Microsoft 365 Enterprise Tech Series – Enterprise Deployment & Management Technical Workshop L300

Microsoft 365 Enterprise Tech Series – Enterprise Deployment & Management Technical Workshop L300

November 30-December 1, 2017 | Auckland, New Zealand

A 2-day Training on the Complete, Intelligent, Secure Solution that Empowers Employees

What is Microsoft 365 Enterprise Tech Series?

Microsoft 365 is a complete, intelligent solution, including Office 365, Windows 10, and Enterprise Mobility + Security, that empowers everyone to be creative and work together, securely. The Enterprise Tech Series will help empower your team, safeguard your business, and simplify IT management with a single solution, purpose-built for your business

What to Expect from Training:

Understand the Microsoft 365 Vision
Dive into Modern IT Deployment
Learn about Traditional IT Transformation
Feel equipped to fully manage Microsoft 365 environments

Advertisements

Windows 10 – Switch from BIOS-to-UEFI Webinar

If you’re planning your Windows 10 migration, the switch from BIOS-to-UEFI is a hugely important piece of the puzzle.

Unless all your Windows machines are configured to UEFI, your organization cannot take advantage of the special Windows 10 security features. Microsoft’s ‘MBR2GPT’ tool still only gets you part of the way there.

This webinar was hosted live from Redmond by Microsoft MVP Jörgen Nilsson and Jim Bezdan, will ensure you know how to complete the BIOS-to-UEFI process fully, securely and automatically.

The full webinar recording can be viewed here: https://www.1e.com/on-demand-webinar/automate-bios-to-uefi-2018-edition/

DHCP Policies and Custom Vendor Classes

Many organisations still have legacy BIOS devices that do not support UEFI boot. So setup DHCP to provide both BIOS or UEFI boot files depending on what the device BIOS uses.

By using DHCP policies and custom vendor classes for the following DHCP Options:

Option 60
Option 66
Option 67

Assume that you have CM configured with a PXE enabled distribution point and a valid and configured DHCP server. You should therefore be at a configured state where you are able to PXE boot BIOS based devices.

Create Custom Vendor Classes for Use with your DHCP Policy

Think Custom Vendor Classes as Detection Method’s used to determine how devices are requesting a boot image from the DHCP server.

Open the DHCP Console and expand the IPv4 Node
Right-Click on ‘IPv4 Node’ and select ‘Define Vendor Classes’
Click ‘Add’
Create the UEFI 64-Bit Vendor class first by entering the following information
Enter the following information for the respective fields:
DisplayName: PXEClient (UEFI x64)
Description: PXEClient:Arch:00007
ASCII: PXEClient:Arch:00007
Click ‘OK’
Click ‘Add’
DisplayName: PXEClient (UEFI x86)
Description: PXEClient:Arch:00006
ASCII: PXEClient:Arch:00006
Click ‘OK’
Click ‘Add’
DisplayName: PXEClient (BIOS x86 & x64)
Description: PXEClient:Arch:00000
ASCII: PXEClient:Arch:00000
Click ‘OK’

Creating Custom DHCP Policies

UEFI 64-Bit DHCP Policy

Right-Click ‘Policies’ and click ‘New Policy’
Give the policy a friendly name that coincides with the your vendor class naming scheme:
PolicyName: PXEClient (UEFI x64)
Description: Delivers the correct bootfile for (UEFI x64)
Click ‘Next’
On the ‘Configure Conditions for the policy’ page click ‘add’
Select the ‘Value’ drop-down box and select the PXEClient (UEFI x64) vendor class that you created in previous steps
Ensure that you check the box ‘Append wildcard(*)’
Select ‘Add’
Select ‘Ok’
Click ‘Next’
If you want the policy to affect only a specific range within your scope configure it, otherwise select no and click ‘next’
On the Configure settings for the policy page ensure that ‘DHCP Standard Options’ is selected from the drop down box
Configure the following scope options:
060: PXEClient
066: IP Address of the SCCM or WDS Service
067: smsboot\x64\wdsmgfw.efi
Cick ‘Next’
On the Summary page click ‘Finish’

BIOS 32-Bit & 64-Bit DHCP Policy

Right-Click ‘Policies’ and click ‘New Policy’
Give the policy a friendly name that coincides with the your vendor class naming scheme:
PolicyName: PXEClient (BIOS x86 & x64)
Description: Delivers the correct bootfile for BIOS machines
Click ‘Next’
On the ‘Configure Conditions for the policy’ page click ‘add’
Select the ‘Value’ drop-down box and select the PXEClient (BIOS x86 & x64) vendor class that you created in previous steps
Ensure that you check the box ‘Append wildcard(*)’
Select ‘Add’
Select ‘Ok’
Click ‘Next’
If you want the policy to affect only a specific range within your scope configure it, otherwise select no and click ‘next’
On the Configure settings for the policy page ensure that ‘DHCP Standard Options’ is selected from the drop down box
Configure the following scope options:
060: PXEClient
066: IP Address of the SCCM or WDS Service
067: smsboot\x64\wdsnbp.com
Cick ‘Next’
On the Summary page click ‘Finish’

UEFI 32-Bit DHCP Policy

Right-Click ‘Policies’ and click ‘New Policy’
Give the policy a friendly name that coincides with the your vendor class naming scheme:
PolicyName: PXEClient (UEFI x86)
Description: Delivers the correct bootfile for (UEFI x86) machines
Click ‘Next’
On the ‘Configure Conditions for the policy’ page click ‘add’
Select the ‘Value’ drop-down box and select the PXEClient (UEFI x86) vendor class that you created in previous steps
Ensure that you check the box ‘Append wildcard(*)’
Select ‘Add’
Select ‘Ok’
Click ‘Next’
If you want the policy to affect only a specific range within your scope configure it, otherwise select no and click ‘next’
On the Configure settings for the policy page ensure that ‘DHCP Standard Options’ is selected from the drop down box
Configure the following scope options:
060: PXEClient
066: IP Address of the SCCM or WDS Service
067: smsboot\x86\wdsmgfw.efi
Cick ‘Next’
On the Summary page click ‘Finish’

Remove Default PXE Options

Ensure that you have removed the 067, 066, 060 options from the default scope options to ensure that the Policies take precedence otherwise you will end up with conflict

As long as you have configured everything correctly you should now have the ability to boot machines from  BIOS or UEFI.

Windows AutoPilot Deployment

Microsoft has announced that Windows AutoPilot Deployment – a new cloud service that enables IT professionals and partners to customize the Windows 10 out of box setup experience. It used cloud configuration, delivering a self-service deployment experience with new Windows 10 Pro devices. It is now available through CSP.https://blogs.windows.com/business/2017/06/29/delivering-modern-promise-windows-10/#7Y0FQE61FUq42yKb.97

For Windows AutoPilot Deployment feature overviews and demos please see below:

Persistent Device Drivers in Reference Image

We needed to keep the Intel USB 3.0 drivers in a Windows 7 reference image.

  1. Import the drivers into MDT and create a selection profile.
  2. Edit the TS and update the Injected Drivers step to point to the selection profile.
  3. Open and edit Unattend.xml. Add the component called Microsoft-Windows-PnpSysprep to Step 3 Generalize.
  4. Edit the PersistAllDeviceInstalls option to be true.
  5. Save the Unattend.xml file and close.

More information here: http://technet.microsoft.com/en-us/library/ff716298.aspx

Windows 7 Pre-Provision Bitlocker Not Working

After updating Configuration Manager 2012 R2 and adding the Windows 10 ADK, task sequences will no longer pre-provision BitLocker

Reason:

With WinPE 10 it uses the AES-CBC 128-bit encryption method.

Solution:

Add the following Run Command Line steps after Format and Partition and before Pre-provision BitLocker.

  1.  Set EncryptionMethodWithXtsFdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsFdv /d 3 /f
  2. Set EncryptionMethodWithXtsOs – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsOs /d 3 /f
  3. Set EncryptionMethodWithXtsRdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsRdv /d 3 /f

Available Encryption Methods in WinPE 10

  1. Value Data: 3 (Description: AES-CBC 128-bit)
  2. Value Data: 4 (Description: AES-CBC 256-bit)
  3. Value Data: 6 (Description: XTS-AES 128 bit)
  4. Value Data: 7 (Description: XTS-AES 256-bit)

CScript Error: Can’t find script engine “VBScript” for script

During a OSD task sequence in Configuration Manager, we ran into an error with a VBS script that has worked previously.

The error in the SMSTS.LOG file was: CScript Error: Can’t find script engine “VBScript” for script

The problem appears to be caused by a changed registry value: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\REGDBVersion

After some searching on the internet the solution was to add the modify the REGDBVersion to a value of hex:01,00,00

Add to task sequence via a Command Line: REG ADD HKLM\Software\Microsoft\COM3 /v REGDBVersion /t REG_BINARY /d 010000 /f

Profit!

MDT WSUS Windows 10 Updates Failing 0x8024401C

Had an issue with MDT failing to install Windows 10 via WSUS. I kept getting the 0x8024401C error.

I upgraded my WSUS on the Windows Server 2012R2 to version 4.0. Then upgraded the host to Windows Server 2016. Still receiving the same error.

After some more googling and trial and error I made the following changes to the IIS server for the WSUS  Application Pool:

  • Queue Length: From 10000 to 25000
  • Limit Interval (minutes): From 5 to 15
  • “Service Unavailable” Response: From HttpLevel to TcpLevel
  • Private Memory Limit (KB): From 18342456 to 0

Build is now receiving updates from the WSUS server.

Add Updates to Windows 10 Images

Due to the issues with the Windows 10 1607 build and WSUS updates, I have added the April 2017 Cumulative update into my Windows 10 image (install.wim).

Here are the steps that I completed:

  1. md C:\mount\Windows
    Dism /Mount-Image /ImageFile:"C:\Servicing\Images\install.wim" /Index:1 /MountDir:C:\Servicing\mount\Windows
    Dism /Add-Package /Servicing/Image:C:\Servicing\mount\Windows /PackagePath:C:\Servicing\MSU\windows10.0-kb4016635-x64_2b1b48aa6ec51c019187f15059b768b1638a21ab.msu /LogPath C:\Servicing\AddPackage.log
    Dism /Unmount-Image /MountDir:C:\Servicing\mount\Windows /Commit

Once completed the Windows 10 WIM image will have the latest cumulative update installed.

best practices

Some light reading for the bus ride home:

Download Whitepaper on Top 10 Best Practices on Windows 10 OSD with SCCM ConfigMgr