Change BitLocker Drive encryption to XTS-AES 256 during OSD with #ConfigMgr

Windows 10 Current Branch (1607 & 1703) is using a default drive encryption of XTS-AES 128 if you encrypt the disk during OSD using ConfigMgr Current Branch.
001

Command above: manage-bde -status

Some customer maybe have the requirement to change the default to a different mode like XTS-AES 256.

This can be changed using a GPO or CIs in ConfigMgr but then you have first to decrypt the disk, assign the new policy and encrypt the disk again. This is annoying and not very user & admin friendly.

Since a while ConfigMgr is using an option called Pre-provision Bitlocker. This step in the TS is encrypting only the currently used diskspace. As it is in WinPE this is a very small part of the disk and also a quick step. But this step is using the command “manage-bde.exe  -on C: -used” and you are not able to change the encryption method.

Solution

To change the method to XTS-AES 256 or a different method, use following registry key just before the Pre-provision BitLocker step:

cmd /c reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f

The DWORD value 7 ist setting the method to XTS-AES 256. Use the list bellow to assign a different method:

Value 3, AES_128:
The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an AES key size of 128 bits.

Value 4, AES_256
The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an AES key size of 256 bits.

Value 6, XTS_AES128 *
The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an XTS-AES key size of 128 bits. – This is the default of Windows PE 10.0.586.0 (1511 Release)

Value 7, XTS_AES256 *
The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an XTS-AES key size of 256 bits.

* Only supported for deployments of Windows 10 images build version 1511 or higher

The Task Sequence step I used is a command line and is configured to run just before “Pre-provision” BitLocker:

004005

This has been testet with the Windows 10 Enterprise Builds 1607 (Anniversary) & 1703 (Creators).

Disable OneDrive in #Windows10 1607 and #Office365

I know, most of you (including me) using OneDrive or OneDrive for Business in your environment. But in some cases customers won’t allow users to save stuff on OneDrive or won’t let them connect to this service.

If you plan to disable OneDrive in Windows 10 1607 and Office365 Version 16 you have to consider two steps. Disabling it in the File Explorer of Windows 10 and the second point is preventing Office to offer for saving stuff to OneDrive.

All that can be done using a single group policy. Create a group policy and name it with your preferred naming convention. If you use the loop back mode you can use just one policy for computers and user settings.

First: Navigate to Computer Configuration\AdministrativeTemplates\Windows Componets\OneDrive\ and enable “Prevent the usage of OneDrive for file storage”. This will disable OneDrive in File Explorer and removes the cloud icon in the status bar of your Windows Clients.

1

Second: Navigate to Users Configuration\Preferences\Windows Settings\Registry and add a new Registry item. Create a new key with the following settings:

Hive: HYEY_Current_User
Key path: Software\Microsoft\Office\16.0\Common\Internet
Value Name: OnlineStorage
Value Type: Reg_DWORD
Value: 3
Base: Decimal

2
3

This key disables the option to save files on additional Online Storage such as OneDrive. Of course you won’t be abele to use SharePoint Online as well. Assign the policy to your computers and test it.

The result in the Office365 applications such as Word, Excel, PowerPoint, etc… is like that:

(Save as)
4

Thanks for the hint @ericatoelle on http://ericatoelle.com/2016/manage-save-as-locations-in-office-2016/

Let me know if you have any questions regarding this.

 

 

 

Still buggy: #ConfigMgr Current Branch 1610 – download still hangs in the console

I thought that some bugs will be fixed during the time. Ok, sometimes it happens with a new KB :-).

Today I had to upgrade a 2012 R2 ConfigMgr Server to 1606 and then 1610. 1606 is not an big deal as you have the baseline ISO for that. After that you will receive the 1610 in the console. But it hangs still with the status “Downloading”.

As one solution you will find to restart the SMS_Executive. But with restartig the service you won’t still be able to install the CB 1610. Restarting the SMS_Executive restarts also the SMS_DMP_Downloader and you can follow the process using the dmpdwonloader.log under the log folder from your Primary Site server.

In that log you recognize that some cab files can’t be downloaded. All sources will be downloaded to the CM “Program Files\Microsoft Configuration Manager\EasySetupPayload” folder. The log shows you the download link of the mssing root cab file and also the used proxy server. Copy that link to your preferred browser link bar and download the cab file. Place it in the EasySetupPayload folder. – Restart SMS_Executive. The download will continue after 1-2 minutes.

In my case was ConfigMgr not able to download all the prereq tools to the “redist” folder. Some where Ok, but not all. 14 tools where still missing. If you have the same issue, navigate to \EasySetupPayload\”extractedCABName”\SMSSETUP\BIN\x64 and run setupdl.exe to download all the Prereq tools. You can directly download the contet to the \EasySetupPayload\”extractedCABName”\redist folder.

Restart the SMS_Executive Service again. The Configuration Manager 1610 Update should now switch to the status Available.

configmgr

Have fun installing 1610.

 

 

 

#ConfigMgr 1702 released – Enable FastRing

Yesterday Microsoft released the new Current Branch version 1702 of ConfigMgr. The update will bring a lot of new features. For a detailed overview visit the docs.microsoft.com site.

Be aware that the support for following products dropped with the version 1702:

SQL Server 2008 R2, for site database servers. Deprecation of support was first announced on July 10, 2015. This version of SQL Server remains supported when you use a Configuration Manager version prior to version 1702.

  • Windows Server 2008 R2, for site system servers and most site system roles. Deprecation of support was first announced on July 10, 2015. This version of Windows remains supported when you use a Configuration Manager version prior to version 1702.
  • Windows Server 2008, for site system servers and most site system roles. Deprecation of support was first announced on July 10, 2015.
  • Windows XP Embedded, as a client operating system. Deprecation was first announced on July 10, 2015. This version of Windows remains supported when you use a Configuration Manager version prior to version 1702.

 

If you’re not seeing the update in you console and your ConfigMgr Server is running in the online mode using the Service Connection Point (available with Version 1602 and later) , you can enable the Fast Ring using the TechNet gallery PowerShell script.

2017-03-28 07_37_02-S2023 - ConfigMgr

  • Force an update check in the CM console
  • The new update starts to download. You can verify that in the dmpdownloader.log file.

After the upgrade you will have installed following version numbers:

Version 1702
Console Version 5.000.8498.1400
Site Version:5.0.8498.1000

Step-by-step configuring Enterprise State Roaming (ESR) with Azure AD Connect Password sync

During the last couple of month, we had a lot of discussions with our customers regarding the new modern way to roam user settings. I’m sure that you agree with me, that roaming profiles are a legacy way to do this.

Microsoft introduced Enterprise State Roaming a while ago. First a consumer version was available when Windows 8 was released. Microsoft accounts did roam user settings to the cloud. Settings like Wi-Fi Profiles, Internet Explorer Settings and Start menu configurations where roamed.

With ESR you can now roam settings to Azure in a professional enterprise way. Some prerequisites are necessary when you would use Domain Joined Devices to roaming user settings:

  • Licensing: Azure AD Premium Plan / or EM&S Licenses
  • Azure AD Connect latest version
  • Device Write back activated in Azure AD Connect
  • Password sync enabled in Azure AD Connect
  • ESR enabled on the Azure Tenant
  • Windows 10 Enterprise 1607 / Windows Server 2016
  • Domain Joined Devices

2017-02-07-08_04_21-s2021-dc

Let’s have a look at the implementation steps:

Step 1: Get Licenses

The first step is to activate a trial license of an Azure AD Premium plan. You can use an Azure AD P1 or P2 or even an EM&S. EM&S is not available for trial. For large enterprises contact your CSP to assign you some EM&S trial licenses to your tenant. Without an active plan, you won’t be able to enable ESR on Azure.

Step 2: Enable ESR on the Azure AD tenant

Go to your old Azure portal (manage.windowsazure.com) and login as a global admin. Under your directory select “CONFIGURE” and navigate to “devices”. “Enable the Users may sync settings and enterprise app data” option. You can select an Azure AD Group or allow ALL users to sync settings.
1-active-directory-microsoft-azure-and-4-more-pages-%e2%80%8e-microsoft-edge

Step 3: Configure your local AD

During the setup, you need to configure device write back in your On-Prem Active Directory. Use the PowerShell scripts bellow to enable device writeback:

Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory\Connect\AdPrep\AdSyncPrep.psm1"

$ aadAdminCred = Get-Credential

Initialize-ADSyncDomainJoinedComputerSync AdConnectorAccount [connector account name] -AzaadAdminCred;ureADCredentials $

When you run $aadAdminCred = Get-Credential, you are required to type a user name. For the user name, use the following format: user@example.com

When you run the Initialize-ADSyncDomainJoinedComputerSync cmdlet, replace [connector account name] with the domain account that’s used in the Active Directory connector account. This is based on the MS article here.

Step 4: Register your devices

I’m not covering the part when you use AD FS. This is a different way to do this and you will need to setup some clame rules on your AD FS Servers. Please follow the steps in the above link under step 3.

In a no federated scenario you need some requirement do have a device registered automatically:

  • You are either running Windows 10 and Windows Server 2016 on your device
  • Your devices are domain-joined
  • Password sync using Azure AD Connect is enabled

If all of these requirements are satisfied, you don’t have to do anything to get your devices registered.

Registerd devices appearing after that in you on-Prem AD under the root\RegisteredDevices. Make sure you have Device Wirteback enabled on your Azure AD Connect configuration.

2017-02-06-15_59_38-s2021-dc

Step 5: Create a Group Policy object to control the rollout of automatic registration

To control the rollout of automatic registration of domain-joined computers with Azure AD, you have to deploy the Register domain-joined computers as devices Group Policy to the computers you want to register.

GPO to enable: Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration. Right-click Register domain joined computers as devices and “Enable” the policy.

2017-02-06-16_05_30-s2021-dc

During a reboot or a user’s sign in to Windows the device will be registered to Azure and written back to the On-Prem Active directory. You will not be able to see the device name in the dsa.msc. For that launch the Active Directory Administrative Center where you have an additional row of the devices “Display name”.

2017-02-06-16_13_01-s2021-dc

Step 6: Usage

When a user now logs in to his domain joined (or Azure AD joined)  Windows 10 machine using his UPN, the user account is added to the users profile and visible under Settings – Accounts – Email & App accounts as a Work Account.

2017-02-06-16_20_05-hwa10001

The user sync setting is enabled by default and users can change this options. Under Settings – Accounts – Sync your settings you will also recognize that the users UPN is used to sync all the settings.

2017-02-07-07_51_20-hwa10001

Conclusion::

Try it out! You will recognize that settings are changed immediately. For example, change the wallpaper, the taskbar position or even Internet Explorer favorites. This is a great feature for roam user settings across enterprise devices. The next step will be to use conditional access for those users:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access

First look at the new #OneDrive Admin Center (Preview)

The new OneDrive Admin Center Preview  is now available since a few days. During the past it was just a pain in the a** for admins to manage the OneDrive for Business settings. This has pretty changed a with the new portal which is not yet GA.

If your tenant already has been upgraded then you will be able to access your portal with a Global Admin account using the URL https://admin.onedrive.com

Let’s have a look on the settings.

Home Tab
The home tabs shows just the welcome message.

2017-01-09-11_38_02-onedrive-for-business-admin-preview-internet-explorer

Sharing Tab
On the sharing tab you find all the settings for sharing files outside of your organization. Let them share files outside the company using OneDrive or SharePoint, setting up sharing links, anonymous accces, limiting sharing to a sepzific domainand also what external users can do.

onedrive-for-business-admin-preview-sharing

Sync
The sync tab allows the admin to have control over the syncing settings. Also you have a link for downloading always the latest and newest OneDrive Client and another link to the support.office.com website to see the latest syncing issues.

Following options can be configured:

  • let users install the sync client from the OneDrive website
  • Allow syncing onlx PCs joined to specific domain
    • Enter a GUID for your domain(s)
  • Block syncing of specific file types
    • Enter file extentions you don’t want. For example mp3

onedrive-for-business-admin-preview-sync

Storage
Use the storage tab to configure the limits of the users storage. Default OneDrive value is 1024 MB. In here you can also set the retention time for accounts that have been marked as deleted.

Device Access
These settings applies to OneDrive an SharePoint.

  • Control Access based on a network location
    • Enter here your IP addresses or ranges for access to OneDrive. IPv4 & IPv6 is supported.
  • Mobile Application Management trough Intune is supported. You need an Intune license to use this option.

onedrive-for-business-admin-preview-intune

After assigning an Intune license to your GA Account you will be able to modify the settings for device management. This is an disadvantage in my point of view. It should be possible to change settings as admin without having any licenses applied.

Compliance
A few regulatory, legal and technical standards for OneDrive can be set here. This part helps to protect your data and preform security standard settings.

  • Auditing
    • View users activities related to OneDrive – deleted, shared, moved files
    • DLP – Data loss prevention, protect your organizations sensitive data
    • Configure retention policies
    • eDiscovery for emails, documents an Skype for Business conversations
    • Alerting, user and admin logs will be created

Note also the title of the page which gives you a hint to the Security and Compliance Center of Office 365.

I’m pretty sure that the new portal will be integrated into the Office 365 Admin Center. Until then, the admin portal is a good way to manage your OneDrive settings. Try it out today.

 

 

 

 

An easy way to add Langauge Packs to Windows 10 1511

Today I would like to show you how you can add Language Packs to Windows 10 Current Branch 1511 with using the Windows Imaging and Configuration Designer. This nice tool is a part of the new ADK’s and available since a while.

With the Windows Imaging and Configuration Designer, short WICD, you’re able to create pkkg Files. This files can be deployed to Windows Desktops or even Windows Mobile Devices.

First make sure you have the right ADK installed. Download it from here. It is still recommended to use the “older” version instead of the 1511 ADK. For more details check this links:
https://blogs.technet.microsoft.com/configmgrteam/2015/11/20/issue-with-the-windows-adk-for-windows-10-version-1511/

Also download the correct version of the Language packs. There is dedicated ISO available for Windows 10 1511 which contains x86 and x64 LPs. Mount the ISO and copy the required lp.cab files to a shared folder. You can use a single folder and rename the LPs instead of using subfolders. (Just rename each cab so they can all exist in the same folder e.g. de-de.cab for German etc…).

This could look like this:

0.1

Start the WICD and create a new provisioning package and save the project to a share.

1

2

Hit next for the “Next” options

3
Select “Common to all Windows desktop editions” and click “Next”

4.PNG
Leave this blank and click “Finish”

5.PNG

On the newly created project expand the Deployment assets – Language packages and browse to your LP cab files. You have to select each LP for import. in my case I only use one single LP – German. Name it and click Add at the bottom.

Now you can create the PPKG file. On the Menu select Export and then “Provision package”. On the “Build” windows click Next (or change the settings if you like).

7.PNG

Do not encrypt the ppkg file for now. Select where to save the ppkg package
8

Hit Build to build the package
9
10