ConfigMgr: Run "All" Client Actions During OSD
03-21-2021 1:38 PM
Last updated
03-21-2021 1:38 PM
Last updated
Disclaimer: All information and content in this blog post is provided without any warranty whatsoever. The entire risk of using this information or executing the provided content remains with you. Under no circumstances should mentioned persons or vendors, the author, or anyone else involved in creating these blog posts be held liable for any damage or data loss.
Warning: This is NOT supported by Microsoft!... But it works
A large international customer came to us with a desire to be able to run hardware inventory during OSD as they had some other systems that were depending on data from the hardware inventory in Microsoft Endpoint Configuration Manager. My colleague had tried different things without success and since I had previously encountered this "issue" it was something I had to investigate further - Now that it has gone into production at this customer, I can now share my solution it with you guys
Adam Gross had a similar idea and he asked the Microsoft devs about some registry keys that is set in provisioning mode to prevent client actions from being triggered during OSD.
The registry key Adam was talking about: "HKLM\Software\Microsoft\CCM\CCMExec\SystemTaskExcludes"
Their response was: If it is not documented, it is not supported! Leave it alone or you are running the risk of hitting unexpected behaviors.
Hardware inventory is one of many client actions and its job is to collect information about the hardware configuration of devices in your environment. To collect hardware inventory, you must enable it in client settings.
After hardware inventory is enabled and the client runs a hardware inventory cycle, the client sends the information to a management point. The management point then forwards this information to the primary site server, which stores the information in the site database.
Read more about hardware inventory here
During OS deployment task sequence, Microsoft Endpoint Configuration Manager places the client in provisioning mode. In this state, the client doesn't process policy from the site. This behavior allows the task sequence to run without risk of additional deployments running on the client. When the task sequence completes it exits provisioning mode.
Read more about provisioning mode here
Gary Blok has written a great blog post that dives deeper into client provisioning mode to find out what is going on when a system is in provisioning mode - it can be found here
My workaround is based on Adam's awesome client action task sequence script, which can be found here
So, the first thing I had to do, was to find out how to toggle in and out of provisioning mode and I ended up with two methods, one being a PowerShell command and the other a Command-line.
On the print screen below I have imported a new device "CL002" and as you can see, no hardware inventory has been collected on the device yet.
As we go through the steps with the Task Sequence Editor, we can see Adam's step in the group "Trigger Client Actions". The first step that I've added was a "Check Current Provisioning Mode State" which sets a "ProvisioningMode" variable to "true" if the devices is in provisioning mode.
This step will only run if the below registry condition is true.
My next step will temporarily disable provisioning mode in both HTTP and HTTPS (PKI) environments and the step will run if the variable condition "ProvisioningMode" is true.
PowerShell Script (Disable Provisioning Mode)
Now that the device temporarily is out of provisioning mode, we will be able to trigger "all" client actions created with Adam's client action task sequence script.
Warning: This is NOT supported by Microsoft!
Please use it with caution and always test in lab first! I have added quotes around "all" because I haven't tested them all and some of them may have been deprecated.
Command-line (Trigger Hardware Inventory)
My next step will enable provisioning mode in both HTTP and HTTPS (PKI) environments and the step will run if the variable condition "ProvisioningMode" is true.
PowerShell Script (Enable Provisioning Mode)
In both scripts and command-lines I've adjusted the sleep time to fit both of my lab environments, but you may need to tweak the values to fit your environment.
The only thing left to do now, is adding the client action task sequence at the end of your OS Deployment task sequence and test it on a device.
You can download my child task sequence here
I do not believe that we will see this as a supported feature in the near future. Yes this workaround does work! But please keep in mind that it is NOT supported by Microsoft! So, please use my solution with caution and always test in lab first! And also be aware that some of the client actions may have been deprecated.
This solution adds 10+ minutes to the overall OS deployment time, but you can try and tweak the sleep time values for your environment, you might be lucky to reduce it with a few minutes or in worst case add a few minutes before it will work perfect in your environment.
If you have any questions regarding this topic, feel free to reach out to me. I am most active on Twitter!
During my research I found out that a few client actions actually did work while the devices was in provisioning mode (e.g. Scan by Update Source - 00000000-0000-0000-0000-000000000113) and others not so much which gave me the idea to toggle in and out of provisioning mode to see if that would allow me to trigger hardware inventory - well it worked
Awesome! So, moving on with the unsupported workaround
I've decided to go with a small PowerShell script based on the above PowerShell commands, it may not be pretty, but it gets the job done. So, with that in place let's get started with the walkthrough of my solution. As mentioned above, it is based on Adam's client action task sequence script and I've then added a few extra steps to toggle in and out of provisioning mode. And yes! There will be a download link to my task sequence further down on this page
Now let´s see what the log "SmsClientMethodProvider.log" says! And the result *drumbeats*… No errors
If we check my previously imported device "CL002" we can now see that hardware inventory has been collected during OS deployment. Awesome