WMI/WQL “LIKE” Query Wildcards

Quick post today.

Standard Windows/DOS wildcards don’t work in WMI “LIKE” queries as they use WQL language instead:

Multiple Characters = "%" (Percentage)
Single Character    = "_" (Underscore)

For reference, the corresponding Windows wildcards are:

Multiple Characters = "*" (Asterisk)
Single Character    = "?" (Question Mark)
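As an added example (not from the original post), the function below converts a DOS-style pattern into a WQL LIKE pattern and runs it through Get-CimInstance. The class (Win32_Process), the sample patterns and the function names are my choices, not the post's; the same approach works for any WMI class and string property.

```powershell
# Added example: translate DOS wildcards to WQL and query WMI/CIM with them.
function ConvertTo-WqlLikePattern {
    param([Parameter(Mandatory)][string]$DosPattern)
    # A single quote inside the pattern would terminate the WQL string literal,
    # so double it before building the filter (the same escaping rule SQL uses).
    $safe = $DosPattern.Replace("'", "''")
    # DOS '*' -> WQL '%', DOS '?' -> WQL '_'
    return $safe.Replace('*', '%').Replace('?', '_')
}

function Get-ProcessByDosPattern {
    param([Parameter(Mandatory)][string]$DosPattern)
    $wql = ConvertTo-WqlLikePattern -DosPattern $DosPattern
    # -Filter takes the WHERE clause; equivalent to:
    # Get-CimInstance -Query "SELECT * FROM Win32_Process WHERE Name LIKE '$wql'"
    Get-CimInstance -ClassName Win32_Process -Filter "Name LIKE '$wql'" |
        Select-Object ProcessId, Name
}

# Matches svchost.exe, conhost.exe, dllhost.exe and so on (any number of characters).
Get-ProcessByDosPattern -DosPattern '*host.exe'

# Matches svchost.exe only, because '?' -> '_' stands for exactly one character.
Get-ProcessByDosPattern -DosPattern 'svchos?.exe'

# For comparison, the untranslated DOS pattern returns nothing: WQL treats
# '*' and '?' as literal characters, not wildcards.
Get-CimInstance -ClassName Win32_Process -Filter "Name LIKE '*host.exe'"
```

Doubling single quotes matters whenever the pattern comes from user input or a Task Sequence variable, since the filter string is otherwise concatenated straight into the query.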

/ JC

Posted in OSD, Tips, Windows

Use RoboCopy in ‘Run PowerShell Script’ SCCM Task Sequence Steps

I like to use PowerShell for all my scripting these days (all VB and batch files have now been rewritten in PoSh) and I also like to use RoboCopy for any file copies that I need to do such as in an OSD Task Sequence.

The pain in the arse with RoboCopy is the return/exit codes it uses which cause issues when used in PowerShell scripts.

The return codes used by RoboCopy are:

0 No files were copied. No failure was encountered. No files were mismatched. The files already exist in the destination directory; therefore, the copy operation was skipped.

1 All files were copied successfully.

2 There are some additional files in the destination directory that are not present in the source directory. No files were copied.

3 Some files were copied. Additional files were present. No failure was encountered.

5 Some files were copied. Some files were mismatched. No failure was encountered.

6 Additional files and mismatched files exist. No files were copied and no failures were encountered. This means that the files already exist in the destination directory.

7 Files were copied, a file mismatch was present, and additional files were present.

8 Several files did not copy.

Because PowerShell expects an exit code of ‘0’ for success, if RoboCopy completes with an exit code of ‘1’ (i.e. All files were copied successfully) then it throws an exit code other than ‘0’.

In an OSD Task Sequence this is picked up as an error and will therefore cause the Task Sequence to fail. Bollocks.

This can easily be prevented using a wee bit of code at the end of the script used to run the RoboCopy.

In the example below I am copying a single ISO image using a PowerShell script in a Task Sequence (using a ‘Run PowerShell Script’ task). The resulting PowerShell exit code will equal ‘1’ as “all files will be copied successfully”.

<#
    Copies VM Bootable ISO
    Copies the VM Bootable ISO from the package folder to C:\Media
    PowerShell.exe -ExecutionPolicy ByPass -File <ScriptName>.ps1
    Author:     Jonathan Conway
    Version:    1.0
    Created:    29/11/2017
#>

# Set variable for newest ISO in package folder (in case there is more than one, the most recent will be chosen)
$ISO = Get-ChildItem '.\*.iso' | Sort-Object 'LastWriteTime' | Select-Object -Last 1 | Select-Object -ExpandProperty 'Name'

# Run ROBOCOPY to copy the Bootable ISO image to "C:\Media"
& ROBOCOPY ".\" "C:\Media" $ISO

# Robocopy for a single file returns an exit code of "1" (i.e. All files were copied successfully) which causes a Task Sequence error - this "if" statement changes the exit code to "0"
if ($LASTEXITCODE -eq 1) {
    EXIT 0
}

To prevent a Task Sequence failure I can intercept the ‘$LASTEXITCODE’ variable and exit the script with a ‘0’ using an ‘if’ statement.

This will then be picked up by the running Task Sequence and consumed as a ‘success’ which will subsequently allow the Task Sequence to progress without error.
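As an added example that goes beyond the post's single-file case (it is not the post's script): a wrapper that runs RoboCopy, decodes the exit code as the bitmask it actually is, and returns 0 for every code the table above lists as a success (0 to 7) while passing 8 and above through unchanged, so a genuine copy failure still stops the Task Sequence. The default RoboCopy options, paths and file names are assumptions.

```powershell
# Added example: RoboCopy wrapper that maps the exit code for a 'Run PowerShell Script' step.
function Invoke-RoboCopyForTaskSequence {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [string[]]$Files   = @('*.*'),
        [string[]]$Options = @('/R:3', '/W:5', '/NP')   # assumed defaults, adjust to taste
    )

    # Send RoboCopy's own output to the console so it does not become part of the return value.
    & robocopy.exe $Source $Destination @Files @Options | Out-Host
    $rc = $LASTEXITCODE

    # RoboCopy's exit code is a bitmask, which is why the post's table reads 0,1,2,3,5,6,7,8:
    #   1 = files copied, 2 = extra files in destination, 4 = mismatched files,
    #   8 = some files failed to copy, 16 = fatal error.
    $meaning = @()
    if ($rc -band 1)  { $meaning += 'files copied' }
    if ($rc -band 2)  { $meaning += 'extra files in destination' }
    if ($rc -band 4)  { $meaning += 'mismatched files' }
    if ($rc -band 8)  { $meaning += 'some files failed to copy' }
    if ($rc -band 16) { $meaning += 'fatal error' }
    if ($rc -eq 0)    { $meaning += 'nothing to copy' }
    Write-Host ("RoboCopy exit code {0}: {1}" -f $rc, ($meaning -join ', '))

    # Anything below 8 is a success condition, so report 0; 8 and above is a real failure.
    if ($rc -lt 8) { return 0 } else { return $rc }
}

# Usage in the Task Sequence step: copy the newest ISO, then exit with the mapped code.
$iso = Get-ChildItem -Path '.\*.iso' | Sort-Object LastWriteTime | Select-Object -Last 1 -ExpandProperty Name
$exitCode = Invoke-RoboCopyForTaskSequence -Source '.\' -Destination 'C:\Media' -Files $iso
exit $exitCode
```

Returning the raw code for 8 and above keeps the failure visible in smsts.log rather than masking a partial copy as success, which a blanket `exit 0` would do.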


/ JC

Posted in OSD, PowerShell, SCCM Current Branch, Uncategorized

Check TPM Status from the Command Line (Enabled | Activated | Owned)

Quick and simple way to see if the TPM on a computer is Enabled, Activated and Owned – all of which are required before it can be used for BitLocker:

wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsEnabled_InitialValue
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsActivated_InitialValue
wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get IsOwned_InitialValue

As long as they all return as “True” you’re good to go.
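As an added example (not from the post), the same check done with Get-CimInstance instead of wmic, reading both the boot-time *_InitialValue properties the wmic lines use and the live IsEnabled/IsActivated/IsOwned methods of Win32_Tpm, and returning one object that a Task Sequence step can gate on. The function name and the exit-code usage at the end are mine. Querying Win32_Tpm needs an elevated session.

```powershell
# Added example: query Win32_Tpm with CIM and return a single readiness object.
function Test-TpmReadyForBitLocker {
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue

    if (-not $tpm) {
        # No Win32_Tpm instance: no TPM fitted, or it is hidden/disabled in firmware.
        return [pscustomobject]@{ Present = $false; Enabled = $false; Activated = $false; Owned = $false; Ready = $false }
    }

    # The *_InitialValue properties are the values captured at boot (what the wmic lines read);
    # the IsEnabled/IsActivated/IsOwned methods ask the TPM right now.
    $enabled   = (Invoke-CimMethod -InputObject $tpm -MethodName 'IsEnabled').IsEnabled
    $activated = (Invoke-CimMethod -InputObject $tpm -MethodName 'IsActivated').IsActivated
    $owned     = (Invoke-CimMethod -InputObject $tpm -MethodName 'IsOwned').IsOwned

    [pscustomobject]@{
        Present   = $true
        Enabled   = [bool]$enabled
        Activated = [bool]$activated
        Owned     = [bool]$owned
        AtBoot    = 'Enabled={0} Activated={1} Owned={2}' -f $tpm.IsEnabled_InitialValue, $tpm.IsActivated_InitialValue, $tpm.IsOwned_InitialValue
        Ready     = [bool]($enabled -and $activated -and $owned)
    }
}

$status = Test-TpmReadyForBitLocker
$status | Format-List

# In a Task Sequence a non-zero exit code fails the 'Run PowerShell Script' step,
# so this stops the sequence before an Enable BitLocker step is attempted on a machine that is not ready.
if (-not $status.Ready) { exit 1 }
```

Comparing the live values with the boot-time ones is useful on hardware where the TPM was enabled in firmware but the machine has not yet rebooted: the two will disagree until the next boot.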

/ JC

Posted in BitLocker, PowerShell, Uncategorized

Confirm Service Account Credentials The Easy Way with PowerShell (e.g. SCCM Network Access Account)

Sometimes you will have an AD Service Account configured and you might not be sure what the password is – a good example of this that sometimes catches me out is the SCCM Network Access Account.

To safely test the account username and password we can use PowerShell with the following simple and safe command:

Start-Process -FilePath winver.exe /c -Credential (Get-Credential)

This will attempt to run “winver.exe” and a prompt will appear asking for credentials:


If the account credentials that you enter are not correct you will see the following error:


But if the credentials provided are correct then “winver.exe” will open as expected and no error message will be produced:


Simple but effective 🙂
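As an added example (not from the post), the same test done without launching a process: the .NET PrincipalContext.ValidateCredentials call asks the domain to authenticate the username and password and returns a plain $true or $false. The function name is mine; it uses the standard System.DirectoryServices.AccountManagement assembly and works from any domain-joined machine.

```powershell
# Added example: validate a service account against the domain and return $true/$false.
function Test-ServiceAccountCredential {
    param([Parameter(Mandatory)][pscredential]$Credential)

    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain

    # GetNetworkCredential() splits "DOMAIN\user" into .Domain and .UserName for us.
    $net = $Credential.GetNetworkCredential()
    $ctx = if ($net.Domain) {
        New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType, $net.Domain)
    } else {
        New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType)
    }

    try {
        # $true only if a domain controller accepts the username/password pair.
        # A wrong password is a real failed logon on the DC, so it counts towards the account lockout threshold.
        return $ctx.ValidateCredentials($net.UserName, $net.Password)
    } finally {
        $ctx.Dispose()
    }
}

# Prompts exactly like the post's Get-Credential, but reports a clear result instead of relying on winver.exe appearing.
if (Test-ServiceAccountCredential -Credential (Get-Credential -Message 'Service account to test')) {
    'Credentials accepted by the domain.'
} else {
    'Credentials rejected (wrong password, disabled or locked-out account).'
}
```

Unlike Start-Process, this does not need the account to have logon rights on the local machine, so it also works for accounts that are denied interactive logon by policy, which is the normal state for a Network Access Account.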

/ JC

Posted in PowerShell, SCCM Current Branch, Tips, Uncategorized, Windows

Add CMTrace.exe to Computers Being Deployed via Task Sequence

To make sure you have CMTrace.exe available for use on machines that are deployed via SCCM Task Sequences you can add a “Run Command Line” task immediately after the “Apply Operating System Image” step that copies the executable from the boot image being used to deploy the OS (CMTrace.exe is included by default in SCCM Current Branch WinPE boot images, and WinPE is mapped as X:\ during OSD). This results in it being available once OSD completes:

 cmd /c xcopy X:\SMS\BIN\x64\CMTrace.exe %OSDTargetSystemDrive%\Windows\System32\ /E /H /C /I /Q /Y

This command line will need to be amended in the unlikely scenario (it’s 2017 after all) that you’re deploying a 32-bit Operating System to change the xcopy target path accordingly.

/ JC

Note: This was originally documented on TechNet yonks ago: Link

Posted in OSD, SCCM Current Branch, Tips, Uncategorized, WinPE

Use Task Scheduler to Schedule Server Reboot Out of Hours

You may from time to time have a requirement to reboot a server out of hours after implementing a change that requires a restart.

Rather than logging in at Silly O’Clock at night you can use the Windows Task Scheduler to set up a Task to have an unattended reboot occur out of hours.

Open “Task Scheduler” from the Start menu and select “Create New Task“.

Complete the “General” tab by adding the following values for “Name“, “Account” and “Configure for“:


By using the “SYSTEM” account we can be sure that the required permissions to reboot/shutdown the computer are present.

On the “Triggers” tab click on “New” and configure a time suitable for your environment. In my example I have chosen a one time event at “22:00:00” as this is deemed out of hours:


On the “Actions” tab click on “New” and configure the task as per below:


In the “Program/script” field add the word “shutdown“.

In the “Add arguments (optional)” field make sure the following is added:

/r /t 0 /c "Planned Server Reboot via Task Scheduler Task" /f

Click “OK” twice and you’re done.

The command that you have just configured passes the following instructions to the “Shutdown.exe” executable:

  • /r = Reboot
  • /t 0 = waits 0 seconds before restarting
  • /c = comment to be added into the System log in Event Viewer
  • /f = forces the reboot even if users are logged on, programs are open, files are locked etc.
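As an added example (not from the post), the same task created from PowerShell with the ScheduledTasks module cmdlets, using the identical shutdown.exe arguments, the SYSTEM account and a one-time 22:00 trigger. The task name and the roll-to-tomorrow logic are my choices.

```powershell
# Added example: register the out-of-hours reboot task from PowerShell instead of the GUI.
function Register-OutOfHoursReboot {
    param(
        [string]$TaskName = 'Planned Server Reboot',                      # assumed name
        [datetime]$At = (Get-Date -Hour 22 -Minute 0 -Second 0),          # 22:00 today, as in the post
        [string]$Comment = 'Planned Server Reboot via Task Scheduler Task'
    )

    # If 22:00 has already passed today, schedule for tomorrow rather than firing immediately.
    if ($At -lt (Get-Date)) { $At = $At.AddDays(1) }

    # Same executable and arguments as the GUI steps: /r reboot, /t 0 no delay, /c comment, /f force.
    $action    = New-ScheduledTaskAction -Execute 'shutdown.exe' -Argument ('/r /t 0 /c "{0}" /f' -f $Comment)
    $trigger   = New-ScheduledTaskTrigger -Once -At $At
    # SYSTEM already holds the shutdown privilege, so no password has to be stored with the task.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -Compatibility Win8

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force
}

Register-OutOfHoursReboot

# Confirm what was registered and when it will next run.
Get-ScheduledTask -TaskName 'Planned Server Reboot' | Get-ScheduledTaskInfo

# The trigger is one-off, so tidy the task away after the reboot has happened:
# Unregister-ScheduledTask -TaskName 'Planned Server Reboot' -Confirm:$false
```

Because the trigger is -Once, the task will not fire again, but it stays registered (and runnable on demand as SYSTEM) until it is removed, so removing it afterwards is worth making part of the change.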

/ JC

Posted in Tips, Windows

MBAM Client Deployment PowerShell Error 0x803d0006 – SCCM OSD in Disconnected/Offline Environments

Whilst deploying MBAM as part of a Windows 10 OSD Task Sequence in SCCM CB the “MbamClientDeployment.ps1” task was failing and I was getting the error message shown below in the client “smsts.log” file:

 HRESULT: 0x803d0006 

I logged into one of the failed clients, opened Internet Explorer and attempted to connect to the URL for the MBAM Core Service manually – this took 42 feckin seconds! Obviously this is far too slow for the connection via the PowerShell script to be successful so the next question was why was this taking so long…

After a period of frustration, emotion and profuse swearing I ended up digging a bit deeper to see what was happening under the hood when trying to connect to the URL of the MBAM Recovery and Hardware Service (i.e. https://mbam01.testlab.local/MBAMRecoveryAndHardwareService/CoreService.svc).

To do this I installed a tool called Fiddler (sounds dodgy but it’s a lightweight freeware tool for monitoring web connections – far simpler to implement and use when compared to WireShark or Microsoft Message Analyzer) on a client and once again accessed the URL via Internet Explorer to see what connection attempts were being made by the client when attempting to access the MBAM service.

Turns out that calls were being made to Windows Update URLs and various “crl.microsoft.com” URLs. Basically the clients were trying to download the latest Root level Certificate Revocation Lists/Certificates from Microsoft’s servers over the internet. Because the clients didn’t have access to the internet due to firewalls blocking, the clients eventually timed out trying to connect to Microsoft which subsequently took the response time for the MBAM service connection over the allowed limit. This resulted in a timeout occurring when MbamClientDeployment.ps1 ran.

If the clients were able to access the internet (and able to connect to the URLs they were reaching out to) then there wouldn’t have been a problem and the script would have completed without any problems.

To make absolutely sure I tested this by unchecking the Internet Explorer option “Internet Options | Advanced | Check for server certificate revocation” on the client – rebooted the client and retried: I was able to hit the MBAM web service immediately with zero delay. Ticked the box again, rebooted, retried and the response was back up to 42 seconds (i.e. buggered again).

I don’t think it’s possible (or desirable) to disable certificate revocation checking for all certificates so another solution had to be found to this problem.

In the end the solution was to disable the automatic updating of the Root CA certificates/CRLs using the following registry key:

 HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot "DisableRootAutoUpdate" | Dword = 1 

I accomplished this via a PowerShell script running as part of the Task Sequence.

  1. PowerShell script to set the “DisableRootAutoUpdate” registry key
  2. Reboot
  3. MbamClientDeployment.ps1

This disables the automatic update of the Root CAs, resulting in there being no delay in the MBAM service connection, and consequently the MBAM PowerShell script completes successfully.

The PowerShell script to make the registry changes contains the following lines of code:

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates" -Name "AuthRoot" -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot" -Name "DisableRootAutoUpdate" -PropertyType "Dword" -Value "1"

Once the “MbamClientDeployment.ps1” script has completed Root certificate auto update needs to be re-enabled (so SSL websites work as expected) by deleting the registry key that we created with the above PowerShell.

This can be done in your Task Sequence using a “Run Command Line” step called something like “Enable Certificate Checking” with the following command:

 reg.exe DELETE "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot" /f 
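As an added example covering the whole three-step procedure above (it is not the post's script): the set and the delete as re-runnable PowerShell functions, a function that reports the current state, and a stopwatch around a request to the service URL so the 42-second symptom can be measured before and after the change. The function names are mine; the URL is the post's lab address and must be replaced with your own.

```powershell
# Added example: toggle the AuthRoot policy value and time the MBAM service response.
$AuthRootKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Disable-RootAutoUpdate {
    # Same key and DWORD value the post sets; -Force makes the step safe to re-run.
    if (-not (Test-Path $AuthRootKey)) { New-Item -Path $AuthRootKey -Force | Out-Null }
    New-ItemProperty -Path $AuthRootKey -Name 'DisableRootAutoUpdate' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Enable-RootAutoUpdate {
    # Equivalent of the post's "reg.exe DELETE ... /f" step: remove the policy key (and any other values under it).
    if (Test-Path $AuthRootKey) { Remove-Item -Path $AuthRootKey -Recurse -Force }
}

function Get-RootAutoUpdateState {
    $v = Get-ItemProperty -Path $AuthRootKey -Name 'DisableRootAutoUpdate' -ErrorAction SilentlyContinue
    if ($v -and $v.DisableRootAutoUpdate -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Measure-ServiceResponse {
    param([Parameter(Mandatory)][string]$Url)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    # An HTTP error (401, 400 ...) is fine here: only the time taken to get any answer matters,
    # and that is what the revocation lookups were inflating.
    try { Invoke-WebRequest -Uri $Url -UseBasicParsing | Out-Null } catch { }
    $sw.Stop()
    return [math]::Round($sw.Elapsed.TotalSeconds, 1)
}

# Replace with the Recovery and Hardware Service URL of your own MBAM server.
$url = 'https://mbam01.testlab.local/MBAMRecoveryAndHardwareService/CoreService.svc'

"Root auto update {0}: service answered in {1} s" -f (Get-RootAutoUpdateState), (Measure-ServiceResponse -Url $url)

# Task Sequence step 1: set the value. The post reboots before step 3 (MbamClientDeployment.ps1),
# so measure again only after that reboot.
Disable-RootAutoUpdate

# After MbamClientDeployment.ps1 has completed: put root auto update back so HTTPS sites behave normally.
Enable-RootAutoUpdate
"Root auto update {0}" -f (Get-RootAutoUpdateState)
```

Keeping Get-RootAutoUpdateState alongside the two setters gives a simple post-build check that the clean-up step really ran, which matters because a client left with DisableRootAutoUpdate set will stop receiving new Microsoft root certificates.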

Hopefully this will save someone else the hours of misery that I endured to get this bastard to work…

/ JC

Posted in MBAM, OSD, PowerShell, SCCM Current Branch