Template scripts for Intune Proactive Remediation

Need to create an Intune Proactive Remediation and don’t want to start from scratch? These simple template scripts can be used to easily create an Intune Proactive Remediation, which reports back success or error messages to the Intune portal.

, ,

Connect ConfigMgr to Power BI

I sometimes hear device management professionals saying something like, “I haven’t got around to using PowerShell yet” or “I haven’t had time to look into InTune and Azure yet”. Most people in the industry will agree that this is the future of device management, but getting started with a new technology takes some effort getting…

Dynamic drive maps with Group Policy Preferences

Yeah I know that cloud is the way to go and that everyone should use OneDrive and Teams instead of old style SMB drives. BUT…if you still need to do some dynamic drive mapping e.g. based on a user’s Active Directory group membership or the existence of a server or share, read on. To map…


Elevate privileges as a different user

Have you ever needed to start a program as a different user AND as an administrator at the same time?


Pre-provision BitLocker fails with Invalid command line argument ‘/full’

Do you you suddenly get this error during OSD after upgrading to SCCM 1806?

, ,

BitLocker clean up

Update 2021-03-12: I have corrected the description of this script to be more accurate. I have used this script on PC clients in production to check if BitLocker is already enabled and that the necessary protectors are created. If not, the script will add a TPM protector and a recovery password protector which will be…


Separate Group Policy service

If you get this error at the first logon after Windows 10 OSD: “The Group Policy Client service failed the sign-in. The universal unique identifier (UUID) type is not supported.”

BranchCache stats

This script will summarize the utilization of BranchCache on a single PC client…

, , ,

Replace TPM protector with new PCRs

Want to replace the TPM protector on an operating system volume the easy way? Grab this PowerShell script. Why would you want to do this? Because the default TPM platform validation profile (PCR values) on Windows 7 clients is quite sensitive to changes in the boot order, MBR, partition table, attached USB drives etc. If…

Set TPM Platform Validation Profile (PCR) during OSD

This PowerShell script can be used to control the TPM Platform Validation Profile used when protecting a BitLocker encrypted volume…

, ,

Reflections on [ADSI] and [ADSISEARCHER]

What the heck is [ADSI] and [ADSISEARCHER] ?

Get free disk space in percent from command line

This command can be run from a CMD prompt to get the percentage of free disk space on the C:\ drive:


Set Danish keyboard layout during OSD

Run this command as a pre-start command on your boot image to set the keyboard layout. This way you don’t have to remember how the default US keyboard is arranged.


Set high performance power scheme during OSD

Run this task sequence command line step immediately after the computer boots up in WinPE. This will reduce the time it takes to complete the “Apply operating system” step.

Move computer in AD during OSD

Let’s say you want to re-image a computer in your active directory domain. But you want it to move from e.g. the Windows 7 OU to the Windows 10 OU. If the PC already exists in AD, it will not be moved even if you specify the new OU in your SCCM task sequence in…

Windows 10 – Start menu and task bar

To deploy a customized Windows 10 start menu and task bar in a deployment or capture task sequence

, ,

List mounted PST files with PowerShell

Need to get a list of PST files in use in your enterprise? Look no further!

Move computer in Active Directory

Script which moves a computer object from one OU to another in AD. This script can e.g. be run on an SCCM server as a status filter rule whenever a task sequence has completed on a PC in your enterprise. It won’t work in WinPE since the AD powershell module is not present in the…

, ,

OSD collection script – PowerShell

Task sequence script which adds a computer to SoftwareCentral application deployment collections. It also removes a computer from one or more predefined OSD deployment collections. The script can be triggered by a Status Filter Rule in SCCM or as a “Run command line” step in an OSD task sequence.

, ,

SQL query – computers where an app is NOT installed

SQL query which will return the computers, where a given application is NOT installed…

, ,

PowerShell – export AD user account info to csv

This script can be used for exporting user account onformation fra Active Directory…


VB script with logging template

Dim objFSO, myLog, dt, dtformatted Const For_Writing = 2 Set objFSO = CreateObject("Scripting.FileSystemObject") Set myLog = objFSO.OpenTextFile("C:\temp\my.log", For_Writing, True) 'Main script writelog "yes it works now" myLog.Close Function LPad (str, pad, length) LPad = String(length - Len(str), pad) & str End Function Function WriteLog (str) dt = Now dtformatted = year(dt) & "-" & LPad(Month(dt),…
, ,

Lenovo BIOS update script

This script can be used in a task sequence (MDT or SCCM) to upgrade the BIOS on Lenovo PCs eg. during Operating System Deployment.


Deploy Microsoft .NET 4.7.1 on Windows 10 x64 via SCCM

Don’t waste a lot of time like I did 🙁 Here’s how to do it…


Powershell – list group membership for AD users

With two levels nested group memberships…

, , ,

Useful WMIC commands

Some WMIC  (and Get-WMIObject) commands that I use all the time…

, , ,

Extract drivers from Lenovo driver packages

Get-ChildItem -Path E:\T450S -Filter *.exe -Exclude getw10ver.exe -Depth 1 | ForEach { write-host $_.Fullname Start-Process $_.Fullname -ArgumentList '/VERYSILENT /Extract="YES" /DIR="c:\tempdriver"' -Wait } If you are running an older version of PowerShell you can use this alternative script: Get-ChildItem -Path 'E:\ThinkPad T480s' -Filter *.exe -Exclude getw10ver.exe,getw10ver4 -Recurse | ForEach { write-host $_.Fullname Start-Process $_.Fullname -ArgumentList '/VERYSILENT…
, , , , ,

Inject drivers in task sequence step

Run command line: DISM.exe /Image:C:\ /Add-Driver /Driver:.\ /Recurse Package: SCCM package with no program TS step conditions: WMI Namespace: root\cimv2 WQL query: select Model from Win32_ComputerSystem where Model like "%THINKPAD T450s%" and / or WMI Namespace: root\cimv2 WQL query: SELECT * FROM Win32_ComputerSystemProduct WHERE Version LIKE “%ThinkPad T420%”

Unlock task sequence in SCCM after console crash

Open SQL Server Studio Management (SSMS), select the Config Manager db and create a new query: select * from SEDO_LockState where LockStateID <> 0 Execute the query and copy the ID from the output. Then create a new query: DELETE from SEDO_LockState where LockID = '<LockID of the record identified in the previous query>' Execute…

Change BitLocker TPM Platform Validation Profile on the go

Scenario: You have enabled BitLocker in your enterprise with default settings. Now the service desk gets frequent calls from end users because their PCs have entered BitLocker recovery mode after a reboot.

Get the BitLocker TPM Platform Validation Profile in Windows 7 (and Windows 8.1 and 10)

  Scenario: You want to check which TPM Platform Validation Profile is in effect on a BitLocker enabled volume on a Windows 7 computer.


Behold, my first attempt at writing a blog. Subject…all things Windows with an emphasis on the management of the client OS using Active Directory, Group Policy Settings, PowerShell, SCCM (Configuration Manager) etc. /Peter J . Madsen