Windows 7 Pre-Provision BitLocker Not Working

After updating Configuration Manager 2012 R2 and adding the Windows 10 ADK, task sequences that deploy Windows 7 will no longer pre-provision BitLocker.

Reason:

WinPE 10 (the boot image built from the Windows 10 ADK) defaults to the XTS-AES encryption method when it pre-provisions a volume. Windows 7 only understands AES-CBC, so a drive pre-provisioned with XTS-AES cannot be used by the Windows 7 image. Forcing WinPE back to AES-CBC 128-bit (value 3) fixes the task sequence.

Solution:

Add the following Run Command Line steps after Format and Partition and before Pre-provision BitLocker. They run in WinPE, so the policy lands in WinPE's own registry, which is what the pre-provision step reads.

  1. Set EncryptionMethodWithXtsFdv: reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsFdv /d 3 /f
  2. Set EncryptionMethodWithXtsOs: reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsOs /d 3 /f
  3. Set EncryptionMethodWithXtsRdv: reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsRdv /d 3 /f

Available encryption methods in WinPE 10 (value data for the three EncryptionMethodWithXts* entries; Windows 7 can only read the AES-CBC values 3 and 4):

  • 3: AES-CBC 128-bit
  • 4: AES-CBC 256-bit
  • 6: XTS-AES 128-bit
  • 7: XTS-AES 256-bit
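The same fix as a single "Run PowerShell Script" task sequence step, added here as an example and not part of the original post. It sets all three values at once, reads them back, and fails the step if anything did not stick; it also goes one step beyond the post by picking the value from the target OS, so the same step can serve Windows 7 (AES-CBC 128) and Windows 10 (XTS-AES 256) task sequences. The -TargetOS parameter and the function name are this example's own.

```powershell
# Added example (not part of the original post): set the BitLocker encryption-method
# policy in the WinPE registry before the "Pre-provision BitLocker" step and verify it.
# The -TargetOS parameter and Set-FveEncryptionMethod are this example's own names.
param(
    [ValidateSet('Windows7', 'Windows10')]
    [string]$TargetOS = 'Windows7'
)

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Names = 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv'

# Values from the table in the post: 3/4 = AES-CBC 128/256-bit, 6/7 = XTS-AES 128/256-bit.
# Windows 7 can only mount AES-CBC volumes; Windows 10 can use XTS-AES.
$Method = switch ($TargetOS) {
    'Windows7'  { 3 }   # AES-CBC 128-bit, the only family Windows 7 can read
    'Windows10' { 7 }   # XTS-AES 256-bit
}

function Set-FveEncryptionMethod {
    param([int]$Value)

    if (-not (Test-Path -Path $FvePolicy)) {
        New-Item -Path $FvePolicy -Force | Out-Null
    }
    foreach ($Name in $Names) {
        New-ItemProperty -Path $FvePolicy -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    }

    # Read back: a missing or wrong value here means pre-provisioning would silently
    # fall back to the WinPE default (XTS-AES), which is exactly the failure in the post.
    $Actual = Get-ItemProperty -Path $FvePolicy
    foreach ($Name in $Names) {
        if ($Actual.$Name -ne $Value) {
            throw "$Name is '$($Actual.$Name)', expected $Value"
        }
    }
}

try {
    Set-FveEncryptionMethod -Value $Method
    Write-Output "BitLocker encryption method policy set to $Method for $TargetOS"
    exit 0
}
catch {
    # A non-zero exit code fails the task sequence step instead of letting the
    # pre-provision step run with the wrong method.
    Write-Output "Failed to set BitLocker encryption method: $_"
    exit 1
}
```

Pass `-TargetOS Windows7` (or Windows10) in the step's parameters field. After the Pre-provision BitLocker step, running manage-bde -status C: in WinPE should report the encryption method you asked for; if it still shows XTS-AES, the policy step ran in the wrong place (after the pre-provision step or outside WinPE).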

CScript Error: Can’t find script engine “VBScript” for script

During an OSD task sequence in Configuration Manager, we ran into an error with a VBS script that had worked previously.

The error in the SMSTS.LOG file was: CScript Error: Can’t find script engine “VBScript” for script

The problem appears to be caused by a changed registry value: HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\REGDBVersion

After some searching on the internet, the solution was to modify the REGDBVersion value to hex:01,00,00.

Add to task sequence via a Command Line: REG ADD HKLM\Software\Microsoft\COM3 /v REGDBVersion /t REG_BINARY /d 010000 /f
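Here is the same fix as a PowerShell step that only rewrites the value when it is actually wrong and then proves the engine works, added as an example and not part of the original post. The verification runs a one-line VBScript through cscript, so the step fails with a clear message if the "Can't find script engine" error would still occur. The probe file name and the function names are this example's own.

```powershell
# Added example (not part of the original post): repair HKLM\Software\Microsoft\COM3\REGDBVersion
# only if it differs from 01,00,00, then confirm the VBScript engine is usable.
# Repair-RegDbVersion, Test-VbScriptEngine and the probe file name are this example's own.
$Com3Key  = 'HKLM:\SOFTWARE\Microsoft\COM3'
$Expected = [byte[]](0x01, 0x00, 0x00)   # hex:01,00,00 from the post

function Repair-RegDbVersion {
    $Current = (Get-ItemProperty -Path $Com3Key -Name REGDBVersion -ErrorAction SilentlyContinue).REGDBVersion
    $CurrentText = if ($null -eq $Current) { '<missing>' } else { ($Current | ForEach-Object { '{0:X2}' -f $_ }) -join ',' }

    # Byte-for-byte comparison; a missing value joins to '' and therefore never matches.
    if (($Current -join ',') -eq ($Expected -join ',')) {
        Write-Output "REGDBVersion already $CurrentText, nothing to do"
        return
    }
    Write-Output "REGDBVersion is $CurrentText, setting to 01,00,00"
    Set-ItemProperty -Path $Com3Key -Name REGDBVersion -Value $Expected -Type Binary
}

function Test-VbScriptEngine {
    # Constructed probe script: when the engine registration is broken, cscript prints
    # the "Can't find script engine" error and returns a non-zero exit code.
    $Probe = Join-Path -Path $env:TEMP -ChildPath 'vbscript-probe.vbs'
    Set-Content -Path $Probe -Value 'WScript.Echo "vbscript-ok"' -Encoding Ascii
    $Output = & cscript.exe //nologo $Probe 2>&1
    Remove-Item -Path $Probe -ErrorAction SilentlyContinue
    return ($LASTEXITCODE -eq 0 -and "$Output" -match 'vbscript-ok')
}

Repair-RegDbVersion
if (Test-VbScriptEngine) {
    Write-Output 'VBScript engine OK'
    exit 0
}
Write-Output 'VBScript engine still unavailable after the REGDBVersion fix'
exit 1
```

Put this step before the first step that runs a VBS script. If the probe still fails after the registry fix, the cause is something other than REGDBVersion (for example a boot image missing the scripting optional component), and the exit code 1 surfaces that in smsts.log instead of a cryptic failure later on.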

Profit!

MDT WSUS Windows 10 Updates Failing 0x8024401C

Had an issue with MDT failing to install Windows 10 via WSUS. I kept getting the 0x8024401C error.

I upgraded my WSUS on the Windows Server 2012 R2 to version 4.0. Then upgraded the host to Windows Server 2016. Still receiving the same error.

After some more Googling and trial and error I made the following changes to the IIS server for the WSUS Application Pool:

  • Queue Length: From 10000 to 25000
  • Limit Interval (minutes): From 5 to 15
  • "Service Unavailable" Response: From HttpLevel to TcpLevel
  • Private Memory Limit (KB): From 18342456 to 0

Build is now receiving updates from the WSUS server.
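The four changes above, scripted with the IIS WebAdministration module so they can be applied repeatably (and reviewed in a ticket) rather than clicked through in IIS Manager. This is an added example, not from the original post. It assumes the default pool name WsusPool that WSUS creates; the helper function names are this example's own. For context, 0x8024401C is the Windows Update client's translation of HTTP 408 (request timeout), which is why relaxing the pool's queue and memory limits helps.

```powershell
# Added example (not part of the original post): apply the four WsusPool settings from the
# post with the IIS WebAdministration module, print old and new values, then recycle the pool.
# WsusPool is the pool name WSUS creates by default; Get-PoolValue and Set-WsusPoolSettings
# are this example's own helper names.
Import-Module WebAdministration

$PoolName = 'WsusPool'
$Pool     = "IIS:\AppPools\$PoolName"

# UI setting in the post -> the IIS configuration property behind it.
$Settings = [ordered]@{
    'queueLength'                             = 25000      # Queue Length
    'failure.rapidFailProtectionInterval'     = '00:15:00' # Rapid-Fail Protection "Limit Interval (minutes)"
    'failure.loadBalancerCapabilities'        = 'TcpLevel' # "Service Unavailable" Response
    'recycling.periodicRestart.privateMemory' = 0          # Private Memory Limit (KB); 0 removes the limit
}

function Get-PoolValue([string]$DottedName) {
    # Walk a dotted property path such as recycling.periodicRestart.privateMemory on the pool object.
    $Node = Get-Item -Path $Pool
    foreach ($Part in $DottedName.Split('.')) { $Node = $Node.$Part }
    return $Node
}

function Set-WsusPoolSettings {
    foreach ($Entry in $Settings.GetEnumerator()) {
        $Before = Get-PoolValue $Entry.Key
        Set-ItemProperty -Path $Pool -Name $Entry.Key -Value $Entry.Value
        $After  = Get-PoolValue $Entry.Key
        Write-Output ('{0}: {1} -> {2}' -f $Entry.Key, $Before, $After)
    }
    # Recycle so the new limits apply to the running worker process, not just the next one.
    Restart-WebAppPool -Name $PoolName
}

Set-WsusPoolSettings
```

Run it elevated on the WSUS server. One caveat on the last setting: a private memory limit of 0 means the WSUS worker process is never recycled for memory, so keep an eye on w3wp.exe on a server that also hosts other sites.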

Add Updates to Windows 10 Images

Due to the issues with the Windows 10 1607 build and WSUS updates, I have added the April 2017 Cumulative Update into my Windows 10 image (install.wim).

Here are the steps that I completed:

    md C:\Servicing\mount\Windows
    Dism /Mount-Image /ImageFile:"C:\Servicing\Images\install.wim" /Index:1 /MountDir:C:\Servicing\mount\Windows
    Dism /Image:C:\Servicing\mount\Windows /Add-Package /PackagePath:C:\Servicing\MSU\windows10.0-kb4016635-x64_2b1b48aa6ec51c019187f15059b768b1638a21ab.msu /LogPath:C:\Servicing\AddPackage.log
    Dism /Unmount-Image /MountDir:C:\Servicing\mount\Windows /Commit

Once completed the Windows 10 WIM image will have the latest cumulative update installed.
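The same servicing run using the DISM PowerShell module, added here as an example and not part of the original post. It goes slightly beyond the post: it applies every .msu in the MSU folder, verifies the cumulative update is marked Installed before committing, and discards the mount if anything fails so a half-serviced image is never written back. The paths mirror the post; the function name is this example's own.

```powershell
# Added example (not part of the original post): offline-service install.wim with every
# .msu in a folder via the DISM PowerShell module, committing only on success.
# Paths follow the post; Add-UpdatesToImage is this example's own function name.
$ImagePath = 'C:\Servicing\Images\install.wim'
$MountDir  = 'C:\Servicing\mount\Windows'
$MsuDir    = 'C:\Servicing\MSU'
$LogPath   = 'C:\Servicing\AddPackage.log'

function Add-UpdatesToImage {
    param([int]$Index = 1)

    New-Item -Path $MountDir -ItemType Directory -Force | Out-Null
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir | Out-Null
    $Committed = $false
    try {
        # Apply in name order; Windows 10 cumulative updates supersede each other,
        # so the newest one in the folder is the one that ends up effective.
        foreach ($Msu in Get-ChildItem -Path $MsuDir -Filter '*.msu' | Sort-Object Name) {
            Write-Output "Adding $($Msu.Name)"
            Add-WindowsPackage -Path $MountDir -PackagePath $Msu.FullName -LogPath $LogPath | Out-Null
        }

        # Verify before committing: cumulative updates show up as Package_for_RollupFix packages.
        $Installed = Get-WindowsPackage -Path $MountDir |
            Where-Object { $_.PackageState -eq 'Installed' -and $_.PackageName -like 'Package_for_RollupFix*' }
        if (-not $Installed) {
            throw 'No cumulative update is marked Installed in the mounted image'
        }
        $Installed | Select-Object PackageName, PackageState | Format-Table -AutoSize

        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
        $Committed = $true
    }
    finally {
        if (-not $Committed) {
            # Any error above lands here: throw the changes away rather than commit a broken image.
            Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        }
    }
}

Add-UpdatesToImage -Index 1
```

Use the DISM that matches the ADK used for your boot images. A serviced WIM grows with each cumulative update; exporting the index to a fresh file with Export-WindowsImage afterwards drops the superseded payload.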

Best Practices

Some light reading for the bus ride home:

Download Whitepaper on Top 10 Best Practices on Windows 10 OSD with SCCM ConfigMgr

Downgrade TPM 2.0 to TPM 1.2 for Dell Devices

Dell devices with the TPM in 2.0 mode will not build on systems set to legacy BIOS boot, because Windows only supports TPM 2.0 with UEFI boot.

One workaround is to downgrade the TPM to 1.2 mode. The better long-term fix is to move the build to UEFI, which keeps TPM 2.0 and everything that depends on it.

The mode switch can be done using the Dell provided TPM firmware update utility. Switching modes clears the TPM, so suspend or decrypt BitLocker and back up any recovery keys before running it.

Have a look here for the details: http://en.community.dell.com/techcenter/enterprise-client/w/wiki/11850.how-to-change-tpm-modes-1-2-2-0

Microsoft Premier Workshop – EMS + S Technical Workshop


The four-day EMS + S Technical Workshop for Spark will provide members of the Spark technical support and delivery team the skills required to understand and successfully configure and support Spark’s EMS customer solution.

The topics included within this Workshop include

  • EMS Introduction
  • Managing client access
  • Defining and managing security & rights management
  • Implementing & applying user templates
  • Working with customer self-service options

In this Workshop, students will learn the tools used in EMS to help define and manage individual customer requirements within Spark's shared customer environment. This Workshop contains Level 300 content.

Key Features and Benefits

Each module is designed to provide participants with in-depth expertise, tools and experience in configuring and managing various EMS scenarios. As an exclusive Spark event, students will be able to deep dive on the Spark solution to define specific customer requirements. A series of User Scenarios will provide participants with the practical application of the features and functions they learn about.

Technical Highlights

This Workshop will include the following topics:

EMS Pre-Requisites

  • The Solution
  • Connecting a customer

Intune

  • Mobile device management
  • Controlling conditional access – device and applications
  • Managing compliance rules
  • Applying exemptions
  • Mobile application rules

Rights Management (RMS)

  • Activating RMS
  • Invoking and managing file protection
  • Configuring templates
  • Applying templates
  • User experience

Azure Active Directory Premium (AADP)

  • Identity and access management – Single Sign-On to access cloud apps from Windows, iOS and Android devices
  • Data protection
  • Self-service for employees – password and group management
  • Password resets
  • Group management
  • Customized MyApps portal
  • Integration with On-premises

User Scenarios – practical experience in applying the learning of the Workshop

Enabling/Disabling Fast Startup and Hibernation

Enable Hibernation: powercfg -h on

Enable Fast Startup: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_DWORD /D 1 /F

Disable Hibernation: powercfg -h off

Disable Fast Startup: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_DWORD /D 0 /F

Fast Startup depends on hibernation (it writes the kernel session to hiberfil.sys at shutdown), so powercfg -h off also disables Fast Startup regardless of the HiberbootEnabled value.

Microsoft Intune was not able to retrieve all the data

Microsoft Intune is set up and you are browsing through the Admin section. You notice the below message on a number of pages:

Microsoft Intune was not able to retrieve all the data

You save and review the log file. The second line reads:

Error occurred while retrieving JWT token, check that current user has an Intune license and try again.

Resolution

You need to assign an Intune A Direct license through the Office 365 Admin Center. Ensure you have appropriate administrative permission in Office 365.

Profit

 

Enable BitLocker on Azure AD Joined Windows 10 Device

Windows 10 devices will automatically encrypt the local drive when joining Azure Active Directory (AAD), and the recovery key is escrowed to the device object in AAD. The device must be InstantGo capable.

InstantGo (formerly known as Connected Standby) is a very low power state that some devices support. It is much like a mobile phone: the device is almost switched off but can still receive text messages and e-mail, and can wake to a different power state, for example when a call comes in.

How do you check this?

Open a command prompt and run powercfg /a.

Devices with InstantGo support list "Standby (S0 Low Power Idle) Network Connected" under the available sleep states:

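A script that turns the two checks above into something you can run on a fleet, added as an example and not part of the original post: it parses powercfg /a for the InstantGo line and, on a joined device, reports whether the OS drive actually ended up protected and whether a recovery password protector exists. The function names are this example's own; the BitLocker part needs the BitLocker PowerShell module that ships with Windows 10.

```powershell
# Added example (not part of the original post): check InstantGo support from "powercfg /a"
# and report the OS drive's BitLocker state. Test-InstantGo and Get-OsDriveProtection are
# this example's own names.
function Test-InstantGo {
    # powercfg /a lists the available sleep states first and the unavailable ones after a
    # "not available" line; InstantGo appears as "Standby (S0 Low Power Idle) Network Connected"
    # in the first part only.
    $Lines = & powercfg.exe /a
    $Available = @()
    foreach ($Line in $Lines) {
        if ($Line -match 'not available') { break }
        $Available += $Line
    }
    return [bool]($Available -match 'Network Connected')
}

function Get-OsDriveProtection {
    # One row for the OS volume: encryption state, protectors present, and whether a
    # recovery password exists at all (the value that gets escrowed to Azure AD).
    $Vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        VolumeStatus     = $Vol.VolumeStatus
        ProtectionStatus = $Vol.ProtectionStatus
        Protectors       = ($Vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        HasRecoveryKey   = [bool]($Vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

if (Test-InstantGo) {
    Write-Output 'InstantGo supported: automatic encryption on Azure AD join is possible'
} else {
    Write-Output 'No InstantGo: the drive will not be encrypted automatically on join'
}
Get-OsDriveProtection
```

HasRecoveryKey only tells you a recovery password protector exists on the device; confirm it was actually escrowed by checking the device's entry in the portal as described below, because a device that encrypted before it joined, or that lost connectivity during join, can hold a key that AAD never received.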

Where do I find the recovery key?

Users can retrieve their recovery key by going to http://myapps.microsoft.com, selecting Devices and then the device for which they want the recovery key.