Manually enable Bitlocker on Hyper-V Gen 2 Virtual Machine

Yes, you can automatically enable BitLocker on your Hyper-V Gen 2 virtual machine during OSD; please read Niall Brady's post https://www.windows-noob.com/forums/topic/12608-how-can-i-enable-bitlocker-on-hyper-v-gen-2-virtual-machines-during-osd-using-system-center-2012-r2-configuration-manager/

But if you have already installed a Hyper-V Gen 2 virtual machine and want to enable BitLocker, you can do it manually.

Wait a second, why do I want BitLocker on my virtual machine? Well, I need to test how BitLocker affects the Windows 10 in-place upgrade, especially when using a BitLocker startup PIN. So in a virtual machine I can set up a BitLocker startup password and see whether SCCM knows how to suspend the BitLocker password and continue the in-place upgrade.

Here are the steps:

  1. Open cmd as administrator.
  2. Set AES-256 encryption:
    REG.exe ADD "HKLM\Software\Policies\Microsoft\FVE" /v "EncryptionMethod" /t REG_DWORD /d 2 /f

  3. Allow BitLocker to be enabled without a TPM chip:
    REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 00000001 /f
    REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v EnableBDEWithNoTPM /t REG_DWORD /d 00000001 /f
    REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 00000002 /f
    REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 00000002 /f
    REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKEY /t REG_DWORD /d 00000002 /f
    REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 00000002 /f

    (Screenshot: Set AES-256 and allow BitLocker without TPM)

  4. Enable BitLocker with a password:
    manage-bde -on C: -pw

  5. Create a password; you won't see anything while you type it.

    (Screenshot: Enable BitLocker on the C: drive and create a password)

  6. Restart the virtual machine; it will ask for your BitLocker password.
  7. Check that your C: drive has BitLocker enabled.
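The steps above as one PowerShell script, added here as an example (it is not code from the original post): it writes the same FVE policy values, turns BitLocker on for C: with a startup password, also adds a recovery password protector, and runs the step 7 check. It assumes an elevated PowerShell inside the VM with the BitLocker module cmdlets available.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell inside the VM.
#Requires -RunAsAdministrator

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Same values as the REG.exe lines in the post: EncryptionMethod 2 = AES-256,
# UseAdvancedStartup/EnableBDEWithNoTPM = allow BitLocker without a TPM,
# UseTPM* = 2 ("allow") for each TPM-based startup option.
$policy = @{
    EncryptionMethod   = 2
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] -PropertyType DWord -Force | Out-Null
}

$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "BitLocker is already on for C: ($($vol.VolumeStatus))"
    return
}

# Prompt for the startup password; nothing is echoed, as with manage-bde -pw.
$pw = Read-Host -AsSecureString -Prompt 'Startup password for C:'

# Equivalent of "manage-bde -on C: -pw", with the encryption method stated explicitly.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -PasswordProtector -Password $pw

# Add a recovery password as well, so a forgotten startup password does not lock the VM out
# ("manage-bde -on C: -pw" alone creates none). Store it somewhere outside the VM.
$rp = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { Write-Host "Recovery password (save it): $($_.RecoveryPassword)" }

# Step 7 of the post as a check: protectors present and encryption progress.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```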


#bitlocker, #windows10

Is this a good way to update ADK 1607 and custom boot image in SCCM?


NOTE: Read this article before you start doing anything:
https://blogs.technet.microsoft.com/enterprisemobility/2016/09/09/configuration-manager-and-the-windows-adk-for-windows-10-version-1607/

I don't know if this is a good way to update ADK 1607 and customize winpe.wim, but this is how I did it. I have not been to any MS events, classes or trainings; honestly, I have been to only one day of SCCM class in my career in IT. So don't trust everything I say. 🙂

PS. If this is not the correct way to do it, please let me know; comments are always welcome.

First: Update ADK 1607

  1. Download ADK 1607 https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit
  2. Uninstall the earlier version of ADK.
  3. Install ADK 1607.
  4. Install to the default path C:\Program Files (x86)\Windows Kits\10\
  5. These are the basic components you must install:
    Deployment Tools, Windows Preinstallation Environment, User State Migration Tool
  6. After ADK 1607 is installed, restart your server.

Second: Custom default winpe.wim

Why do I customize WinPE? Well, I want every boot image I create to have the language, keyboard layout and timezone that suit me; I don't want to mount and unmount my boot image each time. (I am lazy.)

  1. Create a folder C:\WIM
  2. Create a folder C:\WIM\Mount
  3. Copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" to C:\WIM
  4. Rename "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim" to winpe.wim.bak
  5. Run Deployment and Imaging Tools Environment as administrator.
  6. Modify, copy and paste the dism lines that suit you, and run them (the Deployment and Imaging Tools Environment is a cmd prompt, so the comment lines use REM):
    REM Mount winpe.wim to the C:\WIM\Mount folder
    dism /mount-wim /wimfile:C:\wim\winpe.wim /mountdir:c:\wim\mount /index:1
    REM Set your timezone; in my case I use "FLE Standard Time"
    dism /image:C:\wim\mount /Set-TimeZone:"FLE Standard Time"
    REM (Optional) If you use a language other than English, set the WinPE environment locale with these. In my case it is fi-FI
    dism /image:C:\wim\mount /Set-SysLocale:fi-FI
    dism /image:C:\wim\mount /Set-UserLocale:fi-FI
    dism /image:C:\wim\mount /Set-InputLocale:fi-FI

  7. Create a new file named smsts.ini in the C:\WIM folder.
  8. Copy and paste these lines into the smsts.ini file and save it:
    [Logging]
    LOGLEVEL=0
    LOGMAXSIZE=5242880
    LOGMAXHISTORY=3
    DEBUGLOGGING=1
    CCMDEBUGLOGGING=1

  9. Copy the smsts.ini file to C:\WIM\Mount\Windows
  10. (Optional) Add the Active Directory module if you need it. Mick Pletcher has a blog post about it. Read here
  11. (Optional) Add the Dell Command PowerShell Provider. Read here
  12. Unmount and save the winpe.wim:
    REM Unmount and commit changes
    dism /unmount-wim /mountdir:c:\wim\mount /commit

  13. Copy C:\WIM\winpe.wim to "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\"
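The winpe.wim customization above as one PowerShell script, added here as an example (not code from the original post): it runs the same dism steps and writes the same smsts.ini, but checks every dism exit code and discards the mount if anything fails, so you never end up with a half-modified image or a stuck mount folder. It assumes the ADK 1607 default install path; $Arch, $Locale and $TimeZone are the post's values and are meant to be changed.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
#Requires -RunAsAdministrator
$Arch     = 'amd64'               # run again with 'x86' for 32-bit boot images
$Locale   = 'fi-FI'               # your language, or drop the locale loop if English is fine
$TimeZone = 'FLE Standard Time'
$Work     = 'C:\WIM'
$ErrorActionPreference = 'Stop'

$adkPe  = "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\$Arch\en-us"
$source = Join-Path $adkPe 'winpe.wim'
$wim    = Join-Path $Work "winpe_$Arch.wim"
$mount  = Join-Path $Work "Mount_$Arch"

function Invoke-Dism([string[]]$DismArgs) {
    # Run dism.exe and stop on a non-zero exit code instead of carrying on silently.
    & dism.exe @DismArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dism $($DismArgs[0]) failed with exit code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Path $Work, $mount -Force | Out-Null
if (-not (Test-Path "$source.bak")) { Copy-Item $source "$source.bak" }   # keep the ADK original
Copy-Item $source $wim -Force

$mounted = $false
try {
    Invoke-Dism '/Mount-Wim', "/WimFile:$wim", "/MountDir:$mount", '/Index:1'
    $mounted = $true
    Invoke-Dism "/Image:$mount", "/Set-TimeZone:$TimeZone"
    foreach ($opt in 'SysLocale', 'UserLocale', 'InputLocale') {
        Invoke-Dism "/Image:$mount", "/Set-${opt}:$Locale"
    }
    # smsts.ini from the post, written straight into the mounted image's Windows folder.
    @"
[Logging]
LOGLEVEL=0
LOGMAXSIZE=5242880
LOGMAXHISTORY=3
DEBUGLOGGING=1
CCMDEBUGLOGGING=1
"@ | Set-Content -Path (Join-Path $mount 'Windows\smsts.ini') -Encoding ASCII
    Invoke-Dism '/Unmount-Wim', "/MountDir:$mount", '/Commit'
    $mounted = $false
    Copy-Item $wim $source -Force   # put the customised image back where the ADK expects it
}
finally {
    # On any failure, discard the mount so the image and mount folder are left clean.
    if ($mounted) { & dism.exe /Unmount-Wim /MountDir:$mount /Discard | Out-Null }
}
```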

NOTE: Repeat the winpe.wim customization steps above for the x86 winpe.wim if you deploy 32-bit machines.

Third: Update OSD boot image for SCCM

Use the script https://gallery.technet.microsoft.com/RegenerateBootImageWinPE10-f508f1e4

NOTE: Read the instructions on how to use this script. It will update your older version of the OSD boot image to the newest version, but it doesn't update your custom-made boot image, for example an MDT boot image.

At last: Create/Update custom boot image

If you are using a custom-made boot image, for example an MDT boot image, you will need to recreate it. You can use this script to reimport your drivers from your older boot image. Download here.

NOTE: When I tested this script, I noticed that the script itself is just a function; you can either use Import-Module to import this script and then run it, or you can use my modified script. Download here


#adk, #osd, #sccm

Add/Remove computers to/from AD Group based on OU changes

NOTE: I moved to http://www.thesccm.com

This has nothing to do with SCCM. For a special reason, I just needed a way to add computers to an AD group based on their OU.

For example, you have created different OUs named after the city your computers are in, and you also want to add those computers to an AD group based on the city, and remove them from that group when they are moved to another city's OU.

So here is the shorter version of the script I came up with:

$OU = "OU=Helsinki,OU=Computers,DC=Z-IT,DC=com"
$Group = "CN=Helsinki Computers,OU=Groups,DC=Z-IT,DC=com"

#Example City Helsinki
#Remove from group: members whose DN no longer contains the Helsinki OU
#(-NotMatch is a regex match, so the OU DN is escaped to be safe)
Get-ADGroupMember -Identity $Group | Where-Object { $_.distinguishedName -NotMatch [regex]::Escape($OU) } | ForEach-Object {
         Remove-ADGroupMember $Group -Members $_.DistinguishedName -Confirm:$false
}

#Add to group: computers directly in the OU that are not members yet
Get-ADComputer -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!memberOf=$Group)" | ForEach-Object {
         Add-ADGroupMember $Group -Members $_.DistinguishedName
}
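The same OU-to-group sync generalized to several cities, added here as an example (not the post's own script): it compares each computer's parent OU exactly instead of with a regex -NotMatch, only touches computer objects in the group, and supports -WhatIf for a dry run. The Tampere OU and group DNs are constructed sample values in the post's domain.

```powershell
# Added example, not from the original post. Dry run: .\Sync-CityGroups.ps1 -WhatIf
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param()

# OU DN -> group DN. Helsinki is from the post; Tampere is a constructed sample.
$map = @{
    'OU=Helsinki,OU=Computers,DC=Z-IT,DC=com' = 'CN=Helsinki Computers,OU=Groups,DC=Z-IT,DC=com'
    'OU=Tampere,OU=Computers,DC=Z-IT,DC=com'  = 'CN=Tampere Computers,OU=Groups,DC=Z-IT,DC=com'
}

function Get-ParentDn([string]$Dn) {
    # Parent container of a DN: everything after the first unescaped comma.
    ($Dn -split '(?<!\\),', 2)[1]
}

foreach ($ou in $map.Keys) {
    $group = $map[$ou]
    # Computers that should be members: those directly in the OU (OneLevel, as in the post).
    $wanted  = Get-ADComputer -SearchBase $ou -SearchScope OneLevel -Filter * |
               Select-Object -ExpandProperty DistinguishedName
    # Current computer members of the group (users or nested groups are left alone).
    $current = Get-ADGroupMember -Identity $group |
               Where-Object objectClass -eq 'computer' |
               Select-Object -ExpandProperty distinguishedName

    # Remove members whose parent OU is no longer this OU (moved to another city).
    foreach ($dn in $current) {
        if ((Get-ParentDn $dn) -ne $ou -and $PSCmdlet.ShouldProcess($dn, "Remove from $group")) {
            Remove-ADGroupMember -Identity $group -Members $dn -Confirm:$false
        }
    }
    # Add computers in the OU that are not members yet.
    foreach ($dn in $wanted) {
        if ($current -notcontains $dn -and $PSCmdlet.ShouldProcess($dn, "Add to $group")) {
            Add-ADGroupMember -Identity $group -Members $dn
        }
    }
}
```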

Here is the longer version, which writes a log file and sends the log file to your email.
Download Link: Click here

#ad, #powershell

SCCM Search Tool (beta)

I had been thinking of making a new tool, but didn't know what to make. Finally, on Friday I made up my mind to make an SCCM search tool. Some time ago when we were troubleshooting and reading SCCM log files, we had no idea what those long numbers meant, for example: 674ab-eec5-40e1-a5f2-9. 😀

You need the Admin Console installed and a connection to the SCCM server before you run the tool.

This is just a beta, so it doesn't search everything. And please don't use too-short search keywords. 😀

I will continue to make it better when I have time.

Download from TechNet Gallery:  Click here

Updates: 22.9.2016. Added Software Updates search.


#sccm

All components Type and Availability shows “Unknown”. Failed to read the required Operations Management component registry key values on local computer; error = 6 (0x6).

This morning, I noticed that on our SCCM primary server, all components' Type and Availability showed "Unknown".

After a while, "Type" and "Availability" showed correctly, but about 60 minutes later they showed "Unknown" again, and it kept changing back and forth. We rebooted the server, but it didn't help.

Investigating further, I saw that the compmon.log on the site server displayed the following errors:

"Failed to read the required Operations Management component registry key values on local computer; error 6 (0x6)"

And about every hour it repeatedly tried to add all the components to the monitored component list again.

I found this post describing the same kind of issue http://sccmstuff.com/troubleshooting/compmon-log-errors-6-0x6/ , so I started checking our registry and found our problem key:

HKLM\Software\Microsoft\SMS\Operations Manager\Components\SMS_NETWORK_DISCOVERY

This registry key was empty, unlike the other component registry keys. I remember we tested using Network Discovery to create boundaries automatically, but later we decided not to use Network Discovery and deselected it. It seems the component's registry key was left behind.

I made a backup of the Components registry key, deleted the SMS_NETWORK_DISCOVERY key, and restarted the SMS_EXECUTIVE service. The log is now clear of errors; it no longer tries to add those components to the monitored list, and all components show their status correctly.
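A read-only check for the condition found above, added here as an example (not from the original post): it lists every subkey under the Components key and flags those that carry no values, as SMS_NETWORK_DISCOVERY did, and exports a backup of the key before you decide what to delete. The post writes the parent key as "Operations Manager" while the logged error says "Operations Management", so the script tries both spellings.

```powershell
# Added example, not from the original post. Run on the site server as an administrator.
$base = 'HKLM:\SOFTWARE\Microsoft\SMS'
$path = "$base\Operations Management\Components", "$base\Operations Manager\Components" |
        Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $path) { throw "No Components key found under $base" }

function Get-ComponentKeyReport([string]$ComponentsPath) {
    # One row per component subkey; ValueCount/SubKeyCount come from the RegistryKey object.
    Get-ChildItem -Path $ComponentsPath | ForEach-Object {
        [pscustomobject]@{
            Component  = $_.PSChildName
            ValueCount = $_.ValueCount
            SubKeys    = $_.SubKeyCount
            Empty      = ($_.ValueCount -eq 0 -and $_.SubKeyCount -eq 0)
        }
    }
}

$report = Get-ComponentKeyReport $path
$report | Sort-Object Empty -Descending | Format-Table -AutoSize

$empty = $report | Where-Object Empty
if ($empty) {
    # Export the whole Components key before touching anything, as the post did.
    $backup = Join-Path $env:TEMP 'SMS_Components_backup.reg'
    & reg.exe export ($path -replace '^HKLM:\\', 'HKLM\') $backup /y | Out-Null
    Write-Warning "Empty component key(s): $($empty.Component -join ', '). Backup written to $backup; review before deleting anything."
}
```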

#sccm, #troubleshooting

SCCM 1606 BUG? 32-bit process Powershell detection method doesn’t work

As you know, you can use a PowerShell detection method when you create an Application in SCCM.

Usually I use this script, and it has been working for many years:

# Win32Reg_AddRemovePrograms is the ConfigMgr client's WMI view of Add/Remove Programs
$app = Get-WmiObject Win32Reg_AddRemovePrograms | Where-Object { $_.DisplayName -like "Your Application name" }
if ($app -ne $null) {
    # Any output on STDOUT tells the client the application is installed
    Write-Host Installed
}

I chose "Run script as 32-bit process on 64-bit clients", because the clients are 64-bit Windows 10 machines and my application is 32-bit.

As usual, I tested the detection script on my machine, which already has the application installed. Run the script in ISE (x86) and it gives you "Installed"; run it in ISE (x64) and it gives you nothing.

Yesterday, users complained that software was trying to install again and again, and I started to check what was going on.

I checked "C:\Windows\CCM\Logs\AppDiscovery.log" on a few machines; applications using this 32-bit PowerShell detection method gave the result "not detected", although the applications were installed.

No one had changed those applications' detection methods, so I wondered what went wrong.

In the end, I found that the "Run script as 32-bit process on 64-bit clients" PowerShell detection method stopped working right after the machines updated to SCCM client 1606, 5.00.8412.1007, based on the timestamps of ccmsetup.log and AppDiscovery.log.

I have tested a few more applications, with the same results.
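A detection script that does not depend on the process bitness, added here as an example (not from the original post): instead of the Win32Reg_AddRemovePrograms WMI class, it opens the 64-bit and 32-bit Uninstall registry views explicitly, so the result is the same whether the client runs it as a 32-bit or a 64-bit process and the "Run script as 32-bit process" option no longer matters. $DisplayName is a placeholder for your application's Add/Remove Programs name.

```powershell
# Added example, not from the original post. Paste as the PowerShell detection method;
# replace the placeholder DisplayName with the application's Add/Remove Programs name.
$DisplayName = 'Your Application name'

function Test-InstalledInBothViews {
    param([string]$Name)
    $subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($view in [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32) {
        # OpenBaseKey with an explicit view bypasses WOW64 redirection for this process,
        # so a 32-bit host still sees the 64-bit view and vice versa.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $uninstall = $hklm.OpenSubKey($subKey)
        if (-not $uninstall) { continue }
        foreach ($keyName in $uninstall.GetSubKeyNames()) {
            $app = $uninstall.OpenSubKey($keyName)
            if ($app.GetValue('DisplayName') -eq $Name) {
                return [pscustomobject]@{ View = $view; Key = $keyName; Version = $app.GetValue('DisplayVersion') }
            }
        }
    }
    return $null
}

$found = Test-InstalledInBothViews -Name $DisplayName
if ($found) {
    # Output on STDOUT with exit code 0 and nothing on STDERR means "installed" to the client.
    Write-Host "Installed ($($found.View) view, version $($found.Version))"
}
```

Running it in ISE (x86) and ISE (x64) on a machine with the application installed should now print "Installed" in both, which is the quick check the post describes.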


#application, #sccm, #troubleshooting