Adaptiva, Best Practices, Configuration Manager 2012, Configuration Manager 2016, Intune, MDT, Microsoft, Windows 10

Windows 10 OSD Best Practices with ConfigMgr

Microsoft MVP Ami Casto will give you demonstrations of community tools and Adaptiva technologies to help ensure your success with:

  • Windows 10 OSD planning, deployment, and maintenance
  • Large-scale, zero-touch deployments and ongoing servicing
  • Security configuration management to harden attack surfaces
  • Real-time incident response to urgent security issues

Windows 10 OSD Best Practices with ConfigMgr Webinar: https://adaptiva.com/videos/2018/2018-06-26-windows-10-osd-best-practices/

BIOS, Configuration Manager 2012, Configuration Manager 2016, Deployment, MDT, Microsoft, UEFI, Uncategorized

Windows 10 – Switch from BIOS-to-UEFI Webinar

If you’re planning your Windows 10 migration, the switch from BIOS-to-UEFI is a hugely important piece of the puzzle.

Unless all your Windows machines are configured to UEFI, your organization cannot take advantage of the special Windows 10 security features. Microsoft’s ‘MBR2GPT’ tool still only gets you part of the way there.

This webinar, hosted live from Redmond by Microsoft MVP Jörgen Nilsson and Jim Bezdan, will ensure you know how to complete the BIOS-to-UEFI process fully, securely and automatically.

The full webinar recording can be viewed here: https://www.1e.com/on-demand-webinar/automate-bios-to-uefi-2018-edition/

Deployment, MDT, reference image, Task Sequence, Windows 7

Persistent Device Drivers in Reference Image

We needed to keep the Intel USB 3.0 drivers in a Windows 7 reference image.

  1. Import the drivers into MDT and create a selection profile.
  2. Edit the TS and update the Injected Drivers step to point to the selection profile.
  3. Open and edit Unattend.xml. Add the component called Microsoft-Windows-PnpSysprep to Step 3 Generalize.
  4. Edit the PersistAllDeviceInstalls option to be true.
  5. Save the Unattend.xml file and close.

More information here: http://technet.microsoft.com/en-us/library/ff716298.aspx
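
Steps 3 to 5 can also be scripted instead of edited by hand. The following is an added example, not part of the original post: the function name, the default architecture and the sample path in the last comment are assumptions, and the function creates the generalize pass, the component and the option only when they are missing.

```powershell
# Added example, not from the original post.
function Set-PersistAllDeviceInstalls {
    param(
        [Parameter(Mandatory)][string]$Path,        # Unattend.xml to edit
        [string]$Architecture = 'amd64'             # assumption: x64 image; use 'x86' for 32-bit
    )
    $ns   = 'urn:schemas-microsoft-com:unattend'
    $file = (Resolve-Path -LiteralPath $Path).Path  # .NET needs an absolute path
    $xml  = New-Object System.Xml.XmlDocument
    $xml.Load($file)
    $mgr  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $mgr.AddNamespace('u', $ns)

    # Find or create <settings pass="generalize">.
    $pass = $xml.SelectSingleNode("/u:unattend/u:settings[@pass='generalize']", $mgr)
    if ($null -eq $pass) {
        $pass = $xml.CreateElement('settings', $ns)
        $pass.SetAttribute('pass', 'generalize')
        [void]$xml.DocumentElement.AppendChild($pass)
    }
    # Find or create the Microsoft-Windows-PnpSysprep component for this architecture.
    $query = "u:component[@name='Microsoft-Windows-PnpSysprep' and @processorArchitecture='$Architecture']"
    $comp  = $pass.SelectSingleNode($query, $mgr)
    if ($null -eq $comp) {
        $comp  = $xml.CreateElement('component', $ns)
        $attrs = [ordered]@{
            name = 'Microsoft-Windows-PnpSysprep'; processorArchitecture = $Architecture
            publicKeyToken = '31bf3856ad364e35'; language = 'neutral'; versionScope = 'nonSxS'
        }
        foreach ($a in $attrs.GetEnumerator()) { $comp.SetAttribute($a.Key, $a.Value) }
        [void]$pass.AppendChild($comp)
    }
    # Find or create the option, then set it to true.
    $opt = $comp.SelectSingleNode('u:PersistAllDeviceInstalls', $mgr)
    if ($null -eq $opt) {
        $opt = $xml.CreateElement('PersistAllDeviceInstalls', $ns)
        [void]$comp.AppendChild($opt)
    }
    $opt.InnerText = 'true'
    $xml.Save($file)
    return $comp.OuterXml                           # the component as written, for review
}

# Usage (hypothetical path): Set-PersistAllDeviceInstalls -Path .\Unattend.xml
```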

Deployment, MDT, Security Updates, Windows 10, Windows Server 2016, WSUS

MDT WSUS Windows 10 Updates Failing 0x8024401C

Had an issue with MDT failing to install Windows 10 via WSUS. I kept getting the 0x8024401C error.

I upgraded my WSUS on the Windows Server 2012R2 to version 4.0. Then upgraded the host to Windows Server 2016. Still receiving the same error.

After some more googling and trial and error I made the following changes to the IIS server for the WSUS Application Pool:

  • Queue Length: From 10000 to 25000
  • Limit Interval (minutes): From 5 to 15
  • “Service Unavailable” Response: From HttpLevel to TcpLevel
  • Private Memory Limit (KB): From 18342456 to 0

Build is now receiving updates from the WSUS server.
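
The four IIS Manager settings above map to application pool configuration attributes, so they can be compared and applied from PowerShell. This is an added example, not part of the original post; it assumes the pool is named WsusPool (the name used by a default WSUS install) and that the WebAdministration module is available on the WSUS host.

```powershell
# Added example, not from the original post. Run elevated on the WSUS/IIS host.
Import-Module WebAdministration

# Assumption: 'WsusPool' is the application pool name of a default WSUS install.
$Pool = 'IIS:\AppPools\WsusPool'

# Configuration attribute = value from the list above (IIS Manager label in the comment).
$Desired = [ordered]@{
    'queueLength'                             = 25000                  # Queue Length
    'cpu.resetInterval'                       = [timespan]'00:15:00'   # Limit Interval (minutes)
    'failure.loadBalancerCapabilities'        = 'TcpLevel'             # "Service Unavailable" Response
    'recycling.periodicRestart.privateMemory' = 0                      # Private Memory Limit (KB); 0 = no limit
}

function Get-PoolSetting([string]$Name) {
    $v = Get-ItemProperty -Path $Pool -Name $Name
    # Some attributes come back wrapped in an object with a Value property; unwrap those.
    if ($v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

function Set-WsusPoolSettings {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in $Desired.Keys) {
        $current = Get-PoolSetting $name
        $wanted  = $Desired[$name]
        if ("$current" -eq "$wanted") { continue }      # already set, nothing to do
        if ($PSCmdlet.ShouldProcess($Pool, "$name : $current -> $wanted")) {
            Set-ItemProperty -Path $Pool -Name $name -Value $wanted
        }
    }
}

# Preview the differences first; drop -WhatIf to apply them.
Set-WsusPoolSettings -WhatIf
```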

Configuration Manager 2012, Deployment, MDT, System Center, Windows Preinstallation Environment

Windows Preinstallation Environment Version and Associated OS Version

| WinPE | Windows | Windows Version | Notes |
|-------|---------|-----------------|-------|
| 1.0 | Windows XP | 5.1.2600.x | First version of WinPE. |
| 1.1 | Windows XP SP1 | 5.1.2600.x | |
| 1.2 | Windows Server 2003 | 5.2.3790.x | |
| 1.5 | Windows XP SP2 | 5.1.2600.x | Windows PE 2004. |
| 1.6 | Windows Server 2003 SP1 | 5.2.3790.x | Windows PE 2005. |
| 2.0 | Windows Vista | 6.0.6000.x | |
| 2.1 | Windows Server 2008 | 6.0.6001.x | |
| 2.2 | Windows Server 2008 SP2 | 6.0.6002.x | |
| 3.0 | Windows 7 | 6.1.7600.x | Windows AIK 2.0. |
| 3.1 | Windows 7 SP1 | 6.1.7601.x | Windows AIK Supplement for Windows 7 SP1. |
| 4.0 | Windows 8 | 6.2.9200.x | Windows ADK (Windows Kits 8.0). |
| 5.0 | Windows 8.1 | 6.3.9300.x | Windows ADK (Windows Kits 8.1). |
| 5.1 | Windows 8.1 Update 1 | 6.3.9600.x | Windows ADK (Windows Kits 8.1 Update). |
| 10.0 | Windows 10 | 10.0.10240.16384 | Windows ADK (Windows Kits 10.0) |

Active Directory, Administration, Deployment, MDT, PowerShell, Script, Windows 10, Windows Preinstallation Environment

PowerShell – Configure Active Directory Permissions to Join Computer to the Domain

In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.

These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample Set-OUPermissions.ps1 script and copied it to C:\Setup\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.

  1. On DC01, using Active Directory Users and Computers, browse to contoso.com / Contoso / Service Accounts.
  2. Select the Service Accounts organizational unit (OU) and create the MDT_JD account using the following settings:
    1. Name: MDT_JD
    2. User logon name: MDT_JD
    3. Password: P@ssw0rd
    4. User must change password at next logon: Clear
    5. User cannot change password: Select
    6. Password never expires: Select
  3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press Enter after each command:
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
    Set-Location C:\Setup\Scripts
    .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
    
  4. The Set-OUPermissions.ps1 script allows the MDT_JD user account permissions to manage computer accounts in the Contoso / Computers OU. Below you find a list of the permissions being granted:
    1. Scope: This object and all descendant objects
      1. Create Computer objects
      2. Delete Computer objects
    2. Scope: Descendant Computer objects
      1. Read All Properties
      2. Write All Properties
      3. Read Permissions
      4. Modify Permissions
      5. Change Password
      6. Reset Password
      7. Validated write to DNS host name
      8. Validated write to service principal name
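
To confirm what the join account actually holds on the OU after the script has run, the ACL can be read back and compared with the list above. This is an added example, not part of the original post or of Set-OUPermissions.ps1; the function names are hypothetical, the full distinguished name (with DC=contoso,DC=com appended) is an assumption, and the GUIDs are the standard Active Directory schema and control-access identifiers.

```powershell
# Added example, not from the original post or from Set-OUPermissions.ps1.
Import-Module ActiveDirectory                       # provides the AD: drive
Add-Type -AssemblyName System.DirectoryServices

$Computer  = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$GuidNames = @{
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'Computer'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write to DNS host name'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write to service principal name'
    '00000000-0000-0000-0000-000000000000' = '(any)'
}
function Resolve-AceGuid([guid]$Guid) {
    $name = $GuidNames[$Guid.ToString()]
    if ($name) { $name } else { $Guid.ToString() }
}

# Rights that appear in the list above, per scope.
$R = [System.DirectoryServices.ActiveDirectoryRights]
$OuRights       = [int]($R::CreateChild -bor $R::DeleteChild)
$ComputerRights = [int]($R::ReadProperty -bor $R::WriteProperty -bor $R::ReadControl -bor
                        $R::WriteDacl -bor $R::ExtendedRight -bor $R::Self)

function Get-JoinAccountAce {
    param(
        [string]$Account  = 'MDT_JD',
        # Assumption: full DN of the OU passed to -TargetOU in step 3.
        [string]$TargetOU = 'OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com'
    )
    (Get-Acl -Path "AD:\$TargetOU").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Account" } |
        ForEach-Object {
            $rights = [int]$_.ActiveDirectoryRights
            # True when the ACE grants nothing beyond the rights listed above for its scope.
            $onList = ($_.InheritedObjectType -eq $Computer -and ($rights -band (-bnot $ComputerRights)) -eq 0) -or
                      ($_.ObjectType -eq $Computer -and ($rights -band (-bnot $OuRights)) -eq 0)
            [pscustomobject]@{
                Access     = $_.AccessControlType
                Rights     = $_.ActiveDirectoryRights
                Object     = Resolve-AceGuid $_.ObjectType
                AppliesTo  = Resolve-AceGuid $_.InheritedObjectType
                Inherited  = $_.IsInherited
                OnPageList = $onList
            }
        }
}

Get-JoinAccountAce | Format-Table -AutoSize
```

Rows with OnPageList set to False are entries for the account that fall outside the two scopes listed above and are worth reviewing.
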
Deployment, DISM, MDT, System Center, Uncategorized, Windows 10, Windows 8.1

How to bypass the Unattend screen in Windows 8.1 Update

In Windows 8.1 with KB3065988 installed, the system prompts users to reserve a copy of Windows 10 as part of the OOBE process that occurs at the first startup cycle. For organizations that are deploying Windows 8.1 Pro by using an Unattend.xml file that automates the OOBE process, this reservation notice still occurs. To suppress this notice, you can use either of the following methods:

Use Group Policy
Set the following Group Policy setting to Disabled:

Computer Configuration > Administrative Templates > System > Logon > Show first sign-in animation

Change the Unattend.xml file
Add the following entry to the Unattend.xml file for Windows 8.1 Pro x64

<settings pass="specialize">
    <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <RunSynchronous>
            <RunSynchronousCommand wcm:action="add">
                <Description>DisableAnimation</Description>
                <Order>1</Order>
                <Path>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v EnableFirstLogonAnimation /d 0 /t REG_DWORD /f</Path>
            </RunSynchronousCommand>
        </RunSynchronous>
    </component>
</settings>