Cireson ConfigMgr Ticker WMI Permissions Fix

We encountered an issue with the Cireson ConfigMgr Ticker App recently where it stopped working on some clients. The log was reporting WMI permissions issues…

ConfigMgr Ticker WMI Log Errors
Errors in the log caused by WMI permission problems.

I had a quick look on the product forum and found someone with the same issue.

The problem is the Ticker App install adds a permission to the following WMI Class, which at times SCCM resets back to default.


You can check the permissions on this class using “wmimgmt.msc” -> right click on “WMI Control (local)” -> Properties -> Security Tab -> Expand tree to the class above -> Security. It should look like the screenshot below with the “HOSTNAME\Users” group having the “Enable Account” permission.

Screenshot of wmimgmt.msc permissions for Cireson ConfigMgr Ticker
Screenshot of wmimgmt.msc permissions for Cireson ConfigMgr Ticker

In certain circumstances, SCCM client repair and Windows 10 In-Place upgrade changes the permissions on this WMI class and it reverts back to default (the Users group is removed.) This breaks the Cireson Ticker App client.

Using a few blog posts I created a script to detect and remediate these permissions using a Configuration Manager Baseline.

Create a Configuration Item with a discovery script and remediation script

Discovery Script :
$namespace = "ROOT\ccm\Policy\Machine\RequestedConfig"
$computer = "localhost"
$compliance = "No"

Function Get-PermissionFromAccessMask($accessMask) {
    $WBEM_ENABLE            = 1
    $WBEM_FULL_WRITE_REP           = 4
    $WBEM_WRITE_PROVIDER          = 0x10
    $WBEM_REMOTE_ACCESS            = 0x20
    $READ_CONTROL = 0x20000
    $WRITE_DAC = 0x40000

    $WBEM_RIGHTS_STRINGS ="Enable","MethodExecute","FullWrite","PartialWrite","ProviderWrite","RemoteAccess","Subscribe","Publish","ReadSecurity","WriteSecurity"

    $permission = @()
    for ($i = 0; $i -lt $WBEM_RIGHTS_FLAGS.Length; $i++) {
        if (($accessMask -band $WBEM_RIGHTS_FLAGS[$i]) -gt 0) {
            $permission += $WBEM_RIGHTS_STRINGS[$i]


$invokeparams = @{Namespace=$namespace;Path="__systemsecurity=@";Name="GetSecurityDescriptor";ComputerName=$computer}

if ($credential -eq $null) {
    $credparams = @{}
} else {
    $credparams = @{Credential=$credential}

$output = Invoke-WmiMethod @invokeparams @credparams
if ($output.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor failed: $($output.ReturnValue)"

$acl = $output.Descriptor
$usercoll = @()
foreach ($ace in $acl.DACL) {
    $user = New-Object System.Management.Automation.PSObject
    $user | Add-Member -MemberType NoteProperty -Name "Name" -Value "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
    $user | Add-Member -MemberType NoteProperty -Name "Permission" -Value (Get-PermissionFromAccessMask($ace.AccessMask))
    $user | Add-Member -MemberType NoteProperty -Name "Inherited" -Value (($ace.AceFlags -band $INHERITED_ACE_FLAG) -gt 0)
    if (($user.Name -eq "BUILTIN\Users") -and ($user.Permission -eq "Enable"))
        $compliance = "Yes"
Remediation Script :
$namespace = "ROOT\ccm\Policy\Machine\RequestedConfig"
$operation = "Add"
$account = "BUILTIN\Users"
$allowInherit = $false
$deny = $false
$computer = "localhost"
[string[]] $permissions = "Enable"

$ErrorActionPreference = "Stop"

Function Get-AccessMaskFromPermission($permissions) {
 $READ_CONTROL = 0x20000
 $WRITE_DAC = 0x40000

 $WBEM_RIGHTS_STRINGS ="Enable","MethodExecute","FullWrite","PartialWrite","ProviderWrite","RemoteAccess","ReadSecurity","WriteSecurity"

 $permissionTable = @{}

 for ($i = 0; $i -lt $WBEM_RIGHTS_FLAGS.Length; $i++) {

 $accessMask = 0

 foreach ($permission in $permissions)
 if (-not $permissionTable.ContainsKey($permission.ToLower())) {
 throw "Unknown permission: $permission`nValid permissions: $($permissionTable.Keys)"
 $accessMask += $permissionTable[$permission.ToLower()]

if ($PSBoundParameters.ContainsKey("Credential")) {
 $remoteparams = @{ComputerName=$computer;Credential=$credential}
} else {
 $remoteparams = @{}

$invokeparams = @{Namespace=$namespace;Path="__systemsecurity=@"} + $remoteParams

$output = Invoke-WmiMethod @invokeparams -Name GetSecurityDescriptor
if ($output.ReturnValue -ne 0) {
 throw "GetSecurityDescriptor failed: $($output.ReturnValue)"

$acl = $output.Descriptor

$computerName = (Get-WmiObject @remoteparams Win32_ComputerSystem).Name

if ($account.Contains('\')) {
 $domainaccount = $account.Split('\')
 $domain = $domainaccount[0]
 if (($domain -eq ".") -or ($domain -eq "BUILTIN")) {
 $domain = $computerName
 $accountname = $domainaccount[1]
} elseif ($account.Contains('@')) {
 $domainaccount = $account.Split('@')
 $domain = $domainaccount[1].Split('.')[0]
 $accountname = $domainaccount[0]
} else {
 $domain = $computerName
 $accountname = $account

$getparams = @{Class="Win32_Account";Filter="Domain='$domain' and Name='$accountname'"} + $remoteParams

$win32account = Get-WmiObject @getparams

if ($win32account -eq $null) {
 throw "Account was not found: $account"

switch ($operation) {
 "add" {
 if ($permissions -eq $null) {
 throw "-Permissions must be specified for an add operation"
 $accessMask = Get-AccessMaskFromPermission($permissions)

 $ace = (New-Object System.Management.ManagementClass("win32_Ace")).CreateInstance()
 $ace.AccessMask = $accessMask
 if ($allowInherit) {
 } else {
 $ace.AceFlags = 0

 $trustee = (New-Object System.Management.ManagementClass("win32_Trustee")).CreateInstance()
 $trustee.SidString = $win32account.Sid
 $ace.Trustee = $trustee


 if ($deny) {
 } else {

 $acl.DACL += $ace.psobject.immediateBaseObject

 "delete" {
 if ($permissions -ne $null) {
 throw "Permissions cannot be specified for a delete operation"

 [System.Management.ManagementBaseObject[]]$newDACL = @()
 foreach ($ace in $acl.DACL) {
 if ($ace.Trustee.SidString -ne $win32account.Sid) {
 $newDACL += $ace.psobject.immediateBaseObject

 $acl.DACL = $newDACL.psobject.immediateBaseObject

 default {
 throw "Unknown operation: $operation`nAllowed operations: add delete"

$setparams = @{Name="SetSecurityDescriptor";ArgumentList=$acl.psobject.immediateBaseObject} + $invokeParams

$output = Invoke-WmiMethod @setparams
if ($output.ReturnValue -ne 0) {
 throw "SetSecurityDescriptor failed: $($output.ReturnValue)"

Settings for the CI :



Remove annoying Cortana Audio after 1703 OSD

When you build a W10 1703 machine with SCCM OSD, you may notice that once its complete you hear an audile voice saying something like ‘OK I got connected let’s check for updates’.

You can disable this with a simple command line task sequence step  :

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\OOBE" /v DisableVoice /t REG_DWORD /d 1 /f

Use Notepad++ To Convert a list into Powershell Array format


  • Paste list into Notepad++
  • Use Find and Replace (Search Mode – Extended) :
    • Find what : \r\n
    • Replace with : \r\n”
  • Use Find and Replace (Search Mode – Extended) :
    • Find what : \r
    • Replace with : “,
  • Add a double quote at the start of the first line and end of the last line

SCCM Application Dependency Graph / Tree

Sometimes we have very complicated apps we have to deploy and need to view the application dependency tree to help investigate failed deployments. I found the built in view in the SCCM console clunky, buggy and annoying. So I wrote a small script to query WMI, list app dependencies and then output this visually using graphviz dot language.

The first thing the script does is query all the apps on your site server WMI for a search term. It then displays a list of applications in a grid view. You then choose which Application you want to create a dependency graph for. Once you have chosen one, the script will recurse through all the dependencies and build a graph.

It’s still in its infancy, it doesn’t highlight AND / OR relations and may have some redundant code that needs tiding up… But I find it useful to demonstrate to support staff why some applications take a while to deploy due to the complexity and amount of pre-reqs required!

  • Install graphviz for windows from here
  • Add an entry in your PATH environment varibale to the location of dot.exe – on Windows 10 for me it was : “C:\Program Files (x86)\Graphviz2.38\bin”
  • Download the script from Github Gist Here
  • Edit the variables in the script
    • $server – should be the management point server with the WMI Provider for your SCCM Site
    • $sitecode – should be the sitecode for your site
    • $graph_filetype – filetype of the output (I’ve only tested png, svg and pdf so far…)
    • $query – should be an application search string, the first thing the script will do is search and list the applications found using this. You can then choose which app you want to see the dependency tree for.
  • Run the script!
  • You should get two output files in the output directory
    • AppName.gv
    • AppName.(pdf/png/svg – depending on selected output filetype)
An example output png from the SCCM App Dependency Graph script.
An example output png from the SCCM App Dependency Graph script.



Filter SMSTS.logs to view only the main action steps (using cmtrace)

If you have a long Task Sequence with lots of steps and want to pinpoint when specific actions ran, you can filter the log using Entry Text contains “The action (” in cmtrace.

If some steps are missing you may need to merge in the rolled over logs which are named smsts-xxxxx.log

SMSTS Filter


List Preparation for SQL Query

I often need to query a database using a where in filter and a list of items. The items are generally in a list format in an excel or csv file, once copied they are on different lines. This is how I convert to a usable string for an SQL query filter using Notepad++ :

  • Paste list into Notepad++
  • Open the Find and Replace dialog (Ctrl+F)
  • Change search mode to ‘Extended’
  • Find what : \r\n
  • Replace with : ‘,’
  • Add an quote mark at beginning and end of line
Screenshot of Find and Replace dialog in Notepad++

Then you can paste this string into a SQL ‘where in’ clause between the brackets.


Checking SCCM Task Sequence Variables using Powershell

While running an OSD task sequence you can use powershell to check the TS Environment variables.

I added a ‘Pause’ step using this guide. If, like me, you are using an x64 PE image, you need use the ‘serviceui.exe’ from either the Program Files location on the machine with MDT installed, or a MDT package :


Once you have your Task Sequence paused, you can press F8 (if enabled in the boot image) and start powershell.

$env = New-Object -COMObject Microsoft.SMS.TSEnvironment

This will create an interface to the com object we need to use to interact with the TS environment.

$env.GetVariables() | % {$_ + "=" + $env.Value($_)}

This will dump out all the variables to the screen, this is a bit messy as there are lots of variables – some with quite long xml text as the values.

This will output all the variables to a text file :

$env.GetVariables() | % {$_ + "=" + $env.Value($_)} | out-file "variables.txt"

This will display the value of a specific variable (e.g. Architecture):


You could adapt this into a script to run automatically, instead of manually if required.