
MMS 2015 unplugged: Unable to publish application globally if targeted user-based within Configmgr workaround

2:55 pm in App-V, App-V 5.0, Application Model, applications, AppV, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 R2 SP1, ConfigMgr 2012 SP1, ConfigMgr SP2, ConfigMgr, sccm, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SCCM 2012 SP1, SCCM v.Next by Kenny Buntinx [MVP]


If you attended our MMS 2015 session "App-V standalone compared to CM12 Integrated: The Good, The Bad and The Ugly", we showed you that some things cannot be done in ConfigMgr by default.

We showed a strong business case around the Application model in CM12 SP1 and using App-V 5.0 to do user-based software targeting. As most people doing App-V integration in Configuration Manager explore the possibilities, they run into some challenges that I believe are critical and need to be solved in a certain way. What the correct way is, I leave up to the smart engineering guys in Redmond.

One of the great promises of application virtualization is dynamic delivery of software to end-users; however, delivering plug-ins or add-ons to installed (i.e. not virtualized) software has thus far been a stumbling block. Internet Explorer has been particularly challenging due to the inability to separate the browser from the OS in a supported manner. So using App-V to deploy plug-ins like Flash or Java has meant changing the user experience with virtualization or falling back to standard install methods. Since App-V 5.0 SP2 there is very good news, though: an installed application can seamlessly run inside a specified virtual environment. This means that the Flash plug-in can be delivered as a virtual package and made available to Internet Explorer without resorting to hacks or changing the user experience by providing a special shortcut.

The only requirement for specific Virtual Extensions (like the Flash add-in) is that the package needs to be published globally. However, that does not work well when you deploy all your virtualized apps to users with System Center Configuration Manager and App-V 5.x. The table below will explain in what cases you will have to use Global publishing.


We can overcome that hurdle with a workaround that we are not going to explain in full detail, as every customer has specific needs. See the steps below as a guide to thinking outside the box.

Workaround:

1. We are going to create a scheduled task that triggers on event ID 1003 from the event log "Microsoft-AppV-Client/Operational".

The script to create the scheduled task:

    param(
        [Parameter(ParameterSetName='Register')]
        [switch]$Register,
        [Parameter(ParameterSetName='UnRegister')]
        [switch]$UnRegister
    )

    switch ($PsCmdlet.ParameterSetName) {
        "Register" {
            $Xml = Get-Content (Join-Path $PSScriptRoot "ScheduledTaskTemplate_Publish.xml")
            $hReplace = @{
                _Date_             = (Get-Date -Format s)
                _Author_           = "Publish_User2Global_1.0_EN"
                _WorkingDirectory_ = $PSScriptRoot
            }
            foreach ($key in $hReplace.Keys) {
                $Xml = $Xml -creplace $key, $hReplace.$key
            }
            Register-ScheduledTask -Xml ($Xml | Out-String) -TaskName "1_user_Publish_User2Global" -TaskPath "Microsoft\AppV\Publishing" -Force | Out-Null

            $Xml = Get-Content (Join-Path $PSScriptRoot "ScheduledTaskTemplate_UnPublish.xml")
            $hReplace = @{
                _Date_             = (Get-Date -Format s)
                _Author_           = "UnPublish_User2Global_1.0_EN"
                _WorkingDirectory_ = $PSScriptRoot
            }
            foreach ($key in $hReplace.Keys) {
                $Xml = $Xml -creplace $key, $hReplace.$key
            }
            #Register-ScheduledTask -Xml ($Xml | Out-String) -TaskName "1_user_UnPublish_User2Global" -TaskPath "Microsoft\AppV\Publishing" -Force | Out-Null
        }
        "UnRegister" {
            Get-ScheduledTask -TaskPath "\Microsoft\AppV\Publishing\" -TaskName "1_user_Publish_User2Global" | Unregister-ScheduledTask -Confirm:$False | Out-Null
            #Get-ScheduledTask -TaskPath "\Microsoft\AppV\Publishing\" -TaskName "1_user_UnPublish_User2Global" | Unregister-ScheduledTask -Confirm:$False | Out-Null
        }
    }

The script is based on the following templates :

    <?xml version="1.0" encoding="UTF-16"?>
    <!-- The xmlns value was empty on the page; the standard Task Scheduler schema namespace is restored here. -->
    <Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo>
        <Date>_Date_</Date>
        <Author>_Author_</Author>
        <URI>\Microsoft\AppV\Publishing\1_user_Publish_User2Global</URI>
      </RegistrationInfo>
      <Triggers>
        <EventTrigger>
          <Enabled>true</Enabled>
          <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-AppV-Client/Operational"&gt;&lt;Select Path="Microsoft-AppV-Client/Operational"&gt;*[System[Provider[@Name='Microsoft-AppV-Client'] and EventID=1003]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
          <ValueQueries>
            <Value name="ThePackageId">Event/EventData/Data[@Name='Package']</Value>
            <Value name="TheVersionId">Event/EventData/Data[@Name='Version']</Value>
            <Value name="UserSid">Event/System/Security/@UserID</Value>
          </ValueQueries>
        </EventTrigger>
      </Triggers>
      <Principals>
        <Principal id="Author">
          <GroupId>S-1-5-18</GroupId>
          <RunLevel>LeastPrivilege</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
        <AllowHardTerminate>true</AllowHardTerminate>
        <StartWhenAvailable>false</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <StopOnIdleEnd>true</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>false</AllowStartOnDemand>
        <Enabled>true</Enabled>
        <Hidden>true</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
        <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
        <Priority>7</Priority>
        <RestartOnFailure>
          <Interval>PT1M</Interval>
          <Count>3</Count>
        </RestartOnFailure>
      </Settings>
      <Actions Context="Author">
        <Exec>
          <Command>powershell.exe</Command>
          <Arguments>-NonInteractive -ExecutionPolicy RemoteSigned -WindowStyle Hidden -File User2Global.ps1 -Publish -PackageId $(ThePackageId) -VersionId $(TheVersionId) -UserSid $(UserSid)</Arguments>
          <WorkingDirectory>_WorkingDirectory_</WorkingDirectory>
        </Exec>
      </Actions>
    </Task>

2. When the scheduled task is triggered by event ID 1003 from the event log "Microsoft-AppV-Client/Operational", it kicks off the following PowerShell script (see below). The script unpublishes the package from the user and publishes it globally instead.

    param(
        [Parameter(ParameterSetName='Publish')]
        [switch]$Publish,
        [Parameter(ParameterSetName='UnPublish')]
        [switch]$UnPublish,
        [guid]$PackageId,
        [guid]$VersionId,
        [string]$UserSid
    )

    Function New-BurntToastNotification {
        <# This function will show a BurntToast notification #>
        [CmdletBinding(SupportsShouldProcess = $True)]
        Param (
            [Parameter(Mandatory=$True)] $Text,
            [Parameter(Mandatory=$True)] $Title
        )

        # create toast template as XML
        [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] > $null
        # GetXml() returns a string; cast it to [xml] so the DOM calls below work
        [xml]$toastXml = ([Windows.UI.Notifications.ToastNotificationManager]::GetTemplateContent([Windows.UI.Notifications.ToastTemplateType]::ToastImageAndText02)).GetXml()

        # message to show on toast
        $stringElements = $toastXml.GetElementsByTagName("text") | select -First 1
        $stringElements.AppendChild($toastXml.CreateTextNode($Title)) > $null
        $stringElements = $toastXml.GetElementsByTagName("text") | select -Last 1
        $stringElements.AppendChild($toastXml.CreateTextNode($Text)) > $null

        # image
        $imageElements = $toastXml.GetElementsByTagName("image")
        $imageElements[0].src = "file:///" + "$PSScriptRoot\appv.png"

        # convert from System.Xml.XmlDocument to Windows.Data.Xml.Dom.XmlDocument
        $windowsXml = New-Object Windows.Data.Xml.Dom.XmlDocument
        $windowsXml.LoadXml($toastXml.OuterXml)

        # send toast notification
        $toast = New-Object Windows.UI.Notifications.ToastNotification ($windowsXml)
        [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier("App-V").Show($toast)
    }

    Import-Module "$env:ProgramFiles\Microsoft Application Virtualization\Client\AppvClient\AppvClient.psd1"
    $package = Get-AppVClientPackage -PackageId $PackageId -VersionId $VersionId -All

    # NOTE: the expressions inside "$( )" in the notification texts were lost from the page.
    # $package.Name and $_.Exception.Message below are assumed stand-ins.
    switch ($PsCmdlet.ParameterSetName) {
        "Publish" {
            try {
                # remove the per-user publication, then publish for the whole machine
                Unpublish-AppvClientPackage $package -UserSID $UserSid
                if (! $package.IsPublishedGlobally) {
                    Publish-AppVClientPackage $package -Global
                    New-BurntToastNotification -Text "$($package.Name)`nSuccessfully Published Globally." -Title "App-V User2Global"
                }
            }
            catch {
                New-BurntToastNotification -Text "Something went wrong while Publishing: `n$($_.Exception.Message)" -Title "App-V User2Global"
            }
        }
        "UnPublish" {
            try {
                if (($package = Get-AppVClientPackage -PackageId $PackageId -VersionId $VersionId -All).IsPublishedGlobally) {
                    $package | stop-AppVClientPackage -Global -ErrorAction SilentlyContinue | Unpublish-AppvClientPackage -Global
                    New-BurntToastNotification -Text "$($package.Name)`nSuccessfully UnPublished Globally." -Title "App-V User2Global"
                }
            }
            catch {
                New-BurntToastNotification -Text "Something went wrong while unpublishing: `n$($_.Exception.Message)" -Title "App-V User2Global"
            }
        }
    }

You can choose how to deploy the script. You can create an App-V bubble or simply deploy this with Configmgr or GPO ….
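The task template above runs User2Global.ps1 under S-1-5-18 (Local System) from _WorkingDirectory_, so wherever you deploy the files, only administrators should be able to change them. The following check is an added example, not part of the original scripts; the function name, the folder path (a placeholder) and the list of trusted SIDs are assumptions to adapt.

```powershell
# Added example; not part of the original scripts.
# Assumption: this placeholder is the folder where User2Global.ps1 and the
# task templates were deployed. Replace it with your own path.
$ScriptFolder = 'C:\Path\To\User2Global'

function Get-UntrustedWriteAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # SIDs that may legitimately modify code executed by a SYSTEM task.
        [string[]]$TrustedSid = @(
            'S-1-5-18',      # Local System
            'S-1-5-32-544',  # BUILTIN\Administrators
            'S-1-3-0',       # CREATOR OWNER (only matters to whoever may already create files)
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
        )
    )

    # Rights that let a principal replace, add, delete or re-permission a file.
    $named = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Inherit-only ACEs can carry raw GENERIC_WRITE / GENERIC_ALL bits instead of named rights.
    $mask = [int]$named -bor 0x40000000 -bor 0x10000000

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Path -Force) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName

        # An untrusted owner can rewrite the DACL at will.
        $ownerSid = $acl.GetOwner($sidType).Value
        if ($TrustedSid -notcontains $ownerSid) {
            [pscustomobject]@{ Path = $item.FullName; Sid = $ownerSid; Rights = 'Owner'; Inherited = $false }
        }

        # Request rules as SIDs so the check does not depend on localized account names.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (([int]$rule.FileSystemRights -band $mask) -eq 0) { continue }
            if ($TrustedSid -contains $rule.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = @(Get-UntrustedWriteAccess -Path $ScriptFolder)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning "Non-administrative principals can modify files that the SYSTEM task executes."
} else {
    Write-Output "Only trusted principals can modify $ScriptFolder."
}
```

Run it from an elevated prompt after deployment, and again whenever the deployment method (App-V bubble, ConfigMgr package or GPO) changes where the files land.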

Disclaimer: The scripts are delivered as-is and are not the complete solution to this story. They are an example of how to think outside the box and build a potential solution that fits your specific company issue.

Hope it Helps ,

Kenny Buntinx & Roy Essers .

Configmgr 2012 : Broken Applications in your task sequences after an upgrade (error 615)

1:08 pm in 615, Application Model, applications, CM12, CM12 R2, CM12 R2 SP1, CM12 SP1, CM12 SP2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 R2 SP1, ConfigMgr 2012 SP1, ConfigMgr SP2, coretech, err, error 615, OSD, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SCCM 2012 SP1, troubleshooting, xmasblogroll by Kenny Buntinx [MVP]


Scenario: Upgrading a ConfigMgr 2012 RTM/SP1/R2 environment to a new R2 SP1 environment can leave you with broken applications in your task sequences, with error 615 in the status messages.

Issue: After the upgrade was successfully performed, suddenly all applications within my OSD task sequence started failing with the following error code:

The task sequence failed to install application Intel Management Engine for action (Install HW Driver Applications for HP8540P) in the group () with exit code 615. The operating system reported error 615: The password provided is too short to meet the policy of your user account. Please choose a longer password.


To be honest with my blog readers, this particular message can be caused by multiple reasons. I will list all possible solutions / workarounds that I have come across to solve this issue.

Cause 1 – Applications have no ContentID associated:

I blogged about this beginning of 2013 at

After some checks, I saw that it concerned only applications, and I discovered that they had no ContentID associated with each Deployment Type. In other words, it concerned all the applications that were created and embedded in a TS with no direct deployments attached to the application. It appears that the upgrade process broke all applications.

You can confirm this with the Application Catalog downloads as well. You will see “+++ Did not detect app deployment type”… in the AppDiscovery.log file. Additionally, the Software Center will show the error message “Failed”. Clicking on the details will result in “The software change returned error code 0x87D00607(-2016410105).”

As a workaround, we found that you simply have to add a comment to each DT, which updates the content ID. Nevertheless, the change means a redistribution of your application to all your DPs.

Following the steps as further discussed in this blog post at, the application will successfully install afterwards.

Cause 2 – Corrupt task sequence:

In some cases the policy that is related to the task sequence becomes corrupted. This can easily be solved by creating a brand new task sequence and copying the steps from the old one side by side. Delete the old task sequence and create a new deployment for the newly created task sequence.

Cause 3 – SMSMP parameter set incorrect:

I also had problems after upgrading to SCCM R2 SP1. I was not able to install any applications as part of a task sequence, as they all failed with error 615 or error 0x80004005. Installing applications outside of a task sequence did work normally. The status message reported was exactly the same as described above: "615 Password too short".

After investigating the client-side log files, it turned out that the SCCM client was trying to download the application package using HTTPS first and, after a few retries, would switch to HTTP only.

My DP is configured to accept both HTTP and HTTPS, as is the default behavior. I fixed the problem by changing the value of the SMSMP parameter in the task sequence step "Setup Windows and Configuration Manager" from


to this:


After this change, application installation worked as expected again.


Cause 4 – FIPS has been enabled :

Enabling FIPS mode makes Windows and its subsystems use only FIPS-validated cryptographic algorithms. An example is Schannel, which is the system component that provides SSL and TLS to applications. When FIPS mode is enabled, Schannel disallows SSL 2.0 and 3.0, protocols that fall short of the FIPS standards. Applications such as web browsers that use Schannel then cannot connect to HTTPS web sites that don’t use at least TLS 1.0. (Note that the same results can be achieved without FIPS mode by configuring Schannel according to KB 245030 and this blog post.)

Enabling FIPS mode also causes the .NET Framework to disallow the use of non-validated algorithms.

Microsoft advises not to use FIPS anymore, as shown in the screenshot below:


In our case this solved the issue with the error 615. Probably it was a combination of things, but this is certainly something to disable and try.

Cause 5 – Use the latest CU2 on CM12 R2 SP1 :

Always make sure to use the latest CUs, as they include important fixes. You can download CU2 over here:

The two most important fixes in CU2 for R2 SP1 that may help to avoid error 615 are:

– Applications will not install when you use them with a dynamic variable list in a task sequence if no SMB package share was defined for the content. This affects only installations that use a dynamic variable list. Other installation methods are unaffected.

No Http location found
Failed to download content for SMS package PRI00080, hr=0x80004005
Install Dynamic software action failed to resolve content for packageID: ‘PRI00080′, programID: ‘TestApp’. Error Code 0x80004005

– In a Configuration Manager environment in which multiple certificates are deployed to client computers, the client may select the wrong certificate for use in management point communication. This occurs when one certificate is based on a version 2 template and one is based on version 3. The client will select the certificate that has the longest validity period. This may be the version 3 certificate, and this certificate may not be currently supported by Configuration Manager. Errors that resemble the following are recorded in the ClientIDManagerStartup.log file.

[RegTask] – Executing registration task synchronously.
RegTask: Failed to create registration request body. Error: 0x80090014
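To see which certificates on a client compete for management point communication, the following added example (not from the original post or from Configuration Manager) lists the machine certificates with a private key and the Client Authentication EKU, longest validity first, together with the template extension each one carries. The function name is hypothetical, and reading "longest validity period" as the NotBefore-to-NotAfter span is an assumption.

```powershell
# Added example; not from the original post.
# Assumption: "longest validity period" means the largest NotAfter - NotBefore span.
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name extension

function Get-ClientAuthCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $candidates = foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }

        # Keep only certificates whose EKU extension lists Client Authentication.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        } | Select-Object -First 1
        if (-not $eku) { continue }
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($ekuOids -notcontains $ClientAuthOid) { continue }

        # Decode whichever template extension the issuing CA put into the certificate,
        # so you can look the template up on the CA and check its version.
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq $TemplateInfoOid -or $_.Oid.Value -eq $TemplateNameOid } |
            Select-Object -First 1
        $templateText = if ($template) { $template.Format($false) } else { '(no template extension)' }

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotBefore    = $cert.NotBefore
            NotAfter     = $cert.NotAfter
            ValidityDays = [int][math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)
            Template     = $templateText
        }
    }

    # First row = the certificate with the longest validity period.
    $candidates | Sort-Object -Property ValidityDays -Descending
}

Get-ClientAuthCertificate | Format-List
```

If more than one row comes back and the first one is issued from a template the site does not support, that client is a candidate for the registration failure shown in the log lines above.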


Hope it Helps ,

Kenny Buntinx

MVP Enterprise Mobility

Detect, Inventory and report about the encryption method used by Bitlocker thru ConfigMgr

6:54 pm in bitlocker, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 R2 SP1, ConfigMgr 2012 SP1, ConfigMgr Dashboards, ConfigMgr SP2, Encryption, Inventory, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 R2 SP1, SCCM 2012 SP1, SCCM Dashboards, sccm RTM, SCCM v.Next, sccm2007 by Kenny Buntinx [MVP]


Recently at a client, we needed to provide a report listing which BitLocker encryption strength method was used. That information had to be fed into the CMDB to make sure we had '256AES with Diffuser' enabled.

Unfortunately, ConfigMgr 2012 does not deliver an out-of-the-box way to determine which BitLocker encryption strength method is used, and that means the information is not in the registry or WMI.

Dependencies :

Well, I tried to find an easy way, and the customer required a solution that was:

– Flexible and dynamic, as they were constantly migrating from McAfee Disk Encryption to BitLocker and the CMDB had to be dynamically updated.

– Centrally managed code, meaning that if we needed to change anything in the code, it had to be intelligent enough to update itself automatically on all clients.

– Reliable.

The solution:

– Use a detection PowerShell script for the BitLocker encryption strength, built on the standard 'manage-bde' command-line tool.

– The script was to be used with a "Compliance Item" and deployed through a "Baseline", as one of my colleagues, Henrik Hoe, explains here. By using a CI, you meet the centrally managed code requirement, and the detection logic is also updated automatically on all clients.

Forget about the old package/program approach plus a way to execute the script on a regular basis (that can all be done through the Baseline deployment).

– The script will be executed and will write a registry value BitlockerEncryptionStrenght = "TheActualValue", and the baseline will report compliant when it detects '256AES with Diffuser'. When the machine is not BitLocker-encrypted at all, we will write the value BitlockerEncryptionStrenght = "None".

    $ErrorActionPreference = "SilentlyContinue"
    $StrBEncryption = ""
    $objBEncryption = ""

    # Pick the "Encryption Method" line out of the manage-bde status output
    $objBEncryption = manage-bde.exe -status | Where-Object { $_ -like "*encryption method*" }
    # Line looks like "Encryption Method: <value>"; keep the part after the colon
    $arrBEncryption = $objBEncryption.Split(":")
    $StrBEncryption = $arrBEncryption[1].Trim()

    If ($StrBEncryption.Contains("AES")) {
        # Record the detected method for hardware inventory
        New-ItemProperty -Path HKLM:\SYSTEM\ABPosdInstall -Name BitlockerEncryptionStrenght -Value $StrBEncryption -PropertyType String -Force -ErrorAction SilentlyContinue | Out-Null
        if ($StrBEncryption -eq "AES 256 with Diffuser") {
            return 1
        }
    }
    Else {
        # No AES method reported: the volume is not protected by BitLocker
        New-ItemProperty -Path HKLM:\SYSTEM\ABPosdInstall -Name BitlockerEncryptionStrenght -Value "None" -PropertyType String -Force -ErrorAction SilentlyContinue | Out-Null
        Return 0
    }

– We will pick the value up later with a custom registry key hardware inventory extension and use that in our reporting later on. For more details on how to do it :

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Configuration Manager 2012 OSD : Only import the Intel chipset drivers you really need for your brand/model !

6:31 pm in ConfigMgr 2007 R2, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, ConfigMgr SP2, configmgr2007, Deployment, Drivers, Operating System Deployment, OSD, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, sccm RTM, sccm2007 by Kenny Buntinx [MVP]


Yesterday I wrote a blog post about the reasons to keep your "Driver DB" and "driver packages" as clean as possible, and why you do not need to import all the junk provided in those so-called "enterprise driver packages" for multiple models.

As a first tip to help you accomplish that, this blog post shows how to limit the number of *.inf files you need to import from the Intel(R) Chipset Device Software. When you download and extract the Intel(R) Chipset Device Software package, you will see that originally there are about 98 inf files present:


Now reduce the number of INF files:

Two override command switches for setup.exe from the Intel(R) Chipset Device Software help us reduce the *.inf files we need to import into our "Driver Package":

-AONLY Extracts the needed INF files to install on the current system. If the install has been run once successfully, ‘-AONLY’ will not return any INFs. When used in conjunction with the ‘-OVERALL’ switch, all the needed INFs for the system will be extracted.

-P <Installation Path> Specifies the hard disk location to which the INF program files are copied. If this flag is not specified at the command line, the <Installation Path> directory is as follows: C:\Program Files\Intel\INFInst.

If this flag is used without the ‘-A’ option, only the Readme will be copied to <Installation Path>. The directory name can include spaces, but then a pair of double quotes (") must enclose the directory name. There should not be any space between the switch ‘-p’ and the directory name. This flag works in either Silent Mode or Interactive Mode.

Let's execute it on the local brand/model that contains an Intel chipset:

The result of running the setup with those parameters:

After running the tool on your local brand/model, you will see that the number of *.inf files is reduced to five (5) items! Isn't that great? Now copy those drivers into your regular driver import process, and you have reduced the bloat in your ConfigMgr driver database by at least 80%!




Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

How to Install Windows 7 Language packs online during OSD Task Sequence (or in your Hybrid base image)

7:27 am in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, ConfigMgr 2012 SP1, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, language Packs, MUI, OSD, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, SCCM 2012 SP1, sccm2007, Task Sequence, Windows 7, Windows 7 SP1, Windows7 by Kenny Buntinx [MVP]


Windows 7 language pack setup, lpksetup, includes parameters to support a managed installation. I successfully tested the following from the command prompt:

lpksetup.exe /i nl-NL /p . /r /s

I created and advertised a program with this command line, but it quickly failed on Windows 7 x64.


The test system returned an error status message, ID 10003: “An error occurred while preparing to run the program for advertisement….  The operating system reported error 2147942402: The system cannot find the file specified.”

Execmgr.log contained the following:

File C:\Windows\SysWOW64\CCM\Cache\…\lpksetup.exe is not a valid executable file
Invalid executable file lpksetup.exe

It turns out that lpksetup.exe on Windows 7 64-bit is a 64-bit-only executable. With WOW64 file redirection in a 32-bit process, C:\Windows\System32 redirects to C:\Windows\SysWOW64, which does not contain lpksetup.exe. So I altered the ConfigMgr program command line to:

%WinDir%\SysNative\lpksetup.exe /i nl-NL /p . /r /s


Using the SysNative alias allowed the language pack to be successfully installed on Windows 7 64-bit from a ConfigMgr advertised program or Task Sequence.

The language packs are installed successfully, as I can choose the installed languages after the installation.

I got this valuable information from Aaron Czechowski at

Hope it Helps ,

Kenny Buntinx

Configmgr 2007 / 2012 : Using AfterBackup.bat to Daily Archive a Backup Snapshot

8:23 am in backup, ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, ConfigMgr 2012 SP1, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, SCCM 2012 SP1, sccm2007 by Kenny Buntinx [MVP]


To ensure that a recent backup snapshot is always available, it is recommended that you archive the backup snapshot every time the SMS backup task completes a backup cycle. By default, the standard backup task overwrites the previously created backup.

To accomplish that, you can use the AfterBackup.bat file to run a third-party tool (7Zip) that automatically archives the backup snapshot every time you back up your site. After successfully backing up the site, the SMS backup task runs the AfterBackup.bat batch file. The AfterBackup.bat file integrates the archive and the backup operations, thus ensuring that every new backup snapshot is archived.

All this script does is move the backup folder to a folder named after the day of the week. If the destination already exists, it is deleted first. This results in 7 days of backups or more.

To use the AfterBackup.bat file

  1. Prepare an ASCII file with commands that archive your backup snapshot, or that perform any other post-backup tasks your site requires.
  2. Name the file "AfterBackup.bat" and save it in the SMS\inboxes\ folder. Now, every time the backup task runs successfully, it will run the AfterBackup.bat file.
  3. Every time after the AfterBackup.bat file archives the site’s backup snapshot, store that archive in a secure location.

Here is an AfterBackup.bat file that will make a daily archive of the ConfigMgr backup, so that you have a full week of backups.

  1. Place the file in the following location:


  2. Make sure you copy the 7zip command-line executable into the root of the directory. When the backup runs daily, you should see this.



Hope it Helps ,

Kenny Buntinx

Configmgr 2012 : How to create custom boot images that will support #VMware’s native VMXnet3 NIC

8:46 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2012, ConfigMgr 2012 SP1, ConfigMgr SP2, configmgr2007, ConfigMgr2007 R3, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, SCCM 2012 SP1, sccm2007, Vmware by Kenny Buntinx [MVP]


Though VMware Tools does not support the WAIK or ADK's WinPE 3.1 environment, you can take advantage of specific VMware Tools drivers, such as vmxnet3 and pvscsi, by creating a customized ConfigMgr 2007/2012 boot image.

To create a customized ConfigMgr 2007/2012 boot image:

  • On your primary site server, click Start > All Programs > Microsoft Windows AIK > Windows PE Tools Command Prompt to open the Windows PE Tools command prompt.
  • Run this command to create a Windows PE build environment in the WinPE folder.
      • for a 32bit boot wim – copype x86 C:\winpe-x86
      • for a 64bit boot wim – copype amd64 C:\winpe-amd64
  • Install VMware Tools on Windows 2008 and copy the entire contents of the C:\Program Files\VMWare\VMWare Tools\Drivers\pvscsi and vmxnet3 folders to a C:\VMDrivers folder on the virtual machine.
  • From the Windows PE command prompt (<Drive>:\winpe-x86), run this command to mount winpe.wim to the mount folder:
    dism /mount-Wim /wimfile:<drive>:\winpe.wim 1 /mountdir:<drive>:\WinPE_tmp
  • Run this command at the Windows PE Tools command prompt to copy the vmxnet, vmxnet3 (enhanced), and pvscsi drivers into winpe.wim:
    dism /image:<drive>:\WinPE_tmp /Add-Driver /driver:c:\VMDrivers /recurse
  • Run this command to save the changes to winpe.wim:
    dism /unmount-Wim /Mountdir:<drive>:\WinPE_tmp /commit

Import your custom boot images into ConfigMgr 2007/2012 and distribute them to your DP. You're done!

Hope it Helps ,

Kenny Buntinx

ConfigMgr 2007/2012 , WEDM 2011 & HP Thin clients with WES 7 : Part 1

7:40 pm in CM12, ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr 2012, ConfigMgr SP2, ConfigMgr2007 R3, embedded, HP, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, SCCM 2012, System Center, Task Sequence, ThinClient, WES, Wyse by Kenny Buntinx [MVP]


Hi there ,

Has your company decided to invest in thin clients with Windows Embedded Standard 7? Are you already working with ConfigMgr 2007 or ConfigMgr 2012? Then you have probably heard about WEDM 2011 (Windows Embedded Device Manager 2011), which is a plugin for ConfigMgr.

Embedded devices such as HP's thin clients utilize a Microsoft feature called enhanced write filtering. It is a way of using local memory as a cache for storing the changes that software makes when running on the client. Software may try to write to the disk, but write filtering lets the disk's original contents be instantly restored by simply rebooting and "forgetting" the changes.

That's nice, until you want to make permanent changes to the operating system, like security patches, or install applications like Flash Player. You might have had to write a script that turned filtering off, applied the patch, then turned filtering on again. And someplace in that scenario, you worked in some time for praying it all worked right before re-engaging the filter. One of the benefits of using WEDM 2011 is that it knows how to programmatically disengage enhanced write filters prior to deploying updates or software.

Like any other vendor, HP, Dell and Wyse have their own way of managing and deploying OS images. Usually the pre-installed software on a system is not up to date or not enough to serve the company's needs. Embedded systems have historically been more difficult to manage and maintain than PCs. Until recently!

Hewlett-Packard announced that for the first time, it will offer thin client PCs – systems that already run Windows Embedded Standard 7 – that have Windows Embedded Device Manager 2011 (WEDM 2011) pre-installed. This way, out of the box, customers that run Windows Embedded 7 (based on the Windows 7 kernel) don't have to install a separate server with their native HP tooling (even if it's just a virtual or cloud-based one) to monitor and maintain devices. Now that EDM comes pre-installed on a thin client like a t5570e (right) or t5740e (above) costing somewhere in the mid-three-digit range, depending on configuration, admins can use a thin client to capture and redeploy fully configured system images to a collection of clients.

Microsoft announced System Center 2012 Configuration Manager during MMS, though it will take time for ConfigMgr 2012 WEDM 2012 to make its way into the field. For now, HP's solution supports SCCM 2007 and EDM 2011.

For managing those devices in ConfigMgr 2007, you will need a few prerequisites:

Also keep these hotfixes and articles at hand, as you might need them:

Device Manager 2011 extends the capabilities of Configuration Manager to let you deploy a new or updated operating system image to thin clients (a process referred to as device imaging). You can perform device imaging on one device or on a collection of devices using the Configuration Manager console. To do this, you must integrate the following components into your Configuration Manager installation:

That's it for part 1. Check back later for Part 2, where we explain how to implement all the above components to do the actual work itself.

Hope it Helps ,

Kenny Buntinx

Installing Intel HD Graphics Driver for WinXP with SCCM 2007 SP2 fails with error code 14

11:26 am in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, Intel, Operating System Deployment, OSD, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2 by Kenny Buntinx [MVP]

This applies if you need to install the latest release of the Intel HD Graphics Driver via an SD package or OSD task sequence with SCCM 2007 SP2.

I downloaded the driver from the Intel website and built a package for a silent install (just adding -s to setup.exe).

If I run it manually, it works fine. If I have it run by an SCCM SD program or OSD task sequence, it runs fine, but the SCCM program log reports error 14.

The IntelGFX log shows no error, the driver installs fine… why does SCCM say it didn't? SCCM reports that error code (14) is related to the product.


Workaround:

Make a .cmd file that installs the driver, and add echo finish at the end so that the .cmd file sends return code 0 (zero) to SCCM.


Hope it Helps ,

Kenny Buntinx

SCCM Out of Band Management Troubleshooting (Part1)

1:47 pm in AMT, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, OOB, out of band management, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, System Center Service Manager, Tokensize, Vpro by Kenny Buntinx [MVP]

It’s no secret for most people that KVM Remote Control is one of my favorite vPro features within System Center Configuration Manager  (System Center Configuration Manager 2007 R3 / System Center Configuration Manager 2012 Beta 2) or System Center Service Manager (System Center Service Manager 2010).

Why go to an end user to fix his PC when you can use KVM Remote Control to do it from your own desk? With a feature this awesome, it’s challenging to make improvements. With the next generation Intel Core vPro Processors, KVM Remote Control now supports resolutions up to 1920×1200 at 16 bits per pixel color depth.

In my previous blog posts I already explained where to download the Intel vPro KVM add-on for System Center Configuration Manager. You can read the article at “SCCM 2007 : Intel AMT–VPRO KVM add-on for SCCM 2007”.

If you want to download the tools directly from the Intel site, please go to the following links:

However, to use any of the above plug-ins, your systems must be made ready to use vPro. There are a lot of requirements to make that happen, which I am not going to explain here in detail. Here are all my System Center Configuration Manager 2007: Out Of Band Management blog posts. I am just going to list them:

After you have performed the installation by the book, it will probably not work out of the box, and this can have multiple causes. Below, and in separate blog posts, I will explain the necessary steps to debug your potential issues:

1. Kerberos ticket size issue

If the Out Of Band Management console won’t connect to a client computer, the Kerberos ticket size might be too big. That means your user account belongs to too many groups.

You can find more information here:


If you have problems connecting to a client computer with the OOB console, check OOBConsole.log at <ConfigMgrInstallationPath>\AdminUI\AdminUILog.

I found the error messages below when I tried to connect with the OOB console using a user account whose Kerberos ticket size is too big, after I modified the OOBConsole.exe.config file and set the error logging value in the file to verbose.

[22.07.2011 13:54:32] :System.Management.ManagementException\r\nInvalid parameter \r\n at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
[22.07.2011 13:56:25] :RefreshAmtThirdPartyStorage fail with result:0x80338126
[22.07.2011 14:00:26] :GetAMTPowerState fail with result:0x800703E3


[22.07.2011 14:54:32] :System.Management.ManagementException\r\nInvalid parameter \r\n at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
[22.07.2011 14:56:25] :RefreshAmtThirdPartyStorage fail with result:0x80070005
[22.07.2011 15:00:26] :GetAMTPowerState fail with result:0x80070005

To interpret the value of the token size, you need the following background information. Each AMT version has a different maximum token size, as shown in the table below:



Below I have 2 accounts:

  • My account
  • SCCMAMT – An account created specifically to be only in the AMT SCCM group and to have the rights to execute AMT actions within SCCM

In the screenshot below, you will clearly see that my account’s token size is way too big (9418):


While the SCCMAMT account’s token size is 2577:



After logging in with the SCCMAMT account, check OOBConsole.log at <ConfigMgrInstallationPath>\AdminUI\AdminUILog. You will see that it at least succeeds in connecting to the AMT/vPro device:

[9/08/2011 9:39:43] :GetAMTPowerState success with 2.
[9/08/2011 9:39:53] :GetAMTPowerState success with 2.
[9/08/2011 9:39:58] :Open SOL connection…
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :status message Type:Audit, ID:0x00000000C000766A, User:VVM\sccmamt, Machine: xxxx, Target: xxxxx add to queue, waiting for report.
[9/08/2011 9:40:01] :Closing SOL terminal…
[9/08/2011 9:40:01] :SOL terminal closed
[9/08/2011 9:40:02] :GetAMTPowerState success with 2.
[9/08/2011 9:40:12] :GetAMTPowerState success with 2.
[9/08/2011 9:40:21] :GetAMTPowerState success with 2.
[9/08/2011 9:40:31] :GetAMTPowerState success with 2.
[9/08/2011 9:40:40] :GetAMTPowerState success with 2.
[9/08/2011 9:40:50] :GetAMTPowerState success with 2.
[9/08/2011 9:40:59] :GetAMTPowerState success with 2.
[9/08/2011 9:41:08] :GetAMTPowerState success with 2.

You will see that you can connect to the AMT/vPro chipset, but you still aren’t able to connect to the BIOS with a SOL / IDE connection, which fails with the following message: “IMR_SOLOpenTCPSession fail with result:0x00000020”.
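As an added example (not part of the original post or of ConfigMgr), the Python below triages OOBConsole.log lines like the excerpts above: it groups repeated failures and splits each HRESULT into facility and code. The line layout is assumed from those excerpts, and only the two Win32 codes that occur in them are named.

```python
import re

# Sample input: lines taken from the OOBConsole.log excerpts in this post.
SAMPLE_LOG = r"""
[22.07.2011 13:56:25] :RefreshAmtThirdPartyStorage fail with result:0x80338126
[22.07.2011 14:00:26] :GetAMTPowerState fail with result:0x800703E3
[22.07.2011 14:56:25] :RefreshAmtThirdPartyStorage fail with result:0x80070005
[22.07.2011 15:00:26] :GetAMTPowerState fail with result:0x80070005
[9/08/2011 9:39:43] :GetAMTPowerState success with 2.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
"""

# Assumed layout: "[timestamp] :Operation ... fail|success with [result:]value"
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] :(?P<op>\w+).*?\b(?P<status>fail|success) with "
    r"(?:result:)?(?P<val>0x[0-9A-Fa-f]+|\d+)(?:, description:(?P<desc>.*))?"
)
# Win32 error names for FACILITY_WIN32 (7) HRESULTs; only codes seen above.
WIN32 = {5: "ERROR_ACCESS_DENIED", 995: "ERROR_OPERATION_ABORTED"}

def decode(val):
    """Return (facility, code, name); facility is None if not a failure HRESULT."""
    n = int(val, 0)
    if not n & 0x80000000:  # plain status value such as 0x20
        return None, n, ""
    facility, code = (n >> 16) & 0x1FFF, n & 0xFFFF
    name = WIN32.get(code, "") if facility == 7 else ""
    return facility, code, name

def triage(text):
    """Group failed operations by (operation, result) and count the repeats."""
    groups = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["status"] != "fail":
            continue
        facility, code, name = decode(m["val"])
        g = groups.setdefault((m["op"], facility, code), {
            "op": m["op"], "facility": facility, "code": code, "name": name,
            "desc": m["desc"] or "", "count": 0, "first": m["ts"]})
        g["count"] += 1
        g["last"] = m["ts"]
    return list(groups.values())

if __name__ == "__main__":
    for g in triage(SAMPLE_LOG):
        print(g)
```

Facility 7 values wrap a Win32 error code, so 0x80070005 decodes to access denied; results from other facilities are reported numerically rather than named.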

I will explain the fix for this error in SCCM Out of Band Management Troubleshooting (Part2), which is under construction.

Hope it helps,

Kenny Buntinx