After updating Configuration Manager 2012 R2 and adding the Windows 10 ADK, task sequences will no longer pre-provision BitLocker.
With WinPE 10 it uses the AES-CBC 128-bit encryption method.
Add the following Run Command Line steps after Format and Partition and before Pre-provision BitLocker.
- Set EncryptionMethodWithXtsFdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsFdv /d 3 /f
- Set EncryptionMethodWithXtsOs – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsOs /d 3 /f
- Set EncryptionMethodWithXtsRdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsRdv /d 3 /f
Available Encryption Methods in WinPE 10
- Value Data: 3 (Description: AES-CBC 128-bit)
- Value Data: 4 (Description: AES-CBC 256-bit)
- Value Data: 6 (Description: XTS-AES 128-bit)
- Value Data: 7 (Description: XTS-AES 256-bit)
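A check for the steps above, as an added example that is not part of the original post: it decodes the three FVE policy values using the table above and compares a volume's actual encryption method with the value data you expected. It assumes PowerShell is available (WinPE needs the optional PowerShell component) and, for the volume check, the BitLocker module in the deployed OS; the function names are made up for this example.

```powershell
# Added example: audit the FVE policy values written by the reg add steps above.
# Value data -> method name, taken from the table on this page.
$MethodNames = @{ 3 = 'AES-CBC 128-bit'; 4 = 'AES-CBC 256-bit'
                  6 = 'XTS-AES 128-bit'; 7 = 'XTS-AES 256-bit' }
# Value data -> EncryptionMethod name reported by Get-BitLockerVolume.
$CmdletNames = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueNames  = 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv'

function Get-FveMethodPolicy {
    # One object per policy value: name, raw data, decoded method.
    # Reads the registry of whatever OS it runs in (WinPE or the deployed OS).
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $ValueNames) {
        $data = if ($props) { $props.$name } else { $null }
        $method = 'not set'
        if ($null -ne $data) {
            $method = 'unknown value'
            if ($MethodNames.ContainsKey([int]$data)) { $method = $MethodNames[[int]$data] }
        }
        [pscustomobject]@{ Name = $name; Data = $data; Method = $method }
    }
}

function Test-VolumeMethod {
    # Compares what the volume was actually encrypted with against the value
    # data you set in the task sequence (default 3, as in the steps above).
    # Run elevated in the deployed OS; WinPE registry values do not persist there.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [ValidateSet(3, 4, 6, 7)][int]$ExpectedData = 3
    )
    $actual = [string](Get-BitLockerVolume -MountPoint $MountPoint).EncryptionMethod
    [pscustomobject]@{
        MountPoint = $MountPoint
        Expected   = $MethodNames[$ExpectedData]
        Actual     = $actual
        Match      = ($actual -eq $CmdletNames[$ExpectedData])
    }
}

Get-FveMethodPolicy | Format-Table -AutoSize
Test-VolumeMethod -ExpectedData 3
```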
Here is an article from Johan Arwidmark regarding adding IE11 to your reference image.
Don’t forget to update the unattend.xml.
Also, here are the KB articles not to deploy to the Windows 7 reference image:
If you get a DISM error, this is usually associated with the updates being added to the OS via offline servicing.
Check the DISM.log file for the update that is affecting your build: X:\Windows\Logs\DISM.log
Failed to run the action: Use Toolkit Package.
The system cannot find the file specified. (Error: 80070002; Source: Windows)
System Center 2012 R2 CU5 integrated with MDT 2013, deploying Windows 7 SP1 with Office 2013.
This occurs if the Drive Letter task sequence variable is configured to True. It does not occur if it is configured to False.
To work around this issue, create the following two Task Sequence variables at the very top of the Task Sequence:
SMSTSDownloadRetryCount = 5
SMSTSDownloadRetryDelay = 15
Place them immediately after the Execute Task Sequence group.
The title says it all. The MigApp.xml file only covers up to Office 2010, so you will need to download the hotfix from Microsoft. This will replace the existing MigApp.xml file with the updated MigApp.xml file.
Once updated, you may need to redistribute the package(s) used in your user migration solution.
For a kiosk I need to remove the Computer icon from the Start Menu.
The group policy location is: User Configuration, Administrative Templates, Desktop then Remove computer icon on the desktop
This setting hides computer from the desktop and from the new Start menu. It also hides links to computer in the Web view of all Explorer windows, and it hides computer in the Explorer folder tree pane. If the user navigates into computer via the “Up” button while this setting is enabled, they view an empty computer folder. This setting allows administrators to restrict their users from seeing computer in the shell namespace, allowing them to present their users with a simpler desktop environment.
If you enable this setting, computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to computer, the folder will be empty.
If you disable this setting, computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting.
If you do not configure this setting, the default is to display computer as usual.
This issue happened in our production environment. The KMS activation failed on a Windows 7 client due to a corrupt tokens.dat file.
The solution was to stop the service, rename the tokens.dat file and restart the service again. Then activate the client against the KMS host.
- net stop sppsvc
- CD %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
- REN tokens.dat tokens.bar
- net start sppsvc
- slmgr /ipk 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH (This client key should still be on the client)
- slmgr /ato
I needed to disable some devices on a Windows 7 x64 computer. Did the usual download from Microsoft, then constructed the syntax. I kept getting: Disable failed.
I have this working on Windows XP x86. After some googling it turned out that the 64-bit version of Devcon.exe that is available to download from Microsoft is not compatible with Windows 7 64-bit. Go figure.
You need to extract it from Windows Server 2003 x64 DVD.
Here is a link for the x64 version of Devcon.exe (zipped):
Disabling devices using Devcon
- List all devices to a text file: devcon find * > d:\list.txt
- Verify the device is unique: devcon find *VEN_1113
- Disable the device: devcon disable *VEN_1113
Great tool for MDT users if you're unable to connect to WSUS or the internet. Download all those security updates for each OS in one easy-to-use bundle. Love this tool.
Get NETDOM.EXE and NETDOM.MUI (remember there are x86 and x64 versions) from the Windows 7 RSAT.
NETDOM JOIN %computername% /DOMAIN:local.net /UserD:local\BuildAccount /PasswordD:pa$$word
These Lenovo SCCM packages provide device drivers in .inf form for ThinkPad computers. They allow you to deploy Windows images (WIM) with Microsoft System Center Configuration Manager (SCCM) and Microsoft Deployment Toolkit (MDT) by importing the device drivers.