Deployment

Automatically update your Configuration Manager boot images for CVE-2023-24932

As many of you know, CVE-2023-24932 will require Configuration Manager admins to update their boot media before their organization or Microsoft enforces the revocations. If you do not update your boot images before the revocations are applied, you will not be able to load an unpatched WinPE image. Community members like Gary Blok and Sassan Fanai have already shared some excellent scripts that will automatically update your boot image. I just wanted to take it an extra step by automating some of the manual steps that would have to be performed. Using the ConfigMgr Module, we’re able to query the boot images to determine which updates are needed, find the update source URL for the May CU, then eventually update the boot image and reload the boot image properties so the console shows the correct build number. This will hopefully streamline the process for the community.

Credit:

Many thanks to Gary Blok for collaborating with me and helping improve the script!

References:

Requirements:

  • The Configuration Manager module needs to be loaded before running the script
  • If you have a Windows 11 boot image, please run the script on a Windows 11 host. DISM fails to apply the update if you do not.

Parameters:

  • WIMFolder
    • Local folder that will be used to store the boot image WIM temporarily
  • MountFolder
    • Local folder where we will mount the boot image.
  • DownloadFolder
    • Local folder that will be used to store the downloaded May 2023 Cumulative Update

Script:

How to automatically hide the Widgets and Teams chat button in Windows 11

As many of you know Windows 11 was released yesterday. Right now I’m I’m currently testing the official release and running Procmon to figure out some of the new registry keys that were introduced with Windows 11. Here are the registry keys and values that will automatically hide the Widgets and Teams chat button from the taskbar in Windows 11:

How to hide the widgets button:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“TaskbarDa”=dword:00000000

How to hide the Teams chat button:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“TaskbarMn”=dword:00000000

How to bring back the Windows 10 start menu on Windows 11

Update (10/6/2021) – I just tested the official Windows 11 release today and it appears you cannot bring back the Windows 10 start menu anymore. However the following registry key still works to move the start menu to the left side of the screen.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“TaskbarAl”=dword:00000000

As many of you know, Windows 11 will be introducing a new start menu layout. If you want to keep things consistent for your users you can add the following registry keys to your GPO when your company decides to roll out Windows 11.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“TaskbarAl”=dword:00000000
“Start_ShowClassicMode”=dword:00000001

The Start_ShowClassicMode registry key will bring back the Windows 10 start layout and the TaskbarAl registry key will move everything to the left like it used to be.

Install-Font Function

Use the Install-Font function to install system fonts on Windows 10 1809 and above. Older scripts may not work with Windows 10 1809 and above since Windows will now try to install fonts in the user’s LOCALAPPDATA directory. This function will get around those issues and allow you to programmatically install fonts for all users again.

How to use the function:

Install Fonts from folder
Install-Font “C:\Temp\Helvetica Neue”

Install one font
Install-Font “C:\Temp\Helvetica Neue\HelveticaNeueLTStd-HvIt.otf”


Function Install-Font {

    <#  
 
    .SYNOPSIS Install system fonts for all users
 
    .PARAMETER FontPath Provide path to a font or a folder containing fonts

    .PARAMETER Recurse Scan subdirectories
 
    .EXAMPLE - Install Fonts from folder
    Install-Font "C:\Temp\Helvetica Neue"
 
    .EXAMPLE - Install one font 
    Install-Font "C:\Temp\Helvetica Neue\HelveticaNeueLTStd-HvIt.otf"
 
    #>

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [String]$FontPath,
        [Switch]$Recurse
    )

    If(Test-Path $FontPath) {
        
        $FontFile = Get-Item -Path $FontPath

        If($FontFile -is [System.IO.DirectoryInfo]) {

            If($Recurse) {

                $Fonts = Get-ChildItem -Path $FontFile -Include ('*.fon','*.otf','*.ttc','*.ttf') -Recurse

            }
            Else {

                $Fonts = Get-ChildItem -Path "$FontFile\*" -Include ('*.fon','*.otf','*.ttc','*.ttf')

            }
            If(!$Fonts) {

                Throw ("Unable to find any fonts in the folder")

            }

        }
        ElseIf($FontFile -is [IO.FileInfo]) {

            If ($FontFile.Extension -notin ('.fon','.otf','.ttc','.ttf')) {

                Throw ("The file provided does not appear to be a valid font")

            }

            $Fonts = $FontFile

        }
        Else {
        
            Throw ("Expected font or folder")
        
        }

    }
    Else {

        Throw [System.IO.FileNotFoundException]::New("Could not find path: $FontPath")

    }
    ForEach ($Font in $Fonts) {

        $FontName = $Font.Basename
        Write-Host "Installing font: $FontName"
        Copy-Item $Font "C:\Windows\Fonts" -Force
        New-ItemProperty -Name $FontName -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Fonts" -PropertyType String -Value $Font.Name -Force | Out-Null

    }

}

Registry Keys for Windows 10 Application Privacy Settings

The following registry keys in this post control the privacy settings in Windows 10. These settings can be found in the GUI by going to SETTINGS\PRIVACY.
Read more

How to install Office 365 ProPlus updates during your SCCM build and capture task sequence

Have you tried to install Office 365 ProPlus updates during your SCCM build and capture task sequence and it never installed? Well that is most likely due to a registry key that was not updated. The update channel registry key value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration should not be pointing to your ccmcache folder. If it is, then this fix will work for you.

In order to update this key, you should run the following command before the Install Updates step in your task sequence.:
“C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe” /update SCHEDULEDTASK displaylevel=False

Note: This command must run before you attempt to install any Office 365 ProPlus software updates in your task sequence. If it does not then your update channel value will still be pointing to the ccmcache which will stop the updates from running.

Find more information here:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/manage-office-365-proplus-updates#updating-office-365-during-task-sequences-when-office-365-is-installed-in-the-base-image

How to disable Microsoft Teams from running at logon

If you landed on this page you are probablly working on packaging Microsoft Teams and have been banging your head against a desk trying to figure out how to disable it from loading at startup. Fortunately for you, I figured out a solution that works 100% of the time.

What do you need?
Node.JS
Microsoft Teams
Notepad++

Where to download?
Node.JS – https://nodejs.org/en/
Microsoft Teams – https://teams.microsoft.com/downloads
Notepad++ – https://notepad-plus-plus.org/

Brief background
Essentially, Microsoft Teams is a webpage in the background. It was developed with Electron which is a framework that lets developers create cross-platform desktop apps with web front-end technologies. Some other popular applications such as Skype, and Visual Studio Code were also built with using this technology.

With Electron apps, most of the source files for the application will be packaged into a file named app.asar. You can open the file in Notepad but you cannot save it since it is a READONLY file. From my experience, any changes made to it via Notepad will crash the app and prevent it from loading.

How do you do it?

  1. Download and install Microsoft Teams
  2. Download and install Node.JS
  3. Open the CMD prompt as an Administrator
  4. Run: npm install -g asar
  5. Run: asar extract "%LOCALAPPDATA%\Microsoft\Teams\current\resources\app.asar" C:\Temp\asar
    Note – Try running “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js command prompt.lnk” if the command prompt does not recognize the ASAR command.
  6. Navigate to C:\Temp\asar\lib
  7. Locate desktopConfigurationManager.js and open the file with Notepad++
  8. Search for OPENATLOGIN (There should be two references) and set the value to FALSE as shown below in the screenshots:
    disable teams at startup
    disable teams at startupli>

    Last but not least, it is time to repackage everything!

  9. Run: asar pack "C:\TEMP\asar" "C:\TEMP\app.asar" --unpack *.node

Now that you have a customized app.asar, you can silently install Teams and also not worry about it launching at startup. See the install script below for an example:

# Install Microsoft Teams
Start-Process "$PSScriptRoot\Teams_windows_x64.exe" -ArgumentList "-s" -Wait

# Copy customized app.asar
Copy "$PSScriptRoot\app.asar" "$env:LOCALAPPDATA\Microsoft\Teams\current\resources\app.asar" -Force

Add a new custom Powershell module path

You can use the following script to add a new module path to the PSModulePath environmental variable. Adding modules to this path will allow you to use them in your own scripts and if you have Powershell 3.0+ these modules will be automatically loaded when you call one of the custom CMDLET’s.

Notes:
Please replace the $ModulePath variable with the path that you would like to use.

$ModulePath = "YOUR PATH HERE"
$Path = (Get-ItemProperty -Path "HKLM:\SYSTEM\ControlSet001\Control\Session Manager\Environment").PSModulePath
$NewPath = "$ModulePath" + ";" + $Path

If($Path -notlike "*$ModulePath*") {
    Set-ItemProperty -Path "HKLM:\SYSTEM\ControlSet001\Control\Session Manager\Environment" -Name PSModulePath -Type String -Value "$NewPath"
}

AC Power Check For Laptops

The following script can be used in an SCCM or MDT upgrade task sequence to check if a laptop is connected to a charger. If the script detects that the laptop is not connected to a charger, it will prompt the user to connect the laptop to AC power.

$ChassisTypes = (Get-WmiObject -Class Win32_SystemEnclosure).ChassisTypes

Switch($ChassisTypes) {

    3 { $Chassis = "Desktop" }
    4 { $Chassis = "Desktop" }
    5 { $Chassis = "Desktop" }
    6 { $Chassis = "Desktop" }
    7 { $Chassis = "Desktop" }
    8 { $Chassis = "Laptop" }
    9 { $Chassis = "Laptop" }
    10 { $Chassis = "Laptop" }
    11 { $Chassis = "Laptop" }
    12 { $Chassis = "Laptop" }
    14 { $Chassis = "Laptop" }
    15 { $Chassis = "Desktop" }
    16 { $Chassis = "Desktop" }
    18 { $Chassis = "Laptop" }
    21 { $Chassis = "Laptop" }
    23 { $Chassis = "Server" }
    31 { $Chassis = "Laptop" }

}
If($Chassis -eq "Laptop") {

    Do {
      $PowerStatus = (Get-WmiObject -Class BatteryStatus  -Namespace root\wmi -ErrorAction SilentlyContinue).PowerOnLine

        If($PowerStatus -ne $True) {

            $TSEnv = New-Object -ComObject "Microsoft.SMS.TsProgressUI"
            $TSEnv.CloseProgressDialog()
            $wshell = New-Object -ComObject Wscript.Shell
            $wshell.Popup("Please Connect AC Power - Click OK to Continue",0,"AC Power Check",0)
    
        }
    }
    Until($PowerStatus -eq $True)

}

How to prevent the Edge shortcut from appearing on a desktop after the Windows 10 1803 upgrade

During my early testing of the Windows 10 1803 upgrade, I have noticed that Microsoft is now creating an Edge shortcut on the desktop.

This shortcut is not in the default profile but you can disable the functionality by running the following command:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer /v "DisableEdgeDesktopShortcutCreation" /t REG_DWORD /d "1" /f
Older Posts »
Page 1 of 4