I moved to http://www.thesccm.com

NOTE: I moved to http://www.thesccm.com

Advertisements

IE print pdf file error “Bad parameter”

NOTE: I moved to http://www.thesccm.com

How is this related with SCCM? No, it doesn’t 🙂

But because of Adobe Reader was deployed by SCCM, and there is print problem, so it became “SCCM package” problem, and it became my problem. 🙂

So the problem is when open a pdf file in IE, when you click this little “print” icon in IE, we got an error from Adobe Reader “Bad parameter.”

pdf-parameter-error

Although I am 100% sure nothing wrong with our Adobe Reader SCCM package, but I intend to find out what is the reason.

This is the setting what cause this “print issue” in my case.

Computer Configuration\Policies\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows

ie-64-tab-gpo

It was set “Enabled”. As “Help” mentioned, Some ActiveX controls and toolbars maybe not be available when 64-bit processes are used.

As you see, Adobe Reader XI is using 32-bit processes, so in this case, it stop working. (I am using 64-bit Windows 10)

adobe-process

I would suggest set it “Disable” or “Not Configured” if you wants to use Enhanced Protected Mode, and if you are not sure if all your ActiveX components work on 64-bit processe.

This setting you will find in your IE:

Internet Options->Advanced->Settings->Security->Enable 64-bit processes for Enhanced Protcted Mode

ie-setting

By change this setting in GPO “Disable” or “Not Configured”, or uncheck that in IE Advanced Setting, it fixed “bad parameter” problem.

 

#gpo, #ie, #troubleshooting

SCCM PXE boot failed after unintall WSUS.

NOTE: I moved to http://www.thesccm.com

Setup my test lab in this weekend to test SCCM TP 1609, and my PXE boot failed. SMSPXE.log shows:

RequestMPKeyInformation: Send() failed.
Unsuccessful in getting MP key information. 80004005.
PXE::MP_InitializeTransport failed; 0x80004005
PXE::MP_ReportStatus failed; 0x80070490,
PXE::CPolicyProvider::InitializeMPConnection failed; 0x80070490

mplist-failed

When tried to open MP list, http://my_sccm_server/sms_mp/.sms_aut?mplist, it gave me HTTP Error 500.19

mplist failed 2.PNG

Error Code 0x800700e, unable to load DLL.

So what happend? Well, because I uninstalled WSUS (not ask my way, I had my reason. 😀 ), applicationHost.config files didn’t updated itself.

How to fix it:

Open “C:\Windows\System32\inetsrv\config\applicationHost.config”, search “suscomp.dll”, and remove the whole line.
Problem soveled.

<scheme name="xpress" doStaticCompression="false" doDynamicCompression="true" dll="C:\Program Files\Update Services\WebServices\suscomp.dll" staticCompressionLevel="10" dynamicCompressionLevel="0" />

iis

Well, you can also install WSUS back, it will fix the problem for you. 🙂

#pxe, #sccm, #troubleshooting

Manually enable Bitlocker on Hyper-V Gen 2 Virtual Machine

Yes, you can automatic enable Bitlocker on your Hyper-V Gen 2 virtual machine during OSD, please read Niall Brady’s post https://www.windows-noob.com/forums/topic/12608-how-can-i-enable-bitlocker-on-hyper-v-gen-2-virtual-machines-during-osd-using-system-center-2012-r2-configuration-manager/

But if you already install a Hyper-V Gen 2 virtual machine, and you want to enable bitlocker, you can do it manually.

Wait a sencond, why do I want bitlocker on my virtual machine? Well, I need to test how bitlocker effect Windows 10 InPlace Upgrade. sepecially when using bitlocker start up PIN. So in virtual machine, I can setup bitlocker start up password, and see does SCCM know how to suspend the bitlocker password and continue InPlace upgrade.

Here are the steps:

  1. Open cmd as administrator.
  2. Set AES-256 Engryption
    REG.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "EncryptionMethod" /t REG_DWORD /d 2

     

  3. Allow enable bitlocker for no TPM chip
    REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 00000001 /f
    
    REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v EnableBDEWithNoTPM /t REG_DWORD /d 00000001 /f
    
    REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 00000002 /f 
    
    REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 00000002 /f
    
    REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKEY /t REG_DWORD /d 00000002 /f
    
    REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 00000002 /f

    bitlocker1Set AES-256 and enable allow bitlocker without TPM

  4. Enable bitlocker with password
    manage-bde -on C: -pw

     

  5. Create a password, you won’t see anything when you type it.
    bitlocker2

    Enable bitlocker on C: Drive and create password

     

  6. Restart virtual machine, it will ask for your bitlocker password.
    bitlocker3
  7. Check if you C drive has bitlocker enabled.
    bitlocker4

Continue reading

#bitlocker, #windows10

Is this a good way to update ADK 1607 and custom boot image in SCCM?

 

NOTE: Read this article before you start do anything 
https://blogs.technet.microsoft.com/enterprisemobility/2016/09/09/configuration-manager-and-the-windows-adk-for-windows-10-version-1607/

I don’t know if this is a good way to update ADK 1607 and custom the winpe.wim, that is how I did it. Since I have not been any MS events, classes or trainings. Honestly I have been only one day SCCM class in my career as an IT. So don’t trust everything what I said. 🙂

PS. if this it not a correct way to do, please let me know and comments are always welcome.

First: Update ADK 1607

  1. Download ADK 1607 https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit
  2. Uninstall earlier version of ADK.
  3. Install ADK 1607.
  4. Install to default path C:\Program Files (x86)\Windows Kits\10\
  5. These are the basic components you must install.
    Deployment Tools, Windows Preinstallation Environment, User State Migration Tool
  6. After ADK 1607 is installed, restart your server

Second: Custom default winpe.wim

Why do I custom the winpe? Well I want every boot image I am going to create has the language, keyboard layout, and timezone which are suitable for me, I don’t want to mount and umount my boot image each time. (I am lazy.)

  1. Create a folder C:\WIM
  2. Create a folder C:\WIM\Mount
  3. Copy “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim” to C:\Temp\WIM
  4. Change “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim” name to winpe.wim.bak
  5. Run Deployment and Imaging Tools Environment as administrator
    mdt
  6. Modify, copy and paste those dism lines what are suitable for you, and run it:
    # Mount winpe.wim to c:\wim\mount folder
    dism /mount-wim /wimfile:C:\wim\winpe.wim /mountdir:c:\wim\mount /index:1
    #set your timezone, in my case I use “FLE Standard Time”
    dism /image:C:\wim\mount /Set-TimeZone:"FLE Standard Time"
    #(Optional) if you are using other language than English, you can use these to set your winpe enviroment.
    Example: in my case is "fi-FI"
    
     dism /image:C:\wim\mount /Set-SysLocale:fi-FI
     dism /image:C:\wim\mount /Set-UserLocale:fi-FI
     dism /image:C:\wim\mount /Set-InputLocale:fi-FI 
    
    mountwim
  1. Create a new file name smsts.ini in C:\wim folder
    folder
  2. Copy and paste these to the smsts.ini file and save it.
    [Logging]
    LOGLEVEL=0
    LOGMAXSIZE=5242880
    LOGMAXHISTORY=3
    DEBUGLOGGING=1
    CCMDEBUGLOGGING=1

    smsts

  1. Copy smsts.ini file to C:\WIM\Mount\windows
  2. (Optional) Add Active Directory Module if you need it. Mick Pletcher has a blog post about it. Read here
  3. (Optional) Add Dell Command PowerShell Provider Read here
  4. Unmount and save the winpe.wim
    #unmount and commit changes
    dism /unmount-wim /mountdir:c:\wim\mount /commit
    
    unmount
  5. Copy C:\WIM\winpe.wim to “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\
    folder2

NOTE: Repeat 1-11 for x86 boot winpe image if you deploy 32bit machines.

Third: Update OSD boot image for SCCM

Use the script https://gallery.technet.microsoft.com/RegenerateBootImageWinPE10-f508f1e4

NOTE: Read the instruction how to use this script, it will update your older version of OSD boot image to the newest version, but it doesn’t update you custom made boot image, example MDT boot image.

At last: Create/Update custom boot image

If you are using custom made boot image, example MDT boot image, you will need to recreate that again. You can use this script to reimport your drivers from you older boot image. download here.

NOTE: When I test this script, I noticed that script itself is just a function, you can either use import-module to import this script, then run it. or you can use my modified script.  Download here

 

#adk, #osd, #sccm

Add/Remove computers to/from AD Group based on OU changes

NOTE: I moved to http://www.thesccm.com

This has nothing to do with SCCM. For a special reason, I just needed to have a way to add computers to AD group based on their OU.

Example you have created different OU name based on which city your computers are, and you also want to add those computers to AD group based on the city, and remove those computers from the AD group when computers are moved to another city OU.

So here is the shorter version of script I came up with:

$OU = "OU=Helsinki,OU=Computers,DC=Z-IT,DC=com"
$Group = "CN=Helsinki Computers,OU=Groups,DC=Z-IT,DC=com"

#Example City Helsinki
#remove from group
Get-ADGroupMember –Identity $Group | Where-Object { $_.distinguishedName –NotMatch $OU } | ForEach-Object {
         Remove-ADGroupMember $Group -Members $_.DistinguishedName -Confirm:$false
}

#Add to group
Get-ADComputer –SearchBase $OU –SearchScope OneLevel –LDAPFilter "(!memberOf=$Group)" | ForEach-Object {
         Add-ADGroupMember $group -Members $_.DistinguishedName
}

Here is the longer version, which writes log file, and send log file to you email.
Download Link: Click here

#ad, #powershell

SCCM Search Tool (beta)

Has been in my mind to make a new tool, just didn’t know what do I make. Finally on Friday I made up my mind to make a SCCM search tool. Some time ago when we were doing troubleshooting, reading sccm log files, and have no idea what those long numbers means, example: 674ab-eec5-40e1-a5f2-9. 😀

You need Admin Console installed and connection to SCCM server before you run the tool.

This is just a beta, so it doesn’t search everything. And please don’t use too short search keywords. 😀

I will continue make it better when I have time.

Download from TechNet Gallery:  Click here

Updates: 22.9.2016. Added Software Updates search

sccmsearch

 softwareupdate

#sccm