BitLocker & BIOS Boot Order

One of the “gotchas” of BitLocker security is that by not having the hard drive first in the boot order within BIOS, can cause BitLocker security to become enacted and thus needing manual entry of the 48-character key upon the next system restart.  This can be a frustration for users who have this happen to them, especially while travelling and unable to reach the help desk.  So, during an OS deployment, make efforts to change the boot order in BIOS.

To do this with HP

• Obtain the BIOSConfigUtility in the Systems Software Manager
• Create a text file named “BootOrder.REPSET”.  The text file contains the below content.  Note that I found it is necessary to define two devices to modify the boot order.

English
Boot Order
     Hard Drive(C:)
     Notebook Upgrade Bay

• Run command

BiosConfigUtility.EXE /SetConfig:BootOrder.REPSET

To do this with Dell

• Obtain the Client Configuration Toolkit
• Run command

cctk.exe bootorder --sequence=hdd

If you find yourself in a position that you did not do this during the initial deployment of the OS, never fear, SCCM is here!  Using task sequences, you can automate the process as to set the hard drive to be first in the boot order and re-seal the TPM by performing the following steps:

1. Suspends BitLocker protection
   
2. Reconfigure the boot order (for HP or Dell)
    
3. Restarts Windows
   
4. Resumes BitLocker protection
   

VBScript to Run SCCM Software Updates Scan

A challenge with installing software updates during a task sequence is that it may occur where not all updates are applied on the first pass.   The workaround is run software updates, run a VB Script or PowerShell script to force another scan, then run a software updates task again.  Others have posted their scripts on this before, so it’s nothing new.  However, I failed trying to quickly locate those scripts.  So I’m just posting my own of what I use….

'==========================================================================
' AUTHOR: Nick Moseley , http://t3chn1ck.wordpress.com
' DATE  : 7/30/2010

' COMMENT: Initiates an SCCM client scan
' Script from http://msdn.microsoft.com/en-us/library/cc144313.aspx
' Updated 7/15/11 to include a sleep before exiting script
'==========================================================================
' Set the required variables. 
actionNameToRun = "Updates Source Scan Cycle"
' Create a CPAppletMgr instance.
Dim oCPAppletMgr
Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr")
' Get the available ClientActions object.
Dim oClientActions
Set oClientActions = oCPAppletMgr.GetClientActions()
' Loop through the available client actions. Run the matching client action when it is found.
Dim oClientAction
For Each oClientAction In oClientActions
 If oClientAction.Name = actionNameToRun Then
  oClientAction.PerformAction  
 End If
Next
' Wait for 3 minutes for scan completion before exiting script
wscript.sleep(180000)

How to Add a Language Pack to Win7 OSD Without MDT

For those whom need to add language packs to a Win7 image build/deployment, but only have SCCM infrastructure (without MDT integration), a TechNet forum posting gives the answer (which I’ve posted below).

1. Create a package and copy each lp.cab file into the root (Just rename each cab so they can all exist in the same folder e.g. de-de.cab for German etc…)
2. In your task sequence, after the Setup windows and ConfigMgr step and before you apply any updates (important) add a Run command line step with the following properties:
   1. Package: The package from step 1
   2. Disable 64-bit file system redirection: Enabled
   3. Command Line: cmd.exe /c dism.exe /online /add-package /PackagePath:”%CD%”

This will add all language packs that exist in the package directory to the installed OS. If you need to add more languages later, just drop a CAB file in the package and update it the command line stays the same. This also has the added benefit of only downloading the package once to install all the required languages. If you specify multiple tasks to do this in the task sequence it has to download each one separately which can add some additional overhead to the time to install.

Differentiating Vostro 360 AIOs

We purchase and use Dell all-in-ones (Vostro line) as the primary desktop in our organization.  The difficulty is that, as consumer hardware, the model can be modified or discontinued at any time without prior notice.  Needless to say it creates headaches from time-to-time.  Recently the Vostro 360 hardware was changed, resulting in the need for new drivers.  Within my SCCM task sequences, I have the install of drivers (within the full OS) limited based upon the name of the model.  The challenge with the Vostro 360 is that they maintained the same exact model name, but had different hardware configurations.  What I found was a main difference between the two types was the Bluetooth hardware ID.  So in addition to querying the model, I added a new query for the Bluetooth hardware.

The point of this post isn’t so much about the Vostro, but more about how I used Win32_PnPEntity to differentiate the two models so that the old config would get one set of drivers and the new config would get the other set of drivers.  In the driver install package step for the task sequence, simply click on the Options tab and add a WMI Query action with the following code:

Select * from Win32_PnPEntity where DeviceID like 'USB\\VID_0CF3&PID_3002%'

Workaround for Installing Office Updates During an Image Build

Ran into an interesting situation with an image build.  I created a custom Office 2010 SP1 install using the OCT.  During execution of my image build task sequence, Software Updates was not detecting any of the updates for Office.  Further diagnosis revealed that the OCT-built install did not put its “hooks” into the Windows Update Agent, therefore neither the SUP or Microsoft Updates could detect for Office updates.  (Side note: once the image was sysprepped, captured, and added into a deployment task sequence, the updates were suddenly available and installed.)

While the cause as to why an OCT-built Office 2010 SP1 install prohibits installation of updates has not been found yet, there is a workaround to run a script that forces Microsoft Update (e.g. WUA) to receive updates for “other products”.  By executing the following VBScript after installing Office, SCCM Software Updates will then be able to install the updates during the image build task sequence.  The original code is from a TechNet blog post, I just added some extra logging for troubleshooting.  Also, if your TS advertisement is configured to “run from server”, then the script will cause the TS to fail.  To get past this, simply copy the script locally first then execute it from that location.

Const ForAppending = 8
Set oFSO = CreateObject ("Scripting.FileSystemObject")
Set oLogFile = oFSO.OpenTextFile ("C:\ConfigOfficeUpdates.txt", ForAppending, True)
oLogFile.WriteLine "Starting execution of VBScript to configure Office to use Microsoft Updates"
Set ServiceManager = CreateObject("Microsoft.Update.ServiceManager")
ServiceManager.ClientApplicationID = "My App" 

' add the Microsoft Update Service by GUID
Set NewUpdateService = ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d",7,"")
oLogFile.WriteLine "Script completed successfully"
wscript.Quit(oLogFile.Close)

Displaying Front-End HTAs within a SCCM Task Sequence

I’ve often heard the phrase “MDT solves problems to issues you didn’t even know you had.”  And it’s certainly true in this case!! 

I was  looking for a process or procedure that would allow me to present my current custom OSD front end HTA to an active end-user who is logged into Windows.  Unfortunately, standard SCCM task sequences don’t allow this to happen.  To workaround this, my first consideration was to run the HTA as a prerequisite of the task sequence, but therein lay another issue with SCCM task sequences – since the HTA was run as a prerequisite Program, it was not technically within the Task Sequence environment and therefore I could not set task sequence variables, etc.

Fortunately the good folks on the MyITForum discussion list were able to steer me in the right direction.  MDT 2010 Update 1 contains a standalone executable (ServiceUI.exe) that allows execution of anything (not just an HTA) within a task sequence and enables the end-user to interact with it.  To utilize ServiceUI without integrating MDT with SCCM, perform the following:

1. Install MDT 2010 Update 1 on your local computer
2. Find ServiceUI.exe (for the appropriate target architecture) and put it into the same directory as your HTA front end script(s)
3. Create a script that will
   a)  Make a copy of the HTA on the local executing computer (only if your advertisement is set to “run from server”)
   b)  Run command: ServiceUI.exe -session:1 %SYS32%\mshta.exe C:\CustomSystemOptions.hta
   Note: it’s important to know that the options “-session:1″ will only work if the user logged into Windows has local admin rights.  My suggestion is to restart Windows and login as the local Administrator account.
4. Update your task sequence to include a “Run Command Line” as the very first item in the task sequence
   a)  Name it something like “Service UI – Custom System Options”
   b)  Set the command line as “TheNameOfYourScript.vbs”
   c)  Use the package which contains your scripts
   d)  CRITICAL: Do not set option “Time-out (minutes)” as this will cause ServiceUI to error!
   e)  On the Options tab, add a condition to check that TS variable “_SMSTSInWinPE” = false

In short, this should be all that you need to get going to display the HTA to end-user.  However, the thing that I do not yet have resolved in this all this is that when connected to a system through RDP, ServiceUI will launch the HTA, but it’s not displayed.  Still gotta figure that one out….and then update this post of course ;-)

OSD Options Chooser v2

The following custom HTA can be used during OSD when imaging computers with SCCM 2007.  It has been updated from my previous version and will do the following:

• Section 1 – for the name to be give to the computer.
• Section 2 – for the technician imaging the computer
• Section 3 – for a ticket number
• Section 4 – for adding a user to the local admins group
• Section 5 – for selecting the computer’s time zone
  Note: additional time zones can be found at http://technet.microsoft.com/en-us/library/cc749073(WS.10).aspx
• Section 6 – for selecting a flavor of Acrobat as post installed software
• Section 7 – for selecting other software to be installed

Note that on the first three sections, if the option is left empty, then after clicking finish a circular prompt is done until a value is added.  Also, they set custom Task Sequence variables which you will need to use later in your process, such as in custom logging or setting a registry key for your organization, etc.

Also, remember to enable HTA support in your boot images – http://t3chn1ck.wordpress.com/2010/01/28/hta-support-in-sccm-boot-images/

<!-- -----------------------------------------------------------
Created by Nick Moseley http://t3chn1ck.wordpress.com
For this script to function, HTA support must have been added into the boot image
See for more information - http://technet.microsoft.com/en-us/library/dd799244.aspx

--------------------------------------------------------------- -->

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>OSD Options Chooser</title>
<HTA:APPLICATION APPLICATIONNAME="OSD Options Chooser" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="normal" BORDER="thin">

<script language="vbscript" type="text/vbscript">

window.resizeTo 375,700
window.moveTo 5,5

Sub FinishClickTasks
'On Error Resume Next
Dim oTaskSequence, oShell, sComputerName, bErrComputerName, bErrTechName, bErrTicketNumber, sCurPath, sKioskName
Set oTaskSequence = CreateObject ("Microsoft.SMS.TSEnvironment")
Set oShell = CreateObject ("WScript.Shell")
sComputerName = UCase(ComputerName.Value)


' Set values inputed from HTA dialog
If sComputerName = "" Then
oTaskSequence ("OSDComputerName") = "null"
Else
oTaskSequence ("OSDComputerName") = sComputerName
End If

If TechName.Value = "" Then
oTaskSequence ("OSDTechName") = "null"
Else
oTaskSequence ("OSDTechName") = TechName.Value
End If
If TicketNumber.Value = "" Then
oTaskSequence ("OSDTicketNumber") = "null"
Else
oTaskSequence ("OSDTicketNumber") = TicketNumber.Value
End If

' Check for errors with the computer name or technician name
Dim sTSVar1, sTSVar2, sTSVar3, bNoErr
sTSVar1 = oTaskSequence("OSDComputerName")
sTSVar2 = oTaskSequence("OSDTechName")
sTSVar3 = oTaskSequence("OSDTicketNumber")
bNoErr = False

If sTSVar1 = "null" Then
bErrComputerName = True
End If
If sTSVar2 = "null" Then
bErrTechName = True
End If
If sTSVar3 = "null" Then
bErrTicketNumber = True
End If

' Display error message
If bErrComputerName And bErrTechName And bErrTicketNumber Then
MsgBox "Error: Computer name, technician name, and Incident or Service Request number cannot be blank.", vbCritical, "Error"
ElseIf bErrComputerName And bErrTechName Then
MsgBox "Error: Computer name and technician name cannot be blank.", vbCritical, "Error"
ElseIf bErrComputerName And bErrTicketNumber Then
MsgBox "Error: Computer name and Incident or Service Request number cannot be blank.", vbCritical, "Error"
ElseIf bErrTechName And bErrTicketNumber Then
MsgBox "Error: Technician name and Incident or Service Request number cannot be blank.", vbCritical, "Error"
ElseIf bErrComputerName Then
MsgBox "Error: Computer name cannot be blank.", vbCritical, "Error"
ElseIf bErrTechName Then
MsgBox "Error: Technician name cannot be blank.", vbCritical, "Error"
ElseIf bErrTicketNumber Then
MsgBox "Error: Incident or Service Request number cannot be blank.", vbCritical, "Error"
End If 

' Loop until end-user enters a value
Do 
If bErrComputerName Then
sComputerName = InputBox ("Please enter a COMPUTER name to continue", "", , 30,30)
If sComputerName <> "" Then
oTaskSequence ("OSDComputerName") = sComputerName
bErrComputerName = False
End If
ElseIf bErrTechName Then
sTechName = InputBox ("Please enter a TECHNICIAN name to continue.", "", , 30,30)
If sTechName <> "" Then 
oTaskSequence ("OSDTechName") = sTechName
bErrTechName = False
End If
ElseIf bErrTicketNumber Then
sTicketNumber = InputBox ("Please enter an Incident or Service Request number to continue.", "", , 30,30)
If sTicketNumber <> "" Then 
oTaskSequence ("OSDTicketNumber") = sTicketNumber
bErrTicketNumber = False
End If
Else
bNoErr = True
End If
Loop Until  bNoErr

' Set local time zone
For Each oTimeZone In TimeZone
If oTimeZone.Checked Then
oTaskSequence("OSDTimeZone") = oTimeZone.value
End If
Next

' UserName to add as a local administrator
If UserName.Value <> "" Then 
oTaskSequence ("OSDAdminUser") = UserName.Value
End If

' Applications to install
' Acrobat
If Acrobat(1).checked Then
oTaskSequence ("OSDAcrobat10") = "standard"
ElseIf Acrobat(2).checked Then
oTaskSequence ("OSDAcrobat10") = "professional"
End If

' Other Apps
If ProjectStd2010.checked Then
oTaskSequence ("OSDProjStd2010") = "true"
End If
If VisioStd2010.checked Then
oTaskSequence ("OSDVisioStd2010") = "true"
End If
If StreetsTrips2010.checked Then
oTaskSequence ("OSDStreetsTrips2010") = "true"
End If

window.close
End Sub
</script>
</head>

<body>
<!-- HTML goes here -->
<body STYLE="font:10 pt arial; color:white; background-color: #336600">

<p>Computer Name<BR>
<input type=text id="ComputerName" name=ComputerName size=45></p>

<p>Technician Name Imaging Computer<BR>
<input type=text id="TechName" name=TechName size=45></p>

<p>Incident or Request Number<BR>
<input type=text id="TicketNumber" name=TicketNumber size=45></p>

<p>Username to add to Local Admin Group (if applicable)<BR>
<input type=text id="UserName" name=UserName size=45></p>

<p><b>Select Time Zone For the Computer</b><br>
<input type="radio" name="TimeZone" value="Pacific Standard Time">PST (US West Coast)<BR>
<input type="radio" name="TimeZone" value="US Mountain Standard Time">AZT (US Arizona)<br>
<input type="radio" name="TimeZone" value="Mountain Standard Time" checked="True">MST (US Mountain)<BR>
<input type="radio" name="TimeZone" value="Central Standard Time">CST (US Central)<BR>
<input type="radio" name="TimeZone" value="Eastern Standard Time">EST (US East Coast)<BR>

<p><b>Select Post Installed Applications</b><br>
<input type="radio" name="Acrobat" checked="True"> Do not install Acrobat<br>
<input type="radio" name="Acrobat"> Adobe Acrobat Standard X<br>
<input type="radio" name="Acrobat"> Adobe Acrobat Professional X<br>
<br>
<input type="checkbox" name="ProjectStd2010"> Microsoft Project Standard 2010<br>
<input type="checkbox" name="StreetsTrips2010"> Microsoft Streets and Trips 2010<br>
<input type="checkbox" name="VisioStd2010"> Microsoft Visio Standard 2010<br>

<p><button accesskey=N type=submit id=buttonFinish onclick=FinishClickTasks>Finish</button>
<br>Created by Nick Moseley, http://t3chn1ck.wordpress.com</font>
</body>
</html>

Scripting Dell TouchPad configurations

We recently received the new Dell E6320 and E6420 laptops.  After deployment of our standard image, which does not contain drivers, we package the full driver installers as provided by the manufacturer.  We found that for these new laptops, scrolling was not automatically enabled for the TouchPad’s.  I would say scrolling is a defacto usability standard.  To enable scrolling for the TouchPad, simply set the following in the registry:

Key: HKLM\SOFTWARE\Alps\Apoint\Button
Value Name: EnableWheel (dword)
Value: 33

Once a user logs into Windows for the first time, the values in HKLM are then sucked into HKCU.  In this way, scrolling is enabled by default but not enforced upon the user.

WinXP Configurations

These are a few things I have done on my WinXP images

System Settings

• Configured Windows XP Tour to Disabled = Set value RunCount (dword) to 0 in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Tour
• Disabled System Restore for the image build process = Set value DisableSR (dword) to 1 in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
• Configured Automatic Updates to Off = Set value NoAutoUpdate (dword) to 1 in HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\
• Configured Event Viewer log files to “Overwrite as necessary” = Set value Retention (dword) to 0 in HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\[Application, Security, System]
• Configured “Wait for network at logon” = Set value SyncForegroundPolicy (dword) to 1 in HKLM\SOFTWARE\Policies\Microsoft\WindowsNT\CurrentVersion\Winlogon\
• Configured Offline Files to be disabled = Set value Enabled (dword) to 0 in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache
• Uninstalled the language bar using command “regsvr32 /u /s /msutb.dll”
• Set WinXP to use Microsoft Update (instead of Windows Update)
• Disabled automatic restart on system failure (BSOD) = Set value AutoReboot (dword) to 0 in HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\

User Settings (see Scripting HKCU Settings for more info)

• Configured task bar to “unlocked” = Set value TaskbarGlomming (dword) to 1 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ and set value TaskbarSizeMove (dword) to 1 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
• Configured highlight newly installed programs to “disabled” = Set value Start_NotifyNewApps (dword) to 0 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
• Configured Desktop Cleanup Wizard to be disabled = Set value NoRun (dword) to 1 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz\
• Configured IE icon on desktop to be hidden = Set value NoInternetIcon (dword) to 1 in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
• Configured Outlook 2003 Navigation Pane order to be Mail, Calendar, Contacts, then Folder List = Set value ModuleOrder (string) to “1,2,3,6,5,4,7,8″ in HKCU\Software\Microsoft\Office\11.0\Outlook\Preferences\

Settings accomplished via Unattend.txt during the XP image build

• [Shell]
  CustomDefaultThemeFile = “C:\Windows\Resources\Themes\CompanyCustom.theme”
• [Unattended]
  hibernation = No
• [Components]
  msnexplr = Off
  OEAccess = Off
  rootautoupdate = On
  zonegames = Off
  deskpaper = Off
• [Display]
  Xresolution = 1024
  Yresolution = 768
• [TerminalServices]
  AllowConnections = 1
• [PCHealth]
  RA_AllowToGetHelp = 0
• [WindowsFirewall]
  Profiles = WindowsFirewall.TurnOffFirewall
• [WindowsFirewall.TurnOffFirewall]
  Mode = 0

Binary Differential Replication for Boot Images

I had a strange issue arise with my production SCCM boot images yesterday after including new drivers.  The package update status would go from Install Pending (version 25) and to Install Retrying (version 24) and back and forth.  In reviewing the distmgr.log file, the following subtle errors were occuring.

• Unpacked folder for package version ENT00001.24 is being used by 9 user(s) currently
• merging temp-delta-0000151c-00000501.rdc to \\SVR01\SMSSIG$\SMSSTAGE\\ENT00001\boot.ENT00001.wim
• failed to read complete data from file
• Invalid old remote file. Might be corrupted
• Failed to copy chunks to temp file. Error code 0x8007054f
• UpdateStagedFile failed; 0x8007054f
• Cannot copy package ENT00001 from C:\Program Files (x86)\Microsoft Configuration Manager\osd\boot\i386\boot.ENT00001.wim to \\SVR01\SMSPKGE$\ENT00001\, Win32 Error = 0

Some SCCM forums seemed to indicate that this was an issue with BDR for image.  To resolve the situation, I did the following

1. Removed all distribution points for the package
2. Enabled boot image property “Disconnect users from distribution points”
   Note: I kept BDR enabled for the boot image; if my process didn’t work, then I was going to disable the setting
3. Updated the distributions points to refresh the package version
4. Added the boot images back onto the distribution points

So far everything looks good and is working….