SCCM Windows 10 Upgrade Task Sequence: BitLocker PIN Protector Issues on Laptops

I’ve recently been looking at using SCCM Windows Upgrade Task Sequences to migrate from Windows 10 1511 to Windows 10 1607 for a customer.

On desktop devices this process ran through as expected and didn’t cause any real problems (i.e. nothing that I wasn’t expecting or that couldn’t be easily resolved).

Laptops with PIN protectors enabled did present a problem however…

It seems that while the upgrade process disables BitLocker automatically, PIN protectors become active again too early (i.e. before the end of the Task Sequence) meaning that end users would need to enter their PIN at least twice (possibly more depending on any additional Restart Computer actions in the Task Sequence) before the Task Sequence completes successfully.

Obviously this might be a pain in the arse for end users so it would be nice to find a way to avoid them having to enter their PIN repeatedly.

My solution for this is shown in the image and text below (steps highlighted in red are the ones required to resolve this specific issue):

[Image: upgradets (screenshot of the upgrade Task Sequence steps)]

The commands for each of the highlighted tasks are:

# Disable BitLocker Protectors Indefinitely
cmd.exe /c "manage-bde -protectors -disable C: -RC 0"

# Re-enable BitLocker Protectors
cmd.exe /c "manage-bde -protectors -enable C:"

# Disable BitLocker Protectors for Single Reboot
cmd.exe /c "manage-bde -protectors -disable C:"

The first highlighted command disables BitLocker protectors indefinitely (Reboot Count = “0” turns off protectors until you issue an “-enable” command) which means you can reboot the device as many times as you like without BitLocker rearing its ugly head at all.

The second highlighted command re-enables all BitLocker protectors which therefore reverses the “Disable BitLocker Protectors Indefinitely” command.

The final highlighted command (“Disable BitLocker Protectors for Single Reboot”) disables BitLocker protectors on the C: drive again but using the default Reboot Count (when “-RC” isn’t specified the default value is used which is “1”) which only disables the protectors for a single reboot.

This means that after the final “Restart Computer” task the OS has been upgraded, all custom actions in the TS will have completed and all protectors for the C: drive are switched back on.
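As an added example (not from the original post), the same three steps written with the BitLocker module cmdlets (Suspend-BitLocker, Resume-BitLocker and Get-BitLockerVolume, available on Windows 8 / Server 2012 and later) plus a check to run as the last step before the final “Restart Computer”, so the TS fails visibly if the protectors are gone and the drive would come back up unprotected. The function names are this example’s own.

```powershell
# Added example: manage-bde steps as PowerShell functions, plus a final state check.
$Drive = 'C:'

function Disable-ProtectorsIndefinitely {
    # Same effect as: manage-bde -protectors -disable C: -RC 0
    # Protection stays off across every reboot until Resume-BitLocker is called.
    Suspend-BitLocker -MountPoint $Drive -RebootCount 0 | Out-Null
}

function Enable-Protectors {
    # Same effect as: manage-bde -protectors -enable C:
    Resume-BitLocker -MountPoint $Drive | Out-Null
}

function Disable-ProtectorsForSingleReboot {
    # Same effect as: manage-bde -protectors -disable C: (default -RC is 1)
    Suspend-BitLocker -MountPoint $Drive -RebootCount 1 | Out-Null
}

function Get-ProtectorState {
    # ProtectionStatus reads 'Off' while protectors are suspended; the protector
    # list must still contain the TPM+PIN protector or nothing will come back on.
    $vol    = Get-BitLockerVolume -MountPoint $Drive
    $hasPin = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' }
    [PSCustomObject]@{
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        HasTpmPin        = [bool]$hasPin
    }
}

# In the TS each of these would be its own "Run PowerShell Script" step:
#   1. Disable-ProtectorsIndefinitely   (before the upgrade and its reboots)
#   2. Enable-Protectors                (after the custom actions)
#   3. Disable-ProtectorsForSingleReboot
#   4. the check below, immediately before the final "Restart Computer"
$state = Get-ProtectorState
if ($state.VolumeStatus -ne 'FullyEncrypted' -or -not $state.HasTpmPin) {
    Write-Error "Unexpected BitLocker state on $Drive`: $($state | Out-String)"
    exit 1     # non-zero exit fails the TS step instead of rebooting unprotected
}
exit 0
```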

Bloody marvellous.

/ JC


“Finish Installing Device Software” in Windows 10 Action Center

If you get a message in the Windows 10 Action Center saying “Finish installing device software” with a red/white cross and a UAC symbol on then it’s likely that a driver is missing, a driver needs some software installed or that Windows needs your permission to resolve one of these actions (hence the UAC symbol).

It can be an absolute bastard to figure out which device/driver is causing this issue but one way to track it down is to click to allow the install to complete and then look in the file:

C:\Windows\Inf\setupapi.dev.log

Look for Finish-Install actions (typically they will be the latest entries in the log file if you’ve just clicked to complete the action immediately before looking) and that should lead you to identifying the troublesome device. Back of the net.

/ JC


Increase the Speed of PXE Boot/TFTP When Using SCCM Distribution Point

If you’re looking to improve the performance (quite significantly in my experience) of Trivial File Transfer Protocol/TFTP (in other words to improve the download speed of your SCCM boot images to your clients from the DP) you can add some registry keys on the server hosting the PXE-enabled Distribution Point to achieve this.

The two keys required (and the values I suggest using) are:

New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\SMS\DP" -Name RamDiskTFTPBlockSize -PropertyType DWord -Value "16384"
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\SMS\DP" -Name RamDiskTFTPWindowSize -PropertyType DWord -Value "8"

Once the keys have been added, restart the “Windows Deployment Services Server” service and that’s you finished. 🙂

One caveat with this change is that it can also adversely affect performance and in some cases even break PXE altogether (as I found out with my Hyper-V 2012 R2 VMs – VMs stopped working completely while physical hardware zipped along like shit off a stick) so some tweaking of the values may be required depending on your environment. Basically one size does not fit all with this change.
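Because of that caveat, here is an added example (not from the original post) that applies the two values with a backup of whatever was there before, so they can be reverted if PXE stops working. The registry path, value names and the WDSServer service name are the real ones; the function names and the backup file location are this example’s own.

```powershell
# Added example: set the TFTP tuning values with a saved backup and a rollback.
$DpKey      = 'HKLM:\SOFTWARE\Microsoft\SMS\DP'
$BackupFile = 'C:\Tools\TftpTuning-backup.json'   # assumed location

function Save-TftpTuning {
    # Record the current values ($null when a value does not exist yet).
    $current = Get-ItemProperty -Path $DpKey
    [PSCustomObject]@{
        RamDiskTFTPBlockSize  = $current.RamDiskTFTPBlockSize
        RamDiskTFTPWindowSize = $current.RamDiskTFTPWindowSize
    } | ConvertTo-Json | Set-Content -Path $BackupFile
}

function Set-TftpTuning {
    param(
        [int] $BlockSize  = 16384,
        [int] $WindowSize = 8
    )
    # Set-ItemProperty creates or overwrites; New-ItemProperty errors on a re-run.
    Set-ItemProperty -Path $DpKey -Name RamDiskTFTPBlockSize  -Value $BlockSize  -Type DWord
    Set-ItemProperty -Path $DpKey -Name RamDiskTFTPWindowSize -Value $WindowSize -Type DWord
    Restart-Service -Name WDSServer   # "Windows Deployment Services Server"
}

function Restore-TftpTuning {
    # Put back the saved values, or remove the values if they did not exist before.
    $saved = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($name in 'RamDiskTFTPBlockSize', 'RamDiskTFTPWindowSize') {
        if ($null -eq $saved.$name) {
            Remove-ItemProperty -Path $DpKey -Name $name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $DpKey -Name $name -Value $saved.$name -Type DWord
        }
    }
    Restart-Service -Name WDSServer
}

Save-TftpTuning
Set-TftpTuning -BlockSize 16384 -WindowSize 8
# If PXE clients then fail to boot, run: Restore-TftpTuning
```

Test a PXE boot on both physical and virtual clients after the change, since the values that suit one may break the other.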

Can’t find any proper information on SCCM CB but it looks like this is a supported change from looking at this TechNet post: link

UPDATE 30/09/2016 – some much better detail and testing results for this TFTP optimisation provided by Jörgen Nilsson on the excellent ccmexec.com website – link

/ JC


Quickly Determine all Local Drive Letters on a Device From Command Line

To quickly see which drive letters/volumes are available from a command prompt you can use wmic to get a quick summary.

The following command will give you the information you need:

wmic logicaldisk get description,name

/ JC


Further simplifying servicing models for Windows 7 and Windows 8.1

Microsoft look to be moving to a cumulative approach to updates with Windows 7 and 8.1 which seems to be similar to what they have already done for Windows 10.

Single Cumulative Updates instead of multiple individual patches moving forward. Better late than never I guess… 😉

See the full blog post on TechNet:

https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

/ JC


Windows 10 Language Packs are Release Specific

Just a heads up – after wasting the best part of a day trying to figure out what was wrong it turns out that Language Packs for Windows 10 are release specific and only seem to work with the corresponding release of Windows.

What this means is that Language Packs for Windows 10 1511 won’t install offline via MDT when creating a reference image using 1607 Windows 10 media.

1511 Language Packs only work with 1511 media and NOT 1607 media.

Bastard.

Need to wait for 1607 Language Packs to be released then eh… 😉

/ JC


Run PowerShell Scripts as Windows Scheduled Tasks

It can be useful to have a PowerShell script which runs as a Windows Scheduled task to perform otherwise manual tasks. Being a lazy bugger I like to automate as many boring, shitty tasks as I can so PowerShell and Scheduled Tasks are my friends…

A good example of this would be if you needed to run a cleanup of WSUS to remove declined, superseded, expired updates etc.

The script I want to run looks like the following:

<#
.DESCRIPTION
       Cleans up WSUS on local server
.EXAMPLE
       PowerShell.exe -ExecutionPolicy ByPass -File WSUSCleanup.ps1
.NOTES
       Author:	Jonathan Conway
       Created:	21/07/2016
       Version:	1.1
#>

# Set WSUS port number (standard is 8530 on Windows Server 2012 R2 but can be customised)
$WSUSPortNumber = 8530

# Connect to local server using PowerShell and keep the connection object so the
# cleanup below uses the port set above (a bare Get-WsusServer would reconnect
# on the default port and ignore a customised one)
$WSUSServer = Get-WsusServer -Name $env:computername -PortNumber $WSUSPortNumber

# Perform required cleanup commands and write the results to a log file
$WSUSServer | Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates |
    Out-File -FilePath C:\Tools\Scripts\wsuscleanup.log

In order to run this as a Scheduled Task in Windows I’d need to run it as SYSTEM (NT AUTHORITY\SYSTEM) – change the “Configure for:” section at the bottom to match the OS you’re using as well, for compatibility purposes.

Configure a Trigger – once a week should be more than enough for this particular task.

The action should be configured to “Start a Program” which would be as per the command line example below (example assumes you have a script called WSUSCleanup.ps1 located in a folder called “C:\Tools\Scripts”):

PowerShell.exe -ExecutionPolicy ByPass -File C:\Tools\Scripts\WSUSCleanup.ps1

It should end up looking a bit like this:

[Image: ScheduledTask (screenshot of the configured Scheduled Task)]

And that’s about it – should run as per the Trigger Schedule.
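The same task created from PowerShell with the ScheduledTasks module (Windows 8 / Server 2012 and later) rather than by clicking through Task Scheduler, as an added example that is not from the original post. It runs as SYSTEM with highest privileges on a weekly trigger and refuses to register if the script folder is writable by non-administrators, since anything SYSTEM runs on a schedule must only be editable by admins. The task name, day and time are assumptions.

```powershell
# Added example: register the WSUS cleanup script as a weekly SYSTEM task.
$ScriptPath = 'C:\Tools\Scripts\WSUSCleanup.ps1'
$TaskName   = 'WSUS Cleanup'   # assumed task name

function Test-ScriptFolderAcl {
    param([string] $Path)
    # Reject if Users / Authenticated Users / Everyone can write or modify the folder.
    $acl   = Get-Acl -Path (Split-Path -Path $Path -Parent)
    $risky = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Users$|Everyone$' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl'
    }
    return -not $risky
}

function Register-WsusCleanupTask {
    if (-not (Test-Path -Path $ScriptPath)) { throw "Script not found: $ScriptPath" }
    if (-not (Test-ScriptFolderAcl -Path $ScriptPath)) {
        throw 'Script folder is writable by non-administrators; fix the ACL first.'
    }
    # Action: the same command line as the "Start a Program" example above.
    $action    = New-ScheduledTaskAction -Execute 'PowerShell.exe' `
                     -Argument "-ExecutionPolicy ByPass -File `"$ScriptPath`""
    # Trigger: once a week (day and time assumed).
    $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
    # Principal: NT AUTHORITY\SYSTEM, highest privileges.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                     -LogonType ServiceAccount -RunLevel Highest
    # "Configure for:" in the GUI maps to -Compatibility (Win8 = Server 2012 R2).
    $settings  = New-ScheduledTaskSettingsSet -Compatibility Win8
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force
}

Register-WsusCleanupTask
```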

/ JC
