CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

In Windows 10 1607 the TPM owner password hash is no longer accessible from within Windows. This is a design change to increase security in Windows 10, which you can read more about here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password

Quote: “Starting with Windows 10, version 1607, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.”

The ability to turn on TPM backup to AD using Group Policy has also been removed from the Windows 10 1607 .ADMX files, as documented here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/trusted-platform-module-services-group-policy-settings

The behaviour is controlled by the registry value HKLM\Software\Policies\Microsoft\TPM\OSManagedAuthLevel. By default it is set to 2, which means Windows discards the TPM owner password hash; if we set it to 4, the hash is retained.

When we upgrade the ADK to 1607 we get the same behavior in WinPE, so the script we used before to capture the TPM password hash when using Pre-provision BitLocker and write it to the registry doesn't work anymore.

When my colleague Johan Schrewelius and I tested this, we found a Task Sequence variable, _OSDOAF, that contains the TPM password hash when the Pre-provision BitLocker step is used in the Configuration Manager Task Sequence.

Johan posted two PowerShell scripts on the TechNet Gallery. One reads the TS variable, writes it to the registry and sets OSManagedAuthLevel to 4; without that last step the hash would be removed by Windows again. https://gallery.technet.microsoft.com/for-handling-TPM-Password-be7ee062

The other simply sets OSManagedAuthLevel back to its default value.

Here are the steps involved. I disabled the SaveWinPETPMOwnerAuth.wsf step that we used before to achieve the same thing.

TPM Pass the Hash

The “MBAM TPMPassTheHash” step, as we call it, runs the first script. A computer restart must take place before the Invoke-MbamClientDeployment step runs.

TPM Pass the Hash Step1

And the “Reset tpm policy” step resets the value of OSManagedAuthLevel back to the default.

TPM Pass the Hash Step2

After that we have the TPM password hash in our MBAM database once again.
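The two steps above, written out as one PowerShell script that serves both the “MBAM TPMPassTheHash” and the “Reset tpm policy” steps. This is an added example, not Johan's TechNet Gallery script: the policy key and the _OSDOAF variable come from the post, but the registry location the hash is written to is a placeholder, since the post does not say where its script stores it. It also goes one step beyond the post by deleting the stored hash again in the reset step, so the secret does not linger in the registry after MBAM has escrowed it.

```powershell
# Added example (not the script from the post). Call with 'Save' in the step
# that runs before the restart, and with 'Reset' after Invoke-MbamClientDeployment.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# ASSUMPTION / placeholder: the post does not give the key its script writes the hash to.
# Replace with the location the SaveWinPETPMOwnerAuth.wsf script in your MBAM version uses.
$HashKey  = 'HKLM:\SOFTWARE\Contoso\TpmOwnerAuth'
$HashName = 'OwnerAuthHash'

function Save-TpmOwnerAuthFromTS {
    # Microsoft.SMS.TSEnvironment is the COM object any TS step can use to read variables.
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $hash  = $tsenv.Value('_OSDOAF')
    if ([string]::IsNullOrEmpty($hash)) {
        throw 'TS variable _OSDOAF is empty: was the Pre-provision BitLocker step run?'
    }

    # 4 = Windows keeps the owner password hash; with the default (2) it is discarded again.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name OSManagedAuthLevel -Value 4 -Type DWord

    if (-not (Test-Path $HashKey)) { New-Item -Path $HashKey -Force | Out-Null }
    Set-ItemProperty -Path $HashKey -Name $HashName -Value $hash -Type String

    # Log that the hash was captured, never the hash itself (smsts.log is copied around freely).
    Write-Output "TPM owner auth captured ($($hash.Length) characters); OSManagedAuthLevel set to 4."
}

function Reset-TpmOwnerAuthPolicy {
    # Back to the Windows 10 1607 default: 2 = discard the owner password after provisioning.
    Set-ItemProperty -Path $PolicyKey -Name OSManagedAuthLevel -Value 2 -Type DWord
    # Beyond the post: remove the stored copy now that MBAM has escrowed it.
    Remove-ItemProperty -Path $HashKey -Name $HashName -ErrorAction SilentlyContinue
    Write-Output 'OSManagedAuthLevel reset to 2 and stored hash removed.'
}

# One script file, two Task Sequence steps: the argument selects the action.
switch ($args[0]) {
    'Save'  { Save-TpmOwnerAuthFromTS }
    'Reset' { Reset-TpmOwnerAuthPolicy }
    default { Write-Error 'Usage: TpmPassTheHash.ps1 Save | Reset'; exit 1 }
}
```

The script throws when _OSDOAF is empty so the step fails visibly in the Task Sequence instead of silently leaving the TPM unescrowed, and it never echoes the hash into the log.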

Note that Microsoft recommends that the TPM password hash is no longer saved, as stated in one of the links above: “Microsoft strongly recommends that you do not change the default value of this registry key in order to retain the owner password.”

But in some scenarios we still need to be able to do it.

There are a couple of OS deployment web services out there, like the legendary one from Maik Koster, which is great (it should be built into the product!). At Onevinn we have been using and developing our own OSD web service for a couple of years now. It was developed by my colleague Johan Schrewelius, who has done a marvelous job with it!!

We have been planning to share this for a long time but never found the time to complete it. At today's System Center User Group Sweden – Client day at Microsoft in Sweden, we thought it was time!

It can be downloaded from the TechNet Gallery, with complete documentation as well: https://gallery.technet.microsoft.com/Web-Service-for-OS-93b6ecb8

It contains the following features, which can be used once it is installed.

WebserviceFeature

One reason we started doing this is, for instance, the need to delete primary users during OS deployment so that they can be set once again during OSD while the old history is removed.

The installation is a simple setup that you run on the server.

Setup

Configure the service account to be used.

Setup1

To make it easy to use, sample scripts are included as well, which can easily be used in a Task Sequence.

PowerShell sample scripts

All configuration is done in the Configuration.ps1 file, which all the other scripts use, so we only need to configure this once.

PowerShell script config

This makes it really easy to include in a Task Sequence as shown below.

TaskSequenceCommand

Why use a web service? Because we move the logic to the server side, which makes our OSD much more stable and less latency-sensitive than running scripts against the Configuration Manager server from within a Task Sequence. We don't have to open anything more than port 443/80 from the clients to the server, as we don't run any scripts in the Task Sequence, we just call a web service.

As I wrote before, the download includes complete documentation, so check it out once you have downloaded it to get started!

There are many solutions out there for setting the OSD background to show progress during OS deployment. My colleague Johan Schrewelius at Onevinn has written a great one that shows:

  • Time elapsed
  • Host information
  • Current OSD Step
  • Custom background
  • Yes, it works in full OS in Windows 8.1 and Windows 10 as well.
  • Password Protected debug mode!!
  • Customizable colors
  • Easy configuration in a .xml file.

OSDBackground

It has a password-protected debug mode for accessing Task Sequence variables, CMTrace, SMSTS.log and a command prompt. If you haven't turned off F8 support in your boot image, it is time to do so now! The debug mode is accessed by right-clicking the upper left corner.

OSDBackground1

OSDBackground_Debug

In the Task Sequence we simply add a step that executes OSDBackground and passes it the current step number, as shown below.

OSDBackgroundTS

It requires minimal configuration, as everything is configured in a .xml file. It does require the .NET Framework and PowerShell support in the boot image, so those need to be added under optional components. The steps shown in the background, the colors and the debug password are easily added or modified as well.

OSDBackground configuration

It can be downloaded from the TechNet Gallery, both the binaries and the complete documentation on how to use it: https://gallery.technet.microsoft.com/Replacement-for-BGInfo-0095cff3

Great work Johan!!

I have gotten this question many times when writing scripts and blog posts: what is the difference between a Task Sequence in MDT and one in SCCM? In some scenarios this makes a huge difference and is important to know about.

When you execute an OSD Task Sequence in MDT you are logged on as the local Administrator account, as shown below, which means that all scripts, applications etc. run as the local Administrator account.

MDTTS_Context

MDTTS_Context1

When you use Configuration Manager the Task Sequence executes in System context, which means that scripts and applications run as SYSTEM. So if we enable F8 support (remember, for testing only!) we are running in System context.

SCCMTS_Whoami

Why is this important? If you test and install applications using Configuration Manager you should always test them in System context and not as the local Administrator; this can be done using PsExec. When you develop and run scripts you need to be aware of this as well and, again, test them in System context where applicable.

An example is the script I blogged about a while ago to set a corporate wallpaper in Windows 10. When running that script we need to take ownership of the files in question before we can replace them. If we run it in MDT we need “Administrator” to own the files to be able to replace them; if we use Configuration Manager we need to use “System” instead.

Example MDT

# MDT runs the Task Sequence as the local Administrator, so ownership and Full control go to that account.
takeown /f c:\windows\WEB\wallpaper\Windows\img0.jpg
takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
icacls c:\windows\WEB\wallpaper\Windows\img0.jpg /Grant 'Administrator:(F)'
icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant 'Administrator:(F)'
Remove-Item c:\windows\WEB\wallpaper\Windows\img0.jpg
Remove-Item C:\Windows\Web\4K\Wallpaper\Windows\*.*
Copy-Item $PSScriptRoot\img0.jpg c:\windows\WEB\wallpaper\Windows\img0.jpg
Copy-Item $PSScriptRoot\4k\*.* C:\Windows\Web\4K\Wallpaper\Windows

Example Configuration Manager

# Configuration Manager runs the Task Sequence as SYSTEM, so ownership and Full control go to System instead.
takeown /f c:\windows\WEB\wallpaper\Windows\img0.jpg
takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
icacls c:\windows\WEB\wallpaper\Windows\img0.jpg /Grant 'System:(F)'
icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant 'System:(F)'
Remove-Item c:\windows\WEB\wallpaper\Windows\img0.jpg
Remove-Item C:\Windows\Web\4K\Wallpaper\Windows\*.*
Copy-Item $PSScriptRoot\img0.jpg c:\windows\WEB\wallpaper\Windows\img0.jpg
Copy-Item $PSScriptRoot\4k\*.* C:\Windows\Web\4K\Wallpaper\Windows
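The two versions above differ only in which account is granted ownership. As an added example (not the wallpaper script from the post), the variant below asks Windows which account the Task Sequence is actually running as and grants to that principal, so one script works under both MDT (local Administrator) and Configuration Manager (SYSTEM). It also checks the exit codes of takeown and icacls, which the post's version does not; a silent failure there is what produces the “Access denied” on the later Copy-Item. To reproduce the Configuration Manager context on a test machine, start the shell with psexec.exe -s -i powershell.exe, as the post suggests with PsExec.

```powershell
# Added example, not the script from the original post.
# Grants ownership to whichever account the Task Sequence runs as, then replaces the wallpapers.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = $identity.Name   # 'NT AUTHORITY\SYSTEM' under ConfigMgr, 'HOST\Administrator' under MDT
Write-Output "Running as $principal (IsSystem=$($identity.IsSystem))"

# The files the post replaces; the replacement images sit next to the script in the package.
$targets = @(
    'C:\Windows\Web\Wallpaper\Windows\img0.jpg',
    'C:\Windows\Web\4K\Wallpaper\Windows\*.*'
)

foreach ($target in $targets) {
    # takeown makes the current user the owner; icacls then grants Full control to the same
    # principal. Both are external executables, so $LASTEXITCODE is the only failure signal.
    & takeown.exe /f $target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $target (exit code $LASTEXITCODE)" }

    # Braces are required: "$principal:(F)" would be parsed as a drive-qualified variable.
    & icacls.exe $target /grant "${principal}:(F)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $target (exit code $LASTEXITCODE)" }
}

Remove-Item 'C:\Windows\Web\Wallpaper\Windows\img0.jpg' -Force
Remove-Item 'C:\Windows\Web\4K\Wallpaper\Windows\*.*' -Force
Copy-Item "$PSScriptRoot\img0.jpg" 'C:\Windows\Web\Wallpaper\Windows\img0.jpg'
Copy-Item "$PSScriptRoot\4k\*.*"   'C:\Windows\Web\4K\Wallpaper\Windows'
```

Because the script throws on the first failed takeown or icacls, the Task Sequence step reports an error at the point where the permission problem actually is, rather than at the Copy-Item several lines later.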

I hope this is helpful!

After checking the inbox and the junk mail folder many times today just to be sure, THE mail finally arrived! It is a true honor to be awarded MVP for yet another year, my sixth time!

Thanks to all of you, and to Microsoft for making this happen and for all your support!!

MVP2016

In Configuration Manager 1606 we got a new option to tweak our PXE boot times, TFTPWindowSize, which we can change in the registry on our PXE-enabled DPs.
PXE booting a machine can never be fast enough!

https://technet.microsoft.com/en-us/library/mt627944.aspx#BKMK_RamDiskTFTP

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP
Name: RamDiskTFTPWindowSize
Type: REG_DWORD

The default value is 1 (1 data block fills the window)

We can also tweak the TFTPBlockSize, which has been around for many versions of Configuration Manager.

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP
Name: RamDiskTFTPBlockSize
Type: REG_DWORD
Value: <customized block size>

The default value is 4096 (4k).

So I did a lot of testing, and when it comes down to it, you need to verify which settings work best in your environment with your network configuration, your computer models and so on.

What we know, for example:

  • An HP ProBook, for instance, doesn't support a TFTPBlockSize higher than 1456; otherwise it freezes.
  • VMware 5.x doesn't support a TFTPWindowSize higher than 8.

I put together this list, which could be a good starting point when testing the different TFTP values. I used a Latitude E7450 and an OptiPlex 7010, and Max, who helped me PXE boot; otherwise I would have overdosed on coffee by now!

TFTPSettings

Conclusion: UEFI boot is slower! And the values used will differ between customers, as there are no optimal values that are best in all environments.

Changing the TFTP settings by hand was really boring, so when I did the tests I also wrote this little PowerShell tool to help set the values. I am planning to update it next week to support remote DPs and add some more error handling, but you can use it as it is now for your testing. Run it as administrator so you have the permissions necessary to change the registry values.

SCCMTFTPBootChanger

It can be downloaded here: SCCMTFTP
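For readers who want to script the same test loop, here is an added example (not the SCCMTFTP tool from the post) that reads and sets the two RamDisk TFTP values on a PXE-enabled DP. The key, value names and defaults are the ones given above; the validation bounds are my own choices (the RFC 2348 block-size range, and a window cap of 64 that still covers the post's table), and the warnings mirror the HP ProBook and VMware observations from the post. It restarts the WDSServer service so the new values are used on the next PXE boot; run it in an elevated PowerShell on the DP.

```powershell
# Added example, not the tool from the post. Get/Set the RamDisk TFTP tuning values on a DP.

$DPKey = 'HKLM:\SOFTWARE\Microsoft\SMS\DP'

function Get-DPTftpSetting {
    # Returns the current values, or the defaults from the post when a value has not been set.
    $props  = Get-ItemProperty -Path $DPKey -ErrorAction Stop
    $window = 1     # default: one data block fills the window
    $block  = 4096  # default: 4k blocks
    if ($null -ne $props.RamDiskTFTPWindowSize) { $window = $props.RamDiskTFTPWindowSize }
    if ($null -ne $props.RamDiskTFTPBlockSize)  { $block  = $props.RamDiskTFTPBlockSize }
    [pscustomobject]@{ RamDiskTFTPWindowSize = $window; RamDiskTFTPBlockSize = $block }
}

function Set-DPTftpSetting {
    param(
        # Window size (number of blocks sent before an ACK is expected). 1..64 is my test range.
        [ValidateRange(1, 64)]      [int] $WindowSize,
        # Block size in bytes; 512..65464 is the RFC 2348 range for the TFTP blksize option.
        [ValidateRange(512, 65464)] [int] $BlockSize,
        # WDS serves the TFTP transfers, so restart it for the change to take effect.
        [switch] $RestartWds
    )
    if (-not (Test-Path $DPKey)) {
        throw "$DPKey not found: is this a PXE-enabled distribution point?"
    }
    if ($PSBoundParameters.ContainsKey('WindowSize')) {
        if ($WindowSize -gt 8) { Write-Warning 'The post reports VMware 5.x does not support a window size above 8.' }
        Set-ItemProperty -Path $DPKey -Name RamDiskTFTPWindowSize -Value $WindowSize -Type DWord
    }
    if ($PSBoundParameters.ContainsKey('BlockSize')) {
        if ($BlockSize -gt 1456) { Write-Warning 'The post reports HP ProBooks freeze with a block size above 1456.' }
        Set-ItemProperty -Path $DPKey -Name RamDiskTFTPBlockSize -Value $BlockSize -Type DWord
    }
    if ($RestartWds) { Restart-Service -Name WDSServer -Force }
    Get-DPTftpSetting
}

# Usage: record the starting point, then try one combination from the test table.
Get-DPTftpSetting
Set-DPTftpSetting -WindowSize 4 -BlockSize 1456 -RestartWds
```

Only the parameters you actually pass are written, so you can change the window size and the block size independently while keeping a record of each run's starting values.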

I hope this can be of use!

There seems to be a bug in the Windows 10 1607 ADK when loading the components needed to, for instance, deploy a machine on a network using 802.1x. The service fails to load with System Error 126, as shown in the screenshot below.

winpe

There are some comments about it on forums and as comments on blog posts as well.

For now, the workaround is to use WinPE from the Windows 10 1511 ADK.

In Windows 10 1607, App-V and UE-V are built natively into the operating system (not in Pro) and no additional setup needs to be run anymore, which is awesome! Both App-V and UE-V can be enabled using Group Policy or with the following PowerShell commands: Enable-Appv and Enable-Uev.

In some scenarios, especially for App-V, we need to enable it during OSD in our Task Sequence so that we can install App-V applications before the Group Policies are applied.

This is really simple: we just use PowerShell to activate it. If we want to enable both App-V and UE-V we use the following command:

powershell.exe -NoProfile -Command "&{ Enable-Appv; Enable-Uev }"

Or activate App-V alone, for instance, using the following command:

powershell.exe -NoProfile -Command Enable-Appv

The Run Command Line step must run after the Setup Windows and Configuration Manager step, as shown below.

Task Sequence Step

If we then use the command prompt after that step to check the App-V status, it is enabled.

App-v during OSD

In many scenarios and solutions we use a single Task Sequence to deploy multiple Windows versions. In that case the following WMI query can be used as a condition so the command only runs on Windows 10 1607: select * from Win32_OperatingSystem where BuildNumber = "14393", as shown below.

Conditions using buildnumber
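The Run Command Line step plus its WMI condition, folded into one script so the step can also report why it did nothing. This is an added example and not from the post. It generalises the post's condition from exactly build 14393 to 14393 and later, adds the edition check the post mentions in passing (“not in Pro”), and exits non-zero on failure so the Task Sequence step fails visibly. The edition test on the OS caption and the status property names are assumptions to verify on your own build.

```powershell
# Added example, not from the post. Save as Enable-AppvOSD.ps1 and run it from a
# "Run Command Line" step placed after "Setup Windows and Configuration Manager":
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File Enable-AppvOSD.ps1 -IncludeUev
param([switch] $IncludeUev)

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int] $os.BuildNumber

# Same check as the post's WMI condition, generalised to 14393 (1607) and every later build.
if ($build -lt 14393) {
    Write-Output "Build $build has no built-in App-V client; nothing to do."
    exit 0
}

# Built in for Enterprise/Education only (the post: "Not in Pro"). ASSUMPTION: the edition is
# recognisable from the caption, e.g. "Microsoft Windows 10 Enterprise"; adjust if yours differs.
if ($os.Caption -notmatch 'Enterprise|Education') {
    Write-Output "$($os.Caption) does not ship the built-in App-V client; skipping."
    exit 0
}

try {
    Enable-Appv -ErrorAction Stop
    if ($IncludeUev) { Enable-Uev -ErrorAction Stop }
}
catch {
    # A non-zero exit code makes the Task Sequence step fail instead of silently continuing.
    Write-Error "Enabling App-V/UE-V failed: $_"
    exit 1
}

# Report the result, as the post does from the command prompt after the step.
# ASSUMPTION: property names as returned by Get-AppvStatus / Get-UevStatus in 1607.
$appv = Get-AppvStatus
Write-Output "App-V client enabled: $($appv.AppVClientEnabled)"
if ($IncludeUev) {
    $uev = Get-UevStatus
    Write-Output "UE-V enabled: $($uev.UevEnabled)"
}
exit 0
```

With the build and edition checks inside the script, the same step can stay in a Task Sequence that deploys several Windows versions; on the versions where App-V is not built in it simply reports that and exits 0, so no separate WMI condition per step is needed.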

This really makes our life simpler!