With the release of WIM Witch v1.3.0, she now has new capabilities that were requested by the community. While there have been plenty of functional updates to WIM Witch since its release, this version brings enough change to warrant documentation. The features introduced in this release are all from user requests, and I want to […]
Over the years it’s been relatively common to include Microsoft DaRT into your boot image used for OSD in ConfigMgr and several blog posts have explained the process with a step-by-step approach. Some time back I found myself integrating DaRT a little bit more than I would allow myself for manually going through those guides, […]
Deploying a Cloud Management Gateway (CMG) with ConfigMgr requires access to an Azure Subscription. Additionally, the CMG is deployed using a resource provider named Microsoft.ClassicCompute. Newly registered Azure Subscriptions doesn’t have the this resource provider registered by default, which will cause the deployment of a CMG to fail with the first error message that as […]
Internet browsers have become more than just a means of accessing lines of HTML, JavaScript and CSS over the years. Today we use browsers to control core functions of our business, through portals into technologies including Azure, Office 365, AWS, Google Gsuite and many, many more. The one thing that has become apparent though over […]
Starting with version 1.4.0, WIM Witch can now import and apply Language Packs, Features on Demand, and Local Experience Packs. This feature set has been a constant request from the original release of WIM Witch, and I am really happy to have finally delivered it. There are known bugs, which are listed at the end […]
For earlier posts, please find them here: Passwordless journey with FIDO2 – Part 1 – Getting started with Security keys Passwordless journey with FIDO2 – Part 2 – Usage experiences So it’s been a few months since the last post, and I can tell that more and more people are starting their own journeys into […]
Recently I took on an new task assignment to migrate all users from the Office 2016 client to Office 365 Pro Plus. I thought I could finish this task in an hour, and I was totally wrong about that! Sure it was very easy to make Office 365 application and deploy the application using ConfigMgr. […]
I was recently pulled into a project with a client that is enrolling their estate into Autopilot. This would normally be unexceptional, but this client had a several challenges that made this process difficult. We devised a novel approach using WIM Witch and The Microsoft Deployment Toolkit (MDT) to mitigate risk, meet the client’s needs, […]
Last March, our own Sandy Yinghua challenged David James to a friendly competition of sharing the best tips and tricks for ConfigMgr. What resulted was a month’s worth of tweets from ConfigMgr team members and the community, highlighting useful tips and handy tricks. Due to the popularity of event, the quality and quantity of tips, […]
For many years, in fact, since I started my own career with Configuration Manager, the tried and tested method of building task sequences was to integrate MDT. MDT integration was seen to offer the best of both worlds, as MDT of course includes a lot of automation logic out of the box. The prospect of […]
The call We got a call from a customer stating that they where having issues with their cloud management gateway not working. I did spend some time on figuring out what the issue was so I though I should share it with you all. The customer gave us the following infomation. The status in the […]
All of us in SCConfigMgr are currently working from home, we would love this opportunity to meet the community in a virtual way (we thought it would be a good thing :)). Come Join Us On Tuesday 31st of March at 16:00 CET / 10:00Am EDT / 7:00AM PDT, we will welcome you to join […]
Lately there’s been a lot of talk about the newly introduced Microsoft Endpoint Manager solution, that’s aiming for bringing together the best from both worlds, where devices in both ConfigMgr and Intune can be managed from within the same console, the Microsoft Endpoint Manager admin center (MEMAC). In ConfigMgr Current Branch version 2002, the first […]
Back in January 2019 I wrote a series on setting up and customising MBAM (https://www.scconfigmgr.com/2019/01/12/step-by-step-microsoft-mbam/), a product that was part of the Microsoft Desktop Optimisation Pack, and a product that at the time was earmarked for retirement. At the time there were rumors’ that functionality would be imported into Configuration Manager, something that we learned […]
In part two of this three part series, I will run through how to customise the BitLocker Self Service portal in Configuration Manager build 2002. Series Links Goodbye MBAM – BitLocker Management in Configuration Manager – Part 1 (Server Components) Goodbye MBAM – BitLocker Management in Configuration Manager – Part 2 (Portal Customisation) Goodbye MBAM […]
In this, the final part of the series, we look at how the MBAM client and settings are deployed in the 2002 release of Configuration Manager. Series Links Goodbye MBAM – BitLocker Management in Configuration Manager – Part 1 (Server Components) Goodbye MBAM – BitLocker Management in Configuration Manager – Part 2 (Portal Customisation) Goodbye […]
The most requested feature for WIM Witch has been integration with Configuration Manager, and I am pleased and proud to announce this request has been fulfilled. WIM Witch now has the ability to create a new operating system image in ConfigMgr, as well as updating an existing image. Just like with previous versions, the ConfigMgr […]
Recently I took on an new task assignment to migrate all users from the Office 2016 client to Office 365 Pro Plus. I thought I could finish this task in an hour, and I was totally wrong about that! Sure it was very easy to make Office 365 application and deploy the application using ConfigMgr. Right? After I quickly make the application, I sit back and start thinking what else am I missing still, and then I realized there are some preparations and configurations that I need to do.
1. Visio and Project
My original plan was uninstall Office 2016, exclude Visio and Project, then install Office 365 64bit client, but soon I realized it is not supported to do so.
All installed products must be either the 32-bit version or the 64-bit version. For example, you can’t install a 32-bit version of Visio or Project on the same computer with a 64-bit version of Office.
Microsoft has done a great job adding more features to Office products in each builds, which means there are more setting can or should be managed. Currently the latest version of Office Administrative Template is published in Jan.22, 2020, it can be found from https://www.microsoft.com/en-us/download/details.aspx?id=49030
3. Privacy Control
Microsoft has made improvement of privacy control. Starting with Version 1904 of Office 365 ProPlus, there are new policy settings that will allow us to control Diagnostic data and Connected experiences , this is also one of the reason why we need update Office administrative template, all these policy settings are located under User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Privacy\Trust Center
Diagnostic data is used to keep Office secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This data does not include a user’s name or email address, the content of the user’s files, or information about apps unrelated to Office. There are two type of Diagnostic data: Required and Optional .
Required diagnostic data is the minimum data necessary to help keep Office secure, up-to-date, and performing as expected on the device it’s installed on
Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. If you choose to send optional diagnostic data, required diagnostic data is also included
You can use Configure the level of client software diagnostic data sent by Office to Microsoft policy setting choose what level of diagnostic data is sent to Microsoft. Just remember, disable this setting will send both diagnostic data to Microsoft, if you don’t want send any data, choose Enable-Neither.
Connected experiences use cloud-based functionality to provide enhanced Office features. I personally wouldn’t want my IT disable the feature for me, because I really love PowerPoint designer feature, it makes my presentation so pretty. You can find list of Connected experiences from https://docs.microsoft.com/en-us/deployoffice/privacy/connected-experiences .
Since I want to leave Connected experiences options open for my end users, I don’t want make decision for them whether or not they wants these features, I leave this policy “Disable Opt-in Wizard on first run” as Not Configured, so that they will see the first run wizard tell them about privacy control, and how they can configure those settings by themselves.
Don’t forget mobile devices! You can now use Office cloud police service manage privacy control settings as well.
4. Microsoft Teams
After install Office 365 client from Software Center, I didn’t find Teams from my Windows Start menu. I am using PSAppDeployToolkit to make my Office 365 package, so I added a force restart popup notification in the end. After restart, Teams is cached in users profile. I think logoff and login again will do the same, but since I am doing uninstall Office 2016 and install Office 365, a reboot will be better.
When first time login to Teams or active Office 365 apps, it gives this Workplace join notification. By default, “Allow my organization to manage my device” is checked, if user click Yes, this device will be Workplace joined. There are some benefits of this, it provides seamless second factor authentication and Single Sign-On to workplace resources and applications.
But I really don’t like this popup windows, because I had to make separated instruction explain to end users what this means. If you are like me, want prevent Workplace join notification, you can use this registry key
We love customize Windows 10, don’t we? . After updated to Office 365 client, we noticed our start layout looks very terrible, because we had pinned Office 2016 apps in start layout, now that Office 2016 is uninstalled, star layout only shows those crazy looking ~W icons. Fix this is easy, just need to make a new start layout, make a new Group Policy with WMI filter. WMI filter has configure only apply to Office 365 installed.
Filter for Office 365 64bits installed
SELECT path,filename,extension,version
FROM CIM_DataFile
WHERE path="\\Program Files\\Microsoft Office\\root\\Office16\\" AND filename="WINWORD" AND extension="EXE" AND version > "16"
Filter for Office 2016 32bit installed
SELECT path,filename,extension,version
FROM CIM_DataFile
WHERE path="\\Program Files (86)\\Microsoft Office\\Office16\\" AND filename="WINWORD" AND extension="EXE" AND version > "16"
Hope you enjoy reading my post and find it somehow helpful!
I was recently pulled into a project with a client that is enrolling their estate into Autopilot. This would normally be unexceptional, but this client had a several challenges that made this process difficult. We devised a novel approach using WIM Witch and The Microsoft Deployment Toolkit (MDT) to mitigate risk, meet the client’s needs, and create a simple process for enrollment.
The Scenario
– The organization is global
– Each location has its own unconnected forest and domain
– No centralized management had ever been implemented
– Local admin was enabled almost everywhere
– No consistency with vendor and models
– Many systems are field in remote locations with inconsistent and poor internet connectivity
The client also had a set of criteria to be met:
– They needed a break-glass solution in the event of enrollment or provisioning failure
– Had to be simple as the process would be user driven
– The process had to support multiple languages
– All existing data needed to be removed
– Minimal down time
While it would have been possible to have users enroll their devices in their existing state into Intune, there would have been an undesirable amount of administrative intervention to then wipe the devices post enrollment. This would have also increased user down time as the devices would essentially be provisioned twice. Additionally, since there was no consistency in the versions of Windows 10, systems would likely require a Feature Update along with provisioning.
The process we designed would use WIM Witch to handle the device enrollment into Autopilot, the various language needs, and break glass solution. We would then use MDT to deploy the WIM Witch image via Task Sequence on an ISO, allowing the device to be easily and quickly wiped and provisioned. The ISO would be written to USB and sent to the users.
WIM Witch
Like any other WIM Witch build, we imported a WIM and .Net binaries from a Windows 10 ISO. We also imported the three Language Packs and Local Experience Packs for the languages they needed to make available, as well as the Feature on Demand binaries.
Leveraging the Language Pack, Local Experience Pack, and Feature on Demand support introduced in version v1.4.0, we selected the required options to support their supported languages through their environment. We also opted to include .Net 3.5, updated the OneDrive client, and chose to apply the latest updates.
LP’s, LXP’s, and FOD’s selected, along with Updates, .Net, and OneDrive
Removing the In-box Apps
The client wanted to remove the gaming related apps. WIM Witch was happy to oblige.
Autopilot Enrollment
By using the “Retrieve Profile” option, we downloaded the JSON file that would correctly register the device to the appropriate profile. We enabled the option, and selected the downloaded file.
By all rights, the onboard Windows 10 drivers included in the image should be enough to get the machine up and running. Just to be safe, we opted to include the network drivers from the WinPE driver packs from HP and Dell (Lenovo doesn’t have an all-purpose PE driver pack). This would help ensure that Windows would have a better chance of connecting to the internet.
Breaking glass – leveraging the flexibility of WIM Witch v1.5
Version 1.5.0 of WIM Witch introduced a feature set that allows the user to add their own customizations to the build process. In this scenario, we leveraged the feature to meet the break glass requirement.
In this case, the plan was to create a folder off the root of C: called “BackUpPlan”. Within this folder we would add the installer for TeamViewer. If something were to go wrong during provisioning, helpdesk could coach the user through the installation of TeamViewer. Once installed, Help Desk could connect to the computer.
To make this magic happen, we needed one simple checkbox:
Making It So
The build process went off without a hitch, and WIM Witch dutifully handled the customizations we selected. Once our other customizations had been applied, WIM Witch paused the build process as expected. She displays the following warning:
The following dialog box pops up when the process is paused:
With the build process paused, we can manipulate the mounted image manually to satisfy the client’s break glass requirement. When an image is mounted, it’s files and folders are exposed. The structure can be manipulated as need.
We simply created our “break glass” folder at the root of the mount folder and copied over the TeamViewer installer.
Clicking “Yes” on the dialog box lets the process continue, which will give us our customized WIM file.
A word of caution on pausing the build process
In order for DISM to properly dismount an image, any connections to the mount path must be closed. This includes viewing the mount path with File Explorer, CMD, or other PowerShell sessions. If connections are not closed, the following error will occur.
Microsoft Deployment Toolkit (MDT)
There has been plenty written on the process of creating Task Sequences to support Autopilot for Existing Devices, so I am not going to go into detail in this post. In a nutshell, to make Autopilot work in this scenario, we need to copy the JSON file (the Autopilot Profile file) into a specific path, and then delete the Unattend.XML file. Since WIM Witch handles the JSON file for us, we only need to include the deletion of the Unattend.XML.
It’s worth noting that how one creates an ISO with MDT isn’t exactly obvious. The ability to do so resides in Advanced Configurations -> Media.
The media created under this option have their own discrete Windows PE configurations, which we used to add custom branding, make CMTrace available in WinPE, and control what prompts the users are presented.
To make the process simple, we added the rules to configure all the available options, except for which Task Sequence to select. We left this requirement so users wouldn’t inadvertently get stuck in a boot-loop if they left the USB key in and misconfigured their device’s boot order.
Once all of that was configured, all the remained was to generate the ISO and test it. After selecting the Update Media option, we had a useable ISO.
To validate the build, we spun up a VM and added the MDT created ISO as a boot option and fired up the machine. Upon boot, the user is greeted with one simple option:
The Task Sequence runs as normal, and it completes very quickly because all of our customizations have been applied directly to the WIM file. What would likely take at least 20 minutes to complete, had we applied each customization individually in the Task Sequence, takes less than 10 to finish.
Once the imaging phase completes, Windows starts OOBE. The first screen shows that our customizations are working.
After following the normal prompts, the user is prompted to enter their corporate credentials
At this stage, Autopilot is in full control of the provisioning process!
All that is left is to burn the ISO to USB and distribute.
Due to the popularity of event, the quality and quantity of tips, and the sheer amount of fun that was generated, we are doing again in 2020!
This year’s event is “21 Days of MEM Tips”, with the hashtag #21DaysOfMEMTips.
Starting on March 5th, feel free to post your best or favorite tips for anything related to Microsoft Endpoint Manager. These can include ConfigMgr, Intune, Autopilot, Community Tools, PowerShell, SQL, or whatever you think would be beneficial. When posting, please include the hashtag #21DaysOfMEMTips so your tip can be properly archived and attribution given.
With the release of WIM Witch v1.3.0, she now has new capabilities that were requested by the community. While there have been plenty of functional updates to WIM Witch since its release, this version brings enough change to warrant documentation. The features introduced in this release are all from user requests, and I want to […]
Over the years it’s been relatively common to include Microsoft DaRT into your boot image used for OSD in ConfigMgr and several blog posts have explained the process with a step-by-step approach. Some time back I found myself integrating DaRT a little bit more than I would allow myself for manually going through those guides, […]
Deploying a Cloud Management Gateway (CMG) with ConfigMgr requires access to an Azure Subscription. Additionally, the CMG is deployed using a resource provider named Microsoft.ClassicCompute. Newly registered Azure Subscriptions doesn’t have the this resource provider registered by default, which will cause the deployment of a CMG to fail with the first error message that as […]
Internet browsers have become more than just a means of accessing lines of HTML, JavaScript and CSS over the years. Today we use browsers to control core functions of our business, through portals into technologies including Azure, Office 365, AWS, Google Gsuite and many, many more. The one thing that has become apparent though over […]
Starting with version 1.4.0, WIM Witch can now import and apply Language Packs, Features on Demand, and Local Experience Packs. This feature set has been a constant request from the original release of WIM Witch, and I am really happy to have finally delivered it. There are known bugs, which are listed at the end […]
For earlier posts, please find them here: Passwordless journey with FIDO2 – Part 1 – Getting started with Security keys Passwordless journey with FIDO2 – Part 2 – Usage experiences So it’s been a few months since the last post, and I can tell that more and more people are starting their own journeys into […]
Recently I took on an new task assignment to migrate all users from the Office 2016 client to Office 365 Pro Plus. I thought I could finish this task in an hour, and I was totally wrong about that! Sure it was very easy to make Office 365 application and deploy the application using ConfigMgr. […]
I was recently pulled into a project with a client that is enrolling their estate into Autopilot. This would normally be unexceptional, but this client had a several challenges that made this process difficult. We devised a novel approach using WIM Witch and The Microsoft Deployment Toolkit (MDT) to mitigate risk, meet the client’s needs, […]
Last March, our own Sandy Yinghua challenged David James to a friendly competition of sharing the best tips and tricks for ConfigMgr. What resulted was a month’s worth of tweets from ConfigMgr team members and the community, highlighting useful tips and handy tricks. Due to the popularity of event, the quality and quantity of tips, […]
For many years, in fact, since I started my own career with Configuration Manager, the tried and tested method of building task sequences was to integrate MDT. MDT integration was seen to offer the best of both worlds, as MDT of course includes a lot of automation logic out of the box. The prospect of […]
The call We got a call from a customer stating that they where having issues with their cloud management gateway not working. I did spend some time on figuring out what the issue was so I though I should share it with you all. The customer gave us the following infomation. The status in the […]
All of us in SCConfigMgr are currently working from home, we would love this opportunity to meet the community in a virtual way (we thought it would be a good thing :)). Come Join Us On Tuesday 31st of March at 16:00 CET / 10:00Am EDT / 7:00AM PDT, we will welcome you to join […]
Lately there’s been a lot of talk about the newly introduced Microsoft Endpoint Manager solution, that’s aiming for bringing together the best from both worlds, where devices in both ConfigMgr and Intune can be managed from within the same console, the Microsoft Endpoint Manager admin center (MEMAC). In ConfigMgr Current Branch version 2002, the first […]
Back in January 2019 I wrote a series on setting up and customising MBAM (https://www.scconfigmgr.com/2019/01/12/step-by-step-microsoft-mbam/), a product that was part of the Microsoft Desktop Optimisation Pack, and a product that at the time was earmarked for retirement. At the time there were rumors’ that functionality would be imported into Configuration Manager, something that we learned […]
In part two of this three part series, I will run through how to customise the BitLocker Self Service portal in Configuration Manager build 2002. Series Links Goodbye MBAM – BitLocker Management in Configuration Manager – Part 1 (Server Components) Goodbye MBAM – BitLocker Management in Configuration Manager – Part 2 (Portal Customisation) Goodbye MBAM […]
In this, the final part of the series, we look at how the MBAM client and settings are deployed in the 2002 release of Configuration Manager. Series Links Goodbye MBAM – BitLocker Management in Configuration Manager – Part 1 (Server Components) Goodbye MBAM – BitLocker Management in Configuration Manager – Part 2 (Portal Customisation) Goodbye […]
The most requested feature for WIM Witch has been integration with Configuration Manager, and I am pleased and proud to announce this request has been fulfilled. WIM Witch now has the ability to create a new operating system image in ConfigMgr, as well as updating an existing image. Just like with previous versions, the ConfigMgr […]
. After updated to Office 365 client, we noticed our start layout looks very terrible, because we had pinned Office 2016 apps in start layout, now that Office 2016 is uninstalled, star layout only shows those crazy looking ~W icons. Fix this is easy, just need to make a new start layout, make a new Group Policy with WMI filter. WMI filter has configure only apply to Office 365 installed.
I like to add a lot of notes to the Description and make step names meaningful, but sometimes you have more info than can fit in those fields.