Leaderboard

Thanks. Very useful. Usually I use VPN services from this site.

That is cuz you are one crazy awesome dude Niall!!! Still have my fingers crossed that we get to have that drink this summer!! Waiting to find out if we are still going to have our CTG Summit in August! 🤙

if i had a vote left Marc i'd vote for it, did you tweet it yet ?

Added this a week ago: https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/40637050-provide-support-for-bitlocker-management-with-ibcm It could use some attention and more importantly some votes! 🤙

Having your Bitlocker Management keys stored on your on premise database (ConfigMgr) is an asset to many customers, and also gives you time to migrate to Intune and see the different ways it can manage your recovery keys, you could create an Azure web app proxy to connect back to the on-premise server handling the requests.

Hi Niall, I'm currently running MECM 2002 and I have followed your guides but I want to use the bitlocker encryption certificate so I have followed the Microsoft documentation. I have created the cert but I get and error when trying to produce the policy in MECM. The error is Plain text storage of recovery information required when the Bitlocker Management encryption certificate has not been deployed. Where do I have to deploy it too? I have two management points both on prem one is an IBCM both using HTTPS. Thank you EDIT: I had the policy open while I created the cert. Closing the policy window and relaunching fixed the issue. Thank you

Hi, i hope you didnt take that as a bad vibe. Im just unexperienced and learning sccm now. And since i cant copy paste on the server and also want to understand most of the things i just do it manually

Turns out no Software Update point is needed, just needed to add an Operating System Upgrade package and point it to the CORRECT folder...

Hello Shashi, you're very welcome and stay safe yourself too. So long Peter

I tried this. There was no change.

are all packages failing to get to the dp ? or only some packages ? i'm confused about you mentioning PXe, what has that to do with packages getting to the dp, you need to fix the packages getting to the dp first and then concentrate on your other issues

you need to provide more detail about this distribution point, was it ever working ? have you tried to reinstall the DP role on this server ? you mention 'during the reimage of the device' what do you mean by that ?

did you look at your logs ? there are some errors in there, i've highlighted one for you

have you seen this yet ? https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-management-gateway-addressing-common-challenges/ba-p/1351262?utm_source=dlvr.it&utm_medium=twitter

This will not be supported and you WILL have problem when you manage WSUS outside of SCCM for non-SCCM computer. There is NO problem having WSUS installed on the CM server with its own clean db.

Start with a Clean WSUS server using full SQL server.

you can use these guides to get going for server 2016 see below for server 2019 see below

you don't want to use an existing WSUS server. You want a fresh one that is use SQL database not WID.

Hi - link to the scripts.zip file no longer seems valid. I'm looking to do this can someone provide the link to the files? All sorted - Login first!! What a dummy!

Introduction In Part 1 I showed you how you can configure BitLocker on Windows 10 devices using Microsoft Intune, but that method relies on the end user actually clicking on the notification in Windows and then continuing through the wizard until completion. In this post I'll show you how you can automate that part of the process, using an MSI that is based upon an MSI that was originally created by Pieter WigLeven. That MSI creates a scheduled task to run daily until the drive is encrypted. Pieter's solution was great but lacked some key features that I wanted such as logging (so that you can view errors which may occur during the encryption phase), logic and a user facing reboot prompt. Therefore, I decided to rewrite the PowerShell script included in the MSI and then re-package it for your benefit. Note: I'd recommend you test this solution in a lab environment, I used Windows 10 version 1703 Hyper-v based virtual machines (Generation 2) with a Virtual TPM enabled. Also to note, this MSI (and Pieters) does not check for the existance of a third party encryption tool, if you want that functionality then you'll need to modify the PowerShell script accordingly and then repackage it as described in Step 5. Enabling a Virtual TPM If you use Hyper-v VM's without a Virtual TPM enabled then the PowerShell script will exit logging errors and will not start the encryption. You can enable the Virtual TPM in the Security settings of your virtual machine (shown in the screenshot below) by placing a check mark in Enable Trusted Platform Module. Step 1. Download the MSI Note: In this guide I've used the windows-noob.com version of the MSI. I've modified the MSI as described in Step 5 and made it available in the Downloads section of this Guide, it includes new features such as Detailed logging Logic to check if encryption was enabled Reboot notification for end users Automatically remove the scheduled task once encryption is enabled You can get the the windows-noob.com version of the MSI in the Downloads section of this guide (scroll down....) or you can get the original MSI from Pieter. Keep in mind that if you are doing Azure AD join, that the user is automatically an Administrator, if however you are using Windows Autopilot then the user will not be an Administrator. The windows-noob.com version of the tool is based on the user being an Administrator. Step 2. Add the MSI as a LOB app in Intune Now that you have the MSI available, it's time to upload it into Intune. In the Intune service in Azure, select Mobile Apps, then Apps, then click on + Add to add an App. Select Line of Business app in the drop down, then select Select file and point it to the downloaded MSI file before clicking on OK. Next click on App Configuration and fill in some details about the application before clicking on OK finally click on Add. Step 3. Assign the app as Required to a User Group Next you will deploy the application (Assign) to a group of Users. In this guide I've created an Assigned User Group called Automate BitLocker Encryption (Users) which contains users that I want to target with this policy. Click on Assignment, then click on Select Groups, select the User Group you created previously and then click on Select. For Type, click on the dropdown and select Required and then click on Save. This will mean that any users in this User Group will be targeted by this required application and it will automatically download and run. Step 4. Verify the experience On a Windows 10 computer that is not yet BitLockered (and not encrypted by any third party encryption), Logon as a user that is a member of the above User Group. Keep in mind that they also need to have received the BitLocker Configuration created in Part 1 of this guide. That policy will set the BitLocker Configuration options (such as Encryption Algorithm), but it will not start encryption automatically. Trigger a Sync using the appropriate button. This will pull down the new policy and start the download and installation of the MSI which in turn will copy some files, and create a scheduled task. Once policy is received, you can see that the application is installed in Control Panel And three files are present in the File System at C:\Program Files (x86)\BitLockerTrigger. Note: The VBS kicks off the PowerShell script and the XML file is used in the creation of the Task Scheduler task. You can also check Task Scheduler to see the task is added, and that it is scheduled to run at 2pm. Tip: By default Windows Task Scheduler has the History tab disabled by default, to enable it you must start Task Scheduler as Administrator (Run as Administrator) and then click on Enable All Tasks History in the right pane. This will give you some details about the running task and whether it did run or not, but for more details about the task review the TriggerBitLocker.log file as described below. Running the Task You can wait until 2pm for the scheduled task to run or right click on the task and choose Run to run it now. after it has run, if everything was ok it will popup a reboot to the user, if things don't go according to plan use CMTrace.exe and navigate to C:\Windows\Temp and open the generated log file C:\Windows\Temp\TriggerBitLocker.log The log file should reveal any problems that occur. In the example below you can see what happens when you try to run the task on a computer without a TPM. The key takeaway here is that logging is now included with the MSI and the PowerShell logic will avoid popping up a reboot message to the end user in the event that it has not succeeded to enable Encryption. On a computer that meets the specifications (TPM), the PowerShell script enables encryption and the user will see the popup, they can delay for a few hours or accept the reality that they are getting Encrypted with BitLocker. and if they choose Reboot Now they'll see something like this After the reboot we can verify BitLocker encryption status and the recovery key is in Intune in Azure. job done ! Note: After successfully enabling BitLocker the script deletes the Scheduled Task so that it no longer re-runs. Step 5. (Optional) Edit the MSI with Advanced Installer If you'd like to update the MSI yourself, you can install the MSI on a vm, and pull the scripts from the folder shown above, then load it using Advanced Installer. Edit what you want in the package and edit the PowerShell script to suit your needs, once done copy the replacement scripts back into the MSI in the Files and Folders section below Once done, to build the package click on the Save icon in the ribbon. And use that compiled MSI in the guide above. Downloads Below is the windows-noob.com version of Pieters MSI, this version was compiled using Advanced Installer 14.2.1 (great product !) and contains improvements to the PowerShell script such as logic handling, logging to help with troubleshooting and a Reboot computer popup at the end of the script which only appears if encryption is enabled. windows-noob.com TriggerBitlocker.msi (version 1.0.0.2) - TriggerBitlocker.msi windows-noob.com TriggerBitLockerUser.msi (version 1.0.0.2TriggerBitlockerUser.msi Recommended reading Hardware independent automatic Bitlocker encryption using AAD/MDM https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2017/06/07/hardware-independent-automatic-bitlocker-encryption-using-aadmdm/#comment-26696 Configuring BitLocker in Intune - Part 1. Configuring BitLocker https://www.windows-noob.com/forums/topic/15514-configuring-bitlocker-in-intune-part-1-configuring-bitlocker/ Download Advanced Installer http://www.advancedinstaller.com/download.html

Thanks for your help anyweb. This ended up highlighting the root cause and fixing my issue: Modified the registry key per instructions: alternatively try this, open regedit and change the following reg key value. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\SRSRP] "SRSInitializeState"=dword:00000000 The value should be changed to 0, then wait for the value to change back to 1. It will change to 2 for a while. You can amonitor the srsrp.log while you wait Once modified I then found these errors in the srsrp.log: System.Web.Services.Protocols.SoapException: An error occurred within the report server database. This may be due to a connection failure, timeout or low disk condition within the database. ---> Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerStorageException: An error occurred within the report server database. This may be due to a connection failure, timeout or low disk condition within the database. ---> System.Data.SqlClient.SqlException: The transaction log for database 'ReportServer' is full due to 'LOG_BACKUP'.~ at Microsoft.ReportingServices.Library.ReportingService2005Impl.SetProperties(String Item, Property[] Properties, Guid batchId)~ at Microsoft.ReportingServices.WebServer.ReportingService2005.SetProperties(String Item, Property[] Properties) This is a self contained SCCM with SQL 2014 on the same server. I opened up the ReportServer database -> Properties -> Files. The ReportServer_log autogrowth was set to "By 10 percent, limited to 40MB". We changed this to unlimited and I re-ran the script again and it is now processed correctly. The bitlocker management folder now exists and I am back on path.

I got it working here with %windir%\System32\.... Guessing the x64 ServiceUI.exe does not have the virtual mapping for sysnative. I guess the x32 version would work fine, but I like to use x64 on x64 systems, so this change is just fine Thanks for a great solution by the way This looks to be the perfect solution for upgrading our computers to the newest version of W10 on systems with both English and Norwegian System UI as default If you happen to be in Oslo anytime, I'll buy you a beer -Jannis

hi, see below do we need to enable full disk encryption during the OSD for this to work? the following docs explain that you can do this during OSD By default, the Enable BitLocker task sequence step only encrypts used space on the drive. BitLocker management uses full disk encryption. Configure this task sequence step to enable the option to Use full disk encryption. For more information, see Task sequence steps - Enable BitLocker. -do we need to set bitlocker encryption levels in the OSD still and GPOs or just use the new Bitlocker deployment policy after the machine is online? it's up to you which way works better, do you want to control bitlocker (keys) during OSD or after, that's entirely up to you, the easiest way is to simply target the policy after it's imaged, but the safest way is to configure it during OSD.

Hi Niall, I have used your guides to implement SCCM MBAM 1910 and it went in successfully. I am however facing an issue where the clients - even though they receive the policies and the registry change to encrypt without user action - I find that nothing happen until I manually run MBAMClientUI.exe. I've even changed the MBAM Registry to implement "NoStartupDelay" and no joy. I've had one or two successful when the MDOP client pops up but the rest just sit there. Any advice is greatly appreciated and I look forward to hearing from you Regards Carl Davis P.S - AMAZING GUIDES BTW - Thank you for taking the time to write and video ,

Have you used a tool, like Roger Zander Client Center https://github.com/rzander/sccmclictr, or the MS Client Support Center Tool, https://docs.microsoft.com/en-us/configmgr/core/support/support-center ; to examine a client? What I would look for is things like... "is the last scan version matching what my environment says" (in CM Console, Monitoring, Software Updates Point Synchronization Status, the Catalog Version); that'll be the catalog version i'd want my clients to have used. is wuahandler.log scanning successfully? In those tools, you can see what CM believes locally is deserved or installed for updates, as scanned by the CM client. When you say "locally just msrt... but when I go directly to Microsoft, I deserve more" -- are those updates listed locally by the CM client? If not; are those updates even in CM? (EXACTLY those updates, by title and kb article--maybe you're missing a category in your CM SUP rules for what patch info to download)

hi Shaq, the reason I stated that HTTPS was required was because it was in TP1905, but then it wasn't in TP1909, but in ConfigMgr 1910 Current Branch it is again, required. but... going forward I think that a future release of ConfigMgr (maybe 2002) will allow you to use eHTTP or HTTPS, that would make it much easier to use the MBAM capabilities but remember HTTPS is more secure regardless. cheers niall

Hi Niall, I would like to thank you for making such detailed documents and videos. But I have a question. I have looked at your videos and your documents and I am a bit confused. Even in this document you mentioned "Update: Initially PKI/HTTPS was required (in TP1905) for BitLocker Management in SCCM, however from Technical version 1909 it was no longer required, and became optional (but recommended). For more info see this blog post. I'm including the important note from that text below. Note: Microsoft recommends but doesn't require the use of HTTPS. For more information, see How to Set Up SSL on IIS (or see my two links below)." But in the video as well as the comments you said SCCM should be in HTTPS mode. Could you please clarify? Thanks again for your detailed documentations.

everything inside the LAB should be on a private network, that way everything in the lab can talk to itself without interference from the outside, if you map a switch to a network card then that effectively gives your lab access to anything on that network and vice versa, so if your network card is connected say to your internal company network, and you set your switch to External, using your onboard NIC, then your dhcp server could start handing out ip's on your company network, and you don't want that. so keep your lab private, and only share internet into the lab using a smoothwall or similar. if you want to 'test' deploying things (like operating systems or otherwise) to computers outside of the lab, then follow my guide here

Thank you for the lab (up to part 6 its all working fine) Great to hear it ! Just a short question: how can I add templates? My PaloAlto FW needs the Subordinate Certification Authority template for inspecting network traffic. It is only with "new - certificate template to issue"? (This sounds too easy 🙂 ) in Certsrv.msc on the IssuingCA right click on Certificate Templates, and choose Manage, you can then select a known Certificate Template (for example Workstation Authentication) that matches what is required for your FW, check the documentation of the FW to see exactly what type of certificate it requires and duplicate it by chgoosing Duplicate Template then rename it to your needs and adjust it to suit the FW requirements and as for your other question, see this answer from Technet. According to https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file the LoadDefaultTemplate flag only applies to an enterprise CA. My assumption is that if you set up a standalone, the templates will be loaded nevertheless. LoadDefaultTemplates only applies during the install of an Enterprise CA. This setting, either True or False (or 1 or 0), dictates if the CA is configured with any of the default templates.

Thanks for this script/ solution. Thanks to this I learned a lot about how to do BitLocker with PowerShell from Intune MDM. I've added some functionality and made some fixes and design changes, but can't release all the code here due to the fact that I've done this for my company, and it's their IP. That being said, I'd like to share a fix to one part that failed for me some times: Fetching the certificate for uploading recovery password to Azure AD using REST. I rewrote it to this, might be usefull for others: # Get the AAD Machine Certificate $Certificate = $([array]$(Get-ChildItem -Path 'Certificate::LocalMachine\My').Where{$_.'Issuer' -match 'CN=MS-Organization-Access'}) $CertificateThumbprint = [string]$($Certificate | Select-Object -ExpandProperty 'Thumbprint') $CertificateSubject = [string]$([string]$($Certificate | Select-Object -ExpandProperty 'Subject').Replace('CN=','')) # Get tenant domain name from registry $TenantDomain = [string]$([string]$(Get-ItemProperty -Path ('Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\{0}' -f ($CertificateThumbprint)) -Name 'UserEmail' | Select-Object -ExpandProperty 'UserEmail').Split('@')[-1]) Offtopic: How do I set a profile picture? I've searched the forum and Google-ed it too.

So, I ran into an issue running that reporting services configuration manager, that it couldn't find SSRS. Ended up having to remove the SSRS role and reinstall it from from the SQL Server installation center. Reporting is fixed now. Thanks for pointing me in the right direction!

This is an insanely cool guide !!! But I have a very important question. Will come out this year Part 8 ?

But I can’t get to the web interface for /Reports in the start menu locate the SSRS Report Server Configuration Manager, and run it, you need to configure the Reports url in there and click apply.

Resolved getting to this website by adding /# at the end of the address. Administration and monitoring website: https://webserver.contoso.com/HelpDesk

I resolved the issue by doing the following: 1.Under the Application properties select: Allow this application to be installed from the Install Application task sequence action instead of deploying it manually.2.Go to the User Experience tab and verify that the application will Install for system, whether or not a user is logged on.

first things first do you have any details of what files were over written/infected ? and do you have valid virus free backups of the database and all other software

Windows Server Update Services (WSUS) is needed for software updates synchronization and for the software updates applicability scan on clients. The WSUS server must be installed before you create the software update point role. The following versions of WSUS are supported for a software update point: source > https://docs.microsoft.com/en-us/sccm/sum/plan-design/prerequisites-for-software-updates

Awesome guide thanks, can't wait for the next part.

UPDATE: Success1809-AnswerFile.txtAddLanguage_zh-cn.txt What I ended up doing is below because other options simply didn’t work right, and there is limited documentation on versions 1809 and 1903. Maybe I can save you some headache. MDT "Add Language Packs Offline" referenced in original comment, does not appear to work with newer versions of Windows(1903)/SCCM(1902 and later). Other options such as adding Language Packs(and other features) using dism /online after OS installation results in the Windows UI remaining the default EN-US language. resetting this setting via Powershell and rundll/xml proved unsuccessful. Download the required language packs for my environment. Inject them directly into the offline install.wim via DISM NOTE: in MS Volume Licensing site, DO NOT select 64-bit or 32-bit when trying to download the Language Packs. You must first select MULTILANGUAGE from the language dropdown, or you will only have 1511 language packs available to download. Create an answer file, My answer file is attached for reference. (EDIT)Add Language Collection variable to "All Unknown Computers" device collection, and leave value blank, and uncheck "do not display this value". Screen shot below This will add the Language variable field when your start the image process Set Language Variables using the Set Dynamic Variables after Apply OS but before Setup Windows and Config mgr (screenshot below) I added a step to use English by default if none of the rules proved true I created a package containing all the new language features for each language, Each package with a bat file that runs the series of dism commands (example attached). NOTE, some of the languages do not contain the speech capability. Added Timezone support using tzutil /s “Timezone name” and keyed it on NTDomain.ClientSiteName attribute (screen below) EDIT: I forgot to include the Language Collection variable on Unknown Computers collection

all of it

you need to paste in YOUR OID which you created in step 4 into the file, so that it looks pretty much like what I've shown you, other than it will have YOUR OID and not MINE. you might want to change the pki cps url also to point to your url cheers niall

there you go ! now you know why i use TreeFreeSize, the problem you have is as i guessed, the sql server transaction logs, look at my link above and you'll see how to compress them down to almost nothing

can not download the script. it is unavailable fixed... I should sin-in

Introduction You are most likely familiar with the Microsoft Surface Pro 6 and the recently released version of Windows 10 version 1903 (May 2019 Update). Now you can automate the installation of Surface Pro 6 using PowerShell and MDT. This script has been written to allow you to automate the deployment Windows 10 version 1903 (May 2019 Update) using the latest available software including: Windows 10 x64 (version 1903) Microsoft Deployment Toolkit (MDT) build 8456 Latest available 2019 drivers for the Surface Pro 6 for Windows 10 version 1903 Windows 10 ADK (version 1903) Windows Server 2019 Note: This is fully automated, and as this does install a Windows Deployment Services server role hosting a boot image, you should modify the script accordingly and test it thoroughly in a lab first. This script is tailored for one thing only, deploying Windows 10 x64 version 1903 to the Microsoft Surface Pro 6 with all drivers loaded and MDT pre-configured. Download it and customize it to suit your needs for other hardware if you wish because what it does is pretty cool. This script performs the following actions:- Downloads and then Installs Windows ADK 10 (version 1903) if you have not done so already Downloads and then Installs MDT, if you have not done so already Downloads all required drivers for Microsoft Surface Pro6 if you have not done so already Imports the Windows 10 x64 (version 1903) operating system into MDT Imports the Microsoft Surface Pro drivers into MDT Creates Selection Profiles for Surface Pro 6 and WinPE x64 Creates a Deploy Windows 10 X64 version 1903 task sequence Edits the Deploy Windows 10 X64 version 1903 task sequence and adds an inject drivers step for Microsoft Surface Pro 6 Sets a WMI query for hardware detection for the Surface Pro 6 on the corresponding driver step Injects the Microsoft Surface Pro 6 network drivers into the LiteTouchPE_x64.wim Creates custom CustomSettings.ini and BootStrap.ini files Disables the X86 boot wim (as it is not needed for Surface Pro 6) Changes the Selection Profile for the X64 boot wim to use the WinPE x64 selection profile Installs the Windows Deployment Service role Configures the WDS role and adds the previously created LiteTouchPE_x64.wim Starts the WDS service so that you can PXE boot (UEFI network boot). All you have to do is provide a domain joined server (MDT01), then download the script below, modify some variables, then place certain files in the right place such as the Windows 10 x64 Enterprise (version 1903) media. Please ensure you have a working DHCP scope on your Active Directory domain controller, then PXE boot a Microsoft Surface Pro and sit back and enjoy the show. Step 1. Download the script The PowerShell script will do all the hard work for you, download it, unzip it and place it on the server that is designated to be the MDT server. Scripts.zip Step 2. Configure the variables in the script Once you have downloaded and extracted the script, you need to configure certain variables interspersed throughout the script. I'll highlight the ones you need to edit. The most important of them is the $SourcePath variable (line 57) as this decides where to get the content from and where to store it. This variable should point to a valid drive letter, the folder name will be created if it does not exist. The $FolderPath variable (line 271) specifies the MDT Deployment share root folder for example C:\MDTDeploy. There are other variables to configure, for joining the Domain (lines 349-351) and then you need to configure how you actually connect to the MDT server from WinPE (lines 426-430) Step 3. Copy the Windows 10 x64 (version 1903) operating system files Mount a Microsoft Windows 10 x64 Enterprise (version 1903) ISO and copy the contents to $SourcePath\Operating Systems\Windows 10 x64\1903 as shown below. Step 4. Optionally copy MDT, ADK 10, Surface Pro drivers This is an optional step. If you've already downloaded the above files then place them in the source folder, otherwise the script will automatically download them for you. Note: You do not have to do this as the script will download the content for you if it's not found. Step 5. Optionally copy your Applications to the respective folders This is an optional step. If you have apps like Office 365, copy them to their respective folders under Applications. If you do add any applications, you'll need to edit the corresponding section within the script for the CustomSettings.ini and replace the GUID for the App, these applications are remmed out with a #, as shown here (line 392-393) and in line 328 Step 6. Run the script On the server that will become your MDT server, start PowerShell ISE as Administrator. Click on the green triangle to run the script. This is how it looks while running... Below you can see the script has completed. Step 7. Deploy a Surface Pro 6 After the script is complete, you are ready to test deploying Windows 10 version 1903 (May 2019 Update) to a Microsoft Surface Pro 6. You can see that Windows Deployment Services is installed and that the ADK 1903 version of the MDT LiteTouch_X64 boot wim is already imported. This boot image also has the Surface Pro 6 network drivers added. After the Surface Pro 6 has PXE booted, you'll see the MDT computer Name screen, you can change that behavior in the UI itself (CustomSettings.ini on the Properties/Rules of the DeploymentShare) or automate it via the many methods available such as those that Mikael describes here. After clicking next the OS will get deployed. and after a while it's all complete. Step 8. Review the MDT Deployment Workbench After opening the Deployment Workbench, you can see the Deploy Windows 10 x64 version 1903 task sequence is created and in the task sequence you can see the inject drivers step that is customized with a wmi query for Surface Pro 6 drivers specific to the Surface Pro 6 are imported into MDT Surface Pro 6 specific selection profiles created drivers (network) are also added to the x64 boot image Troubleshooting If the script has issues starting WDS (and you see the error below) then restart the server, as you were asked to do at the end of the script ;-). If you cannot PXE boot, because WDS is not accepting connections (revealed by the PXE Response tab in WDS properties), then look for the following error in the scripts output: An error occurred while trying to execute the command. Error Code: 0x5 Error Description: Access is denied. If you see that error, then the user you are logged in as does not have sufficient permissions to configure WDS. To grant permissions to the Windows Deployment Server (MDT01) do as follows Open Active Directory Users and Computers. Right-click the OU where you are creating prestaged computer accounts, and then select Delegate Control. On the first screen of the wizard, click Next. Change the object type to include computers. Add the computer object of the Windows Deployment Services server, and then click Next. Select Create a Custom task to delegate. Select Only the following objects in the folder. Then select the Computer Objects check box, select Create selected objects in this folder, and click Next. In the Permissions box, select the Write all Properties check box, and click Finish. Next, open ADSIEdit.msc Browse to the Computer Account of the WDS Server. It will have a Child Object named something like "CN=MDT01-Remote-Installation-Services". The user that runs the the PowerShell script or the WDS Console needs Full Access permissions to this Child Object. Right click and choose Properties. Select the Security/Permissions tab and add the user/group in. Set them to have Full Permissions. Log out of the MDT Server and log back in again. AD replication may delay the result of this, but you should now no longer have Access Denied. Summary Automating the deployment of Windows 10 version 1903 (May 2019 Update) to the Microsoft Surface Pro 6 using PowerShell and MDT is easy when you know how.

you are welcome, it was one of the more difficult thing I've gotten around to blogging, and I did it to understand the process better myself and to teach others, I've done the lab 3 times already and I know it works :-), if you follow the next in the series you can also configure SCCM with HTTPS, links below How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 1 How can I configure System Center Configuration Manager in HTTPS mode (PKI) - Part 2

After the huge popularity of the windows-noob.com Configuration Manager 2012 Guides (609,165 views as of July 2nd, 2014), which were subsequently made available for download, (and downloaded 63521 times as of July 2nd, 2014) I've now made the following guides available in Microsoft Word format (zipped). These are the windows-noob Mobile Device Management guides which help you integrate Microsoft Intune with Configuration Manager 2012 R2, and then go on to add support for the following mobile devices" iOS Android Windows RT Windows 8.1 Windows Phone Mobile Device Management with Microsoft Intune integration (UDM) CM12 in a Lab – Part 1, integrating Microsoft Intune CM12 in a Lab – Part 2, adding Support for iOS devices CM12 in a Lab – Part 3, deploying apps to iOS devices CM12 in a Lab – Part 4, configuring compliance on iOS devices CM12 in a Lab – Part 5, enabling support for Windows 8.1 devices CM12 in a Lab – Part 6, deploying Windows 8.1 apps (appx) CM12 in a Lab – Part 7, deploying Windows Store apps CM12 in a Lab – Part 8, adding Android devices CM12 in a Lab – Part 9, deploying Apps to Android devices CM12 in a Lab – Part 10, adding Windows Phone 8 devices CM12 in a Lab – Part 11, using Intune Extensions Note: To download this zip file you need to register your account on windows-noob.com You can download the windows noob Mobile Device management guides in one ZIP from here: System Center 2012 R2 Configuration Manager Mobile Device Management - The windows-noob.com Guides.zip Once extracted you'll have the guide in Word format like below Please do spread the word ! cheers niall

Is there any way to use this with the Pre-download content feature? Im testing it out but as the condition on Upgrade the Operting System is not evaluated to $true before C:\ProgramData\Upgrade_Forced.txt exists it will not pre-download the files. Is there another way to build the ts so we can leverage pre-download content?

Thanks Niall. Final question.....being a required deployment, is the expected behavior be that the hta pop-up to initiate the task sequence would only show if all content has been downloaded (I also have the TS set to "Download all content locally before starting task sequence" enabled in the deployment)? Looks like the content starts to come down to the client only when I click the upgrade now button in the HTA but not before. I am looking into how I can suppress the pop-up until all content has been downloaded.

Have you set up boundaries and boundary groups and made sure you've added your server in the Content location box?

Since the upgrade to SP1 for SCCM 2012, I am unable to use the "Devices" in the Assets and Compliance workspace. It sits stuck at "Returning List Items..." I have tried leaving it there for at least 24 hours with no change. I have even tried a fresh install using SQL 2012 /w CU2 and SCCM 2012 /w SP1. This problem doesn't show up anywhere else. Device collections return items, including the All Systems collection. Any thoughts on a solution? Thank you, Mike Peterson