#ConfigMgr and Unknown Computer – SMSPXE.log displays a “Rejected” entry

Hi everybody!

Let’s talk about Unknown Computer Support in ConfigMgr Current Branch. I’m personally not a big fan of this feature, but some customer have a requirement to enable this option and that’s OK .

In one case we had to enable this because the customer missed to get a hardware list from his hardware vendor and was not able to do a bulk import of the devices to ConfigMgr. So we decided to build a service which is using PowerShell in a WIM to create a computer asset in the CMDB. The other reason to enable “Unknown Computer” support can be, the issue with DELL SMBIOS GUIDs.
If you boot some DELL devices (also new models like Latitude 7280), you receive a different SMBIOS GUID on the Screen of the Device compared to the one you get with WMI or in the SMSPXE.log of the Distribution Point. Here an example:

DELL Screen:
2017-07-05 21_38_52-20170705_124207.jpg ‎- Photos

SMSPXE.log
2017-07-05 21_39_27

This can be a reasons to enable Unknown Computer support. But I’m still not a fan of. Why? Normally when you PXE boot a Unknown Computer it will create a new entry in the Console called “Unknown”. To find all the current Unknown devices select the Devices and filter them by “Unknown”:

2017-07-05 21_31_19-srvitsm33vm - Remote Desktop Connection - __Remote

But not all devices are listet – for some reason and I couldn’t find out why. Reply to me if you have some information’s about.

If you now would like to boot the device again as Unknown, you won’t be able and the SMSPXE.log will show you a “Rejected” message for the specific SMBIOS GUID.

No advertisement found, No boot action, Rejected, Not serviced
 2017-07-05 21_43_34-Remote

You can do any queries to find the MAC or the SMBIOS GUID of the device in the Console (GUI), but you won’t find any entries.
To get that sorted, start the SQL Management Studio and navigate to your CM_SiteCode Database. There select “Tables” and scroll down to the table called dbo.LastPXEAdvertisement. You can right click the table and show the first 1000 entries. This will list you a few entries and hopefully your SMBIOS will be listet there.

Run the following query to get your SMBIOS GUID (for your own use, change the bold entries, DB name and GUID)

select * from [CM_ABC].[dbo].[LastPXEAdvertisement]
where
SMBIOS_GUID = ‘4C4C4544-0037-4E10-8047-B4C04F425331

To delete the PXE flag for the Unknown device run the following script:
Be careful with deleting entries from any databases. This is a workaround. Make sure you’re aware what you do!

delete from [CM_M01].[dbo].[LastPXEAdvertisement]
where
SMBIOS_GUID = ‘4C4C4544-0037-4E10-8047-B4C04F425331

This is how you will be able to boot the device again as Unknown Computer. Each PXE flag also get an Advertisement ID from your deployed Task Sequence. You can find this entry in the same table called LastPXEAdvertisementID.

Hope this helps.

 

Change BitLocker Drive encryption to XTS-AES 256 during OSD with #ConfigMgr

Windows 10 Current Branch (1607 & 1703) is using a default drive encryption of XTS-AES 128 if you encrypt the disk during OSD using ConfigMgr Current Branch.
001

Command above: manage-bde -status

Some customer maybe have the requirement to change the default to a different mode like XTS-AES 256.

This can be changed using a GPO or CIs in ConfigMgr but then you have first to decrypt the disk, assign the new policy and encrypt the disk again. This is annoying and not very user & admin friendly.

Since a while ConfigMgr is using an option called Pre-provision Bitlocker. This step in the TS is encrypting only the currently used diskspace. As it is in WinPE this is a very small part of the disk and also a quick step. But this step is using the command “manage-bde.exe  -on C: -used” and you are not able to change the encryption method.

Solution

To change the method to XTS-AES 256 or a different method, use following registry key just before the Pre-provision BitLocker step:

cmd /c reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EncryptionMethod /t REG_DWORD /d 7 /f

The DWORD value 7 ist setting the method to XTS-AES 256. Use the list bellow to assign a different method:

Value 3, AES_128:
The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an AES key size of 128 bits.

Value 4, AES_256
The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an AES key size of 256 bits.

Value 6, XTS_AES128 *
The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an XTS-AES key size of 128 bits. – This is the default of Windows PE 10.0.586.0 (1511 Release)

Value 7, XTS_AES256 *
The volume has been fully or partially encrypted with the Advanced Encryption Standard (AES) algorithm, using an XTS-AES key size of 256 bits.

* Only supported for deployments of Windows 10 images build version 1511 or higher

The Task Sequence step I used is a command line and is configured to run just before “Pre-provision” BitLocker:

004005

This has been testet with the Windows 10 Enterprise Builds 1607 (Anniversary) & 1703 (Creators).

Disable OneDrive in #Windows10 1607 and #Office365

I know, most of you (including me) using OneDrive or OneDrive for Business in your environment. But in some cases customers won’t allow users to save stuff on OneDrive or won’t let them connect to this service.

If you plan to disable OneDrive in Windows 10 1607 and Office365 Version 16 you have to consider two steps. Disabling it in the File Explorer of Windows 10 and the second point is preventing Office to offer for saving stuff to OneDrive.

All that can be done using a single group policy. Create a group policy and name it with your preferred naming convention. If you use the loop back mode you can use just one policy for computers and user settings.

First: Navigate to Computer Configuration\AdministrativeTemplates\Windows Componets\OneDrive\ and enable “Prevent the usage of OneDrive for file storage”. This will disable OneDrive in File Explorer and removes the cloud icon in the status bar of your Windows Clients.

1

Second: Navigate to Users Configuration\Preferences\Windows Settings\Registry and add a new Registry item. Create a new key with the following settings:

Hive: HYEY_Current_User
Key path: Software\Microsoft\Office\16.0\Common\Internet
Value Name: OnlineStorage
Value Type: Reg_DWORD
Value: 3
Base: Decimal

2
3

This key disables the option to save files on additional Online Storage such as OneDrive. Of course you won’t be abele to use SharePoint Online as well. Assign the policy to your computers and test it.

The result in the Office365 applications such as Word, Excel, PowerPoint, etc… is like that:

(Save as)
4

Thanks for the hint @ericatoelle on http://ericatoelle.com/2016/manage-save-as-locations-in-office-2016/

Let me know if you have any questions regarding this.

 

 

 

An easy way to add Langauge Packs to Windows 10 1511

Today I would like to show you how you can add Language Packs to Windows 10 Current Branch 1511 with using the Windows Imaging and Configuration Designer. This nice tool is a part of the new ADK’s and available since a while.

With the Windows Imaging and Configuration Designer, short WICD, you’re able to create pkkg Files. This files can be deployed to Windows Desktops or even Windows Mobile Devices.

First make sure you have the right ADK installed. Download it from here. It is still recommended to use the “older” version instead of the 1511 ADK. For more details check this links:
https://blogs.technet.microsoft.com/configmgrteam/2015/11/20/issue-with-the-windows-adk-for-windows-10-version-1511/

Also download the correct version of the Language packs. There is dedicated ISO available for Windows 10 1511 which contains x86 and x64 LPs. Mount the ISO and copy the required lp.cab files to a shared folder. You can use a single folder and rename the LPs instead of using subfolders. (Just rename each cab so they can all exist in the same folder e.g. de-de.cab for German etc…).

This could look like this:

0.1

Start the WICD and create a new provisioning package and save the project to a share.

1

2

Hit next for the “Next” options

3
Select “Common to all Windows desktop editions” and click “Next”

4.PNG
Leave this blank and click “Finish”

5.PNG

On the newly created project expand the Deployment assets – Language packages and browse to your LP cab files. You have to select each LP for import. in my case I only use one single LP – German. Name it and click Add at the bottom.

Now you can create the PPKG file. On the Menu select Export and then “Provision package”. On the “Build” windows click Next (or change the settings if you like).

7.PNG

Do not encrypt the ppkg file for now. Select where to save the ppkg package
8

Hit Build to build the package
9
10

 

 

 

 

 

 

 

 

ConfigMgr 2012 R2 SP1 Application Catalog promts for cridentials

sccm2012_logo.gif-1200x0[1]

If you start using the Application Catalog from Configuration Manager 2012 R2 SP1 you have to configure some settings before the users can access it.

Probably you recieve a login propt when accessing the application catalog from your client.

Solution

After installing the role and checking the logs for a successfull installtion (SMSAWEBSVCSetup.log & SMSPORTALWEBSetup.log) you have to change the client settings:

  • Change the “Computer Agent” settings:

1

  • Select your Application Catalog website:
2
  • Add your Application Catalog website to your clients by using Group Policy:
3
This steps will allow you to use the Application Catalog without any logon prompts. Configure also your Enterprise Mode settings when you use Windows 10 EDGE Browser. EDGE does not support Silverlight but the Software Center and the Application Catalog is using Silverlight.
Cheers
Al

New blog

After blogging on sccmfaq.ch I finally started my own blog – blog.alschneiter.com. I’m focused on all the new and rising Microsoft Windows Client technologies. This includes stuff like, Windows 10, Configuration Manager (ConfigMgr), EMS, Office365, Azure RemoteApps, Remote Desktop Services (RDS), MDOP and much more! Just the modern workplace. Any questions to me? Feel free to contact me using this blog or twitter!

And, don’t miss all the technical deep dives, technical news and also some fun stuff. Subscribe right now!

Cheers,
Al

itnetX_portraits_2015_14

Windows 10 Technical Preview not offering the new Build 10041

Hi, When you check for new builds of Windows 10 Technical Preview, you’re not offered with the new Build 10041. You already tried to change the settings here: Settings > Update & Recovery > Advanced options, and setting Choose how preview builds are installed to Fast.   Solutions: Option 1:  Install the Windows Update that will reset your Flight Registry Settings You can download the update directly from the Microsoft Update Catalog:

Option 2:  Edit your registry If you’re not able to install the update, you can instead edit the registry yourself.  A word of warning:  these instructions ONLY apply to devices on Build 9926 that have set Choose how preview builds are installed to Fast: Continue reading “Windows 10 Technical Preview not offering the new Build 10041”