ConfigMgrDogs

DPUpgradeThreadLimit Modification

Matt Shadbolt [MSFT] — Mon, 15 Dec 2014 22:42:00 GMT

I’ve recently spent some time with a customer deploying a large amount of Distribution Points in their ConfigMgr 2012 R2 hierarchy. They were finding themselves running into bottlenecks during the deployment, and with the help of the ConfigMgr Product Group, a new Site Control File property modification is now being supported.

Distribution point installations or upgrades may take longer than expected in System Center 2012 Configuration Manager

http://support.microsoft.com/kb/3025353

The DPUpgradeThreadLimit property by default is set to five. The property should be carefully increased in environments where many Distribution Points are being installed/upgraded in parallel.

As the property is not visible by default, we need to create and set the new property. This will add the property and set it to the $newValue value across all of your Sites.

This script is provided as-is and provides no warranties. Please thoroughly test in a lab environment, and see the Configuration Manager SDK for more information.

param(
[string] $siteServerName=".",
[int] $newValue=10
)

$providerLocation = gcim -ComputerName $siteServerName -Namespace root\sms SMS_ProviderLocation -filter "ProviderForLocalSite='True'"
$providerMachine = $providerLocation.Machine
$sitecode = $providerLocation.SiteCode
$providerNamespace = "root\sms\site_" + $sitecode
$siteFilter = "SiteCode='" + $sitecode + "'"

$distmgrConfig = gcim -ComputerName $providerMachine -Namespace $providerNamespace SMS_SCI_Component | ? {$_.ComponentName -eq "SMS_DISTRIBUTION_MANAGER"}

ForEach ($distMgrObject in $distmgrConfig) {

    $properties = $distMgrObject | select -ExpandProperty Props
    $threadLimitProperty = $properties | ? {$_.PropertyName -eq "DPUpgradeThreadLimit"}
    if($threadLimitProperty -eq $null)
    {
        write-host "Previous setting for DPUpgradeThreadLimit was using default, updating to $newValue"
        $newProperty = New-CimInstance -ComputerName $providerMachine -Namespace $providerNamespace -ClassName SMS_EmbeddedProperty
        $newProperty.PropertyName = "DPUpgradeThreadLimit"
        $newProperty.Value = $newValue

        $newPropertyList = @()
        $properties | % { $newPropertyList += $_}
        $newPropertyList += $newProperty

        $distMgrObject.Props = $newPropertyList
        scim $distMgrObject
    }
    else
    {
        write-host "Previous setting for $($DistMgrObject.SiteCode) DPUpgradeThreadLimit was $($threadLimitProperty.Value), updating to $newValue"
        $newProperty.PropertyName = "DPUpgradeThreadLimit"
        $newProperty.Value = $newValue

        $newPropertyList = @()
        $properties | % {
            if($_.PropertyName -eq "DPUpgradeThreadLimit")
            {
                $_.Value = $newValue
                $newPropertyList += $_
            }
            else
            {
                $newPropertyList += $_
            }
        }

        $distMgrObject.Props = $newPropertyList
        scim $distMgrObject }
}

Script to remind Office 365 users to enrol their device to InTune

Matt Shadbolt [MSFT] — Mon, 08 Dec 2014 22:08:17 GMT

When I have a little downtime (which isn’t often!), I like to sit around and think of cool things I can automate using PowerShell. I have a .txt file that I put all these ideas into and every now and then have a crack at solving one.

Just recently I was playing around with Office 365 and Windows InTune and this idea struck me.

With the licensing model of Office 365 being user based, people are syncing their mail to more and more devices. They’ll have Outlook on their work laptop, email syncing on their Windows Phone, and probably syncing on their Apple and/or Android tablet as well. The problem with having so many devices is IT tracking and managing their corporate data. Of course, InTune is the obvious tool to manage these devices.

Getting your users to enrol their devices into InTune is one of the main challenges. As the registration has to happen from the end users side, I thought I’d write a script to help pester your users into registering their iPads, iPhones, Androids and WPs into your InTune MDM.

The idea is for this script to be run as a scheduled task. It will connect to your o365 tenant subscription and discover all those users who have synced their device with o365 since the last scheduled task ran. It will then send that user an email reminding them to enrol their device to InTune.

The email to your users can obviously be customized, but here’s a look at what I’ve given you by default

I’ve also added a testing mode switch, so you don’t spam your o365 users while doing your dev and test.

Here’s the script.

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030
031
032
033
034
035
036
037
038
039
040
041
042
043
044
045
046
047
048
049
050
051
052
053
054
055
056
057
058
059
060
061
062
063
064
065
066
067
068
069
070
071
072
073
074
075
076
077
078
079
080
081
082
083
084
085
086
087
088
089
090
091
092
093
094
095
096
097
098
099
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

$O365Username = "your@username.onmicrosoft.com" #Add your o365 admin username here
$SendEmail = $true #Change this to $false during testing. Output will be returned to the console
$DeviceRegistrationTimeFrame = -1000000 #Set this to the schedule of your scheduled task
$InServiceMode = $true #Configure this to $true when running as a scheduled task. This stops the PSSession from unloading everytime it's run

# Ensure o365 session
$SessionState = Get-PSSession
ForEach ($Session in $SessionState) {If ($Session.ConfigurationName -ne "Microsoft.Exchange") {Connect-O365}}
If (!$SessionState) {Connect-O365}

# Get o365 data
Get-MobileDevice | Where{$_.WhenCreated -gt (Get-Date).AddHours($DeviceRegistrationTimeFrame)} | ForEach-Object {

$User = Get-User -Identity $_.UserDisplayName
$AccountDisplayName = $User.DisplayName
$AccountFirstName = $User.FirstName
$AccountEmail = $User.WindowsEmailAddress
$DeviceId = $_.DeviceId
$DeviceOS = $_.DeviceOS
$UserDisplayName = $_.UserDisplayName
$ClientType = $_.ClientType
$IsCompliant = $_.IsCompliant
$IsDisabled = $_.IsDisabled
$Name = $_.Name
$WhenChanged = $_.WhenChanged
$WhenCreated = $_.WhenCreated
$Id = $_.Id
$IsValid = $_.IsValid

# Email authorization

If ($IsDisabled -eq $true) {$SendEmail = $false}
If ($IsValid -eq $false) {$SendEmail = $false}

# Mail info

$SMTPServer = "smtp.office365.com"
$SMTPPort = 587
$SMTPCredential = $UserCredential
$EmailRecipient = $AccountEmail
$EmailSender = $O365Username
$EmailSubject = "$AccountFirstName, don't forget to enroll your device to InTune!"
$Body = `
"<html>
<head>
<title>Enroll Your Device Today!</title>
<style>
body {
font-family: Verdana;
}
#HeadingTitle {
text-align: center;
font-size: large;
margin-top: 10px;
color: blue;
}
#HeadingBox {
width: 60%;
height: 70px;
background-color: yellow;
position: absolute;
top: 10px;
left: 20%;
right: 20%;
vertical-align: middle;
background-color: white;
}
#BodyText {
width: 60%;
height: 60%;
position: absolute;
top: 100px;
left: 15%;
right: 20%;
vertical-align: middle;
text-align: center;
}

table.center {
    margin-left: auto;
    margin-right: auto;
font-size: x-small;
position: relative;
top: 30px;
color: gray;
}

</style>
<body>
<div id=""BodyText"">

<img src=""https://secure.aadcdn.microsoftonline-p.com/aadbranding/1.0.1/aadlogin/Intune/logo.png""></img><p>

Hello $AccountFirstName, <p>

Thank you for syncing your device with Office 365! <p>

To ensure your device is fully managed and supported by the internal IT team, please now enrol your device into InTune via the link below <p>

<a href=""http://manage.microsoft.com"">Manage My Device!</a><p>

Thanks,<p>

<b>Your IT Team</b>

<table class=""center"">
<tr>
<td><b>Username</b></td>
<td>$UserDisplayName </td>
</tr>
<tr>
<td><b>Enrolled</b></td>
<td>$WhenCreated </td>
</tr>
<tr>
<td><b>Device OS</b></td>
<td>$DeviceOS </td>
</tr>
<tr>
<td><b>Device ID</b></td>
<td>$DeviceID </td>
</tr>
</table>
</div>
</body>
</html>"

# Send Email
If ($SendEmail -eq $true) {
Send-MailMessage -To $EmailRecipient -From $EmailSender -Subject $EmailSubject -UseSsl -Port $SMTPPort -SmtpServer $SMTPServer -Credential $SMTPCredential   `
-BodyAsHtml -Body $Body }
Else {
Write-Host "----- Output to console for testing -----"
Write-Host "----- To: $EmailRecipient -----"
Write-Host "----- From: $EmailSender -----"
Write-Host "----- Subject: $EmailSubject -----"
Write-Host "----- Body: Not added to testing -----"
}

}

# Close Session if not in service mode
If ($InServiceMode = $false) {
Get-PSSession | ForEach-Object {If ($_.ConfigurationName -eq "Microsoft.Exchange") {Disconnect-o365 $_.ID}}
}

Function Connect-O365 {

$UserCredential = Get-Credential -UserName $O365UserName -Message "Enter o365 password"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

}

Function Disconnect-o365 ($SessionID) {

Remove-PSSession $SessionID

}

Matt Shadbolt

PowerShell Script to check active package distributions

George Smpyrakis — Tue, 02 Dec 2014 22:16:27 GMT

Hi All,

I had a need at a customer to write a script that would identify any active package distributions at a primary site via WMI. Although DPJobMgr will also give you more information and control this script returns a quicker result and in the case I was dealing with when you have a large number of active package distributions this can come in handy. Hopefully you'll find it useful.

The script is based on the SMS_DistributionJob Server WMI Class

(UPDATE. Matt just provided me with the following code that will give you your Primary site code automatically from WMI. thanks Matty.

##################################################

$providerLocation = gcim -ComputerName $siteServerName -Namespace root\sms SMS_ProviderLocation -filter "ProviderForLocalSite='True'"

$sitecode = $providerLocation.SiteCode

$providerNamespace = "root\sms\site_" + $sitecode

###################################################

Updated script below

)

####################################################################################################################################

##Check the content distribution queue on a primary

$providerLocation = gcim -ComputerName $siteServerName -Namespace root\sms SMS_ProviderLocation -filter "ProviderForLocalSite='True'"
$sitecode = $providerLocation.SiteCode
$providerNamespace = "root\sms\site_" + $sitecode

$count = (Get-WmiObject -Namespace $providerNamespace -Class SMS_DistributionJob).count

$Activethreadcount = (Get-WmiObject -Namespace "root\SMS\Site_$($SiteCode)" -Class SMS_DistributionJob | Where {$_.Starttime -ne $null}).Count

$Activethreads = Get-WmiObject -Namespace "root\SMS\Site_$($SiteCode)" -Class SMS_DistributionJob | Where {$_.Starttime -ne $null} | Format-List -Property Starttime, RemainingSize

Write-Output "Total Current Active Distributions $($count)"

Write-Output "Total Active Threads Count $($Activethreadcount)"

Write-Output "Current Threads" $Activethreads

####################################################################################################################################

Feel free to post any updates or even scripts that you've written in the comments below.

If you want to look at other classes that could provide you with more information just check out the following MSDN reference

http://msdn.microsoft.com/en-us/library/hh948405.aspx

20 Years Of SMS/Configuration Manager

Matt Shadbolt [MSFT] — Thu, 06 Nov 2014 21:00:00 GMT

On the 7th of November 1994, a little product called Systems Management Server (SMS) 1.0 was released. Since that date, there have been four major revisions (SMS 2.0, SMS 2003, ConfigMgr 2007 and ConfigMgr 2012), three Service Packs (ConfigMgr 2007 SP1 & SP2, ConfigMgr 2012 SP1), three Rx releases (ConfigMgr 2007 R2 & R3, ConfigMgr 2012 R2) and countless Release Candidates/Betas, Cumulative Updates (CU’s) and Hotfixes!

I thought it would be really cool to check out the Wayback Machine for the TechNet page for the day that SMS 1.0 was released, but back then TechNet.com wasn’t even around! (how did we ever find our supportability numbers!)

The first mention of SMS on the Wayback Machine TechNet is in mid 2000 and talked about deploying SMS 2.0, administering Inventory and Software Metering, as well as the standard Server Sizing advice we all so heavily rely on. (in their Contoso sizing example, the Central Site with 14k clients required a server with a whopping 300-MHz processor and 256 MB of RAM!)

http://web.archive.org/web/20000817202621/http://www.microsoft.com/technet/sms/

(I love that the comments and suggestions hyper-link is a mailto:technet@microsoft.com)

I was fortunate enough to not have really dealt with SMS, starting my Systems Management journey with Configuration Manager 2007 but some of my colleagues remember those days well.

Sebastian Baboolal, Senior PFE at Microsoft

I started with SMS 2.0. SP5 back around 2004.

I was working for Microsoft support back then. We had one week of training and we were put on the phones.Classic trial by fire. My first call was a critsit for a customer. They had a large environment at the time > 100K clients being managed. They had a top-level SMS site. Then sites under that with lots of other primary sites under those. One of the 2^nd tier primaries went belly up. Had to do a DR on that site. We didn’t cover DR at all in the training (just my luck). Back then you had to go thru like 20 pages of stuff to get the site back up. I was on that call for 14 hrs. Did not leave my desk. We got it fixed but then I was thinking what in the world did I get myself into.
Glad we’ve moved on from CAPs and smsclitoken accounts but did like die_evil_bug_die and dial_me_in_baby

George Smpyrakis, Senior PFE at Microsoft

I started with SMS 1.2 back in 1997. I had just started in IT straight out of Uni and helped setup these Site Servers that seemed to take an entire day to complete. I took these boxes out to a couple of remote sites and got them up and running then started the long and arduous procedure of attempting to install the client on the workstations. At the time we used it as a Remote control tool for the workstations and In the end it only lasted a couple of months before we removed it and that was a monumental effort in itself as the client seemed to never go away. A few years later a lovely virus called Nimda came along and brought the company I was working for to a halt. We literally had to go around the State of Victoria with floppy disks (Look it up for those under 30.) to patch each workstation so we could bring Internet access back. That’s when my Manager came up to me and said I want you to run with SMS so we never have to do that again. So I then Implemented and starting using SMS 2.0 and have never looked back…

Anthony Watherston, PFE at Microsoft

I started with SCCM 2007 implementing it because I had nothing better to do and looking to expand my horizons – some of my favourite memories.

Reading through log files in Notepad until my eyes hurt – then discovering trace32
The satisfaction of being able to remotely rebuild machines – we used to have people ship the box to us so it could be rebuilt
Finally patching an enterprise – then fighting with people because they wouldn’t reboot their machines when patches were installed
Releasing a hotfix to 180 secondary servers then watching as all the high impact tickets rolled in because all the site systems were reinstalling.
Learning patience when installing new sites – sometimes things just take time to appear in the console
Working all day on an issue – then doing a site reset and fixing it instantly

Through all this though it is one of the most complex systems management products and only limited by your imagination as to what you can do!

Russell Stevens, Senior PFE at Microsoft

I started with SMS (slow moving software) version 2.0 RTM in a distributed environment at a UK government department that may have had something to with mail in 2000…

Highlights include:

SMSServer and SMSClient connection accounts for hundreds of Primary and Secondary sites.
Software Metering ‘mark one’
Switching from NT 4.0 domains to Active Directory domains (see point one).
Restoring SMS 2.0 without a wizard, hours and hours and then monitoring for weeks and weeks.
Preinst.exe became a useful companion from 2.0 -> 2003 -> 2007 –> 2012
Seeing the feature packs become part of the Configuration Manager OSD\BDD, Software Updates (remember ITMU……..)
Gigantic DDR backlogs.

It has been a great ride with some ups and downs, and has delivered some outstanding results over the 20 years, loved it.

So here’s to ConfigMgr! May our next 20 years be full of smooth CU upgrades, clear of inbox backlogs and void of all accidental deployments!

Matt Shadbolt

Managing APP-V Deployments in ConfigMgr 2012

Ian Bartlett — Mon, 03 Nov 2014 05:30:32 GMT

Many customers are still configuring collection structures similar to 2007 and using collections to control the validity of who should receive which applications.

Where possible we should be changing how we now manage application deployments and move the validity processing of the application back to the client by using our Global Conditions (state based) to manage Requirement Rules. This works well for many Off The Shelf (OTS) applications that do not have specific procurement constraints as we can safely deploy this category of applications to ALL USERS and if needed implement an Application Approval workflow. Where I am increasingly seeing customers still reverting back to specific targeted of applications, normally based of an AD Security Group, is for APP-V application deployments.

I continue to see a large uptake of APP-V in many customer sites as we move towards a user-centric mobile environment, which is great, however I am seeing a lot of customers experiencing poor publishing times of virtual applications which is often a result of poor administrative processes.

In SCCM 2007 we had the option to instruct the virtual application advertisement to auto remove the virtual application when the advertisement was no longer available to a client. Unfortunately this option is no longer available in 2012 and as a result many customers have gone searching for a solution by looking to the ConfigMgr Community forums. Unfortunately a lot of members of the community are simply recommending to use the general deployment rule that an INSTALL deployment takes precedence over an UNINSTALL deployment. As a result many of the community forums have been instructing customers to simply create an UNINSTALL deployment for each virtual application and target this to the ALL USERS or ALL SYSTEMS collections. Please DO NOT DO THIS as you will continue to experience slow publishing times for APP-V applications.

If you are already doing this approach, I strongly recommend you read this blog to understand why this is a BAD idea and be VERY CAUTIOUS in your approach to undo this setup. DO NOT do a BIG BANG approach and remove all of the current UNINSTALL deployments in one hit and create the new recommended workflow as this will cause a huge amount of deployment policy objects potentially causing significant issues in your environment. It would be very advisable that you slowly stage the changes in your environment over a few days to prevent a mass number of policy changes in one hit.

When to use explicit collections for Tier 2 applications?

Only when you have specific LOB applications that require a REQUIRED Deployment.

Valid Reason: APP-V Deployments where an automatic unpublished workflow is required

AGAIN DO NOT Target APP-V Uninstall deployments to the ALL USERS / ALL SYSTEMS collection as mentioned in many other forums. This will only delay your application publishing times and add unnecessary load on your ConfigMgr environment.

Understanding WHY this is BAD practice

When a client polls for new policy changes, a SPROC is run by the Management Point consuming SQL resources.

The more records in ResPolicyMap and DepPolicyAssignment, the more CPU time required to process the “GET” SPROC like

MP_GetMachinePolicyAssignments – Machine Targeted Deployments

MP_GetUserAndUserGroupPolicyAssignments – User Targeted Deployments

ResPolicyMap maps the resource ID and PADBID, (unique identifier for the policy). You can Query the count of ResPolicyMap objects to determine the number of policies being targeted to each user / system that must be processed.

DepPolicyAssignment links a policy object with its dependency polices and are provided to both users &/or machines when a policy request is initiated.

Examples:

Application Requirement Rules defined
Multiple Deployment Types per application

How you should mange APP-V Deployments in your environment

Minimise the number of Required Deployments to the ALL USERS / ALL SYSTEMS Collections.
Prevent making any large policy changes that target the ALL USERS / ALL SYSTEMS collections, or any large number of objects in one hit.
Create an explicit UNINSTALL Collection for each REQUIRED Install Deployment.
Base the Collection membership on the compliance state of the application = true and exclude the INSTALL collection.

Below are examples of the Collection Queries you can use to manage an auto un-publish workflow for App-V deployments based off an AD Security Group.

USER Centric Deployments.

1. Create an AD Security group for the application you are deploying.

2. Create an INSTALL Collection for each Virtual Application with a dynamic query linked to the AD Security Group. Target the INSTALL Deployment for each APP-V Application to this Collection.

2. Create a specific UNINSTALL Collection for each Virtual Application with a dynamic query using the syntax below. Also add an explicit EXCLUDE Collection membership rule that excludes the INSTALL Collection for that application. Ensure the application name matches that listed in the ConfigMgr database.

select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain
from SMS_R_User inner join SMS_G_System_AppClientState on SMS_R_USER.UniqueUserName = SMS_G_System_AppClientState.UserName
where SMS_G_System_AppClientState.AppName = "APPLICATIONNAME"
and G_System_AppClientState.ComplianceState = 1

Example

Create and Target the UNINSTALL deployment policy to the UNINSTALL Collection.

The result will be…. When a User is added to the AD Security Group the virtual application will be made available to the end user and install silently. When the user is removed from the AD Security group that has previously successfully published the APP-V application, they will be added to the UNINSTALL collection resulting in the virtual application being automatically removed from the client only then. This approach will minimise the ongoing policy objects that every user in the organisation will have to process.

Disclaimer: The queries and examples provided in this post are offered “AS IS” and should be used at your own discretion. Please ensure extensive testing be done before implementing this solution into any production environment. While this solution has been tested and confirmed, the ConfigMgrDogs team takes no responsibility for any unexpected results this may have in your ConfigMgr 2012 environment.…

Monitoring ConfigMgr Clients Using System Center Operations Manager

Matt Shadbolt [MSFT] — Mon, 13 Oct 2014 03:43:02 GMT

Microsoft MVP and my Premier customer from last week, Tao Yang was telling me about his custom SCOM Management Pack used to monitor the health of your ConfigMgr clients.

Monitors include:

DCM Compliance
Missing hardware and software inventory
Failed application deployments
Pending software updates
CCMExec monitoring
Pending reboot detection
Many more…

http://blog.tyang.org/2014/10/04/updated-configmgr-2012-r2-client-management-pack-version-1-2-0-0/

This is an invaluable resource, and such a good example of the very smart MVP’s doing great work that benefits all of the System Center community.

Nice work Tao!

Matt

R2 CU3 Management point communications update

George Smpyrakis — Wed, 01 Oct 2014 02:48:02 GMT

Hi All,

with the release of R2 CU3 we now have the ability to restrict which Management points a client can talk to. This can be particularly useful in case you have a Remote MP or only certain MP’s a client can access.

All we simply need to do is

Install the Client Hotfix KB2994331 which comes with the CU3 update above. The Client version will be 5.00.7958.1401

add a new REG_MULTI_SZ (multi-string) type key under HKEY_LOCAL_MACHINE\Software\Microsoft\CCM on each client called AllowedMPs and add the FQDN of the Management Point we want to allow the client access to. (We can control this with Compliance Settings.)

After restarting the SMS Agent Host we can see that our MP is being forced in the Locationservices.log

and we can confirm that we are talking to the correct MP in ClientLocation.log

keep in mind the following Note from the CU3 update

Note After this value is defined, there is no fallback or other method for clients to communicate with other MPs. This new entry is only intended for permanently located workstation and server clients and is not portable to devices such as mobile PCs or tablets.

First 100 at TechEd Melbourne

Matt Shadbolt [MSFT] — Tue, 23 Sep 2014 23:19:00 GMT

Morning Gang,

Well, TechEd Australia 2014 is less than two weeks away, and Ian, George and I are furiously fine tuning our demos in time for our Wednesday session.

As a special treat for the first 100 people into our session, we’re giving away some very cool looking ConfigMgrDogs badges!

We’ll also have a t-shirt give-away for one lucky person who tweets a picture of themselves wearing their badge, hash tagging #ConfigMgrDogs.

Looking forward to seeing you all in Melbourne!

Matt

TechEd 2014 Australia: ConfigMgrDogs Troubleshoot ConfigMgr 2012 (Melbourne)

Matt Shadbolt [MSFT] — Wed, 17 Sep 2014 06:20:17 GMT

Hey ConfigMgrDogers!

The TechEd 2014 Australia schedule has been announced, and confirmed ConfigMgrDogs will be presenting at Melbourne only. Unfortunately, George, Ian and myself won’t make it to the Sydney TechEd, however our session will be recorded and posted on the ConfigMgrDogs blog. Please add the session to your schedule (we want the big room) and retweet to those you know attending.

See you all there!

Matt, Ian & George.

ConfigMgrDogs Troubleshoot ConfigMgr 2012

Date: Wednesday, 8 October

Time: 3:00 PM - 4:00 PM

Room: Datacenter and Infrastructure Management

Session Type: Breakout

Session Code: DCIM.004

Session Levels: 400

For those attending, here are all the relevant links:

Public Information : http://techedmelbourne.azurewebsites.net/SessionDetail.aspx?id=19005

Add to My Schedule : http://techedmelbourne.hubb.me/Sessions/Details/19005

Tweet about our session: https://twitter.com/intent/tweet?&hashtags=ConfigMgrDogs,ConfigMgrDogsAtTechEd,DCIM.004

Wake On LAN Proxy “Have You’s?”

Matt Shadbolt [MSFT] — Wed, 10 Sep 2014 03:48:00 GMT

If you’re trying to get the Wake On LAN Proxy feature of ConfigMgr 2012 SP1+ working, there’s a lot of steps required. Here’s a simple list of “have you’s?” to make sure you haven’t missed any requirements. For a more detailed guide, check out Muhammad Adil’s blog post.

1. Have you enabled Wake On LAN on the Site?

For traditional Wake On LAN (broadcast based), select the Subnet-directed broadcasts option. If you want to use the Wake On LAN Proxy feature, you must select the Unicast method.

2. Have you enabled the Wake On LAN features in your clients Power Management policy settings?

3. Have you ensured that Wake On LAN ports are being allowed through firewalls? Both hardware and software?

4. Have you got Hardware Inventory enabled?

5. Have you ensured the Hardware Inventory information correct?

The WOL features use the IP Address provided by the Hardware Inventory scan as the target addresses. If you’re running Hardware Inventory every 7 days, these addresses may be stale and obviously unusable/.

6. Have you confirmed your switches forward UDP packets?

Confirm with your networking team that UDP packet forwarding has been configured across every network switch between your ConfigMgr servers and the target clients. Don’t forget those $99 switches under someone's desk!

7.Have you ensured your BIOS hardware support wake-up packets? Is the feature turned on in BIOS? Is it enabled on the NIC?

(Note: this is a screen cap of my wireless network adapter as my laptop doesn’t have a physical NIC. We do not support Wake On LAN via the Wireless network adapter)

8. Have you checked that your network settings are not effecting supportability?

802.1X port authentication, MAC address binding on switches and MAC flapping being blocked will all cause unicast Wake On LAN to fail.

Matt

WMI / Powershell and the Configuration Manager Client

Anthony Watherston — Thu, 04 Sep 2014 23:00:00 GMT

A bit about me first :- my name is Anthony Watherston and I’m a Premier Field Engineer in Melbourne. Currently working with Configuration Manager and Orchestrator – plus I try to do everything I can with Powershell!

Last week I had a need for accessing the Configuration Manager client on a remote system. As this was developing an automated solution I didn’t have the option to use the Control Panel applet or the Configuration Manager console to trigger actions on the client. What I needed to find was a way to trigger actions remotely using Powershell – the answer lies in the methods associated with WMI classes.

As WMI is a class based system, each object has associated properties and many of these have methods as well. Below are some examples of how to call some of the built in WMI methods which are part of the Configuration Manager Client namespace. A detailed description of the client and its classes can be found at http://msdn.microsoft.com/en-us/library/jj874139.aspx

Determine if a system has a reboot pending

The Configuration Manager client has a class called CCM_ClientUtilities – in Wbemtest I can access it by connecting to root\ccm\clientsdk. In the diagram below we can see the methods associated with this class.

So how do I trigger these methods using Powershell – the Invoke-WMIMethod cmdlet.

To get a list of associated methods I can use the command below: -

Get-WmiObject -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -List | select -ExpandProperty Methods

This gives me the list of methods below:-

Now if I want to trigger one of these methods I can use my Invoke-WMIMethod cmdlet and supply the method name.

Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending

There is a lot of information in these results, I only want to know the value of the RebootPending flag. I can wrap my command in parentheses and specify the property name after a dot to only return that value.

(Invoke-WmiMethod -ComputerName $remoteMachine -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending).RebootPending

Now that I have this information I could force the machine to reboot if the result is true using one of the other methods in this class – RestartComputer.

$rebootPending = (Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending).RebootPending

if ($rebootPending)
    {
    Invoke-WmiMethod -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name RestartComputer
    }

Of course if I wanted to perform this on a remote machine I can use the WMIObject computername parameter and specify a remote machine.

$remoteMachine = "AW-SVR01"

$rebootPending = (Invoke-WmiMethod -ComputerName $remoteMachine -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name DetermineIfRebootPending).RebootPending

if ($rebootPending)
    {
    Invoke-WmiMethod -ComputerName $remoteMachine -Namespace root\ccm\clientsdk -Class CCM_ClientUtilities -Name RestartComputer
    }

Trigger a client action

I can use the same theory in order to trigger policy retrieval on a machine. Each action is specified by a schedule value, supplying these to the TriggerSchedule method will force the client to perform an action. For instance the script below will trigger a Machine Policy Retrieval & Evaluation cycle on a client.

$trigger = "{00000000-0000-0000-0000-000000000021}"

Invoke-WmiMethod -Namespace root\ccm -Class sms_client -Name TriggerSchedule $trigger

As with the other script I can supply a computer name parameter to the command to have it execute on a remote machine.

Determine assigned site

The last method is one which will allow you to determine a client’s assigned site. I can use the GetAssignedSite method to retrieve the site code.

(Invoke-WMIMethod –Namespace root\ccm –Class SMS_Client –Name GetAssignedSiteCode).sSiteCode

There are many more methods available to use within WMI – stay tuned for more.

BREAKING: ConfigMgrDogs Together for Teched 2014!

Matt Shadbolt [MSFT] — Wed, 27 Aug 2014 04:37:54 GMT

The ConfigMgrDogs boys will be getting together to deliver at TechEd Australia 2014!

George, Ian and I will be delivering the ConfigMgrDogs Troubleshoot ConfigMgr 2012 (Level 400) session at both Melbourne and Sydney. We’ve got some exciting demos planned, and a surprise or two to be announced via the blog and Twitter. Subscribe to the blogs RSS here, or follow us on Twitter.

Details haven’t formally been released, so stay tuned for more information!

To wet your appetite, check out our previous TechEd sessions.

Microsoft Application Virtualization 5.0: Introduction (TechEd 2012)

http://channel9.msdn.com/Events/TechEd/Australia/2012/WCL312

Implementing Security Compliance Manager for Compliance in SCCM 2012 (TechEd 2012)

http://channel9.msdn.com/Events/TechEd/Australia/2012/SIM424

PowerShell for ConfigMgr 2012 SP1 (TechEd 2013)

http://channel9.msdn.com/Events/TechEd/Australia/2013/WCL416

Modern Style ConfigMgr Visio Stencil

Matt Shadbolt [MSFT] — Mon, 25 Aug 2014 05:18:48 GMT

I went searching for some nice looking ConfigMgr Visio Stencils this morning and found the most amazing set created by Ryan Boud.

You can download the stencils here (http://gallery.technet.microsoft.com/Modern-Style-Visio-da5a7470) and visit his blog (http://hmmconfused.wordpress.com/)

Generic

Servers

Specialised

Thanks Ryan for such great work!

Matt

Test your Collection WQL queries using WBEMTEST and PowerShell

George Smpyrakis — Wed, 20 Aug 2014 11:05:29 GMT

Hi All,

one of the most useful tips I've learnt on the job is to use WBEMTEST on your Primary Site Server to test your Collection WQL queries. This is useful for doing things like testing the time it takes to run that query. This is especially useful when you get collections that take a very long time to run potentially causing backlogs and delays in collections updating. Using these tools can help you quickly test the queries for timing outside of Configuration Manager.

WBEMTEST

Log onto your Site Server or from your tools machine you can connect remotely. Ill show you both methods.

Start up WBEMTEST from a command line

Click Connect

In Namespace type in the following

root\SMS\SITE_XXX

replace XXX with your SiteCode

If your connecting remotely

\\Computername\root\SMS\SITE_XXX

then click Connect

Click the Query button

Enter your WQL query and click Apply

If you have a valid query you should see a result

PowerShell

You could also run a similar query using PowerShell (Thanks to my fellow PFE’s Ryan Hall and Anthony Watherston for this.)

just replace the value in the $WQL variable quotes with your query and of course PRI with your SiteCode.

$WQL = 'select * from SMS_R_SYSTEM'

$WMI = Get-WmiObject -Namespace Root\SMS\Site_PRI -Query $WQL

$WMI

and if I want to measure that command for approximate timing

Measure-Command -Expression {Get-WmiObject -Namespace Root\SMS\Site_PRI -Query 'select * from SMS_R_SYSTEM' }

PowerShell Script to list Software Updates in a Software Update Group

George Smpyrakis — Fri, 08 Aug 2014 07:07:33 GMT

Hi everybody,

In a recent Workshop that I was teaching I got asked how to list all of the security updates in a software update group. So I wrote a quick PowerShell script to do exactly that.

Here is the code I used while on R2 CU1

############################################################################################

$modulelocation = 'F:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\configurationmanager.psd1'
$SUG = 'Security Updates'

Import-Module $modulelocation
CD PRI:

$SoftwareUpdates = (get-cmsoftwareupdategroup | Where {$_.LocalizedDisplayN -eq $SUG}).Updates
Foreach ($SoftwareUpdate in $SoftwareUpdates){
(Get-CMSoftwareUpdate -Id $SoftwareUpdate).LocalizedDisplayName

}

############################################################################################

UPDATE

After going to R2 CU2 The cmdlets changed slightly.

Found a simpler command below

############################################################################################

$modulelocation = 'F:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\configurationmanager.psd1'
$SUG = 'Security Updates'

Import-Module $modulelocation
CD PRI:

(Get-CMSoftwareUpdate -UpdateGroupName $SUG).LocalizedDisplayName

############################################################################################

You will just need to change the two initial variables

$Modulelocation to where your psd1 sits. See Matts blog for details on this.

$SUG to the name of your Software Update Group.

This will simply list all of the updates so you can paste it into any Change Request you need to create for Software Updates.

Hopefully you find this useful but more than that hopefully this gets you started with some PowerShell. A fantastic free course that I always recommend to my students if you not sure where to begin is this MVA course run by Jeffrey Snover and Jason Helmick.

Getting Started with PowerShell 3.0 Jump Start

Feel free to comment with your own useful PowerShell script or even a new improved version of mine below…

ConfigMgrDogs on Twitter

Matt Shadbolt [MSFT] — Fri, 08 Aug 2014 05:14:37 GMT

We’ve finally got an official ConfigMgrDogs Twitter account!

https://twitter.com/ConfigMgrDogs

Please follow us for all blog posts and news from the ConfigMgrDogs team!

Follow @ConfigMgrDogs

Creating Custom RBAC Enabled Reports in ConfigMgr 2012 R2

Ian Bartlett — Mon, 14 Jul 2014 06:28:54 GMT

This post will step you through the process of creating custom reports in ConfigMgr 2012 R2 that will enforce your Role Based Access Control (RBAC) policies. Configuration Manager reports are now fully enabled for role-based administration. The data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view information defined for their roles. TechNet reference

Step 1: Determine the data you wish to report on

Using SQL Management Studio, confirm your SQL query against the new fn_rbac table views passing through the ('disabled') parameter to bypass the requirement of passing through a user SID

NOTE: all fn_rbac_<table> views can be found under "Tabled-valued Functions".

If you query v_<tables> than RBAC is ignored.

Step 2: Create a new custom report in ConfigMgr Management Console UI

Step 3: Editing your custom report will launch SQL Report Builder

Step 4: Design Your Report

Confirm you can see Dataset values and select the type of Report you want to create

Step 5: Design and format your report as required

Step 7: Configure the Dependencies for RBAC

Create a New Dataset

NOTE: If you do not see the REFERENCES option, try and run your report, it will fail however will present the References parameters

ALL DONE..

Step 8: Test your custom report

To test I have granted an admin account "sccm2012r2\Ian" that is limited only to the collection called "Ian's Collection"

Launch the ConfigMgr console using SCCM2012R2\Ian

Application Catalog Failed – “Application installation not started”

Matt Shadbolt [MSFT] — Mon, 07 Jul 2014 22:59:00 GMT

The application could not be installed. The most common reason is that software does not support the version of Windows currently installed on your computer. You can try starting the application installation from the Application Catalog again. If the problem continues, contact your network administrator

In the ConfigMgrSoftwareCatalog.log Silverlight log file (found at "C:\Users\mattsha\AppData\LocalLow\Microsoft\Silverlight\is\j2mecbot.hwg\v2uabsdl.022\1\s\s5i52ebhc445n0s2jyvmx5askg5zbspajpmi3e4bvujwll1luiaaaeda\f\ConfigMgrLogs\ConfigMgrSoftwareCatalog.log"), the following three lines were found.

[1][06/23/2014 17:46:43] :ApplicationDetailViewModel.RequestPolicyAssingmentForInstallCallback-Error:The policy information is empty or an error ocurred!

[1][06/23/2014 17:46:43] :ApplicationDetailViewModel.UpdatePageView:PageViewMode changed to:FastInstallError

[1][06/23/2014 17:46:43] :FastInstallPageView:Create Page View FastInstallError

Also in the ServicePortalWebSite.log (found "F:\Program Files\SMS_CCM\CMApplicationCatalog\Logs\ServicePortalWebSite.log") the following two errors

[28, PID:6060][06/23/2014 17:59:54] :The web method threw a fault exception - System.ServiceModel.FaultException`1[Microsoft.ConfigurationManager.SoftwareCatalog.Service.Faults5000.ServiceError]: Invalid parameter

[28, PID:6060][06/23/2014 17:59:54] :System.ServiceModel.FaultException`1[[Microsoft.ConfigurationManager.SoftwareCatalog.Service.Faults5000.ServiceError, Microsoft.ConfigurationManager.SoftwareCatalog.Website.PortalClasses, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]: Invalid parameter

I spent agestrying to troubleshoot this issue without success, and gave up for a short time while I did other things.

A week later I was testing the Collection Evaluator Viewer program that comes with the R2 toolset and found that it was unable to connect directly to the database with a very similar error

A connection was successfully established with the server, then then an error occurred during the login process. (provider: SSL Provider, error:0 – The certificate chain was issued by an authority that is not trusted)

So now I can kind of tell that the issue is actually with the SQL db side, not necessarily ConfigMgr or the App Catalog site server roles.

Next, I checked to make sure SQL is not forcing an encrypted connection using SQL Service Manager.

All good there, however under the certificate tab I noticed we’ve got a self-signed certificate

And low-and-behold the certificate is having problems

I opened the IIS console to view the self-signed certificate

Exported the certificate

Import it into the Trusted Root Authorities

After the import, I attempted again to connect using the Collection Evaluation Viewer, this time it was successful as SQL now trusts the certificate

Back to the Application Catalog, and everything is now working nicely!

ConfigMgr 2012 Windows Update Client Process

Matt Shadbolt [MSFT] — Mon, 30 Jun 2014 00:13:00 GMT

Hi Gang!

So I provided this information to one of my customers recently, and Georgy said it would be quite helpful for you dedicated ConfigMgrDogs readers too, so here it is.

This is a high-level view of the Windows Update process from a ConfigMgr clients view utilizing a SUP (Software Update Point).

The Software Update process from the ConfigMgr client

Following the flow

After refreshing machine policy, kick off the Software Update Scan. We can then see the Software Update Scan Cycle has started via the WUAHandler.log (C:\Windows\CCM\Logs\WUAHandler.log)

The Windows Update Handler initiates the Windows Update service against the ConfigMgr SUP. (C:\Windows\WindowsUpdate.log)

After the scan is completed, we then run the Software Update Deployment Evaluation Cycle. Use the UpdatesDeployment.log to view this process (C:\Windows\CCM\Logs\UpdatesDeployment.log)

The Content Access Service finds the content on the CMPRI-MATTSLABS Distribution Point and downloads it

Update Deployment attempts to install updates, Service Window Manager blocks the installation (C:\Windows\CCM\Logs\UpdatesDeployment.log)

Service Window Manager blocking the installation (C:\Windows\CCM\Logs\ServiceWindowManager.log)

And when the window opens, the updates should install. Check the UpdatesDeployment.log

Also, the WindowsUpdate.log success

And reboot if required (and scheduled)

Update: An ex-colleague reached out to me to add some extra info around the process for the SCEP update trigger. As my SCEP knowledge isn't the greatest, it's something I'll be sure to remember and very helpful for the community.

The key difference that I can see is that the SCEP definition update initiates from the AntiMalware Policy configuration, not from the EndPoint client settings where I expected to see it, or the from Software Updates Schedule client setting. As opposed of course to Software Update scanning and installation as per your post. Also triggering a manual SCEP definition update is only done from the SCEP client and not the SCCM client actions from what I've seen so far.

Thanks David!

ConfigMgr 2012 Version Numbers

George Smpyrakis — Fri, 11 Apr 2014 00:16:00 GMT

Hi all,

as requested I’ve just listed all the ConfigMgr 2012 Released versions in a table below. We will do our best to keep this up to date as new updates are released. Note that the Client and Console versions will be exactly the same as the Release/Update version.

To see how to view the version see Matt’s earlier blog here. If you want to confirm a CU update see Neil’s blog here.

Release/Update	Version	Build
ConfigMgr 2012 RTM	5.00.7711.0000	7711
ConfigMgr 2012 SP1	5.00.7804.1000	7804
ConfigMgr 2012 SP1 CU1	5.00.7804.1202	7804
ConfigMgr 2012 SP1 CU2	5.00.7804.1300	7804
ConfigMgr 2012 SP1 CU3	5.00.7804.1400	7804
ConfigMgr 2012 SP1 CU4	5.00.7804.1500	7804
ConfigMgr 2012 SP1 CU5	5.00.7804.1600	7804
ConfigMgr 2012 R2	5.00.7958.1000	7958
ConfigMgr 2012 R2 CU1	5.00.7958.1203	7958
ConfigMgr 2012 R2 CU2	5.00.7958.1303	7958
ConfigMgr 2012 R2 CU3	5.00.7958.1401	7958

Orchestrator 2012 Logging and Debug Logging

George Smpyrakis — Mon, 03 Mar 2014 04:50:31 GMT

Hi All,

If you’ve started playing with Orchestrator I have detailed the areas where you can look for issues with your Runbooks and other components.

Runbook Designer

Log Tab

Firstly you can look at the Log tab while you’re Runbook is executing

Log History Tab

Or after it is complete you can check the Log History tab

Double Click on the entry you want to review and then check the status for each Activity.

To control the level of Detail available you need to go to the properties of each individual Runbook and select Store Activity-specific Published Data and or Store Common Published Data. NOTE This is only recommended in Dev and Test not production as these may significantly increase the size of your database (See the following TechNet reference for details. Database Sizing and Performance )

Do not have these turned on in Production unless you are troubleshooting.

Events

We can also get some useful information from the Events tab

Log Files

Another area is the component logs for Debug Logging.

Thankyou to Jeffrey Fanjoy who is a senior support escalation engineer based out of the US for this information.

if you go to the following Registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCenter2012\Orchestrator\TraceLogger

on a box with the Runbook Designer or Runbook Server you will see that for each component there is a LogFolder and LogLevel key. The LogFolder shows you where the actual log sits and the LogLevel is the actual Verbosity level. (NOTE You may need to restart services/ the server before this will take affect.)

Log Level	Detail
1	Errors
3	Errors and warnings
7	Errors, warnings and Information

Just keep in mind that the higher the verbosity the more information that will get put into the log so it should only be used for troubleshooting purposes and should not be left on by default.

I Wrote An App

Matt Shadbolt [MSFT] — Mon, 03 Feb 2014 02:21:39 GMT

Hi Gang.

Over the long weekend last week, I thought I’d have a crack at writing, submitting and publishing a Windows 8 app. It’s a very simple countdown to Windows XP’s End Of Life on April 8th (we are all very excited to see the end of XP).

http://apps.microsoft.com/windows/en-au/app/windows-xp-end-of-life-countdown/08bd1136-13f0-47bb-a574-c8f3626a9227

As I said, it’s very simple but functional, with a countdown screen and live tile that updates daily.

Please download and rate it in the store.

Matt

System Center 2012 R2 Configuration Manager Toolkit

George Smpyrakis — Mon, 23 Dec 2013 05:56:07 GMT

Hi Everyone,

just a very quick note to let you know that the Configuration Manager 2012 R2 Toolkit is available and is definitely worth a look.

some of the new tools include

CEViewer.exe for viewing collection update stats

and

DPJobManager a tool to help you monitor, suspend, cancel package distributions to Distribution Points

download link below

System Center 2012 R2 Configuration Manager Toolkit

Understanding ConfigMgr 2012 APP-V Virtual Environments

Ian Bartlett — Mon, 23 Dec 2013 05:26:15 GMT

ConfigMgr 2012 SP1 introduced APP-V Virtual Environments (VE). APP-V VE’s work differently to APP-V 5.0 Connection Groups in a “Full Infrastructure Model” (ie Publishing Server) so we need to do some application mapping before implementing APP-V Virtual Environments. You can think of ConfigMgr VE’s as a “Rule Set” that the ConfigMgr client evaluates when doing an application evaluation cycle. Once a client evaluates true to a VE “Policy”, the connection group is then created, The deviate in ConfigMgr is that an APP-V application can only be a member of one VE at anyone time. This blog aims to explain the reasons why this is the case and why application mapping is vital if your virtual application catalogue has a large number of applications that are highly dependant on other applications.

Let’s say I have a three Applications I need to configure in a Connection Groups, in Full Infra I could easily create three separate connection groups and use the Priority to determine which VFS wins in a conflict.

Full Infra Example (Firefox , Flash & Reader)

Connection Group 1 = Firefox and Flash, priority = 1

Connection Group 2 = Firefox and Reader, priority = 2

Connection Group 3 = Firefox and Flash and Reader, priority = 3

If I do not set my priorities correctly than as you know we get the following error

However in ConfigMgr we need to use a single Virtual Environment Rule Set per application that we need to manage a Connection group for, and set Logical operators to determine the priorities. By Default the Connection Group priority in a ConfigMgr integrated environment is always set to “4294967294” (ie, the priority in traditional terms is not used in ConfigMgr). This is the underlining reason why a ConfigMgr virtual application can only ever be a member of one VE at any one time. ConfigMgr manages the creation of the Connection Group XML that gets created and processed by the client when the Client meets the rules set defined in the Virtual Environment.

If I tried to setup the ConfigMgr Virtual Environment in the same way as I do in Full Infra, illustration below, This WILL NOT WORK! And we will end up with the same error as above

Misconfigured Example below

As I evaluate to True for both Virtual Environment Rule Set I configure both connection Groups but of course get the same ERROR

To configure this in ConfigMgr I need to use my Logical operators inside the VE to achieve the same result I would get if doing it in a Full Infrastructure environment

Examples:

Client 1: Has Firefox and Reader installed, ie No Flash. This meets the Virtual Environment rule configured so the “Firefox connection Group is created for Firefox and Reader.

Client 2: Has Firefox, Flash and Reader installed. This also meets the Virtual Environment however as I have all three applications, the Flash VFS will take precedence over the Reader VFS as we have set Flash with a high ‘Order” in the Virtual Environment’.

Hope this helps clear up some miss understandings on how APP-V VE’s work in ConfigMgr 2012 SP1 +..

Windows 8 and Windows 8.1 New Group Policy Settings

Matt Shadbolt [MSFT] — Sun, 10 Nov 2013 22:08:00 GMT

Windows 8 RTM

For full details, download the following file

Policy Setting Name

Allow all trusted apps to install

Allow deployment operations in special profiles

Block launching desktop apps associated with a file.

Block launching desktop apps associated with a protocol

Block launching desktop apps associated with a file.

Block launching desktop apps associated with a protocol

Do not display the lock screen

Prevent changing lock screen image

Prevent changing start menu background

Turn on PIN sign-in

Turn off picture password sign-in

Do not display the password reveal button

Device compatibility settings

Driver compatibility settings

Specify the search server for device driver updates

Turn off smart multi-homed name resolution

Turn off smart protocol reordering

Allow NetBT queries for fully qualified domain names

Prefer link local responses over DNS when received over a network with higher precedence

Turn off IDN encoding

IDN mapping

Use solid color for Start background

Turn on misconversion logging for misconversion report

Turn off saving auto-tuning data to file

Turn off history-based predictive input

Turn off Open Extended Dictionary

Turn off Internet search integration

Turn off custom dictionary

Restrict character code range of conversion

Do not include Non-Publishing Standard Glyph in the candidate list

Boot-Start Driver Initialization Policy

Turn off switching between recent apps

Turn off tracking of app usage

Do not allow Windows to activate Enhanced Storage devices

Do not throttle additional data

Send additional data when on battery power

Send data when on connected to a restricted/costed network

Do not throttle additional data

Send additional data when on battery power

Send data when on connected to a restricted/costed network

Windows To Go Default Startup Options

Allow hibernate (S4) when starting from a Windows To Go workspace

Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace

Turn off File History

Configure maximum age of file server shadow copies

Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers.

Enable / disable TXF deprecated features

Enable optimized move of contents in Offline Files cache on Folder Redirection server path change

Redirect folders on primary computers only

Turn off offer text predictions as I type

Turn off insert a space after selecting a text prediction

Turn off autocorrect misspelled words

Turn off highlight misspelled words

Disallow copying of user input methods to the system account for sign-in

Block clean-up of unused language packs

Enable AD/DFS domain controller synchronization during policy refresh

Turn off Group Policy Client Service AOAC optimization

Configure Direct Access connections as a fast network connection

Change Group Policy processing to run asynchronously when a slow network connection is detected.

Configure Group Policy slow link detection

Specify workplace connectivity wait time for policy processing

Enable Hotspot Authentication

Turn off access to the Store

Turn off flip ahead feature

Turn on Enhanced Protected Mode

Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled

Always send Do Not Track header

Turn off encryption support

Show Content Advisor on Internet Options

Go to an intranet site for a one-word entry in the Address bar

Install binaries signed by MD2 and MD4 signing technologies

Prevent managing SmartScreen Filter

Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet

Turn off browser geolocation

Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects

Automatically activate newly installed add-ons

Turn off add-on performance notifications

Turn on ActiveX Filtering

Prevent deleting download history

Prevent deleting ActiveX Filtering and Tracking Protection data

Allow Internet Explorer 8 shutdown behavior

Specify default behavior for a new tab

Notify users if Internet Explorer is not the default web browser

Turn off URL Suggestions

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Allow Internet Explorer to play media files that use alternative codecs

Prevent configuration of top-result search on Address bar

Do not display the reveal password button

Turn off the WebSocket Object

Set the maximum number of WebSocket connections per server

Display tabs on a separate row

Establish InPrivate Filtering threshold

Establish Tracking Protection threshold

Turn off Tracking Protection

Use Policy List of Quirks Mode sites

Turn off ability to pin sites in Internet Explorer on the desktop

Set default storage limits for websites

Allow websites to store indexed databases on client computers

Set indexed database storage limits for individual domains

Set maximum indexed database storage limit for all domains

Allow websites to store application caches on client computers

Set application cache storage limits for individual domains

Set maximum application caches storage limit for all domains

Set application caches expiration time limit for individual domains

Set maximum application cache resource list size

Set maximum application cache individual resource size

Start Internet Explorer with tabs from last browsing session

Open Internet Explorer tiles on the desktop

Set how links are opened in Internet Explorer

Turn off flip ahead feature

Turn on Enhanced Protected Mode

Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled

Always send Do Not Track header

Show Content Advisor on Internet Options

Go to an intranet site for a one-word entry in the Address bar

Install binaries signed by MD2 and MD4 signing technologies

Prevent managing SmartScreen Filter

Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet

Disable Import/Export Settings wizard

Turn off browser geolocation

Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects

Automatically activate newly installed add-ons

Turn off add-on performance notifications

Turn on ActiveX Filtering

Prevent deleting download history

Prevent deleting ActiveX Filtering and Tracking Protection data

Allow Internet Explorer 8 shutdown behavior

Specify default behavior for a new tab

Disable changing secondary home page settings

Turn off URL Suggestions

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Render legacy filters

Enable dragging of content from different domains within a window

Enable dragging of content from different domains across windows

Turn off Print Menu

Allow Internet Explorer to play media files that use alternative codecs

Prevent configuration of search on Address bar

Prevent configuration of top-result search on Address bar

Do not display the reveal password button

Turn off the WebSocket Object

Set the maximum number of WebSocket connections per server

Display tabs on a separate row

Turn on Suggested Sites

Establish InPrivate Filtering threshold

Establish Tracking Protection threshold

Turn off Tracking Protection

Use Policy List of Quirks Mode sites

Turn off ability to pin sites in Internet Explorer on the desktop

Set default storage limits for websites

Allow websites to store indexed databases on client computers

Set indexed database storage limits for individual domains

Set maximum indexed database storage limit for all domains

Allow websites to store application caches on client computers

Set application cache storage limits for individual domains

Set maximum application caches storage limit for all domains

Set application caches expiration time limit for individual domains

Set maximum application cache resource list size

Set maximum application cache individual resource size

Start Internet Explorer with tabs from last browsing session

Open Internet Explorer tiles on the desktop

Set how links are opened in Internet Explorer

Install new versions of Internet Explorer automatically

KDC support for claims, compound authentication and Kerberos armoring

Warning for large Kerberos tickets

Specify KDC proxy servers for Kerberos clients

Disable revocation checking for the SSL certificate of KDC proxy servers

Fail authentication requests when Kerberos armoring is not available

Support compound authentication

Set maximum Kerberos SSPI context token buffer size

Kerberos client support for claims, compound authentication and Kerberos armoring

Hash Version support for BranchCache

Turn off Windows Location Provider

Show first sign-in animation

Do not enumerate connected users on domain-joined computers

Enumerate local users on domain-joined computers

Turn off app notifications on the lock screen

Automatic Maintenance Activation Boundary

Automatic Maintenance Random Delay

Automatic Maintenance WakeUp Policy

Turn off shared components

Prevent embedded UI

Support Email Address

Friendly Name

User Interface

Prefer Local Names Allowed

DirectAccess Passive Mode

Corporate Resources

IPsec Tunnel Endpoints

Custom Commands

Specify passive polling

Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails

Specify address lookup behavior for DC locator ping

Use urgent mode when pinging domain controllers

Internet proxy servers for apps

Intranet proxy servers for apps

Private network ranges for apps

Proxy definitions are authoritative

Subnet definitions are authoritative

Remove "Work offline" command

Enable file synchronization on costed networks

Detect compatibility issues for applications and drivers

Enable Automatic Hosted Cache Discovery by Service Connection Point

Configure Client BranchCache Version Support

Configure Hosted Cache Servers

Set age for segments in the data cache

Turn on Module Logging

Set the default source path for Update-Help

Turn on Module Logging

Set the default source path for Update-Help

Isolate print drivers from applications

Always rasterize content to be printed using a software rasterizer

Do not allow v4 printer drivers to show printer extensions

Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)

Turn off storage and display of search history

Always use automatic language detection when indexing content and properties

Do not sync

Do not sync app settings

Do not sync passwords

Do not sync personalize

Do not sync other Windows settings

Do not sync desktop personalization

Do not sync browser settings

Do not sync on metered connections

File Classification Infrastructure: Display Classification tab in File Explorer

File Classification Infrastructure: Specify classification properties list

Enable access-denied assistance on client for all file types

Clear history of tile notifications on exit

Prevent users from uninstalling applications from Start

Show "Run as different user" command on Start

Do not allow taskbars on more than one display

Set IP Stateless Autoconfiguration Limits State

Specify default connection URL

Limit maximum display resolution

Suspend user sign-in to complete app registration

Configure image quality for RemoteFX Adaptive Graphics

Configure RemoteFX Adaptive Graphics

Allow RDP redirection of other supported RemoteFX USB devices from this computer

Configure RemoteFX

Optimize visual experience when using RemoteFX

Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1

Select network detection on the server

Select RDP transport protocols

Turn Off UDP On Client

Turn off Fair Share CPU Scheduling

Use the hardware default graphics adapter for all Remote Desktop Services sessions

Configure image quality for RemoteFX Adaptive Graphics

Configure RemoteFX Adaptive Graphics

Enable Remote Desktop Protocol 8.0

Select network detection on the server

Select RDP transport protocols

Turn Off UDP On Client

Turn on TPM backup to Active Directory Domain Services

Configure the level of TPM owner authorization information available to the operating system

Standard User Lockout Duration

Standard User Individual Lockout Threshold

Standard User Total Lockout Threshold

User management of sharing user name, account picture, and domain information with apps (not desktop apps)

Download roaming profiles on primary computers only

Set user home folder

Choose drive encryption method and cipher strength

Configure use of passwords for operating system drives

Reset platform validation data after BitLocker recovery

Disallow standard users from changing the PIN or password

Use enhanced Boot Configuration Data validation profile

Enforce drive encryption type on operating system drives

Allow network unlock at startup

Enable use of BitLocker authentication requiring preboot keyboard input on slates

Allow Secure Boot for integrity validation

Enforce drive encryption type on fixed data drives

Enforce drive encryption type on removable data drives

Prohibit connection to non-domain networks when connected to domain authenticated network

Minimize the number of simultaneous connections to the Internet or a Windows Domain

Prohibit connection to roaming Mobile Broadband networks

Disable power management in connected standby mode

Location where all default Library definition files for users/machines reside.

Start File Explorer with ribbon minimized

Location where all default Library definition files for users/machines reside.

Configure Windows SmartScreen

Show lock in the user tile menu

Show sleep in the power options menu

Show hibernate in the power options menu

Do not show the 'new application installed' notification

Start File Explorer with ribbon minimized

Set a default associations configuration file

Allow the use of remote paths in file shortcut icons

Disallow WinRM from storing RunAs credentials

Require use of fast startup

Turn off the Store application

Allow Store to install apps on Windows To Go workspaces

Turn off Automatic Download of updates

Set Cost

Turn off tile notifications

Turn off toast notifications

Turn off toast notifications on the lock screen

Turn off notifications network usage

Set 3G Cost

Set 4G Cost

Windows 8.1

For full details, download the following file

Policy Setting Name

Allow development of Windows Store apps without installing a developer license

Prevent enabling lock screen slide show

Prevent enabling lock screen camera

Force a specific background and accent color

Force a specific Start background

Force a specific default lock screen image

Allow users to select when a password is required when resuming from connected standby

Restrict delegation of credentials to remote servers

Prevent adding

App switching

Charms

WinX

Automatically send memory dumps for OS-generated error reports

Configure Group Policy Caching

Configure Logon Script Delay

Turn off loading websites and content in the background to optimize performance

Turn on the swiping motion on Internet Explorer for the desktop

Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows

Allow Internet Explorer to use the SPDY/3 network protocol

Turn off phone number detection

Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar

Don't run antimalware programs against ActiveX controls

Turn off loading websites and content in the background to optimize performance

Turn on the swiping motion on Internet Explorer for the desktop

Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows

Allow Internet Explorer to use the SPDY/3 network protocol

Turn off phone number detection

Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar

Don't run antimalware programs against ActiveX controls

Prevent deleting ActiveX Filtering

Allow cut

KDC support for claims

Kerberos client support for claims

Automatic Maintenance Random Delay

Use DNS name resolution when a single-label domain name is used

At logoff

Run Windows PowerShell scripts first at computer startup

Run Windows PowerShell scripts first at user logon

Disable indexing of removable drives

Don't search the web or display web results in Search

Don't search the web or display web results in Search over metered connections

Set what information is shared in Search

Set the SafeSearch setting for Search

Do not sync Apps

Do not sync start settings

Pin Apps to Start when installed

Start Screen Layout

Default

Default app

Default search

Sort

Multimon

Pin Apps to Start when installed

Start Screen Layout

Remove and prevent access to the Shut Down

For tablet pen input

For touch input

Include rarely used Chinese

Set remote control session UAC desktop

Use advanced RemoteFX graphics for RemoteApp

Set remote control session UAC desktop

Set remote control permission request timeout

Enable Remote Desktop Protocol 8.0

User management of sharing user name

Choose drive encryption method and cipher strength (Windows Vista

Configure TPM platform validation profile (Windows Vista

Allow antimalware service to startup with normal priority

Turn on virus definitions

Configure local administrator merge behavior for lists

Define addresses to bypass proxy server

Define proxy server for connecting to the network

Randomize scheduled task times

Allow antimalware service to remain running always

Extension Exclusions

Path Exclusions

Process Exclusions

Turn on protocol recognition

Turn on definition retirement

Define the rate of detection events for logging

IP address range Exclusions

Port number Exclusions

Process Exclusions for outbound traffic

Threat ID Exclusions

Specify additional definition sets for network traffic inspection

Configure local setting override for the removal of items from Quarantine folder

Configure removal of items from Quarantine folder

Turn on behavior monitoring

Turn on Information Protection Control

Turn on network protection against exploits of known vulnerabilities

Scan all downloaded files and attachments

Monitor file and program activity on your computer

Turn on raw volume write notifications

Turn on process scanning whenever real-time protection is enabled

Define the maximum size of downloaded files and attachments to be scanned

Configure local setting override for turn on behavior monitoring

Configure local setting override for monitoring file and program activity on your computer

Configure local setting override to turn off Intrusion Prevention System

Configure local setting override for scanning all downloaded files and attachments

Configure local setting override to turn on real-time protection

Configure local setting override for monitoring for incoming and outgoing file activity

Configure monitoring for incoming and outgoing file and program activity

Configure local setting override for the time of day to run a scheduled full scan to complete remediation

Specify the day of the week to run a scheduled full scan to complete remediation

Specify the time of day to run a scheduled full scan to complete remediation

Configure time out for detections requiring additional action

Configure time out for detections in critically failed state

Configure Watson events

Configure time out for detections in non-critical failed state

Configure time out for detections in recently remediated state

Configure Windows software trace preprocessor components

Configure WPP tracing level

Allow users to pause scan

Specify the maximum depth to scan archive files

Specify the maximum size of archive files to be scanned

Specify the maximum percentage of CPU utilization during a scan

Scan archive files

Turn on catch-up full scan

Turn on catch-up quick scan

Turn on e-mail scanning

Turn on heuristics

Scan packed executables

Scan removable drives

Turn on reparse point scanning

Create a system restore point

Run full scan on mapped network drives

Scan network files

Configure local setting override for maximum percentage of CPU utilization

Configure local setting override for the scan type to use for a scheduled scan

Configure local setting override for schedule scan day

Configure local setting override for scheduled quick scan time

Configure local setting override for scheduled scan time

Turn on removal of items from scan history folder

Specify the interval to run quick scans per day

Start the scheduled scan only when computer is on but not in use

Specify the scan type to use for a scheduled scan

Specify the day of the week to run a scheduled scan

Specify the time for a daily quick scan

Specify the time of day to run a scheduled scan

Define the number of days before spyware definitions are considered out of date

Define the number of days before virus definitions are considered out of date

Define file shares for downloading definition updates

Turn on scan after signature update

Allow definition updates when running on battery power

Initiate definition update on startup

Define the order of sources for downloading definition updates

Allow definition updates from Microsoft Update

Allow real-time definition updates based on reports to Microsoft MAPS

Specify the day of the week to check for definition updates

Specify the time to check for definition updates

Allow notifications to disable definitions based reports to Microsoft MAPS

Define the number of days after which a catch-up definition update is required

Specify the interval to check for definition updates

Check for the latest virus and spyware definitions on startup

Configure local setting override for reporting to Microsoft MAPS

Specify threats upon which default action should not be taken when detected

Specify threat alert levels at which default action should not be taken when detected

Display notifications to clients when they need to perform actions

Display additional text to clients when they need to perform an action

Always automatically restart at the scheduled time

Specify Work Folders settings

Turn off tile notifications

Turn off toast notifications

Turn off toast notifications on the lock screen

Turn off notifications network usage

Turn off Quiet Hours

Set the time Quiet Hours begins each day

Set the time Quiet Hours ends each day

Turn off calls during Quiet Hours

Set 3G Cost

Set 4G Cost