Jump to content


Root Admin
  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by anyweb

  1. have you looked at the advice here ? https://social.technet.microsoft.com/Forums/en-US/d8753255-6b98-478c-875e-117358f972f1/mpstatusreceiver-directory-on-wsus-is-80-gb
  2. Introduction When users complete Windows Autopilot Out of Box Experience (OOBE), they can be asked to confirm Country and Keyboard settings, based on what is configured in the following Windows Autopilot Deployment Profile settings. Below is the Windows Autopilot deployment profile settings used for this blog post, notice how the User account type is set to Standard. Notice also that the Privacy settings setting is set to Hide. Your users will most likely be used to seeing the region related screens during OOBE, for example: However if you disable Privacy Settings in the Windows Autopilot Deployment profile, even though you might allow users to select Country and Keyboard settings, Windows Autopilot still sets the Time Zone to Pacific Standard Time. You can confirm this behavior by pressing left shift+F10 and typing PowerShell then Get-TimeZone. This Time Zone will apply regardless of what country the user selects. Even if your users are tech-savvy enough to find out where in Windows Settings they need to change these region based settings, if they are a standard user (which they should be in today's security conscious world), changing the timezone may leave them with incorrect time and incorrect regional format settings in the operating system. To fix this you could use Geo location and Azure services as per Nickolaj's post here, provided of course that: Your company allows Geo location Your company is not using any proxies or VPN's that mask the users actual location. This solution is not affected by either of these things, doesn't need local administrative permissions and does not require enabling privacy settings. This solution prompts the end user to confirm (or change) the detected settings, and then uses some back end magic to set everything in place including triggering a time sync. This method works even for standard (non administrator) users. Requirements The method requires that you use the English (En-US) version of Windows 10 as delivered from your OEM. If any other language is applied from the factory then it might cause some of the logic to fail. If you do go down that route, then you'll need to prepare language specific versions of the zonemapping.csv and other files as necessary. So let's get started. You can always install language packs later. Step 1. Get the scripts Note: You can only download these files when logged on as a member of https://www.windows-noob.com Note: Intune has a hard block of 200,000 bytes per PowerShell script. To get around this limit, I've removed most of the original comments from the Powershell scripts. The resulting script can be uploaded to Intune as it's less than the 200,000 bytes limit even with all the files encoded. If you'd like a copy of the version with comments included to help with troubleshooting, scroll to the very bottom of this blog post. Download the condensed ZIP: win.ap.CreateScheduledTask.SetTimeZone_CONDENSED_VERSION.zip Extract the condensed ZIP file to C:\Scripts\SetTimeZone Step 2. Get ServiceUI.exe from MDT You'll need the ServiceUI.exe executable file to display user interfaces (UI) to end users when operating in SYSTEM context. To get the file, download and install MDT somewhere and navigate to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64. To download MDT click here. Copy the ServiceUI.exe file to your extracted SetTimeZone\Encode folder so it looks like this. Step 3. Modify the scripts Open SetTimeZone-GUI.ps1 and SyncTime.ps1 in PowerShell ISE and make changes as appropriate. Once done editing those scripts to suit your needs save the changes. Then run the Encode script to generate the encoded txt files which you will paste into the variables highlighted below. you can do that by locating the appropriate TXT file for each encoded file, for example for ServiceUI.exe it'll be the ServiceUI.txt file, open it in notepad, copy the contents of that file using CTRL+A and CTRL+C and paste the results using CTRL+V into the associated variable, once you've done all 5 encoded files it'll look something like this If you are happy with all the changes in win.ap.CreateScheduledTask.SetTimeZone.ps1, save the changes. Step 4. Deploy it from Intune In Microsoft Endpoint Manager, select devices, scripts and add a new PowerShell script. Fill in some details like so. Deploy it to your Windows Autopilot users (start with a small group of users to test...), note that if you deploy this script to users that have already enrolled, the script checks if the enrollment was within the last 72 hours and if it was it will run, but if the enrollment was more than 72 hours ago, it'll do nothing. Step 5. Test it out First off, let's see what the expected outcome is. After Windows Autopilot enrollment is complete, and the user has logged on to the desktop, shortly after they login they will see a popup window asking them to Confirm or Change their Time Zone and Region settings. Below is an example of that. The user can confirm the settings by simply clicking Confirm, or if they want to change any of the options they can do so by clicking the relevant drop down menu. In this example the user changed the Regional format to English (Sweden), from English (United States) and after clicking Change the settings are applied. The following will occur when Confirm or Change is clicked. The keyboard layout is set (1), the regional format is in the chosen format (2) and the time will change to the selected timezone within one minute (3). The time sync takes place via an event generated in event viewer by the SetTimeZone-Gui script. Windows 11 support Does it work with Windows 11 ? absolutely ! see here: Job done ! Troubleshooting Note: If you are testing this on a hyper-v virtual machine, please disable enhanced mode. There are three log files generated by this solution win.ap.CreateScheduledTask.SetTimeZone.log located in C:\Windows\Temp win.ap.SetTimeZone-GUI.log located in C:\Users\<username>\appdata\local\Temp win.ap.synctime.log located in C:\Windows\Temp Here you can see it changing the time zone as revealed in the log file time change... the following scheduled tasks are created. The SetTimeZone scheduled task will run within a few minutes of the user logging in, it runs the following script. which in turn launches Powershell and our SetTimeZone-Gui.ps1 script %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File %temp%\SetTimeZone-Gui.ps1 That will launch the UI shown previously, allowing the end user to confirm or change the detected settings. Once the user confirms or changes the timezone settings an event ID will be generated which will in turn launch the Synctime Based on EventId task. Magic 🙂 If the user ignores the popup and restarts the computer, it will appear again after logging on every time they logon for 7 days. You can change that behavior via the scripts settings.Ok that's it for this blog post, see you next time, cheers niall Related: https://smsagent.blog/2022/05/13/beware-of-changing-regional-format-after-intune-enrolment/ Footnote: Here is the commented version of ZIP. This version of the scripts cannot be uploaded to Intune as it's too big, use for troubleshooting purposes only.win.ap.CreateScheduledTask.SetTimeZone_COMMENTED_VERSION.zip
  3. Introduction I’m no stranger to Tachyon, I’m currently blogging about it in this series. When I heard that a new version was about to be released I was definitely interested. I signed up and watched the 1E Tachyon 8 Launch Webinar which showcased a preview of Tachyon 8, hosted by Michael Wright (Director of Product Marketing, 1E) and Bogdan Udrea (Chief Technologist Product, 1E). The webinar showcased what is new and exciting about the latest version of Tachyon and why you should be excited about it and it’s host of new features. If you do watch the webinar (and I encourage you to do so) take note that there is a huge amount of information to digest. Why release a new version now ? The first question to ask yourself would be why should Digital Workplace Leaders like you be interested in another release of Tachyon from 1E ? This blog post will hopefully clarify and simplify points about why there is a new version of Tachyon. “Software constantly evolves to adapt to new problems and the scenarios they present.” One of the first reasons is challenges from within the workplace, including something referred to as The Great Resignation. You only have to take a look online at Tik-Tok and you’ll see multiple videos of people resigning from their current workplace. The quit rate in the United States just hit an all time high, and now more than ever, we live in an employee centric world. Ask yourself these questions: Is your organization a contributor to the global challenges that many companies are facing ? Is your organization IT Infrastructure a contributor to why your employees are switching jobs ? The Great Resignation. It’s clear that the hybrid workplace (which came into its own niche during the never ending Covid 19 pandemic) increased employee-IT friction because workers were forced to work from home, sometimes without adequate tools and having to figure out why they couldn’t access on-premise resources or do their job as they used to when in the office. Tickets were raised, users were not happy. Users that cannot work for a couple of hours because an application is crashing reduces productivity and increases frustration. To add to the users frustration the ability of the IT Help Desk to help them with their problems by visiting the users desk is out of the question as their desk is more than likely at home. “Everything is dependent on experience.” What forward looking companies have realized is that employee’s engagement and productivity (regardless of whether they are working from home or in the office) is dependent on experience. This has led 1E to create something called the Experience Economy for the workplace and that is one of the building blocks of Tachyon 8. Experience Economy As a home consumer you expect certain performance from your Internet Providers, you expect high performance and the speed that was advertised when you purchased it. You also expect things like Siri, Alexa or Google to understand what you said when you summoned them. The same needs to be true for employees in the workplace, those employees should get the type of experience they expect from the business, and they should not be negatively impacted changes in the workplace carried out by IT and they should definitely not be treated like second class citizens. Focusing on what matters When a problem invariably happens it’s not enough to simply observe the problem. We know through monitoring or user complaints that there is a problem, and just acknowledging it doesn’t help. As an IT Admin you can acknowledge a problem but if you cannot do anything about it then the user will suffer and that doesn’t necessarily help improve the situation. What can Tachyon 8 do to relieve this friction factor? Tachyon 8 focuses on what matters, it’s not enough to simply focus on a problem. 1E navigated through the following four areas when creating Tachyon 8 to drive insights to action acceleration. Analytics and Insights Resolution Acceleration Action and Prevention Engagement and Empowerment Insights to Action Acceleration. Tachyon 8 enhanced the capabilities across these 4 key areas to: Expand and improve upon what is collected and provide insights into analytics Cool capabilities built into the RCA toolkit Prevent issues at scale Engage with employees using the toolset in Tachyon 8 to facilitate self-service Tachyon 8 has increased the level of insights into key problematic areas namely networking, boot and login, applications and software to provide better visibility from a networking perspective, to investigate why devices are slow to boot or login, and to assist with determining if applications are affecting the overall productivity of the device. Resolution acceleration provides a quadrant view to give a device a unique placement on horizontal and vertical axis compared to other devices in the enterprise but also to be able to show the correlation between a certain metric (or event) and the impact that has had on the overall experience or whatever you are concerned about on that device. In addition, you can do a side by side comparison between affected and ‘good’ devices to determine what is causing the problem. From the Action & Prevention space, Tachyon has continued to publish management packs. These are sets of instructions to address a problem statement in real time on a problem device. Tachyon 8 has added a new user engagement ability which allows admins to engage with their users, not necessarily a survey. It also adds enhancements around interactions with those users to let them know about something or to enhance self-service capabilities. Use cases There are actually hundreds of use cases and scenarios that can be run in Tachyon 8, if you’d like more info about them then do join 1E’s Tachyon Tuesdays where they’ll start unpacking these use cases and how you can benefit from them. To summarize though, they can be broken down into the following four categories. Use cases that address Employee Engagement and Empowerment for example are announcements, this is a one way communication to the end user. Announcements can be used to announce IT or non-IT changes. Interactions compliment announcements by using the User Engagement module in Tachyon where the 1E client can automatically engage with a user based on how they react to whatever has occurred. These four elements are built into a persistent user interface within the 1E client, which allows users to revisit certain elements and go back and open tickets if that’s what the user wanted to do. Updated UI With Tachyon 8, the UI has been expanded in several areas. For example, previously the Tachyon Experience module looked like this: With Tachyon 8, focus areas have been added including Advanced Analytics, Inventory Management and User Engagement as you can see here: What do the users see ? The users get to see an updated 1E client agent when it’s appropriate. They also get access to the new persistent user-interface so that they can revisit previous problems if and when necessary. Announcements can be customized to make them look more like they are coming from an individual rather than an organization to make them feel more personal. When will the release be available ? Early adopters of Tachyon 8 are actively using this in their environments today. If you’d like to try it now, please reach out to your 1E Account Manager and they will make it available. Conclusion The development team behind Tachyon 8 have learnt valuable lessons from customers, business needs and partners to focus on what really matters. They’ve used this knowledge gained to add additional functionality to assist with the challenges posed by hybrid workplaces. DISCLAIMER: The contents of this article are the opinion of the author and have been written from an impartial standpoint; however, 1E may have reimbursed the author for time and expenses for undertaking the findings and conclusions detailed in the article.
  4. ‘Tis the season to be caring – for your loved ones, for each other, and yes, even for your data and mailboxes. If you’re a Microsoft 365 administrator, celebrate with us. All you have to do is sign up for free to 365 Threat Monitor and set up your account! How does it work? - Sign up to 365 Threat Monitor - Receive a guaranteed $10 Amazon voucher and a chance to win one of the Grand Prizes! - For every valid entry, we’ll make a $10 donation to One Laptop per Child What are you waiting for? Sign up now!
  5. this shouldn't cause the devices to 'not' get task sequence policy, which is essentially what is happening, i don't know enough about how your environment is setup to give conclusive proof, you could for example have some pre-start command that is running to add the computer into the collection(s) needed for UI++,. that would require further investigation from you, and maybe that pre-start (if there is one) is getting confused on these Dell computers.
  6. Introduction Note: In a previous blog post I showed you how you can deploy an Operating System from a Cloud Management Gateway (CMG) using bootable media. That blog post assumed you had a working network connection (wired) and also required the use of bootable media. Please review that blog post and associated video before starting this one. This new ability to deploy OS via the CMG was added to Configuration Manager version 2010, screenshots in this blog post come from Configuration Manager version 2111. In this blog post, I'll show you how to allow your users to self-service deploy an operating system from Software Center. That task sequence will run some steps to ensure that they are connected to a LAN cable or USB-C docking station prior to starting. But why is this important ? Well, if the user is connected to Wi-Fi, then as soon as the task sequence reboots, the boot image will load and unless it knows exactly what Wi-Fi hotspot the user was connected to and unless it has Wi-Fi support and necessary certificates built in (unlikely) it will fail to pull down any content as there will be no network. Their are 3rd party custom solutions that can allow you to connect to Wi-Fi via the boot image, I haven't tested them yet due to complexities with our own Enterprise Wi-Fi, but here's a comprehensive example. So assuming that you don't want to use Wi-Fi, read on. In this blog post I'll show you how to automatically check the type of network connection, and to popup a message to the end user if no wired connection (802.3) is detected. this is done using the PhysicalMediaType and Status properties from Get-NetAdapter. In the sample below I check for all network adapters on a computer. It lists both wired and wireless (as well as virtual (non-physical)) network adapters. The red box shows the output from a laptop that is docked, as you can see multiple network cards/types are listed. Get-NetAdapter The green output shows the same command but filters on 802.3 physicalmedia type. Get-NetAdapter | Where-Object PhysicalMediaType -EQ 802.3 Taking it one step further, you can add the -physical attribute to only show physical network adapters. Get-NetAdapter -physical | Where-Object PhysicalMediaType -EQ 802.3 and from the two network adapters listed here, we can see that only one of them has a status of Up, meaning that is it connected. We could even filter for that as shown here. Get-NetAdapter -physical | Where-Object {$_.PhysicalMediaType -EQ 802.3 -and $_.Status -EQ "Up"} Using this logic we can build a script to detect the desired type of network and to popup a message to the end user if it's not connected. Step 1. Get the script The following script does the checking, save it to a folder called CheckNetworkCable. <# .SYNOPSIS This script checks if a network cable is connected or not, if not, pops up message to connect .DESCRIPTION For more info see https://www.windows-noob.com/forums/topic/22678-checking-for-network-cable-connections-before-deploying-an-os-from-the-cmg-via-software-center/ .PARAMETER [none] This script does not take any parameters. .EXAMPLE .NOTES Version: 0.1 2021/12/5 Version: 0.2 2021/12/6 lan cable re-check Version: 0.3 2021/12/7 hide tsprogressui Version: 0.4 2021/12/8 loop through multiple 802.3 NIC types if present and check status, added Cancel ability to the popup message Version: 0.5 2021/12/9 check for VM and exit if so, added ExitValue .LINK .Author Niall Brady 2021/12/5 #> Function LogWrite { Param ([string]$logstring) $a = Get-Date $logstring = $a,$logstring Try { Add-content $Logfile -value $logstring -ErrorAction silentlycontinue } Catch { $logstring="Invalid data encountered" Add-content $Logfile -value $logstring } write-host $logstring } function CheckCable{ # checks 802.3 LAN connections for a status of Up, loops through all 802.3 nics found before popping up message if none are connected $global:connected = $null $networkcards = Get-NetAdapter -Physical | select Name, PhysicalMediaType, InterfaceDescription, Status LogWrite "Checking the following 802.3 NIC(s): " $networkcards foreach ($networkcard in $networkcards) { # only interested in 802.3 nics... if ($networkcard.PhysicalMediaType -eq '802.3'){ $description = $networkcard.InterfaceDescription LogWrite "examining the following NIC: $description" if ($networkcard.status -eq 'Up') { LogWrite "Network Cable: CONNECTED" $global:connected = $true $ExitValue = 0 ExitScript ($ExitValue) } else { LogWrite "Network Cable: DISCONNECTED" $global:connected = $false } } } LogWrite "Showing end user the 'Please connect to a network cable' popup message" Add-Type -AssemblyName PresentationCore,PresentationFramework $msgBody = "Please connect to a wired network or USB-C docking station to continue. Once connected, wait a few seconds then click <OK>, or click <Cancel> to abort this operation." $msgTitle = "You must connect to suitable network." $msgButton = 'OKCANCEL' $msgImage = 'info' $Result = [System.Windows.MessageBox]::Show($msgBody,$msgTitle,$msgButton,$msgImage) LogWrite "The user chose: '$result'" $global:connected = $false if ($Result -eq 'Cancel') { LogWrite "The user chose cancel to insert network cable popup message" $ExitValue = 1 ExitScript ($ExitValue) } } Function ExitScript ($ExitValue) { LogWrite "Exiting from the '$scriptname' version '$version' script with exit code $ExitValue." Exit $ExitValue } ########################################################################################### # script body starts here... $scriptname = "Check if LAN cable is Connected" $version = "0.5" $logfile = "$env:temp\CheckNetworkCableConnected.log" LogWrite "Starting the '$scriptname' version '$version' script..." #Hide the progress dialog try { LogWrite "hiding the task sequence progress user interface" $TSProgressUI = new-object -comobject Microsoft.SMS.TSProgressUI $TSProgressUI.CloseProgressDialog()} catch {LogWrite "failed to hide the Task Sequence UI, are we really in a task sequence ?"} # check is this a vm, exit if so... $IsVirtual=((Get-WmiObject win32_computersystem).model -eq 'VMware Virtual Platform' -or ((Get-WmiObject win32_computersystem).model -eq 'Virtual Machine')) if ($IsVirtual) {LogWrite "virtual machine detected, will exit now." $ExitValue = 0 ExitScript ($ExitValue) } else {LogWrite "Virtual machine not detected, continuing..."} do{ LogWrite "Looping until connected..." CheckCable } until($connected -eq $true) $ExitValue = 0 ExitScript ($ExitValue) Step 2. Get ServiceUI.exe from MDT You'll need the ServiceUI.exe executable file to display user interfaces (UI) to end users when operating in SYSTEM context. To get the file, download and install MDT somewhere and navigate to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64. To download MDT click here. Copy the ServiceUI.exe file to your extracted CheckNetworkCable folder so it looks like this. Next, copy this folder to your package source on your Configuration Manager server. Step 3. Create a package (with no program) In ConfigMgr create a new package *with no program* using the files in the CheckNetworkCable folder you created above. Step 4. Distribute the package After creating the package, right click it and choose Distribute Content. Distribute the content to all of your CMG's and any other on-premise distribution points. Step 5. Edit the task sequence and point to the package In your task sequence, add the following lines at the start of the task sequence. cmd.exe /c mkdir C:\Windows\Temp\OSDScripts\ Then copy files to the C:\Windows\Temp\OSDScripts folder.. xcopy ".\ServiceUI.exe" "C:\Windows\Temp\OSDScripts\" /D /E /C /I /Q /H /R /Y /S copy another file... xcopy ".\CheckNetwork.ps1" "C:\Windows\Temp\OSDScripts\" /D /E /C /I /Q /H /R /Y /S Run the script, note: do NOT select the timeout value in this step otherwise it will fail. C:\Windows\Temp\OSDScripts\ServiceUI.exe -process:TSProgressUI.exe %windir%\system32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -NoProfile -ExecutionPolicy bypass -File C:\Windows\Temp\OSDScripts\CheckNetwork.ps1 Apply the changes. Don't forget to distribute the content contained in your task sequence to your CMG. Step 6. deploy the Task sequence Deploy your task sequence as Available to a collection containing client computers that you intend to test with, make sure that the following option is selected. Step 7. Test the solution On a client computer with real network cards (or with a connection to a USB-C hub or Thunderbolt 3 dock that is in turn connected to a wired LAN), verify that the Configuration Manager client detects that it is connected to the Internet and that you can see the task sequence in Software Center. For the purposes of the test, unplug the dock and/or network cable and use Wi-Fi to test. Note: The script detects virtual machines and assumes they have network connectivity and therefore skips the popup. This particular task sequence also informs the user about the type of network they need to use, but we'll still run our detection script. If the user is not connected to a wired LAN cable or USB-C docking station, they'll get this popup. After connecting to the required network type and clicking OK the task sequence will continue. Job done. Troubleshooting The script logs to C:\Windows\Temp\CheckForNetworkCable.log. Below we can see that at first the cable was disconnected, and then the user connected the cable and it allowed the script to continue. Related reading https://docs.microsoft.com/en-us/mem/configmgr/osd/deploy-use/deploy-task-sequence-over-internet
  7. if you look at your task sequence and click on the deployments tab, check what collections is it deployed to, if your computer isn't in one of those collections then it won't see the task sequence, if your computer is in a collection targeted by the task sequence them and has been imaged before it won't re run the task sequence unless it's re-deployed to that device or the device deleted regarding the front end you are using, it's probably trying to run a deployment using direct membership (adding a device record to a collection that the task sequence is deployed to), can you confirm that ? if so, verify if your computers record is in that collection (or not...)
  8. it's protection, if you want to re-image the same device just re-deploy the same task sequence to it (in another collection for example), <OR> if you don't care about the history of the device, delete the device record in ConfigMgr Assets and Compliance and try again
  9. are there any differences on the clients that work, versus those that fail, for example are their language packs installed ?
  10. ok have you also deployed a Servicing Stack Update to those devices ? Download the SSU from: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005260
  11. are you pushing a task sequence or some other method, more details would be useful
  12. whether you start again or not is up to you, are you doing this in a lab ? did you take snapshots/checkpoints ? did you see my comment about what the actual error referred to...
  13. did you try contacting the author of that guide ? clearly it cannot download something, have you tried downloading/verifying the url it's referencing ? I'd also recommend you follow my guides instead, they work every time 🙂 Setting up PKI Part 1 - Introduction and server setup Part 2 - Install and do initial configuration on the Standalone Offline Root CA Part 3 - Prepare the HTTP Web server for CDP and AIA Publication Part 4 - Post configuration on the Standalone Offline Root CA Part 5 - Installing the Enterprise Issuing CA Part 6 - Perform post installation tasks on the Issuing CA Part 7 - Install and configure the OCSP Responder role service Part 8 - Configure AutoEnroll and Verify PKI health
  14. i'm not sure I understand your issue, so you can PXE boot but once you select the task sequence it fails ? can you attach the smsts.log file please
  15. the thing is when you deploy apps during OSD they should be installing in SYSTEM context and that is something that the user cannot see or interact with, so.... once you know this, you have to look at the options in the app itself to get it to install without any user interaction, or... deploy it to USERS after OSD
  16. they must run silently, so figure out a way to do that and you'll be golden, OR bite the bullet and install the app AFTER the osd part is done, on the users first login, where they CAN click on stuff
  17. hi, what was difficult about signing up to this site, please explain (in detail) so we can look into it, secondly, I assume you are talking about Autopilot for existing devices for your task sequence ? what version of Windows 10 are you testing with ?
  18. attach your cmupdate.log and we can take a look
  19. If you have experience with the Windows Admin Center, you might already have deduced it is a powerhouse of functionality making light of important server management tasks. If you’re just adding it to your system administrator toolbox, welcome to the wonder of Windows Admin Center! With so much functionality, figuring out where to focus is key. Whether you’re just setting out with Windows Admin Center or wanting to realize its full potential, start with Altaro’s free 160+ page second edition eBook, How To Get The Most Of The Windows Admin Center. Written by Microsoft Cloud & Datacenter Management MVP Eric Siron, it covers the latest developments like the Control Azure Stack HCI, use of WinRM over HTTPs and integration with Azure Monitor, amongst others. It’s a comprehensive guide on everything from installation methods and security considerations to integrating Windows Admin Center into an existing environment. There is even a brief history lesson along with a comparison to alternatives so you should get a solid overview of Windows Admin Center, why chose it and how to work with it. An all-new server management experience when it was introduced, Windows Admin Center modernized administrative activities with a centralized HTML 5 web application. Just add servers, clusters, desktops, and Azure virtual machines into a personalized, persistent interface, and manage their roles, features, software, registry, PKI certificates, and more. And with Microsoft’s latest investment into the Windows Admin Center and new functionality, there is now even more server management power to work with. Learn to simplify and optimize your server management tasks - Download your free eBook now!
  20. Introduction I previously posted a blog post showing you how your users can decommission their old domain joined PC using the Retire My PC app. I showed you how to create the app and deploy it via Software Center to your users' old computer. The reason why this app exists is to allow users to decommission their old PC when it suits them and not have to rely on onsite support staff or a third party service to secure company data stored on the old PC before it gets returned to the vendor or seller. This is achieved by ensuring the device is protected by Bitlocker and then deleting the Bitlocker protector from the TPM prior to shutting down the device. There is much more going on in the app, please see the list of original features below. stops the ConfigMgr client agent service (if one is running) stops the MBAM agent service (if one is running) rotates the BitLocker key (optional) WIPEs the BCD registry entries (optional) joins a workgroup clears the Bitlocker TPM protector adds a record of all this to Azure Tables emails the log to a support inbox In this blog post I'll show you how to deploy a newer, more secure version of the app via the Company Portal in Microsoft Endpoint Manager (Microsoft Intune) which can be used on Intune managed, Azure AD joined computers. This version of the app has some new abilities which are highlighted below. Available in Company Portal Allows the user to select the type of decommission (Recoverable or Secured) If the Recoverable option is selected, the Bitlocker protector is removed from the TPM. If a support technician or the end user has access to the recovery password info, they can enter it at the boot screen and therefore can boot back into Windows. If the Secured option is selected, not only is the Bitlocker protector removed from the TPM but the Bitlocker key is rotated and the new key is not uploaded to Azure AD, or ConfigMgr or MBAM. Therefore the admin and the end user will not have the recovery info needed to boot the computer. In addition, the BDE registry keys are completely wiped out, so even if they manage to get the rotated key (from the email sent to the configured support inbox, read the NOTE below) this would only allow file access, Windows will not boot. Regardless of which option the user chooses, the device will NOT boot into Windows after it's retired as it cannot due to the missing Bitlocker protector in the TPM, and this secures the PC from unwanted access. However, if the user selects cancel in the main UI, the detection method file is removed so they can reinstall the app on-demand via Company Portal. NOTE: You can also modify the script to not include the rotated recovery key information in the email making the device very secure indeed. If you do this, the device (and the data on it) can never be recovered as the rotated Bitlocker key is not stored anywhere. As this is so drastic, I've left this recovery info in the email. This email will never be seen by the end user and is sent to a shared help desk inbox. Once you are happy with the way things are going, you can optionally remove this info from the log to ensure company data is 100% secured on decommissioned devices. Before starting, please read the original Retire My PC blog post to get an understanding of how to set this all up. You can skip the creation of the app in ConfiMgr if you are using this in cloud only environments. Step 1. Get the scripts Note: You can only download these files when logged on to https://www.windows-noob.com Retire My PC.zip Download, unzip and extract the files. Step 2. Get ServiceUI.exe from MDT You'll need the ServiceUI.exe executable file to display user interfaces (UI) to end users when operating in SYSTEM context. To get the file, download and install MDT somewhere and navigate to C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64. To download MDT click here. Copy the 64 bit version of ServiceUI.exe file to your extracted win32app_source folder so it looks like this. Step 3. Get the Win32 content prep tool Download the Win32 content prep tool from here. Copy the IntuneWinAppUtil.exe file to your Retire My PC source folder, it should look like this. Step 4. Modify the script Open the securewipe.ps1 script. Configure the $ToAddress and $FromAddress variables. Using your Sendgrid API key, paste your API key value (line 615 below). Add your httptrigger1 URL add your httptrigger2 url here If you want to completely remove the rotated key from the email, rem out the following lines marked in yellow Save the changes to the script. save your changes. Step 5. Create the Intunewin package Open a command prompt and browse to the reset-windows folder structure. Launch the IntuneWinAppUtil.exe file and answer the following. Please specify the source folder: win32app_source Please specify the setup file: securewipe.ps1 Please specify the output folder: win32app_target Do you want to specify catalog folder (Y/N)? n as shown here. After doing that you'll have the securewipe.intunewin file in the win32app_target folder. Step 6. Create the Win32 app in Endpoint Manager Log into https://endpoint.microsoft.com and add a new Win32 App. Below are some screenshots showing how I've configured the app. For Select app type, select Windows app (Win32) from the drop down menu Click on Select app package file and point it to the securewipe.intunewin file in the win32app_target folder. fill in some info about the app for the logo, click on Select image and point it here... fill in the install commands fill in the requirements and the detection rules.. finally deploy it to your users that should be retiring old pc's... and save the app. This is what the end user will see after launching the app from the Company Portal once they make their selections and clicking OK clicking OK to this warning will start the process and some seconds later the device will no longer be able to boot. The recovery key data stored in Microsoft Endpoint Manager will not contain the latest rotated key from the device if the user selected the <Secured> option. The only place you'll find the recovery key data, is in the email sent to the shared help desk inbox if you optionally decided to include that info. The app logs to C:\Users\<USERNAME>\AppData\Local\Temp\win.ap.securewipe.log and this log file is emailed to your shared help desk email inbox. Job done !
  21. I would advise you to think long and hard about hybrid azure ad domain join, try and avoid it or you'll have lots of problems... guaranteed modern devices can be workgroup joined with no GPO's applied, and instead all settings and configurations come directly from Intune (or SCCM if co-managed)
  22. just to be clear, you are trying to install Windows 10 LTSC 2019 on a computer with 3 physical hard discs, correct ? and when you try in that configuration, it fails ? does the same task sequence work correctly if there is only one hdd ?
  23. ok thanks for reporting this, can you please send a Frown from the console and attach the cmtrace screenshots to report this there ? if you want, please share the id with me, thanks
  • Create New...