Windows AutoPilot Deployment

Microsoft has announced that Windows AutoPilot Deployment – a new cloud service that enables IT professionals and partners to customize the Windows 10 out of box setup experience. It used cloud configuration, delivering a self-service deployment experience with new Windows 10 Pro devices. It is now available through CSP.https://blogs.windows.com/business/2017/06/29/delivering-modern-promise-windows-10/#7Y0FQE61FUq42yKb.97

For Windows AutoPilot Deployment feature overviews and demos please see below:

Windows 7 Pre-Provision Bitlocker Not Working

After updating Configuration Manager 2012 R2 and adding the Windows 10 ADK, task sequences will no longer pre-provision BitLocker

Reason:

With WinPE 10 it uses the AES-CBC 128-bit encryption method.

Solution:

Add the following Run Command Line steps after Format and Partition and before Pre-provision BitLocker.

  1.  Set EncryptionMethodWithXtsFdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsFdv /d 3 /f
  2. Set EncryptionMethodWithXtsOs – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsOs /d 3 /f
  3. Set EncryptionMethodWithXtsRdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsRdv /d 3 /f

Available Encryption Methods in WinPE 10

  1. Value Data: 3 (Description: AES-CBC 128-bit)
  2. Value Data: 4 (Description: AES-CBC 256-bit)
  3. Value Data: 6 (Description: XTS-AES 128 bit)
  4. Value Data: 7 (Description: XTS-AES 256-bit)

MDT WSUS Windows 10 Updates Failing 0x8024401C

Had an issue with MDT failing to install Windows 10 via WSUS. I kept getting the 0x8024401C error.

I upgraded my WSUS on the Windows Server 2012R2 to version 4.0. Then upgraded the host to Windows Server 2016. Still receiving the same error.

After some more googling and trial and error I made the following changes to the IIS server for the WSUS  Application Pool:

  • Queue Length: From 10000 to 25000
  • Limit Interval (minutes): From 5 to 15
  • “Service Unavailable” Response: From HttpLevel to TcpLevel
  • Private Memory Limit (KB): From 18342456 to 0

Build is now receiving updates from the WSUS server.

Add Updates to Windows 10 Images

Due to the issues with the Windows 10 1607 build and WSUS updates, I have added the April 2017 Cumulative update into my Windows 10 image (install.wim).

Here are the steps that I completed:

  1. md C:\mount\Windows
    Dism /Mount-Image /ImageFile:"C:\Servicing\Images\install.wim" /Index:1 /MountDir:C:\Servicing\mount\Windows
    Dism /Add-Package /Servicing/Image:C:\Servicing\mount\Windows /PackagePath:C:\Servicing\MSU\windows10.0-kb4016635-x64_2b1b48aa6ec51c019187f15059b768b1638a21ab.msu /LogPath C:\Servicing\AddPackage.log
    Dism /Unmount-Image /MountDir:C:\Servicing\mount\Windows /Commit

Once completed the Windows 10 WIM image will have the latest cumulative update installed.

best practices

Some light reading for the bus ride home:

Download Whitepaper on Top 10 Best Practices on Windows 10 OSD with SCCM ConfigMgr

Enable BitLocker on Azure AD Joined windows 10 Device

Windows 10 devices will automatically encrypt the local drive when joining to Azure Active Directory (AAD). The device must be InstantGo capable.

InstantGo (formerly known as Connected Standby) is a very low power state that some devices support. It’s very like your mobile phone, it’s almost switched off but still can receive text messages, e-mails and switch to a different power state when receiving phone calls.

How do you check this?

Open a command prompt, type powercfg /a

Devices that have InstantGo support will return “Network Connected”:

clip_image002

 Where do I find the recovery key?

Users can retrieve their recovery key by going to http://myapps.microsoft.com, select Devices and select the device for which they would like to get the recovery key:

clip_image006

MDT 2013 – Windows 10 – KB2267602 Freeze during build

Had this issue during the building of a Windows 10 reference image using build 1607.

During the Windows Update Pre-Application Installation the build would stop and progress no further. The update was the Definition Update for Windows Defender – KB2267602 (Definition 1.63…)

Capture2

Looking at the ZTIWIndowsUpdate.log the download did not start and the progress was at 0%.

I have included the update KB######### to allow the Windows 10 1607 build to communicate with the local WSUS server.

I have added the Definition Update to the exclusion list in the customsettings.ini property using WUMU_ExcludeKB as shown below:

WUMU_ExcludeKB001=2267602

After kicking off a new reference build the task sequence continued on with no issues.

PowerShell – Configure Active Directory Permissions to Join Computer to the Domain

In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.

These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample Set-OUPermissions.ps1 script and copied it to C:\Setup\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.

  1. On DC01, using Active Directory User and Computers, browse to contoso.com / Contoso / Service Accounts.
  2. Select the Service Accounts organizational unit (OU) and create the MDT_JD account using the following settings:
    1. Name: MDT_JD
    2. User logon name: MDT_JD
    3. Password: P@ssw0rd
    4. User must change password at next logon: Clear
    5. User cannot change password: Select
    6. Password never expires: Select
  3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press Enter after each command:
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
    Set-Location C:\Setup\Scripts
    .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
    
  4. The Set-OUPermissions.ps1 script allows the MDT_JD user account permissions to manage computer accounts in the Contoso / Computers OU. Below you find a list of the permissions being granted:
    1. Scope: This object and all descendant objects
      1. Create Computer objects
      2. Delete Computer objects
    2. Scope: Descendant Computer objects
      1. Read All Properties
      2. Write All Properties
      3. Read Permissions
      4. Modify Permissions
      5. Change Password
      6. Reset Password
      7. Validated write to DNS host name
      8. Validated write to service principal name

How to bypass the Unattend screen in Windows 8.1 Update

In Windows 8.1 with KB3065988 installed, the system prompts users to reserve a copy of Windows 10 as part of the OOBE process that occurs at the first startup cycle. For organizations that are deploying Windows 8.1 Pro by using an Unattend.xml file that automates the OOBE process, this reservation notice still occurs. To suppress this notice, you can use either of the following methods:

Use Group Policy
Set the following Group Policy setting to Disabled:

Computer Configuration > Administrative Templates > System > Logon > Show first sign-in animation

Change the Unattend.xml file
Add the following entry to the Unattend.xml file for Windows 8.1 Pro x64

<settings pass="specialize">
        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Description>DisableAnimation</Description>
                    <Order>1</Order>
                    <Path>reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v EnableFirstLogonAnimation /d 0 /t REG_DWORD /f </Path>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
    </settings>