NOTE: I moved to http://www.thesccm.com

How is this related to SCCM? It isn’t. 🙂

But because Adobe Reader was deployed by SCCM and there is a print problem, it became an “SCCM package” problem, and so it became my problem. 🙂

So the problem is this: when you open a PDF file in IE and click the little “print” icon in IE, we get an error from Adobe Reader: “Bad parameter.”

Although I am 100% sure there is nothing wrong with our Adobe Reader SCCM package, I intend to find out what the reason is.

This is the setting that caused the “print issue” in my case.

Computer Configuration\Policies\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows

It was set to “Enabled”. As the “Help” text mentions, some ActiveX controls and toolbars may not be available when 64-bit processes are used.

As you see, Adobe Reader XI uses 32-bit processes, so in this case it stops working. (I am using 64-bit Windows 10.)

I would suggest setting it to “Disabled” or “Not Configured” if you want to use Enhanced Protected Mode and you are not sure whether all your ActiveX components work in 64-bit processes.

You will find this setting in IE:

Internet Options->Advanced->Settings->Security->Enable 64-bit processes for Enhanced Protected Mode

Changing this setting in the GPO to “Disabled” or “Not Configured”, or unchecking it in the IE Advanced settings, fixed the “Bad parameter” problem.


I set up my test lab this weekend to test SCCM TP 1609, and my PXE boot failed. SMSPXE.log shows:

RequestMPKeyInformation: Send() failed.
Unsuccessful in getting MP key information. 80004005.
PXE::MP_InitializeTransport failed; 0x80004005
PXE::MP_ReportStatus failed; 0x80070490,
PXE::CPolicyProvider::InitializeMPConnection failed; 0x80070490

When I tried to open the MP list, http://my_sccm_server/sms_mp/.sms_aut?mplist, it gave me HTTP Error 500.19.

Error Code 0x800700e, unable to load DLL.

So what happened? Well, because I uninstalled WSUS (don’t ask me why, I had my reasons 😀), the applicationHost.config file didn’t update itself.

How to fix it:

Open “C:\Windows\System32\inetsrv\config\applicationHost.config”, search for “suscomp.dll”, and remove the whole line.
Problem solved.

<scheme name="xpress" doStaticCompression="false" doDynamicCompression="true" dll="C:\Program Files\Update Services\WebServices\suscomp.dll" staticCompressionLevel="10" dynamicCompressionLevel="0" />

Well, you can also install WSUS back, it will fix the problem for you. 🙂
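
The same fix as a script, as an added example that is not part of the original post: it backs up applicationHost.config and removes every compression scheme whose DLL no longer exists on disk, which covers the suscomp.dll entry left behind by WSUS. The function name Remove-OrphanedCompressionScheme is hypothetical; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Finds <scheme> entries under
# <httpCompression> whose DLL is missing on disk, such as the WSUS suscomp.dll
# entry, backs up applicationHost.config and removes them.
function Remove-OrphanedCompressionScheme {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
    )

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true      # keep the file's layout intact
    $xml.Load($ConfigPath)

    # Collect first, remove afterwards: never delete while enumerating a node list.
    $orphans = @($xml.SelectNodes('//httpCompression/scheme[@dll]') | Where-Object {
        # The stock gzip entry uses %Windir%, so expand variables before testing.
        $dll = [Environment]::ExpandEnvironmentVariables($_.GetAttribute('dll'))
        -not (Test-Path -LiteralPath $dll)
    })

    if ($orphans.Count -eq 0) {
        Write-Verbose 'No compression scheme points at a missing DLL.'
        return
    }

    if ($PSCmdlet.ShouldProcess($ConfigPath, "Remove $($orphans.Count) orphaned scheme(s)")) {
        $backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $ConfigPath, (Get-Date)
        Copy-Item -LiteralPath $ConfigPath -Destination $backup
        foreach ($node in $orphans) {
            [void]$node.ParentNode.RemoveChild($node)
        }
        $xml.Save($ConfigPath)
    }

    # Return what was (or, with -WhatIf, would be) removed so it can be reviewed.
    $orphans | ForEach-Object {
        [pscustomobject]@{ Name = $_.GetAttribute('name'); Dll = $_.GetAttribute('dll') }
    }
}

# Dry run first; drop -WhatIf to write the change.
Remove-OrphanedCompressionScheme -WhatIf
```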

Manually enable Bitlocker on Hyper-V Gen 2 Virtual Machine

But if you have already installed a Hyper-V Gen 2 virtual machine and you want to enable BitLocker, you can do it manually.

Wait a second, why do I want BitLocker on my virtual machine? Well, I need to test how BitLocker affects a Windows 10 in-place upgrade, especially when using a BitLocker startup PIN. So in a virtual machine I can set up a BitLocker startup password and see whether SCCM knows how to suspend the BitLocker password and continue the in-place upgrade.

Here are the steps:

2. Set AES-256 Encryption
REG.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "EncryptionMethod" /t REG_DWORD /d 2

3. Allow enabling BitLocker without a TPM chip

REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v EnableBDEWithNoTPM /t REG_DWORD /d 00000001 /f

REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 00000002 /f

REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 00000002 /f

REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKEY /t REG_DWORD /d 00000002 /f

REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 00000002 /f

Set AES-256 and allow BitLocker without TPM

manage-bde -on C: -pw

5. Create a password, you won’t see anything when you type it.

Enable bitlocker on C: Drive and create password

7. Check if your C drive has BitLocker enabled.
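
One way to do the check in step 7, as an added example that is not part of the original post: it compares the FVE policy values from the REG.exe commands above with what is actually in the registry, then reports the BitLocker state of C:. The function name Test-BitLockerLabSetup is hypothetical; the expected values are copied from the commands on this page, and Get-BitLockerVolume needs an elevated prompt.

```powershell
# Added example (not from the original post). Verifies the policy values written
# in steps 2-3 and reports whether the volume is encrypted with a password protector.
function Test-BitLockerLabSetup {   # hypothetical name
    param([string]$MountPoint = 'C:')

    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    # Expected values, copied from the REG.exe commands on this page.
    $expected = [ordered]@{
        EncryptionMethod   = 2
        EnableBDEWithNoTPM = 1
        UseTPM             = 2
        UseTPMPIN          = 2
        UseTPMKEY          = 2
        UseTPMKeyPIN       = 2
    }

    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $policyReport = foreach ($name in $expected.Keys) {
        # A value that was never written shows up as $null, not as an error.
        $present = $policy -and ($policy.PSObject.Properties.Name -contains $name)
        $actual  = if ($present) { $policy.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Match    = ($actual -eq $expected[$name])
        }
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $volumeReport = [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        PercentEncrypted = $vol.EncryptionPercentage
        KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
        HasPassword      = ($vol.KeyProtector.KeyProtectorType -contains 'Password')
    }

    [pscustomobject]@{ Policy = $policyReport; Volume = $volumeReport }
}

$result = Test-BitLockerLabSetup
$result.Policy | Format-Table -AutoSize
$result.Volume | Format-List
```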

Is this a good way to update ADK 1607 and custom boot image in SCCM?

I don’t know if this is a good way to update ADK 1607 and customize winpe.wim; this is just how I did it, since I have not been to any MS events, classes or trainings. Honestly, I have had only one day of SCCM class in my career in IT. So don’t trust everything I say. 🙂

PS. If this is not the correct way to do it, please let me know; comments are always welcome.

2. Uninstall earlier version of ADK.
4. Install to default path C:\Program Files (x86)\Windows Kits\10\
5. These are the basic components you must install.
Deployment Tools, Windows Preinstallation Environment, User State Migration Tool

Second: Customize the default winpe.wim

Why do I customize WinPE? Well, I want every boot image I create to have the language, keyboard layout and time zone that suit me; I don’t want to mount and unmount my boot image each time. (I am lazy.)

1. Create a folder C:\WIM
2. Create a folder C:\WIM\Mount
3. Copy “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim” to C:\Temp\WIM
4. Change “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim” name to winpe.wim.bak
5. Run Deployment and Imaging Tools Environment as administrator
6. Modify the dism lines below to suit your environment, then copy, paste and run them:
# Mount winpe.wim to the c:\wim\mount folder
dism /mount-wim /wimfile:C:\wim\winpe.wim /mountdir:c:\wim\mount /index:1
# Set your time zone; in my case I use “FLE Standard Time”
dism /image:C:\wim\mount /Set-TimeZone:"FLE Standard Time"
# (Optional) If you are using a language other than English, you can use these to set your WinPE environment.
# Example: in my case it is "fi-FI"

dism /image:C:\wim\mount /Set-SysLocale:fi-FI
dism /image:C:\wim\mount /Set-UserLocale:fi-FI
dism /image:C:\wim\mount /Set-InputLocale:fi-FI

1. Create a new file named smsts.ini in the C:\wim folder
2. Copy and paste these to the smsts.ini file and save it.
[Logging]
LOGLEVEL=0
LOGMAXSIZE=5242880
LOGMAXHISTORY=3
DEBUGLOGGING=1
CCMDEBUGLOGGING=1

1. Copy smsts.ini file to C:\WIM\Mount\windows
2. (Optional) Add Active Directory Module if you need it. Mick Pletcher has a blog post about it. Read here
4. Unmount and save the winpe.wim
#unmount and commit changes
dism /unmount-wim /mountdir:c:\wim\mount /commit

5. Copy C:\WIM\winpe.wim to “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\”

NOTE: Repeat 1-11 for x86 boot winpe image if you deploy 32bit machines.

Third: Update OSD boot image for SCCM

Use the script https://gallery.technet.microsoft.com/RegenerateBootImageWinPE10-f508f1e4

NOTE: Read the instructions on how to use this script. It will update your older OSD boot images to the newest version, but it doesn’t update your custom-made boot images, for example an MDT boot image.

At last: Create/Update custom boot image

If you are using a custom-made boot image, for example an MDT boot image, you will need to recreate it. You can use this script to reimport the drivers from your older boot image. Download here.

NOTE: When I tested this script, I noticed that the script itself is just a function; you can either use Import-Module to import the script and then run it, or you can use my modified script. Download here


This has nothing to do with SCCM. For a special reason, I just needed a way to add computers to an AD group based on their OU.

For example, you have created different OUs named after the city your computers are in, and you also want to add those computers to an AD group based on the city, and remove them from the AD group when the computers are moved to another city’s OU.

So here is the shorter version of the script I came up with:

Import-Module ActiveDirectory

#Example City Helsinki
$OU = "OU=Helsinki,OU=Computers,DC=Z-IT,DC=com"
$Group = "CN=Helsinki Computers,OU=Groups,DC=Z-IT,DC=com"

#remove from group: members whose DN is no longer under the OU
#(-NotMatch is a regex match, so the DN is escaped first)
Get-ADGroupMember -Identity $Group | Where-Object { $_.distinguishedName -NotMatch ([regex]::Escape($OU)) } | ForEach-Object {
    Remove-ADGroupMember $Group -Members $_.DistinguishedName -Confirm:$false
}

#add to group: computers directly in the OU that are not yet members
Get-ADComputer -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!(memberOf=$Group))" | ForEach-Object {
    Add-ADGroupMember $Group -Members $_.DistinguishedName
}

Here is the longer version, which writes a log file and sends the log file to your email.

SCCM Search Tool (beta)

It has been on my mind to make a new tool; I just didn’t know what to make. Finally, on Friday I made up my mind to make an SCCM search tool. Some time ago, when we were troubleshooting and reading SCCM log files, we had no idea what those long numbers meant, for example: 674ab-eec5-40e1-a5f2-9. 😀

You need the Admin Console installed and a connection to the SCCM server before you run the tool.

This is just a beta, so it doesn’t search everything. And please don’t use too short search keywords. 😀

I will continue to make it better when I have time.