Windows AutoPilot Deployment

Microsoft has announced that Windows AutoPilot Deployment – a new cloud service that enables IT professionals and partners to customize the Windows 10 out of box setup experience. It used cloud configuration, delivering a self-service deployment experience with new Windows 10 Pro devices. It is now available through CSP.https://blogs.windows.com/business/2017/06/29/delivering-modern-promise-windows-10/#7Y0FQE61FUq42yKb.97

For Windows AutoPilot Deployment feature overviews and demos please see below:

Persistent Device Drivers in Reference Image

We needed to keep the Intel USB 3.0 drivers in a Windows 7 reference image.

  1. Import the drivers into MDT and create a selection profile.
  2. Edit the TS and update the Injected Drivers step to point to the selection profile.
  3. Open and edit Unattend.xml. Add the component called Microsoft-Windows-PnpSysprep to Step 3 Generalize.
  4. Edit the PersistAllDeviceInstalls option to be true.
  5. Save the Unattend.xml file and close.

More information here: http://technet.microsoft.com/en-us/library/ff716298.aspx

Windows 7 Pre-Provision Bitlocker Not Working

After updating Configuration Manager 2012 R2 and adding the Windows 10 ADK, task sequences will no longer pre-provision BitLocker

Reason:

With WinPE 10 it uses the AES-CBC 128-bit encryption method.

Solution:

Add the following Run Command Line steps after Format and Partition and before Pre-provision BitLocker.

  1.  Set EncryptionMethodWithXtsFdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsFdv /d 3 /f
  2. Set EncryptionMethodWithXtsOs – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsOs /d 3 /f
  3. Set EncryptionMethodWithXtsRdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsRdv /d 3 /f

Available Encryption Methods in WinPE 10

  1. Value Data: 3 (Description: AES-CBC 128-bit)
  2. Value Data: 4 (Description: AES-CBC 256-bit)
  3. Value Data: 6 (Description: XTS-AES 128 bit)
  4. Value Data: 7 (Description: XTS-AES 256-bit)

CScript Error: Can’t find script engine “VBScript” for script

During a OSD task sequence in Configuration Manager, we ran into an error with a VBS script that has worked previously.

The error in the SMSTS.LOG file was: CScript Error: Can’t find script engine “VBScript” for script

The problem appears to be caused by a changed registry value: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\REGDBVersion

After some searching on the internet the solution was to add the modify the REGDBVersion to a value of hex:01,00,00

Add to task sequence via a Command Line: REG ADD HKLM\Software\Microsoft\COM3 /v REGDBVersion /t REG_BINARY /d 010000 /f

Profit!

MDT WSUS Windows 10 Updates Failing 0x8024401C

Had an issue with MDT failing to install Windows 10 via WSUS. I kept getting the 0x8024401C error.

I upgraded my WSUS on the Windows Server 2012R2 to version 4.0. Then upgraded the host to Windows Server 2016. Still receiving the same error.

After some more googling and trial and error I made the following changes to the IIS server for the WSUS  Application Pool:

  • Queue Length: From 10000 to 25000
  • Limit Interval (minutes): From 5 to 15
  • “Service Unavailable” Response: From HttpLevel to TcpLevel
  • Private Memory Limit (KB): From 18342456 to 0

Build is now receiving updates from the WSUS server.

Add Updates to Windows 10 Images

Due to the issues with the Windows 10 1607 build and WSUS updates, I have added the April 2017 Cumulative update into my Windows 10 image (install.wim).

Here are the steps that I completed:

  1. md C:\mount\Windows
    Dism /Mount-Image /ImageFile:"C:\Servicing\Images\install.wim" /Index:1 /MountDir:C:\Servicing\mount\Windows
    Dism /Add-Package /Servicing/Image:C:\Servicing\mount\Windows /PackagePath:C:\Servicing\MSU\windows10.0-kb4016635-x64_2b1b48aa6ec51c019187f15059b768b1638a21ab.msu /LogPath C:\Servicing\AddPackage.log
    Dism /Unmount-Image /MountDir:C:\Servicing\mount\Windows /Commit

Once completed the Windows 10 WIM image will have the latest cumulative update installed.

best practices

Some light reading for the bus ride home:

Download Whitepaper on Top 10 Best Practices on Windows 10 OSD with SCCM ConfigMgr

Downgrade TPM 2.0 to TPM 1.2 for Dell Devices

Dell devices with TPM at the 2.0 level will not build on legacy BIOS systems.

A solution around this is to downgrade the TPM to 1.2 level.

This can be done using the Dell provided TPM firmware update utility.

Have a look here for the details: http://en.community.dell.com/techcenter/enterprise-client/w/wiki/11850.how-to-change-tpm-modes-1-2-2-0

Error Installing Intune Client – 0x80043010

So you have just joined your Windows 10 device to Azure AD with Azure AD Join and the device has auto enrolled into Microsoft Intune (MDM). We done.

Now you want to install the Intune Client to get all those Intune console features you seen and heard about.

Sorry, no go:

Device is registered to be managed by MDM service. Please unregister the device from MDM service before installing Microsoft Intune, 0x80043010

There are two different ways that Intune can manage a Windows 10 system:

  • Enroll it as “mobile device” using the MDM agent built into Windows 10. Use Policy configuration service provider (OMA-DM) Future technology.
  • Install the Intune client agent. All the cool configuration policies you see in the Intune console.

These are mutually exclusive though. Each has its pros and cons. The long term goal is for the built-in MDM agent to be the end-all be-all for managing Windows 10 and it does a good job today but it doesn’t cover everything like Defender management or software updates. The full Intune agent is generally preferred today because it does provide these things but it depends upon your scenario.

MDT 2013 – Windows 10 – KB2267602 Freeze during build

Had this issue during the building of a Windows 10 reference image using build 1607.

During the Windows Update Pre-Application Installation the build would stop and progress no further. The update was the Definition Update for Windows Defender – KB2267602 (Definition 1.63…)

Capture2

Looking at the ZTIWIndowsUpdate.log the download did not start and the progress was at 0%.

I have included the update KB######### to allow the Windows 10 1607 build to communicate with the local WSUS server.

I have added the Definition Update to the exclusion list in the customsettings.ini property using WUMU_ExcludeKB as shown below:

WUMU_ExcludeKB001=2267602

After kicking off a new reference build the task sequence continued on with no issues.