What’s new in Windows 10 Fall Creators Update, Redstone 3, 1709, 16299, etc

Hello all,

In the past month I have done 3 separate talks about the new release of Windows 10 FCU (1709).  The link below is the slides from the last talk:

CTSMUG201710 – Fall Creators Update 1709

The 5 links below are the most useful but I call out a lot of good data below.



WAAS: Naming Structure Not-So-Secret Decoder Ring

In the past year we have had a lot of Nomenclature Changes for Windows As A Service (WAAS).  The following slide from Ignite 2017 really clears it up.  Just like designer MUD in a SPA.

WAAS Naming Alignment 01

How often Office and Windows updated?

WAAS Naming Alignment 02

What versions of Microsoft System Center Configuration Manager (ConfigMgr / SCCM) supports 1709 next week.

WAAS Naming Alignment 03

Windows 10 Fall Creators Update, 1709, Microsoft Windows [Version 10.0.16299.15], Redstone 3, RS3 release is Oct 17th 2017.  I know a lot of names for the same piece of software.

I am excited for next week.

Slide Source: https://view.officeapps.live.com/op/embed.aspx?src=https%3A%2F%2F8gportalvhdsf9v440s15hrt.blob.core.windows.net%2Fignite2017%2Fsession-presentations%2FBRK3075.PPTX

Windows 10 Fall Creators Update (1709) Deprecated Features – PowerShell 2.0 is EOL among others

Fall Created Update (2017 RS3 1709) will be removing some more security holes.  I wonder if some of these are in response to the SMB1 fiasco (WannaCry for example).

  • TLS RC4 ciphers.
  • The SCCM Windows Hello deployed feature which has been replaced with the Registration Authority of Active Directory Federation Services
  • SysKey.exe gone in favor of Bitlocker
  • Enhanced Mitigation Experience Toolkit (EMET) is being removed for Windows Defined Exploit Guard (WDEG) feature
  • PowerShell 2.0 is very security holey – Twitter Tears Shed – Jeffery Snover
    • For example you can invoke PoSH 2.0 if it is installed.  Since it lacks logging you will have no idea what happened.  Most companies I work with just remove it from 1703.

Posted July 20th 2017 a list of features that are being depreciated or Removed from 1709.


Windows PowerShell 2.0

Applications and components should be migrated to PowerShell 5.0+.

Microsoft Paint

Will be available through the Windows Store. Functionality integrated into Paint 3D.

RSA/AES Encryption for IIS

We recommend that users use CNG encryption provider.

System Image Backup (SIB) Solution

We recommend that users use full-disk backup solutions from other vendors.

TLS RC4 Ciphers

To be disabled by default. For more information, see the following Windows IT Center topic:

TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016


Enhanced Mitigation Experience Toolkit (EMET)

Use will be blocked. Consider using the Exploit Protection feature of Windows Defender Exploit Guard as a replacement.


Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article:

4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3

TCP Offload Engine

Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see the following PFE Platform Blog article:

Why Are We Deprecating Network Performance Features (KB4014193)?



Full List Source: https://support.microsoft.com/en-us/help/4034825/features-that-are-removed-or-deprecated-in-windows-10-fall-creators-up

Free eBooks from Microsoft



Free eBooks.. get em while they are … free!


  • Windows 10
  • Office 365
  • Office 2016
  • Power BI
  • Azure
  • Windows 8.1
  • Office 2013
  • SharePoint 2016
  • SharePoint 2013
  • Dynamics CRM
  • PowerShell
  • Exchange Server
  • System Center
  • Cloud
  • SQL Server and more!

Client Health: Repair the WMI Path and ensure WMI is added

Once upon a time I wrote a Client Health repair script for Windows XP SMS and SCCM 2007 environments.  By far and away the biggest issue was WMI corruption.  The point of this script was to fix as much as humanly possible WITHOUT using WMI.  No minor feat and you can see one section below here.   A major issue that was EASILY remedied was ensuring WMI was in the system path.  This was recently pointed out to me that people were charging for simple logic.  So here is a nice way to do it for free with a few more frills thrown in for free.

Solution: Fix the WMI in the System Path

The fix below will parse you entire system path and remove any %variable%, remove duplicates, and ensure certain items are in the System path like WMI.  I always wanted to add in a check to look for UNC (\\) paths as those always make a system go slower.

The following script will NOT work.  Please see the full CLIFIX script


Dim windir: windir = WSHShell.ExpandEnvironmentStrings("%WINDIR%")

' =============================================================================
' Description: checks that wbem is near the front of the sys path and cleans
' any duplicate statements from the path environment
' =============================================================================


 WindirPath = LCase(windir)
 System32path = LCase(windir & "\system32")
 WBEMpath = LCase(windir & "\system32\wbem")

 WindirPathFound = False
 System32pathFound = False
 WBEMpathFound = False
 SystemRoot = False

 strKeyNamePath = "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
 strValueName = "Path"

 strValue = wshshell.regRead("HKLM\" & strKeyNamePath & "\" & strValueName)
 strValue = LCase(strValue)
 ARRpath = Split(LCase(strValue), ";")

 For i = 0 To UBound(ARRpath)
  'Repalce SystemRoot with actual value
  If InStr(ARRpath(i), LCase("%systemroot%")) <> 0 Then strValue = Replace(strValue, LCase("%systemroot%"), LCase(windir)) : SystemRoot = True : COLLECTMSG "CHK_SYSTEMPATH","Warning Replaced %systemroot%",SystemRoot
  If ARRpath(i) = WindirPath Then WindirPathFound = True
  If ARRpath(i) = System32path Then System32pathFound = True
  If ARRpath(i) = WBEMpath Then WBEMpathFound = True

If (WBEMpathFound = True) And (System32pathFound = True) And (WindirPathFound = True) And (SystemRoot = False) Then COLLECTMSG "CHK_SYSTEMPATH","All Paths Found",WBEMpathFound: Exit Sub

 '// Log the results
 If WBEMpathFound = False Then strValue = WBEMpath & ";" & strValue : COLLECTMSG "CHK_SYSTEMPATH","Error WBEMpathFound", WBEMpathFound:logit=True : CLIENTSTATE = CLIENTSTATE + 1
 If WindirPathFound = False Then strValue = WindirPath & ";" & strValue : COLLECTMSG "CHK_SYSTEMPATH","Error WindirPathFound", WindirPathFound :logit=True : CLIENTSTATE = CLIENTSTATE + 1
 If System32pathFound = False Then strValue = System32path & ";" & strValue : COLLECTMSG "CHK_SYSTEMPATH","Error System32pathFound",System32pathFound:logit=True : CLIENTSTATE = CLIENTSTATE + 1
 If logit = True Then StrERRType = StrERRType & "SYSTEMPATH_"

 '//Take out duplicates
 'Dictionary Object is Much faster
 ARRpath = Split(LCase(strValue), ";")
 Set PureString = CreateObject("Scripting.Dictionary")
 For i = 0 To UBound(ARRpath)
  If Not PureString.Exists(ARRpath(i)) Then PureString.Add ARRpath(i), ARRpath(i) : Debug(ARRpath(i))
 strValues = ""
 For Each strKeyName in PureString.Keys
  strValues = strValues & strKeyName & ";"
 Set PureString = Nothing
 'Remove duplicate semicolons
 If InStr(strValues, ";;") <> 0 Then strValues = Replace(Replace(strValues, ";;", ";"), ";;", ";")
 'Remove trailing semicolons
 ln = Len(strValues)
 If InStr(ln, strValues, ";") <> 0 Then strValues = Left(strValues, ln - 1)
 'Set to current runtime path
 Set oEnv = WshShell.Environment("System")
 Set oEnv = Nothing
 'Set to Registry for next restart
 wshshell.regwrite "HKLM\" & strKeyNamePath & "\" & strValueName,strValues,"REG_SZ" 
 RegCounter "CHK_SYSTEMPATH",1
End Sub

WI 15048: SCCM Control Panel Applet missing – Command line to run it

With the improvements to the control panel the Configuration Manager Control Panel Applet (CPL) has disappeared.  To add insult to injury the default location of the SCCM client is not indexed nor in the system path.

Open the Configuration Manager CPL


SMS back from the dead 🙂  I always wondered if the files were not renamed due to all the white and black listing applications that would have to be updated… or if it is just because that is how they were checked into the coding suite.



Client Health : Group Policy initiated Based Script – All those core fixes still work great with SCCM Current Branch for FREE!

It came to my attention recently in a Twitter Post by Troy Martin that client health is still a thing.  It is silly companies are trying to take your money to fix clients for SCCM by doing things that have been free since 2005 and which SCCM CB fixes really well. Here is a table from the twitter post that is pretty good


To add to the detail of the things you can get from the community.  Here is my updated post from MyITForum in 2008.  I picked up the torch in 2006 and ended in 2010.  Lots of great fixes out there that still work!  Just like the Sunshine and Daises.  Client Health is really easy now and free!

I am ACTIVELY looking for a copy of the script Public_SMS_CLIFIX_V4.21.vbs.txt was the last one I released.  All thanks to @Mike Terrill (www.miketerrill.net) for dredging up 4.18


CLIFIX_Public_4_19 – Thanks to Chad Simmons for finding v4.19

Below is a listing of features in a reworked version of Dudeworks (Thanks Rob and Brian), 1E, et al. (see bottom for longer list) start up scripts.  I recently became aware of Chris Stauffers Client Health Checker v1.2.   My script focuses on workstation health, Chris’ focuses on SMS health.  It is my hope in 2009 to combine these two if it seems intelligent to do.  Hopefully we can have this all together in early 2009.  Be great to present and then for everyone to tear apart at MMS… anything is possible. 

Reminder: this is not finalized.  It takes a community. Please feel free to post updates in the forums.


Workstation Client Health maintenance is a continuous process that must be maintained.


Workstation Client Health maintenance is a continuous process that must be maintained. The following document gives an overview on how to fix several common workstation issues.

Note: The original Link no longer works.  I am actively looking for any version 4.18.  CLIFIX_Public_V4_18

CliFix GPO startup script :- Can NO LONGER be downloaded from here http://myitforum.com/cs2/blogs/scassells/Public_SMS_CLIFIX_4.19.vbs.txt

In an effort to reduce the amount of common workstation issues I have developed a script to check and change the following common issues. This script is to be run via GPO startup scripts. This requires the script to work as the system account and have intranet connectivity. Both are accomplished by running as a GPO. Script Requirements

  1. Script must be in a location where the computers system account has access. Usually on your domain controller ex. \\FQDNDomain\sysvol\ FQDNDomain\
  2. sc.exe must be present for full successful run.
    1. Either in the run path
    2. system32
    3. system32\DLLCache
    4. Note: there are multiple versions floating around in the average environment
  3. regsvr32.exe needs to be present
  4. %systemroot%\system32 needs to be in system path
Script Settings

All, unless I missed some, sections of the script can be turned on and off in the top of the script. Please review the script as some features will fail without modification.

Please Review the following CONFIG SETTINGS Variables:

  • SMSVersion
  • ConfigMgrVersion
  • WKS_CacheSize
  • WKS_LocalAdminGroup
  • WKS_admACCT
  • RegPath
  • strWebAddress
  • StrCCRServer
  • strCCRSiteCode
  • CCMSetUP
What the Script Does
  1. Checks to make sure the script has not run in X many hours.
    1. Example if X = 12 the script will not run again until at least 12 hours after the last occurrence.
    2. This will prevent a slow down on multiple reboots.
  2. Sets DCOM permissions to be correct for SMS / SCCM configuration
  3. Checks to make sure System Path has the 3 required windows paths enabled. (does NOT use WMI or require a restart to change values)
    1. C:\windows
    2. C:\windows\sysetm32
    3. C:\windows\system32\wbem
    4. Also removes %systemroot% from path replacing it with correct full path value
    5. If one of the 3 paths is missing, it will parse the full path removing duplicates and adding a,b,or c to the beginning of the path statement leaving all else unchanged.
  4. Check to see if sc.exe exists in the run from directory and if not in the system32 directory
  5. Checks to see if this script is run on a workstation or server. If a server kills the script
  6. Checks to make sure the correct local admin group is present (value is set in header of script)
  7. Checks WMI service to see if it is set to auto and running. If not executes sc.exe to start the service.
  8. Attempts to connect to WMI object
  9. If the WMI object connect fails
    1. Attempt to do a repair (if no previous status is present in the registry and approved via script switches)
    2. Attempt to do a rebuild (if ‘repair’ status is present in the registry and approved via script switches)
    3. If both the above have failed then do nothing and report major error
  10. Checks to see if Admin$ is present, if not forces existence via WMI
  11. Checks to see if msxml3.dll is registered, if not forces existence via WSH
  12. Checks to see if Qmgr.dll and qmgrprxy.dll are registered, if not forces existence via WSH
  13. Checks to see if OLEAut32.dll is registered, if not forces existence via WSH
  14. Checks to make sure the following services are set to appropriate Status and Mode
    1. RPC
    2. WMI
    3. Firewall/ICS
    4. Server Service
    5. Remote Registry
    6. BITS
    7. Windows Update Services
    8. Terminal Services
    9. Windows Installer
    10. Note: You may want to review the settings for your environment on each of these services. All of the above services are set to default and either Manual or Automatic.
  15. Check the SMS version
  16. Checks the CCMExec service
  17. If SMS is not correct version can be forced to do an install
    1. Needs Review
  18. If the all of the above test passed without issue you have a healthy workstation. The following two checks are for SMS.
    1. Check log file last update time. If the PolicyEvaluator.log file has not been modified in past 14 days do a repair of the client.
    2. Check client assignment. If no assignment set new site code based on AD boundaries in which the client is present.
      1. Note: Some people may want to disable this as it relies on AD
  19. If any fixes above had to be preformed
    1. Check the advanced client state. Which client policies have enabled.
    2. Check the cache size
    3. Send a Client Configuration Request (CCR) to have client installed
    4. Run CCMSetup from the install share on the server.

Note during this script several forms of reporting, logging, and information submitting have been preformed. The standard methods of reporting are:

  • Event log
  • Log file in the %temp% directory for the account used to run
    • GPO = C:\windows\temp
  • Reporting to a website that submits client status to a SQL table.
    • Future WebPost on how to do this

Other verbose methods include:· Two levels of command line reportingo Log to Command lineo Verbose to command line· network share copy

Future Additions:

Area’s that need improvement


·         MyITForum Forum: http://www.myitforum.com/forums/tm.asp?m=107044 ·         1E: http://www.1e.com ·         Chris Stauffers soon to be reviewed: http://myitforum.com/cs2/blogs/cstauffer/archive/2008/06/13/client-health-check-script-and-scheduled-task-version-1-1-release.aspx ·         Brian Mason: Original Author of CliFix ·         Rob Olson: Original Author of CliFix at http://www.dudeworks.com ·         Greg Ramsey:http://myitforum.com/cs2/blogs/gramsey/ ·         Steve Pruitt: http://myitforum.com/cs2/blogs/spruitt/ ·         And the MSSMS list http://www.myitforum.com