After updating Configuration Manager 2012 R2 and adding the Windows 10 ADK, task sequences will no longer pre-provision BitLocker.
With WinPE 10 the encryption method has to be set explicitly before the Pre-provision BitLocker step runs; the steps below force AES-CBC 128-bit (registry value 3). The values are written to WinPE's own registry hive, which is the one the pre-provision step reads.
Add the following Run Command Line steps after Format and Partition and before Pre-provision BitLocker:
- Set EncryptionMethodWithXtsFdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsFdv /d 3 /f
- Set EncryptionMethodWithXtsOs – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsOs /d 3 /f
- Set EncryptionMethodWithXtsRdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsRdv /d 3 /f
Available Encryption Methods in WinPE 10
- Value Data: 3 (Description: AES-CBC 128-bit)
- Value Data: 4 (Description: AES-CBC 256-bit)
- Value Data: 6 (Description: XTS-AES 128 bit)
- Value Data: 7 (Description: XTS-AES 256-bit)
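The same change as a single script, added here as an example (it is not from the original post): in WinPE it writes the three FVE values and reads them back so smsts.log shows what was really set, and with -Verify, run in the deployed OS, it compares the method the OS volume actually uses against the one that was forced. The method names match what Get-BitLockerVolume reports; the numeric values are the ones listed above. The script name and parameters are my own.

```powershell
# Added example, not from the original post. Forces the BitLocker encryption method that the
# "Pre-provision BitLocker" step will use (WinPE), or verifies it afterwards (full OS).
# Method names are the ones Get-BitLockerVolume reports; the numbers are the FVE policy values
# listed above: 3 AES-CBC 128, 4 AES-CBC 256, 6 XTS-AES 128, 7 XTS-AES 256.
[CmdletBinding()]
param(
    [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
    [string]$Method = 'Aes128',          # value 3, the method the post forces
    [switch]$Verify                      # run in the deployed OS instead of WinPE
)

$FveMethodValue = @{ Aes128 = 3; Aes256 = 4; XtsAes128 = 6; XtsAes256 = 7 }
$FvePolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$FveValueNames  = 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv'

function Set-PreProvisionEncryptionMethod {
    # Run from a "Run Command Line" step in WinPE, after Format and Partition and before
    # Pre-provision BitLocker. In WinPE, HKLM is WinPE's own hive, which is the hive the
    # pre-provision step consults; nothing is written to the target OS.
    param([Parameter(Mandatory)][ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')][string]$Method)

    $value = $FveMethodValue[$Method]
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    foreach ($name in $FveValueNames) {
        New-ItemProperty -Path $FvePolicyKey -Name $name -PropertyType DWord -Value $value -Force | Out-Null
    }
    # Read back so the task sequence log records what was actually set, not just what was asked for.
    $actual = Get-ItemProperty -Path $FvePolicyKey
    foreach ($name in $FveValueNames) {
        if ($actual.$name -ne $value) { throw "$name is $($actual.$name), expected $value" }
    }
    Write-Output "FVE policy set: $Method (value $value) for OS, fixed and removable drives"
}

function Test-OsVolumeEncryptionMethod {
    # Run in the deployed Windows 10 OS. A mismatch means the policy was written too late, or to
    # the wrong hive, and the pre-provisioned volume was encrypted with the default method.
    param([Parameter(Mandatory)][string]$Expected)

    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        EncryptionMethod = $vol.EncryptionMethod
        Expected         = $Expected
        Matches          = ($vol.EncryptionMethod.ToString() -eq $Expected)
    }
}

if ($Verify) { Test-OsVolumeEncryptionMethod -Expected $Method }
else         { Set-PreProvisionEncryptionMethod -Method $Method }
```

As a task sequence step this is `powershell.exe -ExecutionPolicy Bypass -File Set-PreProvisionEncryptionMethod.ps1 -Method Aes128`, which needs the PowerShell optional component in the boot image. Running the same script with -Verify in the deployed OS catches the case where the step was placed after Pre-provision BitLocker and silently had no effect.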
Had an issue with MDT failing to install Windows 10 via WSUS. I kept getting the 0x8024401C error.
I upgraded WSUS on the Windows Server 2012 R2 host to version 4.0, then upgraded the host to Windows Server 2016. I was still receiving the same error.
After some more googling and trial and error, I made the following changes on the IIS server to the WSUS Application Pool:
- Queue Length: From 10000 to 25000
- Limit Interval (minutes): From 5 to 15
- “Service Unavailable” Response: From HttpLevel to TcpLevel
- Private Memory Limit (KB): From 18342456 to 0
Build is now receiving updates from the WSUS server.
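The same four application pool changes applied through the IIS WebAdministration provider, added here as an example (not from the original post). It takes a snapshot before and after so the old values are recorded in case the change has to be reverted. It assumes the pool is called WsusPool, which is the name the WSUS installer uses; change $PoolName if yours differs.

```powershell
# Added example, not from the original post: applies the four WsusPool changes listed above via
# the WebAdministration provider and returns a before/after snapshot. "WsusPool" is the default
# name of the WSUS application pool (assumption; adjust if renamed).
Import-Module WebAdministration

function Get-WsusPoolSnapshot {
    param([string]$PoolName = 'WsusPool')
    $pool = Get-Item -Path "IIS:\AppPools\$PoolName"
    [pscustomobject]@{
        QueueLength            = $pool.queueLength
        RapidFailInterval      = $pool.failure.rapidFailProtectionInterval
        ServiceUnavailableMode = $pool.failure.loadBalancerCapabilities
        PrivateMemoryLimitKB   = $pool.recycling.periodicRestart.privateMemory
    }
}

function Set-WsusPoolForLargeClients {
    param(
        [string]$PoolName          = 'WsusPool',
        [int]$QueueLength          = 25000,
        [int]$RapidFailMinutes     = 15,
        [int]$PrivateMemoryLimitKB = 0          # 0 = never recycle the pool on private memory
    )
    $path   = "IIS:\AppPools\$PoolName"
    $before = Get-WsusPoolSnapshot -PoolName $PoolName

    Set-ItemProperty -Path $path -Name queueLength -Value $QueueLength
    Set-ItemProperty -Path $path -Name failure.rapidFailProtectionInterval -Value ([TimeSpan]::FromMinutes($RapidFailMinutes))
    # TcpLevel makes IIS reset the connection when the pool is unavailable instead of answering HTTP 503.
    Set-ItemProperty -Path $path -Name failure.loadBalancerCapabilities -Value 'TcpLevel'
    Set-ItemProperty -Path $path -Name recycling.periodicRestart.privateMemory -Value $PrivateMemoryLimitKB

    # The settings are live only after the pool restarts.
    Restart-WebAppPool -Name $PoolName
    [pscustomobject]@{ Before = $before; After = (Get-WsusPoolSnapshot -PoolName $PoolName) }
}

Set-WsusPoolForLargeClients | Format-List
```

Setting the private memory limit to 0 removes the memory-based recycle entirely, so keep an eye on the w3wp.exe process for the WsusPool on a busy server; the before/after object the function returns is worth pasting into the change record.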
Due to the issues with the Windows 10 1607 build and WSUS updates, I have added the April 2017 Cumulative update into my Windows 10 image (install.wim).
Here are the steps that I completed:
Dism /Mount-Image /ImageFile:"C:\Servicing\Images\install.wim" /Index:1 /MountDir:C:\Servicing\mount\Windows
Dism /Add-Package /Image:C:\Servicing\mount\Windows /PackagePath:C:\Servicing\MSU\windows10.0-kb4016635-x64_2b1b48aa6ec51c019187f15059b768b1638a21ab.msu /LogPath:C:\Servicing\AddPackage.log
Dism /Unmount-Image /MountDir:C:\Servicing\mount\Windows /Commit
Once the unmount with /Commit completes, the Windows 10 install.wim contains the April 2017 cumulative update.
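The same offline servicing done with the DISM PowerShell module, added here as an example (these are not the post's commands). The point of wrapping it is the failure path: if Add-WindowsPackage fails, the mount is discarded rather than committed, and a stale mount left by an earlier crashed run is cleaned up first. Paths and the .msu name are taken from the post; they are assumptions about your environment.

```powershell
# Added example, not the original post's commands: offline servicing with the DISM PowerShell
# module, with a discard on failure so a broken run never leaves a dirty mount or a half-patched WIM.
# Paths and the .msu file name are taken from the post above; adjust them for your environment.
[CmdletBinding()]
param(
    [string]$ImageFile   = 'C:\Servicing\Images\install.wim',
    [int]   $Index       = 1,
    [string]$MountDir    = 'C:\Servicing\mount\Windows',
    [string]$PackagePath = 'C:\Servicing\MSU\windows10.0-kb4016635-x64_2b1b48aa6ec51c019187f15059b768b1638a21ab.msu',
    [string]$LogPath     = 'C:\Servicing\AddPackage.log'
)

function Add-OfflineUpdate {
    param(
        [Parameter(Mandatory)][string]$ImageFile,
        [Parameter(Mandatory)][int]$Index,
        [Parameter(Mandatory)][string]$MountDir,
        [Parameter(Mandatory)][string]$PackagePath,
        [Parameter(Mandatory)][string]$LogPath
    )
    foreach ($p in $ImageFile, $PackagePath) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
    }
    if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

    # A mount left behind by an earlier crashed run makes Mount-WindowsImage fail; clean up first.
    Clear-WindowsCorruptMountPoint | Out-Null

    Mount-WindowsImage -ImagePath $ImageFile -Index $Index -Path $MountDir -LogPath $LogPath | Out-Null
    try {
        Add-WindowsPackage -Path $MountDir -PackagePath $PackagePath -LogPath $LogPath | Out-Null

        # Verify inside the mounted image before committing. A Windows 10 cumulative update is
        # listed as a Package_for_RollupFix package rather than under its KB number.
        $rollups = Get-WindowsPackage -Path $MountDir |
                   Where-Object { $_.PackageName -like 'Package_for_RollupFix*' }
        if (-not $rollups) { throw 'Cumulative update package not present in the mounted image' }

        Dismount-WindowsImage -Path $MountDir -Save -LogPath $LogPath | Out-Null
        return $rollups | Select-Object PackageName, PackageState, InstallTime
    }
    catch {
        # Throw away the half-serviced mount so install.wim is left exactly as it was.
        Dismount-WindowsImage -Path $MountDir -Discard -LogPath $LogPath | Out-Null
        throw
    }
}

Add-OfflineUpdate -ImageFile $ImageFile -Index $Index -MountDir $MountDir -PackagePath $PackagePath -LogPath $LogPath
```

Run it from an elevated PowerShell prompt on the servicing host. The returned package list is the evidence that the update is in the image; if the function throws, the WIM is unchanged and the DISM log at $LogPath has the reason.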
Some light reading for the bus ride home:
Windows 10 devices automatically encrypt the local drive when they are joined to Azure Active Directory (AAD). The device must be InstantGo capable.
InstantGo (formerly known as Connected Standby) is a very low power state that some devices support. It is much like your mobile phone: almost switched off, but still able to receive text messages and e-mail and to wake into a different power state when a call comes in.
How do you check this?
Open a command prompt and type powercfg /a
Devices with InstantGo support list "Standby (S0 Low Power Idle) Network Connected" among the sleep states available on the system.
Where do I find the recovery key?
Users can retrieve their recovery key by going to http://myapps.microsoft.com, selecting Devices and then selecting the device for which they want the recovery key.
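A device-side check of the three things this section talks about, added here as an example (not from the original post): is the device InstantGo capable according to powercfg /a, is it Azure AD joined according to dsregcmd /status, and is the OS volume encrypted with a recovery password. The last function escrows the recovery password to the AAD device object, which is where the myapps Devices page gets it from; it needs Windows 10 1511 or later for BackupToAAD-BitLockerKeyProtector. Function names are my own.

```powershell
# Added example, not from the original post. Checks InstantGo support, AAD join state and the
# OS volume's BitLocker recovery protectors, and can escrow the recovery password to Azure AD.
# Requires Windows 10 1511 or later (BackupToAAD-BitLockerKeyProtector); run elevated.

function Test-InstantGoSupport {
    # powercfg /a prints the sleep states available on the system, then the ones that are not.
    # InstantGo shows up in the first group as "Standby (S0 Low Power Idle) Network Connected".
    $text      = (powercfg.exe /a) -join "`n"
    $available = ($text -split 'not available', 2)[0]
    return [bool]($available -match 'S0 Low Power Idle\)\s+Network Connected')
}

function Test-AzureAdJoined {
    # dsregcmd /status reports "AzureAdJoined : YES" on an AAD-joined device.
    return [bool]((dsregcmd.exe /status) -match '^\s*AzureAdJoined\s*:\s*YES')
}

function Get-OsVolumeRecoveryState {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint         = $vol.MountPoint
        VolumeStatus       = $vol.VolumeStatus
        ProtectionStatus   = $vol.ProtectionStatus
        EncryptionMethod   = $vol.EncryptionMethod
        RecoveryProtectors = @($vol.KeyProtector |
                               Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                               ForEach-Object KeyProtectorId)
    }
}

function Backup-OsVolumeRecoveryKeyToAad {
    # Escrows every numerical recovery password on the OS volume to the AAD device object.
    # Safe to re-run: an already escrowed protector is simply written again.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $kp.KeyProtectorId
    }
}

$report = [ordered]@{
    InstantGo     = Test-InstantGoSupport
    AzureAdJoined = Test-AzureAdJoined
    OsVolume      = Get-OsVolumeRecoveryState
}
[pscustomobject]$report | Format-List
```

If InstantGo comes back false on an AAD-joined device, that is the requirement from the paragraph above not being met, and the drive will not encrypt on its own. If the volume is encrypted but nothing shows under Devices in myapps, run Backup-OsVolumeRecoveryKeyToAad and check again; a volume with no RecoveryPassword protector has nothing to escrow.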
Had this issue during the building of a Windows 10 reference image using build 1607.
During the Windows Update Pre-Application Installation the build would stop and progress no further. The update was the Definition Update for Windows Defender – KB2267602 (Definition 1.63…)
Looking at the ZTIWindowsUpdate.log, the download did not start and the progress stayed at 0%.
I have included the update KB######### to allow the Windows 10 1607 build to communicate with the local WSUS server.
I have added the Definition Update to the exclusion list in the customsettings.ini property using WUMU_ExcludeKB as shown below:
After kicking off a new reference build the task sequence continued on with no issues.
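A helper for the CustomSettings.ini change, added here as an example (not from the original post): it appends a WUMU_ExcludeKBn line for the Defender definition update to the [Default] section without duplicating an entry that is already there, which matters because MDT reads the list by index (WUMU_ExcludeKB1, WUMU_ExcludeKB2, ...) and the value is the KB number without the "KB" prefix. The sample ini content is constructed for the demonstration; the real file lives in the deployment share's Control folder.

```powershell
# Added example, not from the original post: adds WUMU_ExcludeKBn entries to the [Default] section
# of CustomSettings.ini idempotently. MDT numbers list properties WUMU_ExcludeKB1, WUMU_ExcludeKB2, ...
# and the value is the KB number without "KB". The sample ini below is constructed for the demo.

function Add-WumuExcludeKB {
    param(
        [Parameter(Mandatory)][string]$IniPath,
        [Parameter(Mandatory)][string[]]$KB,
        [string]$Section = 'Default'
    )
    $lines = @(Get-Content -Path $IniPath)

    # Locate the section header and where the next section starts (or end of file).
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "^\s*\[$([regex]::Escape($Section))\]\s*$") { $start = $i; break }
    }
    if ($start -lt 0) { throw "Section [$Section] not found in $IniPath" }
    $end = $lines.Count
    for ($i = $start + 1; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*\[') { $end = $i; break }
    }

    # Existing exclusions in this section: KB number -> index, and the highest index in use.
    $existing = @{}
    $maxIndex = 0
    for ($i = $start + 1; $i -lt $end; $i++) {
        if ($lines[$i] -match '^\s*WUMU_ExcludeKB(\d+)\s*=\s*(?:KB)?(\d+)') {
            $existing[$matches[2]] = [int]$matches[1]
            if ([int]$matches[1] -gt $maxIndex) { $maxIndex = [int]$matches[1] }
        }
    }

    $added = @()
    foreach ($k in $KB) {
        $number = $k -replace '^KB', ''
        if ($existing.ContainsKey($number)) { continue }      # already excluded; keep the file as is
        $maxIndex++
        $added += "WUMU_ExcludeKB$maxIndex=$number"
        $existing[$number] = $maxIndex
    }
    if ($added.Count -eq 0) { return $lines }

    # Insert after the last non-blank line of the section so the entry stays under [Default].
    $insertAt = $end
    while ($insertAt -gt $start + 1 -and $lines[$insertAt - 1] -match '^\s*$') { $insertAt-- }
    $result = @($lines[0..($insertAt - 1)]) + $added
    if ($insertAt -lt $lines.Count) { $result += $lines[$insertAt..($lines.Count - 1)] }
    Set-Content -Path $IniPath -Value $result -Encoding ASCII
    return $result
}

# Constructed sample CustomSettings.ini, written to a temp file for the demonstration.
$ini = Join-Path $env:TEMP 'CustomSettings.sample.ini'
@'
[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
OSInstall=Y
WSUSServer=http://wsus01.contoso.com:8530
WUMU_ExcludeKB1=925471
'@ | Set-Content -Path $ini -Encoding ASCII

Add-WumuExcludeKB -IniPath $ini -KB 'KB2267602'     # appends WUMU_ExcludeKB2=2267602
Add-WumuExcludeKB -IniPath $ini -KB 'KB2267602'     # second run changes nothing
```

Point it at the real Control\CustomSettings.ini and the KB from the log above (2267602). Definition updates are re-released constantly under the same KB number, so excluding the KB rather than a specific revision is what keeps the reference build from stalling again.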
Need to get into the Samsung recovery partition on your new TabPro S?
Easy: hold down the F4 key and power on the device. Sorted.
In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.
These steps show how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. They assume you have downloaded the sample Set-OUPermissions.ps1 script and copied it to C:\Setup\Scripts on DC01. The account is used by Windows Preinstallation Environment (Windows PE) to connect to MDT01, so its credentials end up on the deployment share and boot media: give it a long, randomly generated password in production rather than the lab sample shown below, do not reuse it anywhere else, and treat it as privileged, since it can create and delete computer objects in the target OU.
- On DC01, using Active Directory User and Computers, browse to contoso.com / Contoso / Service Accounts.
- Select the Service Accounts organizational unit (OU) and create the MDT_JD account using the following settings:
- Name: MDT_JD
- User logon name: MDT_JD
- Password: P@ssw0rd
- User must change password at next logon: Clear
- User cannot change password: Select
- Password never expires: Select
- In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press Enter after each command:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
.\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
- The Set-OUPermissions.ps1 script grants the MDT_JD user account the permissions needed to manage computer accounts in the Contoso / Computers / Workstations OU named by -TargetOU. These are the permissions granted:
- Scope: This object and all descendant objects
- Create Computer objects
- Delete Computer objects
- Scope: Descendant Computer objects
- Read All Properties
- Write All Properties
- Read Permissions
- Modify Permissions
- Change Password
- Reset Password
- Validated write to DNS host name
- Validated write to service principal name
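The same permission set granted with dsacls.exe, added here as an example; it is not the sample Set-OUPermissions.ps1 the steps refer to, but it produces exactly the ACEs listed above and nothing broader (no Full Control, nothing outside the target OU), and it reads the ACL back afterwards. It assumes it runs on a DC or RSAT host with the ActiveDirectory module as a user who can change the OU's ACL; the account and OU are the ones from the steps.

```powershell
# Added example, not the sample Set-OUPermissions.ps1: grants the listed permissions with dsacls.exe
# so the account gets exactly those rights on the target OU and no more. Assumes a DC or RSAT host
# with the ActiveDirectory module, run as a user allowed to modify the OU's ACL.
[CmdletBinding()]
param(
    [string]$Account  = 'MDT_JD',
    [string]$TargetOU = 'OU=Workstations,OU=Computers,OU=Contoso'   # relative DN; domain DN is appended
)
Import-Module ActiveDirectory

function Set-MdtJoinPermissions {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$TargetOU
    )
    $domain  = Get-ADDomain
    $ouDn    = "$TargetOU,$($domain.DistinguishedName)"
    $trustee = "$($domain.NetBIOSName)\$Account"

    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) { throw "Account $Account not found" }
    try { Get-ADOrganizationalUnit -Identity $ouDn | Out-Null } catch { throw "OU $ouDn not found" }

    # dsacls right codes: CC/DC create/delete child, RP/WP read/write property (no property name =
    # all properties), RC read permissions, WD modify permissions, CA control access (extended
    # right), WS validated write. /I:T = this object and all descendants, /I:S = descendant objects
    # only. The trailing ";Computer" limits the ACE to computer objects.
    $grants = @(
        @{ Inherit = 'T'; Right = 'CCDC;Computer' },                                        # create/delete computer objects
        @{ Inherit = 'S'; Right = 'RPWP;;Computer' },                                       # read/write all properties
        @{ Inherit = 'S'; Right = 'RCWD;;Computer' },                                       # read/modify permissions
        @{ Inherit = 'S'; Right = 'CA;Reset Password;Computer' },
        @{ Inherit = 'S'; Right = 'CA;Change Password;Computer' },
        @{ Inherit = 'S'; Right = 'WS;Validated write to DNS host name;Computer' },
        @{ Inherit = 'S'; Right = 'WS;Validated write to service principal name;Computer' }
    )
    foreach ($g in $grants) {
        $out = & dsacls.exe $ouDn "/I:$($g.Inherit)" /G "${trustee}:$($g.Right)"
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$($g.Right)': $($out -join ' ')" }
    }

    # Read the ACL back and return the lines that name this account, for the change record.
    (& dsacls.exe $ouDn) | Where-Object { $_ -match [regex]::Escape($trustee) }
}

Set-MdtJoinPermissions -Account $Account -TargetOU $TargetOU
```

Run it once per target OU. Because every grant is scoped to computer objects under that OU, the account cannot touch users, groups or computers elsewhere in the domain even if its password leaks from the boot media, which is the whole point of not using a domain admin for the join.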
In Windows 8.1 with KB3065988 installed, the system prompts users to reserve a copy of Windows 10 as part of the OOBE process that occurs at the first startup cycle. For organizations that are deploying Windows 8.1 Pro by using an Unattend.xml file that automates the OOBE process, this reservation notice still occurs. To suppress this notice, you can use either of the following methods:
Use Group Policy
Set the following Group Policy setting to Disabled:
Computer Configuration > Administrative Templates > System > Logon > Show first sign-in animation
Change the Unattend.xml file
Add the following entry to the Unattend.xml file for Windows 8.1 Pro x64, in the specialize pass, so the registry value is set before the first sign-in:
<component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <RunSynchronous>
    <RunSynchronousCommand wcm:action="add">
      <Order>1</Order>
      <Path>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v EnableFirstLogonAnimation /d 0 /t REG_DWORD /f</Path>
    </RunSynchronousCommand>
  </RunSynchronous>
</component>