best practices

Some light reading for the bus ride home:

Download Whitepaper on Top 10 Best Practices on Windows 10 OSD with SCCM ConfigMgr

Configuration Manager 2012 adding Custom Security Role – Importing Computers

Great post by John Vintzel (ExEDS GM Account) on adding a custom Security Role into Configuration Manager. By default there is no built-in security role (apart from Full Administrator) to import devices into CM.

Here are the steps required:

  1. Create XML file with the code at the bottom of the page
  2. Navigate to Administration > Security > Security Roles in the CM Console
  3. Select Import Security Role from the ribbon
  4. Browse to the XML, click OK
  5. You will now see a new custom security role ‘Computer Import Manager’

XML Code:

<SMS_Role CopiedFromID="SMS00001" RoleName="Import Computer Role" RoleDescription="Add this role to an administrative user. Associate this security role specifically with All Systems.">
<Operation GrantedOperations="129" ObjectTypeID="1" />
<Operation GrantedOperations="524289" ObjectTypeID="6" />
</SMS_Role>

Configuration Manager 2012 Version and Build Numbers

Configuration Manager 2012 version numbers, build numbers and cumulative updates since the SCCM 2012 RTM release.

Get the version number:

  1. Open the Configuration Manager console
  2. Browse to Administration, Site Configuration then Sites
  3. Right-click on the site and select Properties
  4. The site version and build number are shown

| Release | Version | Build | Download Link |
|---|---|---|---|
| SCCM 2012 RTM | 5.00.7711.0000 | 7711 | N/A |
| SCCM 2012 RTM – CU1 | 5.00.7711.0200 | 7711 | KB2717295 |
| SCCM 2012 RTM – CU2 | 5.00.7711.0301 | 7711 | KB2780664 |
| SCCM 2012 SP1 | 5.00.7804.1000 | 7804 | N/A |
| SCCM 2012 SP1 – CU1 | 5.00.7804.1202 | 7804 | KB2817245 |
| SCCM 2012 SP1 – CU2 | 5.00.7804.1300 | 7804 | KB2854009 |
| SCCM 2012 SP1 – CU3 | 5.00.7804.1400 | 7804 | KB2882125 |
| SCCM 2012 SP1 – CU4 | 5.00.7804.1500 | 7804 | KB2922875 |
| SCCM 2012 SP1 – CU5 | 5.00.7804.1600 | 7804 | KB2978017 |
| SCCM 2012 R2 | 5.00.7958.1000 | 7958 | N/A |
| SCCM 2012 R2 – CU1 | 5.00.7958.1203 | 7958 | KB2938441 |
| SCCM 2012 R2 – CU2 | 5.00.7958.1303 | 7958 | KB2970177 |
| SCCM 2012 R2 – CU3 | 5.00.7958.1401 | 7958 | KB2994331 |
| SCCM 2012 R2 – CU4 | 5.00.7958.1501 | 7958 | KB3026739 |
| SCCM 2012 R2 – CU5 | 5.00.7958.1604 | 7958 | KB3054451 |
| SCCM 2012 R2 SP1 | 5.00.8239.1000 | 8239 | N/A |
| SCCM 2012 R2 SP1 – CU1 | 5.00.8239.1203 | 8239 | KB3074857 |
| SCCM 2012 R2 SP1 – CU2 | 5.00.8239.1301 | 8239 | KB3100144 |
| SCCM 2012 R2 SP1 – CU3 | 5.00.8239.1403 | 8239 | KB3135680 |
| SCCM 1511 | 5.00.8325.1000 | 8325 | N/A |
| SCCM 1602 | 5.00.8355.1000 | 8355 | N/A |


Windows Preinstallation Environment Version and Associated OS Version

| WinPE | Windows | Windows Version | Notes |
|---|---|---|---|
| 1.0 | Windows XP | 5.1.2600.x | First version of WinPE. |
| 1.1 | Windows XP SP1 | 5.1.2600.x | |
| 1.2 | Windows Server 2003 | 5.2.3790.x | |
| 1.5 | Windows XP SP2 | 5.1.2600.x | Windows PE 2004. |
| 1.6 | Windows Server 2003 SP1 | 5.2.3790.x | Windows PE 2005. |
| 2.0 | Windows Vista | 6.0.6000.x | |
| 2.1 | Windows Server 2008 | 6.0.6001.x | |
| 2.2 | Windows Server 2008 SP2 | 6.0.6002.x | |
| 3.0 | Windows 7 | 6.1.7600.x | Windows AIK 2.0. |
| 3.1 | Windows 7 SP1 | 6.1.7601.x | Windows AIK Supplement for Windows 7 SP1. |
| 4.0 | Windows 8 | 6.2.9200.x | Windows ADK (Windows Kits 8.0). |
| 5.0 | Windows 8.1 | 6.3.9300.x | Windows ADK (Windows Kits 8.1). |
| 5.1 | Windows 8.1 Update 1 | 6.3.9600.x | Windows ADK (Windows Kits 8.1 Update). |
| 10.0 | Windows 10 | 10.0.10240.16384 | Windows ADK (Windows Kits 10.0) |

Re: Install Application Step fails in Task Sequence

Great blog post about a similar issue we were having in production.

Applications would not install after a reboot, even when the logs said they had installed correctly. We found this was more likely to happen on devices with SSDs than on devices with SATA drives.

Looks like a known bug, but nothing a sleep command can solve:

Windows Tech Series – Windows 10 Deployment & Management

Just completed the three day course on Windows 10 Deployment and Management @ Auldhouse.

Windows 10 Deployment & Management

Perform an in-place upgrade from Windows 7

Go through configuring System Center 2012 R2 Configuration Manager SP1 to perform an in-place upgrade and deploy the task sequence to a Windows 7 machine. At the end of this activity, the Windows 7 machine will be upgraded to Windows 10.

Windows 10 Provisioning

Use the Imaging and Configuration Designer to create and install provisioning packages.

Build and Capture a Reference System Image

Go through the process of configuring and creating a Windows 10 image using Microsoft Deployment Toolkit (MDT).

Prepare a Windows 10 Lite Touch Deployment

This activity will import the reference Windows 10 image created from the previous section and configure a task sequence for Lite Touch deployment with MDT. At the end of this activity, you would have completed configuring the image deployment task sequence.

Windows 10 Zero Touch Deployment

This activity describes how to configure Configuration Manager for operating system deployment.

Managing Windows 10 with Configuration Manager

Device Package Deployment – Create a device collection, add a device to the collection, add an application package to System Center 2012 R2 Configuration Manager SP1 and deploy the application to a device.

User Application Deployment – Create a user in Active Directory, add an application to System Center 2012 R2 Configuration Manager SP1 and deploy the application to that user.

Windows 10 Browsers

Shows some common compatibility issues found while migrating existing web applications from IE8 to IE11, and demonstrates the tools and techniques to remediate them. This lab is designed for developers and discusses ways to resolve the compatibility issues by updating the application code, as that is the best long-term solution to make your applications standards compliant and ensure compatibility with modern browsers.

Example: User Agent String Detection Issue, Box Model, Popup Blocker, className Attribute, GetElementByID, Z Index Default Value, Content Centering, ActiveX Controls.

Device Guard

Learn how to configure and deploy Code Integrity policies, sign and deploy application catalogue files and enable Device Guard in an enterprise.


Failed to run the action: Use Toolkit Package – Error: 80070002; Source: Windows


Failed to run the action: Use Toolkit Package.
The system cannot find the file specified. (Error: 80070002; Source: Windows)



System Center 2012 R2 CU5 integrated with MDT 2013, deploying Windows 7 SP1 with Office 2013.


This occurs if the Drive Letter task sequence variable is configured to True. It does not occur if it is configured to False.


To work around this issue, create the following two Task Sequence variables at the very top of the Task Sequence:

SMSTSDownloadRetryCount = 5
SMSTSDownloadRetryDelay = 15

Place them immediately after the Execute Task Sequence group.

Decrypt Drive Then Wait Till Complete

I need to decrypt the D drive on devices performing a REFRESH task sequence. It is one thing to decrypt it, and another to wait till it has finished. This script will wait till the whole drive is decrypted.

I modified the PowerShell script from and it performed perfectly.

Find and replace the C: with the drive letter. Then add into the task sequence.

Here is the script in case the page disappears:

$ComputerName = "."
# Query the BitLocker WMI provider for the target volume
$BitLockerDrive = Get-WmiObject -Namespace root\CIMv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume -ComputerName $ComputerName -Filter "DriveLetter='C:'"
$Status = $BitLockerDrive.GetConversionStatus()
# ConversionStatus 0 = fully decrypted, 1 = fully encrypted
if ($Status.ConversionStatus -eq 0) {
    Write-Output "C: is already fully decrypted"
}
elseif ($Status.ConversionStatus -eq 1) {
    # Start decryption, then poll every 15 seconds until it completes
    Invoke-Command {manage-bde.exe -off C:}
    Start-Sleep 3
    do {
        $BitLockerDrive = Get-WmiObject -Namespace root\CIMv2\Security\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume -ComputerName $ComputerName -Filter "DriveLetter='C:'"
        $Status = $BitLockerDrive.GetConversionStatus()
        Start-Sleep 15
    }
    until ($Status.ConversionStatus -eq 0)
}
if ($Status.ConversionStatus -eq 0) {
    Write-Output "C: is fully decrypted"
}
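
The script above only acts when the volume is fully encrypted and polls with no upper bound, so a volume that is already decrypting is not waited on and a paused decryption would hold the task sequence indefinitely. The following is an added example, not the original post's script, that handles every conversion state and gives up after a timeout; the function name, parameters and default timeout are assumptions.

```powershell
# Added example (not the original post's script). The function name,
# parameters and default timeout are assumptions chosen for illustration.
function Wait-BitLockerDecryption {
    param(
        [string]$DriveLetter = 'D:',
        [int]$TimeoutMinutes = 240,
        [int]$PollSeconds = 15
    )
    $ns = 'root\CIMv2\Security\MicrosoftVolumeEncryption'
    $volume = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
        -Filter "DriveLetter='$DriveLetter'"
    if (-not $volume) { throw "No BitLocker volume found for $DriveLetter" }

    # ConversionStatus: 0 fully decrypted, 1 fully encrypted, 2 encrypting,
    # 3 decrypting, 4 encryption paused, 5 decryption paused
    $status = $volume.GetConversionStatus()
    if ($status.ConversionStatus -eq 0) { return $true }

    # Start decryption unless it is already running or paused part-way
    if (3, 5 -notcontains $status.ConversionStatus) {
        & manage-bde.exe -off $DriveLetter | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "manage-bde -off exited with $LASTEXITCODE" }
    }

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $status = $volume.GetConversionStatus()
        if ($status.ConversionStatus -eq 0) { return $true }
        if ($status.ConversionStatus -eq 5) {
            # A paused decryption never finishes on its own; resume it
            $volume.ResumeConversion() | Out-Null
        }
        Write-Verbose "$DriveLetter status $($status.ConversionStatus), $($status.EncryptionPercentage)% encrypted"
        Start-Sleep -Seconds $PollSeconds
    }
    return $false   # timed out: let the caller fail the step instead of hanging
}

# Fail the task sequence step with a non-zero exit code on timeout
if (-not (Wait-BitLockerDecryption -DriveLetter 'D:')) { exit 1 }
```

The non-zero exit code lets the task sequence step fail visibly, so later steps do not run against a volume that is still partly encrypted.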

Installing Workgroup Client in System Center 2012 Configuration Manager

Just installed the Configuration Manager client on a workgroup machine. Here are the steps I followed:

  1. Create and import a local computer PFX file for the workgroup machine
  2. Export then Import the Root Certificate
  3. Navigate to the share: \\server\sms_pri\client
  4. The client must be manually installed on each workgroup computer. Run the install command: ccmsetup.exe /UsePKICert /NoCRLCheck SMSMP=HTTPS:// SMSSITECODE=A01 SMSSLP=HTTPS://
  5. Approve the client in the Configuration Manager console


  • Workgroup clients cannot locate their default management point from Active Directory
  • Active Directory discovery methods will not discover computers in workgroups
  • Advertisements targeted to users are not possible

For more good info see Chris Sugdinis’s post, Peter van der Woude’s post regarding certificate creation and of course the TechNet site.
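
A pre-flight check for steps 1 and 2 of the workgroup client install, to run before ccmsetup.exe /UsePKICert in step 4: it confirms the machine store holds a certificate with a private key, the client authentication EKU, a current validity period and a chain to a trusted root. This is an added example, not from the original post; Test-CcmClientCertificate is a hypothetical helper name.

```powershell
# Added example, not from the original post. Test-CcmClientCertificate is a
# hypothetical helper name; run it elevated on the workgroup machine.
function Test-CcmClientCertificate {
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $now = Get-Date
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Collect the EKU OIDs carried by this certificate
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # Build the chain in machine context. The install command on this page
        # uses /NoCRLCheck, so revocation is skipped here too; set the mode to
        # 'Online' to test whether the CRL is actually reachable.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuth    = $ekuOids -contains $clientAuthOid
            InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
            ChainTrusted  = $trusted
            ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
}

$report = @(Test-CcmClientCertificate)
$usable = @($report | Where-Object {
    $_.HasPrivateKey -and $_.ClientAuth -and $_.InValidity -and $_.ChainTrusted })

if ($usable.Count -eq 0) {
    # Show why each candidate failed, e.g. UntrustedRoot if step 2 was missed
    $report | Format-List Subject, HasPrivateKey, ClientAuth, InValidity, ChainTrusted, ChainErrors
    Write-Warning 'No usable client authentication certificate in LocalMachine\My'
    exit 1
}
$usable | Format-List Subject, Thumbprint
```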