BitLocker, Configuration Manager 2012, Deployment, Registry, Task Sequence, Windows 10, Windows 7, Windows Preinstallation Environment

Windows 7 Pre-Provision BitLocker Not Working

After updating Configuration Manager 2012 R2 and adding the Windows 10 ADK, task sequences will no longer pre-provision BitLocker.

Reason:

With WinPE 10 it uses the AES-CBC 128-bit encryption method.

Solution:

Add the following Run Command Line steps after Format and Partition and before Pre-provision BitLocker.

  1. Set EncryptionMethodWithXtsFdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsFdv /d 3 /f
  2. Set EncryptionMethodWithXtsOs – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsOs /d 3 /f
  3. Set EncryptionMethodWithXtsRdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsRdv /d 3 /f

Available Encryption Methods in WinPE 10

  1. Value Data: 3 (Description: AES-CBC 128-bit)
  2. Value Data: 4 (Description: AES-CBC 256-bit)
  3. Value Data: 6 (Description: XTS-AES 128-bit)
  4. Value Data: 7 (Description: XTS-AES 256-bit)
Configuration Manager 2012, Deployment, MDT, System Center, Windows Preinstallation Environment

Windows Preinstallation Environment Version and Associated OS Version

| WinPE | Windows | Windows Version | Notes |
|---|---|---|---|
| 1.0 | Windows XP | 5.1.2600.x | First version of WinPE. |
| 1.1 | Windows XP SP1 | 5.1.2600.x | |
| 1.2 | Windows Server 2003 | 5.2.3790.x | |
| 1.5 | Windows XP SP2 | 5.1.2600.x | Windows PE 2004. |
| 1.6 | Windows Server 2003 SP1 | 5.2.3790.x | Windows PE 2005. |
| 2.0 | Windows Vista | 6.0.6000.x | |
| 2.1 | Windows Server 2008 | 6.0.6001.x | |
| 2.2 | Windows Server 2008 SP2 | 6.0.6002.x | |
| 3.0 | Windows 7 | 6.1.7600.x | Windows AIK 2.0. |
| 3.1 | Windows 7 SP1 | 6.1.7601.x | Windows AIK Supplement for Windows 7 SP1. |
| 4.0 | Windows 8 | 6.2.9200.x | Windows ADK (Windows Kits 8.0). |
| 5.0 | Windows 8.1 | 6.3.9300.x | Windows ADK (Windows Kits 8.1). |
| 5.1 | Windows 8.1 Update 1 | 6.3.9600.x | Windows ADK (Windows Kits 8.1 Update). |
| 10.0 | Windows 10 | 10.0.10240.16384 | Windows ADK (Windows Kits 10.0) |

Active Directory, Administration, Deployment, MDT, PowerShell, Script, Windows 10, Windows Preinstallation Environment

PowerShell – Configure Active Directory Permissions to Join Computer to the Domain

In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.

These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample Set-OUPermissions.ps1 script and copied it to C:\Setup\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01.

  1. On DC01, using Active Directory Users and Computers, browse to contoso.com / Contoso / Service Accounts.
  2. Select the Service Accounts organizational unit (OU) and create the MDT_JD account using the following settings:
    1. Name: MDT_JD
    2. User logon name: MDT_JD
    3. Password: P@ssw0rd
    4. User must change password at next logon: Clear
    5. User cannot change password: Select
    6. Password never expires: Select
  3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press Enter after each command:
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
    Set-Location C:\Setup\Scripts
    .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
    
  4. The Set-OUPermissions.ps1 script grants the MDT_JD user account permissions to manage computer accounts in the Contoso / Computers OU. Below is a list of the permissions being granted:
    1. Scope: This object and all descendant objects
      1. Create Computer objects
      2. Delete Computer objects
    2. Scope: Descendant Computer objects
      1. Read All Properties
      2. Write All Properties
      3. Read Permissions
      4. Modify Permissions
      5. Change Password
      6. Reset Password
      7. Validated write to DNS host name
      8. Validated write to service principal name
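
To check what the join account actually holds on the OU after the script has run, the ACL can be read back and compared with the list above. This is an added example, not part of Set-OUPermissions.ps1 or MDT; it assumes the ActiveDirectory module is available on DC01, that the NetBIOS domain name is CONTOSO, and the function names are hypothetical.

```powershell
# Added example (not Set-OUPermissions.ps1): report what MDT_JD holds on the OU.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

# DN assembled from the page's OU path and domain; NetBIOS name CONTOSO is assumed.
$TargetOU = 'OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com'
$Account  = 'CONTOSO\MDT_JD'

# Well-known schema / control-access-right GUIDs behind the permissions listed above.
$GuidNames = @{
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'Computer'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write to DNS host name'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write to service principal name'
    '00000000-0000-0000-0000-000000000000' = '(any)'
}

function Resolve-GuidName {
    param([guid]$Guid)
    $key = $Guid.ToString()
    if ($GuidNames.ContainsKey($key)) { $GuidNames[$key] } else { $key }
}

function Get-DelegatedAce {
    param([string]$OU = $TargetOU, [string]$Identity = $Account)
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            [pscustomobject]@{
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                Object    = Resolve-GuidName $_.ObjectType          # class or right the ACE names
                AppliesTo = Resolve-GuidName $_.InheritedObjectType # class of object it is inherited by
                Scope     = $_.InheritanceType
                Inherited = $_.IsInherited
            }
        }
}

$aces = @(Get-DelegatedAce)
$aces | Format-Table -AutoSize

# Every ACE in the list above is tied to Computer objects, either as the object
# being created/deleted or as the class it applies to. Anything else is extra.
$aces | Where-Object { $_.Object -ne 'Computer' -and $_.AppliesTo -ne 'Computer' } |
    Format-Table -AutoSize
```

An empty second table means the account's rights on this OU are confined to Computer objects, matching the two scopes in the list.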
Configuration Manager 2012, Deployment, Logs, MDT, System Center, Task Sequence, Windows 7, Windows Preinstallation Environment

Failed to run the action: Use Toolkit Package – Error: 80070002; Source: Windows

Error:

Failed to run the action: Use Toolkit Package.
The system cannot find the file specified. (Error: 80070002; Source: Windows)

Environment:

System Center 2012 R2 CU5 integrated with MDT 2013. Deploying Windows 7 SP1 with Office 2013.

Cause:

This occurs if the Drive Letter task sequence variable is configured to True. It does not occur if it is configured to False.

Solution:

To work around this issue, create the following two Task Sequence variables at the very top of the Task Sequence:

SMSTSDownloadRetryCount = 5
SMSTSDownloadRetryDelay = 15

Place them immediately after the Execute Task Sequence group.

Deployment, Logs, MDT, Task Sequence, Windows Preinstallation Environment

Troubleshooting OSD – Now where are those logs again?

When troubleshooting your OSD, it is always good to know the log locations. Here is a quick list of where smsts.log lives during the deployment:

  • WindowsPE, before HDD format: x:\windows\temp\smstslog\smsts.log
  • WindowsPE, after HDD format: x:\smstslog\smsts.log
  • Windows, SCCM agent not installed: c:\_SMSTaskSequence\Logs\Smstslog\smsts.log
  • Windows, SCCM agent installed: c:\windows\system32\ccm\logs\Smstslog\smsts.log
  • Windows x64, SCCM agent installed: c:\windows\sysWOW64\ccm\logs\Smstslog\smsts.log
  • Task Sequence completed: c:\windows\system32\ccm\logs\smsts.log
  • Task Sequence completed x64: c:\windows\sysWOW64\ccm\logs\smsts.log
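
The list above can be turned into a small helper that checks each location and returns only the error entries from whichever smsts.log files exist. This is an added example, not from the original post; the function names are hypothetical, the entry layout in the regex is the CMTrace-style format these logs are assumed to use, and the sample entry is constructed from the error text quoted elsewhere on this page.

```powershell
# Added example: find smsts.log in the locations listed above and return its error entries.
$SmstsLocations = @(
    'X:\windows\temp\smstslog\smsts.log'               # WindowsPE, before HDD format
    'X:\smstslog\smsts.log'                            # WindowsPE, after HDD format
    'C:\_SMSTaskSequence\Logs\Smstslog\smsts.log'      # Windows, agent not installed
    'C:\windows\system32\ccm\logs\Smstslog\smsts.log'  # Windows, agent installed
    'C:\windows\sysWOW64\ccm\logs\Smstslog\smsts.log'  # Windows x64, agent installed
    'C:\windows\system32\ccm\logs\smsts.log'           # Task sequence completed
    'C:\windows\sysWOW64\ccm\logs\smsts.log'           # Task sequence completed, x64
)

# Assumed entry layout: <![LOG[text]LOG]!><time="..." date="..." component="..." ... type="N" ...>
$EntryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)".*?type="(?<type>\d)"'

function ConvertFrom-SmstsLog {
    param([string]$Text, [string]$Source = '(inline)')
    # Singleline lets a message that spans several lines stay in one entry.
    $opts = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($Text, $EntryPattern, $opts)) {
        [pscustomobject]@{
            Source    = $Source
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Type      = [int]$m.Groups['type'].Value   # 1 = info, 2 = warning, 3 = error
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

function Get-SmstsError {
    param([string[]]$Path = $SmstsLocations)
    foreach ($log in $Path) {
        if (Test-Path -LiteralPath $log) {
            ConvertFrom-SmstsLog -Text (Get-Content -LiteralPath $log -Raw) -Source $log |
                Where-Object { $_.Type -eq 3 }
        }
    }
}

# Constructed sample entry (time, component, thread and file values are made up).
$sample = '<![LOG[Failed to run the action: Use Toolkit Package.' + "`n" +
          'The system cannot find the file specified. (Error: 80070002; Source: Windows)]LOG]!>' +
          '<time="10:15:42.123+000" date="01-01-2015" component="TSManager" context="" type="3" thread="1234" file="sample.cxx:1">'
ConvertFrom-SmstsLog -Text $sample | Format-List
Get-SmstsError | Format-Table Source, Date, Time, Message -Wrap
```

In Windows PE this needs the PowerShell optional component in the boot image; on the deployed OS it runs as-is.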

Are you PXE booting?

Better have this log file in your favourites: \\DPServer\D$\SMS_DP$\sms\logs\SMSPXE.log. It records details about the responses to PXE boot clients and details about expansion of boot images and boot files.

Conference, Deployment, Drivers, MDT, Microsoft, PowerShell, Task Sequence, TechEd, Windows 8.1, Windows Preinstallation Environment

Michael Niehaus Notes from TechEd North America

As we were going through our TechEd North America deployment pre-conference today, we showed a lot of links for pages of interest. Here is a list of those (at least the ones I remembered):

Also, be sure to look for the session slides on http://deploymentbunny.com.

Configuration Manager 2012, Deployment, Drivers, MDT, Windows 7, Windows 8.1, Windows Preinstallation Environment

Lenovo SCCM Package

These Lenovo SCCM packages provide device drivers in .inf form for ThinkPad computers. They allow you to deploy Windows images (WIM) with Microsoft System Center Configuration Manager (SCCM) and Microsoft Deployment Toolkit (MDT) by importing the device drivers.

http://download.lenovo.com/express/sccm.html

Deployment, USMT, WADK, Windows 8.1, Windows Preinstallation Environment

Windows Assessment and Deployment Kit (ADK) Released

The new Windows ADK is a set of tools that you can use to customize, assess, and deploy Windows operating systems to new computers. It is for use with Windows 8 Release Preview and future Windows 8 releases. The collection includes:

  • Application Compatibility Toolkit (ACT)
  • Deployment Tools, such as DISM, SIM, OSCDIMG and PowerShell cmdlets
  • User State Migration Tool (USMT)
  • Volume Activation Management Tool (VAMT) – A great tool!
  • Windows Performance Toolkit (WPT) – tools to record system events and analyze performance data
  • Windows Assessment Toolkit – assessments are tasks that simulate user activity and examine the state of the computer
  • Windows Assessment Services – remotely manage settings, computers, images, and assessments in a lab environment
  • Windows Preinstallation Environment (Windows PE)

Download it from: http://www.microsoft.com/en-us/download/details.aspx?id=30652