The Deployment Bunny

OS Deployment, Virtualization, Microsoft based Infrastructure...

OS Deployment – Allow PXE deployment to the same MAC address by configuring SMS_DISCOVERY_DATA_MANAGER in ConfigMgr, or how to deploy Windows to shared docking stations and USB network adapters

Fri, 01/29/2016 - 05:27

This is very simple. When you deploy a device using PXE, ConfigMgr records the MAC address of the network adapter in the client record. When a docking station or USB network adapter is shared, the next device that PXE boots through it presents the same MAC address, matches the existing client record and is therefore not seen as a new (unknown) computer, so the deployment is not offered to it. The adapter cannot be used for another deployment until a hardware inventory has run on the first machine after it has been removed from the docking station (or similar) and the MAC address is no longer associated with it.

The fix:
  • On the primary site server, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components\SMS_DISCOVERY_DATA_MANAGER
  • Add a Multi-String value called ExcludeMACAddress
  • Add every shared MAC address to ExcludeMACAddress, one address per line, in the colon-separated form ConfigMgr itself uses (for example 00:15:5D:01:02:03)

Excluded MAC addresses are no longer used to identify those clients, so identification falls back on the SMBIOS GUID; make sure each device you deploy this way still has a unique one.
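As an added example (not from the original post or the linked one), here is how to add the shared adapters to ExcludeMACAddress from an elevated PowerShell prompt on the primary site server without clobbering addresses already in the value. The three MAC addresses are constructed placeholders, deliberately written in different vendor notations to show the normalization to the colon-separated form.

```powershell
# Added example: register shared docking-station / USB NIC MAC addresses in ExcludeMACAddress.
# Run elevated on the primary site server. The three MACs below are made-up placeholders.
$Path = 'HKLM:\SOFTWARE\Microsoft\SMS\Components\SMS_DISCOVERY_DATA_MANAGER'
$Name = 'ExcludeMACAddress'
$SharedAdapters = @('00-15-5D-01-02-03', '0015.5D01.0204', '00:15:5d:01:02:05')

function ConvertTo-SmsMacAddress {
    # Accepts 00-15-5D-..., 0015.5D01...., 00155D... or 00:15:5d:... and returns 00:15:5D:01:02:03
    param([Parameter(Mandatory)][string]$MacAddress)
    $hex = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "'$MacAddress' is not a 48-bit MAC address" }
    return ((0..5 | ForEach-Object { $hex.Substring($_ * 2, 2) }) -join ':')
}

if (-not (Test-Path -Path $Path)) {
    throw "$Path not found: this does not look like a ConfigMgr primary site server."
}

# Merge with whatever is already excluded, so a second run (or a second docking model) adds rather than replaces
$current = @((Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name)
$wanted  = $SharedAdapters | ForEach-Object { ConvertTo-SmsMacAddress -MacAddress $_ }
$merged  = [string[]]@(@($current) + @($wanted) | Where-Object { $_ } | Sort-Object -Unique)

if ($null -eq (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)) {
    # The value must be REG_MULTI_SZ; a REG_SZ with the same name is not what the component expects
    New-ItemProperty -Path $Path -Name $Name -PropertyType MultiString -Value $merged | Out-Null
} else {
    Set-ItemProperty -Path $Path -Name $Name -Value $merged
}

# Verify: this is the list the Discovery Data Manager will ignore from now on
(Get-ItemProperty -Path $Path -Name $Name).$Name
```

Keep the list in source control or documented somewhere: six months later nobody remembers why a particular adapter never shows up in inventory.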

For the complete story I strongly recommend reading the following post:

http://blogs.technet.com/b/system_center_configuration_manager_operating_system_deployment_support_blog/archive/2015/08/27/re_2d00_use-the-same-nic-for-multiple-pxe-initiated-deployments.aspx

/mike


Categories: MDT

Working in the Datacenter – Enable Virtual TPM in Hyper-V gives you the ability to test BitLocker in a VM

Tue, 01/26/2016 - 01:24

Last night a friend contacted me and said “Did you ever post the vTPM thing?”. I said yes, but I was wrong, so here it is…

Simple: without testing and verification, a deployment solution will fail. One of the tasks that takes a lot of time to test and verify is BitLocker, and that includes the TPM. Windows 10 and Windows Server 2016 give you the ability to create virtual machines with a virtual TPM 2.0 chip.


A VM running Windows Server 2012 R2 with a vTPM chip. The VM is running on Windows Server 2016.

The How-To Part

You need to run Windows Server 2016 TP4 or Windows 10 on the host, and the VM must be a Generation 2 VM.

On the host, add Isolated User Mode, Hyper-V and the Host Guardian Hyper-V Support feature by running the following PowerShell command (elevated). Add-WindowsFeature is the Windows Server cmdlet; on a Windows 10 host use Enable-WindowsOptionalFeature -Online with the corresponding optional features instead.

Add-WindowsFeature -Name "Isolated-UserMode","Hyper-V","HostGuardian" -IncludeAllSubFeature -IncludeManagementTools

If needed, restart the host.

Before you can enable the vTPM you need a Host Guardian Service guardian object, and with that you can create a Key Protector. The -AllowUntrustedRoot switch accepts the self-signed certificates that -GenerateCertificates created; that is fine for a lab, but it is not how shielded VMs are protected in production.

New-HgsGuardian -Name 'Guardian' -GenerateCertificates
$Owner = Get-HgsGuardian -Name 'Guardian'
$KeyProtector = New-HgsKeyProtector -Guardian $Owner -Owner $Owner -AllowUntrustedRoot

Great, the last piece is to enable the vTPM. The VM must be turned off while you change the key protector:

Set-VMKeyProtector -VMName 'WSUS01' -KeyProtector $KeyProtector.RawData
Enable-VMTPM -VMName 'WSUS01'
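The one-liners above work on a fresh host; as an added example (not the author's code), here is the same procedure with the checks you want when you run it more than once: generation check, the VM stopped first, the guardian reused instead of re-created, and the result read back with Get-VMSecurity. The VM and guardian names are placeholders.

```powershell
# Added example: enable a vTPM on a lab VM with the checks the one-liners leave out.
# Assumes a Windows Server 2016 host with the Hyper-V, Isolated-UserMode and HostGuardian
# features installed; VM and guardian names are placeholders.
param(
    [string]$VMName       = 'WSUS01',
    [string]$GuardianName = 'Guardian'
)

$vm = Get-VM -Name $VMName -ErrorAction Stop
if ($vm.Generation -ne 2) {
    throw "$VMName is a generation $($vm.Generation) VM; a vTPM requires generation 2."
}

# The key protector can only be changed while the VM is off
if ($vm.State -ne 'Off') {
    Write-Verbose "Shutting down $VMName"
    Stop-VM -Name $VMName -Force
}

# Reuse the guardian if an earlier run created it: its certificates are what protect the vTPM state,
# and a second guardian with the same name would not be able to unlock VMs sealed with the first
$owner = Get-HgsGuardian -Name $GuardianName -ErrorAction SilentlyContinue
if (-not $owner) {
    $owner = New-HgsGuardian -Name $GuardianName -GenerateCertificates
}

# -AllowUntrustedRoot accepts the self-signed guardian certificates (lab only)
$keyProtector = New-HgsKeyProtector -Owner $owner -AllowUntrustedRoot
Set-VMKeyProtector -VMName $VMName -KeyProtector $keyProtector.RawData
Enable-VMTPM -VMName $VMName

# Verify before booting the guest and testing BitLocker
$security = Get-VMSecurity -VMName $VMName
if (-not $security.TpmEnabled) { throw "vTPM is still disabled on $VMName" }
$security | Select-Object TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic
```

One caveat worth knowing before you BitLocker the guest: the guardian's private keys live in the host's Shielded VM Local Certificates store (Local Machine). A VM whose vTPM is protected by this key protector can only start on a host that has those keys, and BitLocker keys sealed to the vTPM go with it. Back the certificates up before you rely on the VM.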

/Mike


Categories: MDT

Deployment Fundamentals, Vol. 6: Deploying Windows 10 Using Microsoft Deployment Toolkit (and some PowerShell)

Wed, 01/06/2016 - 03:54

Yes, the book is finally done and it is up on Amazon. Like all the others it is a build-while-you-read book, and it includes a complete set of PowerShell scripts that will build your entire lab environment (the scripts have been changed so they are easier to use at customer sites or in other test/lab environments if needed). As the title suggests, the focus of the book is deploying Windows 10 using MDT and LiteTouch. The versions we used in the book are Windows 10 1511, MDT 2013 Update 2 and the new ADK. It has been hard work and late nights, but darn, I still love writing books… You can find the book on Amazon.com as well as other sites. Oh, by the way, the book also includes a complete hydration kit that uses MDT and PowerShell to build your complete lab environment.

Happy reading and deploying

/mike


Categories: MDT

OS Deployment – Creating a reference Image with Windows Server 2008 R2 Core could fail

Mon, 12/28/2015 - 07:21
The Issue:

There is an issue with KB3106614: it should not be installed at all on a Windows Server 2008 R2 Server Core installation. That patch is a security update for Silverlight, which has nothing to do with Server Core (there is no Silverlight there to update), yet Windows Update offers it, and this is what happens:


The never ending install of KB3106614 in Windows Server 2008 R2 Core.

The Solution:

We cannot change the applicability rules of the patch (which in this case are obviously incorrect), but we can prevent the Windows Update step in LiteTouch from installing it by excluding the KB with the WUMU_ExcludeKB property. It is also possible to set this in CustomSettings.ini, but that would block the update for every operating system you deploy from that share. So, IMHO, for reference image creation the easiest way is to set it in the task sequence: add a Set Task Sequence Variable step before the Windows Update steps, with the name in MDT's numbered list form (WUMU_ExcludeKB001) and the value 3106614.


Prevent the patch from ever being installed using WUMU_ExcludeKB.

/mike


Categories: MDT

Looking in the Mirror – The most viewed posts during 2015

Sun, 12/27/2015 - 10:51

Kind of fun: when I write a post I have no idea if it is going to be a “hit” or a total fail, but here they are, the posts that had the most views during 2015:

Number 1

Number 2

Number 3

Number 4

Number 5

Number 6

Number 7

Number 8

Number 9

/mike


Categories: MDT

OS Deployment in the real world – I really need a KMS key, but I cannot find it on the VLSC site?

Fri, 12/18/2015 - 09:48

No KMS key in the VLSC for Windows 10 for Open License???

Turns out to be correct: you need to request it, since MAK keys are now “preferred” for Open License. It is possible to order one:

– Call: PA Call Center

– Email: KMSADD

There is ONE blog that I have found that explains this: http://www.neighborgeek.net/2015/08/no-kms-key-in-vlsc-for-windows-10-for.html

So, all credit goes to Steve Whitcher

/Mike


Categories: MDT

Working in the Datacenter – Add-VMDvdDrive does not work correctly in Windows Server 2016 TP4 (or in Windows 10)

Thu, 12/17/2015 - 08:21

It seems to be a bug; hopefully it will be fixed soon. The issue is very simple: if you run Add-VMDvdDrive, -Path must now be specified, whereas in previous versions it could be left out. The problem is more common when you create Generation 2 VMs, since they do not have a DVD drive by default, and yes, when we build VMs they usually get an empty DVD drive for various reasons. According to the cmdlet help there is no difference between module versions 1.1 and 2.0, but in reality there is.

The Issue

The problem is that the command Add-VMDvdDrive -VMName $VMName fails with Add-VMDvdDrive : Exception of type 'System.ArgumentException' was thrown, because it has no path. I have seen workarounds where you create a small ISO, mount that and then remove it again, but that sucks. There are some other issues as well.


The issue.

The Workaround

Luckily there are two different PowerShell modules, 1.1 for older operating systems and 2.0 for Windows 10 / Windows Server 2016 TP4, so the only thing you need to do is unload the new Hyper-V PowerShell module, load the old one, and when you are done load the new module again.

(If you would like to know why there are two versions, here you go: http://blogs.msdn.com/b/virtual_pc_guy/archive/2015/11/16/why-are-there-two-hyper-v-powershell-modules-in-windows-10.aspx)


We run this in the beginning of the script to replace the module.


We run this in the end of the script to restore the module.
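The two screenshots above are not reproduced here; as an added example (not the author's script from GitHub), this is the same swap wrapped in a function so that the 2.0 module always comes back, even when the body fails halfway. It assumes Windows 10 or Windows Server 2016 TP4, where both module versions ship side by side; the VM name is a placeholder.

```powershell
# Added example: run a script block against the Hyper-V 1.1 module and restore whatever version
# was loaded before, even if the block throws. Assumes both module versions are present (Windows 10 /
# Windows Server 2016 TP4).
function Invoke-WithHyperV11 {
    param([Parameter(Mandatory)][scriptblock]$ScriptBlock)

    $previous = (Get-Module -Name Hyper-V).Version   # $null if no Hyper-V module was loaded yet
    try {
        Remove-Module -Name Hyper-V -ErrorAction SilentlyContinue
        Import-Module -Name Hyper-V -RequiredVersion 1.1 -ErrorAction Stop
        & $ScriptBlock
    }
    finally {
        # Put the session back the way it was; the 1.1 module knows nothing about vTPM, nested virtualization, etc.
        Remove-Module -Name Hyper-V -ErrorAction SilentlyContinue
        if ($previous) {
            Import-Module -Name Hyper-V -RequiredVersion $previous
        } else {
            Import-Module -Name Hyper-V
        }
    }
}

# Usage: add an empty DVD drive to a generation 2 VM, which the 2.0 module rejects without -Path
Invoke-WithHyperV11 {
    Add-VMDvdDrive -VMName 'TEST100'
    Get-VMDvdDrive -VMName 'TEST100' | Select-Object VMName, ControllerNumber, ControllerLocation, Path
}

# Confirm the new module is back before calling anything that only exists in 2.0
(Get-Module -Name Hyper-V).Version
```

Keep the 1.1 window as short as possible: every cmdlet you run inside the block is the old implementation, not just Add-VMDvdDrive.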

/mike

Here is the code on GitHub


Categories: MDT

Working in the Datacenter – Creating a Reference Image of Windows Server 2016 TP4

Tue, 12/01/2015 - 19:42

Yes, you really need a reference image; if not today, you will need it later. If you just deploy VMs in an isolated environment, well, in that case you might not, but for me testing is all about “non-Contoso” testing. What I mean is that I really need to play/test/learn how to run Windows Server 2016 in VMs, as a Hyper-V host, with vendor software (from Dell, HP and such), so here it is: a step-by-step guide to creating a reference image for Windows Server 2016 TP4. There is a detailed description of how to create a reference image for Windows 10 on TechNet: https://technet.microsoft.com/en-us/library/mt297533(v=vs.85).aspx

If MDT 2013 Update 1 is not installed:

Download and Install the following:

ADK 10 – http://go.microsoft.com/fwlink/p/?LinkId=526740

MDT 2013 Update 1 – https://www.microsoft.com/en-us/download/details.aspx?id=48595

I usually have a dedicated “image factory” server/machine, but you can do this on basically any Windows computer running Windows 7 or above. If you are looking for an image factory, here is the story: http://deploymentbunny.com/2014/01/06/powershell-is-king-building-a-reference-image-factory/

If MDT 2013 Update 1 is already installed:

Download the following:

Windows Server 2016 Technical Preview 4 – https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview

Visual C++ runtimes – http://deploymentbunny.com/2014/08/05/powershell-is-king-download-all-vc-runtimes-using-a-script/

Configure MDT

Mount the ISO and import the Operating System.

Import the VC++ runtimes as applications – http://deploymentbunny.com/2014/09/25/nice-to-havevb-script-wrapper-for-all-vc-installers-to-be-used-in-mdt/

Create a new Task Sequence for Windows Server 2016 Technical Preview 4 and make the following modifications:

Add the product key

The product key is located on the media in \Sources\pid.txt (it works with the Datacenter edition, NOT Standard; don’t use Standard for TP4).

Disable the Maps Broker

This step is actually an application that runs a PowerShell script to disable the service. The reason for using a script is that it is easy to open the script, modify it, set conditions and similar things, so I don’t need to modify the task sequence when a change is needed. You can download the script here: https://github.com/DeploymentBunny/Files/blob/master/Tools/Configure%20-%20Disable%20Services%20for%20Windows%20Server/Configure-DisableServicesforWindowsServer.ps1

You then need to create an application in the workbench with the following settings:

Quiet Install Command: PowerShell.exe -ExecutionPolicy Bypass -File Configure-DisableServicesforWindowsServer.ps1

The service currently makes no sense on a server with a UI and it does not start at all, so instead of having an error in Server Manager I’d rather disable it. Of course you can disable the service in any other way, but I don’t like having a long list of disable commands in the task sequence.
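As an added example (not the script linked above), here is what a disable-services script for an MDT application step should look like if you want it to be safe to re-run and honest about failures: it skips services that do not exist on the SKU, reads the start mode back instead of trusting the cmdlet, and returns a non-zero exit code the task sequence can see. MapsBroker is the Downloaded Maps Manager service the post is about; anything else you put in the list is your call.

```powershell
# Added example: disable a list of services idempotently from an MDT application step.
# Exit code 0 = all done, 1 = at least one service could not be disabled.
param(
    [string[]]$ServiceNames = @('MapsBroker')   # Downloaded Maps Manager: no use on a server
)

$failed = 0
foreach ($name in $ServiceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Not installed on this SKU (e.g. Server Core): nothing to do, and not an error
        Write-Output "Service '$name' not present, skipping"
        continue
    }
    try {
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force -ErrorAction Stop
        }
        Set-Service -Name $name -StartupType Disabled -ErrorAction Stop

        # Read the start mode back from the SCM rather than trusting the cmdlet's silence
        $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartMode
        if ($startMode -ne 'Disabled') { throw "start mode is still '$startMode'" }
        Write-Output "Service '$name' stopped and disabled"
    }
    catch {
        Write-Output "Service '$name' could not be disabled: $($_.Exception.Message)"
        $failed++
    }
}

exit $(if ($failed -gt 0) { 1 } else { 0 })
```

Because the script exits non-zero on failure, the application step in the task sequence fails visibly instead of leaving a half-configured image; if you prefer the step to continue, add 1 to the application's success codes.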

Add .NET Framework 3.5.1 (includes 2.0)

A massive number of server applications, toolkits and drivers require the .NET Framework.

Add VC++ runtimes

At the beginning of the post I explained how to download all the VC++ runtimes and how to import an application that installs all of them.

Basically every agent ever invented is written in C++ (or so it seems).

Cleanup before SysPrep

Currently the savings are not that great, but as a best practice I always try to make the image as small as possible so it deploys fast.

The story is here: http://deploymentbunny.com/2014/06/05/nice-to-know-get-rid-of-all-junk-before-sysprep-and-capture-when-creating-a-reference-image-in-mdt/

Add Updates

You can add updates by downloading them from http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3118754. This works when the number of updates is small and the update is a .CAB file, but you should configure MDT to use a WSUS server in CustomSettings.ini by adding the WSUSServer property to the [Default] section (for example WSUSServer=http://wsus01:8530, where wsus01 is a placeholder for your server).

/Mike


Categories: MDT

OSD Deployment – Deploying Intel NUC and getting drivers and settings assigned using AliasUserExit.vbs – converting Product into %ModelAlias%

Tue, 11/24/2015 - 01:47

I have been deploying the small and cool Intel NUCs for a long time. They have just one problem; it is a small problem, but…

There is no Make/Model; actually, the entire SMBIOS is empty, and that makes it a bit hard to figure out what model we are deploying and therefore what drivers need to be deployed. Some older NUCs could have the values set.

This is what we get from PowerShell for Win32_ComputerSystem, Win32_ComputerSystemProduct, Win32_BIOS and Win32_BaseBoard:

As you can see, Make and Model are kind of “nothing”, but SMBIOSBIOSVersion is RYBDWi35.86A.0350.2015.0812.1722, which is basically the name of the motherboard. Slightly better: why don’t we use Win32_BaseBoard and grab Product? That seems to be the perfect match here. And hold it… Win32_BaseBoard is already inventoried by the ZTIGather process (as the Product property), so the only thing we need to do is set ModelAlias to Product. That seems pretty easy…

The “old” AliasUserExit to the rescue (once more)

The AliasUserExit script runs as part of the ZTIGather process in MDT/ConfigMgr. This script has a section for models where Make is either “Intel” or “”; in that case we grab Product from the gather process and store it in %ModelAlias%.

The script can be found here: http://1drv.ms/1OdlmnW, and the VBScript itself explains how to use it.

Verify that it works:

Running cscript ZTIGather.wsf /inifile:Customsettings.ini we get this on a DN2820FYK.
Note: In this case someone manually added/modified the SMBIOS using the Intel toolkit to say that the Model is DN2820FYKH, but it is actually a DN2820FYK.

Running cscript ZTIGather.wsf /inifile:Customsettings.ini we get this on a NUC5i7RYB.
Note: In this case the BIOS is “normal”, that is, it is totally blank.

Running cscript ZTIGather.wsf /inifile:Customsettings.ini we get this on a D53427RKE.
Note: In this case the BIOS does contain values; older NUCs could have them set.
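As an added example (not the AliasUserExit.vbs from the post), here is the same decision in PowerShell, so you can check on a machine what value a [%ModelAlias%] section in CustomSettings.ini would have to be named, and dry-run the logic for a machine you do not have in front of you. It reads the same WMI classes ZTIGather reads; the dry-run values below are constructed to match the three cases in the post.

```powershell
# Added example: compute ModelAlias the way the post describes (fall back to the baseboard Product
# when Make is 'Intel' or blank). Defaults come from WMI; pass values to dry-run the logic.
function Get-ModelAlias {
    param(
        [string]$Make    = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer,
        [string]$Model   = (Get-CimInstance -ClassName Win32_ComputerSystem).Model,
        [string]$Product = (Get-CimInstance -ClassName Win32_BaseBoard).Product
    )
    $make  = ('' + $Make).Trim()
    $model = ('' + $Model).Trim()

    # Intel NUCs report an empty or 'Intel' make and usually an empty model; the board product is the real model
    $alias = if ($make -eq '' -or $make -eq 'Intel' -or $model -eq '') {
        ('' + $Product).Trim()
    } else {
        $model
    }

    [pscustomobject]@{
        Make       = $make
        Model      = $model
        Product    = ('' + $Product).Trim()
        ModelAlias = $alias
    }
}

# Live values from the machine you run this on
Get-ModelAlias | Format-List

# Constructed dry runs for the three cases described in the post
Get-ModelAlias -Make ''          -Model ''               -Product 'NUC5i7RYB'   # blank SMBIOS
Get-ModelAlias -Make 'Intel'     -Model 'DN2820FYKH'     -Product 'DN2820FYK'   # SMBIOS edited by hand
Get-ModelAlias -Make 'Dell Inc.' -Model 'Latitude E7450' -Product '0Y8H9Y'      # a normal PC keeps its Model
```

The last case is the one to keep an eye on: on non-Intel hardware the baseboard Product is usually a part number, which is why the fallback is limited to Intel or blank makes.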
Categories: MDT

Working in a Datacenter – Nested Hyper-V or Running Hyper-V in Hyper-V

Sat, 11/21/2015 - 09:12

There are many reasons why it makes sense to run Hyper-V in Hyper-V, one of them being to test Credential Guard (VSM) in Windows Server 2016 TP4 and later. For training, demos, test and R&D it is great. In Windows Server 2016 TP4 nested virtualization needs to be enabled and configured to work, and that means PowerShell. Currently there are also some limitations.

On the Host:

  • Device Guard: Disabled
  • Credential Guard: Disabled
  • Hyper-V: Enabled
  • Hardware: Intel VT-x
  • Windows version: Build 10565 or greater

 

In the VM:

  • Dynamic Memory: No
  • Changing memory while the VM is running: No
  • Using any kind of checkpoint: No
  • Live Migration: No
  • Save/Resume: No

 

You can read the fine print here: https://msdn.microsoft.com/en-us/virtualization/hyperv_on_windows/user_guide/nesting

The PowerShell Function/Script

This script will enable nested Hyper-V on a VM:

Invoke-WebRequest "https://raw.githubusercontent.com/DeploymentBunny/Files/master/Tools/Enable-NestedHyperV/EnableNestedHyperV.ps1" -OutFile ~/EnableNestedHyperV.ps1
Import-Module ~/EnableNestedHyperV.ps1
Enable-NestedHyperV -VMname TEST100

This script (provided by Microsoft) will verify the configuration:

Invoke-WebRequest "https://raw.githubusercontent.com/Microsoft/Virtualization-Documentation/master/hyperv-tools/Nested/Get-NestedVirtStatus.ps1" -OutFile ~/Get-NestedVirtStatus.ps1
~/Get-NestedVirtStatus.ps1

Both downloads run with your administrative rights on the host, so read them before you import them, and do the same with anything else you pull from a raw GitHub URL.
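As an added example (not the EnableNestedHyperV.ps1 linked above), here is a function that turns the two requirement lists above into checks, then flips the switches nested virtualization in TP4 needs: VT-x exposed to the guest, dynamic memory off and MAC address spoofing on the outer NIC so the nested VMs can reach the network. The VM name is a placeholder.

```powershell
# Added example: enable nested virtualization on a VM and enforce the TP4 limitations up front.
function Test-NestedVirtHost {
    $build = [System.Environment]::OSVersion.Version.Build
    if ($build -lt 10565) { throw "Host build $build is older than 10565" }

    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    if ($cpu.Manufacturer -ne 'GenuineIntel') {
        throw "Nested virtualization in TP4 requires Intel VT-x; host CPU is $($cpu.Manufacturer)"
    }

    # Win32_DeviceGuard lists the VBS services running on the host: 1 = Credential Guard, 2 = HVCI (Device Guard)
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg -and ($dg.SecurityServicesRunning -contains 1 -or $dg.SecurityServicesRunning -contains 2)) {
        throw 'Credential Guard or Device Guard is running on the host; disable them before nesting'
    }
}

function Enable-NestedVirtualization {
    param([Parameter(Mandatory)][string]$VMName)
    Test-NestedVirtHost

    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if ($vm.State -ne 'Off') { throw "$VMName must be off (a saved state is not supported either)" }
    if (Get-VMSnapshot -VMName $VMName) { throw "$VMName has checkpoints; remove them first" }

    # Dynamic memory and runtime memory changes are not supported for a nested host
    Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false
    # Expose VT-x to the guest: this is the actual nesting switch
    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true
    # Nested VMs sit behind the outer VM's NIC, so that NIC must be allowed to send with other MAC addresses
    Get-VMNetworkAdapter -VMName $VMName | Set-VMNetworkAdapter -MacAddressSpoofing On

    [pscustomobject]@{
        VMName                = $VMName
        VirtualizationExposed = (Get-VMProcessor -VMName $VMName).ExposeVirtualizationExtensions
        DynamicMemory         = (Get-VMMemory -VMName $VMName).DynamicMemoryEnabled
        MacSpoofing           = (Get-VMNetworkAdapter -VMName $VMName | Select-Object -ExpandProperty MacAddressSpoofing) -join ','
    }
}

Enable-NestedVirtualization -VMName 'TEST100'
```

The host check deliberately refuses to run when Credential Guard or HVCI is active: with TP4 nesting it is either the host's VBS protection or the nested hypervisor, not both, and silently disabling the former on a production host is not something a lab script should do.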

/mike


Categories: MDT

OS Deployment – Adding a Wizard to control the Task Sequence behavior when you create a Reference Image

Mon, 11/16/2015 - 20:48

If you are in the business of doing reference imaging you want that process to be as automated as possible, but now and then you need to verify that different parts of the task sequence work. Let’s say you need to verify that an application you added to the task sequence gets installed correctly; at that point you don’t really want to run through the entire Windows Update process. Easy fix: you open the task sequence and disable it. But what if you could do something like this instead… A quick note before you begin: this is not supported, since it includes a modification of ZTIConfig.vbs. Credit goes to Keith Garner for explaining how to do that modification. Thanks!

I have done demos on this topic for some time now and I have promised to post this, so for all of you attending MMS in MN, TechDays and other various events, here you have it.

If that is what you want, here it is.

Adding the Suspend Step

The Suspend step is a function that is built into MDT, but you need to add it. After you have done that the task sequence will suspend at that step and you can perform manual tasks, or test and verify that things work as expected. When you are done, just hit the “Resume Task Sequence” icon on the desktop. Extremely useful, but instead of enabling/disabling it by modifying the task sequence, it is nice to have it as a checkbox.

Open your task sequence and browse to State Restore \ Custom Tasks (my folder has been renamed to “Custom Tasks Post WU”) and add a Run Command Line step using the following settings:

  • Name: Suspend
  • Command Line: cscript.exe "%SCRIPTROOT%\LTISuspend.wsf"


The Suspend Step has been added.

Adding Conditions to the Steps.

We need a couple of properties that we can use; let us use SuspendTS, DisableApps and DisableWSUS. Add the following conditions to the following steps in the task sequence. The values look inverted at first (the two “disable” checkboxes carry the value NO), but the logic holds: ticking a box sets its variable to NO, and a step whose condition is “not equals NO” is then skipped; leaving the box unticked leaves the variable empty and the step runs.

For the Windows Update steps, add the following Task Sequence Variable condition.

  • Variable: DisableWSUS
  • Condition: not equals
  • Value: NO


One of the Windows Update steps has the condition set; don’t forget to set it on both.

For the application install group, add the following Task Sequence Variable condition.

  • Variable: DisableApps
  • Condition: not equals
  • Value: NO


The group that installs all the applications has the correct condition set.

For the Suspend step, add the following Task Sequence Variable condition.

  • Variable: SuspendTS
  • Condition: equals
  • Value: YES


The Suspend Step Condition changed according to the list above.

Create an Application Bundle

We need an application bundle. The application bundle will not actually install anything at all; instead it is going to be the placeholder for the HTML code. I recommend that you keep all the “applications” you don’t want to see in a set of folders and this application in another folder, or directly in the root, because this application should be seen so you can “fill out the form”.

Create the Application Bundle using the following settings:

  • Application Type: Application Bundle
  • Application Name: Deployment Settings


The application Bundle has been created in the Config Folder.

Add HTML code to the Application Bundle

Open the application bundle and add the following HTML code to the Comments field:

<table>
<tr>
<td>Enable Suspend Task Sequence</td>
<td><INPUT type="checkbox" Name="SuspendTS" value="YES" /></td>
</tr>
<tr>
<td>Disable  Windows Update</td>
<td><INPUT type="checkbox" Name="DisableWSUS" value="NO" /></td>
</tr>
<tr>
<td>Disable Application Install</td>
<td><INPUT type="checkbox" Name="DisableApps" value="NO" /></td>
</tr>
</table>

Note: Make sure that your " are real " and not the “Word edition”.


HTML has been added to the Comments field.

Enable HTML code to run in the Comments field

Time for the unsupported part. The change you are about to make stops the wizard from encoding the Comments field as text, so the field is rendered as HTML instead. Be aware of what that means: the wizard is an HTA, and after this change any markup or script placed in an application’s Comments in Applications.xml is rendered and run by the wizard, so everyone with write access to the deployment share’s Control folder can change what the wizard does.

In the Scripts folder, find the file named ZTIConfig.vbs, make a copy of it, open ZTIConfig.vbs and find the following line (around line 700):

sComments = EncodeXML(oItem.SelectSingleNode("./Comments").Text)

and replace it with this:

sComments = oItem.SelectSingleNode("./Comments").Text

Save the file.
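As an added example (not from the original post), here are the two file-level changes from this post, the ZTIConfig.vbs edit and the application bundle with the form, done in a repeatable way: the patch is applied only if the line is found exactly once and a dated backup is kept, and the bundle is created through the MDT PowerShell provider so the HTML goes in with real quotes. The deployment share path and MDT install path are placeholders.

```powershell
# Added example: patch ZTIConfig.vbs safely and create the "Deployment Settings" bundle.
param(
    [string]$DeploymentShare = 'D:\DeploymentShare',
    [string]$MdtModule = 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'
)

# 1. The unsupported step: stop EncodeXML() from escaping the Comments field
$ztiConfig = Join-Path $DeploymentShare 'Scripts\ZTIConfig.vbs'
$original  = 'sComments = EncodeXML(oItem.SelectSingleNode("./Comments").Text)'
$patched   = 'sComments = oItem.SelectSingleNode("./Comments").Text'

$content = Get-Content -Path $ztiConfig -Raw
$hits = [regex]::Matches($content, [regex]::Escape($original)).Count
if ($hits -eq 0 -and $content.Contains($patched)) {
    Write-Output "$ztiConfig is already patched"
} elseif ($hits -ne 1) {
    throw "Expected exactly one EncodeXML line in $ztiConfig, found $hits; not touching the file"
} else {
    # Keep a dated copy: an MDT update replaces ZTIConfig.vbs and you will need to redo and compare
    Copy-Item -Path $ztiConfig -Destination ("{0}.{1}.bak" -f $ztiConfig, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    Set-Content -Path $ztiConfig -Value $content.Replace($original, $patched) -Encoding Default -NoNewline
    Write-Output "Patched $ztiConfig"
}

# 2. The application bundle that carries the form (rendered as HTML by the wizard after step 1)
Import-Module $MdtModule
if (-not (Get-PSDrive -Name DS001 -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name DS001 -PSProvider MDTProvider -Root $DeploymentShare | Out-Null
}
$form = @'
<table>
<tr><td>Enable Suspend Task Sequence</td><td><INPUT type="checkbox" Name="SuspendTS" value="YES" /></td></tr>
<tr><td>Disable Windows Update</td><td><INPUT type="checkbox" Name="DisableWSUS" value="NO" /></td></tr>
<tr><td>Disable Application Install</td><td><INPUT type="checkbox" Name="DisableApps" value="NO" /></td></tr>
</table>
'@
if (-not (Test-Path 'DS001:\Applications\Config')) {
    New-Item -Path 'DS001:\Applications\Config' -ItemType folder -Enable 'True' | Out-Null
}
if (-not (Get-ChildItem 'DS001:\Applications\Config' | Where-Object Name -eq 'Deployment Settings')) {
    Import-MDTApplication -Path 'DS001:\Applications\Config' -Enable 'True' -Name 'Deployment Settings' `
        -ShortName 'Deployment Settings' -Bundle -Comments $form | Out-Null
}
Get-ChildItem 'DS001:\Applications\Config' | Select-Object Name, guid, enable
```

The exactly-one-match check is the important part: if a future MDT build changes that line, the script refuses instead of leaving you with a wizard that half-works.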

Modify your CustomSettings.ini

We need to be able to select applications, so make sure your CustomSettings.ini contains:

  • SkipApplications=NO
  • SkipSummary=NO

SkipSummary can later be set to YES; the setting I suggest is just so that you can see that the variables are set correctly without having to run through the entire deployment when testing this.


CustomSettings.ini has been modified.

Hide all other applications

When running the wizard I don’t need to see all the applications, since they have been added to my task sequence. So you can either open each and every application and enable the “Hide this application” checkbox, or (if you have all the applications in folders) just disable the folder.

Create Your Reference Image using the new “Wizard”

Boot the VM, select your task sequence and enable/disable the items.

Note: You don’t really need to select the application; it is just used as a placeholder for the HTML code. I have however made the application a default application to avoid confusion, as MandatoryApplications001={GUID}.


All items have been selected.


All values have been set correctly.

Have Fun!

/mike

Question: Do I need to select the application?
Answer: No

Question: Why don’t you add a Wizard Page instead?
Answer: Because that is more complicated if you don’t know exactly how the wizard works. This method is in most cases good enough and can be done even if you don’t have any experience in modifying the wizard. You can, for example, just add a dropdown box to select certain items.

Question: Do you have any other example on how to use this?
Answer: Yes, a ton of them

Question: If I don’t need the wizard thing anymore, how do I disable it?
Answer: Since it is an application, disable the application


Categories: MDT

OS Deployment – What’s inside my WIM?

Sun, 11/15/2015 - 10:37

I was working for a customer in the US last week (you know who you are) and they had a problem with OSD that is solved by the updated Kernel-Mode Driver Framework. So I told them to create a new reference image with all patches included; it still did not work. So, let us open the WIM and see if the hotfix is included. It was not, since there was an issue with WSUS; fixed and case closed. But…

I have tested the script against all kinds of WIM files and so far it works; the script itself has been tested on Windows 10 and Windows Server 2016 TP3.

Creating a WIM Content Report

I did create a script that extracts the information from the WIM file at the customer site, but this version has been somewhat “polished”.

Download: http://1drv.ms/1bwlwXm


The Script.

What do I get?


Generic Info.


Drivers (Yes, even if you don’t add drivers, Microsoft Office will).


Enabled Features.


All the Packages.


All Appx Packages.

Usage

Import the Get-WimInfo.ps1 PowerShell script as a module:

Import-Module Get-WimInfo.ps1 -Force -Verbose

Use the command like this:

New-WimReport -MountFolder C:\mount\ -WIMFile E:\WIMs\RW10X64-002.wim -Index 1
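As an added example (not the Get-WimInfo.ps1 from the post), here is the same kind of report built on the DISM cmdlets, with the image mounted read-only and always dismounted, plus the check that started this post: is a given KB actually in the image? The WIM path, mount folder and KB number are placeholders.

```powershell
# Added example: report what is inside a WIM and confirm that required hotfixes made it in.
function New-WimContentReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$WimFile,
        [int]$Index = 1,
        [string]$MountFolder = 'C:\Mount',
        [string[]]$RequiredKB = @()      # e.g. '3118754'
    )
    if (-not (Test-Path -Path $MountFolder)) { New-Item -Path $MountFolder -ItemType Directory | Out-Null }
    if (Get-ChildItem -Path $MountFolder) { throw "$MountFolder is not empty; is a previous image still mounted?" }

    $imageInfo = Get-WindowsImage -ImagePath $WimFile -Index $Index
    try {
        # Read-only mount: we only inspect, so nothing can end up in the reference image by accident
        Mount-WindowsImage -ImagePath $WimFile -Index $Index -Path $MountFolder -ReadOnly | Out-Null

        $packages = Get-WindowsPackage -Path $MountFolder
        [pscustomobject]@{
            ImageName       = $imageInfo.ImageName
            Version         = $imageInfo.Version
            Architecture    = $imageInfo.Architecture
            Drivers         = Get-WindowsDriver -Path $MountFolder |
                                  Select-Object Driver, ProviderName, ClassName, Version
            EnabledFeatures = Get-WindowsOptionalFeature -Path $MountFolder |
                                  Where-Object State -eq 'Enabled' | Select-Object -ExpandProperty FeatureName
            Packages        = $packages | Select-Object PackageName, PackageState, ReleaseType
            AppxPackages    = Get-AppxProvisionedPackage -Path $MountFolder | Select-Object DisplayName, Version
            # Update packages are named like Package_for_KB<number>~<publisher>~<arch>~~<version>
            MissingKB       = @($RequiredKB | Where-Object { $kb = $_; -not ($packages | Where-Object PackageName -match "KB$kb") })
        }
    }
    finally {
        # Always unmount, even if one of the Get-* calls threw; -Discard because nothing was changed
        Dismount-WindowsImage -Path $MountFolder -Discard -ErrorAction SilentlyContinue | Out-Null
    }
}

$report = New-WimContentReport -WimFile 'E:\WIMs\RW10X64-002.wim' -Index 1 -RequiredKB '3118754'
$report | Select-Object ImageName, Version, Architecture, MissingKB
$report.Drivers | Format-Table -AutoSize
```

An empty MissingKB is the answer the customer needed; a non-empty one tells you which update never reached the reference VM, before anyone deploys the image.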

/mike


Categories: MDT

Working in the Datacenter – Deploying Update Rollups for System Center 2012 R2

Sat, 11/14/2015 - 16:01

You really need to understand this: an Update Rollup should NEVER, EVER be deployed using WSUS!!! (or any other automated way, unless you know exactly what needs to be done before and after to make it work)

Why?

Microsoft provides all the Update Rollups through Windows Update. So far so good, that makes them easy to deploy, so what is the big “no-no” here? Well, the short story is that it does not work the way most people assume. Deploying an Update Rollup could also require you to perform actions like these:

  • Update the SQL database using script
  • Add or modify Registry Keys
  • Manually update Agents
  • Troubleshoot issues

So, based on history, please, just don’t do this; it does not work. You need to deploy an Update Rollup pretty much like a Service Pack, since that is what it really is. It contains both bug fixes and new features, some of the features will change behavior, and some of the new features need to be enabled.

Ok, so how?

You need to follow the blogs from each product team so you know when they are released, and then you need to follow the step-by-step instructions from the team. You should also have a test system (you can use a hydration kit to build one fast and use it for testing; check http://www.deploymentbunny.com or http://deploymentresearch.com for more information).

Ok, so When?

You have two options here: you either know someone who has tested and verified it, or you wait 30 days and “listen” on the Internet. If you see 1,000,000 hits in a search engine, maybe you should wait until everyone else has fixed it.

Plan ahead

Ok, so this is what I tell all the customers I work with. Since Microsoft releases Update Rollups four times per year, create a schedule and set aside a couple of days (or more) every year to do this. It does not need to match the dates Microsoft releases them; just have a maintenance window four times every year to update/maintain your System Center platform.

Deploying Update Rollup 8 for System Center 2012 R2 – All Systems

https://support.microsoft.com/en-us/kb/3096378

Deploying Update Rollup 8 for System Center 2012 R2 – App Controller (No updates)

The last update for App Controller was System Center 2012 SP1 – http://support.microsoft.com/kb/2879276

Deploying Update Rollup 8 for System Center 2012 R2 – Data Protection Manager

Note: Could require a restart of all protected servers after deploying the agent.

3086084 Update Rollup 8 for System Center 2012 R2 Data Protection Manager

Download the Data Protection Manager update package now

Deploying Update Rollup 8 for System Center 2012 R2 – Operations Manager

Note: Do not install this update rollup package immediately after you install the System Center 2012 R2 server. Otherwise, the Health Service state may not be initialized.

Note: Could require manually editing web pages

Note: Could require you to manually add registry keys and values

Note: Could require you to manually run SQL scripts to update the database

3096382 Update Rollup 8 for System Center 2012 R2 Operations Manager

Download the Operations Manager update package now

Deploying Update Rollup 8 for System Center 2012 R2 – Orchestrator

3096381 Update Rollup 8 for System Center 2012 R2 Orchestrator

Download the Orchestrator update package now

Deploying Update Rollup 8 for System Center 2012 R2 – Service Provider Foundation

3096384 Update Rollup 8 for System Center 2012 R2 Service Provider Foundation

Download the Service Provider Foundation update package now

Deploying Update Rollup 8 for System Center 2012 R2 – Virtual Machine Manager

Note: Bare metal provisioning has changed

Note: Could require you to manually run SQL scripts

Note: Many new features, read and understand (and test them)

3096389 Update Rollup 8 for System Center 2012 R2 Virtual Machine Manager

Download the Server update package now

Download the Administrator Console update package now

Download the Guest Agent update package now

Deploying Update Rollup 8 for System Center 2012 R2 – Windows Azure Pack

3096392 Update Rollup 8 for System Center 2012 R2 Windows Azure Pack

Download the Windows Azure Pack update package now


Categories: MDT

Working in the Datacenter – Protect Remote Desktop Connection Manager using Self Signed Certificates

Fri, 11/13/2015 - 09:48

Even if IT is changing into more “pets” and “cattle”, we still have a massive number of systems that will be managed using Remote Desktop for a long time. Using Remote Desktop Connection Manager makes that process easier; you can basically work with all machines in a single window.


The mini view of 3 computers in RDCMan 2.7

Security is important

One really great feature is that you can save the password for each and every connection, and if you read the help file, it states:

RDCMan can encrypt the passwords stored in files either with the local user’s credentials via CryptProtectData or an X509 certificate

Hmm, ok, the first one is kind of bad. If I move the RDCMan file to another computer then all the passwords are lost; on the other hand, that is also safer. But I really do have that situation: I need to be able to use the configuration files on more than one computer and they need to be protected. So let’s use a certificate instead. But how do you create a certificate that can be moved around easily and at the same time is secure and protects itself?

According to the help file, we shall of course use the one utility on the planet that I hate most. I don’t like the fact that you need to spend hours downloading an SDK just to run an app that takes one second to create a file. There just has to be a replacement for makecert.exe…

PowerShell to the Rescue!

So, let us first create the certificate, export it, remove it and finally import it again. This way we know we can import it even on other computers. You need to protect the exported certificate with a password; that way it is protected from being imported by anyone other than you. The password is in clear text in the snippets below for readability; in practice prompt for it with Read-Host -AsSecureString rather than leaving it in a script, and guard the .pfx file as carefully as the .rdg file, since whoever has both (and the password) has every saved password.

Create and export a self-signed certificate for Remote Desktop Connection Manager:

#Create and Export Certificate
$PlainPassword = "P@ssw0rd"
$ExportFolder = "C:\Test"
$Subject = "RDCMan"
$CertificateFileName = "RDCManCertificate.pfx"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$RDCManCertificate = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject $Subject -KeyExportPolicy Exportable -KeySpec KeyExchange
Export-PfxCertificate -Cert $RDCManCertificate -FilePath "$ExportFolder\$CertificateFileName" -Password $SecurePassword
$RDCManCertificate | Remove-Item

 

Import the self-signed certificate for Remote Desktop Connection Manager:

#Import Certificate
$PlainPassword = "P@ssw0rd"
$ImportFolder = "C:\Test"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$CertificateFileName = "RDCManCertificate.pfx"
Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -Password $SecurePassword -FilePath "$ImportFolder\$CertificateFileName"
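As an added example (not the post’s own snippets), here is the same create/export/import round trip with the password prompted instead of hard-coded, an explicit lifetime instead of the one-year default, and a thumbprint check after import so you know the .rdg file will decrypt on the second machine before you need it to. Paths and subject are placeholders.

```powershell
# Added example: RDCMan certificate round trip with a prompted password and a post-import check.
function New-RdcManCertificate {
    param(
        [string]$Subject = 'CN=RDCMan',
        [string]$PfxPath = 'C:\Test\RDCManCertificate.pfx',
        [int]$ValidYears = 5
    )
    $password = Read-Host -Prompt 'PFX password' -AsSecureString
    # KeyExchange + Exportable: RDCMan encrypts with the public key, and the private key must travel in the PFX
    $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject $Subject `
                -KeyExportPolicy Exportable -KeySpec KeyExchange -NotAfter (Get-Date).AddYears($ValidYears)
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null
    # Remove the store copy so the only thing left is the password-protected PFX, as the post does
    $cert | Remove-Item
    return $cert.Thumbprint
}

function Import-RdcManCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $password = Read-Host -Prompt 'PFX password' -AsSecureString
    $imported = Import-PfxCertificate -CertStoreLocation C ert:\CurrentUser\My -FilePath $PfxPath -Password $password
    # RDCMan selects the certificate by thumbprint: a re-created cert with the same subject will not decrypt the file
    if ($imported.Thumbprint -ne $ExpectedThumbprint) {
        throw "Imported $($imported.Thumbprint), expected $ExpectedThumbprint"
    }
    if (-not $imported.HasPrivateKey) { throw 'Private key missing; RDCMan cannot decrypt without it' }
    $imported | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# On machine A
$thumb = New-RdcManCertificate
# On machine B, after copying the PFX over
Import-RdcManCertificate -PfxPath 'C:\Test\RDCManCertificate.pfx' -ExpectedThumbprint $thumb
```

Record the thumbprint together with the .rdg file: if the PFX is ever lost, the saved passwords are gone with it, and knowing which certificate a file expects saves a lot of guessing.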

 

Use the Certificate in Remote Desktop Connection Manager

In the settings for each .rdg file you can configure encryption, like this.

Hey, almost missed it: my friend and co-worker Markus Lassfolk has a really cool script that dumps all servers from AD and creates the .rdg file for you. Go grab it here: http://www.isolation.se/automatically-generate-rdcman-connection-files-with-a-script/
/mike


Categories: MDT


Working in the Datacenter – Operations Management Suite (OMS) now supports Linux (Preview)

Wed, 11/04/2015 - 15:43

Today the OMS team announced support for a Linux agent, which gives you the opportunity to also monitor Linux systems using OMS.

Read more here: http://blogs.technet.com/b/momteam/archive/2015/11/04/oms-agent-for-linux-now-available.aspx


Categories: MDT

OS Deployment – Windows 10 and OUs, Policies and LAPS

Wed, 11/04/2015 - 15:35

So, you are about to deploy Windows 10 in your organization. That sounds like a great plan. Before you start I have some recommendations when it comes to joining the machines to your domain.

Create a separate OU for your Windows 10 computers

Yes, I strongly recommend this. When working with customers I see a lot of “We have 850 GPO settings that we used for XP, should we apply the same for Windows 10?” and the answer is of course NO!!!! Instead, create a new OU and start over; this is your chance to clean up that mess. For most customers it turns out that you need just a small number of settings for Windows 10 computers, since most defaults are already correct. Also, you might use ConfigMgr and be starting to use the policy settings there instead, or be shifting to MDM. Just have an empty OU with inheritance blocked for your Windows 10 computers until you have figured out exactly what you need. After that you might want to move the computers back, use WMI filters or re-arrange your OU structure.


A separate OU has been created for Windows computers.

What policies should you have?

This is a discussion I have with every customer, and over time I have learned how to explain it. I usually divide all settings into four categories, and the simple rule is that if you can’t tag your policy with one of these four categories, don’t use it!

Group Policy Settings Reference for Windows 10: http://www.microsoft.com/en-us/download/details.aspx?id=25250


Download Settings Ref.

Settings that will help the user to do the correct action

This could be to save documents in the correct place, to configure the Antivirus program to perform correctly and so on

Settings that brand the computer correctly

Branding is important from many aspects; one is that the user often sees a non-branded device as their “own”, while a branded computer belongs to the company, and this also reflects the way people treat the device.

Settings that prevent the user from shooting themselves in the foot

These are not security settings; this is more the “Would you like to open Word documents using Notepad instead of Word” kind of thing, which would prevent the user from working, kind of…

Real Security settings

As a first step, you need to have some kind of strategy around security; there is not really any value in locking down a computer to insanity while the user is a local admin anyway. Then use Security Compliance Manager 3.0 plus the draft Windows 10 security settings (and the final version when that arrives) to determine a baseline.

Windows 10 Security Compliance Manager Baselines: http://blogs.technet.com/b/secguide/archive/2015/10/08/security-baseline-for-windows-10-draft.aspx

Security Compliance Manager: http://www.microsoft.com/en-us/download/details.aspx?id=16776


The new template files for SCM and Windows 10 (draft).

Implement Local Administrator Password Solution (LAPS)

With LAPS you have a solution that will on a regular basis change the password of the local admin account and store it in Active Directory; this is one of those “Just install it, don't ask” things.

LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899


Download LAPS.

Update your ADMX and ADML files for Windows 10

Ok, so the basics are done, now you need to download the new ADMX and ADML files and store them in a Central Store

Download the ADMX and ADML files

That is done here: http://www.microsoft.com/en-US/download/details.aspx?id=48257

After download, run the installer to unzip the files. Open the folder and remove all language folders you don't need. I usually only keep en-US. The only reason to have other languages is that you have administrators that don't understand English; this has nothing to do with end users, they will hopefully never, ever create or modify GPOs.


Download the ADMX and ADML files for Windows 10.

Update your Central Store

This is very much recommended, but it will work if you use a local store as well. The reason to have a central store is that all policies modified/created will use the same base; otherwise there is a huge risk that a policy is created on one machine with different languages and different versions, and that could lead to all kinds of disaster. (In this case the server is named SRVDC01 and the domain name is network.local)

So, the easy way is to rename the folder called \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions to \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions.old

And copy the new PolicyDefinitions from your unzipped folder to \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions like this:


The PolicyDefinitions folder in the correct location.

If you had any custom policy files, copy them from PolicyDefinitions.old to PolicyDefinitions to get them back. The reason I do this is that some policy files have been changed, and instead of picking them out, it is easier to just rename the old folder and upload a new folder with the correct policy files. Note: this does not change ANY existing policies at all. When you create a new policy the Policy Editor will start using the new templates, that's all.

To verify that you have the correct policy files in place, just open GPEdit, create a new policy and browse to a new setting you did not have before.
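The rename, copy and carry-back steps above as one script, added here as an example and not code from the original post. The server and domain names are the post's (SRVDC01, network.local); the $NewDefinitions path is wherever the ADMX installer unzipped the files and is an assumption you must adjust. It keeps only the language folders you list, and it restores a custom ADMX from the old store only when the new set has no file of the same name, so Microsoft's updated templates always win.

```powershell
# Added example, not the post's code: swaps in a new ADMX/ADML set the way the post
# describes (rename old folder, copy new one, keep chosen languages, carry custom
# templates back) and reports what the store now contains.
function Update-CentralStore {
    param(
        [Parameter(Mandatory)][string]$NewDefinitions,   # folder the installer unzipped (assumption)
        [string]$CentralStore    = '\\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions',
        [string[]]$KeepLanguages = @('en-US')
    )
    if (-not (Test-Path -LiteralPath $NewDefinitions)) { throw "New definitions not found: $NewDefinitions" }
    $old = "$CentralStore.old"
    if (Test-Path -LiteralPath $old) { throw "$old already exists; remove or rename it before running again" }

    # 1. Rename the current store instead of deleting it, so nothing is lost
    if (Test-Path -LiteralPath $CentralStore) {
        Rename-Item -LiteralPath $CentralStore -NewName (Split-Path -Leaf $old)
    }

    # 2. Copy the new templates, then drop the language folders you do not need
    Copy-Item -LiteralPath $NewDefinitions -Destination $CentralStore -Recurse
    Get-ChildItem -LiteralPath $CentralStore -Directory |
        Where-Object { $_.Name -notin $KeepLanguages } |
        Remove-Item -Recurse -Force

    # 3. Carry back custom templates: any ADMX in the old store with no counterpart in the
    #    new set, together with its ADML for each kept language
    $restored = @()
    if (Test-Path -LiteralPath $old) {
        foreach ($admx in Get-ChildItem -LiteralPath $old -Filter *.admx -File) {
            $target = Join-Path $CentralStore $admx.Name
            if (Test-Path -LiteralPath $target) { continue }   # Microsoft's newer copy wins
            Copy-Item -LiteralPath $admx.FullName -Destination $target
            $restored += $admx.Name
            foreach ($lang in $KeepLanguages) {
                $adml = Join-Path (Join-Path $old $lang) ($admx.BaseName + '.adml')
                if (Test-Path -LiteralPath $adml) {
                    $dest = Join-Path $CentralStore $lang
                    if (-not (Test-Path -LiteralPath $dest)) { New-Item -Path $dest -ItemType Directory | Out-Null }
                    Copy-Item -LiteralPath $adml -Destination $dest
                }
            }
        }
    }

    # 4. Report the result so you can sanity-check counts before opening GPMC
    [pscustomobject]@{
        CentralStore   = $CentralStore
        Backup         = $old
        AdmxCount      = (Get-ChildItem -LiteralPath $CentralStore -Filter *.admx -File).Count
        Languages      = (Get-ChildItem -LiteralPath $CentralStore -Directory).Name
        RestoredCustom = $restored
    }
}

Update-CentralStore -NewDefinitions 'C:\Temp\PolicyDefinitions'
```

The backup folder is left in SYSVOL on purpose; delete PolicyDefinitions.old yourself once a new policy shows the Windows 10 settings in the editor, as described above.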


Here you can see that the template is fetched from Central Store and that I can Configure Device Guard that is a feature of Windows 10.

/mike


Categories: MDT

Working in the Datacenter – Wake on LAN using PowerShell

Mon, 11/02/2015 - 15:31

I have to admit, I'm lazy. So when working with computers, in datacenters, at home or basically anywhere, I don't like to get up and push a button. My hands need to be close to my keyboard. BTW, Wake on LAN is not something new, it is actually pretty old.

The first section in this post is about how it works, and the second part is how to use it.

How does this work? The Wake On LAN Function

I don't like to download utilities or applications when I don't really need to; if I can solve this with a simple PowerShell cmdlet or a simple function, I'll use that instead. So browsing around the Internet led me to this site http://www.adminarsenal.com/admin-arsenal-blog/powershell-sending-a-wake-on-lan-wol-magic-packet where the basic functionality to create a magic packet exists. So by using the fundamentals from Kris Powell I created a function of this:


Send-MagicPacket

Getting the MAC Address

But to be able to send a Magic Packet I do need a MAC address, so I need a function for that too, and here it is. I do need multiple functions here.

The first function is to grab the MAC from a “live” IP address, but then I need to know the IP.


Get-MacFromIP

So the second function is to get the IP from name.


Get-IPFromName

And combining them leads me into the last function.


Get-MacFromName

There are of course a bunch of other ways to get the MAC address; you can grab it from within the OS using basically any command line, but it's so handy not to have to log on to all the machines (yes, I know there are ways, but I have a massive number of lab machines, not members of the domain, and other strange machines).

Storing the MAC address in an XML data file

Well, getting the MAC address is easy when the machine is turned on, but, hey, that's not going to be the case here. So while the machines are “live” I can get the MAC, IP and computer name and store that in an XML file; then I can later use that information to wake my machines up when I need them, so I do need to store that information somehow.


New-ComputerDataFile

Get information from the XML data file

Now, let's see what's in the data file by using this function


Get-ComputerDataFile

Using this: load them up and let's get started!

#Import Module
Import-Module C:\Users\Administrator\OneDrive\PowerShellScript\WakeOnLan\WakeOnLan.psm1 -Force -Verbose

#Set Vars
$XMLfile = "C:\Users\Administrator\OneDrive\PowerShellScript\WakeOnLan\Computers.xml"
$Computers = "FABUILD01","DFLAB01"

With all functions loaded you can now run through a couple of steps to create your XML file and have functions ready for Wake-On-LAN


Function is loaded and basic variables are set

Create the XML file and get the content

#Generate New XML File
New-ComputerDataFile -Computers $Computers -XMLDatafile $XMLfile

#Get Content of XML File
Get-ComputerDataFile -XMLDatafile $XMLfile

Wake it up!

#Send Magic Packet to Computer
Send-MagicPacket -Mac $(Get-MacFromXML -ComputerName DFLAB01 -XMLDatafile $XMLfile)
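The packet itself, from both ends, as an added example that is not part of the post or of WakeOnLan.psm1 (function names are my own). The post's Send-MagicPacket trusts whatever MAC string it is handed; this version validates the MAC first, builds the 102-byte payload explicitly, and adds a decoder so a listener on the broadcast port can log which host is being woken and by whom, which is the check you want when WoL traffic shows up on a segment unexpectedly.

```powershell
# Added example, not part of the post or of WakeOnLan.psm1: build a magic packet with
# MAC validation, and decode a received packet back to its target MAC.

function ConvertTo-MacBytes {
    # Accepts AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF or AABBCCDDEEFF; rejects anything else
    param([Parameter(Mandatory)][string]$Mac)
    $clean = $Mac -replace '[:\-]', ''
    if ($clean -notmatch '^[0-9A-Fa-f]{12}$') {
        throw "Invalid MAC address '$Mac': expected 12 hex digits, optionally separated by ':' or '-'"
    }
    return ,[byte[]](0..5 | ForEach-Object { [Convert]::ToByte($clean.Substring($_ * 2, 2), 16) })
}

function New-MagicPacket {
    # 6 bytes of 0xFF followed by the target MAC repeated 16 times: 102 bytes in total
    param([Parameter(Mandatory)][string]$Mac)
    [byte[]]$macBytes = ConvertTo-MacBytes -Mac $Mac
    $packet = New-Object byte[] 102
    for ($i = 0; $i -lt 6; $i++) { $packet[$i] = 0xFF }
    for ($r = 0; $r -lt 16; $r++) { [Array]::Copy($macBytes, 0, $packet, 6 + ($r * 6), 6) }
    return ,$packet
}

function Get-MagicPacketTarget {
    # Returns the target MAC (AA-BB-CC-DD-EE-FF) of a well-formed magic packet, or $null.
    # Checks the exact layout the post's Send-MagicPacket emits: sync stream at offset 0.
    param([Parameter(Mandatory)][byte[]]$Packet)
    if ($Packet.Length -lt 102) { return $null }
    for ($i = 0; $i -lt 6; $i++) { if ($Packet[$i] -ne 0xFF) { return $null } }
    $mac = $Packet[6..11]
    for ($r = 1; $r -lt 16; $r++) {
        for ($i = 0; $i -lt 6; $i++) {
            if ($Packet[6 + ($r * 6) + $i] -ne $mac[$i]) { return $null }
        }
    }
    return (($mac | ForEach-Object { $_.ToString('X2') }) -join '-')
}

function Receive-MagicPacket {
    # Listens on a UDP port (the post's Send-MagicPacket uses 7; 9 is the other common
    # choice) and returns the sender and decoded target of the first packet that arrives,
    # or $null if nothing arrives before the timeout.
    param([int]$Port = 7, [int]$TimeoutSeconds = 30)
    $udp = New-Object System.Net.Sockets.UdpClient($Port)
    $udp.Client.ReceiveTimeout = $TimeoutSeconds * 1000
    $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    try {
        $data = $udp.Receive([ref]$remote)
        [pscustomobject]@{
            Source    = $remote.Address.ToString()
            TargetMac = Get-MagicPacketTarget -Packet $data
        }
    }
    catch [System.Net.Sockets.SocketException] { return $null }
    finally { $udp.Close() }
}

# Round trip on a constructed sample: the DFLAB01 MAC from the post's Computers.xml
$pkt = New-MagicPacket -Mac 'B8:AE:ED:75:7A:FC'
Get-MagicPacketTarget -Packet $pkt
```

A decoded TargetMac of $null from Receive-MagicPacket means something other than a magic packet landed on the port; a real MAC together with an unexpected Source address is the event worth logging.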

Here is the PowerShell Module and a Sample Script on how to use it http://1drv.ms/1KUHGMi

/mike

For Ref:

WakeOnLan.psm1 – Listing:

Function Get-MacFromIP {
    param(
        $IP
    )
    # Ping first so the neighbor (ARP) cache has a fresh entry for the address
    $Ping = (New-Object System.Net.NetworkInformation.Ping).Send($IP)
    if ($Ping.Status -eq "Success") {
        # A host can show up on several interfaces; take the first entry
        return (Get-NetNeighbor -IPAddress $IP -ErrorAction SilentlyContinue | Select-Object -First 1).LinkLayerAddress
    }
    else {
        Write-Warning "No MAC found for $IP (ping failed)"
    }
}
Function Get-IPFromName {
    Param(
        $ComputerName
    )
    return (Test-Connection -ComputerName $ComputerName -Count 1 -BufferSize 32).IPV4Address.IPAddressToString
}
Function Get-MacFromName {
    param(
        $ComputerName
    )
    # Resolve the name to an IP and reuse Get-MacFromIP instead of duplicating it
    $IP = Get-IPFromName -ComputerName $ComputerName
    return Get-MacFromIP -IP $IP
}
Function Get-MacFromXML {
    Param(
        $ComputerName,
        $XMLDatafile
    )

    [XML]$XMLData = Get-Content -Path $XMLDatafile
    return ($XMLData.Computers.Computer | Where-Object -Property Name -EQ -Value $ComputerName).Mac
}
Function New-ComputerDataFile {
    Param(
        $Computers,
        $XMLDatafile
    )

    # Create (or overwrite) the data file and write the XML line by line
    New-Item -Path $XMLDatafile -ItemType File -Force | Out-Null
    $ComputerID = 100

    Set-Content -Path $XMLDatafile -Value '<?xml version="1.0" encoding="utf-8"?>'
    Add-Content -Path $XMLDatafile -Value '<Computers>'

    foreach ($ComputerName in $Computers) {
        $ComputerID = $ComputerID + 1
        Add-Content -Path $XMLDatafile -Value " <Computer id=""$ComputerID"">"
        Add-Content -Path $XMLDatafile -Value "  <Name>$ComputerName</Name>"
        Add-Content -Path $XMLDatafile -Value "  <IP>$(Get-IPFromName -ComputerName $ComputerName)</IP>"
        Add-Content -Path $XMLDatafile -Value "  <Mac>$(Get-MacFromName -ComputerName $ComputerName)</Mac>"
        Add-Content -Path $XMLDatafile -Value ' </Computer>'
    }
    Add-Content -Path $XMLDatafile -Value '</Computers>'
}
Function Get-ComputerDataFile {
    Param(
        $XMLDatafile
    )

    [XML]$XMLData = Get-Content -Path $XMLDatafile
    $XMLData.Computers.Computer
}
Function Send-MagicPacket {
    Param(
        $Mac
    )
    Write-Host "Sending MagicPacket to $Mac"

    # Magic packet: 6 x 0xFF followed by the MAC repeated 16 times, sent as a UDP broadcast
    $MacByteArray = $Mac -split "[:-]" | ForEach-Object { [Byte] "0x$_" }
    [Byte[]] $MagicPacket = (,0xFF * 6) + ($MacByteArray * 16)
    $UdpClient = New-Object System.Net.Sockets.UdpClient
    $UdpClient.Connect(([System.Net.IPAddress]::Broadcast), 7)
    $UdpClient.Send($MagicPacket, $MagicPacket.Length)
    $UdpClient.Close()
}

Proj-WakeOnLan.ps1 – Listing:

#Import Module
Import-Module C:\Users\Administrator\OneDrive\PowerShellScript\WakeOnLan\WakeOnLan.psm1 -Force -Verbose

#Set Vars
$XMLfile = "C:\Users\Administrator\OneDrive\PowerShellScript\WakeOnLan\Computers.xml"
$Computers = "FABUILD01","DFLAB01"

#Generate New XML File
New-ComputerDataFile -Computers $Computers -XMLDatafile $XMLfile

#Get Content of XML File
Get-ComputerDataFile -XMLDatafile $XMLfile

#Send Magic Packet to Computer
Send-MagicPacket -Mac $(Get-MacFromXML -ComputerName DFLAB01 -XMLDatafile $XMLfile)

 

Computers.xml – Listing:

<?xml version="1.0" encoding="utf-8"?>
<Computers>
 <Computer id="101">
  <Name>FABUILD01</Name>
  <IP>192.168.97.134</IP>
  <Mac>2C-41-38-09-A4-89</Mac>
 </Computer>
 <Computer id="102">
  <Name>DFLAB01</Name>
  <IP>192.168.97.121</IP>
  <Mac>B8-AE-ED-75-7A-FC</Mac>
 </Computer>
</Computers>


Categories: MDT


OS Deployment using MDT – Inside the Validation Step

Wed, 09/30/2015 - 06:32

So, you are about to deploy Windows (client or server) using Microsoft Deployment Toolkit. Before you do that, maybe you should change the Validate action. Why? Because the default values do not make sense to everyone, that's why.

The Validate Action

The Validate action is a step in the Task Sequence that verifies that the machine you are about to install is good enough to be deployed. The defaults are a bit “wrong” for most customers IMHO.

The Defaults:
  • Check if the machine has at least 768 MB of RAM
  • Check that the minimum CPU speed is at least 800 MHz
  • Don't check disk space
  • Check that if there is an operating system installed, it is a client OS

Consider this: Ensure minimum memory

768 MB is just wrong: a Windows 10 machine will need at least 2 GB (x86) or 4 GB (x64). So should you set it to 2048 or 4096? No, not at all. You need to account for the GPU RAM as well, since that is most likely “stolen” from RAM. So a 4 GB machine is 4096 MB – 512 MB (GPU memory) = 3584 MB, set it to 3500. A 2 GB machine is 2048 MB – 512 MB = 1536 MB, set it to 1530.

Ensure minimum processor speed (MHz)

This is a bit tricky; depending on power saving features, and the fact that the machine may be virtual, this could block the OS install even if the CPU is fine. But there are very few machines with 4 GB of RAM and a CPU slower than 800 MHz anyway, so checking memory should be fine.

Check to ensure specified image size will fit (MB)

This check does not happen unless you check it, and maybe you should, if you are using Multicast the image will first be copied to the disk and then it will perform the install, in that case you actually “need” space, consider to change that.

Ensure current OS to be refreshed is

This checks the OS on the disk before installing/refreshing. It makes sense in most cases; however, when you are playing and testing you could have a laptop that is used for both client and server OS tests, in which case you need to uncheck it.


Below you can see the default values.


Modified values.


Here is the result if the validation fails, due to insufficient memory.

Check BIOS

One other fun thing is the Check BIOS action. When I ask around I usually get something like “-Well, it checks the BIOS, you know.” Not really: it is a script that runs to gather information about the BIOS, that is correct. It then uses that information against an XML file to see if there is a match, and if there is a match, it will block the OS install. But the question is, what does it really check?

When opening the VBScript it seems that it checks Manufacturer, Model and BIOS date

and if it does find a match it will tell you the following…

and that’s very nice to know, if you are deploying Windows Vista…

ZTIBIOSCheck.xml

Let us see what it looks for…

Ok, hmm. If you have BIOS version “XX ROM BIOS Version 1.23”, the vendor is Wyssyg Computers and the model is WYSIWYG Super Cool Computer 2007 with a BIOS date of 20060801000000.000000+000, it will block the install. Not sure that has ever happened, but hey, nothing is impossible…

What you could do is add computers to the XML file to block installation if you know that a certain model/BIOS will not work correctly.
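Both checks from this post in one preflight, as an added example that is neither the post's code nor MDT's own ZTIValidate/ZTIBIOSCheck scripts. The memory helper applies the rule worked through above (nominal RAM minus 512 MB for shared GPU memory, then rounded down to the nearest 100 MB, an assumption modelled on the post's 4096 → 3584 → 3500). The blocklist XML is a constructed layout of my own, not the ZTIBIOSCheck.xml schema; its first entry carries the Wyssyg values the post quotes, the second is a made-up lab model. Everything else reads Win32_ComputerSystem and Win32_BIOS, the same classes the MDT script gathers from.

```powershell
# Added example: MDT-style validation preflight. Not the post's code and not MDT's scripts.
# Blocklist format below is constructed for this example, not the ZTIBIOSCheck.xml schema.

function Get-ValidateMemoryThreshold {
    # Value to type into "Ensure minimum memory" for a hardware class: nominal RAM minus
    # the shared-GPU reservation, rounded down to the nearest 100 MB (assumption, see lead-in)
    param([Parameter(Mandatory)][int]$NominalMB, [int]$GpuReserveMB = 512)
    return [int]([math]::Floor(($NominalMB - $GpuReserveMB) / 100) * 100)
}

# Constructed blocklist: Manufacturer, Model and the yyyyMMdd prefix of the BIOS date
[xml]$script:BiosBlockList = @'
<BlockList>
  <Computer Manufacturer="Wyssyg Computers" Model="WYSIWYG Super Cool Computer 2007" BiosDate="20060801" />
  <Computer Manufacturer="Example Corp" Model="Lab Box 1" BiosDate="20150101" />
</BlockList>
'@

function Test-BiosBlocked {
    # $BiosDate may be the raw CIM_DATETIME string (20060801000000.000000+000) or plain yyyyMMdd
    param(
        [Parameter(Mandatory)][string]$Manufacturer,
        [Parameter(Mandatory)][string]$Model,
        [Parameter(Mandatory)][string]$BiosDate,
        [xml]$BlockList = $script:BiosBlockList
    )
    foreach ($entry in $BlockList.BlockList.Computer) {
        if ($Manufacturer -eq $entry.Manufacturer -and
            $Model -eq $entry.Model -and
            $BiosDate.StartsWith($entry.BiosDate)) {
            return $true
        }
    }
    return $false
}

function Test-DeploymentPreflight {
    # Runs both checks on the local machine through the WMI classes the MDT scripts read
    param([int]$MinimumMemoryMB = (Get-ValidateMemoryThreshold -NominalMB 4096))
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    # TotalPhysicalMemory already excludes memory reserved for a shared GPU, which is
    # exactly why a "4 GB" laptop fails a 4096 MB threshold
    $ramMB = [int][math]::Floor($cs.TotalPhysicalMemory / 1MB)
    # Get-CimInstance hands ReleaseDate back as a DateTime; some VMs report none at all
    $biosDate = if ($bios.ReleaseDate) { $bios.ReleaseDate.ToString('yyyyMMdd') } else { '' }
    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        BiosDate     = $biosDate
        MemoryMB     = $ramMB
        MemoryOK     = ($ramMB -ge $MinimumMemoryMB)
        BiosBlocked  = (Test-BiosBlocked -Manufacturer $cs.Manufacturer -Model $cs.Model -BiosDate $biosDate)
    }
}

# The figures the post works through, and the quoted Wyssyg entry
Get-ValidateMemoryThreshold -NominalMB 4096
Get-ValidateMemoryThreshold -NominalMB 2048
Test-BiosBlocked -Manufacturer 'Wyssyg Computers' -Model 'WYSIWYG Super Cool Computer 2007' -BiosDate '20060801000000.000000+000'
Test-DeploymentPreflight
```

Run Test-DeploymentPreflight on a reference machine of each hardware class before setting the Validate step; MemoryMB is the number the Validate check will actually see, so it shows you directly how much below the nominal figure the threshold has to sit.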

/mike


Categories: MDT
