ConfigMgr – Applications with Runtime Dependencies

[Updated Feb. 2, 2019] – Added Report Sample and Download URL

Recently, Andreas Stenhall posted a fantastic blog post showing some PowerShell code to identify applications that are dependent upon other runtime frameworks such as .NET or Visual C++.  This got me extremely excited, as Visual C++ 2005 is already End Of Life and VC++ 2008 will be going EOL early next year.

Being able to quickly and easily identify applications that could be impacted if one or more of these legacy frameworks are removed has, up until now, been primarily a manual effort.

This post is designed to expand upon Andreas' work and extend his solution into SCCM, where the majority of us actually manage our systems.

Extending SCCM Inventory

The first step is to extend your ConfigMgr inventory to collect the proper WMI Class data during Hardware Inventory.

To do so, open up your Configuration Manager console, browse to Administration > Client Settings > Default Client Settings and open Properties.

Select Hardware Inventory and hit the Set Classes button.

Click Add, Connect to a computer and search for the following WMI classes

  • Win32_InstalledWin32Program
  • Win32_InstalledProgramFramework

Hit OK through the remaining windows to save your changes.  During the next inventory cycle the information should begin to populate in your ConfigMgr database.  Because the Win32_InstalledWin32Program provider is slow to enumerate and the resulting inventory table grows large, consider enabling these two classes first in a custom client setting targeted at a pilot collection, then promoting them to Default Client Settings once you have seen the volume.
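Before waiting for an inventory cycle, it is worth checking what these two classes actually return on a single machine.  The script below is an added example, not code from this post or from Andreas' script; it joins Win32_InstalledProgramFramework to Win32_InstalledWin32Program on ProgramId locally, which is the same join the SQL report performs on ProgramId0.  It assumes Windows 8/Server 2012 or later, where both classes exist in root\cimv2, and the '*Visual C++*' name pattern and the 8.0/9.0 version values are assumptions to adjust to whatever your own inventory shows.

```powershell
# Added example (not code from the original post or from Andreas Stenhall's script).
# Joins Win32_InstalledProgramFramework to Win32_InstalledWin32Program on ProgramId, the same
# join the SQL report performs on ProgramId0, so you can check what inventory will collect
# on one machine. Assumes Windows 8 / Server 2012 or later (both classes live in root\cimv2).
# Note: enumerating Win32_InstalledWin32Program walks the MSI database and can take a minute or more.
function Get-FrameworkDependentProgram {
    [CmdletBinding()]
    param(
        # Wildcard matched against FrameworkName, e.g. '*Visual C++*' (assumed value; check your data)
        [Parameter(Mandatory)] [string]$FrameworkNamePattern,
        # Optional exact FrameworkVersion values, e.g. '8.0','9.0' for VC++ 2005/2008
        [string[]]$FrameworkVersion
    )

    # Index programs by ProgramId once instead of re-querying WMI for every framework row
    $programs = @{}
    Get-CimInstance -ClassName Win32_InstalledWin32Program | ForEach-Object {
        $programs[$_.ProgramId] = $_
    }

    Get-CimInstance -ClassName Win32_InstalledProgramFramework |
        Where-Object {
            $_.FrameworkName -like $FrameworkNamePattern -and
            (-not $FrameworkVersion -or $FrameworkVersion -contains $_.FrameworkVersion)
        } |
        ForEach-Object {
            # LEFT JOIN semantics: a framework row with no matching program still comes out (with blank program columns)
            $program = $programs[$_.ProgramId]
            [pscustomobject]@{
                Vendor           = $program.Vendor
                Name             = $program.Name
                Version          = $program.Version
                FrameworkName    = $_.FrameworkName
                FrameworkVersion = $_.FrameworkVersion
            }
        } |
        Sort-Object Name, Version, FrameworkName, FrameworkVersion -Unique   # one row per program/framework pair, like SELECT DISTINCT
}

# Example: everything that still links against the EOL / near-EOL VC++ 2005 (8.0) and 2008 (9.0) runtimes
Get-FrameworkDependentProgram -FrameworkNamePattern '*Visual C++*' -FrameworkVersion '8.0', '9.0' |
    Format-Table -AutoSize
```

Run it on a machine you know has an old VC++ dependency first; if FrameworkName values in your inventory are spelled differently from the pattern used here, widen the wildcard rather than the version filter.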

Creating a Report

Now that we’ve inventoried the data, we need to do something with it.  Creating a report is a great first step, as we can then search for applications running on EOL or near-EOL frameworks and begin either upgrading those applications or working with the application developers or third-party ISVs to move them to a newer framework.

Now, for those of you who are used to writing SQL queries and reports against inventoried data, I urge caution when using the SQL code below and/or the RDL attached to this post.  The v_GS_INSTALLED_WIN_32PROGRAM view can get HUGE, which in turn dramatically slows down the SQL, especially in an environment with tens (or hundreds) of thousands of clients.

If you simply want a SQL dump of all the Programs and their associated frameworks, you can use the following SQL code:

SELECT DISTINCT prog.Vendor0, prog.Name0, prog.Version0, pf.FrameworkName0, pf.FrameworkVersion0
FROM v_GS_INSTALLED_PROGRAM_FRAMEWORK pf   -- view for Win32_InstalledProgramFramework; this line was missing from the post, so confirm the view name in your site database
LEFT JOIN (SELECT ProgramId0, Vendor0, Version0, Name0 FROM v_GS_INSTALLED_WIN_32PROGRAM) prog ON pf.ProgramId0 = prog.ProgramId0

This query has been optimized so that it executes within about 25 seconds in my environment with ~30K systems.  To further improve this (as I have done with the report), add on a WHERE statement to filter the information down even further by the FrameworkName as such:

SELECT DISTINCT prog.Vendor0, prog.Name0, prog.Version0, pf.FrameworkName0, pf.FrameworkVersion0
FROM v_GS_INSTALLED_PROGRAM_FRAMEWORK pf   -- same view as above; confirm the name in your site database
LEFT JOIN (SELECT ProgramId0, Vendor0, Version0, Name0 FROM v_GS_INSTALLED_WIN_32PROGRAM) prog ON pf.ProgramId0 = prog.ProgramId0
WHERE pf.FrameworkName0 = @FrameworkName AND pf.FrameworkVersion0 IN (@FrameworkVersion)   -- IN rather than =, because the report's version parameter is multi-select
ORDER BY prog.Name0, prog.Version0, pf.FrameworkName0, pf.FrameworkVersion0

The above query is what I use within the report. You will notice two SQL Parameters which correspond to the FrameworkName and FrameworkVersion that you want to query against.  This allows you to search for systems based on a specific framework and version (think EOL hunting).

Download Report –  You’ll need to update the data source within Report Builder and point it to your own data source.

The Report

In the report you are provided with two parameter options.

Framework Name – This is the name of the actual framework as gathered by Hardware Inventory.  None of this is “normalized” though you could do that in the SQL query if you wanted to.

Framework Version – I’ve configured this as a multi-select parameter option so you can look for multiple versions of a particular framework in one go.

In the example below, we’ll be looking at Visual C++ Runtime versions 2005 (8.0) and 2008 (9.0).  You can find the latest supported versions here:



You may download the report from my public GitHub Repository – Application Framework Dependencies.rdl

NOTE: Please ensure you change the Data Source to point to your own ConfigMgr Data Source.

Wrap Up

Now that you have access to the data, you can begin identifying applications that are dependent upon older versions of software frameworks, including Visual C++, Java, etc.  From there, start building collections of systems that have these older applications installed to handle upgrades as well as the (eventual) removal of the legacy runtimes.



ConfigMgr User Device Affinity (UDA) Collection Query

I was at the Midwest Management Summit at the Mall of America (#MMSMOA) this past week and met a ton of people.  Many of whom I have conversed with over Twitter and even more that I haven’t.  If you haven’t been to MMSMOA, I highly suggest you go next year (May 2018!).

At the end of one of the sessions, I engaged in a discussion about deploying software/updates to a Device Collection based on the system’s Primary User.  Well, I promised I would post a blog, so here it is.  To do this, we will leverage the User Device Affinity (UDA) functionality of ConfigMgr.

If you are unfamiliar with User Device Affinity, I suggest you read the documentation first to familiarize yourself with the technology and how to configure it in your environment.

In order to create a collection based on User Device Affinity relationships, you need to have two things:

  1. User Device Affinity assigned according to the link above (Either based on Client Settings or manual assignment)
  2. An Active Directory Security Group of user objects you wish to query against.  This group must be enabled in Active Directory Group Discovery located within Hierarchy Settings.

Warning: Be very careful when configuring your collection.  It’s possible for UDA to be enabled (either manually or via Client Settings) on both Clients and Servers.  Be sure to configure your Limiting Collection appropriately to ensure the end result contains ONLY the systems you expect.

select distinct SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System JOIN SMS_UserMachineRelationship ON SMS_R_System.ResourceId = SMS_UserMachineRelationship.ResourceId
WHERE SMS_UserMachineRelationship.Types=1 AND
SMS_UserMachineRelationship.IsActive=1 AND
SMS_UserMachineRelationship.UniqueUserName IN (select SMS_R_User.UniqueUserName from SMS_R_User where SMS_R_User.UserGroupName = "DOMAIN\\Group Name")

DOMAIN\\Group Name is a placeholder for the AD group you enabled in Active Directory Group Discovery; the backslash is doubled because WQL requires it inside a string literal.

There is a caveat to this whole process.  If using Client Settings to configure automatic discovery of Primary Users, you won’t catch everything right away.  This functionality is based on system usage over a period of time so it’s possible the relationships could fluctuate over time depending on how the system is used.

To the people I spoke with at MMSMOA, and to everyone else, I hope you find this useful.  If anyone reading this has a more accurate query, please post it in the comments and share the love.



SCCM Collection Queries Running Slow? Split ‘Em up!

Like many of you, my SCCM environment contains a rather large number of collections (1000+).  These collections are used for various purposes from identifying systems with certain Software installed, or identifying systems by Hardware Attributes such as Make, Model or Free Disk Space.

For each one of these collections, we have different ways we can populate them with members.  We can use Direct Memberships, Collection Queries, or Collection Include/Exclude rules.  Microsoft has a nice little guide showing How to Create Collections which gives an explanation of each.  Go ahead and read up, I’ll wait…

Ok, now that you are all caught up on the various Collection Membership Rules, I want to dive into the Query Rule a bit further.  Again, Microsoft has some information on How to Create Query Rules.  If you are unfamiliar with this process, please read up before continuing.


Let’s say your environment has 10,000+ clients and you need to define a collection of systems that have Microsoft Visio Professional 2016 installed.  Let’s lay out the criteria for this collection before we build it.

  • The collection must contain ALL instances of ‘Microsoft Visio Professional 2016’ regardless of architecture (x86 and x64)
  • The collection should be updated once per day and NOT use incremental updates.

If we take the above parameters into account, we should be able to come up with a collection query rule that looks something like this:

select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = 'Microsoft Visio Professional 2016'
or SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = 'Microsoft Visio Professional 2016'

As you can see from the above query, we are looking at both the 32-bit and 64-bit ADD_REMOVE_PROGRAMS WMI classes.  Once the new collection is created, it will take a few moments for the Collection Evaluator to update the collection membership so we can see how many systems we have.  How long the query takes to execute, and how many members the collection ends up with, will vary from environment to environment.

Analyzing the Results

The Collection Evaluator is the Site System component responsible for executing Collection Membership Queries and ultimately keeping your collections up to date.  Microsoft has an excellent tool that comes with the ConfigMgr Toolkit called CEViewer.exe which can be used to see all of your collections and details about their most recent evaluations.  Microsoft has a nice post on How to use CEViewer.exe.

If we open CEViewer on our Site Server and look at the last evaluation time for our new collection, we can see how much time it took for that evaluation to occur.   In our case here, we see that it took 28.18 seconds to evaluate.


You may be asking what is an “acceptable” threshold for collection evaluations.  Unfortunately, I haven’t seen anything from Microsoft on the subject so here is my own personal recommendation.  If a collection evaluation takes more than 20 seconds, you should look at optimizing the query rules.

Help!  My collection evaluations are taking too long!

There are a couple of really simple tweaks we can make to help reduce our overall collection query evaluation times.  (NOTE: Making changes to existing collections or collection queries will immediately cause that collection to update its membership)

  1. Use SELECT DISTINCT in your Query Rules.
  2. Split up your Query Rules into individual Queries.

Let’s start with the first item.  Using SELECT DISTINCT on all your query rules ensures that when a query rule is evaluated, each potential system is returned only once.  We can see this behaviour using the Monitoring > Queries node in the ConfigMgr console.  Let’s take a look at the difference between these two queries.  First, the “bad” way.

If we copy the query rule from above into a new Query Rule (Monitoring > Queries > New Query Rule) and execute it, we can see from the following screenshot that each Resource ID gets returned multiple times.  In this instance, they were each returned 59 times!


Now, let’s try it using SELECT DISTINCT.

select distinct SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = 'Microsoft Visio Professional 2016'
or SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = 'Microsoft Visio Professional 2016'

After running this new query, you can see that each Resource ID is listed only once and the total execution time is much lower.


Now, let’s go back to our collection and change it to use SELECT DISTINCT.  There are two ways to do this.  The first is to edit the WQL directly as shown above.  The other (easier) way is to tick the “Omit duplicate rows (select distinct)” checkbox in the query rule’s properties.  And if you ask me, this should be checked by default!


Divide And Conquer

The second way to speed up your collection evaluations is to split your query rule into multiple query rules.  In our example, we are joining three different WMI classes (SMS_R_System, SMS_G_System_ADD_REMOVE_PROGRAMS and SMS_G_System_ADD_REMOVE_PROGRAMS_64).  Running this query pulls every row from all three classes, checks the DisplayName matches and THEN finally pulls the results into the collection.  Even with SELECT DISTINCT, we still have to pull ALL DISTINCT results from each class.  Worse, the two inner joins pair every 32-bit ARP row on a system with every 64-bit ARP row on that same system before the WHERE clause is applied, which is why each Resource ID came back dozens of times, and a system that has rows in only one of the two classes (a 32-bit Windows client, for instance, which has no 64-bit ARP rows) never matches at all.

To improve the performance here, simply split your query against SMS_G_System_ADD_REMOVE_PROGRAMS and SMS_G_System_ADD_REMOVE_PROGRAMS_64 into two separate query rules.  And don’t forget to use SELECT DISTINCT!


select distinct SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = "Microsoft Visio Professional 2016"

select distinct SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = "Microsoft Visio Professional 2016"

Now if we evaluate collection membership and go back to CEViewer, we can see that the evaluation time has been drastically reduced, to well within our artificially defined “threshold”.
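Here is the same split-rule collection built from PowerShell, as an added example rather than anything from the original post.  It creates the collection with the two SELECT DISTINCT query rules above, a daily full evaluation with no incremental updates, and then triggers the first evaluation so you can compare its run time in CEViewer.  The site code P01, the 'All Workstations' limiting collection and the collection and rule names are assumed values; the ConfigurationManager module that ships with the console is required.

```powershell
# Added example (not from the original post): create the Visio 2016 collection with the two
# split query rules, SELECT DISTINCT, a daily full evaluation and no incremental updates.
# Assumes the ConfigMgr console is installed where this runs (the ConfigurationManager module),
# a site code of P01 and a limiting collection named 'All Workstations' (all assumed values).
param(
    [string]$SiteCode = 'P01',
    [string]$LimitingCollectionName = 'All Workstations',
    [string]$CollectionName = 'Microsoft Visio Professional 2016 - Installed',
    [string]$DisplayName = 'Microsoft Visio Professional 2016'
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

$selectList = 'SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, ' +
              'SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client'

# One rule per Add/Remove Programs class. Each rule joins a single inventory class and uses
# SELECT DISTINCT, so the Collection Evaluator never builds the 32-bit x 64-bit cross product
# the combined query produced, and a machine with rows in only one class is no longer dropped.
$rules = [ordered]@{
    'Visio 2016 - ARP 32-bit' = "select distinct $selectList from SMS_R_System " +
        "inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId " +
        "where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = '$DisplayName'"
    'Visio 2016 - ARP 64-bit' = "select distinct $selectList from SMS_R_System " +
        "inner join SMS_G_System_ADD_REMOVE_PROGRAMS_64 on SMS_G_System_ADD_REMOVE_PROGRAMS_64.ResourceID = SMS_R_System.ResourceId " +
        "where SMS_G_System_ADD_REMOVE_PROGRAMS_64.DisplayName = '$DisplayName'"
}

# RefreshType Periodic = scheduled full evaluation only; Continuous or Both would turn incremental updates on.
$daily = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 1
$collection = New-CMDeviceCollection -Name $CollectionName `
    -LimitingCollectionName $LimitingCollectionName `
    -RefreshType Periodic -RefreshSchedule $daily

foreach ($rule in $rules.GetEnumerator()) {
    Add-CMDeviceCollectionQueryMembershipRule -CollectionId $collection.CollectionID `
        -RuleName $rule.Key -QueryExpression $rule.Value
}

# Trigger the first evaluation, then compare its run time in CEViewer (or colleval.log).
Invoke-CMCollectionUpdate -CollectionId $collection.CollectionID
```

Because the two rules are OR'ed together by the collection, a machine matching either the 32-bit or the 64-bit class becomes a member, which is exactly what the original combined query was trying (and failing) to express.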



To recap, use CEViewer to keep an eye on your Collection Evaluations.  In addition, when creating your collection queries make sure to use SELECT DISTINCT and split out your query rules to improve performance where possible.

Upgrading to Office 2016/365 using a ConfigMgr Task Sequence

Earlier this year I did a presentation at the Central Texas Systems Management User Group (CTSMUG) in Austin on migrating our company to Office 2016 (MSI).  I have provided a link to my Sway of that presentation for some general context however this blog post will be a more technical explanation of how I went about upgrading all our systems to Office 2016.


  • Working knowledge of ConfigMgr 2012/Current Branch Task Sequences.
  • An existing Application/Package for installing Office 2016/365, Visio, Project, etc. (If you need assistance with this, there is plenty of guidance here and here)

Before we get going, we need to create a new package called “Office 2016 Upgrade Files”.  This package will contain the detection scripts, Office scrub scripts and any other custom code used for your overall upgrade process.  (NOTE: This package should NOT contain any of the actual Office installer binaries.)

New-CMPackage -Name 'Microsoft Office 2016 Upgrade Files' -Path '\\SERVER\SOURCES\Microsoft Office 2016 Upgrade Files'


Start by downloading the following scripts:

  • Get-MSOfficeProducts.ps1 – I developed this script to detect as many Microsoft Office (non-server) products that I had in my environment (NOTE: The language packs section needs improvement to cover more languages).
  • IME14-Cleanup.ps1 – This cleans up registry keys associated with the Office IME (Input Method Editor).

Next, use the “Easy Fix Download” link to obtain and extract the Office Scrub scripts for Office 2010 and later.

Task Sequence – Detection

Start out by creating a new (empty) Custom Task Sequence.  The first stage of our Task Sequence will include detecting the software currently installed on the system.  This is broken out (generally) into two different groups.

  • Microsoft Office Suites and Applications (i.e. Visio, Project, Language Packs)
  • Office-Dependent Applications – Other software packages that have a dependency on one or more Office applications that may need special attention (reinstall) during an Office upgrade.



The next section will contain the various scripts and command lines we’ll use to remove Office-dependent products and Office itself.  First, create a group (generally keyed off a WMI query or a file check) to detect and remove each application.  Be sure to add a custom Task Sequence variable, as indicated in the screenshot above, so you can use it to reinstall the software later.

You “CAN” upgrade Office in place without removing previous suites; however, I always run into legacy shared components that get left behind.  When these are left behind, the system still downloads ALL of the updates for the full suite (including service packs), so I prefer to perform a rip and replace of the Office suite.

Once you have removed the Office-dependent applications, the next set of steps will systematically remove Microsoft Office.  I’ll list these in the order we ran them, as this specific order of operations worked well no matter what the system had installed.

  1. Remove Microsoft Office – This uses the Get-MSOfficeProducts.ps1 script from the Detection step, but with the added -Uninstall parameter.  This step works well for removing Office 2003 components and some of the newer components using standard methods. NOTE: There is an Office Scrub script for Office 2003 available; however, I never verified that it worked.
  2. Uninstall Office 2007 – I used the main Office 2007 Professional Plus installation media with custom uninstall XML files to remove SharePoint Designer, Proofing Tools and the rest of the suite (in that order), since I already had the original package used to install it.  I’m not doing anything else related to Visio/Project or Language Packs during this section. NOTE: There is an Office Scrub script for Office 2007 available; however, I never verified that it worked.
  3. Uninstall Office 2010/2013/2016 – Microsoft has published “scrub” scripts for each version of Office that work incredibly well.  Set these up as Run Command Line Steps in your Task Sequence with the following Command Line parameters for each:

Scrub Office 2010

cscript.exe OffScrub10.vbs ALL /log "C:\Windows\Temp" /quiet

Scrub Office 2013

cscript.exe OffScrub15.vbs ALL /log "C:\Windows\Temp" /quiet

Scrub Office Click-To-Run – Use this if you are installing Office 2016 MSI

cscript.exe OffScrubc2r.vbs ALL /log "C:\Windows\Temp" /quiet

Scrub Office 2016 – Use this if you are installing Office 365 Click-To-Run

cscript.exe OffScrub16.vbs ALL /log "C:\Windows\Temp" /quiet

NOTE: I run each scrub script twice, as the scrub sometimes fails on a corrupted installation.  Running it twice typically takes care of things.

NOTE: Run the Office 2016/C2R scrub scripts to remove any potentially conflicting installations before installing Office.  C2R and MSI (2016) builds cannot co-exist.

Install Office 2016/365

Before you start installing Office 2016/365, consider rebooting the system.  This is often required if you had to remove other non-Office applications as part of your upgrade path.

I’m using the Application Model for all Office installers.  I have separate applications for the Office Suite separating 32-bit/64-bit.  All other Office components have both 32-bit and 64-bit within the same application.

During this section is where we will leverage the Task Sequence variables created by the Get-MSOfficeProducts.ps1 script to determine which components to reinstall.

Microsoft Office ProPlus Suite (32-bit/64-bit)

Use the MsOfficeSuiteArch TS Variable to determine which architecture of Office to install.


Microsoft Project (Standard/Professional)

Use the MsProjectStd or MsProjectPro TS Variables to determine if Project Standard or Professional needs to be reinstalled.


Microsoft Visio (Standard/Professional)

Use the MsVisioStd, MsVisioPrm or MsVisioPro TS Variables to determine if Visio Standard or Professional needs to be reinstalled.


Microsoft Proofing Tools Kit

Use the MsProofKit TS Variable to determine if the Proofing Tools Kit needs to be reinstalled.


Microsoft Office Language Packs

We use the Application Model for installing Office Language Packs.  These are separated by Language, and contain Deployment Types for each Office Version/Architecture to make things easy (for us and the end user).  Take note of the priority order.


Use the following TS Variables for Language selection:

  • MsLpChinese
  • MsLpCzech
  • MsLpDanish
  • MsLpDutch
  • MsLpFrench
  • MsLpGerman
  • MsLpHebrew
  • MsLpItalian
  • MsLpKorean
  • MsLpPolish
  • MsLpRussian
  • MsLpSpanish
  • MsLpSwedish
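The following is an added example of the detection half of this process and is not the author’s Get-MSOfficeProducts.ps1.  It reads the Uninstall registry keys, maps product display names onto the task sequence variable names listed above (MsOfficeSuiteArch, MsVisioPro, MsProjectStd, MsProofKit, MsLpGerman and so on) and writes them through Microsoft.SMS.TSEnvironment when it runs inside a task sequence.  The DisplayName patterns are assumptions; check them against Add/Remove Programs in your own environment.  It also assumes 64-bit Windows, where 32-bit Office lands under WOW6432Node.

```powershell
# Added example; this is not the author's Get-MSOfficeProducts.ps1. It detects installed Office
# products from the Uninstall registry keys and publishes the task sequence variables the
# install steps read. The variable names are the post's; the DisplayName patterns are
# assumptions and should be checked against Add/Remove Programs on your own machines.

# DisplayName wildcard -> task sequence variable. First match wins, so keep specific names first.
$productMap = [ordered]@{
    'Microsoft Visio Professional*'          = 'MsVisioPro'
    'Microsoft Visio Premium*'               = 'MsVisioPrm'
    'Microsoft Visio Standard*'              = 'MsVisioStd'
    'Microsoft Project Professional*'        = 'MsProjectPro'
    'Microsoft Project Standard*'            = 'MsProjectStd'
    'Microsoft Office Proofing Tools*'       = 'MsProofKit'
    'Microsoft Office Language Pack*German*' = 'MsLpGerman'
    'Microsoft Office Language Pack*French*' = 'MsLpFrench'
}

function Get-OfficeTaskSequenceVariables {
    # On 64-bit Windows the native hive holds 64-bit products and WOW6432Node holds 32-bit ones
    $nativeArch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
    $hives = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*';             Arch = $nativeArch }
        @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'; Arch = 'x86' }
    )

    $vars = @{}
    foreach ($hive in $hives) {
        Get-ItemProperty -Path $hive.Path -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                $name = $_.DisplayName
                # The suite's bitness is whichever Uninstall hive its entry lives in
                if ($name -like 'Microsoft Office Professional Plus*' -or $name -like 'Microsoft Office Standard*') {
                    $vars['MsOfficeSuiteArch'] = $hive.Arch
                }
                foreach ($pattern in $productMap.Keys) {
                    if ($name -like $pattern) { $vars[$productMap[$pattern]] = 'True'; break }
                }
            }
    }
    return $vars
}

$detected = Get-OfficeTaskSequenceVariables
try {
    # Inside a running task sequence this COM object exists; the variables drive the conditional install steps
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    foreach ($entry in $detected.GetEnumerator()) { $tsenv.Value($entry.Key) = $entry.Value }
} catch {
    # Outside a task sequence (e.g. testing on a workstation) just show what would be set
    $detected.GetEnumerator() | Sort-Object Key | Format-Table Key, Value -AutoSize
}
```

Run it interactively on a few representative machines before adding it to the task sequence; the table it prints is exactly the set of variables the conditional install steps will see.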


Re-Install Additional Applications

Here is where we begin reinstalling all of our Non-Office applications back onto the system.  This could either be a simple re-install, configuration change, or an update to an application to enable compatibility with the Office 2016 suite.

License Activation

We ran into some issues with KMS activation during our upgrades (using the MSI installer), so we added the necessary ospp.vbs commands to activate Office in an attempt to “force” activation immediately after installation.  This reduced the number of helpdesk calls we received when activation took longer than normal.

End Notification

Finally, we end the deployment by forcing a machine policy update, copying off log files and notifying the end user that the upgrade is complete (Notification HTA runs via the RunOnce registry key).

ConfigMgr Updates and Servicing Download Issues

I recently rebuilt my lab environment using Johan Arwidmark’s excellent Hydration Kit.  As part of this lab environment, I also set up a Virtual Router using Johan’s other guide.

If you haven’t considered using Johan’s hydration kit or virtual router setup, you should.  They are quick and easy (and repeatable).

I rebuilt the lab environment to test the new CM1606 upgrade in an environment set up more closely to my production environment.  After building the Domain Controller, Primary Site server and a couple of clients to test with, it was time to start setting up all the necessary roles (Software Updates, Service Connection Point, etc.) and verify everything was working before testing the new CM1606 upgrade.


After verifying that the basics were working, it was time to upgrade to CM1602 and then 1606 using the nice new In-Console Updates and Servicing Node.  I checked the node, and it still said downloading.  I waited a day, restarted SMS_EXECUTIVE service, even rebuilt the entire lab using new media.

I checked the dmpdownloader.log and saw the error:

ERROR: Failed to call IsFileTrusted


I found another post with this same error, but the suggested fixes didn’t help me.  I even tried the registry fix in the Release Notes.  Nothing.

Checking the EasySetupPayload directory I could see that the update files were actually downloaded.


Checking the corresponding directory… rats. Empty.




After a series of trial and error (and a bit of cursing), I stumbled across a solution to my problem.

As part of the Virtual Router setup and overall lab configuration, I configured an Internal Hyper-V network for all my lab VMs to run on.  The Virtual Router was configured with two VMs and set up in a NAT configuration so the lab VMs could get out to the internet.

Here’s the issue (kind of).  My ConfigMgr Site Server was only connected to the Internal Hyper-V Network.  So I decided to bypass the Virtual Router and add a second, External (CORP) Network Adapter to the ConfigMgr Primary Site Server.


After booting the VM back up, ConfigMgr was able to successfully download and extract the updates and I was able to proceed with the upgrade.


So if you are using a Virtual Router for your ConfigMgr lab, make sure you give your Site Server direct access to the internet instead of routing it through a Virtual NAT router.  (That is a lab shortcut; in production, point the Service Connection Point at your proxy rather than dual-homing the site server.)

MBAM Supported Computers Collection Issues after ConfigMgr 1606 Upgrade

I’ve been running on ConfigMgr 1602 since it was released and have had my environment integrated with Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since day one.  It’s worked wonderfully up until I applied the ConfigMgr 1606 in-console update.

For those of you who are not familiar with MBAM and its integration with ConfigMgr, check out Eswar Koneti’s excellent guide:


After the ConfigMgr 1606 update (Site Upgrade, not clients), I noticed an issue with the MBAM Supported Computers collection (which gets created as part of the MBAM + ConfigMgr Integration).  There were only about 500 systems out of ~14,000 that were in the collection now!

Over the next few days, that count slowly (and I mean slowly) grew to about 1,500 clients.  The collection member count fluctuated a few hundred each day but never got above about 1,700 clients.


I looked at the usual suspects like the Collection Evaluator being slow, WMI classes on the clients, and verified that clients were actually submitting Hardware Inventory (they were).

Upon looking further, there was one SQL view that wasn’t fully populated.  v_GS_TPM (Win32_TPM in the hardware inventory classes) is available for inventory right out of the box; however, MBAM requires it to be extended with three additional properties (IsActivated_InitialValue, IsEnabled_InitialValue and IsOwned_InitialValue), and the MBAM Supported Computers collection query joins to that class, which is why systems without a v_GS_TPM row drop out of the collection.


I checked the number of rows in this view using the following SQL:

SELECT COUNT(*) AS TpmRows
FROM v_GS_TPM

This returned only about 600-700 rows out of nearly 15K!  Checking some of the other MBAM views, such as v_GS_MBAM_POLICY or v_GS_BITLOCKER_DETAILS, returned the expected number of rows.


The solution I came up with was to simply force a Full Hardware Inventory Scan on every client.  Once the clients forced a full update, they started showing back up in the collection and were happy again.

Note: You’ll want to stagger this deployment so you don’t overload your site server(s)!

Here are the PowerShell commands I strung together (credit to Kaido Järvemets, @kaidja) and deployed via a Package/Program to all my clients:

# Hardware Inventory schedule ID; deleting its InventoryActionStatus record makes the next run a full (not delta) report
$HardwareInventoryID = '{00000000-0000-0000-0000-000000000001}'
Get-WmiObject -Namespace 'Root\CCM\INVAGT' -Class 'InventoryActionStatus' -Filter "InventoryActionID='$HardwareInventoryID'" | Remove-WmiObject
# Trigger the hardware inventory cycle now instead of waiting for the scheduled run
Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name TriggerSchedule -ArgumentList "$HardwareInventoryID"
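As an added example (not from the original post), the following narrows the blast radius instead of re-inventorying every client: it asks the site database which clients have reported hardware inventory but have no v_GS_TPM row, then runs the same three-line trigger on just those machines in staggered batches.  It assumes the SqlServer module for Invoke-Sqlcmd, read access to the site database and WinRM to the clients; the server name CM01, database name CM_P01, batch size and delay are assumed values.

```powershell
# Added example (not from the original post): find only the clients that have reported hardware
# inventory but have no v_GS_TPM row, and trigger a full hardware inventory on them in staggered
# batches to spare the site server. Assumes the SqlServer module (Invoke-Sqlcmd), read access to
# the site database and WinRM to the clients; server and database names are assumed values.
param(
    [string]$SqlServerInstance = 'CM01',
    [string]$Database          = 'CM_P01',
    [int]$BatchSize            = 200,
    [int]$BatchDelaySeconds    = 300
)

$query = @"
SELECT    sys.Name0 AS ComputerName
FROM      v_R_System sys
JOIN      v_GS_WORKSTATION_STATUS ws ON ws.ResourceID = sys.ResourceID   -- has sent hardware inventory
LEFT JOIN v_GS_TPM tpm ON tpm.ResourceID = sys.ResourceID
WHERE     sys.Client0 = 1
  AND     tpm.ResourceID IS NULL
"@
$missing = @(Invoke-Sqlcmd -ServerInstance $SqlServerInstance -Database $Database -Query $query |
             Select-Object -ExpandProperty ComputerName)
Write-Host "$($missing.Count) clients have hardware inventory but no v_GS_TPM row"

$hardwareInventoryId = '{00000000-0000-0000-0000-000000000001}'
for ($i = 0; $i -lt $missing.Count; $i += $BatchSize) {
    $last  = [Math]::Min($i + $BatchSize, $missing.Count) - 1
    $batch = $missing[$i..$last]
    Invoke-Command -ComputerName $batch -ErrorAction Continue -ArgumentList $hardwareInventoryId -ScriptBlock {
        param($id)
        # Dropping the InventoryActionStatus record makes the next run a full (not delta) report
        Get-WmiObject -Namespace 'Root\CCM\INVAGT' -Class InventoryActionStatus -Filter "InventoryActionID='$id'" | Remove-WmiObject
        Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name TriggerSchedule -ArgumentList $id | Out-Null
    }
    # Pause between batches so the site server is not flooded with full inventory reports at once
    if ($last -lt $missing.Count - 1) { Start-Sleep -Seconds $BatchDelaySeconds }
}
```

Re-run the SELECT after a few batches; the count should fall as the full reports land, and anything still missing after a day is worth looking at individually rather than re-triggering blindly.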

Root Cause

At the time this article was written I do not know the root cause, but I have been in talks with a PFE and members of the product group to track it down.  I hope that this post will help others out there until the root cause can be determined and a fix put in place.

IE Enterprise Mode Edge Redirect Overwritten by ConfigMgr Client Settings

Like most companies out there, my company is getting ready to migrate to Windows 10.  As part of our migration, we are using IE Enterprise Mode to handle many legacy web applications to ensure our end users get the best experience possible, and reduce the manual effort to ensure they are using the proper browser (and browser mode).

IE Enterprise Mode includes the ability to automatically re-direct sites from Microsoft Edge to Internet Explorer on Windows 10.  This is fantastic for those who choose to use Edge as their default browser (as I do).

This post will not be covering exactly HOW to implement IE Enterprise mode as there is plenty of that documentation out there on the web.  Instead, I’ll be focusing on a recent discovery that my colleagues and I made.


You’ve spent the last several months working with business partners to come up with a customized MS Edge redirect XML file and are ready to implement the file via GPP (or Compliance Settings or any other method you choose to set the registry key).  You choose to set this on a Per-User basis because you want it to follow the user, not the machine (don’t ask why, just assume this is the reason).

The registry key that gets configured with your custom MSEdge xml file is at:



In addition to the above, you are running System Center Configuration Manager build 1602 (v1511 may also be affected – see below).


You expect this new XML file to redirect your custom LOB apps, but it doesn’t.  Upon further inspection within Edge (HINT: enter about:compat in the Edge address bar), you ONLY see entries for your site server (specifically the server hosting the Application Catalog website).

The Solution

I messaged David James (@djammer) on the ConfigMgr Product Team to confirm that the ConfigMgr Client Settings to add the Application Catalog URL in Trusted Sites is, indeed, using an MS Edge redirect XML file similar to that from IE Enterprise Mode.


As you can see from that last tweet, the solution (a workaround, really) is to set the registry key using the same path under HKEY_LOCAL_MACHINE instead of HKEY_CURRENT_USER.  Doing so allows your custom IE Enterprise Mode XML file to load without being overwritten.

This can be verified by looking at SoftwareCatalogUpdateEndpoint.log and looking for this



I hope this information can help someone else out there.  IE Enterprise Mode and ConfigMgr are awesome products and will be integral to a successful migration.

Create Pilot Collection Console Extension for ConfigMgr 2012 R2

I recently started working on my first ConfigMgr Console Extension (aka. Right Click Tool).  For my first foray into this new territory I decided to tackle something that myself and my colleagues deal with on a regular basis, Pilots.  No, not pilots that fly airplanes.  Pilot deployments.  The thing you do before deploying something to Production.

So today I’m releasing my Create Pilot Collection Console Extension for ConfigMgr 2012 R2.  The purpose behind this tool is to support some internal business processes wherein we as packagers are required to deploy larger scale deployments to a smaller “pilot” collection first.  I would imagine that your company has similar requirements as well.

This tool was built using Sapien PowerShell Studio 2015 and was designed to provide a quick and easy way of generating a random sampling of “Pilot Members” for your pilot deployments.

Create Pilot Collection - Main Screen


I’d like to thank Nickolaj Andersen for writing and providing me with the Invoke-ToolInstallation.ps1 script to handle the installation of the Console Extension.  It’s been modified from his original version, so I’ll provide a write-up on leveraging this script in a follow-up blog post.


You can download the Console Extension from GitHub.

I’ve included the PowerShell Studio Project Files if you would like to tinker and modify for your own use.


To install the Console Extension, extract the .zip file you downloaded to a directory of your choice.  From an Administrative PowerShell Console, run the Invoke-ToolInstallation.PS1 script from the extracted directory.

NOTE: If you currently have the ConfigMgr Console open, you’ll need to close and re-open it.


To launch the tool, open your ConfigMgr console, and find a collection you wish to use as your “Base” collection.  This would typically be the collection you use for your final (Production) deployment.

The tool can be accessed from the Ribbon or the Right-Click Context Menu as shown below.

Right-Click Menu / Ribbon Icon

There are only two items you need to fill in.  The Pilot Collection Name and the Percentage of the original (base) collection to use as your pilot members.  The User Interface will update as you type to tell you how many members will be added to your new collection.

Create Pilot Collection - Main Screen

When you are finished, click the button, sit back and relax.  Once your collection is created you can deploy whatever you want to it.

NOTE: Large collections may take several minutes to process and add members.
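For those who would rather script the sampling than install a console extension, here is an added example (not the extension’s own code) of the same idea from the ConfigMgr PowerShell module: take a random percentage of a base collection’s members and put them into a new collection by direct membership, with the pilot limited to the base collection so it can never reach a device outside the production target.  It assumes a current branch console module (Get-CMDevice, and an Add-CMDeviceCollectionDirectMembershipRule that accepts an array of resource IDs); the site code P01 and the collection names are assumed values.

```powershell
# Added example (not the console extension's own code): the sampling the tool performs, done
# from the ConfigMgr PowerShell module. The pilot collection is limited to the base collection,
# so it can never contain a device outside the production target. Assumes a current-branch
# console/module and a site code of P01 (assumed value).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'P01:'

function New-PilotCollection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$BaseCollectionName,
        [Parameter(Mandatory)] [string]$PilotCollectionName,
        [ValidateRange(1, 100)] [int]$Percent = 10
    )

    $base = Get-CMDeviceCollection -Name $BaseCollectionName
    if (-not $base) { throw "Base collection '$BaseCollectionName' not found" }

    $members = @(Get-CMDevice -CollectionId $base.CollectionID)
    if ($members.Count -eq 0) { throw "Base collection '$BaseCollectionName' has no members" }

    # Round up so a small base collection still yields at least one pilot device
    $sampleSize = [int][Math]::Max(1, [Math]::Ceiling($members.Count * $Percent / 100))
    $sample = $members | Get-Random -Count $sampleSize

    # Limiting to the base collection is the safety rail: nothing outside the production target can ever land in the pilot
    $pilot = New-CMDeviceCollection -Name $PilotCollectionName `
        -LimitingCollectionId $base.CollectionID -RefreshType Manual
    # Direct membership: the pilot is a fixed sample, not a query whose membership drifts under you
    Add-CMDeviceCollectionDirectMembershipRule -CollectionId $pilot.CollectionID -ResourceId $sample.ResourceID

    [pscustomobject]@{
        PilotCollectionId = $pilot.CollectionID
        BaseMembers       = $members.Count
        PilotMembers      = $sampleSize
    }
}

# Usage: a 5% random pilot drawn from the production target collection (names are assumed values)
New-PilotCollection -BaseCollectionName 'All Workstations' -PilotCollectionName 'Pilot - All Workstations (5%)' -Percent 5
```

Adding direct members one collection at a time is what makes large base collections slow, which matches the note above; if you need to re-draw the sample, delete the pilot collection and run it again rather than editing the rules by hand.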

Using a BitLocker Data Recovery Agent to unlock a BitLocker encrypted drive

This blog post is a follow-up to my first post on BitLocker, MBAM and Data Recovery Agents (DRA).

In this post we’ll cover actually USING the BitLocker DRA to recover/unlock a BitLocker Encrypted drive using the BitLocker DRA Certificate.


Installing a BitLocker DRA Private Certificate

Before you can actually unlock a drive using the DRA certificate, you must install the Private (.pfx) certificate file on your system. My recommendation, however, is to install it under a local account (not a domain account) to avoid a potential issue with Credential Roaming.

  1. Log into the system using a local (Administrative) account – again, this is to keep the Private certificate from roaming with individual users and being installed on multiple systems.
  2. Locate the BitLocker DRA (.PFX) private certificate file (obtained from your Certificate Authority) and double-click on it.
  3. Follow the wizard and provide the password for the private key (this should also be provided by your Certificate Authority).
  4. Click Next thru the rest of the wizard pages.
  5. Delete the .PFX certificate file from the machine.

One other recommendation on this: keep track of who has this certificate and where it’s installed. When you have to renew the certificate, this will make it much easier to go back thru and update the locally installed private certs.


Unlocking a BitLocker Encrypted Drive with a BitLocker Data Recovery Agent

Now that we have the Private (PFX) certificate installed, we can proceed with unlocking BitLocker encrypted drives. Unlocking a BitLocker Encrypted drive starts at the Command Prompt (Elevated) where we can then leverage the manage-bde.exe utility to work with BitLocker Drive Encryption.

  1. At the (elevated) Command Prompt, type manage-bde -protectors -get <drive letter> where <drive letter> is the drive you wish to unlock. You should see an output similar to below (Image credit: TechNet).
  2. Take special note of the Certificate Thumbprint highlighted above. That long string is your certificate ID which you will use to actually unlock the drive.

NOTE: It IS possible to have more than one Certificate listed here if your company uses more than one DRA cert for BitLocker. You may have to try each one until you get one to work.

  3. To unlock the drive, type manage-bde -unlock <Drive Letter>: -Certificate -ct <Certificate Thumbprint>
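The procedure above, wrapped into a script as an added example (not code from the original post): it parses the protector listing for every Certificate Thumbprint, keeps only the DRA certificates actually installed with a private key under the local account, and tries each one against manage-bde until the drive unlocks. It assumes an elevated PowerShell session, manage-bde.exe on the PATH, and the .pfx imported into Cert:\CurrentUser\My as described above.

```powershell
# Added example, not code from the original post. Assumes manage-bde.exe is on the PATH,
# the shell is elevated, and the DRA .pfx was imported into Cert:\CurrentUser\My.

function Get-DraThumbprintFromProtectorOutput {
    # Pull every "Certificate Thumbprint:" value out of "manage-bde -protectors -get" text.
    # The 40-hex-digit value may sit on the same line or on the following indented line.
    param([string[]]$Lines)
    $found = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'Certificate Thumbprint:\s*([0-9A-Fa-f]{40})?\s*$') {
            $tp = $Matches[1]
            $next = $i + 1
            if (-not $tp -and $next -lt $Lines.Count -and $Lines[$next] -match '^\s*([0-9A-Fa-f]{40})\s*$') {
                $tp = $Matches[1]
            }
            if ($tp) { $found += $tp.ToUpperInvariant() }
        }
    }
    return $found
}

function Unlock-BitLockerWithDra {
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$MountPoint)

    $output = & manage-bde.exe -protectors -get $MountPoint 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde could not enumerate protectors on $MountPoint" }
    $volumeDra = @(Get-DraThumbprintFromProtectorOutput -Lines ([string[]]$output))
    if ($volumeDra.Count -eq 0) { throw "No certificate-based (DRA) protector found on $MountPoint" }

    # Only an installed certificate that still has its private key can unlock the volume.
    $candidates = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($volumeDra -contains $_.Thumbprint.ToUpperInvariant()) })
    if ($candidates.Count -eq 0) {
        throw "DRA certificate(s) $($volumeDra -join ', ') are not installed here with a private key"
    }

    # A volume may list several DRA certificates (see the NOTE above); try each match in turn.
    foreach ($cert in $candidates) {
        & manage-bde.exe -unlock $MountPoint -Certificate -ct $cert.Thumbprint | Out-Null
        if ($LASTEXITCODE -eq 0) { return $cert.Thumbprint }   # the thumbprint that worked
        Write-Warning "Unlock with $($cert.Thumbprint) failed (exit code $LASTEXITCODE); trying the next one"
    }
    throw "Every matching DRA certificate failed to unlock $MountPoint"
}

# Usage (elevated PowerShell): Unlock-BitLockerWithDra -MountPoint 'E:'
```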



That’s pretty much all there is to it. Recovering a BitLocker encrypted drive with a BitLocker DRA Certificate is pretty simple once it’s all setup. Of course I still would recommend using MBAM or Active Directory recovery methods as your primary recovery method (they are a lot easier) however this will hopefully give you that ‘warm & fuzzy’ feeling knowing that you can always unlock a BitLocker encrypted drive.

BitLocker, MBAM and Data Recovery Agents (DRA)

I’ve been using the Microsoft BitLocker Administration and Monitoring (MBAM) software from the Microsoft Desktop Optimization Pack (MDOP) for the past couple of years and I love it. It makes enforcement, reporting and key recovery for systems fairly simple once the pre-requisites have been met (i.e. TPM Enabled and Activated). In this post, I’ll be discussing a lesser known method of securing your BitLocker encrypted drives with Data Recovery Agents (DRA).

Data Recovery Agents – What are they?

A Data Recovery Agent, or DRA, is an account typically based on a Smart Card or Certificate which can be used for Encrypting and Decrypting a file or folder (EFS) or an entire drive (BitLocker). In our case we will be discussing a BitLocker DRA.

Why would I use a Data Recovery Agent when I have BitLocker?

Honestly, most people don’t. MBAM already handles key escrow, enforcement, key recovery and reporting for the BitLocker environment and does a very good job at it. However, I’ve seen a few issues during implementation that prompted me to take a closer look at managing our overall BitLocker environment, outside of just what MBAM provides. Here are a couple of scenarios I’ve seen which have caused us issues in recovering drives:

  • MBAM cycles a new key but escrow back to the server fails.
  • Helpdesk or end user manually encrypts drives with BitLocker but MBAM doesn’t get installed.

There may be other instances in which MBAM is unable to escrow keys however the above were the ones I saw most. So, just how do we solve this issue? There are numerous ways we could look at this from a process perspective, but I want to reduce the amount of human error and interaction wherever possible. Some ideas are:

  • Required deployment of MBAM to all systems – This could cause unwanted prompts for compliance on end user systems and doesn’t solve issues where MBAM simply fails to connect back to the server.
  • Store everything in Active Directory – Again, you still need a connection to AD for this and in a large environment this can significantly increase the size of your DB (your AD team may not like this).
  • Implement processes for your Help Desk to validate that keys are being escrowed – This becomes cumbersome and unsustainable.

By implementing a BitLocker Data Recovery Agent, you always have an additional recovery method available just in case MBAM either isn’t there or (gasp!) fails to properly escrow a key. I use this as my failsafe, my life preserver, my backup because telling a user, manager or heaven forbid an executive that their data is lost because something “just went wrong” (and they forgot to make a backup or stopped the backup software) is not the most pleasant part of our job.

How do I create a BitLocker Data Recovery Agent?

I’ll be the first to admit this, but I’m not well versed at managing a PKI infrastructure so instead of diving into the details and (possibly) getting it wrong, I’d suggest you reach out to your PKI team and request a certificate that can be used as a Data Recovery Agent for BitLocker. What they should provide you is two certificate files. A public .CER certificate which will be deployed to all your systems, and a private .PFX certificate which allows you to decrypt systems that were encrypted and have the DRA installed.

Setting up the BitLocker Data Recovery Agent

To configure and deploy the BitLocker Data Recovery Agent, we will leverage Group Policy. I use the same GPO that I use for configuring MBAM. The following steps will guide you in setting up your BitLocker DRA Certificate and other required/recommended settings for using a BitLocker DRA.

  1. Edit the Group Policy Object that will apply to client machines.
  2. Expand Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption
  3. Enable the setting Provide the unique identifiers for your organization. For BOTH the BitLocker identification field and Allowed BitLocker identification field use ‘MyCompany’.

NOTE: The value you enter here is CASE SENSITIVE! Make sure it’s typed EXACTLY the same in both locations.

  4. Expand Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives
  5. Enable the policy Choose how BitLocker-protected fixed drives can be recovered and configure it EXACTLY as shown in the screenshot.

Perform the same steps for Operating System Drives and Removable Data Drives.

  6. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > BitLocker Drive Encryption. Right-click it and select Add Data Recovery Agent.
  7. On the Welcome screen of the Add Recovery Agent Wizard, click Next.
  8. Click on the Browse Folders button and select the exported Certificate retrieved from your CA. (Make sure this is a .CER file which only contains the Public Key and NOT the .pfx file which contains the private key.)
  9. Click Next and Finish the wizard. You should then see the certificate of the DRA listed.
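A client-side check for the steps above, added here as an example (not part of the original post): it reads the BitLocker policy registry values the GPO writes, compares both identification fields to your organization string with a case-sensitive comparison (the pitfall called out in the NOTE), confirms the DRA is allowed for OS, fixed and removable drives, and looks for the delivered DRA public certificate. The FVE policy value names are the ones from the BitLocker ADMX; the certificate location under SystemCertificates\FVE is an assumption.

```powershell
# Added example, not from the original post. Run on a domain-joined client after gpupdate.
# Policy value names come from the BitLocker ADMX; the DRA certificate registry path is assumed.

function Test-BitLockerDraPolicy {
    param(
        [Parameter(Mandatory)][string]$ExpectedIdentifier,   # e.g. 'MyCompany' from step 3
        [string]$ExpectedDraThumbprint                        # optional: thumbprint of the public .CER
    )
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    if (-not $p) { return @("Policy key $fve not present; run gpupdate /force and check GPO scope") }
    $problems = @()

    # Step 3: both identification fields must match EXACTLY (ordinal, case-sensitive).
    if ($p.IdentificationField -ne 1) { $problems += 'Provide the unique identifiers policy is not enabled' }
    foreach ($name in 'IdentificationFieldString', 'SecondaryIdentificationField') {
        $v = [string]$p.$name
        if ([string]::CompareOrdinal($v, $ExpectedIdentifier) -ne 0) {
            $problems += "$name is '$v', expected '$ExpectedIdentifier' (case-sensitive)"
        }
    }

    # Step 5 for OS, fixed and removable drives: the data recovery agent must be allowed.
    foreach ($name in 'OSManageDRA', 'FDVManageDRA', 'RDVManageDRA') {
        if ($p.$name -ne 1) { $problems += "$name is not 1: DRA not allowed for that drive type" }
    }

    # Steps 6-9: the DRA public certificate should have been delivered by policy (assumed location).
    $certKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE\Certificates'
    $delivered = @(Get-ChildItem -Path $certKey -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName.ToUpperInvariant() })
    if ($delivered.Count -eq 0) {
        $problems += "No DRA certificate found under $certKey"
    } elseif ($ExpectedDraThumbprint -and ($delivered -notcontains $ExpectedDraThumbprint.ToUpperInvariant())) {
        $problems += "Expected DRA thumbprint $ExpectedDraThumbprint not delivered; found: $($delivered -join ', ')"
    }
    return $problems   # an empty result means the DRA policy looks correct on this client
}

# Usage: Test-BitLockerDraPolicy -ExpectedIdentifier 'MyCompany' | ForEach-Object { Write-Warning $_ }
```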


This post concludes with you (hopefully) having a BitLocker DRA certificate installed in your environment which should provide you with an additional recovery method for your BitLocker encrypted drives. If you haven’t quite gotten that ‘warm and fuzzy’ feeling yet, stay tuned for my follow-up article on Using a BitLocker Data Recovery Agent to unlock a BitLocker encrypted drive.
