Everything posted by anyweb
-
Introduction

Enabling BitLocker during New Computer scenarios has been a task organizations have been using for years now; indeed, you've had the ability to automate it fully using front ends such as this one. As virtual technology (such as Microsoft Hyper-V Generation 2) has improved in leaps and bounds, so has the need to protect those assets. Of course you can BitLocker the Hyper-V host, but wouldn't it be nice to also BitLocker the virtual machines running on that host, and do so using a task sequence in System Center 2012 R2 Configuration Manager? Up until now that's been a manual experience, but with the steps below it's semi-automated. I say semi because some user input is required in order to bypass the lack of a TPM in a virtual machine.

Tip: Rather than create all these steps, you can download the entire task sequence and scripts required in the CM12 UEFI BitLocker HTA, which was updated with these changes on June 25th, 2015.

Step 1. Download the scripts

I've created a few PowerShell scripts which you can use to achieve this task: CM12 UEFI BitLocker HTA Scripts.zip. Extract the scripts to a folder on your ConfigMgr server.

Step 2. Create a package for the scripts

On the ConfigMgr server, create a new package called CM12 UEFI BitLocker HTA Scripts (or, if you are already using the CM12 UEFI BitLocker HTA, merge these files with the existing package and update it on your distribution points). Once the package is created, distribute it to the distribution points.

Step 3. Add steps to a deploy task sequence

In your deploy task sequence, add a new group by clicking on the Add drop-down and selecting New Group. Give the group the name Configure and Enable BitLocker - NewComputer, click on the Options tab and set the step to run if Task Sequence Variable DeploymentType = NewComputer, as shown below.

Create another New Group called Set Encryption Algorithm. Next add a Use Toolkit Package step, and directly after that create a new Run Command Line step to copy the scripts downloaded above, as follows:

Name: Copy Custom Scripts
Command Line: xcopy ".\*.*" "%scriptroot%\" /D /E /C /I /Q /H /R /Y /S
Package: CM12 UEFI BitLocker HTA Scripts

as shown here. Next create the Run Command Line step listed below:

Name: Set AES-128
Command Line: reg.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "EncryptionMethod" /t REG_DWORD /d 1 /f

The corresponding option on that step should be like so: BitLockerValue = 128

Next create the Run Command Line step listed below:

Name: Set AES-256
Command Line: reg.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "EncryptionMethod" /t REG_DWORD /d 2 /f

The corresponding option on that step should be like so: BitLockerValue = 256

Next, create a new Run Command Line step outside of that group called Add reg keys to allow for no TPM and paste the following code into it. This code allows the Hyper-V virtual machine (Generation 2) to become BitLockered without a TPM and without having received Group Policy to do so.

cmd /c REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 00000001 /f & cmd /c REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v EnableBDEWithNoTPM /t REG_DWORD /d 00000001 /f & cmd /c REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 00000002 /f & cmd /c REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 00000002 /f & cmd /c REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKEY /t REG_DWORD /d 00000002 /f & cmd /c REG.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 00000002 /f

as shown below. Next, create a new Run Command Line step to pop up a message box informing the user about the coming BitLocker cmd prompt; name the step Popup to inform user about BitLocker Password. In the step, paste in the following line (note that this line depends on you having copied the custom scripts previously):

cscript.exe "%scriptroot%\BitLocker\BitLocker_Password_prompt.wsf"

The line above basically pops up a message and waits until the user clicks OK to continue. Next we enable BitLocker using ServiceUI and PowerShell, via a Run Command Line step as specified below:

Name: Enable BitLocker
Command Line: %deployroot%\tools\x64\ServiceUI.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy bypass -File "%scriptroot%\PowerShell\EnableBitLocker.ps1"

On the Options tab, select Continue on Error, as there is no checking in the script to verify the passwords entered (maybe coming in a later version...).

Next we add a Restart Computer step, as the computer needs to 'set' encryption in motion and it needs to prompt for the password you entered above; the Restart Computer step should restart to the currently installed default operating system. After restarting the computer, we need to add a Use Toolkit Package step, directly followed by a Copy Custom Scripts step as we did at the start of these modifications, and finally we add the Wait For Encryption to complete step, which is another PowerShell script which first hides the task sequence progress and then waits for encryption to complete. This step is a Run Command Line step as specified here:

Name: Wait for Encryption to complete
Command Line: %deployroot%\tools\x64\ServiceUI.exe -process:TSProgressUI.exe %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy bypass -File "%scriptroot%\PowerShell\WaitForEncryption.ps1"

That's it, save the changes and start testing the task sequence.

Step 4. Deploy a new virtual machine

On a Hyper-V Generation 2 virtual machine, PXE boot and start the CM12 UEFI BitLocker HTA task sequence. After it installs the operating system it will stop with the prompt shown below. After carefully reading the prompt, click OK and the next phase begins: the task sequence progress window will appear briefly then disappear, an administrative PowerShell cmd prompt will appear and it will prompt you to enter a BitLocker password as shown below. Enter the BitLocker password and press Enter; you'll be asked to confirm the password.

Note: While entering the password, no characters will appear in the cmd prompt, so enter it carefully!

After some moments, the following will appear confirming your entries and informing you that the password protector has been set. Shortly after (5 seconds later) it will restart automatically, and now you enter the BitLocker password in your Hyper-V virtual machine; this is necessary as there is no TPM to store the password.

After entering the password correctly the VM will continue with the task sequence and start encrypting the drive! In addition, the second PowerShell script will kick into action and wait for the task sequence to finish encrypting the drive, and after completing that successfully the task sequence finishes and you can log in to review the BitLocker state.

Note: Security comes with a price tag, and in this case that is inconvenience due to the lack of a TPM. As the computer is now BitLockered, it will prompt for a password on every reboot unless you suspend BitLocker before the reboot. Therefore, if you want to deploy anything to your virtual machine that needs a reboot, either be prepared to manually enter the BitLocker password or suspend BitLocker using the following command:

manage-bde -protectors -disable c:

cheers
niall
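As an added example (not anyweb's EnableBitLocker.ps1 or WaitForEncryption.ps1 from the zip above, whose contents aren't shown on this page), here is one PowerShell script that covers both the Enable BitLocker and Wait for Encryption steps for a Generation 2 VM without a TPM. It assumes it runs elevated in the full OS with the BitLocker module present; -Phase picks which step it performs, -BitLockerValue stands in for the task sequence variable, and the password confirmation check and the recovery password protector are additions that the post's script does not do.

```powershell
# Added example, not the post's own scripts. Assumes: elevated, full OS (not WinPE),
# BitLocker PowerShell module installed, -BitLockerValue replaces the TS variable.
param(
    [ValidateSet('Enable', 'Wait')] [string]$Phase = 'Enable',
    [ValidateSet(128, 256)]         [int]$BitLockerValue = 256,
    [string]$MountPoint = 'C:'
)
$ErrorActionPreference = 'Stop'
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-NoTpmPolicy {
    # Same values the "Add reg keys to allow for no TPM" step writes with reg.exe
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    $policy = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1
                 UseTPM = 2; UseTPMPIN = 2; UseTPMKEY = 2; UseTPMKeyPIN = 2 }
    foreach ($name in $policy.Keys) {
        New-ItemProperty -Path $fve -Name $name -PropertyType DWord `
            -Value $policy[$name] -Force | Out-Null
    }
}

function Read-ConfirmedPassword {
    # Prompt twice; continue only when both entries match and are non-empty
    do {
        $first  = Read-Host -Prompt 'Enter BitLocker password' -AsSecureString
        $second = Read-Host -Prompt 'Confirm BitLocker password' -AsSecureString
        $plain1 = (New-Object System.Net.NetworkCredential('', $first)).Password
        $plain2 = (New-Object System.Net.NetworkCredential('', $second)).Password
        $match  = ($plain1.Length -gt 0) -and ($plain1 -ceq $plain2)
        if (-not $match) { Write-Warning 'Passwords do not match or are empty, try again.' }
    } until ($match)
    return $first
}

if ($Phase -eq 'Enable') {
    Set-NoTpmPolicy
    $password = Read-ConfirmedPassword
    # Cipher chosen from BitLockerValue instead of the EncryptionMethod registry value
    $method = if ($BitLockerValue -eq 128) { 'Aes128' } else { 'Aes256' }
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $password `
        -EncryptionMethod $method -SkipHardwareTest | Out-Null
    # Recovery password (assumed addition) so a forgotten boot password is not a lost VM
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $id = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
    Write-Host "Password protector set; recovery password ID $id, back it up before rebooting."
}
else {
    # Poll until the drive is no longer encrypting (the post's wait step, after the reboot)
    do {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ('{0} {1} {2}%' -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
        if ($vol.VolumeStatus -eq 'EncryptionInProgress') { Start-Sleep -Seconds 15 }
    } while ($vol.VolumeStatus -eq 'EncryptionInProgress')
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { exit 1 }
}
```

Run it with -Phase Enable in place of the Enable BitLocker step and with -Phase Wait after the restart; the non-zero exit in the Wait phase lets the task sequence fail visibly if encryption did not finish.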
-
We get an IP but pxe do not load
anyweb replied to anderson.poa's topic in Configuration Manager 2012
Check the smspxe.log file on the server hosting the PXE role; that log file should reveal whether the client computer is reaching it or not. Search for the MAC address.
-
We get an IP but pxe do not load
anyweb replied to anderson.poa's topic in Configuration Manager 2012
It's recommended to use IP helpers instead of DHCP options. However, you say your network changed: what changed about it, and is everything being routed correctly between one network and the next?
-
Why wouldn't a build and capture TS work for you? Try it and see. Most people recommend building your image in MDT, capturing it there and deploying it in ConfigMgr; there are many videos about the same on Virtual Academy. However, the native functionality of ConfigMgr can be used too; give it a try and see where it takes you.
-
how to Upgrade Server Std2008R2 to Server Std2012R2
anyweb replied to niyaz Ahmed's topic in Windows Server General
This might help: http://blogs.technet.com/b/chrisavis/archive/2013/10/01/performing-an-in-place-upgrade-of-server-2008-r2-to-server-2012-r2.aspx
-
Check in C:\Windows\CCM\Logs
-
SCCM 2012 R2 SP1 - Error 0x80004005 during OSD and other
anyweb replied to gvlaarho's topic in Configuration Manager 2012
Are you deploying software to clients that have the updated client or not?
-
Intune standalone or hybrid?
-
What's the exact error you get? You can attach the smsts.log file here so we can take a look. Check that your custom boot image is set for the below on the Data Source tab: "Deploy this boot image from the PXE enabled distribution point".
-
Microsoft Account notifications

If you don’t have your Microsoft Account (MSA) connected to your PC, starting in the next build you’ll start seeing notifications asking you to do so. You’ll need to connect the MSA that you registered for the Windows Insider Program with (and accepted the “Microsoft Windows Insider Program Agreement”) in order to continue receiving new Windows 10 Insider Preview builds (both Fast and Slow rings) from Windows Update. If you already have your MSA connected to your account on your PC, then you’re all set. We’re introducing new infrastructure in Windows Update to help us deliver new builds more effectively to Windows Insiders, and ensure that we’re flighting builds to people who have registered and opted in to the program. Connecting your MSA also allows seamless access to Windows Insider-only functionality in the Windows Feedback app and Insider Hub too.

This change is for the Windows Insider Program ONLY, and is specific to how we’re delivering the Insider Preview builds. Once available on July 29th, you do not need an MSA to upgrade Windows 10 on your Windows 7 or Windows 8.1 PCs if they are not receiving Insider Preview builds. You will not be required to use an MSA on new PCs that come with Windows 10 preinstalled or clean installed from media. Some features in Windows 10 do require an MSA to use, such as downloading apps in the Windows Store.

Getting the final release on July 29th

Windows Insiders running the Windows 10 Insider Preview (Home and Pro editions) with their registered MSA connected to their PC will receive the final release build of Windows 10 starting on July 29th. This will come as just another flight. I’ve gotten a lot of questions from Windows Insiders about how this will work if they clean installed from ISO. As long as you are running an Insider Preview build and connected with the MSA you used to register, you will receive the Windows 10 final release build and remain activated. Once you have successfully installed this build and activated, you will also be able to clean install on that PC from final media if you want to start over fresh.

If you are running the Enterprise edition of the Windows 10 Insider Preview, to upgrade to the final release of Windows 10 Enterprise you will need to download and activate it from Volume Licensing Service Center. As a reminder, the Enterprise edition of the Windows 10 Insider Preview is not eligible for the free upgrade offer and can be upgraded to the final release of Windows 10 through an active Software Assurance agreement.

Stay with us as a Windows Insider

As we’ve announced before, the Windows Insider Program will continue even after we release Windows 10 on July 29th. Windows Insiders will continue to receive future flights as we begin to work on the next release immediately after Windows 10 ships. You’ll get to see the latest Windows fixes, features, and updates and give us feedback. So stay with us! Of course, we’ll provide you an option to leave the program and stay on the final build if you choose: but we hope that we’ll continue to provide you great reasons to remain a Windows Insider.

Insider Hub & Windows Feedback app

Because we’re getting ready for the final release, we’re removing a few things we don’t expect to ship to everyone. So starting with the next build, the Insider Hub will no longer be pre-installed. Windows Insiders can reinstall the Insider Hub app through the following steps:

1. Go to Settings, System, Apps & features
2. Click Manage optional features then Add a feature
3. Select the Insider Hub entry (the list is in alphabetical order) and click Install.

You will have to go through this process with each build we flight prior to the final release on July 29th, but once we start flighting new builds after July 29th it will be preinstalled again. The Windows Feedback app will continue to be included in builds and in the final release. But as I noted above, the Windows Feedback app will have functionality specific to Windows Insiders who are registered for the program with their MSA connected to their PC.

One more thing – Here comes Microsoft Edge!

In the next build we release to Windows Insiders in the Fast ring, the “Project Spartan” name will officially change to Microsoft Edge. One result of this naming means that the Microsoft Edge app has a new app ID. This will cause any favorites, cookies, history and Reading list items that you had saved in the Project Spartan app to be lost after upgrading from a previous Windows 10 Insider Preview build. If you want to keep these, you will need to back up your favorites before the next flight! To save your favorites, follow these steps before upgrading to the next build we release (do it now):

1. Copy your favorites from %localappdata%/Packages/Microsoft.Windows.Spartan_cw5n1h2txyewy/AC/Spartan/User/Default/Favorites.
2. Save them to %userprofile%/Favorites.
3. After upgrading to the next build open Microsoft Edge, choose Settings, and you’ll see an option to import favorites from another browser. Choose Internet Explorer to import the favorites you saved in your %userprofile% directory into Microsoft Edge.

We expect to have new Insider Preview builds for you soon and think you’ll be excited about the continuing progress we’re making on Windows 10. We couldn’t have done it without you.

via > http://blogs.windows.com/bloggingwindows/2015/06/19/upcoming-changes-to-windows-10-insider-preview-builds/
-
Hide Software Center while launching OSD TS
anyweb replied to mandy78's topic in Configuration Manager 2012
Great to hear it; for the benefit of others having your problem, maybe you could share how you solved it.
-
Microsoft has released an update to update Windows 8 and Windows 2012 R2 to support KMS host for later versions of Windows such as the soon to be released Windows 10. You can read about the update here: https://support.microsoft.com/en-us/kb/3058168

Important: Do not install a language pack after you install this update. Otherwise, the language-specific changes in the update will not be applied, and you will have to reinstall the update. For more information, see Add language packs to Windows.

Method 1: Windows Update

This update is provided as an optional update in Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.

Method 2: Microsoft Download Center

The following files are available for download from the Microsoft Download Center:

- All supported x86-based versions of Windows 8.1: Download the package now.
- All supported x64-based versions of Windows 8.1: Download the package now.
- All supported x64-based versions of Windows Server 2012 R2: Download the package now.
- All supported x86-based versions of Windows 8: Download the package now.
- All supported x64-based versions of Windows 8: Download the package now.
- All supported x64-based versions of Windows Server 2012: Download the package now.

Note: The update for Windows RT 8.1 or Windows RT can be obtained only from Windows Update. For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

cheers
niall
-
MDT 2013 - Win 7 and UEFI
anyweb replied to llizards's question in Microsoft Deployment Toolkit (MDT)
While you can image a Windows 7 machine with UEFI, it's only possible when you can disable things like Secure Boot in the BIOS or enable CSM mode (Lenovo). Is it worth it? Maybe, maybe not; try it and see.
-
MDT, USB, and 12gb WIM
anyweb replied to ykgreene's question in Deploying Windows 10, Windows 8.1, Windows 7 and more...
You need to split the WIM or split the partitions on the USB media (so the first partition is FAT, so that UEFI can understand it, and the second is NTFS).
-
Oh right, no ConfigMgr... well, forget about that then. Why are you using WDS and not MDT?
-
What about the smspxe.log like I mentioned? Attach it here.
-
Do you mean that UEFI network boot works fine for two days and then all of a sudden it fails with that error? What does the smspxe.log file tell you when you receive that failure?
-
UEFI Client PXE Boot error fails with BSOD: Unmountable_Boot_Volume
anyweb replied to moob's question in Windows Deployment Services (WDS)
With MDT you can boot from LAN/USB/media no problem, and it handles UEFI as well as legacy easily.
-
From the FAQ - http://blogs.technet.com/b/configmgrteam/archive/2015/05/19/sysctr-2012-configmgr-sp2-and-systctr-2012-r2-configmgr-sp1-faq.aspx

Which version of the Windows ADK should I use with System Center 2012 Configuration Manager SP2 or System Center 2012 R2 Configuration Manager SP1?

System Center 2012 Configuration Manager SP2 and System Center 2012 R2 Configuration Manager SP1 use the Windows Assessment and Deployment Kit 8.1. This version is required beginning with R2. If your sites currently run System Center 2012 Configuration Manager SP1, before you run Setup, on the site server and on each computer that runs an instance of the SMS Provider you must uninstall the Windows Assessment and Deployment Kit 8.0, and then download and install Windows Assessment and Deployment Kit 8.1. For more information see Prerequisites For Deploying Operating Systems in Configuration Manager. You can find the latest version of the Windows Assessment and Deployment Kit 8.1 on the Microsoft Download Center.

I'm guessing that you are testing something that is compatible with SCCM 2016 (the TP release), which does have Windows 10 support baked in. However, have you tried modifying your boot WIM as I describe in this old post here: http://www.niallbrady.com/2013/10/09/how-can-i-manually-add-winpe-5-boot-images-to-system-center-2012-configuration-manager-sp1-cu3/
-
Don't capture the image directly from the Surface Pro 3; use virtual machines instead to build your master image, and capture it from there. As regards customizing the Start screen, see here > http://www.windows-noob.com/forums/index.php?/topic/8101-using-system-center-2012-configuration-manager-part-13-deploying-windows-8-x64-with-custom-start-screen/

To build and capture Windows 8.1 it's the same process as Windows 7 or less (with ConfigMgr), as described here > http://www.windows-noob.com/forums/index.php?/topic/6353-using-system-center-2012-configuration-manager-part-7-build-and-capture-windows-7-x64-sp1/

Or use MDT to build your reference image, as most people advise; you can set up a quick MDT infrastructure following my guides here > http://www.windows-noob.com/forums/index.php?/forum/74-mdt/

Hope that helps! Lastly, have you seen this yet? CM12 in a Lab - 5 video series on deploying the Microsoft Surface Pro 3 - available now!
