLog will give you clues as to the problem... Troubleshooting it further would involve doing some clever use of wbemtest to find out what the network card pnp device id is in order to identify what the right driver is to be added into your boot wim. It was this process that I wanted to simplify, making it easy to identify the problem and the helping the user identify the Network card in question. Solution Add two files to your boot wim, update them to the distribution points and sit back and watch the show. Well ok, not quite that easy, there are some steps to do, documented below. Step 1. Get the script Note: there is a newer version of the script here which also checks for SATA connections (storage) Download the CheckForNetwork.vbs script here. Yeah it's a vbs, if I get time I'll convert it to PowerShell. CheckForNetwork.zip Extract it to C:\Temp In the script locate the ServersToPing array and edit it to match one or more servers you want to ping in your address, and save the script. Step 2. Copy a file from the MDT 2013 Toolkit Locate your MDT Toolkit files package and browse to the folder matching the architecture of the boot image you intend to edit, for example if you plan on editing the x64 boot wim then use a path similar to below: \\sccm\d$\sources\os\MDT 2013\Toolkit\Tools\x64 Locate a file called windowhide.exe and copy it to C:\Temp Step 3. Create some temp folders On the C:\ of your chosen server, create the following folder structure C:\Mount C:\WinPEMount\ C:\WinPEMount\X64 C:\WinPEMount\X86 Step 4. Make a copy of your boot wim Identify your target boot wim in the Configuration Manager console as shown below, this will be the boot wim we are going to make changes to... Right click the boot wim and select the data source folder, make a note of the Image Path Make a backup copy of the boot wim (ctrl+c and then ctrl+v) and then copy the boot.wim file (or WinPE.wim if it's a MDT created boot wim) to C:\Mount as shown below. Step 5. Mount the boot wim and make some changes Using Run as Administrator, start the Deployment Imaging and Tools Environment cmd prompt as shown below In the CMD Prompt that opens, mount the boot wim by issuing the following command: dism /mount-wim /wimfile:c:\mount\boot.wim /index:1 /mountdir:c:\winpemount\x64 Tip: In the above command i'm mounting a Configuration Manager boot image called boot.wim, if this was a MDT Created boot image it would be named WinPE.wim. Now that the boot image is mounted, we can make our modifications. First we will edit a registry key but to do that, we need to mount it. Using REG.exe mount the SYSTEM hive of the mounted boot wim REG.EXE load HKEY_LOCAL_MACHINE\Mount\ "C:\WinPEMount\X64\Windows\System32\Config\SYSTEM" Once done, change the current value for CmdLine in the mounted registry hive to run our script instead reg add "HKEY_LOCAL_MACHINE\Mount\Setup" /v CmdLine /t REG_SZ /d "cscript.exe CheckForNetwork.vbs" /f Next we commit those changes to the mounted registry REG.EXE unload HKEY_LOCAL_MACHINE\Mount and now we copy two files from C:\Temp to C:\WinPEMount\X64\Windows\System32 (assuming you are editing the x64 boot image) copy c:\temp\CheckForNetwork.vbs c:\WinPEMount\x64\Windows\System32 copy c:\temp\windowhide.exe c:\WinPEMount\x64\Windows\System32 Now that we've made our changes, we want to commit them to the boot wim (write the changes) dism /unmount-wim /mountdir:c:\WinpeMount\X64 /commit as shown below Step 6. Copy the modified boot wim back to the Image Path in Step 4. Now that we've made the changes we need, copy the modified boot wim from C:\Mount back to it's original location Step 7. Update your boot image to the distribution points In the Configuration Manager console, locate your boot image, right click and update it to the distribution points as shown below Once done you are ready to test the new functionality in the boot image. Step 8. Review the changes If the network works ok in WinPE, the task sequence will load as normal and you won't see any popup, or notice anything other than an additional 12 seconds added to your boot time. However, in the event that you have no network and cannot ping any server in the array of server IP's listed in the script, you will see the following warning popup after WinPE starts (before the PXE password and before a task sequence is selected). Note: The script try's to hide Wireless nics from being displayed in the results as we don't use wireless nics for OSD, yet. As you can see from the message it provides the following info a reason for the popup (no network connectivity) lists the detected Network Card lists the PNP Device ID identifies the Computer model and gives the user some options click YES to retry (for example if the network cable was not connected) click CANCEL to open a CMD prompt if further troubleshooting is needed click OK to reboot. Below you can see what happens when the user clicks on Cancel well that's it ! have fun :-) cheers niall

Need help, I´ve followed your manual and I got error 0xffffffff on run command step. I don´t have timeout selected. Is there anything else what I can check? Thank you. @already solved by adding proper path to powershell.exe file in Win10. Thx

This list of guides is a living index, and i plan to update it whenever I write a new guide for the new versions of Microsoft Endpoint Manager Configuration Manager (MEMCM or SCCM) or Microsoft Endpoint Manager (MEM or Intune). The Current Branch release is meant for your production deployments and the Technical Preview releases are for testing new upcoming features in the product, and are aimed at Lab use only. The PKI guides are added as https communication within ConfigMgr and Intune is desired. These guides are broken down into different sections: Microsoft Endpoint Manager (MEM) - Intune Microsoft Endpoint Manager Configuration Manager (MEMCM) - Current Branch Microsoft Endpoint Manager Configuration Manager (MEMCM) - Technical Preview Setting up PKI Note: The guides in each section are sorted in the direction of oldest first. Microsoft Endpoint Manager (MEM) - Intune How can I find out version info about Intune Preview in Azure ? How can I unlock Windows Holographic for Business features in Intune Preview? How can I determine how long a blade loads in Intune Preview in Azure ? How can I check the status of my Intune service ? Intune Preview in Azure get’s a new look and Software Updates for Windows 10 ! What is Windows Information Protection and how can I use it to protect Enterprise data on Windows 10 devices using Intune Using Intune to enable WIP to protect Enterprise data on Windows 10 devices (MAM-WE) Getting started with Microsoft Graph and using PowerShell to automate things in Intune How can I integrate Microsoft Store for Business with Intune in Azure How can I create a dynamic group containing all Windows 10 version 1709 in Intune in Azure ? How can I enable MDM auto-enrollment in Azure How can I customize the start screen in Windows 10 using Intune How can I use Windows AutoPilot with a Proxy ? Troubleshooting “Something went wrong error 801c0003” during enrollment via Windows AutoPilot and Microsoft Intune Configuring BitLocker in Intune - Part 1. Configuring BitLocker Configuring BitLocker in Intune - Part 2. Automating Encryption Configuring BitLocker in Intune - Part 3. Testing the scripts How can I send notification messages using PowerShell in Microsoft Intune How can I deploy custom favorites in Microsoft Edge to Windows 10 devices using Microsoft Intune Managing devices with Microsoft Intune: What’s new and what’s next – my notes (Part 1 – new features) Managing devices with Microsoft Intune: What’s new and what’s next – my notes (Part 2 – iOS) Managing devices with Microsoft Intune: What’s new and what’s next – my notes (Part 3 – Android) Managing devices with Microsoft Intune: What’s new and what’s next – my notes (Part 4 – macOS) Managing devices with Microsoft Intune: What’s new and what’s next – my notes (Part 5 – Windows) Learn how to leverage Intune support for Microsoft Graph and PowerShell to enable powerful automation and IT security- my notes How Microsoft uses Intune internally to manage Windows devices Android device management with Microsoft Intune – Part 1. Partnerships Android device management with Microsoft Intune – Part 2. Deployment Scenarios Android device management with Microsoft Intune – Part 3. Dedicated device management Android device management with Microsoft Intune – Part 4. Coming soon and what’s new How can I create dynamic groups for different HoloLens devices in Microsoft Intune Troubleshooting app deployment in Windows Autopilot Configuring the Registered Owner and Organization in Windows Autopilot delivered PCs Removing company data from Endpoint Manager enrolled phones Office 365 issues after Windows Autopilot Displaying a welcome page after Windows Autopilot completes Adding devices to an Azure AD group after Windows Autopilot is complete - part 1 Adding devices to an Azure AD group after Windows Autopilot is complete - part 2 Gathering logs and sending an email when resetting Windows Autopilot - part 1 Gathering logs and sending an email when you need to reset Windows Autopilot - part 2 Gathering logs and sending an email when you need to reset Windows Autopilot - part 3 Adding devices or users to an Azure AD group after Windows Autopilot is complete but only when the device is marked as Compliant Using the updated & secure Retire My PC app via Company Portal Prompting standard users to confirm or change Regional, Time Zone and Country settings after Windows Autopilot enrollment is complete Microsoft Endpoint Manager Configuration Manager (MEMCM) Current Branch Installation - How can I install System Center Configuration Manager (Current Branch) Configuring Discovery - How can I configure discovery for System Center Configuration Manager (Current Branch) Configuring Boundaries - How can I configure boundaries in System Center Configuration Manager (Current Branch) Using Updates and Servicing in Offline mode - How can I use Updates and Servicing in Offline mode in System Center Configuration Manager (Current Branch) Using Updates and Servicing in Online mode - How can I use Updates and Servicing in Online mode in System Center Configuration Manager (Current Branch) Setting up the Software Update Point - How can I setup Software Updates in System Center Configuration Manager (Current Branch) Installing the Client agent - How can I configure client settings and install the ConfigMgr client agent in System Center Configuration Manager Current Branch Upgrading to System Center Configuration Manager (Current Branch) version 1602 from System Center Configuration Manager (Current Branch) version 1511 How can I use the Upgrade Task Sequence in System Center Configuration Manager (Current Branch) ? How can I use servicing plans in System Center Configuration Manager (Current Branch) to upgrade Windows 10 devices ? How can I deploy Windows 10 with MDT 2013 Update 2 integrated with System Center Configuration Manager (Current Branch) Setting up PKI Part 1 - Introduction and server setup Part 2 - Install and do initial configuration on the Standalone Offline Root CA Part 3 - Prepare the HTTP Web server for CDP and AIA Publication Part 4 - Post configuration on the Standalone Offline Root CA Part 5 - Installing the Enterprise Issuing CA Part 6 - Perform post installation tasks on the Issuing CA Part 7 - Install and configure the OCSP Responder role service Part 8 - Configure AutoEnroll and Verify PKI health How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1 How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 2 cheers niall

If you (like me) have used Quick Assist in the past you might be disappointed to know that the built in Windows 10/11 app is going to be killed off in the coming days and replaced with Quick Assist from the Microsoft Store. If you start the Quick Assist app today you'll see something like this (taken from my Windows 11 computer). the text below is taken from the official announcement. Why is this a big deal ? Well for a couple of reasons namely... If you were supporting users in Windows Autopilot using CTRL+Windows key + Q, then that built in ability will be gone. If your users are Standard Users (and they should be) then they won't be able to install the app from the Store as it requires local admin permissions. Below screenshot is from a Windows 10 vm running as a standard user. If the computer you are supporting has Store app issues (and that's a common problem, for example store apps not working after a Cumulative update was installed and waiting on a reboot). The new app uses characters as well as numbers, and that might confuse some people Ironically, the new Store apps provided instructions say nothing about the fact that the user has to download the Store app to get support. Some think this is a good thing as it means only admins can install the remote assistance app, but I think it'll just push people towards alternatives What are your thoughts on this ?