Set PoSh ExecutionPolicy For SCCM TS

I have some PowerShell scripts to run as part of an OSD Task Sequence, to configure things like Power Plans and Optical Drive lettering, for instance.
The first thing I want to do is set the execution policy on the target machine to RemoteSigned.

How do you remotely change the execution policy on a machine when you cannot run a script against it?

You can use the command-line parameters of powershell.exe: use the -command switch to pass in a script block.

powershell.exe -noprofile -command "& {set-executionpolicy remotesigned -force}"

Use -noprofile to run without loading a PowerShell profile, and the -force switch to suppress the confirmation request.

For SCCM, create a Software Distribution package containing the scripts, then create a program with the command line as above.
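Because -force suppresses every prompt, the command line above gives no sign of whether RemoteSigned actually applies: a Group Policy scope overrides the LocalMachine value. The following check is an added example, not part of the original post; it is meant to run as a later task sequence step and fails the step with a non-zero exit code if the policy that new PowerShell sessions will use is not the expected one.

```powershell
# Added example, not from the original post.
$wanted = 'RemoteSigned'

# Get-ExecutionPolicy -List returns the scopes in precedence order:
# MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
$scopes = Get-ExecutionPolicy -List
foreach ($s in $scopes) {
    Write-Output ('{0,-14} {1}' -f $s.Scope, $s.ExecutionPolicy)
}

# The Process scope only describes this session, so skip it and take the
# first scope that defines a value: that is what a new session will get.
$winner = $scopes |
    Where-Object { $_.Scope -ne 'Process' -and $_.ExecutionPolicy -ne 'Undefined' } |
    Select-Object -First 1

if (-not $winner) {
    Write-Warning 'No scope defines an execution policy; the platform default applies.'
    exit 1
}
if ("$($winner.ExecutionPolicy)" -ne $wanted) {
    Write-Warning "Scope $($winner.Scope) sets '$($winner.ExecutionPolicy)', expected '$wanted'."
    exit 1
}
if ("$($winner.Scope)" -like '*Policy') {
    # Right value, but it comes from Group Policy rather than from the TS step
    Write-Warning "Policy is enforced by Group Policy scope $($winner.Scope)."
}
exit 0
```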


TriggerSchedule Method on SCCM Clients

A really useful PowerShell snippet when creating deployments and testing application packages...

I was creating a Windows 7 image and wanted to add applications to the build task sequence, a base application set for the image, and once I had the packages created in SCCM I was using Advertised Programs to test the installations on a newly built image. To do this I was using a VMware machine, so I was running the console for the client and, in my impatience, cycling the policy updates manually to see if the apps would deploy OK. Anyway, I got annoyed with VMware console mouse-handling on this machine and decided it would be much better to advertise the program, then refresh the policy on the client with a PowerShell script.
A good friend of mine, we’ll call her Emma because that’s her name, wrote a neat little utility to invoke the TriggerSchedule methods on SCCM Clients, so I borrowed from that:
$tb_Client = "ClientPC"
$SMSCli = [wmiclass] "\\$tb_Client\root\ccm:SMS_Client"
# Machine Policy Retrieval & Evaluation
$SMSCli.TriggerSchedule("{00000000-0000-0000-0000-000000000021}")

This works nicely on domain machines but my client was not yet domain-joined so I needed to pass credentials. Unfortunately the [wmi] and [wmiclass] type accelerators don’t allow you to pass credentials.

GWMI? That returns an instance but does not allow access to the static methods associated with the class.

Fortunately another good friend, Marc, was on hand to point me in the right direction.

“You need the class, not the instance (as the class has the static methods you need).
But you need to do that remotely, and the [WMICLASS] accelerator does not give you the option to authenticate with different credentials.
The solution here is to make the connection yourself, using a management scope, as that is more flexible than using the accelerator.

In your case this would look like this :

$server = 'Server'

$ms = new-object system.management.managementscope
$ms.path = "\\$server\root\CCM"

$options = $ms.Options
$Options.Username = 'domain\user'
$Options.Password = 'Password'

$ms.Options = $options

$mc = New-Object System.Management.ManagementClass($ms , 'sms_client',$null)
$mc

The next line, to generate a computer policy cycle, is:
$mc.invokeMethod('TriggerSchedule','{00000000-0000-0000-0000-000000000021}')

Fantastic, we all get by with help from our friends.

Thanks to Emma Harlow and Marc van Orsouw for this blog post.

Please check out http://thepowershellguy.com/blogs/posh/
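The management-scope approach above, wrapped as a function that takes a PSCredential instead of a password typed into the script, so the secret never sits in a .ps1 file or in the package source. This is an added example, not code from the original post or from Emma's utility; the function name Invoke-CcmSchedule and its parameter names are hypothetical.

```powershell
# Added example, not from the original post. Invoke-CcmSchedule is a hypothetical name.
function Invoke-CcmSchedule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential,

        # Machine Policy Retrieval & Evaluation (the schedule ID used in the post)
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$ScheduleId = '{00000000-0000-0000-0000-000000000021}'
    )

    $options = New-Object System.Management.ConnectionOptions
    $options.Username       = $Credential.UserName
    $options.SecurePassword = $Credential.Password   # SecureString, not plain text
    # Ask DCOM to encrypt the WMI traffic, not just authenticate it
    $options.Authentication = [System.Management.AuthenticationLevel]::PacketPrivacy

    $scope = New-Object System.Management.ManagementScope("\\$ComputerName\root\ccm", $options)
    try {
        $scope.Connect()
    }
    catch {
        # Typical causes: wrong credentials, firewall, or no ConfigMgr client installed
        throw "WMI connection to $ComputerName failed: $($_.Exception.Message)"
    }

    # The class, not an instance: TriggerSchedule is a static method
    $path  = New-Object System.Management.ManagementPath('SMS_Client')
    $class = New-Object System.Management.ManagementClass($scope, $path, $null)
    $null  = $class.InvokeMethod('TriggerSchedule', @($ScheduleId))

    Write-Verbose "Triggered $ScheduleId on $ComputerName"
}

# Usage (prompts for the password; for a workgroup client use 'ClientPC\Administrator'):
# Invoke-CcmSchedule -ComputerName 'ClientPC' -Credential (Get-Credential) -Verbose
```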

Task Sequence Error 80004005 Unspecified Error

I ran into this error today, building a Windows 7 image from a Build and Capture Task Sequence. The SMSTSLog showed the following at the “Setup windows and ConfigMgr” step:

The task sequence execution engine failed executing the action (Setup windows and ConfigMgr) in the group (Build the Reference Machine) with the error code 2147500037
Action output: on information to C:\_SMSTaskSequence\unattend.xml
Successfully initialized driver information
Command line for extension .EXE is “%1” %*
Set command line: “\\SCCMSERVER.LOCAL\SMSPKGD$\100004\SOURCES\SETUP.EXE” “/unattend:C:\_SMSTaskSequence\unattend.xml” /noreboot
Executing command line: “\\SCCMSERVER.LOCAL\SMSPKGD$\100004\SOURCES\SETUP.EXE” “/unattend:C:\_SMSTaskSequence\unattend.xml” /noreboot
Process completed with exit code 31
Windows Setup completed with exit code 31
EnteringReleaseSource() for \\SCCMSERVER.LOCAL\SMSPKGD$\100004reference count 1 for the source \\SCCMSERVER.LOCAL\SMSPKGD$\100004\ before releasing
Released the resolved source \\SCCMSERVER.LOCAL\SMSPKGD$\100004exitCode == 0, HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\setupwindows\setupwindows.cpp,440)
setup.run(), HRESULT=80004005 (e:\nts_sms_fre\sms\client\osdeployment\setupwindows\setupwindows.cpp,1707)
Exiting with code 0x80004005
Windows setup failed, code 31. The operating system reported error 2147500037: Unspecified error

The task sequence execution engine failed execution of a task sequence. The operating system reported error 2147500037: Unspecified error

It turns out that this was due to using a MAK Product key from the customer in the Task Sequence; the indicator was the “Windows setup failed, code 31” error.

Removing the key solved the problem. Using a Volume key should be OK, but I haven’t got one to test this out yet.

Hope this helps.

Andy

Configure ConfigMgr Pre-Reqs with Powershell

Something you have to get right when installing your SCCM Site Servers, preferably the first time, is the configuration of IIS, BITS and WebDAV Publishing.
This simple PowerShell script takes care of these prerequisite configurations. (You can also create a package and deploy it as part of a standalone media set if you want to fully automate your build.)

Script body follows: (copy the following text into Notepad and save as .ps1)

#--------------------------------------------------------------------------

# add Server Manager CMDLETS
Import-Module servermanager

# add Windows Features Required for SCCM Site Server
Add-WindowsFeature WAS-Process-Model
Add-WindowsFeature WAS-Config-APIs
Add-WindowsFeature Web-Server
Add-WindowsFeature Web-ISAPI-Ext
Add-WindowsFeature Web-ISAPI-Filters
Add-WindowsFeature Web-Net-Ext
Add-WindowsFeature Web-Net-Environment
Add-WindowsFeature Web-ASP-Net
Add-WindowsFeature Web-ASP
Add-WindowsFeature Web-Windows-Auth
Add-WindowsFeature Web-Stat-Compression
Add-WindowsFeature Web-Metabase
Add-WindowsFeature Web-WMI
Add-WindowsFeature Web-HTTP-Redirect
Add-WindowsFeature Web-Log-Libraries
Add-WindowsFeature Web-HTTP-Tracing
Add-WindowsFeature BITS-IIS-Ext
Add-WindowsFeature Net-Framework-Core
Add-WindowsFeature RDC
Add-WindowsFeature Web-Dav-Publishing

# enable WebDav (piped to Invoke-Expression like the lines below; without the pipe the string is only echoed)
"C:\windows\System32\inetsrv\appcmd.exe set config ""Default Web Site"" /section:system.webserver/webdav/authoring /enabled:true /commit:apphost" | Invoke-Expression
# add Authoring Rule WebDav
"c:\windows\system32\inetsrv\appcmd.exe set config ""Default Web Site/"" /section:system.webServer/webdav/authoringRules /""+[users='*',path='*',access='Read']"" /commit:apphost" | Invoke-Expression
# allow Hidden Files WebDav
"c:\windows\system32\inetsrv\appcmd.exe set config ""Default Web Site/"" /section:system.webServer/webdav/authoring /fileSystem.allowHiddenFiles:true /commit:apphost" | Invoke-Expression
# allow Anonymous Property Find WebDav
"c:\windows\system32\inetsrv\appcmd.exe set config ""Default Web Site/"" /section:system.webServer/webdav/authoring /properties.allowAnonymousPropfind:true /commit:apphost" | Invoke-Expression
# DON'T allow Custom Properties WebDav
"c:\windows\system32\inetsrv\appcmd.exe set config ""Default Web Site/"" /section:system.webServer/webdav/authoring /properties.allowCustomProperties:false /commit:apphost" | Invoke-Expression
# allow Infinite Property Depth Find WebDav
"c:\windows\system32\inetsrv\appcmd.exe set config ""Default Web Site/"" /section:system.webServer/webdav/authoring /properties.allowInfinitePropfindDepth:true /commit:apphost" | Invoke-Expression
# DON'T allow Hidden Segment Filtering WebDav
"c:\windows\system32\inetsrv\appcmd.exe set config ""Default Web Site/"" /section:system.webServer/security/requestFiltering /hiddenSegments.applyToWebDAV:false /commit:apphost" | Invoke-Expression

#--------------------------------------------------------------------------

I used Invoke-Expression with appcmd.exe because I have not yet developed the pure PowerShell version.

Hope this helps

Andy
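The script above opens WebDAV to all users with anonymous PROPFIND, so it is worth confirming afterwards that the site ended up with exactly these settings and that no authoring rule grants more than Read. The following audit function is an added example, not part of the original post; the name Test-WebDavConfig is hypothetical, and the sample XML is constructed to show two deviations rather than captured from a server.

```powershell
# Added example, not from the original post. Test-WebDavConfig is a hypothetical name.
function Test-WebDavConfig {
    param([Parameter(Mandatory = $true)][string]$ConfigXml)

    # Attribute values the prerequisite script is meant to leave behind
    $expected = @{
        'authoring/@enabled'                               = 'true'
        'authoring/fileSystem/@allowHiddenFiles'           = 'true'
        'authoring/properties/@allowAnonymousPropfind'     = 'true'
        'authoring/properties/@allowCustomProperties'      = 'false'
        'authoring/properties/@allowInfinitePropfindDepth' = 'true'
    }
    $doc = [xml]$ConfigXml
    $findings = @()
    foreach ($xpath in $expected.Keys) {
        $node   = $doc.SelectSingleNode("//$xpath")
        $actual = if ($node) { $node.Value } else { '<not set>' }
        if ($actual -ne $expected[$xpath]) {
            $findings += "$xpath is '$actual', expected '$($expected[$xpath])'"
        }
    }
    # The script adds a Read-only rule; flag any rule that grants more than Read
    foreach ($rule in $doc.SelectNodes('//authoringRules/add')) {
        $access = $rule.GetAttribute('access')
        if ($access -ne 'Read') {
            $findings += "authoring rule users='$($rule.GetAttribute('users'))' grants '$access'"
        }
    }
    $findings
}

# Constructed sample: custom properties left enabled and a rule that allows Write.
# Assumption: on a live server the same XML shape comes from
#   appcmd.exe list config "Default Web Site/" /section:<section> /config:*
$sample = @'
<system.webServer>
  <webdav>
    <authoring enabled="true">
      <fileSystem allowHiddenFiles="true" />
      <properties allowAnonymousPropfind="true" allowCustomProperties="true" allowInfinitePropfindDepth="true" />
    </authoring>
    <authoringRules>
      <add users="*" path="*" access="Read, Write" />
    </authoringRules>
  </webdav>
</system.webServer>
'@
Test-WebDavConfig -ConfigXml $sample | ForEach-Object { Write-Warning $_ }
```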