Config Mangler

I'm trying to buy a certificate for vPro use in 2012. The vendor wants a CSR generated. Where do I do this? Is it in IIS on the main SCCM box or is it on the CA? Can't see any information on this online specifically for 2012.

Is the computer record ok in SCCM? Double click the computer and check if its obsolete or the background is grey. There's also a hot fix for SCCM sp1 which may apply here. I'll post a link later.

This might sound daft but we had a failure like that when we had ££ signs in the password! It liked dollars though!

Looks like it can't see the hard drive. Have these got a raid controller maybe? You'll need to pull the drivers into your boot image if so.

"manage-bde" says it's AES-128. My understanding is that group policy is locked out during deployment, hence why we need to use the reg key change the encryption level to AES-256. So after the TS I am left with an AES-128 encrypted drive, if I decrypt and re-encrypt, without changing anything it sees the registry key and does 256-bit.

Yes the key is created during the build but is ignored in the TS. Looks like a call to Microsoft.

Thanks. Unfortunately the encryptionmethod /4 switch is just plain 256-bit which is what I should be getting. I'm not 1000% sure the key is set during the build so I better do another one to confirm, but the TS certainly doesn't fail.

We have a requirement to set AES-256 cipher strength for Windows 8. In my Windows 7 TS I use this command to set it to 256-bit before the Enable BitLocker step: reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 4 /f This works fine in Windows 7, but Windows 8 ignores the same command and defaults to 128-bit If I decrypt the drive, set the reg key and manually run BitLocker it encrypts as 256-bit. So the key does work, but not inside the task sequence. I may have to log this with Microsoft but any ideas before I do?

Got you now. You could try adding a prompt for OSDComputer name in the TS then it might get the correct computer name earlier. It removes the zero touch element though. We use the asset sticker as the computer name so it's not such a big deal in practice. I'll live with it for the benefits.

The old label command still works e.g. "label c: donaldduck"

So you get the AD recovery key listed under MININT-xxxxxx? Guess you just want to move the Enable BitLocker task till later in the TS where the computer is properly named.

The MS volume licenced installation shows version 7804.

Thanks I didn't think that would do the upgrade but it has given the option to do so. I'm going in! Wish me luck!

Got a link? I don't see it on MS VL or anywhere else.

Got there in the end. Thanks for pointing me in the right direction. I think it did need the pushd / popd in the batch file. In the TS I did: net use z: \\server\share\hpstuff and specified credentials to the share etc. then z:\hpbios.cmd

Hi Peter, Still stuck on this! I have a package with the required files and a batch file with the command line in it. I have added a run command line task and tried every combination of calling the batch file or running the command directly: cmd /c hpbioscommand.bat hpbioscommand.bat BiosConfigUtility.EXE /setconfig:"8200.txt" /cursetuppassword:"password" cmd /c BiosConfigUtility.EXE /setconfig:"8200.txt" /cursetuppassword:"password" Install.cmd sits in the package folder and contains the command line I am now getting error 0x80004005 - it's like it can't find the source but everything is up to date. ProgramName = 'cmd /c hpbioscommand.bat' SwdAction = '0001' Found the location for the package _SMSTSLAB00071. The location is on !sPackageLocation.empty(), HRESULT=80004005 (e:\nts_sccm_release\sms\framework\tscore\resolvesource.cpp,3236) TS::Utility::ResolveSource(pszPkgID, sPath, 0, hUserToken, sUserName.empty() ? NULL : sUserName.c_str(), sUserName.empty() ? NULL : sUserPassword.c_str()), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\runcommandline.cpp,395) cmd.Execute(pszPkgID, sProgramName, dwCmdLineExitCode), HRESULT=80004005 (e:\nts_sccm_release\sms\client\osdeployment\installsoftware\main.cpp,372) Failed to read _SMSTSLAB00071 from theenvironment. Code 0x80004005 Failed to resolve the source for SMS PKGID=LAB00071, hr=0x80004005 Install Software failed to run command line, hr=0x80004005"

I'm having problems running the HP BIOS tools in a SCCM 2012 task sequence. The TS fails and the logs say: "The step (HP AHCI) must be running in full OS TSManager 15/11/2012 11:40:58 1640 (0x0668)" Failed to run the action: HP AHCI. The request is not supported. (Error: 80070032; Source: Windows) TSManager 15/11/2012 11:40:58 1640 (0x0668) Now this is not true. The software is supported by HP on WinPE. Also, I can hit F8 when in PE and can run the BIOS command from a mapped drive or a USB stuck and it works perfectly well and makes the BIOS change I need. So it is only in a TS that it does not work. The change I want to make is to switch the storage driver mode from a legacy setting of IDE to AHCI. I have to do this in PE before the device drivers stage so that the AHCI driver gets installed. Any thoughts? I'll probably log this with HP, but if it's just not possible, will there be any noticable effect on performance in IDE mode. I'm thinking it will be negligable on a standard corporate desktop.

Niall do you know if the pre-provisioning feature works on Windows 7?

Is Oracle VM compatible? I don't know. Try a physical machine. Second thought is try reloading the boot wim - software library / boot images / properties / images tab -> reload

Probably not relevant to you but I saw this today on a laptop which was encrypting the disk. When I paused BitLocker the apps would install. It might point at system resources issue in general though.

We do this by importing the MAC and final computer name into SCCM and the build will rename the computer automatically. This works well except when using a CD build. We have found that it does not rename the computer from MININT-xxxxxxx to the proper name in maybe 10% of cases. This was logged with MS Premier support and has been accepted as a bug. A fix will be included in SCCM 2012 SP1 due in October. There is no problem when using a client or PXE build.

Early in the build the time is indeed set to the future! I though this was a problem too and was causing failed domain joins but it's not that. If you run a command prompt where it has failed, the computer name is still MINI-NTxxxx - in our build and probably yours, we join specific OU's based on the computer name and it will fail if it's not the proper name e.g. WS12345. I think this is a bug in 2012. When it fails, the computer record in SCCM looks fine, i.e. not obsolete or grey, I have deleted the computer from AD and SCCM, deleted an unknown recrod and checked for duplicate MAC addresses. I have left it for days but the same computer can fail to build / rename. We have no control over the rename process, it should just work so I'm going to log a Premier support call on this as it's a big issue. It would be interesting if anyone else can replicate i.e. is the computer still called MINI-NTxxxx when a failed domian join occurs.

These are the settings I'm using in unattend.xml - I'm not using MDT though - just straight into the WAIK. This works for me. <component name="Microsoft-Windows-International-Core" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <InputLocale>0809:00000809</InputLocale> <SystemLocale>en-GB</SystemLocale> <UILanguage>en-GB</UILanguage> <UserLocale>en-GB</UserLocale> </component>

Right-click on the task sequence and choose "Create task sequence media" to make a bootable DVD

Same issue here, though I hadn't realised it was the IEAK build that was at fault. Still at least it's coinsistent! I don't think IEAK is supported so we may not see a hotfix for this one. I'm just changing permissions to the folder with a cacls script to get around it.