Automatically update your Configuration Manager boot images for CVE-2023-24932

As many of you know, CVE-2023-24932 will require Configuration Manager admins to update their boot media before their organization or Microsoft enforces the revocations. If you do not update your boot images before the revocations are applied, you will not be able to load an unpatched WinPE image. Community members like Gary Blok and Sassan Fanai have already shared some excellent scripts that will automatically update your boot image. I just wanted to take it an extra step by automating some of the manual steps that would have to be performed. Using the ConfigMgr Module, we’re able to query the boot images to determine which updates are needed, find the update source URL for the May CU, then eventually update the boot image and reload the boot image properties so the console shows the correct build number. This will hopefully streamline the process for the community.


Many thanks to Gary Blok for collaborating with me and helping improve the script!



  • The Configuration Manager module needs to be loaded before running the script
  • If you have a Windows 11 boot image, please run the script on a Windows 11 host. DISM fails to apply the update if you do not.


  • WIMFolder
    • Local folder that will be used to store the boot image WIM temporarily
  • MountFolder
    • Local folder where we will mount the boot image.
  • DownloadFolder
    • Local folder that will be used to store the downloaded May 2023 Cumulative Update


Convert-CMAppToIntuneWin Function

The following function will automatically convert your ConfigMgr applications to .intunewin files that can be used in Intune to deploy Win32 applications. In my environment, we are using PSADT (Powershell App Deployment Toolkit) so this function worked great to convert my existing install scripts to something that I can use in Intune. Once the function has completed converting your applications, it will open the folder that will contain a subfolder for each Deployment Type that the application had. In those subfolders, you will find the .intunewin files.

Just keep in mind that if your install command in ConfigMgr is calling a file that is not in the content source path, the Convert-CMAppToIntune function will exit since the Win32 Content Prep Tool requires the setup file to exist with the content.


  • Internet Connection (this is required to download the Win32 Content Prep Tool from Microsoft’s official Github repository)
  • The setup file that you are calling in the install command must reside in the content source path.
  • You must be trying to convert a Win32 application install
  • ConfigMgr Module (Click here to learn how to load the module)


  • AppName (Required)
    • You will have to use the exact application name that you are using in ConfigMgr
  • OutputFolder (Optional)
    • By default the function will stage everything into your %TEMP% folder. However you can use this parameter to override that default location and stage your converted files anywhere.


Convert-CMAppToIntuneWin -AppName "Google Chrome"
Convert-CMAppToIntuneWin -AppName "VLC Media Player" -OutputFolder "D:\Intune"

Convert all of the applications in your ConfigMgr console:

Get-CMApplication | ForEach-Object { Write-Host "Converting $($_.LocalizedDisplayName)" ; Convert-CMAppToIntuneWin -AppName $_.LocalizedDisplayName }


Support Tool – WPF Form

It’s been a while since my last post but I just wanted to share something that I have been working on. Lately I have been trying to migrate all of my WinForms to WPF with Powershell and since I have started learning how to create WPF forms , I wanted to share a tool that I created called “About Me”. This tool will give your users common information that support would need to assist them. If Outlook is installed, it will give users the ability to draft an email automatically with the information that is displayed in the tool. I also have included a “Tools” section that has some shortcuts to commonly used utilities in the OS.

Device Information: This is the first section that users will see when launching the About Me WPF tool. If you have Outlook installed, you will see the Email Info button. Otherwise you will only see a Copy Info button instead which will place the device information into the user’s clipboard.

Tools Section: This is the tools section that users will see when they click the Tools button. This will give users and support the ability to run gpupdate and launch commonly used operating system utilities.

Read more

Automatically download Enablement Packages

Happy New Years everyone! I was recently reading a blog post by Gary Blok that explained how to upgrade to Windows 10 21H2 via Enablement Package using the ConfigMgr App Model. It is a great article and I actually plan on using an Enablement Package to upgrade all of my 20H2 PC’s to 21H2. However, due to my anxiety I didn’t like that I actually had to setup an ADR to download the Enablement Package. So instead of using an ADR, I wanted to see if I could accomplish this with the ConfigMgr Powershell CMDLETs. Fortunately with ConfigMgr 2107, Microsoft released a new CMDLET Get-CMSoftwareUpdateContentInfo that can help us easily retrieve the source path for the Enablement Package .cab files. All you need to make this work is a site with 2107 installed, ConfigMgr console installed on the device that you are running the script, Powershell 3.0 and above, and the following Products and Classifications:

Product: Windows 10

Classification: Upgrades

Powershell Script:

$DownloadFolder = "$env:TEMP\Enablement Packages"

If(!(Test-Path "$DownloadFolder")) { New-Item "$DownloadFolder" -ItemType Directory -Force }

Get-CMSoftwareUpdate -Fast | Where-Object { $_.LocalizedDisplayName -like "*Enablement Package" } | ForEach-Object {

    $SourceURL = (Get-CMSoftwareUpdateContentInfo -Id $_.CI_ID).SourceURL
    $LocalizedDisplayName = $_.LocalizedDisplayName -replace '(?= via Enablement Package).*',''

    If(!(Test-Path "$DownloadFolder\$LocalizedDisplayName")) { New-Item "$DownloadFolder\$LocalizedDisplayName" -ItemType Directory -Force }
    Invoke-WebRequest -Uri $SourceURL -OutFile "$DownloadFolder\$LocalizedDisplayName\$(($SourceURL -replace '.*([/])','').Split('_')[0]).cab"


Start $DownloadFolder

How to detect the Log4Shell vulnerability with Powershell

Recently I found a few solutions online that demonstrate how system administrators can detect the Log4Shell vulnerability with Powershell.


These scripts were great but I noticed they depended on Get-ChildItem to find .jar files on systems. As you may know, Get-ChildItem can be VERY slow to run. Especially when you are scanning entire drives for specific files. That’s when I decided to find an alternative that could run faster and use less resources. I first tried to use .Net but unfortunately that didn’t go anywhere because the EnumerationOptions class is not available to use with Powershell 5.0. Then I started searching Google for other options and someone on StackOverFlow recommended using RoboCopy without copying anything instead. Let’s just say I ended up canceling Get-ChildItem because it was still running after RoboCopy finished querying all of my drives for .jar files.

As you can see in the script, I also decided to not depend on a text file from GitHub that the other scripts were using ( It’s great that it was grabbing the latest .txt file but I didn’t feel comfortable using a file that could possibly be compromised at a later time. Instead I encoded the text file and decoded it so the script can be 100% standalone without any external dependencies.

Update 12/17/2021 – Since I have received a few requests to add custom file hashes, I have updated the script so you can easily add additional file hashes that the script can query. In order to do this, you will need to add the file hashes to the $CustomFileHashes variable.

Example on how to add additional file hashes:

$CustomFileHashes = @(

Well here is the script that you were waiting for. Hopefully it helps!

$CustomFileHashes = @(


Remove-Variable List,TotalResults -Force -ErrorAction SilentlyContinue
$Drives = (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }).Root
$List = ForEach($Drive in $Drives) {
    Robocopy $Drive 'Dest' *.jar /l /njh /njs /ndl /ns /nc /fp /e /xj
[System.Collections.Generic.List[string]]$FileHashes = -split [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($EncodedHashes)) | Where-Object {$_.Length -eq 64 }
If($CustomFileHashes -ne $null) { $CustomFileHashes |  ForEach-Object { $FileHashes.Add("$_")} }

$TotalResults = ForEach($Item in $List.Where({$_}).Trim()) {
    If($Item.Length -gt 0) {
        $Hash = (Get-FileHash -Path $Item -Algorithm SHA256).Hash

            If($FileHashes -contains $Hash) {
                $Result = [PSCustomObject]@{
                    "Hostname" = $env:ComputerName
                    "File Hash" = $Hash
                    "File Name" = $Item

An automated solution for KB5006670 that breaks printer installs

Ever since KB5006670 was released, I have been receiving reports from our local support team that users are unable to install printers from our print servers. The specific error they were getting was “Windows cannot connect to the printer.” Operation failed with error 0x000006e4.

Thanks to a user on Reddit (NinjaAmbush), I was able to find the following fix which was to uncheck “Render print jobs on client computers” click apply and then recheck the setting. Since this had to be done for each printer on the server, I decided to find out if I could automate the steps with Powershell. Fortunately it was pretty straight forward and I was able to accomplish this with two native Powershell CMDLETS (Get-Printer and Set-Printer).

Here is the automated solution that needs to run on your print servers:

Get-Printer -Full | ForEach-Object { 

    If($_.RenderingMode -eq "CSR") {
        Set-Printer -Name $_.Name -RenderingMode SSR
        Set-Printer -Name $_.Name -RenderingMode CSR

    If($_.RenderingMode -eq "SSR") {

        Set-Printer -Name $_.Name -RenderingMode CSR
        Set-Printer -Name $_.Name -RenderingMode SSR



How to automatically hide the Widgets and Teams chat button in Windows 11

As many of you know Windows 11 was released yesterday. Right now I’m I’m currently testing the official release and running Procmon to figure out some of the new registry keys that were introduced with Windows 11. Here are the registry keys and values that will automatically hide the Widgets and Teams chat button from the taskbar in Windows 11:

How to hide the widgets button:


How to hide the Teams chat button:


How to create Outlook holidays with Powershell

The following script is a proof of concept to demonstrate that you can create Outlook holidays automatically with Powershell. The POC script will automatically create a “Test Holiday” on the date that you ran the script. I also added an IF statement to check if the holiday already exists. That way users wouldn’t see the holiday added multiple times. The script can easily be setup to run in a ForEach loop to add multiple holidays in one script. You would just need to update the $Date and $Subject variables for each holiday.

$Date = (Get-Date).ToShortDateString()
$Subject = "Test Holiday"
$Outlook = New-Object -ComObject Outlook.Application
$NameSpace = $Outlook.GetNameSpace("MAPI")

If($NameSpace.GetDefaultFolder(9).Items.Restrict("[Start] = '$Date 12:00 AM' AND [Subject] = '$Subject'").count -eq 0) {

    $tzs = $Outlook.TimeZones
    $NewEvent = $Outlook.CreateItem(1)
    $NewEvent.Subject = $Subject
    $NewEvent.Start = $Date
    $NewEvent.End = $Date
    $NewEvent.StartTimeZone =$tzs["Central Standard Time"]
    $NewEvent.EndTimeZone = $tzs["Central Standard Time"]
    $NewEvent.Location = "United States"
    $NewEvent.Categories = "Holiday"
    $NewEvent.AllDayEvent = "True"


How to bring back the Windows 10 start menu on Windows 11

Update (10/6/2021) – I just tested the official Windows 11 release today and it appears you cannot bring back the Windows 10 start menu anymore. However the following registry key still works to move the start menu to the left side of the screen.


As many of you know, Windows 11 will be introducing a new start menu layout. If you want to keep things consistent for your users you can add the following registry keys to your GPO when your company decides to roll out Windows 11.


The Start_ShowClassicMode registry key will bring back the Windows 10 start layout and the TaskbarAl registry key will move everything to the left like it used to be.

Get-LogonServer Function

I have noticed in my testing that the %LOGONSERVER% environmental variable can sometimes be unreliable. After searching some time on Google, I found that using the nltest /dsgetdc: command was the most reliable method of returning the logon server. This unfortunately provides some complications since the results of the command also gives additional information that is not needed if you just need the current logon server. This is why I created the following Get-LogonServer function so you could easily return the logon server and use it in a Powershell script.

Function Get-LogonServer {

    Try {

        (nltest /dsgetdc: | findstr 'DC: ').split(" ") | %{
	        If($_ -like '\\*'){

			    $DC= $_.replace('\\','')



    Catch {
	    $DC = $False

    If ($DC){


    Else {

        Return $False

Older Posts »
Page 1 of 11