Jump to content


Windows 7 Embedded Thinclient with Write Filter active

Recommended Posts

We have a bunch of thin clients that are running Windows 7 embedded with the write filter active on them. We have the CCM, CCMcache, CCMsetup folders, and the smscfg.ini file excluded so when things are written to these the changes are applied. We are currently running CM 2012 R2.


For a months these systems will be running fine, and then out of the blue they will start showing Inactive and they seem to stop talking to the server. When you look at the client activity it will show the devices haven't talked to the server in a long while. Eventually they switch to showing the client isn't even loaded anymore on the device.


If you look at the thin clients the sccm client seems to be running fine. The only way to get the device to start talking to the server again is to stop the SMS host agent, delete the smscfg.ini file, and then start the service again. We have around 300 thin clients and I can't keep doing this manually.


Does anybody have an idea of what might be causing these systems to go into this state?


Thanks in advance for any ideas

Share this post

Link to post
Share on other sites

I can help you with that :) I had the exact same problem and solved it with a Microsoft case. Loose from that, Do you use Windows Updates on your thin Clients (with SCCM) ? By seeing your WriteFilter Exclusion Config that also has a problem and will fail.


I post the solution later on (need to search the TechNet Forum Articles)


The inactive Clients has to do with 2 exclusion your probably missing.

The Windows Updates had to do with TO MANY exclusion.


Could you post your complete Exclusion List?

Share this post

Link to post
Share on other sites

Sure.....our full exclusion list is as followed


c:\Program Files\Citrix

c:\Program Files\Common Files\Mcafee

c:\Program Files\Imprivata

c:\Program Files\McAfee






c:\users\*specific usersname*\AppData\Local\Citrix











Share this post

Link to post
Share on other sites

Do you see In the ClientIDManagerStartup.log these errors<![LOG[GetRegistrationState failed (0x8009000b)]LOG]!>


You need to add the these settings to your WriteFilter:



  • C:\Windows\System32\Microsoft\Protect
  • C:\ProgramData\Microsoft\Crypto

And this to the register Filter:

  • HKLM\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates

I have tested and applied this to 400+ Thin Clients with Windows Embedded 7 Standard. (you could use Powershell to applied the WriteFilter)

In advance Microsoft (with the windows embedded Updates problem) advised us to remove these settings from the WriteFilter:

Resolution: Remove this rules

fbwfmgr.exe /addexclusion C: "\windows\CCM"

fbwfmgr.exe /addexclusion C: "\windows\ccmsetup"

fbwfmgr.exe /addexclusion C: "\windows\ccmcache"

fbwfmgr.exe /addexclusion C: "\windows\system32\Wbem"

These folders are already Writefilter proof by design (since SCCM SP1) The SCCM Clients Handles this itself. By adding these to the filter you get very strange behavior.

More info on above: http://blogs.technet.com/b/configmgrteam/archive/2012/11/26/managing-embedded-devices-with-write-filters-in-configuration-manager-service-pack-1.aspx

Share this post

Link to post
Share on other sites

I am actively working on these Dell Wyse Thin Client WES 7 x32 using SCCM 2012 SP1 today as well. Its been a long journey getting these things to work properly and stable for the matter. Nonetheless getting support from Dell is nearly impossible to whom has experience with this and SCCM. Hoping perhaps if either of you spent time on these enough I could benefit this thread.


Would either of you know or seen where these devices go into Service Locking Mode and only the Administrator can log on? I've done some research on it and pointed to possibly the clientstate.dat is the culprit matter but not all the time. I think I've narrowed it down being the ccmsetup.exe for CU4 on the client but until you take action to put the client with Write Filter disabled and leave it for awhile, it will keep popping up. I haven't been able to locate how to Commit with Write Filter enabled, do you know?


Also, last question is how do you get GPO to persist, or do you have to remove Write Filter first then apply GPO, wait, reboot, turn Write Filter on, etc.? I am trying to set the GPO policy to Enable the "Disable Machine Password". I've been told that needs to be set or you will start seeing the machines fall off the Domain and we see it already on the old build...


T1ml can you update the hyper-link because it appears to be going to the wrong URL. I am curious what is posted.


Any help is greatly appreciated.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...