AppV for Windows 10 1607–Update Packages / Enable in Windows

I’m going to cover two topics, both updating your old Packages to install without error on 1607, and how to enable AppV in 1607 with Powershell / AppModel Deployment.

We have a few AppV Packages that we use, when doing inplace upgrade from 1511 –> 1607, it automatically enables the new AppV that’s built into Windows, and the AppV Apps that were previously installed just work, that’s great!

However, when trying to deploy AppV Packages via ConfigMgr to newly installed 1607 clients, we’d get error:
Windows Installer packages (.msi files) generated by the App-V sequencer (version 5.1 and earlier) fail to install on computers with the in-box App-V client  Searching for that error led me to:

I also tried to run the MSI, which showed the error that the MSI couldn’t find AppV Client:


From that TechNet article, I tried to follow the directions to update the MSI for the workaround, but would get this error:

The process outlined worked, just that the script included in the Windows 10 ADK doesn’t.   It has some references to old file locations from older SDKs.  After minor modification to the Update-AppvMsiPackage.ps1 script, we were able to make it work. (Changes shown in Picture below)

You can download our Modified Script HERE – Thanks Mark (@Geodesicz)



When you install the ADK, it will install the Sequencer and add the PowerShell Script, that's the one you need to modify / replace.

Steps to upgrade package

  1. Open Elevated Powershell
  2. Import-Module “Update-AppvMsiPackage.ps1” (Use the modified version you created or downloaded)
  3. Update-AppvMsiPackage –msiPackage c:\folder\appvpackage.msi


Now when you deploy that package to a 1607 machine, it works!

AppV in 1607 -

  • AppV Status: Powershell: get-appvstatus
  • Enable: Powershell: Enable-AppV
  • Corresponding Registry Key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client  Enabled = 1

Deploy via Catalog (App Model)



Here’s how to make it:



I have two deployment types, one for the MSI installer & one to activate the built-in 1607
First one will run if build NOT equal 14393, and the second will run if 14393
Only covering the new 1607 method here



Content: You can just put anything, you can probably leave it blank.  I just have it pointed to my folder for the PowerShell Script and documentation.  Just so I remember where to find it.


Program: powershell.exe -Command Enable-Appv

Detection Method = the Registry key I talked about earlier



Requirements: Set to require build 14393 (1607) – You can add this Custom Global Condition by following this awesome guide:


You should now have the ability to use this Application model as a prereq for your AppV Package deployments.

Also, recommend updating your AppV 5.1 Client install to include the detection method for 1607’s.  Consider this Senario.  You have Several AppV Packages you deploy. You have the 5.1 AppV Client as a pre-req for your AppV Package Deployments.  On Windows pre-1607,  it will then install the 5.1 Client.  On Windows 1607, it will fail the install of the client, and not continue with the AppV Package deployment. However, if you already have AppV enabled on 1607 via GPO or OSD, etc, then you can just add the 1607 detection method to 5.1’s install, then when you deploy your AppV Package, it will see the pre-reqs are already installed if 1607, and continue on.



Found a post about an overview of the new AppV in 1607, along with Group Policy info:

Hope you find this useful, took me a day dealing with the incorrect PowerShell Script provided.

Windows 10 In Place Upgrade TS – Fail TS if NOT UEFI

We’re slowly rolling out Windows 10 to our Windows 7 and 8 computers, be we only want the computers to upgrade if they are already UEFI, so we can then enable Secure Boot and all the good stuff that goes along with it.
While we try to ensure we only target machines that are UEFI enabled, we know there is a chance that it might get run on a computer that is not.  To that point, I’ve built in safe guard to make sure the TS stops and the computer stays at the OS level it is, until it can get wiped and reloaded.


To achieve these results, I had to re-engineer how I did this.  I have a similar method for our Bare-Metal installs (Blogged HERE), but the same process didn’t work when starting the TS from inside the OS.

Process for In-Place upgrade:


  1. Group: Confirm UEFI or Fail TS and Reboot – This requires _SMSTSBootUEFI = True
      1. “Notify UEFI Status – Machine Not Set to UEFI” – Command Line:
        MessageBox\serviceUI.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\wscript.exe MessageBox\UEFIStatus-NotUEFI.vbs
        This is using the serviceUI.exe from the MDT Package (tools\x64) and a modifed vbs Script borrowed from windows-noob, originally created to Pause TS. (Script shown below)
        It is using the serviceUI.exe file (available in the MDT package) to be able to interact with the user desktop.  There is a lot of info about this just google “serviceUI.exe”.
        This step calls my OSD-Windows10Scripts package, where I have a folder called MessageBox, where I keep the vbs file & the serviceUI.exe file.

      2. “FAIL Task Sequence” – Command Line: FAIL – This will just make the TS Fail.

Script: “UEFIStatus-NotUEFI.vbs”

'Script to tell the user that the task sequence is paused.
' (c) August 2013.

'hide the Task Sequence Progress window

Set TsProgressUI = CreateObject("Microsoft.SMS.TsProgressUI")

'Popup Message

MsgBox "This Machine is not Running in UEFI, In-Place Upgrade will NOT be available, must do Wipe & Reload Install of Windows 10." & chr(13) & "Click on Ok.", 64,"Requires UEFI - Failed Upgrade"


Script available in the “MessageBox” folder in the download HERE. (OSD-Windows10Scripts folder)

Pictures from Deployment:



Windows 10 upgrade Task Sequence w/ ConfigMgr 1606 for Windows 7/8 or 10.

Update 10/11 – Exported TS, can download HERE.  It is a bit more extensive than the one shown in Original post.  This TS as several indirect contributes, I link back to their blogs, in both the posts and in the actual Description fields of the TS Steps.

  • Includes Required packages, you’ll just have to modify them for your environment
    • Bios Passwords (HP Bios Password File & Dell Bios Steps)
  • Several Applications, I’ve left the steps, but just used a “Place Holder” App.  You can replace them with the ones you’ve setup.
  • Install Updates Step, I’ve removed them and added “dummy” Install Software Update Steps as a reminder to replace them.  There is a bug in 1606 when exporting that doesn’t like the Update Step.  More info on Mike’s Blog
  • Bitlocker – MBAM steps, you’ll need to modify these for your MBAM Server. – More Info HERE


Original Post: 9/29

We’ve been working on our Windows 10 upgrade TS to move to Windows 10 1607, but we also want to use the same TS to upgrade Windows 7 and 8 computers when possible, and if we can upgrade in a way to leverage the additional Security features in Windows 10 that rely on Secure Boot (Credential Guard / Device Guard)

Requirements to upgrade Windows 7 and 8 computers to enable Credential Guard in 10, UEFI:

  1. Bios are already set to UEFI and Machines images in UEFI mode to have correct partitions already available. 
    1. Windows 7, many of our systems are set to UEFI, with Secure Boot disabled.
      1. With HP, as long as you had it set to UEFI Hybrid (with CSM), during the TS, you can change it to UEFI Native.  - On  my oldest HP test model, When the bios is switching over to SecureBoot, it does prompt you to enter a 4 digit code to continue on some models.  Once you enter it, the setup continues without problem. 
      2. With Dell, as long as you had it set to UEFI, you can then enable Secure Boot during the TS
    2. Windows 8.1 could handle UEFI w/ SecureBoot, since we configured our Windows 8.1 machines this way already, it will be a pretty easy in place upgrade.
    3. Placement of your Bios Change Steps are important.  You need to set it so it will change after the system is already upgrading into Windows 10, and no longer boots to Windows 7.  (Make sure there are no reboots before you change the settings and you start the upgrade step.)
  2. If our Machines don’t already have the Bios set in this way to allow upgrading to Windows 10 to leverage the new features, we will do a Wipe & Reload instead of in-place upgrade to ensure we have UEFI & Secure Boot Enabled.

In the TS, we’ve added sections that only applies when upgrading from Windows 7 or 8, one before the upgrade and one after.  In these steps, we do some cleanup of the systems before upgrade, as well as ensure they are already running UEFI.  In the Post Upgrade, we run several other customizations as well as driver updates that we don’t need to if they were upgrading from 1511, which already had them included.  Here is a Capture of the TS, I’ll then break it down.


First, we create a new Group for Machines that are currently on 7 or 8 that will be upgrading to 10
Set it to if None of these conditions apply, use the WMI Query: select * from win32_operatingsystem where caption like 'Microsoft Windows 10%'

    1. Now you need to create a Variable which will be used later:
      I created a variable called “UpgradeTo10” and set it to True.
  1. UEFI Status – I have a section that will Check to make sure UEFI is set, otherwise it will fail and stop the TS. – Not necessary, but I just want to make sure we’re only upgrading systems that are set to UEFI so we can enable the additional security features Secure Boot offers.
    Update 10/3/2016 – Blogged how I did this section HERE
  2. Bitlocker Removal – This decrypts the drive from AES-256, and waits for the decrypt to finish (So we can use the new Bitlocker Encryption available in 1511 & up). – Script to decrypt and wait until finished can be found here:
    Note, we also disabled the MBAM service, we had MBAM kick in and start the encryption process during our testing.
  3. Uninstall Old Software.. – This section I have it remove software we no longer want on the machines as we move to Windows 10, just a little Clean up.
  4. Set Secure Boot – This section loads the Bios Settings to Enable Secure Boot.  If you have any reboots between these bios changes and the Upgrade OS step, it will prevent your computer from booting and stop the TS Process.
    1. Use the Vendor provided tools to create packages to modify your bios
      1. HP:
      2. Dell:

After those steps, we have several steps that Pertain to the upgrade process in General, they happen no matter if the upgrade is from 7 or if upgrading from 1511 to 1607.  We’ve found that upgrading from 1511 to 1607 removes some customizations, so we reapply them in that section, as well as run drivers updates using the Dell & HP Driver update tools.  This saves us from having to add drivers to the OSD process, as they are updated dynamically.

Now we have another section that is just for the Computers upgrading from 7 / 8.1 to Windows 10.  It consists of 4 sections, it runs when it sees the TS Variable “UpgradeTo10” is True.

  1. Enable Credential Guard – This section contains several steps to enable the features in Windows 10 and apply the registry keys to enable – Steps are found on my post HERE.  However, just change the DISM command from dism.exe /image:c: to Dism.exe /Online
    1. Step 1: cmd /c Dism.exe /Online /Enable-Feature /FeatureName:Microsoft-Hyper-V /All /NoRestart /quiet
    2. Step 2: cmd /c Dism.exe /Online /Enable-Feature /FeatureName:Microsoft-Hyper-V-Management-Clients /All /NoRestart /quiet

      HERE is another nice post by @LofgrenPeter about enabling Credential Guard and removing the Hyper-V Tools if you don’t plan to use them.

  2. Update Applications – This section includes any other software we want to update to make it more in line with rest of our Windows 10 machines.  In my example, all of our Current Windows 10 machines already have Office 2016, so when we upgrade Windows 7 machines, we want to upgrade Office from 2013 to 2016 as well.
  3. OSD-Windows10-Package – This sections has additional tweaks for Windows 10 that are not present when upgrading from 7 or 8.1, but were present already when upgrading from previous builds of Win10.
  4. Enable Bitlocker – This section sets the Registry Keys and Enables Bitlocker XTS-256 – Steps are found on my post HERE 

Machines Tested:  Windows 7 –> Windows 10 1607 – These systems updated in place without any user intervention, including the enabling of Secure boot, activating Credential guard and encrypting with XTS 256… unless otherwise noted.

  1. Dell (Bios already set to UEFI w/ Legacy Boot Rom enabled & SecureBoot Disabled before upgrade)
    1. Latitude E6430
    2. Latitude E6530
    3. Latitude E6440
    4. Latitude E6540
    5. Latitude E7240
    6. Latitude E7250
    7. Latitude E5550
    8. OptiPlex 7010
  2. HP  (Bios already set to UEFI w/ Hybrid CSM & SecureBoot Disabled before upgrade)
    1. Revolve 810 G1 – During the first reboot in the “Upgrade OS..” Step, it prompts for user input to approve Bios Changes.  I’ve found more info here, page 9.
    2. Revolve 810 G2
    3. Revolve 810 G3

Note, when you’re imaging Windows 7, make sure you’re imaging them in UEFI mode, to make upgrade easy.  Dell should look like this, then choose the UEFI boot Flash Drive to start your image.

That will boot your computer in UEFI mode, format the Drive for UEFI and install Windows 7.  Then when you go to upgrade to 10, there are no issues, you can have it disable legacy rom, and enable Secure Boot during the TS and have all the features Windows 10 has to offer without wipe and reload.

HP Bios should be set like this for your Windows 7 Deployments:

Then during the upgrade from 7 to 10, you can use the HP Bios Config tool (BiosConfigUtility64.exe) to change the settings: 
CMD Step: BiosConfigUtility64.exe -set:EnableSecureBoot.txt -cspwdfile:HPBiosPassword.bin
Just have a packages with the HP Tools and your Password file in it.


For more info about adding drivers in a more traditional way for your upgrades, check out Johan’s Post:

Remember, this is NOT a solution to change Legacy Bios to UEFI, still recommend 1e’s solution for that.  This was only if you had set your systems to UEFI while installing Windows 7 / 8.  I did hear a rumor that the ConfigMgr team is working on a Bios->UEFI solution built into a future release… so that’s exciting.

Windows 10 in place upgrade Task Sequence, auto re-install RSAT.

I was testing the in place upgrade of 1511 to 1607, once I logged back in, I noticed my ADUC & Group Policy tools where missing, then remembered that the upgrade removes Remote Server Administration Tools (RSAT).  Since I already had it setup as an application, I figured I could add a couple steps to check if I have it, then reinstall it after the upgrade.

A nice overview of the Upgrade TS Option in CM1606 here:
And a quick overview here:

I’ve heavily modified the TS to include upgrading from Windows 7 and 8.1 computer if they already have bios set to UEFI.  However, I’ll go into that in a future post, for now, I just want to cover RSAT in 1511 to 1607.

  1. First step was to create at TS Variable if RSAT is installed.
    1. Create a step “Set Task Sequence Variable”, I called my variable “RSATInstalled” and set it to true.
    2. Have it run if the following conditions are met, WMI Query: select * from Win32_QuickFixEngineering where HotFixID like"KB2693643"
  2. Now, after it upgrades and installs 1607,
    1. Create an Install Application Step and point it to your RSAT Install for Windows 10.
    2. Set it to run if the TS Variable “RSATInstalled” equals true

You’re all set, after upgrading to 1607 using your Upgrade TS, you’ll see RSAT was reinstalled, and you’re ready to do your Remote Administration.

To make the application for RSAT, here is a good walk-through:

HP Driver / Bios Updates during OSD with System Software Manager

I recently figured out how to skip importing Dell Drivers into ConfigMgr and just dynamically apply them during OSD using the Dell Command Update tool.  Being that I have some HP computers, I was hoping to do something similar with their driver updater, but it was more work, and the documentation was poor, so I put that idea on hold.  Now that I’m setting up a new ConfigMgr environment, I thought it would be a good time to go down that road again, as I don’t want to mess with importing drivers into my new system.

My Goals for doing this is:

  1. Not having to import Drivers into the ConfigMgr console (Not saying that is bad, as it’s supported by MS, and just works, I just don’t like driver management.  I like a clean console)
  2. Having the latest Video \ Wi-Fi \ Chipset \ etc drivers installed during OSD with minimal maintenance.

This solution requires two HP Software items to be setup and working together.

  1. HP System Software Manager (SSM) (Client Package during OSD & Server Side)
    Documentations: PDF – Gives Command Line info, and explains in more detail the commands I use below.
  2. HP SoftPaq Download Manager (Server Side)

Server Update Share:  You’ll need a Server to host your SoftPaqs and create your file share.  I’m using my ConfigMgr Source Server, and created a new Share.

  1. Create a new Folder for your HP Updates, then Share it: \\Server\HPSSM$ (or whatever you want to name it.)
    Share Permissions: Domain Users & Domain Computers = Read
  2. Share Security: Add Domain Computers, Read & execute
  3. Install HP SoftPaq Download Manager (I used the defaults) – This can be on the server or Admin Workstation – I installed locally on source content server for simplicity.
  4. Setup your Configuration, OS & Models & Set Download Directory)
    Download Folder= The Directory you used for your Share
    Choose the OS you want to download drivers for.  You might have to play with this a little, nothing showed up for Windows 7 x64, until I choose the “Enterprise” version, it was the opposite for Windows 10.
    Select the Models of HP you have, I only have these 3 Models
  5. Now click “Find Available SoftPaqs in upper left, and it will populate.
  6. Select the updates you want, then click Download

Now, install the System Software Manager on the Server

  1. I just followed the defaults to let it install (Or install this on a test machine)
  2. Copy the SSM.exe & from C:\Program Files (x86)\Hewlett-Packard\System Software Manager to your Softpaq Download Folder and run the command from that directory: ssm /am_bld_db
    Note: in my Example, D:\Shares\src\Updates\HP\Softpaqs = \\server\hpsum$ (Driver Store Share)
    1. This will create the ssmcva.mdb & ssmcvalc.mdb files in  that directory
  3. Now your share is setup, your drivers downloaded and driver database created.


Create your Package for OSD and place in TS

  1. Batch File (Load_HPDriverUpdates.cmd)

    REM Run SSM.exe pointing to Source Server for Driver Store Info

    SSM.exe \\server.fqdn\hpssm$ /a /noreboot /log:c:\cabs\InstallLogs

  2. SSM.exe (Grab from the one you installed on the Server)
  3. (Grab from the one you installed on the Server)
  4. Create TS Step – Run Command Line: cmd.exe /c Load_HPDriverUpdates.cmd & set the Package to the one you created.
    This step is well after the computer joins the domain, so it has access to the Update Share you created based on the fact it’s a Domain Computer.
    Right after that Step, I have a “restart” step to allow the drivers to apply, then continue on.
  5. Then during OSD you’ll see this:

After OSD is complete, you’ll have your Drivers installed.

One other thing I did to make this work was import several network / storage drivers into the base WIM, to ensure the machine had basic support (Using the Dell WinPE Driver Cab for Win10 & Win7).  I set this up for my Dell computers, but the basic drivers work on the HP as well, I didn’t have to do anything extra to support the HP machines. I’m not going to go cover that process here, please refer to my earlier Post for Dell HERE.


Systems Tested on: (Test Scenario: All drivers are already available in WIM via Build and Capture, or using HP SSM to apply any available updated drivers or missing Drivers, NOT using the Apply Driver step in ConfigMgr)

  1. Windows 7 x64
    1. Revolve 810 G1 – Note – USB 3 driver causes BSOD when Installing, tried several versions, get BSOD installing anyone w/ Win7. However, after BSOD, it does appear to be installed.
      Also, the NFC driver doesn’t install during OSD.  It shows “Unknown Device”, if I run the same command outside of OSD, it installs it fine.  Still trying to figure that one out.
    2. Revolve 810 G2 – Note – SMB Bus driver was missing, I couldn’t find an available softpaq for it.  It was the Synaptic SMB Bus driver, so I added it directly into the Windows WIM during B&C.  I was unable to find the individual driver download on HP’s site, but it was included in the large Drive pack download. Now that the driver is in the B&C WIM, all drivers are installed by the end of OSD.
    3. Revolve 810 G3  - All Drivers were installed properly.  I think it would have had the same issue as the G2 with the SMB Bus Driver, but since I tested after applying the WIM fix for the G2, guess I’ll never know.
  2. Windows 10 x64
    1. Revolve 810 G1 – Does not install the Audio Driver, defaults to the Generic HD driver & JMicron PCIe SD Host Controller was missing – Was not listed on HP’s site, but the Windows 7 Driver – Was able to edit the sp63637.cva file on the SSM share to add Windows 10. Works fine.
    2. Revolve 810 G2 – Does not install the Audio Driver, defaults to the Generic HD driver, Needs sp65631 installed (IDT Audio) – Was able to edit the sp65631.cva file on the SSM share to add Windows 10. 
    3. Revolve 810 G3 – Installed all Drivers, no missing drivers after OSD.

My Recommendations, use the HP Driver Package like you’ve always done, then use HP’s Update Software to Update specific Drivers to the latest versions (Video / WLAN / LAN / etc)

Not all drivers would apply, and it did take some modifications of the .cva files to get it working fully.  Overall, I think this is a good technology to supplement driver packages, but not completely replace it.

Other thoughts:  You can also use this to update bios, I have tested this, and works. Make sure you do it before you enable Bitlocker.  This does NOT work in x64 PE, you have to do it in x86 PE or after the OS is installed. One odd thing, it will apply the bios update every time the computer is imaged, even if it is the same version.  Not sure why that happens.  I’m currently using the Application Model to deploy HP Bios to machines in production.