Happy Thanksgiving – 2018 Edition

Hey friends, family, tweeps, and supporters. First off, Happy Thanksgiving. I hope that wherever you are in the world, and whether or not you celebrate actual Thanksgiving, you know you are loved and appreciated. I have a lot to be thankful for this year – I’ve moved into the beautiful new home that I built.

I am going to be making some personal changes, some of which I alluded to with a tweet not too long ago. Fam, it’s 2018 (soon to be 2019). Traveling the globe is getting old and it’s super disruptive, not to mention extremely expensive.

Traveling to conferences means finding care for the dogs, horses, and boy. This tends to get a little ridiculous in the cost and planning department. It also impacts my son quite a bit as he has to go live with somebody else (family at least) for 8-10 days. He’s going to be officially starting Kindergarten so regular school attendance is going to be mandatory for the next 13 years. I know for every parent/child caretaker reading this/watching this that I’m preaching to the choir.

In 2019, I plan to travel to exactly three conferences: MMS, Blackhat, and Ignite (which I realize is three more than most people get to go to). I will be focusing more on the local user group I’ve co-founded with some cool people, as well as online community efforts such as MVP Days (if they will have me), webinars, and Deployment News. While you can’t beat the networking you get by physically attending conferences, I think it’s worth exploring how to maximize virtual networking to help everybody stay in the loop without spending an insane amount of money and losing an insane amount of time going to a conference.

As for blogs – amicasto.com is where you’ll find general posts like these in addition to more Intune-focused topics. The 2Pint blog is where you’ll find all the super cool stuff my team is posting about all things network related. Also, don’t forget to check out the Deployment News Newsletter signup as we are looking forward to getting the newsletter rolling.

Happy day and remember – don’t try to deep fry a frozen turkey!


Links mentioned:

TechMentor Orlando

My blog

2Pint Blog

Newsletter Signup

Case of the Unexplained: Using PsKill to troubleshoot failed ConfigMgr update download

Every once in a while, I run into a bit of bad luck downloading a new version of ConfigMgr technical preview. I can’t say I’ve ever had this exact problem happen to me in production, but I *know* it’s happened several times in my technical preview lab.

When a new update is available in the console, it will get stuck on downloading:

Console showing CM update is downloading.

One of the first troubleshooting steps you can do is restart the SMS_Executive service. If that doesn’t work then I like to stop/start the SMS_Executive service and empty the contents of the EasySetupPayload folder (found in the ConfigMgr install directory). But what happens when you can’t stop the service? This is where I have that “sometimes this happens, but only in this particular environment” problem. I can’t stop the service 🙁

The service is stuck in “stopping” and I can’t fix it at this point without some help from PsKill

I know this isn’t a limitation of a ConfigMgr environment because I can go to my “prod” (Current Branch) site server and stop that service quite easily. My first go-to at that point is to just reboot the site server. It’s a lab, and that’s a fairly benign and extremely useful troubleshooting tool to have available. I don’t know of too many places that are typically very happy for you to reboot production servers whenever you run into issues 🙂

After the site server came back from the reboot, I saw that I was still plagued with the same issue: the download is stuck and I can’t do anything to the service. At this point, I’m not exactly as happy to throw in another reboot as a troubleshooting step.

Einstein quote

I’m guilty of this probably more often than I should admit.

Now, the ConfigMgr team has published an update reset tool which I could have used, but it meant I needed to go find the TechNet article and remember how to run the tool (it’s really simple, and you can get more info at the bottom of this post).

The super fast way to get to the bottom of the problem is to use PsKill. You can get the latest version of it from https://live.sysinternals.com/

I opened a command window as admin (note: I was already in PowerShell, but it’s not necessary to use PowerShell to run the tool. I was simply using PowerShell to try to stop the service first) and used the following syntax: .\pskill.exe -t smsexec

It’s not required to run the tool from PowerShell, I was simply using PowerShell to attempt to stop the SMS_Exec service

Once smsexec.exe was stopped, I could go into the EasySetupPayload folder and delete the update. At that point, I could restart the service, and I saw the download was pretty happy. Now I’m running the install.

How did I know to kill the smsexec process? If you go to Properties on the service (from services.msc) you get the path to the exe: <install location>\Microsoft Configuration Manager\bin\x64\smsexec.exe. You can accomplish the same thing in Task Manager from the Services tab: right-click the service and pick “Go to details”, which takes you to the running process in the Details tab.
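Here is the same sequence (try a normal stop, fall back to PsKill, empty EasySetupPayload, start the service again) as one elevated PowerShell script. This is an added example and not the code from the original post. It resolves the process name from the service’s own binary path, as described above, instead of hard-coding smsexec; the PsKill location under C:\Tools is an assumption, and the Authenticode check is there so you never run an unsigned binary named pskill.exe on a site server.

```powershell
# Added example, not the original post's code. Run from an elevated PowerShell
# prompt on the site server. Assumes pskill.exe was downloaded from
# https://live.sysinternals.com/ and saved to the path below.
$ServiceName = 'SMS_Executive'
$PsKill      = 'C:\Tools\pskill.exe'   # assumption: where you saved PsKill

# 1. Resolve the service's executable the way services.msc shows it.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found on this host" }
$exePath = ($svc.PathName -replace '"', '').Trim()
$exeName = [System.IO.Path]::GetFileNameWithoutExtension($exePath)   # smsexec
Write-Host "$ServiceName runs $exePath (state: $($svc.State))"

# 2. Try a normal stop first; only reach for PsKill if the service hangs in Stopping.
Stop-Service -Name $ServiceName -ErrorAction SilentlyContinue
Start-Sleep -Seconds 5
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc.State -ne 'Stopped') {
    # Refuse to run a PsKill binary that is not validly signed by Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $PsKill
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        throw "Refusing to run $PsKill (signature status: $($sig.Status))"
    }
    Write-Warning "$ServiceName is still $($svc.State); killing the $exeName process tree with PsKill"
    & $PsKill -accepteula -t $exeName

    # PsKill returns immediately, so wait until the process is really gone.
    $deadline = (Get-Date).AddSeconds(30)
    while ((Get-Process -Name $exeName -ErrorAction SilentlyContinue) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 1
    }
    if (Get-Process -Name $exeName -ErrorAction SilentlyContinue) {
        throw "$exeName is still running after PsKill; a reboot is the remaining option"
    }
}

# 3. Clear the stuck update payload, then bring the service back.
#    ...\Microsoft Configuration Manager\bin\x64\smsexec.exe -> three levels up is the install dir.
$installDir = Split-Path (Split-Path (Split-Path $exePath -Parent) -Parent) -Parent
$payload    = Join-Path $installDir 'EasySetupPayload'
if (Test-Path $payload) {
    Get-ChildItem -Path $payload -Force | Remove-Item -Recurse -Force
    Write-Host "Emptied $payload"
}
Start-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status
```

Stopping the service is attempted first on purpose: killing smsexec is the last resort, and the script throws rather than silently continuing if the process survives PsKill, so the reboot decision stays with you.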

By the way, if you want to use the Update Reset tool that the ConfigMgr team published, follow this link for more info: https://docs.microsoft.com/en-us/sccm/core/servers/manage/update-reset-tool. You need the package GUID, your site database name at the top level, and the FQDN of the top-level SQL server. The tool is located  If SQL is on the same box as your primary, then lucky you, you already know the FQDN and database 🙂 However, I’ve walked into plenty of environments where I wasn’t the one who architected the setup and documentation either doesn’t exist or wasn’t transferred. What typically goes hand in hand with that scenario is that opening a ticket to even get any info about the remote SQL (yuck, but I get why some companies do it) takes exponentially longer than running pskill would take.


Troubleshooting Intune Error 80180014


This lady is a professional and probably knows more about Intune than I ever will.

I ran into an unexpected issue when enrolling a new device. I kept getting the following error message: “Your organization does not support this version of Windows. (0x80180014)”.

Can’t enroll due to error 80180014

I did a quick search to find out that the error code means the platform isn’t supported. The recommendation was to upgrade the OS. (See: https://msdn.microsoft.com/en-us/library/windows/desktop/dn574815(v=vs.85).aspx )

Documentation recommends upgrading.

I wasn’t too sure this was really an accurate error, or even solid remediation advice. I felt like Intune was trolling me with a “have you tried turning it off and on again” bit of help. The device in question was running Windows 10 v1703. I tried again on a device running Windows 10 v1709 expecting success this time. Instead I was greeted with the same error code.

This time I went to the event log on the device to see what I could glean from there. In the event log, under Applications and Services – Microsoft – AAD – Operations, there were plenty of fun errors and warnings. Take this one for example:

Event log warning: “The text associated with this error code could not be found.”

There were a few other cryptic errors as well. Then I stumbled across one that started to lead me to believe there was something wrong with my tenant.

Event log error: “You might have sent your authentication request to the wrong tenant.”
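If you would rather pull those entries from PowerShell than scroll through Event Viewer, the following added example (not code from the original post) reads the same AAD operational log, whose channel name is Microsoft-Windows-AAD/Operational, and surfaces the two clues that mattered here: the bare 0x80180014 HRESULT and the “wrong tenant” hint. The two-hour window is an assumption about when the failed enrollment was attempted.

```powershell
# Added example, not from the original post. Run on the device that failed
# to enroll. Assumes the failed attempt happened within the last two hours.
$since = (Get-Date).AddHours(-2)

# Errors (level 2) and warnings (level 3) from the AAD operational channel.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AAD/Operational'
    Level     = 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No AAD errors or warnings since $since; widen the window or retry enrollment first"
    return
}

# A one-line-per-event overview, oldest first, so the sequence of the failure is visible.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# The entries worth reading in full: the enrollment HRESULT and tenant-mismatch hints.
$events |
    Where-Object { $_.Message -match '0x80180014|wrong tenant' } |
    Sort-Object TimeCreated |
    ForEach-Object {
        "{0:u} [EventID {1}]`n{2}`n" -f $_.TimeCreated, $_.Id, $_.Message
    }
```

A “wrong tenant” message next to an “unsupported platform” enrollment error is the pattern to recognise: the client-facing text blames the OS version, but the log shows the enrollment request never got past the tenant’s enrollment restrictions.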

At this point, I turned to my tenant to review settings. As far as I could tell, everything was ok. I reached out to Jan-Ketil Skanke for a sanity check. We reviewed my settings together. Turns out my tenant was blocking (all) device enrollment for some reason. Here’s where it becomes super obvious that I’m an Intune noob 🙂 Also a good time to point out that there’s nothing at first glance on this page that would suggest you should click the text you see to uncover more settings #ImJustSaying.

A view of enrollment restrictions in Intune

They couldn’t put an arrow or a “click here” type indicator that there may be more settings to drill into? (Spoiler alert: if you actually hover over an item you can tell if it is expandable) #IntuneNoobProblems

Screenshot showing settings expanded in Intune

OK, so it miiiiight be my fault.

I enabled Windows devices and waited a few minutes. I returned to both Windows devices and tried to enroll again. This time with success!

Customizing Intel NUC BIOS with Intel Integrator Toolkit

I’ve noticed that the newer models of NUCs that I’m purchasing (specifically the NUC7i7BNH) ship with a 12-character serial number populated in BIOS. A while back, I wrote a post about how to add it should it be missing. The utility used in that post is no longer available for download, and the last time I used it, the NUC bricked, so I set off to find a new tool to interact with NUC BIOS. Enter the Intel Integrator Toolkit.

This is a really pretty picture, strategically placed to reduce your disappointment that you will encounter in the next paragraph 🙂

Now, don’t get mad at me, but to use the Intel Integrator Toolkit, you have to disable Secure Boot to turn on the “Internal UEFI Shell” feature (which isn’t something you should leave on because it requires a keystroke to quit before it interrupts normal boot into Windows). I’m not really fond of tools that not only provide little automation in the end, but that also require you to turn off security features just to use it. Especially when you can manipulate BIOS properties of other major PC vendors from within Windows and it can be automated and distributed via a sequence engine and leave Secure Boot turned on.


Look, I have no idea what they were thinking. I’m just as confused as you.

Now on to the purpose of this post:

If you want to use the Windows Autopilot Script on your Intel NUCs, you’re in for some failure if the serial number is missing, because the script requires a serial number 🙂

So, to fix it in a scenario where you want to add/change/remove/whatever a serial number or other bios properties, you need to:

1. Download the Intel Integrator Toolkit (which is a .EFI file and some documentation)
2. Format a USB drive in FAT32
3. Copy the .EFI file from the download to your formatted USB drive
4. Disable Secure Boot
5. Enable Internal UEFI Shell

Now to manipulate the Serial Number property, simply boot into the Internal UEFI Shell (if it’s enabled in BIOS, it will give you a few seconds to cancel out of before it interrupts the normal Windows boot process, so best not to leave this turned on outside of this scenario).

To edit the serial number use the following syntax:

ITK6.efi -s -t system -f serial -v mySerial

Where “mySerial” is the serial number you want to enter. The -s, -t and -f flags drill down specifically to the Serial Number property. Full documentation on how to use the switches is in the guide that ships with the toolkit.
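Because the procedure above requires turning Secure Boot off, the step you do not want to skip is turning it back on (and disabling the Internal UEFI Shell) once the serial is written. The following added example, not part of the original post, is a post-change check you can run from an elevated PowerShell on the NUC: it reads the serial number the way the Autopilot script does (Win32_BIOS) and confirms Secure Boot is enforced again. The placeholder strings it rejects are the usual vendor defaults, and the ITK property list is only what this post documents.

```powershell
# Added example, not from the original post. Run elevated, on the NUC, after
# you have re-enabled Secure Boot and disabled the Internal UEFI Shell.
function Test-NucReadyForAutopilot {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $prod = Get-CimInstance -ClassName Win32_ComputerSystemProduct
    $serial = $bios.SerialNumber

    # Assumption: these are the common factory placeholders a vendor leaves in BIOS.
    $placeholder = 'To be filled by O\.E\.M\.|Default string|System Serial Number|^0+$'
    $serialOk = -not [string]::IsNullOrWhiteSpace($serial) -and ($serial -notmatch $placeholder)

    # Confirm-SecureBootUEFI throws on legacy BIOS boots; treat that as "not enforced".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false; Write-Warning "Secure Boot state unreadable: $($_.Exception.Message)" }

    [pscustomobject]@{
        Model            = $prod.Name
        SerialNumber     = $serial
        SerialUsable     = $serialOk
        SecureBootOn     = $secureBoot
        ReadyForAutopilot = ($serialOk -and $secureBoot)
    }
}

$check = Test-NucReadyForAutopilot
$check | Format-List

if (-not $check.SerialUsable) {
    Write-Warning 'Serial number is empty or a placeholder; Get-WindowsAutoPilotInfo will not produce a usable hash'
}
if (-not $check.SecureBootOn) {
    Write-Warning 'Secure Boot is OFF. Re-enable it in BIOS now that ITK is done, then run this check again'
}
```

Run it once per device before harvesting the Autopilot hardware hash; a device that reports SecureBootOn as False should go back to the BIOS menu, not into the Autopilot CSV.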

Here’s a list of customizations you can do with v6.1.6 of the toolkit:

- Product Name
- Serial Number
- SKU Number
- Asset Tag
- Chassis Type
- OEM String (up to 3)




OneDrive Woes in the Win10 AU

I have a *workaround* for anybody experiencing OneDrive crashing in the Windows 10 AU (1607). What I’m doing isn’t a sustainable practice if you’ve got the error across a large environment.

Not so shiny error in the event log! Faulting application name: OneDrive.exe

Event Name: SkyDriveClientError

My environment:
-Bare metal deployment of AU
-Domain Joined
-The domain account logging in is not an administrator account, although when signing in with an admin account, the problem persists.

I did my homework:
-There are no GPOs blocking MS accounts or OneDrive – it works in Windows 7, Windows 8.1, and Win10 1511.
-McAfee Enterprise: see above – it works in other environments, and we’ve got nothing configured that would interfere.
-Firewall/QoS/etc: see above – nothing that would prevent the app from running.
-Obtained media from VLSC and imported into MDT – zero customization done here.

After doing a lot of reading, I’m kind of relieved I’m not the only person with the issue, a lot of you are having it. The only workaround I ever saw posted was to roll back to 1511 or check EMET settings. Neither applies here because I did a bare metal deployment and we aren’t using EMET.

So, if I can’t rollback, what can I do?
I decided to add a Microsoft account (not the same one I was using for OneDrive, mind you) as a user on the PC. I didn’t make it administrator, just a regular user. BAM! OneDrive works. That MS account had ~20GB of data I was able to sync. Time to test on the domain account – and what do you know? Now it works and is happily syncing 200GB of data.

Edit: I’m told by Sandy that in an upgrade scenario if you’re having the issue you can delete HKLM\Software\Policies\Microsoft\Windows\OneDrive

#SQLSunday – Find Device Collections and Collection Membership

I try to use the ConfigMgr console as little as possible these days (long story).  So, here’s a SHINY and FUN thing you can do in SQL!

Want to know what device collection an endpoint belongs to?

select distinct
v_FullCollectionMembership.CollectionID As 'Collection ID'
, v_Collection.Name As 'Collection Name'
, v_R_System.Name0 As 'Machine Name'
from v_FullCollectionMembership
JOIN v_R_System on v_FullCollectionMembership.ResourceID = v_R_System.ResourceID
JOIN v_Collection on v_FullCollectionMembership.CollectionID = v_Collection.CollectionID
-- Uncomment below if you want to be specific. You can use the 'AND' operator if you want multiple specific systems returned.
-- Where v_R_System.Name0 = 'MDT01'

Here’s all the collections my MDT server currently belongs to in this environment.

Alternatively, want to return all the rows?

select * from v_FullCollectionMembership
where Name = 'MDT01'

And the most useful I’ve found from that view for reports is:

select distinct
v_FullCollectionMembership.CollectionID As 'Collection ID'
, v_Collection.Name As 'Collection Name'
, v_R_System.Name0 As 'Machine Name'
from v_FullCollectionMembership
JOIN v_R_System on v_FullCollectionMembership.ResourceID = v_R_System.ResourceID
JOIN v_Collection on v_FullCollectionMembership.CollectionID = v_Collection.CollectionID
-- Uncomment below if you want to be specific. You can use the 'AND' operator if you want multiple specific systems returned.
-- Where v_R_System.Name0 = 'MDT01'

Very SHINY columns are returned when running this query!
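Collection membership is also what decides which deployments a device receives, so the question behind “which collections does my server belong to” is often “what is being pushed to it, and why is it in that collection”. The query below is an added example, not part of the original post; it extends the view join above with the membership rule type (IsDirect from v_FullCollectionMembership) and whatever is deployed to each collection. It assumes the v_DeploymentSummary view as it ships in Current Branch, and the FeatureType/DeploymentIntent decodes in the comments are the commonly used values, so treat them as assumptions if your version differs.

```sql
-- Added example, not part of the original post. Run against the site database.
-- @Machine is the device name you want to look up.
DECLARE @Machine nvarchar(256) = N'MDT01';

SELECT
    c.CollectionID,
    c.Name                                                 AS CollectionName,
    s.Name0                                                AS MachineName,
    CASE fcm.IsDirect WHEN 1 THEN 'Direct' ELSE 'Query/Include' END AS MembershipRule,
    c.MemberCount,
    d.SoftwareName,
    d.FeatureType,        -- assumption: 1 = application, 2 = package/program, 5 = software update, 7 = task sequence
    CASE d.DeploymentIntent
         WHEN 1 THEN 'Required'
         WHEN 2 THEN 'Available'
         WHEN 3 THEN 'Simulate'
         ELSE CAST(d.DeploymentIntent AS varchar(10))
    END                                                    AS Intent
FROM v_FullCollectionMembership AS fcm
INNER JOIN v_R_System   AS s ON s.ResourceID   = fcm.ResourceID
INNER JOIN v_Collection AS c ON c.CollectionID = fcm.CollectionID
-- LEFT JOIN keeps collections that have nothing deployed to them.
LEFT JOIN  v_DeploymentSummary AS d ON d.CollectionID = c.CollectionID
WHERE s.Name0 = @Machine
ORDER BY c.Name, d.SoftwareName;
```

Read the result top-down: a server that sits in a collection through a broad query rule and has a Required task sequence targeted at that collection is exactly the combination that re-images a box nobody meant to touch.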

OSD – HP Driver Tips

Working on certifying drivers for some older model HPs in the shop. My options are:

1. Use Mikael Nystrom’s “PowerShell is King – Export drivers from Windows” post. Good stuff if you have a box already configured how you want it and it’s not Windows 7.

(Do a get-command export* and you’ll see you can’t use Export-WindowsDriver in Win 7.)

Good Windows 7 Options:

2.  If you get stuck installing a driver as an application, check in Program Files/Program Files (x86) for the unpacked files to see if an .inf was dropped there.  Be careful pulling the .inf file as some of the softpaqs need the software stack to work properly (see method 4 below for this scenario).

Found the driver for Bluetooth for a ZBook in this folder in Program Files (x86).

3. If HP, I generally find the majority of the unpacked files in c:\swsetup and then I search Program Files.

C:\SWSetup is a common unpack directory for Support Assistant and manual installs.

4. Another HP trick is to use the HP SoftPaq Download Manager. Once you load up the model you want, you can right-click on any of the given drivers to get the fly-out menu and select the .cva file. If it exists, it will give you install + silent install instructions for those pesky drivers that need to be installed as applications.

Using HPSDM to get the driver package and install instructions.

Install instructions are in a .cva that you open with Notepad – then scroll to the install section.

A fun tip about the .cva file: if you know the SoftPaq number, you can just find it in this URL (this only works if there is actually a .cva – not everything has one – but better than nothing, right??)
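Methods 1 to 3 above can be run together, and there is one check worth adding before any of those .inf files go into a deployment share: whether the package ships a validly signed catalog (.cat). An unsigned or tampered driver is both a deployment failure waiting to happen and a kernel-mode code path you would be distributing to every machine. The script below is an added example, not the post’s own code: it uses Export-WindowsDriver when the cmdlet exists (so not on Windows 7), then sweeps C:\SWSetup and both Program Files trees for leftover .inf files, and reports the signature status of the catalog next to each one. The C:\DriverExport destination is an assumption.

```powershell
# Added example, not from the original post. Run elevated on the reference
# machine. Assumes the HP unpack paths from the post; $Destination is arbitrary.
$Destination = 'C:\DriverExport'
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# Method 1: export every third-party driver package from the running OS
# (Export-WindowsDriver exists on Windows 8.1/10, not on Windows 7).
if (Get-Command Export-WindowsDriver -ErrorAction SilentlyContinue) {
    Export-WindowsDriver -Online -Destination $Destination | Out-Null
    Write-Host "Exported in-box third-party drivers to $Destination"
} else {
    Write-Warning 'Export-WindowsDriver is not available here (Windows 7?); using the unpack folders only'
}

# Methods 2 and 3: .inf files left behind by SoftPaq installers.
$searchRoots = @('C:\SWSetup', $env:ProgramFiles, ${env:ProgramFiles(x86)}, $Destination) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$infs = Get-ChildItem -Path $searchRoots -Filter *.inf -Recurse -File -ErrorAction SilentlyContinue

# For each .inf, find the catalog in the same folder and check its Authenticode signature.
function Get-DriverSignatureReport {
    param([System.IO.FileInfo[]]$InfFiles)
    foreach ($inf in $InfFiles) {
        $cat = Get-ChildItem -Path $inf.DirectoryName -Filter *.cat -File -ErrorAction SilentlyContinue |
               Select-Object -First 1
        $sig = if ($cat) { Get-AuthenticodeSignature -FilePath $cat.FullName } else { $null }
        [pscustomobject]@{
            Inf       = $inf.FullName
            Catalog   = if ($cat) { $cat.Name } else { '(none)' }
            Signature = if ($sig) { $sig.Status.ToString() } else { 'NoCatalog' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$report = Get-DriverSignatureReport -InfFiles $infs
$report | Sort-Object Signature, Inf | Format-Table -AutoSize

# Anything that is not 'Valid' needs a look before it is imported into MDT or ConfigMgr.
$suspect = $report | Where-Object { $_.Signature -ne 'Valid' }
if ($suspect) { Write-Warning "$($suspect.Count) driver package(s) have no valid catalog signature" }
```

A NoCatalog result is common for the application-style installs the post describes in method 4, where the .inf is only one piece of a larger software stack; those are the ones to install from the .cva silent-install line rather than as a bare driver.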

SQL Report: Unused Applications SCCM

This post is inspired by System Center Dudes post on auto uninstalling unused apps in your environment. It also has the same requirements (aka have Software Metering working in your environment if you want actual usage stats vs is this thing installed or not.)

Disclaimer: I’m non-technical, so these SQL queries come without warranty. The good news is they’re only reads, so you’re not destroying anything 🙂

The System Center Dudes post uses WQL to create device collections that let you gather info on specific installed applications, and also to uninstall a specific application if it hasn’t been used within a certain time frame (120 days is good enough for me!). It’s an awesome idea, but I simply want to report on the presence of software and its usage to help management decide if we should buy the same number of licenses for a specific piece of software at renewal time.

Here’s what I came up with:

--Specific Product Installed (hardware inventory: is it on the box at all?)
select distinct v_R_System.Name0 as ComputerName, v_R_System.Resource_Domain_OR_Workgr0 as 'Domain/WorkGroup', v_R_System.Client0
from v_R_System
inner join v_GS_INSTALLED_SOFTWARE on v_GS_INSTALLED_SOFTWARE.ResourceID = v_R_System.ResourceID
where v_GS_INSTALLED_SOFTWARE.ProductName0 like 'Stata%'

--Usage in the Last 120 Days (software metering: has anybody actually run it?)
select distinct v_R_System.Name0 as ComputerName, v_R_System.Resource_Domain_OR_Workgr0 as 'Domain/WorkGroup', v_R_System.Client0
from v_R_System
inner join v_MonthlyUsageSummary
on v_R_System.ResourceID = v_MonthlyUsageSummary.ResourceID
inner join v_MeteredFiles
on v_MonthlyUsageSummary.FileID = v_MeteredFiles.MeteredFileID
where v_MeteredFiles.ProductName like 'Stata%' AND DATEDIFF(day, v_MonthlyUsageSummary.LastUsage, GETDATE()) < 120
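The two queries above answer “who has it” and “who used it recently” separately; the licence-renewal question is the difference between them. The query below is an added example, not part of the original post, and computes that difference directly: every device where the product is in inventory but metering shows no launch in the last @Days days, or no metering data at all. It uses the same views as the post; @Product and @Days are parameters you fill in, and a device with no metering rows is reported with a NULL LastUsage rather than dropped, because “never metered” and “not used” need to be told apart before anyone cancels a licence.

```sql
-- Added example, not part of the original post. Installed-but-unused report.
-- Requires Software Metering rules for the product, as the post notes.
DECLARE @Product nvarchar(255) = N'Stata%';
DECLARE @Days    int           = 120;

SELECT DISTINCT
    s.Name0                      AS ComputerName,
    s.Resource_Domain_OR_Workgr0 AS [Domain/WorkGroup],
    s.Client0                    AS ClientInstalled,
    i.ProductName0               AS Product,
    i.ProductVersion0            AS Version,
    lastuse.LastUsage,           -- NULL = no metering data at all for this device
    CASE WHEN lastuse.LastUsage IS NULL THEN 'Never metered'
         ELSE CAST(DATEDIFF(day, lastuse.LastUsage, GETDATE()) AS varchar(10)) + ' days ago'
    END                          AS LastSeenRunning
FROM v_R_System AS s
INNER JOIN v_GS_INSTALLED_SOFTWARE AS i
    ON i.ResourceID = s.ResourceID
-- Most recent launch of any metered file for this product on this device.
OUTER APPLY (
    SELECT MAX(u.LastUsage) AS LastUsage
    FROM v_MonthlyUsageSummary AS u
    INNER JOIN v_MeteredFiles AS f
        ON f.MeteredFileID = u.FileID
    WHERE u.ResourceID = s.ResourceID
      AND f.ProductName LIKE @Product
) AS lastuse
WHERE i.ProductName0 LIKE @Product
  AND (lastuse.LastUsage IS NULL
       OR DATEDIFF(day, lastuse.LastUsage, GETDATE()) >= @Days)
ORDER BY lastuse.LastUsage, s.Name0;
```

Hand the report over with both columns: the count of rows is the number of seats you could reclaim, and the “Never metered” rows are the ones to check the metering rule against before treating them as unused.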

Find text using PowerShell

I totally broke the setup of a non-ConfigMgr system that I’ve been tasked with setting up.

Oops, I did something wrong!

Somehow, in some way, I hard-coded the TEST SQL server/database rather than the PROD SQL server/database into a config file. The bigger problem was that this is a system I had never heard of until a few days ago, so my only hope was combing through logs to find my error.

Log files always have the answer 😉

Once I found it, I started clicking through the install directory only to see there were too many config files and folders to know where to start. I had two options: open every file, or find it in PowerShell.

Here’s what I came up with to find what I was looking for:
dir "C:\program files\Ami FP Test" -I *.* -R | select-string SQLTEST
Sure enough, here’s the very config file where I made the mistake.

PowerShell is KING!

Found my mistake!

Hey, Scripting Guy has a more “pretty” and correct way of using this same method and you should read it.  But if you’re new to PowerShell, I want you to know that if it works, it doesn’t have to be pretty.  Use what works as your base to learn better ways to do things.
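The one-liner above generalises well, and the same sweep is worth doing for more than one string: while you are looking for the test server name, you might as well find every connection string in the install tree and any password that was left in a config file in plaintext. The script below is an added example (not the post’s code, and not the Scripting Guy’s); it reports file, line number and the matching line for several patterns at once. The extensions, the extra patterns and the root path are assumptions, with the root set to the “Ami FP Test” folder from the post.

```powershell
# Added example, not from the original post. Point $Root at the install
# directory; patterns and extensions are assumptions you can edit.
$Root = 'C:\Program Files\Ami FP Test'
$Patterns = @(
    'SQLTEST',                                  # the wrong server name from the post
    'Data Source=|Server=|Initial Catalog=',    # any connection string, to review where it points
    'password\s*=\s*[^;\s"]+'                   # plaintext credentials that should not be in a config file
)
$Extensions = '*.config', '*.xml', '*.ini', '*.json', '*.txt'

function Find-ConfigText {
    param([string]$Path, [string[]]$Pattern, [string[]]$Include)
    Get-ChildItem -Path $Path -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern -AllMatches |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Pattern = $_.Pattern      # which of the patterns fired
                Text    = $_.Line.Trim()
            }
        }
}

$hits = Find-ConfigText -Path $Root -Pattern $Patterns -Include $Extensions
$hits | Sort-Object File, Line | Format-Table -AutoSize

# Plaintext credentials are a finding in their own right, not just a typo to fix.
$creds = $hits | Where-Object { $_.Pattern -like 'password*' }
if ($creds) { Write-Warning "$($creds.Count) line(s) look like plaintext passwords; move them to a protected store" }
```

Select-String prints the file and line for each hit, so fixing the wrong server becomes one edit rather than an afternoon of opening files; the password pattern is deliberately loose, so expect a few false positives and read each one.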

Create Local User Based on Serial Number

If you ever find yourself wanting to create a local user based on something super specific (like Serial Number) then this post is for you.

First you need your script:

#Created by Ami Casto Twitter:@MDTPro Blog:http://amicasto.com
#This script will create a local user account based on Serial Number, set the password to never expire, prevent user from changing the password, and add it to the Local Admin Group
#Make it all clean - this could be commented out if unwanted
$Error.clear() # Clear errors
#Queries Win32_Bios for Serial Number and pulls out the serial number to return it on a single line which gets captured as a variable
$SN = gwmi win32_bios | Select-Object -ExpandProperty SerialNumber
# $SN now equals the hardware's Serial Number and this variable is used to create a user account, set a password, and prevent that user from changing it
# Note: the password below is hard-coded in the script, so every machine deployed with it shares the same local admin password
net user $SN P@ssw0rd /add /passwordchg:no
#This step sets the password to never expire
wmic useraccount where "name='$SN'" set passwordexpires=false
#This step adds the newly created account to the Local Admin group
net localgroup administrators $SN /add

Just copy/paste and save it as user.ps1 in the Scripts folder of your deployment share.

In MDT, open your preferred task sequence and create a new group where you would like the step to go.  Since this account is a local user and won’t be able to access anything specific to the deployment anyway, I’m adding the account near the end.

I’ve added the PowerShell script in a group I created for this step.

Notice that I call on it this way %SCRIPTROOT%\user.ps1 .  You could create a separate folder within the scripts folder, but you’ll have to remember to include that in the path as well, otherwise your deployment will fail.

And, Success!


It worked as expected – the user account matches what’s in the Serial Number property.

Disclaimer: It is very important that you pick a property that is short and doesn’t have special characters.  So I wouldn’t do this on a VM for example, I’d pick something from win32_bios such as model.

If you want to make this work on an Intel NUC, then you need to read my post about how to assign a Serial Number for your NUC.
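Two things in the script above deserve a second look before it goes into a production task sequence: the password is the same literal on every machine and lives in the deployment share for anyone who can read it, and the account name is taken from the serial number unchanged, which is exactly the “short, no special characters” problem the disclaimer warns about. The version below is an added example, not the post’s script, that keeps the same idea (a local admin named after the serial) but generates a random password per machine, strips the characters Windows does not allow in a user name, caps it at 20 characters, and fails closed on a blank serial instead of creating an account with an empty name. It assumes Windows 10 or later (New-LocalUser/Add-LocalGroupMember); where the password goes afterwards is your decision, and in a domain a LAPS-managed password is the better home for it.

```powershell
# Added example, not the original post's script. Run from an MDT task sequence
# step (or elevated PowerShell) on Windows 10 or later.

function ConvertTo-LocalUserName {
    # Strips characters not permitted in Windows local user names and enforces the 20-char limit.
    param([string]$Raw)
    $name = $Raw -replace '[\s"/\\\[\]:;|=,+*?<>@]', ''
    $name = $name.Trim('.')                       # a name cannot be only periods or end in one
    if ([string]::IsNullOrWhiteSpace($name)) { throw 'Serial number is empty or unusable; refusing to create a user with a blank name' }
    if ($name.Length -gt 20) { $name = $name.Substring(0, 20) }
    return $name
}

function New-RandomPassword {
    # Cryptographically random password; rejection sampling avoids modulo bias.
    param([int]$Length = 24)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $out   = New-Object System.Text.StringBuilder
    $limit = 256 - (256 % $chars.Length)
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($chars[$buf[0] % $chars.Length]) }
    }
    return $out.ToString()
}

$serial   = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$userName = ConvertTo-LocalUserName -Raw $serial
$password = New-RandomPassword
$secure   = ConvertTo-SecureString -String $password -AsPlainText -Force

if (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue) {
    # Idempotent re-run: rotate the password rather than failing on "user exists".
    Set-LocalUser -Name $userName -Password $secure
} else {
    New-LocalUser -Name $userName -Password $secure `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires `
        -Description "Local admin created by deployment from BIOS serial $serial" | Out-Null
}
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $userName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $userName
}

# Hand the secret to whatever stores it for this deployment (assumption: a task
# sequence variable or vault). It is deliberately not written to the console or log.
$result = [pscustomobject]@{ UserName = $userName; Password = $password }
$result | Select-Object UserName | Format-List
```

The sanitising step is what makes the VM case from the disclaimer safe: a VM serial with spaces and braces collapses to a legal name instead of breaking net user, and the throw on a blank serial stops the deployment before it creates an account you cannot reason about.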