Uninstall Internet Explorer 9 from Systems

Recently, I had to uninstall IE9 from a bunch of production machines for a client whose site I am working at. Because of other mitigating circumstances, this had to be done during the day, with notification to the user and without forcing a reboot. After a little bit of digging, I stumbled upon MS article 2579295, and after a little tweaking I was able to create a program with this command:

FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*9.*.mum /c "cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /quiet /norestart"

Worked well when executed both in a task sequence and as a program. Cheers.


Use PowerShell to connect to multiple domains

To administer a second or third domain in AD via PowerShell, you’ll need to connect to the other domain thusly:

Import-Module ActiveDirectory
New-PSDrive -Name ADDriveName -PSProvider ActiveDirectory -Server 'mydomain.com' -root '//RootDSE/'
This cmdlet will allow you to create the connection as another drive in PowerShell, the same way that the AD: connection is created when you import the AD module.  Now, just type Set-Location ADDriveName: and you’re off.

McAfee Access Protection Prevents creation of boot disk in SCCM 2012 SP1

This has been driving me crazy the past couple of days:


Last week I started on an install for SCCM 2012 SP1 for a customer who has McAfee as the main security solution in their environment.  I have some previous experience with McAfee, and I hadn’t previously experienced any issues with it.  All of the previous clients I had that used McAfee were on 2012 RTM, and this was the first one I had done with SP1.  SP1 uses the ADK, instead of the AIK, of course, and all has not gone smoothly.

The first problem I encountered was with the site installation itself: the site seemed to install fine, but no boot images were created.  This seemed a bit odd, so I checked the ConfigMgrSetup.log file located on the root of C:\


The boot images were not created properly during setup.  The boot image files were both at their default location (\\server\SMS_sitecode\osd\boot) but they weren’t in the console.  I decided to try and import them manually:


A bit of an odd error message, however, the DISM log file showed that SCCM was unable to insert the OSD binaries into the WIM.  Now we’re getting somewhere.  I figured I’d try creating one from scratch with MDT.  That was also unsuccessful.


Searching around the web was not very helpful  as most people seemed to be reporting problems related to permissions.  Given the access denied error that others reported, and the fact that my permissions were fine, I believed the culprit would be McAfee.  Since the logs didn’t show McAfee blocking or deleting anything, I didn’t have much to go on.  I talked to the security team and got them to allow me to temporarily disable McAfee, and like clockwork, I was able to create a boot image.  My first thought was to exclude C:\Windows\Temp\BootImages from McAfee, but the customer’s security team wanted specific justification before adding any exclusions.  We tried it as a troubleshooting step, but once Access Protection was reactivated, the problem returned.

Earlier today I came across the article above from McAfee, hopefully they’ll come to a more permanent solution, but for the time being, we need to turn off Access Protection whenever we update or edit any boot image, or perform offline servicing on a WIM.  I’ve been in other environments with SCCM 2012 SP1 and other AV solutions, such as Symantec Endpoint Protection, Kaspersky, and of course SCEP, but haven’t experienced this issue yet.

AV White-list Considerations

This issue has prompted me to review some of the community resources concerning AV policy on an SCCM site server.  My personal feeling is to exclude these locations from any AV client:

  • %programfiles%\Microsoft Configuration Manager\Inboxes\*
  • %programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*
  • <C:>\ConfigMgr_OfflineImageServicing – defaults to the same drive the site is installed on
  • C:\Windows\TEMP\BootImages

You may want to review the following links for more information:



SCCM 2007:  http://blogs.technet.com/b/configurationmgr/archive/2010/11/30/configmgr-2007-antivirus-scan-and-exclusion-recommendations.aspx
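
Excluded directories are never scanned, so before requesting the exclusions it helps to know which accounts can write to them. The PowerShell below is an added example, not part of the original post; it checks the ACLs on the four locations listed above, and the drive used for ConfigMgr_OfflineImageServicing and the list of trusted SIDs are assumptions.

```powershell
# Added example: report non-administrative accounts with write access to the
# directories proposed for AV exclusion. Paths follow the list above.
$ExcludedPaths = @(
    "$env:ProgramFiles\Microsoft Configuration Manager\Inboxes",
    "${env:ProgramFiles(x86)}\Microsoft Configuration Manager\Inboxes",
    "$env:SystemDrive\ConfigMgr_OfflineImageServicing",  # assumption: site installed on the system drive
    "$env:windir\TEMP\BootImages"
)
# Well-known SIDs that are expected to hold write access (assumed trust list).
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Rights that allow creating or appending to files in a directory.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

function Get-UntrustedWriter {
    param([string[]]$Path, [string[]]$Trusted)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # not every path exists on every server
        $acl = Get-Acl -LiteralPath $p
        # Ask for SIDs directly so localized or unresolvable account names do not matter.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            $isAllow  = $r.AccessControlType -eq 'Allow'
            $canWrite = ([int]$r.FileSystemRights -band $WriteMask) -ne 0
            if ($isAllow -and $canWrite -and ($Trusted -notcontains $r.IdentityReference.Value)) {
                New-Object PSObject -Property @{
                    Path = $p; Sid = $r.IdentityReference.Value
                    Rights = $r.FileSystemRights; Inherited = $r.IsInherited }
            }
        }
    }
}

Get-UntrustedWriter -Path $ExcludedPaths -Trusted $TrustedSids | Format-Table -AutoSize
```

Any row in the output is an account outside the trusted list that can create or append files in a location the AV client will no longer inspect.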


SCCM 2012 SP1 CU1


Cumulative Update 1 is now available from Microsoft, and it fixes, amongst other things, the obnoxious problem with the MicrosoftPolicyPlatformSetup.msi file that prevents client installs from working out of the box.

Luckily, the install is quite simple: after you download the hotfix, begin by extracting it, then launch the executable.











During the setup, SMS services will shut down and be unavailable, so be sure to schedule an outage if your company policy dictates it.  The whole process only takes about 5 to 10 minutes.



These packages, which we selected during the installation, are automatically created for you, with programs ready for deployment.

Deploying the updates


After verifying the update is successful, and testing each of the packages, you’re ready to roll it out to your environment.

To do that, I’ve created 3 collections, and then just set mandatory advertisements to each of them.  I turned off client notifications and set the program to “rerun if failed previous attempt”.  From that point, it was mostly just monitoring.

Here are the collections, ready for import into your environment.



Java as an Application in SCCM 2012

The new application model in SCCM 2012 quickly became one of my favorite features, and has remained so across every deployment I work on. With its comparatively advanced deployment and detection methods, it is extremely useful for applications of all sorts, even those that require frequent updates.
In SCCM 2007, every time a new version of Java or Adobe Reader came out, you’d have to create a new package and advertisement, and then turn around and update all of your task sequences. This was at best tedious. Sure, there are tools like SCUG that can help with this, but they are not always available to all organizations, and they had their own problems and limitations.
By making use of the new application model, administrators can much more easily keep up on these updates.

Source Files:

Begin by downloading the bits:  http://java.com/en/download/manual.jsp

The 64-bit version is for 64-bit browsers. So you’ll probably still need the 32-bit version for 64-bit Windows.

Get the MSI:

Launch the executable. Once the splash screen appears, the files will have been extracted. Navigate, for the 32-bit version to


and for the 64-bit version to


Copy the files to your source location for SCCM packages.

Make the transform:
Next, use Orca to edit any custom settings you need. Some of the most common ones can be found under the Property table. In this example, I’ve changed AUTOUPDATECHECK, JAVAUPDATE, and JU all to 0 to prevent any kind of updating. I’ll also change IEXPLORER and MOZILLA to 1 to enable Java in browsers.

You may have other changes to make, such as a custom install location; all of those kinds of changes can be made into a transform with Orca.  Once finished, I then save the custom transform in the application source directory and create it in SCCM.


Deployment Type:

Be sure to edit the installation method to include your new custom transform file:

msiexec /i "jre1.7.0_17.msi" TRANSFORMS=custom.mst /q

Now, you can set this application to supersede the previous version of Java you are using.  Or, if this is the first version of Java you’re placing into SCCM, then you can use this method to keep your Java clients up to date.  When a new version comes out, build it this way and have it supersede the old version.  You’re now on your way to automating that much more of your environment.

You may also want to look into removing old versions of Java if you’re trying to get old versions out of your environment.


Uninstalling Java Versions

Need to uninstall Java on a series of machines?  Either because you need to do a fresh install, or because updates are failing?  Or maybe your client is a public school system that has a mandate to remove all JRE 6 versions because of security issues?  …yeah that’s the one.

Remove JRE 6

wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive

That’s the script that went into my package that I recently finished running on about 15,000 systems or so.  If you’d like to remove them all, you can do that too.

Remove all Java

wmic product where "name like 'Java%'" call uninstall /nointeractive
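
Querying wmic product (the Win32_Product class) makes Windows Installer run a consistency check on every installed MSI, which is slow and can trigger repairs on unrelated products. The PowerShell below is an added example, not part of the original post: it finds the same Java installs from the Uninstall registry keys and removes them with msiexec; the function names are hypothetical.

```powershell
# Added example: locate Java MSI installs via the Uninstall registry keys
# instead of Win32_Product, then remove them with msiexec /x.
function Get-JavaMsiInstall {
    param(
        # Wildcard matched against DisplayName; the default mirrors the JRE 6 filter above.
        [string]$NamePattern = 'Java(TM) 6*'
    )
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit apps on 64-bit Windows
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -like $NamePattern -and
            $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$'   # MSI installs are keyed by product code
        } |
        Select-Object DisplayName, DisplayVersion, @{ n = 'ProductCode'; e = { $_.PSChildName } }
}

function Remove-JavaMsiInstall {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$NamePattern = 'Java(TM) 6*')

    foreach ($pkg in Get-JavaMsiInstall -NamePattern $NamePattern) {
        if ($PSCmdlet.ShouldProcess("$($pkg.DisplayName) $($pkg.ProductCode)", 'msiexec /x')) {
            $p = Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $($pkg.ProductCode) /qn /norestart" -Wait -PassThru
            # Exit code 0 = success, 3010 = success with a reboot pending.
            New-Object PSObject -Property @{ Name = $pkg.DisplayName; ExitCode = $p.ExitCode }
        }
    }
}

# Dry run: shows what would be removed without uninstalling anything.
Remove-JavaMsiInstall -NamePattern 'Java(TM) 6*' -WhatIf
```

Drop -WhatIf to perform the removal, or pass -NamePattern 'Java*' to match every Java version as in the second wmic command.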