Tuesday, October 21, 2014

Making Changes to an Image During Deployment via Unattend

In my last blog post we began discussing thin versus thick images and how to make changes when using a thin image. Recently, while at a client, I was asked about features: let's say I use the standard Windows image and deploy updates and applications via the Task Sequence; how do I add regular Windows features?

There are two potential solutions to this issue: the first is the Microsoft Windows System Image Manager (WSIM) and the second is scripting by way of the Deployment Image Servicing and Management tool, or DISM for short.

The two examples that I will demonstrate below are:

  1. Adding Microsoft .Net Framework 3.5.1 to Microsoft Windows 8, Microsoft Windows Server 2012, Microsoft Windows 8.1 or Microsoft Windows Server 2012 R2
  2. Changing the Default Internet Explorer search engine to Google

Deployment Image Servicing and Management Tool (DISM)

DISM is a command-line tool used to make changes either to a mounted image (WIM) file or to a deployed operating system on Microsoft Windows 7, Microsoft Windows Server 2008 R2, Microsoft Windows 8, Microsoft Windows Server 2012, Microsoft Windows 8.1 and Microsoft Windows Server 2012 R2.
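As an added example (not code from the original post), here is the DISM route for the same two features, using the DISM PowerShell module that ships with Windows 8 / ADK 8 and later: it mounts install.wim, enables NetFx3 and TelnetClient, verifies their state, and commits the image only if every feature really ended up enabled. The WIM, mount and source paths are assumptions; on Windows 8 and later NetFx3 is a feature on demand, so the \sources\sxs folder from the install media has to be passed as the payload source.

```powershell
# Added example (not from the original post): enable .NET Framework 3.5 and the
# Telnet Client in a mounted install.wim with the DISM PowerShell module.
# All paths below are assumptions; adjust them to your deployment share.
#Requires -RunAsAdministrator
param(
    [string]  $WimPath  = 'D:\DeploymentShare\Operating Systems\Win81\sources\install.wim',
    [int]     $Index    = 1,
    [string]  $MountDir = 'C:\Mount',
    # NetFx3 has no payload in the image on Windows 8 and later, so DISM needs
    # the sxs folder from the install media as -Source.
    [string]  $Source   = 'D:\DeploymentShare\Operating Systems\Win81\sources\sxs',
    [string[]]$Features = @('NetFx3', 'TelnetClient')
)

Import-Module Dism

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $MountDir | Out-Null
try {
    foreach ($feature in $Features) {
        $state = (Get-WindowsOptionalFeature -Path $MountDir -FeatureName $feature).State
        if ($state -eq 'Enabled') {
            Write-Host "$feature is already enabled, skipping"
            continue
        }
        # -All also enables parent features; -LimitAccess keeps DISM from
        # reaching out to Windows Update for the payload.
        Enable-WindowsOptionalFeature -Path $MountDir -FeatureName $feature -All `
            -Source $Source -LimitAccess | Out-Null
    }

    # Verify before committing so that a failed enable never lands in the WIM.
    $notEnabled = Get-WindowsOptionalFeature -Path $MountDir |
        Where-Object { $_.FeatureName -in $Features -and $_.State -ne 'Enabled' }
    if ($notEnabled) {
        throw "Features not enabled: $($notEnabled.FeatureName -join ', ')"
    }

    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    Write-Host "Committed $($Features -join ', ') to $WimPath index $Index"
}
catch {
    # Discard the mount so a half-serviced image is never saved.
    Write-Error $_
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
}
```

The same operations are available from DISM.exe (`/Mount-Wim`, `/Enable-Feature /FeatureName:NetFx3 /All /Source:... /LimitAccess`, `/Unmount-Wim /Commit`); the cmdlets are used here because they return the feature state as an object, which makes the verify-before-commit step straightforward.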

  1. Open the Microsoft Windows System Image Manager as Admin 
  2. Choose File -> Open Answer File 
  3. Select the appropriate .WIM image file 
  4. Importing the image to the console may take some time as it requires a Catalog File (.clg); this file is created automatically if one does not exist, however depending on your system it may take as much as a few hours the first time. 
  5. You may either choose to create a new Answer File or import the existing one; I recommend that you use the existing one that MDT or SCCM creates when you build the Task Sequence the first time. 
  6. For MDT your Unattend file should be located at \\<MDT Server>\DeploymentShare$\Control\<Task Sequence ID>\Unattend.xml 
  7. In the Windows Image pane there are two trees, one for components and another for packages. Components contains all the possible settings that can be changed for your Windows image; packages contains all the possible features that can be added to your image. First things first, we will add two new features to our image, the first being Microsoft .Net Framework 3.5.1 and the second being the Telnet Client. 
  8. In the Windows Image pane click on the Packages tree -> Foundation -> amd64_Microsoft-Windows-Foundation-Package 
  9. Right click and choose Add to Answer File 
  10. Two changes should have occurred in the console: you should see the package listed at the bottom of the Answer File tree, and the options for editing should appear in the far right panel 
  11. At this point select your package of choice from the right-hand panel 
  12. Click on the pull-down menu on the right-hand side and choose Enable 
  13. Click File -> Save Answer File in order to save the answer file and check that the file can be validated 
  14. Your Messages pane should be free of any related errors, as seen below 
  15. That's it, you have added the Telnet Client to all computers that will receive this answer file.

Setting the Default Search Engine for Internet Explorer

This came up a few years ago: we had so many help desk requests to change the default search engine that my manager asked me if there was a way I could script a solution. Sure, you can script it, which would be great for regular deployments, but for simplicity's sake one place for as many changes as possible is always preferable.

  1. Open the Microsoft Windows System Image Manager 
  2. Choose File -> Open Answer File 
  3. Select the appropriate .WIM image file 
  4. Importing the image to the console may take some time as it requires a Catalog File (.clg); this file is created automatically if one does not exist, however depending on your system it may take as much as a few hours the first time. 
  5. On the bottom left-hand side, within the Windows Image pane, choose the Components tree 
  6. Once the Components branch is opened, right click on amd64_Microsoft-Windows-IE-InternetExplorer_11.0.9600.16384_neutral 
  7. Choose Add Setting to Pass 4 specialize 
  8. Within the Answer File pane amd64_Microsoft-Windows-IE-InternetExplorer_11.0.9600.16384_neutral should now have appeared as an option 
  9. Open the new branch, right click on SearchScopes and choose Insert New Scope 
  10. Insert the information from the table below into your Answer File:

      Setting                  Value
      Display Quick Pick       True
      Favicon URL              http://www.google.com/favicon.ico
      ScopeDefault             True (overwrites Bing)
      ScopeDisplayName         Blass Deployment Solutions Google Search (replace Blass Deployment Solutions with your own company name)
      ScopeKey                 1
      ScopeUrl                 http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
      ShowSearchSuggestions    True
      ShowTopSearch            True
      ShowTopResult            True
      SuggestionsURL           http://clients5.google.com/complete/search?q={searchTerms}&client=ie8&mw={ie:maxWidth}&sh={ie:sectionHeight}&rh={ie:rowHeight}&inputencoding={inputEncoding}&outputencoding={outputEncoding}

  11. Save the file and copy it to the appropriate folder within <DeploymentShare>\Control\<TaskSequenceName> for MDT, or add it to the package for SCCM, and you're done.

QA: Microsoft Windows 7 x86, Microsoft Windows 7 x64, Microsoft Windows Server 2008 R2, Microsoft Windows 8 x86, Microsoft Windows 8 x64, Microsoft Windows Server 2012, Microsoft Windows 8.1 x86, Microsoft Windows 8.1 x64, and Microsoft Windows Server 2012 R2.
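The same search scope can also be scripted straight into the answer file, which helps when the change has to be repeated across several task sequences. The following is an added example, not the post's own code: it loads an existing Unattend.xml, finds or creates the specialize-pass Internet Explorer component, and appends a Scope element carrying the values from the table above. The component attributes and the wcm namespace are the ones WSIM writes for an amd64 image; the UNC path and company name are assumptions, and the Display Quick Pick and ShowTopSearch rows are left out because I am not certain of their element names in the unattend schema.

```powershell
# Added example (not from the original post): write the Google search scope
# from the table above into an existing Unattend.xml without opening WSIM.
# The path and company name are assumptions; the XML layout follows what WSIM
# emits for the amd64 Microsoft-Windows-IE-InternetExplorer component.
param(
    [string]$UnattendPath = '\\MDT01\DeploymentShare$\Control\WIN81-X64\Unattend.xml',  # assumed
    [string]$CompanyName  = 'Contoso'   # stands in for "Blass Deployment Solutions"
)

$ns  = 'urn:schemas-microsoft-com:unattend'
$wcm = 'http://schemas.microsoft.com/WMIConfig/2002/State'

[xml]$doc = Get-Content -LiteralPath $UnattendPath -Raw
$nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$nsm.AddNamespace('u', $ns)

# Pass 4 "specialize"; create the settings element if the answer file lacks it.
$settings = $doc.SelectSingleNode("/u:unattend/u:settings[@pass='specialize']", $nsm)
if (-not $settings) {
    $settings = $doc.CreateElement('settings', $ns)
    $settings.SetAttribute('pass', 'specialize')
    $doc.DocumentElement.AppendChild($settings) | Out-Null
}

# The IE component; attribute values mirror WSIM's own output for amd64.
$comp = $settings.SelectSingleNode("u:component[@name='Microsoft-Windows-IE-InternetExplorer']", $nsm)
if (-not $comp) {
    $comp = $doc.CreateElement('component', $ns)
    $attrs = [ordered]@{
        name                  = 'Microsoft-Windows-IE-InternetExplorer'
        processorArchitecture = 'amd64'
        publicKeyToken        = '31bf3856ad364e35'
        language              = 'neutral'
        versionScope          = 'nonSxS'
    }
    foreach ($k in $attrs.Keys) { $comp.SetAttribute($k, $attrs[$k]) }
    $settings.AppendChild($comp) | Out-Null
}

$scopes = $comp.SelectSingleNode('u:SearchScopes', $nsm)
if (-not $scopes) { $scopes = $comp.AppendChild($doc.CreateElement('SearchScopes', $ns)) }

# Two scopes with the same ScopeKey fail WSIM validation, so refuse to add one.
if ($scopes.SelectSingleNode("u:Scope[u:ScopeKey='1']", $nsm)) {
    throw 'A Scope with ScopeKey 1 already exists in this answer file.'
}

$scope = $scopes.AppendChild($doc.CreateElement('Scope', $ns))
$action = $doc.CreateAttribute('wcm', 'action', $wcm)   # wcm:action="add"
$action.Value = 'add'
$scope.Attributes.Append($action) | Out-Null

# Values from the settings table in the post.
$values = [ordered]@{
    ScopeKey              = '1'
    ScopeDefault          = 'true'
    ScopeDisplayName      = "$CompanyName Google Search"
    ScopeUrl              = 'http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}'
    FaviconURL            = 'http://www.google.com/favicon.ico'
    ShowSearchSuggestions = 'true'
    ShowTopResult         = 'true'
    SuggestionsURL        = 'http://clients5.google.com/complete/search?q={searchTerms}&client=ie8&mw={ie:maxWidth}&sh={ie:sectionHeight}&rh={ie:rowHeight}&inputencoding={inputEncoding}&outputencoding={outputEncoding}'
}
foreach ($k in $values.Keys) {
    $el = $doc.CreateElement($k, $ns)
    $el.InnerText = $values[$k]      # InnerText escapes the & characters in the URLs
    $scope.AppendChild($el) | Out-Null
}

# Keep a backup of the original before overwriting the share copy.
Copy-Item -LiteralPath $UnattendPath -Destination "$UnattendPath.bak" -Force
$doc.Save($UnattendPath)
Write-Host "Added search scope '$($values.ScopeDisplayName)' to $UnattendPath"
```

After running it, open the file in WSIM once and use Tools -> Validate Answer File: the scripted element has to pass the same validation as one entered by hand before it goes into a task sequence.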

Happy deployments all, and I look forward to hearing from you; as usual questions, comments and even requests are welcome :-)

    Thursday, August 7, 2014

    Managing BitLocker Computers in your Organization the easy way...

    A couple of days ago my manager came to me asking for a more unified way to manage our TPM-enabled computers and to bring up our compliance rate for BitLocker encryption. For those of you dealing with multiple vendors, as I am, this raises large issues, as there is very little standardization in the market regarding BIOS settings access from within the operating system. 

    Challenges to face...

    First and foremost, what we need to consider is the inconsistency between different operating systems and how they control the Trusted Platform Module. There are also differences in commands and in the BitLocker architecture that we need to account for. In this script I have accounted for Microsoft Windows 7 and up.

    Operating System          Language
    Microsoft Windows 7       Batch
    Microsoft Windows 8       PowerShell
    Microsoft Windows 8.1     PowerShell

    Secondly we need to account for the various manufacturers and how they interact with the BIOS, each with its own WMI structure. This script accounts for the manufacturers below and enables the TPM in the BIOS without any user interaction.

    Manufacturer              Solution
    Toshiba                   TPM.vbs
    Lenovo                    TPM.vbs
    Dell                      Dell Client Configuration Toolkit
    Hewlett Packard           TPM.vbs

    Stages

    In order to activate the TPM and encrypt your machines we have four stages:

    Stage                     Purpose
    Enable TPM in BIOS        Assuming the TPM is disabled in the BIOS, it must be enabled.
    Initialize the TPM        Windows requires us to initialize the TPM, making its features available to Windows.
    Take Ownership            Grant ownership of (permissions on) the TPM to the user currently running the script, or in this case all Administrators on the machine.
    Encrypt the Hard Disk     Encryption of the hard disk.

    Because of these stages there are also three required reboots, but we will let the Task Sequence manage these reboots and the re-running of the script.
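An added example (not the post's TPM script) that maps a machine onto those four stages from the WMI classes present on Windows 7 and later, so a Task Sequence step can tell where a machine stopped after each reboot. It only reads state; enabling the TPM in the BIOS still needs the vendor tool from the table above, and the Manufacturer field it returns is what you would key that choice on. Run it elevated; the drive letter defaults to C:.

```powershell
# Added example (not from the original post): report which of the four stages
# (enable in BIOS, initialize, take ownership, encrypt) a machine has reached.
# Uses Win32_Tpm and Win32_EncryptableVolume, available on Windows 7 and later.
function Get-TpmBitLockerStage {
    param([string]$Drive = 'C:')

    $manufacturer = (Get-WmiObject -Class Win32_ComputerSystem).Manufacturer

    # No Win32_Tpm instance usually means the TPM is absent or still disabled
    # in the BIOS, which is the post's stage 1 starting assumption.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    $enabled   = if ($tpm) { [bool]$tpm.IsEnabled().IsEnabled }     else { $false }
    $activated = if ($tpm) { [bool]$tpm.IsActivated().IsActivated } else { $false }
    $owned     = if ($tpm) { [bool]$tpm.IsOwned().IsOwned }         else { $false }

    # BitLocker state of the OS volume: ProtectionStatus 0 = off, 1 = on, 2 = unknown.
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter = '$Drive'" `
                         -ErrorAction SilentlyContinue
    $protection = if ($vol) { [int]$vol.GetProtectionStatus().ProtectionStatus } else { 2 }
    $percent    = if ($vol) { [int]$vol.GetConversionStatus().EncryptionPercentage } else { 0 }

    if (-not $enabled) {
        $stage = 1; $next = 'Enable TPM in BIOS (vendor tool, then reboot)'
    }
    elseif (-not $activated) {
        $stage = 2; $next = 'Initialize the TPM (reboot required)'
    }
    elseif (-not $owned) {
        $stage = 3; $next = 'Take ownership of the TPM'
    }
    elseif ($protection -ne 1) {
        $stage = 4; $next = "Encrypt $Drive with BitLocker ($percent% converted so far)"
    }
    else {
        $stage = 5; $next = 'Complete: TPM owned and volume protected'
    }

    [pscustomobject]@{
        Manufacturer     = $manufacturer
        TpmPresent       = [bool]$tpm
        TpmEnabled       = $enabled
        TpmActivated     = $activated
        TpmOwned         = $owned
        ProtectionStatus = $protection
        Stage            = $stage
        NextAction       = $next
    }
}

Get-TpmBitLockerStage | Format-List
```

In a Task Sequence the Stage value is the natural thing to drop into a task sequence variable so that each run of the script after a reboot picks up exactly where the previous one left off, instead of re-running every step.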

    Add the Package 

    1. Copy the Files to a temporary location
    2. Open the Deployment Workbench 
    3. Navigate to the Applications Node 
    4. Create an appropriate folder if you do not have one already 
    5. Right click on your folder and choose new application 
    6. Choose Application with Source Files and click Next 
    7. Specify the Details for this Application
    8. Enter a Source Directory (Your Temp Location) and click Next 
    9. Click Next 
    10. Enter the Name of the Batch 
    11. Click Next 
    12. Click Finish 
    13. Right click on your application and choose Properties 
    14. Check Hide this application and click Apply 


    Changes to the Task Sequence

    1. Navigate to the Task Sequences Node 
    2. Right click on the relevant Task Sequence and choose properties 
    3. Choose the Task Sequence Tab 
    4. Scroll down toward the end of your Task Sequence, after the Install Applications task, click Add and choose Create a New Group if you do not already have an appropriate one
    5. Click on your group and return to the Add button and choose General-> Install Application 
    6. Choose Install a single Application 
    7. Click Browse and Navigate to the TPM Universal Application and click OK 
    8. Copy and paste from Application to Install to Name 
    9. Click on the Options Tab 
    10. Click on Add and Choose If Statement 
    11. Choose Any Conditions 
    12. Click on Add, choose Query WMI 
    13. Change WMI namespace to root\WMI
    14. WQL Query: SELECT * FROM BiosSetting WHERE TPM = "Enable" 
    15. Click on Add, choose Query WMI 
    16. Change WMI namespace to root\WMI
    17. WQL Query: SELECT * FROM BiosSetting WHERE TPM = "Disable"
    18. Click on Add, choose Query WMI
    19. Change WMI namespace to root\WMI 
    20. WQL Query: SELECT * FROM Lenovo_SetBiosSetting WHERE SecurityChip = "Active" 
    21. Click on Add, choose Query WMI 
    22. Change WMI namespace to root\WMI 
    23. WQL Query: SELECT * FROM Lenovo_SetBiosSetting WHERE SecurityChip = "Inactive" 
    24. Click on Add, choose Query WMI 
    25. Change WMI namespace to root\WMI 
    26. WQL Query: SELECT * FROM Lenovo_SetBiosSetting WHERE SecurityChip = "Disable" 
    27. Click on Add, choose Query WMI, and change WMI namespace to Root\HP\InstrumentedBios 
    28. WQL Query: SELECT * FROM HP_BIOSSettingInterface WHERE "TPM Device" Like "%%" 
    29. Click on Add, choose Query WMI 
    30. WQL Query: SELECT * FROM Win32_ComputerSystem WHERE Manufacturer = "Dell" 
    31. Check the Check Box Continue on Error and Click Apply 
    32. Click on Add -> General -> Restart the Computer 
    33. Repeat Steps 7-11 to account for all scenarios in the script and click Apply when finished
    34. Repeat Steps 11-30 for all six steps in your Task Sequence
    35. When you are finished your Task Sequence should appear like this 
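Before trusting a WMI condition in the Options tab it pays to run it on a sample machine from each vendor. The following added example (not from the post) evaluates a list of namespace/query pairs the way the Task Sequence does, true when at least one instance comes back, and reports queries that error out, which happens whenever a vendor-specific class is missing on another vendor's hardware and is the reason Continue on Error is ticked above. The queries are copied from the steps above; the Dell one is written with LIKE and against root\cimv2 because Win32_ComputerSystem lives in that namespace and reports the manufacturer as "Dell Inc.". If a query errors on hardware where its class should exist, fix the query before relying on it in the Task Sequence.

```powershell
# Added example (not from the original post): dry-run Task Sequence WMI
# conditions locally. A condition is "true" when the query returns at least
# one instance; an invalid namespace or class is reported rather than thrown.
function Test-TsWmiCondition {
    param(
        [Parameter(Mandatory = $true)][string]$Namespace,
        [Parameter(Mandatory = $true)][string]$Query
    )
    try {
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        [pscustomobject]@{
            Namespace = $Namespace
            Query     = $Query
            Matches   = $hits.Count
            Result    = ($hits.Count -gt 0)
            Error     = $null
        }
    }
    catch {
        # Typical on the "wrong" vendor: "Invalid namespace" or "Invalid class".
        [pscustomobject]@{
            Namespace = $Namespace
            Query     = $Query
            Matches   = 0
            Result    = $false
            Error     = $_.Exception.Message
        }
    }
}

# Conditions taken from the task sequence steps above, plus the Dell check in
# its real namespace with a LIKE so that "Dell Inc." matches.
$conditions = @(
    @{ Namespace = 'root\WMI';               Query = 'SELECT * FROM BiosSetting WHERE TPM = "Enable"' },
    @{ Namespace = 'root\WMI';               Query = 'SELECT * FROM BiosSetting WHERE TPM = "Disable"' },
    @{ Namespace = 'root\WMI';               Query = 'SELECT * FROM Lenovo_SetBiosSetting WHERE SecurityChip = "Active"' },
    @{ Namespace = 'root\WMI';               Query = 'SELECT * FROM Lenovo_SetBiosSetting WHERE SecurityChip = "Inactive"' },
    @{ Namespace = 'root\HP\InstrumentedBios'; Query = 'SELECT * FROM HP_BIOSSettingInterface WHERE "TPM Device" Like "%%"' },
    @{ Namespace = 'root\cimv2';             Query = 'SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "Dell%"' }
)

$results = $conditions | ForEach-Object { Test-TsWmiCondition -Namespace $_.Namespace -Query $_.Query }
$results | Format-Table Result, Matches, Namespace, Query, Error -AutoSize

# The Task Sequence "Any conditions" group is true if any single condition is true.
$anyTrue = [bool]($results | Where-Object { $_.Result })
Write-Host "Any condition true: $anyTrue"
```

Running this on one machine per vendor gives you a table of which conditions fire where, and turns the per-vendor error rows into evidence of why the step still needs Continue on Error rather than something discovered mid-deployment.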

    That's it: standardization in TPM and BitLocker management the easy way!

    Of course, as usual, all scripts and other free content are available from my Google Drive at the following address: Script Location 

    I hope you enjoyed this blog entry, and as usual I fully encourage you to share your comments, questions and/or thoughts.