

Config Mangler

Established Members
  • Posts: 157
  • Days Won: 3

Everything posted by Config Mangler

  1. Thanks, I just wanted a sanity check before I did much more on this. PXE is working now and we nearly have a full SCCM build for the Surface 3. Did you go as far as encryption? It encrypts with TPM / PIN and stores the recovery key in AD but when I enter the PIN at start-up I get the message "Too many PIN entry attempts" on the first attempt and have to use the recovery key to get in. I sense a Premier Support call coming.......
  2. I'm just starting out imaging the Surface Pro 3 with SCCM 2012 R2. Do you know if it needs Server 2012 for PXE boot to work?
  3. I don't know if this is related as it's not MBAM, but we found that since SCCM SP1 or maybe R2, TPM passwords were no longer being stored in AD. We have since found this needs an AD schema change. Effectively you need Server 2012.
  4. You'll need to import the drivers for your RAID card into the WINPE boot image.
  5. x80070570 translates to - The file or directory is corrupted and unreadable
  6. @Rusty You use AppLocker to whitelist store apps. Unlike the rest of this stuff it's fairly well documented and works! Like you I looked at getting hold of App-x installers for Twitter, Kindle etc. but there were no obvious downloads so really I think you have to link to the store.
  7. We were told by MS that Sideloading was to be deprecated under Win 8.1u1. You now import the apps into SCCM from a Store connected machine with that app installed, or as above import your own APP-X
  8. Memory usage on the SCCM server is what slows down our console response. Reboot the server and look at limiting the SQL memory allocation
  9. Thanks for that Remco. It saved me a lot of time mucking about with .NET versions. I had a Dell Venue 11 Pro 7130 with the 9.18 video driver and Software Center crashed every time. Reverted to VGA and it worked straight away. Now the hunt for a working driver begins!
  10. I have not experienced the slow driver problem. Is it the same with various models of hardware? Maybe clear out your drivers to a minimum and build back up if that's not too much work! For your second issue, how far is it getting? Is it joining the domain? Is your TS using the updated SCCM client package? Do you have an unattend.xml and does it work? Post your SMSTS.LOG
  11. Hope this isn't a repost. Watch out for this if you are doing an in-place upgrade using the SCCM Software Centre on XP. This has stopped our XP -> Win 7 rollout in its tracks and I would advise not upgrading to R2 until this is fixed. When you do an OSD it copies down the boot.wim and you get error 800700C1:

      Executing command line: "C:\_SMSTaskSequence\WinPE\SMS\bin\i386\bootsect.exe" /NT60 SYS /MBR

      Since R2, bootsect.exe is not compatible with XP. To make matters worse, when you reboot the XP machine you get NTLDR not found and the machine is a brick. There is a relatively easy workaround which is replacing the bootsect.exe in the boot.wim with an older one, but it's not supported and I don't know what else is affected. I'll try this in my lab but have logged a MS premier call for advice. It's supposed to be fixed in SCCM 2012 R2 CU1: http://social.technet.microsoft.com/Forums/en-US/6e934990-999a-4367-860a-3ce4e5eda956/sccm-2012-r2-error-0x800700c1?forum=configmanagerosd
  12. Not sure about PXE, but for the drivers, make sure you are using the NDIS 6.3 drivers in the boot image, i.e. Windows 8 drivers. If it has the Intel i217 card you need to use e1d63x64.inf or x86 as appropriate. I'm assuming you're on at least SCCM 2012 SP1 here.
  13. I would try the WMI QUERY listed by peter33. I must say you are making life hard for yourself here and maybe introducing unnecessary complexity and also a point of failure. Just pull in the latest drivers and review critical driver updates periodically.
  14. Assuming the NAA is not locked out etc. the easiest test to do is do a new task sequence. That will force you to validate the NAA as you do it and enter a valid OU etc.
  15. Got you. Touch works but you need the keyboard to pop up to enter the computer name and password. We don't use a password on PXE and pre-populate SCCM with the computer name vs MAC address so don't enter anything. We use cheap Belkin USB 4 port unpowered adapters as well as the dock and they have worked with everything. I built a similar Panasonic toughbook and it was 64 bit drivers only so yes that might be worth a shot.
  16. What model of tablet is it? It might need a BIOS update. Why do you need this? I presume you're building them on a dock anyway so having a keyboard available is no big deal.
  17. Thought I would share this. We have managed to shave 20 minutes off an i5 laptop build and 60 minutes off an Atom tablet build by turning off power savings during the build. I just added a package / batch file with the following entries.

      c:\windows\system32\powercfg.exe -change -monitor-timeout-ac 0
      c:\windows\system32\powercfg.exe -change -monitor-timeout-dc 0
      c:\windows\system32\powercfg.exe -change -disk-timeout-ac 0
      c:\windows\system32\powercfg.exe -change -disk-timeout-dc 0
      c:\windows\system32\powercfg.exe -change -standby-timeout-ac 0
      c:\windows\system32\powercfg.exe -change -standby-timeout-dc 0
      c:\windows\system32\powercfg.exe -change -hibernate-timeout-ac 0
      c:\windows\system32\powercfg.exe -change -hibernate-timeout-dc 0

      This also fixed terrible build problems with the Atom where builds could sometimes take three days to complete! I was sure that SCCM disabled any power savings during a build but it looks like this is not the case. We run another batch file at the end to revert the settings.
  18. Have you imported the computer information for that VM? Right-click on Devices, Import Computer, Single Computer and add the mac address etc....
  19. Indeed it is. I had to turn off PTT in the BIOS for the TPM to be recognised at all. If you leave it enabled you get "arithmetic result exceeded 32 bits" when trying to enable BitLocker!
  20. Yes, the Samsung Ativ, Lenovo X230, in fact everything I've tried except the Dell store their key in AD using the same TS. Yes, the Dell is joining the domain. Yes, the msTPM value is empty <not set>. A complication on the Dell is that it has two devices under Security Devices: Intel® Atom Processor Z2760 Security Engine & TPM 1.2. I have had problems before where a manufacturer's TPM driver is used so I have modified the build to enable just the TPM 1.2 module but I get the same result. I do think this area is where the problem lies though.
  21. No luck. I added the two REG keys suggested before the Enable Bitlocker step. The keys were created but the recovery key was not stored in AD. A successful build on different hardware does not create those registry keys itself and the key does get stored in AD. The SMSTS log looks the same to me on both builds.
  22. Surely that is what the Enable BitLocker part of the TS does and you shouldn't have to configure that yourself. Are you manually setting those keys as well? I will check the log for those entries on a working machine which does store the key in AD and I'll try adding those keys before "Enable BitLocker" in the TS.
  23. Here's the guide if anyone else is unclear: https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=21742 Basically you request the cert from IIS on the SCCM box using the fqdn of the sccm box as the Common Name.
  24. Thanks. Log attached. It runs the command about 11:38. Also the output from bde status is:

      Volume C: [Windows] [OS Volume]
      Size: 57.29 GB
      BitLocker Version: 2.0
      Conversion Status: Used Space Only Encrypted
      Percentage Encrypted: 100.0%
      Encryption Method: AES 128
      Protection Status: Protection Off
      Lock Status: Unlocked
      Identification Field: Unknown
      Key Protectors: None Found

      I can manually activate BitLocker after this; it prompts to save a recovery key and protection status changes to ON. So the TPM side of things is ok.

      smsts.log
  25. I am getting the same on Dell Latitude 10 (UEFI) hardware i.e. it will not save the recovery password to AD. The TS does not fail and "manage-bde -status c:" shows it as encrypted but with a warning against the disk as there is no recovery key. The Samsung Slate 7 / ATIV will correctly store the key in AD on the same Windows 8 task sequence. Is it the pre-provisioning task which is at fault here and are people treating this as a bug in SCCM which should be logged with Microsoft? Are there any useful logs for BitLocker other than event viewer? The Dell only has a 64Gb SSD so encrypting it the old fashioned way is probably no big deal if I have to go that way.