Deploy Windows 10 Desktop Shortcuts and Icons with SCCM Configuration Baselines

It started with a Tweet…

I promised on Twitter that I would write this post if I had 20 peoples interest…

Background

We had a requirement to deploy Desktop Shortcuts, to the Windows 10 Public Desktop, for a new application. The shortcut was deployed using Group Policy Preferences (GPP). Below is a link to a nice article showing you how to do this:-

https://blogs.technet.microsoft.com/askds/2014/02/17/adding-shortcuts-on-desktop-using-group-policy-preferences-in-windows-8-and-windows-8-1/

There was also a requirement to publish a “Custom” icon for each Desktop Shortcut.

Why use a Configuration Item?

With SCCM there are lots of ways to “skin the cat”. We can use an Application to deploy a single icon file and have the Application Detection Method detect the icon file. If the file doesn’t exist it would get deployed to the client – nice and easy. Equally, we could use a Configuration Item for our detection logic (does the icon file exist) and then deploy a Package/Application, that puts the icon on the client, for any client that fails the Configuration Baseline Evaluation.

The purpose of this post is to show you how you “could” use Configuration Items in your Windows 10 environment. I have picked a relatively simple example and some may argue:-

“Ben, why don’t you just use GPP’s for the Shortcut and an Application to deliver the custom .ico file?”

I could!……. But i’m showing off Configuration Items 🙂

By the end of this post, I hope you will have a better understanding of how useful and flexible Configuration Items and Baseline are.

  1. Brief overview of Configuration Items and Configuration Baselines
  2. Create an Application for the Custom Desktop Icon
  3. Create an Application for the Desktop Shortcut
  4. Create a Configuration Item/Baseline to detect if the Desktop Icon exists
  5. Create a Configuration Item/Baseline to detect if the Desktop Shortcut exists
  6. Understanding the Configuration Baseline Results
  7. Re-mediate any client that fails the Configuration Baseline Evaluation for the Desktop Icon
  8. Re-mediate any client that fails the Configuration Baseline Evaluation for the Desktop Shortcut

1. Brief overview of Configuration Items and Configuration Baselines

Before we begin, it may help you to get an overview of Configuration Items (CI’s) and Configuration Baselines CB’s).

Configuration Item (CI)

A CI defines a collection of “Settings” that must meet a specific Condition (Compliance Rule) for that item to be then marked as Compliant.

Example

  1. “File C:\Icon\Icon1.ico” ( <= Setting) “Does the file Exist?” ( <= Compliance Rule)
  2. “Registry Item HKLM\Software\PayRise /v Amount” ( <= Setting) “Does it = £1,000,000?” ( <= Compliance Rule)
Configuration Item (CI) Example

We can use the following settings when creating a CI:-

  • Active Directory Query
  • Assembly
  • File System (<= Using this one in our post)
  • IIS Metabase
  • Registry Key
  • Registry Value
  • Script
  • SQL Query
  • WQL Query
  • XPath Query

Different Settings will allow different remediation options. Some “Non Compliant” Settings can “Self Heal” in order to become Compliant.

Configuration Baseline (CB)

A CB is a collection of CI’s that will be deployed to and evaluated by your clients. Upon evaluation of each of the CI’s in the CB, a result of “Compliant” is returned only if ALL the CI’s in the CB are evaluated as “Compliant”. If only some of the CI’s are evaluated as “Compliant” the overall evaluation will be “Not Compliant”. It is therefore important that you take care when deciding a CI’s membership with a CB.

When will the Client evaluate the CB?

When you deploy a CB to a Collection, you can specify an evaluation schedule. The default Evaluation Schedule is 7 Days. Care should be taken when considering the Evaluation Schedule, especially if you are deploying scripts that could invoke lots of system resources. Do you really want to be checking for that Desktop Icon every minute?

When the Compliance of a CB is reported back to the server, we can create a Collection for all Clients that report the same Compliance status! Some CI Settings, like File System, are unable to automatically re-mediate so we create a Collection for our non Compliant Clients and we can then re-mediate them with other tools from the SCCM arsenal

Create a new Collection for Non-Compliant Clients

2. Create an Application for the Custom Desktop Icon

In this section we will create an Application to deploy out custom .ico file

I like creating Applications to deliver files to Clients. Here are just a few reasons why:-

  1. CCMCache. We can leverage Branche Cache, Peer Cache, Johnny Cash (SIC) and BITS throttling when delivering files to clients
  2. We can use the same Application in a Task Sequence to deliver the same file during a IPU or Wipe and load OSD – less duplication = less admin work = more time to drink coffee
  3. An Application allows me to identify if the file exists before it downloads to the clients local cache

Prerequisites

  • Before we create the Application, place your custom .ico file and icon installation script on your normal “Content Location” UNC share (Step 8 has more details on what your “Content Location” folder should look like.
  • On your Admin machine, also place your custom .ico file in C:\Windows\Icons (You will need to create this folder). We will need this in place for when we create our Desktop Shortcut later.

1 . From the SCCM Admin Console, navigate to Software Library > Applications. Right Click Applications and choose Create Application

Create a New Application

2 . In the Create Application Wizard, choose Manually Specify the Application Information and click Next

Choose Manually Specify the Application Information

3 . Choose a Name for the new Application and click Next

Give your Application a Name

4 . We are not going to Display this Application in the Catalog so no need for a shiny icon or description. Click Next

No need to customize here, we are not displaying this Application in the Catalog

5 . We need to add a Deployment Type so click Add

Click “Add” to create a new Deployment Type

6 . Choose Script Installer from the Deployment Type drop down box and click Next

Choose “Script Installer” as the Deployment Type

7 . Give the Deployment Type a Name and click Next

Give the Deployment Type a Name

8 . Specify the Application Content Location and Installation Program and click Next

Content Location: “\\contentserver\share\Icons\Awesome New App”
Installation Program: Powershell.exe -ExecutionPolicy Bypass -File “Install_Icon.ps1”

* When the Application is deployed, we will use a script to copy the .ico from the ccmcache folder to another local folder on the client. By using wildcards, we can re-use the same script when we look at deploying other .ico files to clients. An example of what the contents of the “Install_Icon.ps1” script could be is:-

Your Content Location should be looking something like this by now…

Two files present in the Application Content Location

9 . Click Add Clause

Add a Clause for the Detection Method

10 . Now we set the Detection Rule. Choose “FileSystem” from for the Setting Type and set the following fields:-

  1. Type: File
  2. Path: C:\Windows\Icons
  3. File or Folder Name Awesome_New_App_Icon.ico

Click OK

Set the Application Detection Rule

11 . Click Next

Click Next after creating a Detection Rule

12 . Set the User Experience settings to the following values:-

  1. Installation Behavior: Install for System
  2. Logon Requirement: Whether or not a user is logged on
  3. Installation Program Visibility: Hidden

Click Next

Specify the User Experience Settings

13 . Click Add on the Installation requirements for this deployment type page

14 . On the Create Requirement page, select the following values:-

  1. Category: Device
  2. Condition: Operating System
  3. Operator: Windows 10

Click OK

Set the Requirement to Windows 10

15 . Click Next

After Adding the Application Requirement, click Next

16 . Click Next on the Software Dependencies screen (we wont be setting anything here)

17 . Click Next after reviewing the Summary

18 . Click Close to complete creating the Deployment Type

19 . Click Next

20 . Click Next again

21 . Click Close to complete the Application creation process

Voila, we have our Application

3. Create an Application for the Desktop Shortcut

In this section we will create an Application to deploy our Desktop Shortcut. The steps are very similar to the previous section so we will omit screenshots.

For the benefit and simplicity of this post, I am using a shortcut for calc.exe

Prerequisites

In the previous section we created an Application to deploy our custom .ico. We need to ensure that the Desktop Shortcut we create for use in this section points to the correct .ico file on our clients.

  • Ensure the icon reference of the shortcut points to C:\Windows\Icons\Awesome_New_App.ico
  • Place your Desktop Shortcut and Desktop Shortcut installation script on your normal “Content Location” UNC share.
    (Step 8 has more details on what your “Content Location” folder should look like.
Your Desktop Shortcut should be pointing to the location your .ico will be deployed to on the clients

1 . From the SCCM Admin Console, navigate to Software Library > Applications.Right Click Applications and choose Create Application

2 . In the Create Application Wizard, choose Manually Specify the Application Information and click Next

3 . Choose a Name for the new Application and click Next e.g. Awesome New App – Shortcut

4 . We are not going to Display this Application in the Catalog so no need for a shiny icon or description. Click Next

5 . We need to add a Deployment Type so click Add

6 . Choose Script Installer from the Deployment Type drop down box and click Next

7 . Give the Deployment Type a Name and click Next e.g. Awesome New App – Shortcut

8 . Specify the Application Content Location and Installation Program and click Next

Content Location: “\\contentserver\share\Shortcuts\Awesome New App”
Installation Program: Powershell.exe -ExecutionPolicy Bypass -File “Install_Shortcut.ps1”

* When the Application is deployed, we will use a script to copy the .lnk from the ccmcache folder to the Public Desktop on the client. By using wildcards, we can re-use the same script when we look at deploying other .lnk files to clients. An example of what the contents of the “Install_Shortcut.ps1” script could be is:-

The Content Location should contain your Shortcut and an Installation Script

9 . Click Add Clause

10 . Now we set the Detection Rule. Choose “FileSystem” from for the Setting Type and set the following fields:-

  1. Type: File
  2. Path: C:\Users\Public\Desktop
  3. File or Folder Name Awesome New App.lnk

Click OK

11 . Click Next

12 . Set the User Experience settings to the following values:-

  1. Installation Behavior: Install for System
  2. Logon Requirement: Whether or not a user is logged on
  3. Installation Program Visibility: Hidden

Click Next

13 . Click Add on the Installation requirements for this deployment type page

14 . On the Create Requirement page, select the following values:-

  1. Category: Device
  2. Condition: Operating System
  3. Operator: Windows 10

Click OK

15 . Click Next

16 . Click Next on the Software Dependencies screen (we wont be setting anything here)

17 . Click Next after reviewing the Summary

18 . Click Close to complete creating the Deployment Type

19 . Click Next

20 . Click Next again

21 . Click Close to complete the Application creation process

4. Create a Configuration Item/Baseline to detect if the Desktop Icon exists

In this section we will create a Configuration Item and Baseline to evaluate if the required .ico file is on the client

1 . From the SCCM Admin Console, navigate to Assets and Compliance > Compliance Settings > Configuration Items > Create Configuration Item

Create a Configuration Item

2 . Specify general information about the CI

  • Name: Awesome New App – Icon
  • Type of Configuration: Windows Desktops and Servers (custom)

Click Next

Set some general information for this CI

3 . Choose your supported platforms, in our case Windows 10, and click Next

Choose the supported platforms for this CI

4 . Click New to add a setting for us to evaluate in this CI

Click New to add a setting to evaluate in this CI

5 . Add the following information into your CI Setting. Remember the Setting is the item you are looking to evaluate. In our case we are going to evaluate C:\Windows\Icons\Awesome_New_App.ico as specified in Section 2

  • Name: Awesome New App – Icon
  • Setting Type: File system
  • Path: C:\Windows\Icons
  • File or Folder Name: Awesome_New_App.ico

Click the Compliance Rules tab

Add some setting information to the CI

6 . Click New

Click New

7 . Specify the following Compliance Rule settings

  • Name: Awesome New App – Icon
  • Rule Type: Existential
  • Setting: File must exist on client devices

Click OK

Specify Compliance Rule Settings

8 . Click OK

Click OK in the Create Setting window

9 . Click Next

Click Next

10 . Click Next

Click Next

11 . Click Next

Click Next

12 . Click Close

Click Close

Now that we have created the CI we can go ahead to create the CB to deploy to our clients

13 . From the SCCM Admin Console, navigate to Assets and Compliance > Compliance Settings > Configuration Baselines > Create Configuration Baseline

Create a new Configuration Baseline

14 . Give the CB a name e.g. Awesome New App – Icon

Name your CB

15 . Click Add > Configuration Items, select the CI we created previously and click Add

Select the CI and click Add

16 . Click OK

Click OK

17 . Click OK

Click OK

18 . Select your new CB and click Deploy from the ribbon toolbar

Highlight the CB to Deploy

19 . Click Browse to select the Collection to deploy this CB to

Click Browse

20 . Select your desired Collection to deploy this CB to and click OK

Select your desired Collection to deploy the CB to

21 . Select an Evaluation Schedule. This is how often your client will evaluate the CB. In this example, we will evaluate the CB once per day

Click OK

Select an Evaluation Schedule and click OK

5. Create a Configuration Item/Baseline to detect if the Desktop Shortcut exists

In this section we will create a Configuration Item and Baseline to evaluate if the required .lnk file is on the clients Public Desktop. The process is similar to Section 4 so we will omit screenshots

1 . From the SCCM Admin Console, navigate to Assets and Compliance > Compliance Settings > Configuration Items > Create Configuration Item

2 . Specify general information about the CI

  • Name: Awesome New App – Shortcut
  • Type of Configuration: Windows Desktops and Servers (custom)

Click Next

3 . Choose your supported platforms, in our case Windows 10, and click Next

4 . Click New to add a setting for us to evaluate in this CI

5 . Add the following information into your CI Setting. Remember the Setting is the item you are looking to evaluate. In our case we are going to evaluate “C:\Users\Public\Desktop\Awesome New App.lnk” as specified in Section 3

  • Name: Awesome New App – Shortcut
  • Setting Type: File system
  • Path: C:\Users\Public\Desktop
  • File or Folder Name: Awesome New App.lnk

Click the Compliance Rules tab

6 . Click New

7 . Specify the following Compliance Rule settings

  • Name: Awesome New App – Shortcut
  • Rule Type: Existential
  • Setting: File must exist on client devices

Click OK

8 . Click OK

9 . Click OK

10 . Click Next

11 . Click Next

12 . Click Close

Now that we have created the CI we can go ahead to create the CB to deploy to our clients

13 . From the SCCM Admin Console, navigate to Assets and Compliance > Compliance Settings > Configuration Baselines > Create Configuration Baseline

14 . Give the CB a name e.g. Awesome New App – Shortcut

15 . Click Add > Configuration Items, select the CI we created previously and click Add

16 . Click OK

17 . Click OK

18 . Select your new CB and click Deploy from the ribbon toolbar

19 . Click Browse to select the Collection to deploy this CB to

20 . Select your desired Collection to deploy this CB to and click OK

21 . Select an Evaluation Schedule. This is how often your client will evaluate the CB. In this example, we will evaluate the CB once per day

Click OK

6. Understanding the Configuration Baseline Results

The clients will evaluate the two CB’s at the schedule you set. In our example, once per day. We can see the results of the evaluation either on the client or in the console

Compliance Results as seen in the Console
Compliance Results as seen on the Client

If we click View Report from the client, we can see some more information for the Compliance Result and reason for Non-Compliance

This CB evaluated as Non-Compliant because:-

  1. The CI was Non Compliant… because…
  2. The setting being evaluated (does file exist) was not present
  3. Because there was not 100% CI Compliance, the Baseline resulted in Non-Compliant
Configuration Baseline Evaluation Report

While we are here, load C:\Windows\CCM\Cmtrace.exe on the client and open C:\Windows\CCM\Logs\CIAgent.log to view the CI Evaluation log

CIAgent.log

We have established that both CB’s are Non-Compliant meaning we have neither the Desktop Shortcut or Desktop .ico file on our clients.

Some CI’s, when marked as Non-Compliant, can be set to automatically re-mediate in the CB settings. For example when using Registry Values and Scripts as Compliance Conditions

Some CI’s can self heal like lizards

We don’t have the ability to do this when dealing with files. Isn’t it handy we created some Applications earlier! We can use these Applications to re-mediate the Non-Compliant clients

7. Re-mediate any client that fails the Configuration Baseline Evaluation for the Desktop Icon

In Section 6 we looked at the evaluation status of the CB’s in the SCCM console. We will now deploy the Application we created in Section 2 to any Non-Compliant client

1 . From the SCCM Admin Console, navigate to Assets and Compliance > Compliance Settings > Configuration Baselines

  1. Select the Baseline where you wish to deploy the Application Awesome New App – Icon to Non-Compliant clients
  2. Select the Deployments tab
  3. Select the Deployment
  4. On the Ribbon menu, click Create New Collection and choose Non-Compliant
Create Collection from Configuration Baseline Deployment Panel

2 . In the Create Device Collection wizard, click Next

Click Next

3 . In the Define Membership Rules for this Collection window, click Next

Click Next

4 . Click Next in the Summary Windows

Click Next

5 . Click Close to complete the Create Device Collection Wizard

All Collections created from a CB are placed in Assets and Compliance > Device Collections > Devices and Collections

The new Collection is in the root of the Device Collections folder

6 . To deploy our Awesome New App – Icon Application to this Collection

  1. Highlight the Collection
  2. On the Ribbon menu, click Deploy
  3. Select Application
Deploy an Application to the Non-Compliant Configuration Baseline Collection

7 . In the Deploy Software Wizard, click Browse

Click Browse

8 . Select Awesome New App – Icon and click OK

Select the Application to Deploy and click OK

9 . Click Next

10 . Click Add and choose a Distribution Point or Distribution Point Group to distribute the Application Content to

Distribute the Content for the Application

11 . Select the Distribution Point or Distribution Point Group and click OK

Select the Distribution Point or Distribution Group and click OK

12 . Click Next

Click Next

13 . Select Required from the drop down list and click Next

Select Required for the purpose of the Deployment

14 . To Deploy the Application ASAP, leave these setting as Default and click Next

Click Next

15 . In the User Notifications drop down box, choose Hide in Software Center and all Notifications and click Next

Choose to hide the Application in Software Center – we don’t want the user interacting with this Application

16 . Click Next

We will leave Deployment alerts off for this Deployment

17 . Click Next

Click Next

18 . Click Close

Click Close

At the next Computer Policy refresh interval, the Policy Agent will run and our clients will get the new Deployment for Awesome New App – Icon

We can check C:\Windows\CCM\Logs\AppDiscovery.log

AppDiscovery.log gives us an indication that the Application was not detected so it will be installed

Voila, we have our .ico file in our folder

Application successfully deployed the .ico file to our folder on the client

At the next CB evaluation schedule, because the .ico is now on the client, the CB should return a Compliance State of Compliant

Evaluation showing the Configuration Baseline as Compliant

If we check back in the SCCM Console, the Compliance status for clients in the CB will be updated (be patient)

Clients will start to come back into Compliance

8. Re-mediate any client that fails the Configuration Baseline Evaluation for the Desktop Shortcut

In Section 7 we looked at re-mediating Clients that did not have our custom .ico file. In this section we will perform similar steps to re-mediate the missing Desktop Shortcut on Non-Compliant Clients. We will omit screenshots in this section as they are similar to the previous section

1 . From the SCCM Admin Console, navigate to Assets and Compliance > Compliance Settings > Configuration Baselines

  1. Select the Baseline where you wish to deploy the Application Awesome New App – Shortcut to Non-Compliant clients
  2. Select the Deployments tab
  3. Select the Deployment
  4. On the Ribbon menu, click Create New Collection and choose Non-Compliant

2 . In the Create Device Collection wizard, click Next

3 . In the Define Membership Rules for this Collection window, click Next

4 . Click Next in the Summary Windows

5 . Click Close to complete the Create Device Collection Wizard

6 . To deploy our Awesome New App – Icon Application to this Collection

  1. Highlight the Collection
  2. On the Ribbon menu, click Deploy
  3. Select Application

7 . In the Deploy Software Wizard, click Browse

8 . Select Awesome New App – Shortcut and click OK

9 . Click Next

10 . Click Add and choose a Distribution Point or Distribution Point Group to distribute the Application Content to

11 . Select the Distribution Point or Distribution Point Group and click OK

12 . Click Next

13 . Select Required from the drop down list and click Next

14 . To Deploy the Application ASAP, leave these setting as Default and click Next

15 . In the User Notifications drop down box, choose Hide in Software Center and all Notifications and click Next

16 . Click Next

17 . Click Next

18 . Click Close

As in the previous section for our custom .ico, at the next Computer Policy refresh interval, the Policy Agent will run and our clients will get the new Deployment for Awesome New App – Shortcut

We can see in C:\Windows\CCM\Logs\AppEnforce.log that the Application was installed

AppEnforce.log shows Application Installing successfully

We can also see our new Desktop Shortcut…using our custom .ico file!

Awesome New App.lnk is copied to the Client and the reference to the .ico in C:\Windows\Icons is working

Conclusion

In this, long, post we learned how to create an Application for our our new Desktop Shortcut and our custom .ico file. We also looked at creating Configuration Items and Configuration Baselines to identify Clients that were missing the Desktop Shortcut or custom .ico file. We then deployed those Applications to the Non-Compliant clients and re-mediated them.

As i said at the beginning of this post, there are lots of ways to skin the SCCM cat. I personally use Group Policy Preferences to deliver the Shortcut but then use an SCCM Application to deliver, when required, a custom .ico file

I hope I have given you an understanding of how you could use Configuration Items and Configuration Baselines in your environment to re-mediate some of the daily challenges us admins face.

4.7/5 - (4 votes)

4 thoughts on “Deploy Windows 10 Desktop Shortcuts and Icons with SCCM Configuration Baselines”

  1. Thank you very much for this post! However, I have followed these steps exactly, and in my testing everything works as far as to download the application files to the ccmcache folder but then never executes the scripts to create the icon folder, deploy the shortcut, etc. I don’t see any errors but also not sure if I am checking the correct logs. I have tested the scripts locally and they definitely work. Any suggestions for how to determine why it would not be completing that final step?

    Thanks in advance!

  2. Hey Ben, no problem at all. We could never get this to work unfortunately, all the pieces were there but the final step of the script running against the deployed to client just wouldn’t take. We ultimately used the ‘Run Script’ option against a collection which did give us the results we were looking for.

    If the need arises again I’ll be sure to check back and report if any other/more problems though.

    Thanks for checking in!

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.