Leaderboard

@dreddric it's done now see >

i presume the collection is setup using a query, can you share the query so we can see what you are looking for... also, have you checked that the computer is actually present in that specific OU prior to ending up in the collection ?

Thanks. Very useful. Usually I use VPN services from this site.

That is cuz you are one crazy awesome dude Niall!!! Still have my fingers crossed that we get to have that drink this summer!! Waiting to find out if we are still going to have our CTG Summit in August! 🤙

if i had a vote left Marc i'd vote for it, did you tweet it yet ?

Added this a week ago: https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/40637050-provide-support-for-bitlocker-management-with-ibcm It could use some attention and more importantly some votes! 🤙

Having your Bitlocker Management keys stored on your on premise database (ConfigMgr) is an asset to many customers, and also gives you time to migrate to Intune and see the different ways it can manage your recovery keys, you could create an Azure web app proxy to connect back to the on-premise server handling the requests.

Hi Niall, I'm currently running MECM 2002 and I have followed your guides but I want to use the bitlocker encryption certificate so I have followed the Microsoft documentation. I have created the cert but I get and error when trying to produce the policy in MECM. The error is Plain text storage of recovery information required when the Bitlocker Management encryption certificate has not been deployed. Where do I have to deploy it too? I have two management points both on prem one is an IBCM both using HTTPS. Thank you EDIT: I had the policy open while I created the cert. Closing the policy window and relaunching fixed the issue. Thank you

Hi, i hope you didnt take that as a bad vibe. Im just unexperienced and learning sccm now. And since i cant copy paste on the server and also want to understand most of the things i just do it manually

Hi Martinez, if you are running a Proxy server in your environment run these command on your Management Point in an admin cmd. netsh winhttp set proxy proxy.fqdn:port "<local>;*.fqdn" bitsadmin /util /setieproxy localsystem NO_PROXY bitsadmin /util /setieproxy localsystem proxy.fqdn:port "<local>;*.fqdn" iisreset I was struggeling with the same problem for a long time. The IIS server has some serious problems when the IEProxy for local system is configured with AUTODETECT. That can result in various errors in Config Manager. The settings above also fixed my installation errors for MDOP Bitlocker and Cache Server for delivery optimization. So long Peter

Turns out no Software Update point is needed, just needed to add an Operating System Upgrade package and point it to the CORRECT folder...

Hello Shashi, you're very welcome and stay safe yourself too. So long Peter

I tried this. There was no change.

yup, for anyone wondering, in part 4 of my series you'll see how to do this silently, https://www.niallbrady.com/2019/11/13/want-to-learn-about-the-new-bitlocker-management-in-microsoft-endpoint-manager-configuration-manager/

are all packages failing to get to the dp ? or only some packages ? i'm confused about you mentioning PXe, what has that to do with packages getting to the dp, you need to fix the packages getting to the dp first and then concentrate on your other issues

you need to provide more detail about this distribution point, was it ever working ? have you tried to reinstall the DP role on this server ? you mention 'during the reimage of the device' what do you mean by that ?

did you look at your logs ? there are some errors in there, i've highlighted one for you

have you seen this yet ? https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-management-gateway-addressing-common-challenges/ba-p/1351262?utm_source=dlvr.it&utm_medium=twitter

This will not be supported and you WILL have problem when you manage WSUS outside of SCCM for non-SCCM computer. There is NO problem having WSUS installed on the CM server with its own clean db.

Start with a Clean WSUS server using full SQL server.

you can use these guides to get going for server 2016 see below for server 2019 see below

you don't want to use an existing WSUS server. You want a fresh one that is use SQL database not WID.

Hi - link to the scripts.zip file no longer seems valid. I'm looking to do this can someone provide the link to the files? All sorted - Login first!! What a dummy!

Introduction In Part 1 I showed you how you can configure BitLocker on Windows 10 devices using Microsoft Intune, but that method relies on the end user actually clicking on the notification in Windows and then continuing through the wizard until completion. In this post I'll show you how you can automate that part of the process, using an MSI that is based upon an MSI that was originally created by Pieter WigLeven. That MSI creates a scheduled task to run daily until the drive is encrypted. Pieter's solution was great but lacked some key features that I wanted such as logging (so that you can view errors which may occur during the encryption phase), logic and a user facing reboot prompt. Therefore, I decided to rewrite the PowerShell script included in the MSI and then re-package it for your benefit. Note: I'd recommend you test this solution in a lab environment, I used Windows 10 version 1703 Hyper-v based virtual machines (Generation 2) with a Virtual TPM enabled. Also to note, this MSI (and Pieters) does not check for the existance of a third party encryption tool, if you want that functionality then you'll need to modify the PowerShell script accordingly and then repackage it as described in Step 5. Enabling a Virtual TPM If you use Hyper-v VM's without a Virtual TPM enabled then the PowerShell script will exit logging errors and will not start the encryption. You can enable the Virtual TPM in the Security settings of your virtual machine (shown in the screenshot below) by placing a check mark in Enable Trusted Platform Module. Step 1. Download the MSI Note: In this guide I've used the windows-noob.com version of the MSI. I've modified the MSI as described in Step 5 and made it available in the Downloads section of this Guide, it includes new features such as Detailed logging Logic to check if encryption was enabled Reboot notification for end users Automatically remove the scheduled task once encryption is enabled You can get the the windows-noob.com version of the MSI in the Downloads section of this guide (scroll down....) or you can get the original MSI from Pieter. Keep in mind that if you are doing Azure AD join, that the user is automatically an Administrator, if however you are using Windows Autopilot then the user will not be an Administrator. The windows-noob.com version of the tool is based on the user being an Administrator. Step 2. Add the MSI as a LOB app in Intune Now that you have the MSI available, it's time to upload it into Intune. In the Intune service in Azure, select Mobile Apps, then Apps, then click on + Add to add an App. Select Line of Business app in the drop down, then select Select file and point it to the downloaded MSI file before clicking on OK. Next click on App Configuration and fill in some details about the application before clicking on OK finally click on Add. Step 3. Assign the app as Required to a User Group Next you will deploy the application (Assign) to a group of Users. In this guide I've created an Assigned User Group called Automate BitLocker Encryption (Users) which contains users that I want to target with this policy. Click on Assignment, then click on Select Groups, select the User Group you created previously and then click on Select. For Type, click on the dropdown and select Required and then click on Save. This will mean that any users in this User Group will be targeted by this required application and it will automatically download and run. Step 4. Verify the experience On a Windows 10 computer that is not yet BitLockered (and not encrypted by any third party encryption), Logon as a user that is a member of the above User Group. Keep in mind that they also need to have received the BitLocker Configuration created in Part 1 of this guide. That policy will set the BitLocker Configuration options (such as Encryption Algorithm), but it will not start encryption automatically. Trigger a Sync using the appropriate button. This will pull down the new policy and start the download and installation of the MSI which in turn will copy some files, and create a scheduled task. Once policy is received, you can see that the application is installed in Control Panel And three files are present in the File System at C:\Program Files (x86)\BitLockerTrigger. Note: The VBS kicks off the PowerShell script and the XML file is used in the creation of the Task Scheduler task. You can also check Task Scheduler to see the task is added, and that it is scheduled to run at 2pm. Tip: By default Windows Task Scheduler has the History tab disabled by default, to enable it you must start Task Scheduler as Administrator (Run as Administrator) and then click on Enable All Tasks History in the right pane. This will give you some details about the running task and whether it did run or not, but for more details about the task review the TriggerBitLocker.log file as described below. Running the Task You can wait until 2pm for the scheduled task to run or right click on the task and choose Run to run it now. after it has run, if everything was ok it will popup a reboot to the user, if things don't go according to plan use CMTrace.exe and navigate to C:\Windows\Temp and open the generated log file C:\Windows\Temp\TriggerBitLocker.log The log file should reveal any problems that occur. In the example below you can see what happens when you try to run the task on a computer without a TPM. The key takeaway here is that logging is now included with the MSI and the PowerShell logic will avoid popping up a reboot message to the end user in the event that it has not succeeded to enable Encryption. On a computer that meets the specifications (TPM), the PowerShell script enables encryption and the user will see the popup, they can delay for a few hours or accept the reality that they are getting Encrypted with BitLocker. and if they choose Reboot Now they'll see something like this After the reboot we can verify BitLocker encryption status and the recovery key is in Intune in Azure. job done ! Note: After successfully enabling BitLocker the script deletes the Scheduled Task so that it no longer re-runs. Step 5. (Optional) Edit the MSI with Advanced Installer If you'd like to update the MSI yourself, you can install the MSI on a vm, and pull the scripts from the folder shown above, then load it using Advanced Installer. Edit what you want in the package and edit the PowerShell script to suit your needs, once done copy the replacement scripts back into the MSI in the Files and Folders section below Once done, to build the package click on the Save icon in the ribbon. And use that compiled MSI in the guide above. Downloads Below is the windows-noob.com version of Pieters MSI, this version was compiled using Advanced Installer 14.2.1 (great product !) and contains improvements to the PowerShell script such as logic handling, logging to help with troubleshooting and a Reboot computer popup at the end of the script which only appears if encryption is enabled. windows-noob.com TriggerBitlocker.msi (version 1.0.0.2) - TriggerBitlocker.msi windows-noob.com TriggerBitLockerUser.msi (version 1.0.0.2TriggerBitlockerUser.msi Recommended reading Hardware independent automatic Bitlocker encryption using AAD/MDM https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2017/06/07/hardware-independent-automatic-bitlocker-encryption-using-aadmdm/#comment-26696 Configuring BitLocker in Intune - Part 1. Configuring BitLocker https://www.windows-noob.com/forums/topic/15514-configuring-bitlocker-in-intune-part-1-configuring-bitlocker/ Download Advanced Installer http://www.advancedinstaller.com/download.html

Thanks for your help anyweb. This ended up highlighting the root cause and fixing my issue: Modified the registry key per instructions: alternatively try this, open regedit and change the following reg key value. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SRSRP] "SRSInitializeState"=dword:00000000 The value should be changed to 0, then wait for the value to change back to 1. It will change to 2 for a while. You can amonitor the srsrp.log while you wait Once modified I then found these errors in the srsrp.log: System.Web.Services.Protocols.SoapException: An error occurred within the report server database. This may be due to a connection failure, timeout or low disk condition within the database. ---> Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerStorageException: An error occurred within the report server database. This may be due to a connection failure, timeout or low disk condition within the database. ---> System.Data.SqlClient.SqlException: The transaction log for database 'ReportServer' is full due to 'LOG_BACKUP'.~ at Microsoft.ReportingServices.Library.ReportingService2005Impl.SetProperties(String Item, Property[] Properties, Guid batchId)~ at Microsoft.ReportingServices.WebServer.ReportingService2005.SetProperties(String Item, Property[] Properties) This is a self contained SCCM with SQL 2014 on the same server. I opened up the ReportServer database -> Properties -> Files. The ReportServer_log autogrowth was set to "By 10 percent, limited to 40MB". We changed this to unlimited and I re-ran the script again and it is now processed correctly. The bitlocker management folder now exists and I am back on path.

Thanks for your guidance, it is a very helpful! I did all the steps on my test infrastructure, though I had a reduced set of virtual machines. It seems to me that there is an error in section 5 (maybe my comment will help other people) You suggest to execute the command: certutil -f -dspublish "E: \ ROOTCA_windows noob Root CA.crt" RootCA Where RootCA , as you write, is the host name of offline Root CA, however certutil helps us: CertUtil [Options] -dsPublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine] ... CertFile - certificate file to publish NTAuthCA - Publish cert to DS Enterprise store RootCA - Publish cert to DS Trusted Root store SubCA - Publish CA cert to DS CA object CrossCA - Publish cross cert to DS CA object ... So RootCA in this case is not the host name here, but the store name. Your host name matches the store name, and your command has been executed. My Root CA name was different, and when I will have tried to execute the command certutil -f -dspublish "C:\from_RCA\RCA01_My-CA.crt" RCA01 i got an error CertUtil: -dsPublish command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER) CertUtil: The parameter is incorrect. however command certutil -f -dspublish "C:\from_RCA\RCA01_My-CA.crt" RootCA performed correctly. Next command in your manual certutil -f -dspublish "E: \ windows noob Root CA.crl" RootCA is correct, because to publish CRL you must specify the host name: CertUtil [Options] -dsPublish CRLFile [DSCDPContainer [DSCDPCN]] .... CRLFile - CRL file to publish DSCDPContainer - DS CDP container CN, usually the CA machine name

I got it working here with %windir%\System32\.... Guessing the x64 ServiceUI.exe does not have the virtual mapping for sysnative. I guess the x32 version would work fine, but I like to use x64 on x64 systems, so this change is just fine Thanks for a great solution by the way This looks to be the perfect solution for upgrading our computers to the newest version of W10 on systems with both English and Norwegian System UI as default If you happen to be in Oslo anytime, I'll buy you a beer -Jannis

hi, see below do we need to enable full disk encryption during the OSD for this to work? the following docs explain that you can do this during OSD By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps - Enable BitLocker. -do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online? it's up to you which way works better, do you want to control bitlocker (keys) during OSD or after, that's entirely up to you, the easiest way is to simply target the policy after it's imaged, but the safest way is to configure it during OSD.

Hi Niall, I have used your guides to implement SCCM MBAM 1910 and it went in successfully. I am however facing an issue where the clients - even though they receive the policies and the registry change to encrypt without user action - I find that nothing happen until I manually run MBAMClientUI.exe. I've even changed the MBAM Registry to implement "NoStartupDelay" and no joy. I've had one or two successful when the MDOP client pops up but the rest just sit there. Any advice is greatly appreciated and I look forward to hearing from you Regards Carl Davis P.S - AMAZING GUIDES BTW - Thank you for taking the time to write and video ,

Have you used a tool, like Roger Zander Client Center https://github.com/rzander/sccmclictr, or the MS Client Support Center Tool, https://docs.microsoft.com/en-us/configmgr/core/support/support-center ; to examine a client? What I would look for is things like... "is the last scan version matching what my environment says" (in CM Console, Monitoring, Software Updates Point Synchronization Status, the Catalog Version); that'll be the catalog version i'd want my clients to have used. is wuahandler.log scanning successfully? In those tools, you can see what CM believes locally is deserved or installed for updates, as scanned by the CM client. When you say "locally just msrt... but when I go directly to Microsoft, I deserve more" -- are those updates listed locally by the CM client? If not; are those updates even in CM? (EXACTLY those updates, by title and kb article--maybe you're missing a category in your CM SUP rules for what patch info to download)

hi Shaq, the reason I stated that HTTPS was required was because it was in TP1905, but then it wasn't in TP1909, but in ConfigMgr 1910 Current Branch it is again, required. but... going forward I think that a future release of ConfigMgr (maybe 2002) will allow you to use eHTTP or HTTPS, that would make it much easier to use the MBAM capabilities but remember HTTPS is more secure regardless. cheers niall

Hi Niall, I would like to thank you for making such detailed documents and videos. But I have a question. I have looked at your videos and your documents and I am a bit confused. Even in this document you mentioned "Update: Initially PKI/HTTPS was required (in TP1905) for BitLocker Management in SCCM, however from Technical version 1909 it was no longer required, and became optional (but recommended). For more info see this blog post. I'm including the important note from that text below. Note: Microsoft recommends but doesn't require the use of HTTPS. For more information, see How to Set Up SSL on IIS (or see my two links below)." But in the video as well as the comments you said SCCM should be in HTTPS mode. Could you please clarify? Thanks again for your detailed documentations.

everything inside the LAB should be on a private network, that way everything in the lab can talk to itself without interference from the outside, if you map a switch to a network card then that effectively gives your lab access to anything on that network and vice versa, so if your network card is connected say to your internal company network, and you set your switch to External, using your onboard NIC, then your dhcp server could start handing out ip's on your company network, and you don't want that. so keep your lab private, and only share internet into the lab using a smoothwall or similar. if you want to 'test' deploying things (like operating systems or otherwise) to computers outside of the lab, then follow my guide here

Thank you for the lab (up to part 6 its all working fine) Great to hear it ! Just a short question: how can I add templates? My PaloAlto FW needs the Subordinate Certification Authority template for inspecting network traffic. It is only with "new - certificate template to issue"? (This sounds too easy 🙂 ) in Certsrv.msc on the IssuingCA right click on Certificate Templates, and choose Manage, you can then select a known Certificate Template (for example Workstation Authentication) that matches what is required for your FW, check the documentation of the FW to see exactly what type of certificate it requires and duplicate it by chgoosing Duplicate Template then rename it to your needs and adjust it to suit the FW requirements and as for your other question, see this answer from Technet. According to https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file the LoadDefaultTemplate flag only applies to an enterprise CA. My assumption is that if you set up a standalone, the templates will be loaded nevertheless. LoadDefaultTemplates only applies during the install of an Enterprise CA. This setting, either True or False (or 1 or 0), dictates if the CA is configured with any of the default templates.

Thanks for this script/ solution. Thanks to this I learned a lot about how to do BitLocker with PowerShell from Intune MDM. I've added some functionality and made some fixes and design changes, but can't release all the code here due to the fact that I've done this for my company, and it's their IP. That being said, I'd like to share a fix to one part that failed for me some times: Fetching the certificate for uploading recovery password to Azure AD using REST. I rewrote it to this, might be usefull for others: # Get the AAD Machine Certificate $Certificate = $([array]$(Get-ChildItem -Path 'Certificate::LocalMachine\My').Where{$_.'Issuer' -match 'CN=MS-Organization-Access'}) $CertificateThumbprint = [string]$($Certificate | Select-Object -ExpandProperty 'Thumbprint') $CertificateSubject = [string]$([string]$($Certificate | Select-Object -ExpandProperty 'Subject').Replace('CN=','')) # Get tenant domain name from registry $TenantDomain = [string]$([string]$(Get-ItemProperty -Path ('Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\{0}' -f ($CertificateThumbprint)) -Name 'UserEmail' | Select-Object -ExpandProperty 'UserEmail').Split('@')[-1]) Offtopic: How do I set a profile picture? I've searched the forum and Google-ed it too.

So, I ran into an issue running that reporting services configuration manager, that it couldn't find SSRS. Ended up having to remove the SSRS role and reinstall it from from the SQL Server installation center. Reporting is fixed now. Thanks for pointing me in the right direction!

This is an insanely cool guide !!! But I have a very important question. Will come out this year Part 8 ?

But I can’t get to the web interface for /Reports in the start menu locate the SSRS Report Server Configuration Manager, and run it, you need to configure the Reports url in there and click apply.

Resolved getting to this website by adding /# at the end of the address. Administration and monitoring website: https://webserver.contoso.com/HelpDesk

I resolved the issue by doing the following: 1.Under the Application properties select: Allow this application to be installed from the Install Application task sequence action instead of deploying it manually.2.Go to the User Experience tab and verify that the application will Install for system, whether or not a user is logged on.

first things first do you have any details of what files were over written/infected ? and do you have valid virus free backups of the database and all other software

Windows Server Update Services (WSUS) is needed for software updates synchronization and for the software updates applicability scan on clients. The WSUS server must be installed before you create the software update point role. The following versions of WSUS are supported for a software update point: source > https://docs.microsoft.com/en-us/sccm/sum/plan-design/prerequisites-for-software-updates

Introduction You are most likely familiar with the Microsoft Surface Pro 6 and the recently released version of Windows 10 version 1903 (May 2019 Update). Now you can automate the installation of Surface Pro 6 using PowerShell and MDT. This script has been written to allow you to automate the deployment Windows 10 version 1903 (May 2019 Update) using the latest available software including: Windows 10 x64 (version 1903) Microsoft Deployment Toolkit (MDT) build 8456 Latest available 2019 drivers for the Surface Pro 6 for Windows 10 version 1903 Windows 10 ADK (version 1903) Windows Server 2019 Note: This is fully automated, and as this does install a Windows Deployment Services server role hosting a boot image, you should modify the script accordingly and test it thoroughly in a lab first. This script is tailored for one thing only, deploying Windows 10 x64 version 1903 to the Microsoft Surface Pro 6 with all drivers loaded and MDT pre-configured. Download it and customize it to suit your needs for other hardware if you wish because what it does is pretty cool. This script performs the following actions:- Downloads and then Installs Windows ADK 10 (version 1903) if you have not done so already Downloads and then Installs MDT, if you have not done so already Downloads all required drivers for Microsoft Surface Pro6 if you have not done so already Imports the Windows 10 x64 (version 1903) operating system into MDT Imports the Microsoft Surface Pro drivers into MDT Creates Selection Profiles for Surface Pro 6 and WinPE x64 Creates a Deploy Windows 10 X64 version 1903 task sequence Edits the Deploy Windows 10 X64 version 1903 task sequence and adds an inject drivers step for Microsoft Surface Pro 6 Sets a WMI query for hardware detection for the Surface Pro 6 on the corresponding driver step Injects the Microsoft Surface Pro 6 network drivers into the LiteTouchPE_x64.wim Creates custom CustomSettings.ini and BootStrap.ini files Disables the X86 boot wim (as it is not needed for Surface Pro 6) Changes the Selection Profile for the X64 boot wim to use the WinPE x64 selection profile Installs the Windows Deployment Service role Configures the WDS role and adds the previously created LiteTouchPE_x64.wim Starts the WDS service so that you can PXE boot (UEFI network boot). All you have to do is provide a domain joined server (MDT01), then download the script below, modify some variables, then place certain files in the right place such as the Windows 10 x64 Enterprise (version 1903) media. Please ensure you have a working DHCP scope on your Active Directory domain controller, then PXE boot a Microsoft Surface Pro and sit back and enjoy the show. Step 1. Download the script The PowerShell script will do all the hard work for you, download it, unzip it and place it on the server that is designated to be the MDT server. Scripts.zip Step 2. Configure the variables in the script Once you have downloaded and extracted the script, you need to configure certain variables interspersed throughout the script. I'll highlight the ones you need to edit. The most important of them is the $SourcePath variable (line 57) as this decides where to get the content from and where to store it. This variable should point to a valid drive letter, the folder name will be created if it does not exist. The $FolderPath variable (line 271) specifies the MDT Deployment share root folder for example C:\MDTDeploy. There are other variables to configure, for joining the Domain (lines 349-351) and then you need to configure how you actually connect to the MDT server from WinPE (lines 426-430) Step 3. Copy the Windows 10 x64 (version 1903) operating system files Mount a Microsoft Windows 10 x64 Enterprise (version 1903) ISO and copy the contents to $SourcePath\Operating Systems\Windows 10 x64\1903 as shown below. Step 4. Optionally copy MDT, ADK 10, Surface Pro drivers This is an optional step. If you've already downloaded the above files then place them in the source folder, otherwise the script will automatically download them for you. Note: You do not have to do this as the script will download the content for you if it's not found. Step 5. Optionally copy your Applications to the respective folders This is an optional step. If you have apps like Office 365, copy them to their respective folders under Applications. If you do add any applications, you'll need to edit the corresponding section within the script for the CustomSettings.ini and replace the GUID for the App, these applications are remmed out with a #, as shown here (line 392-393) and in line 328 Step 6. Run the script On the server that will become your MDT server, start PowerShell ISE as Administrator. Click on the green triangle to run the script. This is how it looks while running... Below you can see the script has completed. Step 7. Deploy a Surface Pro 6 After the script is complete, you are ready to test deploying Windows 10 version 1903 (May 2019 Update) to a Microsoft Surface Pro 6. You can see that Windows Deployment Services is installed and that the ADK 1903 version of the MDT LiteTouch_X64 boot wim is already imported. This boot image also has the Surface Pro 6 network drivers added. After the Surface Pro 6 has PXE booted, you'll see the MDT computer Name screen, you can change that behavior in the UI itself (CustomSettings.ini on the Properties/Rules of the DeploymentShare) or automate it via the many methods available such as those that Mikael describes here. After clicking next the OS will get deployed. and after a while it's all complete. Step 8. Review the MDT Deployment Workbench After opening the Deployment Workbench, you can see the Deploy Windows 10 x64 version 1903 task sequence is created and in the task sequence you can see the inject drivers step that is customized with a wmi query for Surface Pro 6 drivers specific to the Surface Pro 6 are imported into MDT Surface Pro 6 specific selection profiles created drivers (network) are also added to the x64 boot image Troubleshooting If the script has issues starting WDS (and you see the error below) then restart the server, as you were asked to do at the end of the script ;-). If you cannot PXE boot, because WDS is not accepting connections (revealed by the PXE Response tab in WDS properties), then look for the following error in the scripts output: An error occurred while trying to execute the command. Error Code: 0x5 Error Description: Access is denied. If you see that error, then the user you are logged in as does not have sufficient permissions to configure WDS. To grant permissions to the Windows Deployment Server (MDT01) do as follows Open Active Directory Users and Computers. Right-click the OU where you are creating prestaged computer accounts, and then select Delegate Control. On the first screen of the wizard, click Next. Change the object type to include computers. Add the computer object of the Windows Deployment Services server, and then click Next. Select Create a Custom task to delegate. Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next. In the Permissions box, select the Write all Properties check box, and click Finish. Next, open ADSIEdit.msc Browse to the Computer Account of the WDS Server. It will have a Child Object named something like "CN=MDT01-Remote-Installation-Services". The user that runs the the PowerShell script or the WDS Console needs Full Access permissions to this Child Object. Right click and choose Properties. Select the Security/Permissions tab and add the user/group in. Set them to have Full Permissions. Log out of the MDT Server and log back in again. AD replication may delay the result of this, but you should now no longer have Access Denied. Summary Automating the deployment of Windows 10 version 1903 (May 2019 Update) to the Microsoft Surface Pro 6 using PowerShell and MDT is easy when you know how.

Hi all - The title states it all, really. I have created and been maintaining my site's SCCM environment for the past 9 years, with no training or aid beyond what I have gained from reading information presented by a number of patrons of this site and similar (Niall Brady, Garth Jones, Anoop Nair, and Mikael Nystrom to name some), and I was wondering what options there are for gaining some accreditation. I am based in the UK, in case this removes some options from the list!

you are welcome, it was one of the more difficult thing I've gotten around to blogging, and I did it to understand the process better myself and to teach others, I've done the lab 3 times already and I know it works :-), if you follow the next in the series you can also configure SCCM with HTTPS, links below How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1 How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 2

Is there any way to use this with the Pre-download content feature? Im testing it out but as the condition on Upgrade the Operting System is not evaluated to $true before C:\ProgramData\Upgrade_Forced.txt exists it will not pre-download the files. Is there another way to build the ts so we can leverage pre-download content?

Introduction Traditionally you deploy one operating system per task sequence but there are times when you might want to deploy more than operating system in the same task sequence. There are a variety of ways of doing this, for example you could use a MDT based User Driven Installation (UDI) task sequence which in turn requires you to use the UDI Wizard Designer to edit the Volume page and add, remove or re-order Operating System wim images which can then be displayed to the end user (shown below). This works well as long as you are willing to use UDI based task sequences and the associated UDI Designer Wizard and don't mind updating the MDT Toolkit Files package after doing so. Alternatively you could use a dynamic task sequence which uses a HTA FrontEnd (hypertext application or web page..) that is based on variables set in the task sequence itself. The HTA method is more dynamic as you do not need to update the MDT Toolkit files package every time you make a change to one of the operating systems included in the task sequence and you don't need to use a User Driven Installation based task sequence either. Here is what the FrontEnd looks like you can click on the drop down menus to select from the Operating Systems that you make available In addition you can use tooltips (by hovering over a drop down menu) in this task sequence to display helpful info to the end user about what each operating system is for. So how is it done ? I'll show you. Step 1. Get the Task Sequence Download the Multiple Operating Systems in a Task Sequence below. Multi-Image task sequence.zip You need to import it into your Configuration Manager server. To Import it, in the Configuration Manager console navigate to the Software Library and find the Operating Systems section, right click on Task Sequences and choose Import Task Sequence as shown below. browse to the UNC path where you downloaded the ZIP file above click next, you will get an import failure for the boot wim, select Ignore Dependency as shown below The task sequence is imported successfully. Step 2. Get the HTA Download the Multi Image HTA below Multi-Image.zip Unzip these files and copy them to a folder on your Configuration Manager server. Next, create a package by doing as follows, select Application Management in software Library, and choose Packages, right click and choose Create Package fill in some info about the package, call it Multi-Image Select do not create a program continue through the wizard until done Step 3. Distribute the package Right click on the Multi-Image package and choose Distribute Content, distribute it to all your distribution points as shown below continue until the wizard is complete. Step 4. Edit the Task sequence Right click on the Multiple Operating Systems in a Task Sequence task sequence and choose edit, you'll probably see the error below, it's ok we are going to add that package next... On the Display HTA step, click on the Browse button beside Package, and select the Multi-Image so it looks like below Once done, take a look at the three OSName variables, they are what is shown to the end user in the Multi-Image HTA. You can set these variables to match whatever three (or two or more) operating systems you are deploying in this task seqence. in addition you can define the two tooltips used in the HTA If you want the HTA to display make/model and serial number info then add a MDT Toolkit Files step, immediately followed by a MDT Gather step as shown below (this is optional, and requires MDT Integration with Configuration Manager 2012.) Now you need to add your operating system images, under the New Computer Group,click add,choose images and then apply operating system image as shown below click on browse and browse to your selected operating system image Next, select the Options tab, and add a condition (Task Sequence Variable) and enter the following info, ImageValue = OSValue1 as shown below repeat the above for each Operating System Image you want to deploy, however set the options value for the variable ImageValue to OSValue2 or OSValue3 as appropriate. You don't need to make all three available, you can simply disable one or two in the task sequence if you want and they won't appear in the HTA. Dynamic ! for the purpose of this task sequence, you can go ahead and add a boot wim and then deploy it for testing, obviously you'll want to customize the task sequence to do all the actions you normally do, below you can see that the second Operating System image was selected (OSValue2) and is being deployed as logged in SMSTS.log That's it, job done ! Summary Deploying multiple operating systems with Configuration Manager 2012 R2 is easy enough and there are many ways of doing it, this method is dynamic and I hope you try it out !. Related Reading CM12 in a lab - Part 16. Integrating MDT 2012 with Configuration Manager 2012 CM12 in a lab - Part 17. Using MDT 2012 with Configuration Manager 2012 CM12 in a lab - Part 18. Deploying a UDI Client Task Sequence Downloads You can download a Microsoft Word copy of this guide here. Multiple Wim Images in One Task Sequence.zip

Thanks Niall. Final question.....being a required deployment, is the expected behavior be that the hta pop-up to initiate the task sequence would only show if all content has been downloaded (I also have the TS set to "Download all content locally before starting task sequence" enabled in the deployment)? Looks like the content starts to come down to the client only when I click the upgrade now button in the HTA but not before. I am looking into how I can suppress the pop-up until all content has been downloaded.

If you open the .smx file in notepad. Or make a copy of it and add xml at the end you can read it more easily in internet explorer. There is a section were the hostname is presented. Go to Microsoft Configuration Manager folder then inboxes\auth\statesys.box\corrupt You will see that it puts the files there. Take the latest message and copy it to another location and add xml then open it in IE or any other browser, otherwise you can open the .smx in notepad directly.

Have you set up boundaries and boundary groups and made sure you've added your server in the Content location box?