Posts Tagged ‘OSD’

Recently we noticed some performance issues in laptops with shared graphics when the Windows 7 Basic Theme was being used (particularly with external monitors using DisplayPort cables). These issues were resolved when selecting the Windows 7 Aero Theme. We were even able to reproduce the problems on the manufacturer's image.

I have asked on a few international Configuration Manager forums and apparently the Windows 7 Basic theme being used as a default is a well known issue / problem for people when you capture an image using a virtual platform such as Hyper-V or VMware. Some are deploying custom branded themes (which utilize the Aero technology) and others are setting the default Windows 7 Aero theme with Group Policy as we have done with this solution. Others are aware of the setting but have elected to do nothing and leave it as is with Windows 7 using the Basic Theme as the default.

We have applied two distinct actions.

1. Applied an additional step at the end of our build Task Sequences to run winsat.exe dwm, which assesses the ability of a system to display the Aero desktop effects.

2. Created a new Group Policy which targets the Windows 7 OS version via a WMI query to set the Windows 7 Aero theme (settings located at User Configuration \ Administrative Templates \ Control Panel \ Personalization: Force a specific visual style or force Windows Classic & Load a specific theme file).

Our builds are now using the Windows 7 Aero theme as the default upon login.

Cheers

Damon

Recently our organisation decided to enable BitLocker protection for all of our new laptops. The idea was to provision the drive encryption as the laptops were built with our Configuration Manager 2012 R2 environment. The laptop models were the HP EliteBook 850 and the EliteBook 820.

A few steps were required to achieve this and some tweaking of the default steps in my Configuration Manager Task Sequence.

Now before you even start with BitLocker you need to ensure that your Active Directory environment meets a few prerequisites. For the purposes of this blog I’m assuming that this has been checked and is in place. Some documentation on this can be found here:

http://technet.microsoft.com/en-us/library/cc766015(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/jj592683.aspx
http://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx

Step 1 – Enable the TPM

In order to enable BitLocker during a Configuration Manager Task Sequence we first need to enable the TPM (Trusted Platform Module) in the BIOS. It’s worth noting that a lot of the newer devices such as Surface Pros come with UEFI where the TPM is already enabled. Again, my blog is dealing with BIOS as our new laptops don’t come out of the box with UEFI enabled.

To enable the TPM in the BIOS we also need to set a password and tweak a few of the other security settings associated with the TPM. Luckily there is an HP BIOS Configuration Utility which we can use as part of a Task Sequence that will set these options for us automatically! I’m using version 2.14.0.8 of the HP BIOS Configuration Utility which you can download from ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.exe.

Extract the contents of sp49507 and create a package in your Config Manager instance. No program is required, just the files, as the Task Sequence is going to execute the utility.

We now need to create a file for the utility to use which contains the settings we want to change inside the BIOS. I have done this by copying the BiosConfigUtility.exe to my target laptop, then launching a command prompt as an administrator and executing the below command. You can then modify the text file to contain only the required settings to enable the TPM for your particular laptop. For my laptops these settings are shown as per below. Once you have the file trimmed down to what you require, rename it to .REPSET and copy it to your HP BIOS Configuration Utility package source folder and update your distribution points.

[Screenshots not preserved: the BiosConfigUtility.exe command and the trimmed settings file]

Now we can update our Task Sequence with a step which executes the utility. This should be formatted as:

BiosConfigUtility.exe /SetConfig:%YOURSETTINGS.REPSET% /NewAdminPassword:%YOURPASSWORD%

I have created a group in my TS and have restricted the group to run only if the device is a laptop, using the IsLaptop variable. I have then created a step for each laptop model, as each model has its own REPSET file with the settings required to activate the TPM.

Step 2 – Set BitLocker Steps in your Task Sequence

Now that we have turned on the TPM using the config utility provided by HP we can turn our attention to the BitLocker steps. I have modified mine slightly as I have used the integrated MDT Task Sequence and prefer the Configuration Manager Enable BitLocker step rather than the MDT step that is provided in the default TS. Why? It just seems to work better 🙂

Disable the default MDT ‘Enable BitLocker’ step and then add the standard SCCM Enable BitLocker step. I have renamed mine to ‘Enable BitLocker for Laptops’ and moved my new step down the TS so that it’s one of the last to be actioned. I have done this as I have personally had performance issues with the hardware once encryption has started, which slows down the TS steps.

Again I have restricted this step from running by using the IsLaptop variable. Your BitLocker drive encryption options will vary depending on how you are implementing it in your organisation. We have just enabled the TPM and encrypted the drive, storing the recovery key in AD.

Step 3 – Test Your Task Sequence!

Now that we have our TPM being enabled automatically and our BitLocker steps in our Task Sequence as required, we can test everything to ensure it works.

I had to make one adjustment to my Active Directory permissions so that Configuration Manager could write the recovery key information; however, this may not be required in other environments. Here is the blog about how to fix this should you run into the issue:

http://blogs.technet.com/b/bitlocker/archive/2010/09/14/access-denied-error-0x80070005-message-when-initializing-tpm-for-bitlocker.aspx
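
A check that can be run on a freshly built laptop to confirm what the task sequence was meant to achieve: TPM enabled and activated, OS volume protected, and the recovery password stored in AD. This is an added example, not part of the original post; it assumes an elevated PowerShell session on a domain-joined laptop and an account that can read msFVE-RecoveryInformation objects.

```powershell
# Added verification example, not part of the original post.
# Run elevated on the freshly built laptop. Get-WmiObject is used so the
# script also works with the PowerShell 2.0 that ships with Windows 7.
$ErrorActionPreference = 'Stop'

# 1. TPM state left behind by the BIOS configuration step.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) { throw 'Windows cannot see a TPM; check the REPSET step.' }

# 2. BitLocker state of the operating system volume.
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'"
if (-not $vol) { throw "No encryptable volume found for $env:SystemDrive." }
$conversion = $vol.GetConversionStatus()

# Key protector types: 1 = TPM, 3 = numerical (recovery) password.
$tpmProtectors = @($vol.GetKeyProtectors(1).VolumeKeyProtectorID | Where-Object { $_ })
$recoveryIds   = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID | Where-Object { $_ })

# 3. Recovery key escrow: each recovery protector should have a matching
#    msFVE-RecoveryInformation object, whose name ends with the protector GUID.
#    The account running this needs read access to those objects.
$escrowed = @($recoveryIds | Where-Object {
    $s = [adsisearcher]"(&(objectClass=msFVE-RecoveryInformation)(name=*$_))"
    $s.FindAll().Count -gt 0
})

New-Object PSObject -Property @{
    TpmEnabled         = $tpm.IsEnabled().IsEnabled
    TpmActivated       = $tpm.IsActivated().IsActivated
    TpmOwned           = $tpm.IsOwned().IsOwned
    ProtectionOn       = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)
    ConversionStatus   = $conversion.ConversionStatus   # 1 = fully encrypted, 2 = in progress
    EncryptedPercent   = $conversion.EncryptionPercentage
    HasTpmProtector    = ($tpmProtectors.Count -gt 0)
    RecoveryProtectors = $recoveryIds.Count
    RecoveryKeysInAD   = $escrowed.Count
} | Format-List
```

A healthy build reports ProtectionOn as True and RecoveryKeysInAD equal to RecoveryProtectors; a RecoveryKeysInAD of 0 means the drive is encrypted but no recovery password was found in AD for this account to read.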

Happy BitLockering!

Damon

I think a lot of people look at UDI (User Driven Installation) Task Sequences as just that – an option for users in an organisation to perform actions associated with the deployment of an Operating System. Well, that’s perfectly acceptable; however, when I first installed Configuration Manager 2012 in my lab I looked at the new UDI options and immediately saw a way of replacing my old HTA that I had with Configuration Manager 2007. I was fairly sure I could adapt the UDI Wizard to suit my deployment model, taking full advantage of what the MDT team had already written. The following blog briefly describes what I have done with UDI in my organisation.

Implementing the out of box UDI solution is actually fairly straightforward.

  1. Integrate MDT with your Configuration Manager 2012 installation
  2. Create your MDT files package, I have done this with MDT 2012 Update 1
  3. Create a standard MDT client task sequence, this will automatically include the steps that call the UDI Wizard
  4. Test your Task Sequence to ensure that it works and calls the UDI Wizard as expected.

Once you have these basics configured you can then take a closer look at customising what built-in panes the wizard presents and how that information is collected and used.

It’s worth noting at this point that I haven’t had a need to create any custom panes which set variables. Having said that, you can do this and MDT 2013 includes the ability to create your own pages using a GUI which is a vast improvement on what was offered in MDT 2012 Update 1.

Using the UDI Wizard Designer, I have removed quite a few of the built in panes. This is because I have tailored it for my Service Desk technicians to use and rely on the other built in Task Sequence steps to set variables. I have modified the New Computer and Refresh page libraries and have a separate USMT scripted process for the replace scenario.

[Screenshot: New Computer UDI Steps]

[Screenshot: Refresh Computer UDI Steps]

I have created separate UDI XML files for each Operating System that I deploy or refresh so that I can control settings and what applications are installed. To call different UDI Wizard XML files, save your UDI XML template file with an appropriate name into your MDT Files package then modify the two UDI Wizard steps in the Task Sequence.

You can customise the default header image (as I have) so the UDI Wizard is customised to your organisation. To do this you will need to locate the UDI_Wizard_Banner.bmp file located in your MDT Files package. Modify both copies of this file within the \Tools\x86 and \Tools\x64 folders respectively. The image needs to be 759 x 69 pixels. Rename the old file to UDI_Wizard_Banner.original in case you wish to roll back. Once your changes are complete, update your Distribution Points.

Here are some screen captures of my New Computer UDI Wizard. You can use the wizard to add Organizational OUs, a pre-populated Domain Name, Applications and other variable settings.

[Screenshot: Collecting Computer and Network Settings]

[Screenshot: Application Selection and Installation]

[Screenshot: Summary Page]

As the MDT Gather step runs before the UDI Wizard starts, you can also pre-populate other variables which will then automatically appear within the UDI panes. For example, you may wish to run a separate script to generate a computer name. If this is run prior to the UDI Wizard running, the name will be displayed in the pane that contains the field referencing that variable. Another good example of this is to pre-populate the domain join account username and password using CustomSettings.ini.

You can also use the UDI Wizard to present groupings of Applications which, when selected, will then be installed as part of the base variable COALESCEDAPPS during the Install Applications step of your TS. To correctly configure this for OSD you will need to create a collection within your Configuration Manager Console, then deploy to that collection each Application that you want to make available during an OSD Task Sequence. The Deployment type needs to be set to Available. Alternatively, you can use an existing collection, if you have one set up, that already has your Applications deployed in this manner.

Note: If you rename an application in Configuration Manager 2012, you will have to update your UDI XML file, save and redistribute your MDT Files package.

When this has been completed you can use the UDI Wizard Designer to create your Software Groups. Ensure that you have set the Site Settings within the designer by selecting the Configuration Manager ribbon button. You will need to set your Site Server Name and the name of the Application Collection that you have created and deployed your Applications to, otherwise your Applications will not appear when you try to search and add them.

Note: You need to tick the option “Allow this application to be installed from the Install Application task sequence action without being deployed” for each Application that you want to install as part of a TS.

Using UDI as an alternative has allowed me to transition into Configuration Manager 2012 OSD easily, retiring my old HTA. I have been able to take advantage of the built-in panes and, where suitable, set and populate information automatically. With the new version of MDT 2013 around the corner, the new Custom Page Designer will no doubt add further options and capabilities in this area.

Hopefully this blog gives you some broad ideas around how you can implement UDI in your organisation and what is possible to achieve when using it.

Cheers Damon