Everything posted by anyweb

  1. Introduction

     I got my hands on a test unit, a Microsoft Surface Go 4, and wanted to see if we could image it via SCCM as we currently are doing for Surface Go 3 models. However, the problems became apparent quickly.

     Problem

     The problems were lack of storage (no HDD detected) if using a Windows 10 ADK version 2004 that hasn’t been updated with the latest servicing stack and cumulative update to address CVE-2023-24932, or, if using an ADK based on Windows 11, the partitioning step hangs forever along with the other issues that ADK 11 has (preprovision BitLocker fails, no VBS support). So how to fix this? The easiest choice was to grab the driver pack from Microsoft and inject the missing storufs.inf driver into the Windows 10 ADK version 2004 boot wim. So I went down what I thought was the path of least resistance.

     Download the drivers (MSI)

     You can download the MSI drivers for the Surface Go 4 from here, select the appropriate OS (Windows 10 or Windows 11).

     Extracting the drivers

     Once you’ve downloaded the MSI, you’ll want to extract the drivers from the pack. To do that use the cmdline below, replace it with the MSI name you want to extract and point it to the exact folder you want the drivers to extract to. Do not have any spaces between TARGETDIR and the = sign.

     MSIEXEC /a SurfaceGo4_Win10_19045_23.072.25310.0.msi /qb TARGETDIR=C:\drivers\SG4

     But guess what, those UFS storage drivers are not available in the downloadable MSI. You will need to rip the needed drivers from the factory image, so keep that in mind before you blow it away. I found the needed files in the following folder on the factory install:

     C:\Windows\Inf

     The drivers were dated 2023/04/13 on my example unit, and the needed files are:

     storufs.inf
     storufs.sys

     However even with those files it’s not enough, you cannot import them into the boot.wim image as they are not signed (missing the CAT file). And the necessary CAT file is nowhere to be found in the factory install image.

     So we are back to square one. I asked Microsoft to provide me with this signed driver but for some reason was declined. Instead they advised me to patch the boot images.

     The solution

     To fix this you’ll need to patch your ADK 10 version 2004 boot wim to include the latest SSU and CU updates. In my testing that was the October CU. Here’s the script used, yes it’s a batch file but it works just fine, there is a PowerShell script available from Microsoft (here) but you’ll need to modify it heavily before starting. Copy the downloaded CU to the appropriate folder before starting.

     REM use this to patch ADK 2004 with latest CU/SSU/optional components
     REM to start with, copy the CU to C:\dev\patch_winpe\CU
     REM make sure to REMOVE any pre-existing C:\winpe_amd64 before starting!
     REM thanks to Microsoft for the script, modified by Niall Brady, 2023/11/23
     REM - > copy a fresh boot.wim without any component (you can use the boot.wim from your Configuration Manager Installation as well to start with)
     REM CLEANUP if needed!
     DISM.exe /Unmount-Wim /MountDir:C:\winpe_amd64\mount /discard
     DISM.exe /Cleanup-Wim
     call "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\copype.cmd" amd64 c:\winpe_amd64
     REM - Create some temp folders...
     MD c:\winpe_amd64\SSU
     MD c:\winpe_amd64\CU
     MD c:\winpe_amd64\temp
     REM - > expand SSU
     expand.exe C:\dev\patch_winpe\CU\windows10.0-kb5031356-x64_65d5bbc39ccb461472d9854f1a370fe018b79fcc.msu -f:*ssu*.cab c:\winpe_amd64\SSU
     REM - > expand CU
     expand.exe C:\dev\patch_winpe\CU\windows10.0-kb5031356-x64_65d5bbc39ccb461472d9854f1a370fe018b79fcc.msu -f:*Windows*x64.cab c:\winpe_amd64\CU
     REM - > mount the boot.wim file for servicing operations
     dism.exe /Mount-Wim /WimFile:C:\winpe_amd64\media\sources\boot.wim /index:1 /MountDir:C:\winpe_amd64\mount
     REM - > Apply SSU
     dism.exe /image:C:\winpe_amd64\mount\ /Add-Package /PackagePath:c:\winpe_amd64\SSU\
     REM - > adding the core components (bare minimum requirement by Configuration Manager)
     REM Scripting (WinPE-WMI)
     dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab"
     dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WMI_en-us.cab"
     REM Scripting (WinPE-Scripting)
     dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-Scripting.cab"
     dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab"
     REM Network (WinPE-WDS-Tools)
     dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WDS-Tools.cab"
     dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-US\WinPE-WDS-Tools_en-us.cab"
     REM Startup (WinPE-SecureStartup)
     dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureStartup.cab"
     dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-SecureStartup_en-us.cab"
     REM - > adding optional / additional components (do not forget to add them, if needed)
     REM HTML (WinPE-HTA)
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-HTA.cab"
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-HTA_en-us.cab"
     REM Database (WinPE-MDAC)
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-MDAC.cab"
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-MDAC_en-us.cab"
     REM Storage (WinPE-EnhancedStorage)
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-EnhancedStorage.cab"
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-EnhancedStorage_en-us.cab"
     REM Microsoft .NET (WinPE-NetFx)
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-NetFx.cab"
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-NetFx_en-us.cab"
     REM Windows PowerShell (WinPE-PowerShell) - this requires WinPE-NetFx to be added first
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-PowerShell.cab"
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-PowerShell_en-us.cab"
     REM Windows PowerShell (WinPE-DismCmdlets) - this requires WinPE-PowerShell to be added first
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-DismCmdlets.cab"
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-DismCmdlets_en-us.cab"
     REM Windows PowerShell (WinPE-StorageWMI) - this requires WinPE-PowerShell to be added first
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-StorageWMI.cab"
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-StorageWMI_en-us.cab"
     REM Windows Secure Boot Cmdlets (WinPE-SecureBootCmdlets) - this requires WinPE-PowerShell to be added first
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-SecureBootCmdlets.cab"
     REM dism.exe /Add-Package /Image:"C:\winpe_amd64\mount" /PackagePath:"c:\program files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-SecureBootCmdlets_en-us.cab"
     REM - > Apply CU
     dism.exe /image:C:\winpe_amd64\mount\ /Add-Package /PackagePath:c:\winpe_amd64\CU\
     REM pause here to add any custom stuff
     pause
     REM - > final step unmount the boot.wim and commit the changes
     dism.exe /unmount-Wim /MountDir:C:\winpe_amd64\mount /commit

     After patching the boot.wim, import it back into SCCM, distribute it to your distribution points and attach it to your task sequence.

     Note: Keep in mind that you’ll also need to patch the Windows 10/Windows 11 operating system wim file to the same CU level, otherwise you’ll get a BSOD after applying the image.

     I hope this helps someone

     cheers
     niall

     Related reading

     Surface Go 4 drivers (MSI) – download
     October 2023 CU – download
     Windows 11 ADK 22H2 – download
     Surface Recovery Image download – Surface Recovery Image Download – Microsoft Support
     PowerShell script to modify boot images
     Manage boot images for CVE-2023-24932
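A check worth running before the patched boot.wim goes back into SCCM, as an added example that is not part of the post above: it compares the build of the boot.wim with the OS wim (the post notes a CU mismatch ends in a BSOD), mounts the boot.wim read-only with the DISM PowerShell cmdlets, and confirms the SSU, the CU and the minimum optional components are present. The paths follow the batch file above; the OS wim path is a placeholder and the package-name patterns are assumptions based on how DISM names these packages.

```powershell
# Added example (not from the original post). Verifies a patched WinPE boot.wim
# before import into Configuration Manager and checks that the OS wim is on the
# same CU level. Assumes the DISM PowerShell module and the batch file's paths;
# $OsWim is a placeholder you must point at your own operating system image.
#Requires -RunAsAdministrator
param(
    [string]$BootWim  = 'C:\winpe_amd64\media\sources\boot.wim',
    [string]$OsWim    = 'C:\dev\os\install.wim',   # placeholder, not from the post
    [int]   $OsIndex  = 1,
    [string]$MountDir = 'C:\winpe_amd64\verify'
)

function Get-WimBuild {
    # Returns the full build string of one image index, e.g. "10.0.19041.NNNN".
    param([string]$Path, [int]$Index)
    $img = Get-WindowsImage -ImagePath $Path -Index $Index
    return '{0}.{1}' -f $img.Version, $img.SPBuild
}

$bootBuild = Get-WimBuild -Path $BootWim -Index 1
$osBuild   = Get-WimBuild -Path $OsWim   -Index $OsIndex
Write-Output "boot.wim build : $bootBuild"
Write-Output "OS wim build   : $osBuild"
if ($bootBuild -ne $osBuild) {
    Write-Warning 'boot.wim and OS wim are on different CU levels; patch the OS wim as well.'
}

# Mount read-only so this check can never modify the image you are about to import.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $BootWim -Index 1 -Path $MountDir -ReadOnly | Out-Null
try {
    $packages = Get-WindowsPackage -Path $MountDir

    # The SSU and CU are recorded as ServicingStack and RollupFix packages (assumed naming).
    foreach ($kind in 'Package_for_ServicingStack', 'Package_for_RollupFix') {
        $hit = $packages | Where-Object { $_.PackageName -like "$kind*" }
        if ($hit) { Write-Output "OK      $($hit.PackageName -join ', ')" }
        else      { Write-Warning "MISSING $kind - re-run the servicing script" }
    }

    # The optional components the post calls the bare minimum for ConfigMgr.
    foreach ($oc in 'WinPE-WMI', 'WinPE-Scripting', 'WinPE-WDS-Tools', 'WinPE-SecureStartup') {
        $hit = $packages | Where-Object { $_.PackageName -like "*$oc-Package*" }
        if ($hit) { Write-Output "OK      $oc" } else { Write-Warning "MISSING $oc" }
    }

    # Storage drivers in the image, inbox ones included, so you can see whether
    # a UFS driver such as storufs is actually present after the CU was applied.
    Get-WindowsDriver -Path $MountDir -All |
        Where-Object { $_.ClassName -eq 'SCSIAdapter' -or $_.OriginalFileName -like '*storufs*' } |
        Select-Object OriginalFileName, ProviderName, Version, Date |
        Format-Table -AutoSize
}
finally {
    # A read-only mount can only be discarded, which is exactly what we want here.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
}
```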
  2. I'd open a Microsoft ticket and ask them to investigate
  3. Did every previous upgrade work without problems before this? Do you have any non-Microsoft AV software installed on the site server?
  4. OK, have you simply tried restarting the primary server?
  5. hi Michael, how long have you waited? how many clients are managed by the primary? does the cmupdate.log reveal anything interesting?
  6. interesting! thanks for updating the thread
  7. Weird, is the file blocked or corrupt in any way?
  8. Introduction

     This is Part 1 of a new series of guides which will cover managing Windows 365 Cloud PCs using PowerShell and Microsoft Graph. This mini series should help you get started with automating and managing your Cloud PCs using PowerShell via Microsoft Graph. If you are new to Windows 365 Cloud PCs then please read our previous series called Getting started with Windows 365 available here.

     At the time of writing, Paul is a 7 times Enterprise Mobility MVP based in the UK and Niall is a 13 times Enterprise Mobility & Windows and Devices MVP based in Sweden.

     Below you can find all parts in this series:

     Automating Windows 365 part 1 - Introducing Graph and setting up Visual Studio code <- you are here
     Automating Windows 365 part 2 - Using Graph X-Ray
     Automating Windows 365 part 3 - Provisioning Cloud PC's
     Automating Windows 365 part 4 - Managing your Cloud PC
     Automating Windows 365 part 5 - TBD

     In this part we'll cover the following:

     Introducing Graph
     Setup Visual Studio Code
       Installing Visual Studio Code
       Installing the PowerShell Extension
       Enabling ISEMode
     Initial connection to Graph
     Permissions
     Testing permissions using Graph Explorer
     Related reading
     Summary

     Introducing Graph

     Microsoft have summarized Graph as:

     ChatGPT summarized it as follows:

     OK so now we know that we can use Microsoft Graph to our advantage, to interact with data that we have access to and build scripts and apps to automate common tasks. But before we do, let's take a look at one quick way of interacting with Graph, and that is via an online tool called Microsoft Graph Explorer which in turn uses the Graph API. Microsoft Graph Explorer lets you make requests and see responses against Microsoft Graph. To launch Graph Explorer click here. You'll be presented with a view such as below. Login to your tenant.

     If you are new to Graph Explorer, there are a few things to keep in mind:

     1. Allows you to select the method, eg: GET, POST, PUT, PATCH, DELETE
     2. Select the context: v1.0 or beta
     3. The address of your API call, including any variables or filters
     4. Tabs containing more info
     5. Sub set of Graph REST API examples

     Now you are ready to perform your first query, so go with the default selection and click on Run Query. As you can see it returns a lot of data which we can use in our automation. Cool!

     Setting up Visual Studio Code

     Now that we know a little bit about Microsoft Graph, the next step is to install and configure a tool to connect with it effectively, and to do that we'll use Visual Studio Code. Visual Studio Code is more powerful and feature rich than the built in free PowerShell Integrated Scripting Environment in Windows (PowerShell ISE) so let's use it.

     Installing Visual Studio Code

     It's free, to get started you'll need to download it first - https://code.visualstudio.com/docs/?dv=win

     Once downloaded, launch the executable to start setup. Select your options and it's done. Click on Finish to launch Visual Studio Code.

     Installing the PowerShell Extension

     After installation, it's time to add a PowerShell extension. Click on Extensions. Search for PowerShell and click on Install.

     Connect with Visual Studio Code

     Once you've installed the PowerShell extension, close Visual Studio Code and launch it again as an Administrator (Run As Administrator). Click on the Settings icon, and choose Command Palette. Search for IseMode and select Enable IseMode from the list of choices. This will force Visual Studio Code to look like PowerShell ISE.

     Initial connection to Graph

     Now we have everything in place, let's create our first script to make our initial connection to Graph from Visual Studio Code. To do that, click on File, give your script a suitable name such as connect to microsoft graph.ps1. Visual Studio Code now knows how to deal with the PowerShell commands as we've installed the PowerShell extension. Type in the following command:

     Install-Module Microsoft.Graph.Beta.DeviceManagement.Administration

     Once done, click on the run symbol (triangle) and notice the question. After answering Yes, PowerShell will start downloading the needed bits. After it has finished installing you can verify by running the following code:

     Get-InstalledModule Microsoft.Graph.Beta.DeviceManagement.Administration

     You can do that in Visual Studio Code by typing the command, selecting it and then running the selected code. Finally, we want to connect to our installed module by using the Connect-MgGraph command.

     Connect-MgGraph -Scopes "CloudPC.Read.All"

     You may get prompted for permissions (more on that below), if so click Accept. If required, you can also select the check box "Consent on behalf of your organization" to make it easier for other admins to do the same requests.

     Permissions

     In order to access the wealth of data in Microsoft Graph you'll need to provide permissions. For Cloud PC management, we can add an initial subset of permissions to review data. To review the permissions see the Graph API Documentation for what permissions are needed, keep in mind that these are currently in Beta and subject to change. Those permissions are basically broken down into three areas: License, Group and Cloud PC.

     License permissions
     User.ReadWrite.All
     Directory.ReadWrite.All

     Group permissions
     GroupMember.ReadWrite.All, Group.ReadWrite.All
     Directory.ReadWrite.All

     CloudPC permissions
     CloudPC.ReadWrite.All

     Testing permissions using Graph Explorer

     Launch Graph Explorer. To verify our permissions we'll try a simple Cloud PC related task, List all Cloud PCs. To list all your Cloud PCs using Graph Explorer and the Microsoft Graph API, try the following.

     GET https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs

     You'll probably see permission errors if they are not yet set or if you have not yet elevated your role in Azure (PIM). Notice how it helpfully points us to the Modify Permissions tab. As an account that has permissions to grant consent, click on Consent for the permissions listed. You'll get one or more prompts to accept these permissions and you can revoke them at any time. Again, if required, you can also select the check box "Consent on behalf of your organization" to make it easier for other admins to do the same requests.

     After consenting to the permissions and running the query again in Graph Explorer, the result is shown. Note that it's only a subset of the available info and it informs you that if you want more data you'll need to modify the request to include $select to return non-default properties.

     So now we've seen how to modify the permissions to review Cloud PC data in Graph Explorer, let's gather the same data using Visual Studio Code and a PowerShell cmdlet for Cloud PC. In addition, we'll filter on the managedDeviceName property shown in the output above so that it will only list that data.

     $MyCloudPCs = Get-MgBetaDeviceManagementVirtualEndpointCloudPC | select-object "managedDeviceName"
     $MyCloudPCs

     and here's the output:

     Success!

     Related reading

     Overview of Microsoft Graph - https://learn.microsoft.com/en-us/graph/overview
     Graph Explorer API - https://developer.microsoft.com/en-us/graph/graph-explorer
     Working with Windows 365 Cloud PCs using the Microsoft Graph API - https://learn.microsoft.com/en-us/graph/api/resources/cloudpc-api-overview?view=graph-rest-beta
     Download Visual Studio Code - https://code.visualstudio.com/docs/?dv=win
     Permissions - https://learn.microsoft.com/en-us/graph/permissions-reference
     Permissions overview - https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http
     Overview of Cloud PC with Graph - https://learn.microsoft.com/en-us/graph/cloudpc-concept-overview
     Working with Windows 365 Cloud PCs using the Microsoft Graph API - https://learn.microsoft.com/en-us/graph/api/resources/cloudpc-api-overview?view=graph-rest-beta&preserve-view=true
     Graph API examples for Cloud PC - https://learn.microsoft.com/en-us/graph/api/virtualendpoint-list-cloudpcs?view=graph-rest-beta&tabs=http
     Microsoft Graph Beta - https://learn.microsoft.com/en-us/powershell/module/Microsoft.Graph.Beta.DeviceManagement.Administration/get-mgbetadevicemanagementvirtualendpointcloudpc?view=graph-powershell-beta

     Summary

     Microsoft Graph and Visual Studio Code with the PowerShell Extension give admins a useful and powerful way of managing their Windows 365 Cloud PCs and automating repetitive actions. Please join us in the next part where we'll look at how Graph X-Ray can help us further.
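The connection and the Cloud PC listing from the post above, carried a step further as an added example that is not part of the original post: it asks for only the read scope the post uses, checks that the scope really was granted before doing anything, and then walks every page of the cloudPCs endpoint with the $select the Graph Explorer result hints at. It uses the generic Invoke-MgGraphRequest from Microsoft.Graph.Authentication (assumed to be Graph PowerShell SDK v2) rather than the Get-MgBeta cmdlet so that $select and paging are explicit; the property names are those of the beta cloudPC resource.

```powershell
# Added example (not from the original post): least-privilege connection to
# Graph, a scope sanity check, and a paged $select query against the beta
# cloudPCs endpoint. Assumes Microsoft.Graph.Authentication (SDK v2) and an
# admin account that can consent to CloudPC.Read.All.
Import-Module Microsoft.Graph.Authentication

# Reporting on Cloud PCs only needs the read scope, not CloudPC.ReadWrite.All.
$requiredScope = 'CloudPC.Read.All'
Connect-MgGraph -Scopes $requiredScope -NoWelcome

$ctx = Get-MgContext
if (-not $ctx -or $ctx.Scopes -notcontains $requiredScope) {
    throw "Scope '$requiredScope' was not granted; consent to it (or have an admin consent on behalf of the organization) first."
}
Write-Output ("Connected as {0} to tenant {1}" -f $ctx.Account, $ctx.TenantId)

function Get-CloudPcInventory {
    # Walks every page of /beta/deviceManagement/virtualEndpoint/cloudPCs and
    # returns only the properties we ask for; without $select the endpoint
    # returns its default subset, which is what the post's Graph Explorer run showed.
    $select = 'id,displayName,managedDeviceName,userPrincipalName,status,lastModifiedDateTime'
    $uri    = "https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs?`$select=$select"
    $all    = @()
    while ($uri) {
        $resp = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $all += $resp.value
        $uri  = $resp.'@odata.nextLink'   # $null on the last page, which ends the loop
    }
    return $all
}

$cloudPcs = Get-CloudPcInventory
Write-Output ("{0} Cloud PC(s) returned" -f $cloudPcs.Count)

# The same managedDeviceName view the post builds, plus who the PC belongs to.
$cloudPcs | Select-Object managedDeviceName, userPrincipalName, status |
    Sort-Object managedDeviceName | Format-Table -AutoSize

# Anything that is not in the 'provisioned' state deserves a second look.
$cloudPcs | Where-Object { $_.status -ne 'provisioned' } |
    Select-Object managedDeviceName, status, lastModifiedDateTime
```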
  9. The variables detected/set should be revealed in the smsts.log during the Gather steps, so look there and then add them to the new PowerShell script. Have you tried that?
  10. @Pierrot yup that's right
  11. hi Pierrot, this command is supposed to be done on the domain controller hosting CA certificate services as per the guide, and it's used to extract the previously configured windows noob issuing CA certificate to a file (any name you want, eg: somecert.cer, but it makes sense to actually name it what it is, in this case windowsnoobIssuingCA.cer) for later import. The -ca.cert merely instructs certutil to retrieve the CA's certificate, in this case, retrieve the windowsnoob Issuing CA's certificate. Does that make it clearer? If you then type certutil (with no options) on the domain controller, it should return the info you've previously set for the Config switch, such as in mine, below:

     cheers
     niall
  12. Introduction

     Configuration Manager 2309 was just released to the early update ring, you can read about that here. In this video I show you how I upgraded my PKI enabled (HTTPS) ConfigMgr 2303 site to 2309, take a brief look at some of the features, show that you need to upgrade the SQL ODBC driver before starting the upgrade and more.

     Related reading

     Early ring opt in script – https://go.microsoft.com/fwlink/?linkid=2099733
     Update 2309 now available – https://techcommunity.microsoft.com/t5/configuration-manager-blog/update-2309-for-microsoft-configuration-manager-current-branch/ba-p/3928963
     What's new in 2309 – https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2309
     SQL ODBC driver download – https://learn.microsoft.com/en-us/sql/connect/odbc/download-odbc-driver-for-sql-server?view=sql-server-ver16
     Johan Arwidmark's VBS FOD fix – https://www.deploymentresearch.com/fixing-vbscript-support-in-windows-adk-sep-2023-update-build-25398/
     Technical Preview 2305 – https://www.niallbrady.com/2023/05/27/technical-preview-2305-is-out-should-you-upgrade-yes/
     Technical Preview 2307 – https://www.niallbrady.com/2023/07/29/a-quick-look-at-configuration-manager-2307-technical-preview/
  13. Introduction

     Configuration Manager 2309 has just been released, and I wanted to update one of my ConfigMgr labs to this version. Before doing that I could see that the PKI environment was not healthy, there were expired certificates and worse still an expired Root CA CDP. My usual fixes didn’t help so it was time to dig deeper with help from Stealthpuppy’s blog post here.

     Long story short, when I power on a PKI based lab that’s been offline for a while I usually just restart certsrv.msc on the IssuingCA, this resolves most issues but in this case it wouldn’t even restart, I got an error (which I’ve seen before).

     The revocation function was unable to check revocation because the revocation server was offline

     To troubleshoot further, I issued the following:

     certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

     This allowed me to start certificate services on the IssuingCA and troubleshoot further. Please watch the video to see how I resolved the issues. If you want some PKI guides look no further.

     Setting up PKI

     Part 1 – Introduction and server setup
     Part 2 – Install and do initial configuration on the Standalone Offline Root CA
     Part 3 – Prepare the HTTP Web server for CDP and AIA Publication
     Part 4 – Post configuration on the Standalone Offline Root CA
     Part 5 – Installing the Enterprise Issuing CA
     Part 6 – Perform post installation tasks on the Issuing CA
     Part 7 – Install and configure the OCSP Responder role service
     Part 8 – Configure AutoEnroll and Verify PKI health
     How can I configure System Center Configuration Manager in HTTPS mode (PKI) – Part 1
     How can I configure System Center Configuration Manager in HTTPS mode (PKI) – Part 2

     cheers!
     niall
  14. Introduction

     In a previous blog post I discussed how you can disable (or enable) Microsoft’s new flagship service called Copilot. Copilot is a very hot topic today as it gives the power of AI to all users of Windows. As it’s going to be included with Windows 11 version 23H2 coming later in Q4 you need to start testing it now. To test it you’ll probably want to have two groups of users, those where you’ve disabled Copilot and a smaller subset where you enable it.

     Based on my own testing, in order to automate enabling Copilot you need to have some things in place in your environment right now, and those requirements are listed below.

     Windows 11 version 22H2 with KB5030310 installed
     Turn on the “Get the latest updates as soon as they are available” Windows Update setting – see how here
     Locations need to be North America, parts of Asia/South America regions only (for now)

     In this blog post I’ll focus on the point above highlighted in red, and we’ll solve the problem by creating a Win32 app in Microsoft Intune.

     Download the required files

     From the Microsoft Catalog website, download the 2023-09 Cumulative Update Preview for Windows 11 Version 22H2 for x64-based Systems (KB5030310).

     Scripts

     There are two scripts used in this package:

     install.cmd

     wusa.exe .\windows11.0-kb5030310-x64_2b759815a3b7626cc8f508753553172aa444d454.msu /quiet /norestart -wait

     check_for_KB5030310.ps1

     # niall brady 2023/10/04
     # check if the KB is actually installed
     #
     $result = systeminfo.exe | findstr KB5030310
     if ($result) {
         write-output "Found KB5030310"
         exit 0
     }
     else {
         write-output "Could not find KB5030310"
         exit 1
     }

     Microsoft Win32 Content Prep Tool

     Get the tool here https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool.

     Create an icon for your package (optional)

     Using Google images/Bing images search for Windows Update and pick a graphic that matches what you want this to look like.

     Create intunewin package

     I use a folder layout as follows when creating Win32 apps.

     Win32app_name
     Win32app_source
     Win32app_target

     I place the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe) in the Win32app_name folder, along with any icons used for the app. Next I place the required files (in this case the downloaded MSU file, a PowerShell script and some batch files) into the Win32app_source folder. Once all these are in place we can go ahead and create the intunewin package. You can see the settings I used in the output below. The Intunewin file will end up in the win32app_target folder.

     Create the Win32 app

     In Microsoft Intune, create a new Win32 app and give it a suitable name. Next, point it to the folder containing the previously created intunewin file. Fill in some app information, and select your desired Logo. If making the software available, enter your Program settings. On the App requirements screen make sure that Windows 11 version 22H2 is selected. For detection rules point it to the included PowerShell script by clicking on Use a custom detection script and pointing to the check_for_KB5030310.ps1 PowerShell script in the win32app_source folder. Continue through the wizard and assign it as appropriate to your target Windows 11 version 22H2 devices that you want brought up to build 2361. After creating the app, you can later monitor its progress.

     Job done!

     Related reading

     Copilot released to GA
     How can I disable (or enable) Copilot
     Using remediation scripts to automate a setting for Copilot
     Remediations | Microsoft Learn
     Get Windows Updates as soon as they are available

     see you in the next one

     cheers
     niall.
  15. Introduction

     In a previous blog post I discussed how you can disable (or enable) Microsoft’s new flagship service called Copilot. Copilot is a very hot topic today as it gives the power of AI to all users of Windows. As it’s going to be included with Windows 11 version 23H2 coming later in Q4 you need to start testing it now. To test it you’ll probably want to have two groups of users, those where you’ve disabled Copilot and a smaller subset where you enable it.

     Based on my own testing, in order to automate enabling Copilot you need to have some things in place in your environment right now, and those requirements are listed below.

     Windows 11 version 22H2 with KB5030310 installed
     Turn on the “Get the latest updates as soon as they are available” Windows Update setting
     Locations need to be North America, parts of Asia/South America regions only (for now)

     In this blog post I’ll focus on the second point above highlighted in red, and we’ll solve the problem by using the remediation scripts ability in Microsoft Intune. You can do this other ways, there’s a CSP listed here that probably does the same thing, I’ll test that and update here as appropriate.

     ./Device/Vendor/MSFT/Policy/Config/Update/AllowOptionalContent

     Keep in mind though the text below:

     This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) – learn more by visiting aka.ms/AllowOptionalContent). This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds. These settings are subject to change and may have dependencies on other features or services in preview.

     What we need to automate is flipping the switch shown below from Off to On. The switch is for: Get the latest updates as soon as they’re available, so that it downloads things like Copilot preview bits from Windows Update. This actually sets a registry value to 1 when flipped to On and that’s how we’ll solve it.

     Note: Whether you set the toggle to Off or On, you’ll still get the regular security updates as usual. The toggle determines how quickly you get the additional non-security updates, fixes, feature updates, and improvements.

     Download the scripts

     The scripts used in this blog post are available here, unzip before use. There are 2 scripts in the zip file, one for detection, and another for remediation.

     (image: copilot ux registry key)

     Create the remediation

     As an Intune admin, navigate to Devices, select Windows, select Scripts, ensure you are in Remediations and click on + Create to create a new remediation. Give the remediation a useful name such as Turn ON – Get the latest updates as soon as they’re available. Click next and add the scripts in the highlighted sections here, so that it looks like so; make sure to select Yes for Run script in 64-bit PowerShell. Click through the wizard and select an appropriate Assignment group and schedule. In the example below I previously created a dynamic Azure AD group called All Windows 11 version 22H2 build 2361 based on OSVersion = Version 10.0.22621.2361. I also set the schedule to run hourly, but you can set it any way you wish. Note that this specific version of Windows 11 is only necessary to test Copilot today as this ability will be native to Windows 11 version 23H2 later in Q4. Click Create once done. Next you wait, and review the status after it’s reached your target devices.

     Monitor the remediation

     In the Device Status section of your newly created remediation, you should see the status of all devices targeted by the remediation. Note that it does take some time before this data flows back up to Intune. And after running again it’ll change Detection status to Without issues.

     Verify on target devices

     On a device targeted with this policy, you can review the logs created by the remediation scripts for troubleshooting, they’ll be placed in the following folder:

     C:\ProgramData\IntuneRemediations\Copilot

     Next, verify that the Windows Update setting is indeed turned on, and finally, you can review the registry key that it enables, in

     HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
     IsContinuousInnovationOptedIn = 1

     And of course after this setting is set it will auto download the Copilot bits. So once the required KBs are installed (KB5030310 + KB5030509) and after restarting the targeted device, Copilot is enabled!

     job done!

     Related reading

     Copilot released to GA
     How can I disable (or enable) Copilot
     Remediations | Microsoft Learn
     Get Windows Updates as soon as they are available

     see you in the next one

     cheers
     niall.
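A detection and remediation pair for the toggle described above, written here as an added example; it is not the content of the zip the post links to. It reads and sets the IsContinuousInnovationOptedIn value the post names, handles the case where the value does not exist yet, verifies the write, and logs to the folder the post shows. It assumes both scripts run as 64-bit PowerShell in SYSTEM context (an HKLM write needs that), and the log file names are my own choice.

```powershell
# Added example (not the post's scripts): Intune remediation pair for
# "Get the latest updates as soon as they're available". Assumes 64-bit
# PowerShell in SYSTEM context; registry value and log folder are from the post.
$RegPath = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$RegName = 'IsContinuousInnovationOptedIn'
$LogDir  = 'C:\ProgramData\IntuneRemediations\Copilot'

function Write-RemediationLog {
    # One timestamped line per event, in the folder the post says the scripts log to.
    param([string]$Script, [string]$Message)
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $line = '{0} [{1}] {2}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Script, $Message
    Add-Content -Path (Join-Path $LogDir "$Script.log") -Value $line
}

function Get-OptInState {
    # Returns 1 when the toggle is On, 0 when Off, or $null if the value does not exist yet
    # (a freshly built device may not have it until the Settings page is opened once).
    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$RegName
}

# ---- detection script (upload as the "detection" script) ----
# Exit 1 tells Intune to run the remediation; exit 0 means the device is already compliant.
function Invoke-Detection {
    $state = Get-OptInState
    if ($state -eq 1) {
        Write-RemediationLog 'detect' "$RegName=1, compliant"
        Write-Output 'Compliant'
        return 0
    }
    Write-RemediationLog 'detect' "$RegName is '$state', remediation needed"
    Write-Output 'Not compliant'
    return 1
}

# ---- remediation script (upload as the "remediation" script) ----
function Invoke-Remediation {
    try {
        if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
        Set-ItemProperty -Path $RegPath -Name $RegName -Value 1 -Type DWord
        # Read it back: a silent failure here would otherwise show as "Without issues" later.
        if ((Get-OptInState) -ne 1) { throw 'value did not persist after write' }
        Write-RemediationLog 'remediate' "$RegName set to 1"
        Write-Output 'Remediated'
        return 0
    }
    catch {
        Write-RemediationLog 'remediate' "failed: $($_.Exception.Message)"
        Write-Output "Failed: $($_.Exception.Message)"
        return 1
    }
}

# Keep exactly ONE of these two lines in each uploaded script.
exit (Invoke-Detection)
# exit (Invoke-Remediation)
```

The detection output and exit code are what Intune uses to decide whether to run the remediation, so the two scripts must be uploaded as separate files with the matching exit line enabled in each.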
  16. by reimaging your devices you are removing the value of having them delivered with an image, have you not tried talking to the vendor that supplies your PC's to get a Windows image that you want preinstalled ?
  17. why do you think you need to install Windows at all, surely the hardware vendor is installing Windows on your devices ?
  18. Introduction
TLDR
Available SKUS & Cost
Copilot Availability
Temporary enterprise feature control
Creating policy in Intune
Using Copilot

Introduction

Microsoft held an event last week where they talked a whole lot about Artificial Intelligence (AI) and Microsoft’s own service to connect with AI called Copilot. In this blog post I’ll describe what I’ve learned about Copilot since the announcement and show you how you can enable or disable it via Intune policy. Why would you want to disable Copilot ? There are lots of reasons such as data protection, security, and having control of what your users are doing with this new technology. Rolling it out to approved users to test at first would be a great way to start rather than this showing up on all applicable Windows 11 devices.

TLDR

If you didn’t know already, TLDR is slang for too long, didn’t read. So if you don’t want to read this entire article, read this summary instead. As long as Windows update policies are targeting your Windows 11 version 22H2 devices and as long as they are on build 2361 or later, and as long as they are in the US or other ‘enabled’ regions, Copilot will NOT be enabled on Windows 11 version 22H2. If however you have Windows 11 version 22H2 devices and are on build 2361 or later and they are EXCLUDED from Windows update policies then Copilot WILL be enabled unless you configure policies such as below. Lastly, if you upgrade these devices using the Annual Feature Update to 23H2 in Q4 2023, then Copilot will be enabled.

Available SKUS & Cost

Copilot will be available in 3 SKUs with costs ranging from free to $30 USD per user per month.
Copilot in Windows – Free
Bing Chat Enterprise – $5 standalone, included in Microsoft E3/E5
Microsoft 365 Copilot – $30

The breakdown of those 3 SKUs is listed below:

Copilot Availability

The interesting news in the Windows event blog post was that Copilot would be rolled out to some customers (more of that later) starting Tuesday September 26th for Windows 11 version 22H2 and more broadly as time goes by. It will also be included with Windows 11 version 23H2 when that releases later this fall (Q4 timeframe).

Microsoft Copilot in Windows will be available on September 26. It will empower you to create faster and complete tasks with ease and lessen your cognitive load—making once-complicated tasks simple. We’ve made accessing the power of Copilot seamless as it’s always right there for you on the taskbar or with the Win+C keyboard shortcut, providing assistance alongside all your apps. Copilot in Windows will feature the new Copilot icon, the new Copilot user experience, Bing Chat, and will be available to commercial customers for free.

The detail about which customers it would be rolled out to is in the sub notes of another blog post here. Thanks go to Steven here for that nugget of info.

Copilot in Windows will start to release in preview to select global markets as part of our latest update to Windows 11. The initial markets for the Copilot in Windows preview include North America and parts of Asia and South America. It is our intention to add additional markets over time.

So now we know what’s coming, we need to know what we need in place to see it on production ready Windows 11 devices today. In summary, that should be the following:

Windows 11 version 22H2 with KB5030310 installed
North America, parts of Asia/South America regions only (for now)

September 26th was the release date for this new capability to the general public as long as you are located in the regions mentioned above and it comes in an update listed here.
This update has already started rolling out globally but if you don’t see it yet on your Windows 11 22H2 devices then you can manually install the update from the Microsoft Update Catalog here.

Temporary enterprise feature control

According to this docs site, all Windows 11 version 22H2 releases should be using Temporary Enterprise feature control, meaning that “Features behind temporary enterprise control are automatically disabled for devices that have their Windows updates managed by policies.” Ok, so if that’s the case then any managed Intune devices with Windows updates managed by policies shouldn’t need any further action prior to the release of Windows 11 23H2. Right ? and once 23H2 is released those same devices will get Copilot enabled by default. However, the same article shows the following info.

To verify if the docs above are indeed correct I deployed a new Windows 11 22H2 virtual machine, patched it to the required 2361 build and made sure that it was NOT targeted with policy to either enable (or disable) Copilot.

Note: This device (below) was not targeted by any Windows Update policy from Intune.

The result ? Copilot was ENABLED. Next I did the exact same test on a device that had Windows Update policies deployed to it via Intune, and after updating to build 2361, there was no Copilot enabled. This test has confirmed that the temporary enterprise control feature is working as per the Microsoft docs.

Creating policy in Intune

Now that you know what you need in place to test Copilot, it’s time to take a look at policy creation in Intune. Why would you want to do that ? so that you can have fine control over who can use Copilot and who cannot.

Note: The currently available CSP was released for Windows Insider Preview and therefore may change, if it does I’ll update this blog post.

In Intune create a new device configuration profile and select templates, custom as shown here.
Give the policy a suitable name and fill in the following custom URI, use the following settings:

Name: TurnOffWindowsCopilot
Description:
OMA-URI: ./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot
Data type: Integer
Value: 1

as shown here

Note: If you want to Enable Copilot replace the 1 with 0

Assign the policy to two groups, one where you want to disable the ability and another for excluding this policy. Next, you can optionally set an Applicability rule for OSversion = 10.0.22621.2361 to 10.0.22621.9999 which should cover all versions of Windows 11 version 22H2 for the coming while.

Note: If you want to disable Copilot for Windows 11 23H2 when it releases then adjust the OSVersion accordingly.

Monitoring the policy

Once you’ve deployed the policy you’ll see devices reporting back different results based on your applicability rules, and based on whether the devices meet the requirements for Copilot or not. If you did not specify OSVersion 10.0.22621.2361 as the minimum release then any Windows 11 22H2 devices that get this policy that have not yet updated to build 2361 will report an error (remediation failed). Not Applicable is for versions of Windows that this does not apply to, for example Windows 10, and Success means the policy was successfully applied. On the devices targeted with the policy that are running the correct version of Windows 11 22H2 (build 2361) you should now see the following registry keys.

Using Copilot

The screenshot below is from my Windows Insider preview release, where I enabled Copilot Preview. I asked Copilot to tell me about Niall Brady. The technology is definitely very cool and I’m looking forward to seeing where it goes! That’s all for this blog post, happy Copiloting and thanks to all that responded to this thread on Twitter (yeah I’m still calling it that).
Related reading
https://blogs.windows.com/windowsexperience/2023/09/26/the-most-personal-windows-11-experience-begins-rolling-out-today/
https://www.microsoft.com/en-us/microsoft-365/blog/2023/09/21/announcing-microsoft-365-copilot-general-availability-and-microsoft-365-chat/
https://learn.microsoft.com/en-us/windows/whats-new/temporary-enterprise-feature-control#windows-11-features-with-permanent-enterprise-feature-control
https://support.microsoft.com/en-us/topic/september-26-2023-kb5030310-os-build-22621-2361-preview-363ac1ae-6ea8-41b3-b3cc-22a2a5682faf
https://learn.microsoft.com/en-us/bing-chat-enterprise/manage#turn-off--enterprise
  19. take a look at this https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/implementing-an-ocsp-responder-part-v-high-availability/ba-p/396882
  20. are you sure that that fqdn was pingable before this step, could the system have dropped the ip address or gone asleep ?
  21. well spotted, and here's a tip for everyone to help you find out what these codes mean: start CMTrace.exe (available in the C:\Windows\CCM folder), click on Tools and select Error Lookup; in the window that appears, paste in your error code and click on Lookup. This helps to reveal the reason why something is failing
  22. what happens just before the error ? what server version is it ? which ADK is installed ? is it pure WDS or WDS plus some other functionality ?
  23. then something is not right, if you enable f8 command support then it should work, if it is not then you are working on the wrong boot image to the one in the console
  24. if you have enabled it on the boot image, then redistribute it to the distribution point(s) and try again