How to exclude specific applications with Lumension Endpoint Security

Open the Windows Registry Editor on the client machine.
Navigate to:

Create a new DWORD (32-bit) value.
The NAME is the file path to the driver \application that you want to exclude, for example if you are excluding the Skype application:
For 64 bit: C:\Program Files (x86)\Skype\Phone\Skype.exe
For 32 bit: C:\Program Files\Skype\Phone\Skype.exe

The Value data is 0 (zero)
Restarting the application or the machine may be required for the change to take effect.
The application specified in the registry entry name will be excluded from protection by Lumension Endpoint Security.

You can of course automate this task by running something like this:

:: Set the file you would like to exclude
SET EXCLUSION="C:\Program Files\Skype\Phone\Skype.exe"

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk\Parameters" /v %EXCLUSION% /t REG_DWORD /d 0 /f

Automate your BIOS update in MDT

This universal script will automate your BIOS updates in MDT. In order for this script to work, you will need to configure your MDT deployment share with the following folder structure:

Inside of the BIOS folder, you will need a folder for each model that you are supporting in your deployment. The folder names must match the model name that MDT queries with ZTIGather.
You can run wmic computersystem get model to get this value.

Folder Structure Example:
DeploymentShare$\Scripts\Custom\BIOS\HP EliteBook 8560w

Inside of these folders, you will need to place all the files needed to install your BIOS update. You will also need to create custom files needed to silently install and determine the latest BIOS version.

1st File: BIOS.txt
In this txt file, you will place the BIOS version of the update. This is used to compare the BIOS version installed on the machine and the latest update version.

2nd File: UpgradeBIOS.cmd
In this file you will add all the commands needed to silently install your BIOS update.

REM Setting Current Directory
cd "%~dp0"
WINUPTP.exe -s

Once you have the the folder structure completed, you will want to add a Reboot task to your Task Sequence. With this task, you will need to add an if statement with the following configuration:

Reboot Task Configuration

And now for the actual Powershell script!

# Load MDT Task Sequence Environment and Logs
$TSenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$logPath = $tsenv.Value("LogPath") 
$logFile = "$logPath\BIOS_Update.log"

# Start the logging 

Write-Output "Logging to $logFile." > $logFile

# Collect data
Write-Output "Collecting Data" >> $logFile
$ScriptRoot = $tsenv.Value("ScriptRoot")
$Model = $TSenv.Value("Model")
$CompBiosVersion = (Get-WmiObject WIN32_BIOS).SMBIOSBIOSVersion
$CurrentBiosVersion = Get-Content "$ScriptRoot\Scripts\Custom\BIOS\$Model\BIOS.txt"
$Installer = "UpgradeBIOS.cmd"

try { 
    Test-Path $CurrentBiosVersion -ErrorAction Stop
catch {
    Write-Output "$CurrentBiosVersion does not exist" >> $logFile

# Checking for BIOS update
if($CompBiosVersion.replace(' ' , '') -eq $CurrentBiosVersion.replace(' ' , '')) {
    Write-Output "BIOS is up to date." >> $logFile
else {
    Write-Output "Updating BIOS $CompBiosVersion to $CurrentBiosVersion." >> $logFile
    Start-Process "cmd.exe" "/c $ScriptRoot\Deploy\Scripts\Custom\BIOS\$Model\$Installer" -Wait
    $tsenv.Value("NeedReboot") = "YES"
    Write-Output "Update has been completed successfully." >> $logFile

How to enable used space encryption using Invoke-MbamClientDeployment.ps1

First and foremost, if you have not had a chance to read the latest Technet article on how to enable BitLocker by using MBAM, please do so here!

It is an excellent guide that explains how to configure MBAM and Bitlocker inside of MDT. Unfortunately the guide does not explain how to enable used space encryption when you are not pre-provisioning your drive. It’s actually pretty simple and can be done by just modifying the registry.

Now I’m assuming that you have Invoke-MbamClientDeployment.ps1 in your task sequence but if you have not set everything up, please read the Technet article that I referenced earlier.

In your task sequence, please navigate to the step that calls Invoke-MbamClientDeployment.ps1. If you followed the Technet guide, the task name should be “Configure BitLocker for MBAM”. Now go ahead and add a Run Command Line step before the “Configure BitLocker for MBAM” step. Let’s name this step “Enable Used Space Encryption”.

In the command line field, you will want to enter the following command:

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v OSEncryptionType /t REG_DWORD /d 2 /f

And.. That’s it!

How to configure your Windows 10 default file associations in MDT

You will first need to configure all your file associations on a test machine. Once this has been done, you will want to run the following command to export your file associations:

Dism.exe /Online /Export-DefaultAppAssociations:%USERPROFILE%\Documents\DefaultAppAssociations.xml

The XML file will be exported to your Documents folder

Now you will want to place the XML file that we just exported into your Scripts folder inside of your MDT Deployment Share.

Once that is done, launch MDT and open your deployment task sequence. Locate the PostInstall folder and add a command line task above the Inject Drivers task.

Set File Associations
Set File Associations - 2

Lets go ahead and name the task Set File Associations. In the command line field, insert the following command:

Dism.exe /Image:%OSDisk%\ /Import-DefaultAppAssociations:%SCRIPTROOT%\DefaultAppAssociations.xml

Now you’re all set!

Automatically join a machine to your domain

This short script will join a machine to your domain. This can be useful as a post start up script that will launch after a machine has been imaged.

$domain = "DOMAIN"
$password = "PASSWORD HERE" | ConvertTo-SecureString -asPlainText -Force
$username = "$domain\USERNAME HERE" 
$credential = New-Object System.Management.Automation.PSCredential($username,$password)
Add-Computer -DomainName $domain -Credential $credential

Feel free to comment if you have any questions!

One Column Start Layout

If you haven’t done it already, please read my post on how to deploy a customized start menu in your Windows 10 image.

Do you have a similar start layout that you would prefer to slim down and not have to do it manually for each profile?

Well you can do this by configuring LayoutModification.xml to display only one main column and all you have to do is edit the following line:

<LayoutOptions StartTileGroupCellWidth="6" />

And add StartTileGroupsColumnCount=”1″

<LayoutOptions StartTileGroupCellWidth="6" StartTileGroupsColumnCount="1" />

Customize a Windows 10 Start Layout

To customize the Start Menu in your images, you will need to export a ‘reference’ Start Menu using the Export-StartLayout PowerShell cmdlet.

First you will need to setup the Start Menu exactly the way you want it, and then export the layout.

Export-StartLayout –path C:\LayoutModification.xml

Now, you can import the custom XML into the Default profile before sysprep.
Note: Only new user profiles will be able to see the new layout

Import-StartLayout -LayoutPath LayoutModification.xml -MountPath $env:SystemDrive\

If for some reason you have problems with the import, you can just copy the custom XML file into the Default profile.
Note: Only new user profiles will be able to see the new layout

copy /y LayoutModification.xml “C:\Users\Default\AppData\Local\Microsoft\Windows\Shell”

How to programmatically pin icons in Windows 10

UPDATE 01/01/2017:
Microsoft finally released an approved method to pin icons to the taskbar. I would highly suggest using this method since Syspin is a 3rd party tool that is not approved.
You can find out more info here:

In previous versions of Windows, you used to be able to use the verb Pintotaskbar to programmatically pin programs to your taskbar.

Example on how to pin Powershell ISE to the taskbar in Windows 8.1:

    $shell = new-object -com "Shell.Application"  
    $folder = $shell.Namespace((Join-Path $env:SystemRoot System32\WindowsPowerShell\v1.0))
    $item = $folder.Parsename('powershell_ise.exe')

This is no longer the case with Windows 10 and retrieving the verbs with $item.Verbs() from the script above, returns all verbs except for “Pin to taskbar”.  If you right click the file via the GUI, you will see that this verb does indeed exist.

Powershell verb

After a while of researching, I found a great third party tool that can easily pin icons to your taskbar in Windows 10.

The tool is called SysPin and you can download it from the following URL:

Below are some instructions on how to use the tool:

Usage : syspin ["file"] c:#### or syspin ["file"] c:"commandstring"
        c:5386  : Pin to Taskbar
        c:5387  : Unpin from Taskbar
        c:51201 : Pin to Start
        c:51394 : Unpin to Start

Samples :
  syspin "%PROGRAMFILES%\Internet Explorer\iexplore.exe" c:5386
  syspin "C:\Windows\notepad.exe" c:"Pin to Taskbar"
  syspin "%WINDIR%\System32\calc.exe" c:"Pin to Start"
  syspin "C:\Windows\System32\calc.exe" c:51201

Unfortunately I haven’t found a way to unpin Edge and the Microsoft App store with this utility but I have been successful using the following tutorial to unpin everything before sysprepping the machine.

Good luck and I hope this helps someone!

Windows 10 Upgrade

Depending on your environment, you may or may not need to have prerequisites that need to be done before starting an upgrade. These tasks may include, disabling your antivirus or uninstalling any software that may not be compatible with Windows 10. Once you have automated these tasks you can start the Windows 10 upgrade process by using the following command:

"setup.exe" /auto upgrade /quiet /copylogs %SystemDrive%\Temp\Deployment_Log 

This is a very basic way to silently upgrade your computers to Windows 10.  You can add further customization such as adding a post script that will launch after the upgrade is done.  To do this you can add the /PostOOBE<location>\[setupcomplete.cmd] switch to the command above.

Once you have your scripts ready, you can deploy them with the software that you use to push out your packages (Kaseya, LANDesk, SCCM, etc).

Read more

Windows 10 Sysprep Issue

Recently I noticed that when you sysprep Windows 10 and use CopyProfile=TRUE in your unattend.xml, it will copy over the last used folders and recent files of the built-in admin.

Quick Access

In order to remove the Quick Access history, you will need to place a batch file inside the built-in admin’s %appdata%\Microsoft\Windows\Start Menu\Programs\Startup folder in Audit Mode before running Sysprep.

Read more