On Twitter I asked the following to David James (Director of Engineering, ConfigMgr, Microsoft) and Johan Arwidmark (CTO @ TrueSec):
With Windows 10 1607, Microsoft introduced Dual Scan functionality, which allows the computer to connect with Microsoft Updates besides using WSUS or SCCM. Steve Henry from Microsoft: “It is for the enterprise that wants WU to be its primary update source while Windows Server Update Services (WSUS) provides all other content.” I’ve seen various blog posts not covering all the steps I had to take to ensure Windows only looks to SCCM/WSUS. Especially covering Windows 10 deployments with System Center – Configuration Manager.
So you are signing your PowerShell scripts as a Best Practice from Microsoft. Good job! You’ve configured the PowerShell Execution Policy as AllSigned and you’ve created an application in SCCM where you run the signed script as:
PowerShell.exe -File .\Script.ps1
The application installs just fine on your machine from the Software Center. During the Task Sequence, however, the application cannot be installed, and in the Event Viewer you'll find the following error message:
PowerShell.exe: File <Filename> cannot be loaded because running scripts is disabled on this system. For more information, see about_execution_policies at…
You open up PowerShell to see the current ExecutionPolicy. “Get-ExecutionPolicy -List” shows that all scopes have an undefined execution policy. With “Get-Help about_Execution_Policies” you find out that an Undefined policy is equivalent to Restricted, which “Permits individual commands, but will not run scripts”.
Go back to your application in SCCM and make sure you set the ExecutionPolicy to AllSigned so it will work both during a Task Sequence and while working in OS.
PowerShell.exe -ExecutionPolicy AllSigned -File .\Script.ps1
Recently I was trying to apply a lock screen image with a GPO. I distributed the image to the C:\Windows\Web\Wallpaper directory and configured the Windows 10 GPO to that location. After running the Windows 10 Task Sequence successfully, the default lock screen image came up instead. I was using a large image from the client so that it would still look good on bigger screens. I found out that after resizing the image to 1080p, it was applied successfully after locking the machine. Looks like a strange bug if you ask me.
Multicast during an SCCM 2012 R2 SP1 (1511 release) Task Sequence fails with error “Failed to get MCS key (Code 0x80004005)”. This error is found in the smsts.log log file on the (Windows 10 Enterprise x64 1511) client machine.
If you see the following error in your IIS logs (C:\inetpub\logs\LogFiles\W3SVC1), it's possible that the CRL of your Certificate Authority isn't reachable or valid anymore (the sc-win32-status value 2148081683 in the line is 0x80092013, CRYPT_E_REVOCATION_OFFLINE, meaning the revocation server could not be reached):
<IP Address> GET /SMS_MP/.sms_aut MPLIST 443 - <IP Address> SMS_MP_CONTROL_MANAGER - 403 13 2148081683 5701 18
Export a certificate from your personal certificate store (for example, an SCCM client certificate) to your C: drive. Open a command prompt with elevated rights and type:
certutil -url "C:\Certificate.cer"
Check whether the CRL can be verified. Open the CRL manually and check that the base and delta CRLs aren't expired. In this case, the AD CS service wasn't started and the delta CRLs were not up-to-date. The service may have crashed at startup because its startup type was set to “Automatic”.
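Scripting the CRL check above (fetch the base CRL from the certificate's CRL Distribution Points, then the delta CRL it advertises, and report reachability and NextUpdate), as an added example that is not part of the original post; it assumes certutil.exe is present and that the distribution points are HTTP(S) URLs.

```powershell
# Added example, not from the original post: script the base/delta CRL check.
# Assumptions: certutil.exe is available (ships with Windows) and the CDP URLs are HTTP(S).
param([Parameter(Mandatory)][string]$CertificatePath)   # e.g. the exported C:\Certificate.cer

function Get-UrlsFromText {
    # certutil and X509Extension.Format() render CDP / Freshest CRL entries as "URL=http://..."
    param([string]$Text)
    [regex]::Matches($Text, 'URL=(https?://\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl {
    param([string]$Url, [string]$Type)
    $tmp = Join-Path $env:TEMP ("crlcheck_" + [guid]::NewGuid().ToString() + ".crl")
    try {
        # Reachability: this is what fails when the CDP web server or its virtual directory is down
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec 15
    } catch {
        return [pscustomobject]@{ Type = $Type; Url = $Url; Reachable = $false; NextUpdate = $null; Expired = $null; Dump = '' }
    }
    # Validity: certutil -dump prints ThisUpdate/NextUpdate lines (formatted in the current locale)
    $dump = (& certutil.exe -dump $tmp 2>&1) | Out-String
    Remove-Item $tmp -ErrorAction SilentlyContinue
    $m = [regex]::Match($dump, 'NextUpdate:\s*(.+)')
    $next = if ($m.Success) { [datetime]::Parse($m.Groups[1].Value.Trim()) } else { $null }
    [pscustomobject]@{
        Type = $Type; Url = $Url; Reachable = $true; NextUpdate = $next
        Expired = if ($null -ne $next) { $next -lt (Get-Date) } else { $null }
        Dump = $dump
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath
# OID 2.5.29.31 is the CRL Distribution Points extension; it carries the base CRL URLs
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "No CRL Distribution Points extension in $CertificatePath" }

$results = foreach ($baseUrl in Get-UrlsFromText $cdp.Format($true)) {
    $base = Test-CrlUrl -Url $baseUrl -Type 'Base'
    $base
    # A base CRL that has a delta advertises it in the Freshest CRL extension (OID 2.5.29.46)
    $i = $base.Dump.IndexOf('Freshest CRL')
    if ($i -ge 0) {
        $deltaUrl = Get-UrlsFromText $base.Dump.Substring($i) | Select-Object -First 1
        if ($deltaUrl) { Test-CrlUrl -Url $deltaUrl -Type 'Delta' }
    }
}
$results | Select-Object Type, Url, Reachable, NextUpdate, Expired | Format-Table -AutoSize
```

A row with Reachable = False points at the CDP web server (or the URL in the extension), while Reachable = True with Expired = True points at the CA not publishing, which is the AD CS service problem described above.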
Because I wanted to configure Device Guard on Windows 10, I needed the Hyper-V hypervisor to be enabled. I tried to do this with DISM and an answer file, but it isn't possible to enable Hyper-V during the Task Sequence deployment because Hyper-V requires a couple of reboots.
Create a new “Set Task Sequence Variable” step in your Task Sequence. This will run the PowerShell command after the Task Sequence ends. I placed this step before the Driver Package is applied, but it should be possible to place it anywhere you like.
Task Sequence Variable: SMSTSPostAction
Value: powershell -ExecutionPolicy ByPass -Command "Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor -All -NoRestart;Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Tools-All,Microsoft-Hyper-V-Services -NoRestart"
This will do the following:
- Enable all the Hyper-V Features after the deployment
- Remove the Hyper-V Tools and Services (Management Tools) afterwards. I found out that this is the best way to only add the Hyper-V Hypervisor.
You still need to reboot the system a few times to finish enabling this feature. Because I enabled a BitLocker PIN, I can't reboot the machine unattended, since it will ask for the PIN on each of those reboots.