Enable Credential Guard in Windows 10 during OSD w/ ConfigMgr

I set this up a couple of weeks ago and have been meaning to write something up.  Then, before I could, Peter over at syscenramblings posted a nice how-to HERE.

I’m going to post mine anyway, even if it’s not as fancy.  I’ve been going with the “KISS principle (keep it stupid simple)” model for OSD, and it’s been working well for me.  So while, sure, you can do it in one step, I’m going to show you how to do it in several additional steps, with no packages required.

All information used to create these steps was based on this TechNet article: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard
I did find what appears to be a discrepancy in their documentation; I make more notes about it at the bottom.

My example is done on a new Dell laptop with UEFI and Secure Boot enabled in the BIOS.
My Credential Guard setup is:

  1. Require Secure Boot and DMA Protection
  2. Credential Guard Enabled

I’ve got two sections in my TS setup for this, one Group that installs the Windows Components, and another that sets the registry keys.

  1. Group “Enable HyperV & Isolated User Mode UEFI” – This is done nearly right after applying the image.  My image gets loaded to drive C, so you’ll want to make sure you adjust accordingly.  This is still while in PE, even before loading the drivers.
    1. Enable HyperV Role – Step 1
      cmd /c Dism.exe /image:c: /Enable-Feature /FeatureName:Microsoft-Hyper-V /All
    2. Enable HyperV Role – Step 2 (This is Optional, I like to add the Client tools as many of my users use Local Virtual Machines)
      cmd /c Dism.exe /image:c: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Management-Clients /All
    3. Enable Isolated User Mode – Step 3
      cmd /c Dism.exe /image:c: /Enable-Feature /FeatureName:IsolatedUserMode
  2. Group “Turn on Credential Guard” – Much later in the TS, typically after I’ve already installed apps, etc.
    1. Tweak – Enable virtualization-based security Key 1
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V EnableVirtualizationBasedSecurity /T REG_DWORD /D 1 /F
    2. Tweak – Enable virtualization-based security Key 2 *Differs from TechNet documentation, see notes below.
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V RequirePlatformSecurityFeatures /T REG_DWORD /D 3 /F
    3. Tweak – Enable virtualization-based security Key 3
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" /V LsaCfgFlags /T REG_DWORD /D 1 /F

Just make sure you get a reboot in there.  I had a few reboots in my TS between the first group and after the last group for other processes, and since I already had reboots for those steps, I didn’t need to add any additional ones.  I would suggest doing what Peter illustrates in his post and adding a reboot outside of the Task Sequence; I’ve been doing this for a couple of years to resolve other issues, at the advice of Johan during one of his sessions.  Peter’s blog shows a nice illustration of how to set that up.
After first logon, I double-check msinfo32 to confirm that Credential Guard is indeed running with the settings I wanted.

One thing I’ve noticed seems to be a discrepancy in the TechNet article.

When I set RequirePlatformSecurityFeatures to 2, msinfo32 does not list Secure Boot.

However, if I set that key to 3, it then reports Secure Boot as well.

While I honestly don’t know if this makes a difference, I’d really like it to show up in msinfo32 correctly.  If you set the setting via Group Policy and NOT OSD, it does show correctly, and Group Policy sets the registry value to 3.  So that’s what I’m going with.

PS. I also have it set up in Group Policy, using the settings outlined in that article, for the machines that were imaged before I implemented this.  After imaging, once Group Policy applies, it does “fix” the registry keys you set during OSD, and it then shows up in msinfo32 correctly.  I’d just like to get it right out of the gate instead of having to wait for Group Policy to kick in and reboot the machine.

Group Policy will also add the registry key HypervisorEnforcedCodeIntegrity, which I’m not setting at all during OSD.
Here are the settings from a machine set up via Group Policy post OSD:

Here is one that is set up through OSD, before Group Policy updates it:

I hope you find this useful.

For the machines that I had already deployed, I used Group Policy to enable the settings, and pushed out an Application to finish the setup.
I changed Return Code 0 to “Hard Reboot” so that when it’s done it requests a reboot, which lets the feature installs finish.  The Detection Method will also fail until after the reboot, as it is looking for the feature IsolatedUserMode to be enabled in the registry.

Batch File: You don’t need the registry info in there, but in case you want to set this up without Group Policy, just add the keys.  I had it set that way so I could test before using Group Policy.
———

dism /online /Enable-Feature /FeatureName:IsolatedUserMode /LogPath:C:\CABS\InstalLLogs\IsolatedUserMode.log /NoRestart

REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V EnableVirtualizationBasedSecurity /T REG_DWORD /D 1 /F
REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V RequirePlatformSecurityFeatures /T REG_DWORD /D 3 /F
REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" /V LsaCfgFlags /T REG_DWORD /D 1 /F

—————


I only had to enable the feature IsolatedUserMode because I have HyperV enabled on all of my Windows 10 machines by default in OSD.  If you didn’t do this, you can modify that line to look like:

dism /online /Enable-Feature /FeatureName:IsolatedUserMode /FeatureName:Microsoft-Hyper-V /All /LogPath:C:\CABS\InstalLLogs\IsolatedUserMode.log /NoRestart
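As an added example (not from the original post), here is a PowerShell script that checks everything this post sets: the three registry values, the two Windows features, and the Win32_DeviceGuard WMI class that reports the same state msinfo32 shows. It covers both the msinfo32 double-check described above and the Application detection method. Registry paths, feature names and the expected value 3 are the post's own; the WMI class name and its value codes come from the Credential Guard documentation, and the script assumes an elevated session.

```powershell
# Added example, not part of the original post: checks the Credential Guard state this post
# configures. Registry values, feature names and the expected value 3 are the post's; the
# Win32_DeviceGuard class and its value codes are from the Credential Guard documentation.
# Needs an elevated session (ConfigMgr runs detection scripts as SYSTEM, which is fine).

function Test-CredentialGuardState {
    # Returns a list of problems; an empty list means everything is as expected.
    $expectedReg = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity'; Value = 1 }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'RequirePlatformSecurityFeatures';   Value = 3 }  # 3 = Secure Boot + DMA
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA';         Name = 'LsaCfgFlags';                       Value = 1 }
    )
    $expectedFeatures = 'Microsoft-Hyper-V', 'IsolatedUserMode'

    # Value codes reported by Win32_DeviceGuard (what msinfo32 renders as text).
    $securityProperties = @{ 1 = 'Base Virtualization Support'; 2 = 'Secure Boot'; 3 = 'DMA Protection' }
    $securityServices   = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor enforced Code Integrity' }

    $problems = @()

    foreach ($r in $expectedReg) {
        $actual = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        if ($actual -ne $r.Value) { $problems += "$($r.Name) is '$actual', expected $($r.Value)" }
    }

    foreach ($f in $expectedFeatures) {
        $state = (Get-WindowsOptionalFeature -Online -FeatureName $f -ErrorAction SilentlyContinue).State
        if ("$state" -ne 'Enabled') { $problems += "Feature $f is '$state', expected Enabled" }
    }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -eq $dg) {
        $problems += 'Win32_DeviceGuard class not available (not a supported Windows 10 build?)'
        return $problems
    }
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    if ($dg.VirtualizationBasedSecurityStatus -ne 2) {
        $problems += "Virtualization-based security status is $($dg.VirtualizationBasedSecurityStatus), expected 2 (running)"
    }
    $required = @($dg.RequiredSecurityProperties | ForEach-Object { $securityProperties[[int]$_] })
    $running  = @($dg.SecurityServicesRunning   | ForEach-Object { $securityServices[[int]$_] })
    # The post found that with RequirePlatformSecurityFeatures = 2 msinfo32 did not list Secure Boot;
    # this check expects both properties, which the post observed with value 3.
    foreach ($p in 'Secure Boot', 'DMA Protection') {
        if ($required -notcontains $p) { $problems += "Required security property '$p' is not reported" }
    }
    if ($running -notcontains 'Credential Guard') { $problems += 'Credential Guard is not running' }
    return $problems
}

# ConfigMgr script detection method: exit 0 with something on STDOUT means "installed";
# exit 0 with nothing on STDOUT means "not installed".
$problems = @(Test-CredentialGuardState)
if ($problems.Count -eq 0) {
    Write-Output 'Credential Guard configured and running'
} else {
    $problems | ForEach-Object { Write-Warning $_ }   # warning stream, so nothing reaches STDOUT
}
exit 0
```

Run it interactively after first logon to see the same facts msinfo32 shows, or paste it in as the Application's script detection method in place of the registry check for IsolatedUserMode.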

Hope this was useful.  Feel free to leave a comment.

OneDrive Disable / Hide in Windows 10

OneDrive, if you’re not using it, is just another annoying thing in Windows 10.  If you’re able to use it, awesome.  But for those environments that want it gone, here is how I’ve removed it from our environment.  I’m using several methods to attack this thing to drive it into submission.


  1. OSD Steps
  2. Group Policy
  3. AppLocker

So, let me break this down:

  1. OSD (3 Steps) – Scripts available Here
    1. Tweak – Remove OneDrive ShellFolder (Command Line Step)
      REG ADD "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder" /V Attributes /T REG_DWORD /D 4035969101 /F
    2. Tweak – Delete OneDriveSetup registry Key (Command Line Step)
      OneDriveRemove\DeleteOneDriveSetup-DefaultUser-RegisteryRun.cmd
      Batch File Contents: (mounts the Default user profile hive and deletes the OneDrive Run entry)
      reg.exe load HKEY_LOCAL_MACHINE\defuser c:\users\default\ntuser.dat
      reg.exe delete HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDriveSetup /f
      reg.exe unload HKEY_LOCAL_MACHINE\defuser
    3. Tweak – Remove OneDrive App (Command Line Step)
      %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall

  2. Group Policy (make sure you have the latest 1511 ADMX files)
    1. Machine Policy \ Administrative Templates\Windows Components\OneDrive
      Prevent the usage of OneDrive for file storage = Enabled

  3. AppLocker (Add to your already implemented AppLocker configuration, not covering that here)
    1. Deny ONEDRIVESETUP.EXE, in WINDOWS LIVE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
      1. Create New EXE Rule, Choose Deny
      2. Choose Publisher
      3. Browse to c:\Windows\SysWOW64 and choose OneDriveSetup.exe
      4. Change the Slider to File Name, so it will block any version of that file.
      5. Leave the Exceptions default (Blank)
      6. Add Description if you like
      7. Click Create

After implementing these 3 processes, OneDrive is no longer showing up in our environment.

Pin Items to TaskBar during OSD in Windows 10 (1511)


This one took me a little while.  The hard one was Internet Explorer, which I had to do completely differently than the others.

In this post I’ll give two ways to do it.  The first way worked for all of them but Internet Explorer, and I was able to do it natively without any 3rd-party tools.  The second way uses a free utility a community member wrote, which I was able to use to pin Internet Explorer.  Note: I was unable to remove Edge from the taskbar; still haven’t figured that one out yet.
The Scripts used are located HERE in the subfolder TaskBarPins

Method 1 – Registry Edit & File Copy – Using this to Pin the Office Icons

  1. Create your Folder for the Source Files on your ConfigMgr Source Share
  2. Pin all of the Items you want
  3. Copy the contents from %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar to a Subfolder in your Source called TaskBar
  4. Export this KEY from the registry to your Source Folder: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
  5. Edit your exported Registry File, replace HKEY_Current_User with HKEY_LOCAL_MACHINE\defuser, so the string looks like:
    [HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
  6. Create a Batch file that contains these lines: (This will mount the default profile hive, allow you to import your exported keys into the default user profile registry, and copy the shortcuts into the default user TaskBar location)
    reg.exe load HKEY_LOCAL_MACHINE\defuser c:\users\default\ntuser.dat
    reg.exe import "TaskBarPins\TaskBarPinItems-OfficeOWXP.reg"
    reg.exe unload HKEY_LOCAL_MACHINE\defuser

    xcopy TaskBarPins\TaskBar\*.lnk "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /Q /Y /I

  7. Add a Command Line Step in the TS – cmd.exe /c TaskBarPins\TaskBarPinItems.cmd, referencing the Windows10 OSD Package
    My Windows 10 OSD Package contains all of the tweaks in one package, which is why in the command line I have to reference the folder name, then the script.

Method 2 – Using the PinTo10.exe tool provided by a community member – This was the only way I’ve been successful in getting IE to pin to the TaskBar.  Information was found here on Connect.Microsoft.Com – You can get the utility referenced in that thread HERE – It will also be in the download I provide with all of the scripts HERE

  1. Create your Folder for the Source Files on your ConfigMgr Source Share (I’m using the same folder as the one created for Method 1).
  2. Create a batch file called PinTo10-Setup.cmd with these contents (sorry for word wrap):
    reg.exe load HKEY_LOCAL_MACHINE\defuser c:\users\default\ntuser.dat
    reg.exe ADD HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v PinIE /T REG_SZ /D "c:\cabs\PinTo10IE.cmd" /F
    reg.exe unload HKEY_LOCAL_MACHINE\defuser

    xcopy "TaskBarPins\TaskBar\Internet Explorer.lnk" "c:\programdata\Microsoft\Windows\Start Menu\Programs\Accessories" /Q /Y /I
    xcopy "TaskBarPins\PinTo10IE.cmd" "c:\cabs" /Q /Y /I
    xcopy "TaskBarPins\PinTo10.exe" "c:\cabs" /Q /Y /I

  3. Create a batch file called PinTo10IE.cmd with these contents:
    @echo off
    ECHO Pinning Internet Explorer to TaskBar
    c:\Cabs\PinTo10.exe /PTFOL01:"c:\programdata\Microsoft\Windows\Start Menu\Programs\Accessories" /PTFILE01:"Internet Explorer.lnk"

  4. Save those 2 batch files & the PinTo10.exe you downloaded to your Source Folder; it should look similar to my example in Method 2 – Step 1.
  5. In the TS, add a Command Line Step: cmd /c TaskBarPins\PinTo10-Setup.cmd, referencing the Windows10 OSD Package

Basically what’s happening: the setup script adds a line to the RunOnce registry key that triggers PinTo10IE.cmd on a user’s first logon.  It then copies the shortcut it will pin to the Taskbar into the ProgramData folder, and the PinTo10.exe utility & PinTo10IE.cmd files to c:\Cabs.  At first logon, you’ll see a command box pop up while it’s doing the pin.  Then you’ll see Internet Explorer show up in the TaskBar.
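The "load the Default user hive, change it, unload it" pattern shows up three times on this page: the OneDrive Run-key removal, the Taskband import in Method 1, and the RunOnce entry in Method 2. As an added example (not from the original post), here is that pattern as one PowerShell function with the handle clean-up that reg.exe unload needs, applied to those three edits. Mount point, hive path, file names and registry values are the post's; it assumes the deployed OS is on C: and that PowerShell is available in the phase where the step runs.

```powershell
# Added example, not part of the original post: one reusable wrapper for the load/edit/unload
# of C:\Users\Default\NTUSER.DAT that the OneDrive and Taskbar batch files on this page do by
# hand. Mount point (HKLM\defuser) and file names are the post's; the rest is assumed.

function Invoke-WithDefaultUserHive {
    param(
        [string]$HiveFile = 'C:\Users\Default\NTUSER.DAT',
        [string]$MountKey = 'HKLM\defuser',            # same mount point the post's batch files use
        [Parameter(Mandatory)][scriptblock]$Action
    )
    & reg.exe load $MountKey $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load of $HiveFile failed (exit $LASTEXITCODE)" }
    try {
        & $Action
    } finally {
        # The PowerShell registry provider keeps key handles open after Get/Set/Remove-ItemProperty;
        # reg.exe unload reports "Access is denied" until they have been collected.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload $MountKey | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe unload $MountKey failed; the hive may still be loaded" }
    }
}

# 1. OneDrive post, step 2: drop the OneDriveSetup Run entry from the default profile.
Invoke-WithDefaultUserHive -Action {
    $run = 'HKLM:\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    Remove-ItemProperty -Path $run -Name 'OneDriveSetup' -ErrorAction SilentlyContinue
}

# 2. Taskbar post, Methods 1 and 2: import the exported Taskband key and add the RunOnce
#    entry that launches PinTo10IE.cmd at first logon. Relative paths assume the TS working
#    directory is the OSD package root, as in the post's command line steps.
Invoke-WithDefaultUserHive -Action {
    & reg.exe import 'TaskBarPins\TaskBarPinItems-OfficeOWXP.reg' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed (exit $LASTEXITCODE)" }
    $runOnce = 'HKLM:\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    New-ItemProperty -Path $runOnce -Name 'PinIE' -PropertyType String -Value 'c:\cabs\PinTo10IE.cmd' -Force | Out-Null
}

# 3. The shortcut copy from Method 1, done after the hive is unloaded (it does not need it).
$pinDir = 'C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
New-Item -ItemType Directory -Path $pinDir -Force | Out-Null
Copy-Item -Path 'TaskBarPins\TaskBar\*.lnk' -Destination $pinDir -Force
```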


If you like, you can modify the PinTo10IE.cmd file to include all of the items you wish to pin and do all of them in one step.  I already had the Office icons set up, so I didn’t bother changing everything over.

Wipe Drive with Active Kill Disk Task Sequence w/ Logs

For those of you who have Active Kill Disk, and want to automate it with ConfigMgr, this is how I’ve done it.  This is very similar to the sdelete TS I made, however sdelete was not approved by our security team, so I had to reinvent with Active Kill disk. Active Kill Disk did offer some additional functionality, so I’ve redone this post with Active Kill Disk for those of you who might want to try this.

  • First, install Active Kill Disk and Register it on a Test Computer
  • On your Source Server, create a Folder where you will keep the Package Contents
  • Copy the Files from your test machine to your Package Folder
    • C:\Program Files\LSoft Technologies\Active@ KillDisk Suite X.X (Use 9.2 and above to support x64 Boot Media)
    • Skip the KillDiskBootDisk.iso file
  • Next we’ll use a Batch File that will run the process and log the results to the server.
  • Download Scripts here (Contents shown below), and add it to your Package Source
  • Create a Package in ConfigMgr (no program) and distribute the contents.  You’ll then point your TS at this package to grab the files needed.

@echo off

REM Script to Wipe Computer using Active KillDisk to meet State Requirements
REM Creates Logs on Network Drive (L:) which you map in a task sequence step before the Script.
REM FingerPrints Computer with Wipe Results.
REM Created 08.01.2014 by Gary Blok

REM Create FlashDrive Removal Warning:
echo Remove Flash Drive From Machine if Present and Close this Box >>X:\Windows\FlashWarning.txt
echo Will Automatically Continue in 30 seconds >>X:\Windows\FlashWarning.txt
echo Flash Drive WILL BE ERASED if NOT Removed >>X:\Windows\FlashWarning.txt
start X:\Windows\FlashWarning.txt

REM Poor Man's way to pause the script for a short period allowing users to remove the flash Drive.
ping 10.1.1.1

REM - MAP NETWORK DRIVE FOR LOGS (Done in TS Step)
REM net use l: \\server.fqdn\DiskWipeResults /user:domain\useraccount PASSWORD REMOVED (in TS NOW)

REM - RUN KILLDISK PROCESS
REM Options = -ea (Erase all Disks)
REM Options = -em=3 (US DoD 5220.22-M ECE, 7 passes, verify)
REM Options = -bm (BatchMode = no user interaction)
REM Options = -fp (Finger Print = When computer boots, displays when it was wiped)
REM Options = -logpath & -certpath (Path where it will save the files)

%WinDir%\killdisk.exe -ea -em=3 -bm -fp -logpath=l:\ -certpath=x:\

REM - SET VARIABLE FOR TAG - Rename PDF File and Copy to Folder on Server (L:\Certificates)
REM http://killdisk.com/killdisk-faq.htm#serial
For /f "skip=2 tokens=2 delims=," %%i in ('wmic bios get serialnumber /FORMAT:csv') do (set "servicetag=%%i")
ren x:\*.pdf ServiceTag-%servicetag%.pdf
copy x:\*.pdf l:\Certificates\ /Y

REM - Append the ServiceTag number to the KILLDISK.LOG file (including date/time stamp) on Server (L:\KILLDISK.log)
echo %date:~4,10% %time:~0,10% ServiceTag#: %servicetag% >> l:\KILLDISK.LOG
echo -----------------------------------END OF WIPE PROCESS FOR %servicetag%------------------------------------------- >> l:\KILLDISK.LOG
echo .>> l:\KILLDISK.LOG
echo .>> l:\KILLDISK.LOG
echo .>> l:\KILLDISK.LOG
echo -----------------------------------NEXT WIPE PROCESS STARTS HERE-------------------------------------------------- >> l:\KILLDISK.LOG

REM - SET VARIABLES FOR REPORTING
for /F "skip=2 tokens=2 delims=," %%A in ('wmic systemenclosure get serialnumber /FORMAT:csv') do (set "serial=%%A")
set serial=%serial:~-15%
for /F "skip=2 tokens=2 delims=," %%A in ('wmic csproduct get vendor /FORMAT:csv') do (set "compvendor=%%A")
for /F "skip=2 tokens=2 delims=," %%A in ('wmic csproduct get name /FORMAT:csv') do (set "compname=%%A")
for /F "skip=2 tokens=2 delims=," %%A in ('wmic CPU get name /FORMAT:csv') do (set "CPUname=%%A")
for /F "skip=2 tokens=2 delims=," %%A in ('wmic computersystem get totalphysicalmemory /FORMAT:csv') do (set "memory=%%A")
set /a memory = memory / 1048576
for /F "skip=2 tokens=2 delims=," %%A in ('wmic diskdrive get size /FORMAT:csv') do (set "hddsize=%%A")
REM Drop the last 4 digits first so the 32-bit set /a does not overflow on large disks
set hdd=%hddsize:~0,-4%
set /a hdd=hdd/1048576
set TimeStamp=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%

REM Creates Network Log File (L:\DiskWipeResults.log) and appends information
echo. >>l:\DiskWipeResults.log
echo Date:             %TimeStamp% >>l:\DiskWipeResults.log
echo Serial:           %serial% >>l:\DiskWipeResults.log
echo Vendor:           %compvendor% >>l:\DiskWipeResults.log
echo Model:            %compname% >>l:\DiskWipeResults.log
echo CPU Type \ Speed:      %CPUname% >>l:\DiskWipeResults.log
echo Memory:          %Memory%MB >>l:\DiskWipeResults.log
echo HDD Size:         %hdd%GB >>l:\DiskWipeResults.log
echo ____________________________________________________________ >>l:\DiskWipeResults.log

REM Creates Network Label for Machine - (L:\DiskWipe-SerialTag.txt) - Print & Fill out and Tape to Physical Machine
echo Vendor:           %compvendor% >>l:\DiskWipe-%serial%.txt
echo Model:            %compname% >>l:\DiskWipe-%serial%.txt
echo Serial:           %serial% >>l:\DiskWipe-%serial%.txt
echo CPU Type \ Speed:      %CPUname% >>l:\DiskWipe-%serial%.txt
echo Memory:          %Memory%MB >>l:\DiskWipe-%serial%.txt
echo HDD Size:         %hdd%GB >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo Asset Tag:        ____________________ >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo DoD 5220.22-M sanitization Wipe using KILLDISK - 7 Passes >>l:\DiskWipe-%serial%.txt
echo Date Sanitized:    %TimeStamp% >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo Sanitized and Verified By:  ______________________________ >>l:\DiskWipe-%serial%.txt

REM Creates Local Log file that displays at end of Process on the Screen.
echo Disk Wipe Complete, Please Record Data for Records >>X:\Windows\JobComplete.txt
echo This computer has finished with a DoD 5220.22-M sanitization of the local hard drive. >>X:\Windows\JobComplete.txt
echo Please close this file and turn off the computer. >>X:\Windows\JobComplete.txt
echo. >>X:\Windows\JobComplete.txt
echo Date:             %TimeStamp% >>X:\Windows\JobComplete.txt
echo Serial:           %serial% >>X:\Windows\JobComplete.txt
echo Vendor:           %compvendor% >>X:\Windows\JobComplete.txt
echo Model:            %compname% >>X:\Windows\JobComplete.txt
echo CPU Type \ Speed:      %CPUname% >>X:\Windows\JobComplete.txt
echo Memory:          %Memory%MB >>X:\Windows\JobComplete.txt
echo HDD Size:         %hdd%GB >>X:\Windows\JobComplete.txt

REM End of Script
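The wipe script above produces three pieces of evidence per machine (a block in DiskWipeResults.log, a DiskWipe-<serial>.txt label and a ServiceTag-<serial>.pdf certificate). As an added example, not part of the original post, here is a PowerShell reader for that log format that cross-checks each record against the certificate folder, so machines with a log entry but no certificate (or wiped twice) stand out when someone audits the share. It assumes the paths from the script (L:\DiskWipeResults.log, L:\Certificates) and that the BIOS serial used for the PDF name matches the enclosure serial written to the log, which holds on the Dell hardware the post uses.

```powershell
# Added example, not part of the original post: parses DiskWipeResults.log as written by the
# WipeProcess.bat above and checks that each record has its KillDisk certificate PDF.
# Paths are the script's; the serial-number equivalence (BIOS vs enclosure) is assumed.

function Read-DiskWipeLog {
    param([Parameter(Mandatory)][string]$Path)
    $records = @()
    $current = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^_{10,}\s*$') {
            # The underscore line closes one record
            if ($current.Count -gt 0) { $records += [pscustomobject]$current; $current = @{} }
        } elseif ($line -match '^(?<key>[^:]+?)\s*:\s*(?<val>.*?)\s*$') {
            # "CPU Type \ Speed" -> CPUTypeSpeed, "HDD Size" -> HDDSize
            $name = $Matches.key -replace '[^A-Za-z0-9]', ''
            $current[$name] = $Matches.val
        }
    }
    if ($current.Count -gt 0) { $records += [pscustomobject]$current }   # record without trailing separator
    return $records
}

function Test-WipeEvidence {
    param(
        [string]$LogPath  = 'L:\DiskWipeResults.log',
        [string]$CertPath = 'L:\Certificates'
    )
    $records = @(Read-DiskWipeLog -Path $LogPath)
    # A machine may legitimately be wiped twice; flag it for review rather than hide it.
    $dupes = @($records | Group-Object -Property Serial | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })
    foreach ($r in $records) {
        $cert = Join-Path $CertPath ('ServiceTag-{0}.pdf' -f $r.Serial)
        [pscustomobject]@{
            Serial         = $r.Serial
            Date           = $r.Date
            Model          = "$($r.Vendor) $($r.Model)"
            HddGB          = $r.HDDSize -replace 'GB$', ''
            HasCertificate = Test-Path -Path $cert
            DuplicateWipe  = $dupes -contains $r.Serial
        }
    }
}

# Usage: list every wipe that has no certificate on the share
Test-WipeEvidence | Where-Object { -not $_.HasCertificate } | Format-Table -AutoSize
```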

JobComplete.bat (Very Simple, just calls the JobComplete.txt file)

Echo off
REM Launched JobComplete.txt that was created in the WipeProcess.bat

X:\Windows\JobComplete.txt


Task Sequence: (Boot image is WinPE x64)

  1. Disable Bitlocker if starting from Windows & Reboot to PE
  2. Partition if Necessary (Copied from MDT TS)
  3. Bios Settings – Wipe Bios Password
  4. Wipe Drive (KillDisk)

I’m going to focus on the Wipe Drive section.

  1. Format and Partition Disk
  2. Copy KillDisk to X drive (Virtual PE Drive)
  3. Map Drive L (Used for log files)
  4. Run Kill Disk
  5. The HDD has been wiped clean (Notification on Screen)
    JobComplete.bat –> Launches the JobComplete.txt file created during WipeProcess.bat


In Action

Screenshots: the Task Sequence running, then the warning to remove the bootable Flash Drive (it will securely wipe that too).
Sorry, my VM doesn’t provide the best results for the demo, but it’s much easier to grab the screenshots.  It should give you the overall picture of the Task Sequence.


File Server Share Logs (screenshots):
killdisk.log

The DiskWipe-<serial>.txt label page, to print out and place on the computer

The Active Kill Disk certificates folder

Certificate example


Hope those of you with Active Kill Disk find this useful.

DaRT & VNC Remote during OSD without Integration

During our Windows migration, we did a lot of upgrades remotely, and we wanted the ability to “watch” the progress, besides just watching the server reports.  I decided to look into using DaRT Remote for this.  There were some great blogs out there, and I’ll reference them here.  Much of what I have done has been borrowed from Alex Verboon – http://www.verboon.info/2013/04/integrating-dart-8-0-sp1-remote-connection-into-the-sccm-2012-osd-process/

After finding DaRT was limited to PE, I decided to also use VNC for the later steps in the TS, pulling much of the information from this post by Jeremy: http://syswow.blogspot.com/2012/05/remote-control-during-sccm-osd-without.html

Highly recommend you look at those posts for additional information, as they describe some of the things in more detail.  Several of my steps are borrowed nearly directly from them… just updated slightly.

The way I’m proposing you do it, everything is contained in the package, no changes to the Boot Media or OS, and all the files get deleted automatically at the end of the TS Process.

Left Side = DaRT Remote Monitoring OSD Process (PE) – Right Side = Machine during OSD (VM)

Left Side = VNC Remote Monitoring OSD Process (Windows) – Right Side = Machine during OSD (VM)


Requirements

  • Install Windows ADK – Using Windows 10 (July release – 10.0.26624)
  • Install MDOP DaRT (Example is 2015, DaRT 10, but have done with with DaRT 8.1 in past)
  • Windows 10 Media – I’m using July Release – Have available to mount for creating Dart file.
  • VNC – Assumes you have vncviewer.exe in c:\Program Files\VNC\vncviewer.exe
    • Download the ZIP file with required file here (ultravnc 1210 ALL bin zip 1.2.1.0)
  1. Once ADK & DaRT are installed, you will need to grab the Toolsx86.cab & Toolsx64.cab files located in: C:\Program Files\Microsoft DaRT\v10  – In this example, I’ll be building the x64 version, as we only use x64 boot media, but it should be easy to replicate this process for the x86 version.
  2. On your Source Server, create this Directory Structure: ..\DaRT10OSD\DaRTRemote\Windows\System32
  3. Extract the following files from the CAB File (note that I’m using the x64 version) and copy them to the System32 folder.
    1. FirewallExceptionChange.dll
    2. LockingHooks.dll
    3. mfc100u.dll
    4. MSDartCmn.dll
    5. msvcp100.dll
    6. msvcr100.dll
    7. RdpCore.dll
    8. rdpencom.dll
    9. RemoteRecovery.exe
    10. WaitForConnection.exe
  4. Extract the files from the VNC Download Uvnc_1210_bin.zip\win7\X64
    1. vncviewer.exe will need to be placed on here: c:\Program Files\VNC\vncviewer.exe on your IT machines that you wish to monitor from
    2. winvnc.exe copied to the ..\DaRT10OSD folder
    3. Create a StartVNC.cmd file containing:
      netsh advfirewall set currentprofile state off
      cmd.exe /c start winvnc.exe
    4. Launch winvnc.exe on a test computer; it should prompt to set the settings for the server.  Set your password – I used OSD@dm1n for the VNC password & OSDV13w for ViewOnly – which will be referenced later on in another script.
      Copy the UltraVNC.ini file you just created (same location as the winvnc.exe file) to the ..\DaRT10OSD folder, alongside winvnc.exe.
  5. Download the StartRemoteRecovery.zip created by Alexey Semibratov, but modified by me HERE – Original File by Alexey HERE
    1. StartRemoteRecovery.wsf
    2. ZTIUtility.vbs
      1. StartRemoteRecovery.wsf has a lot of additional lines I’ve added to set the Link Name, and create a Link for VNC as well.
      2. Line 160 = VNC password you created earlier
      3. Line 147 = Path of your DartRemoteViewer, might need to be changed based on the version of DaRT you’re using.
  6. On some networks, not all ports are open, so we will set it to use static port 3388.  This information is stored in a file called DartConfig.dat, which is only generated using the DaRT Recovery Image wizard (PreReq) – so let’s walk through that…
    1. Launch the MS DaRT Recovery Image Wizard – If you get a PowerShell execution policy error, it’s because of your PowerShell group policy; to get around this, open an elevated command prompt and run:
      Reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell /v ExecutionPolicy /f
      More info HERE – Now try again.
    2. Choose 64-bit DaRT Image – I’ve mounted the Windows 10 ISO to the E: drive
    3. You can leave the tools at default
    4. Check the box “Allow…” and let it default to 3388
    5. Advanced Options: leave default
    6. Make sure you check the box for Create WIM (optionally Create ISO, if you wanted this for other reasons), and make sure you check Edit image
    7. Now wait a few minutes while it is generated
    8. Click “Open in Windows Explorer”
    9. Copy DartConfig.dat from Windows\System32 to your folder structure: ..\DaRT10OSD\DaRTRemote\Windows\System32
    10. You should now have all the files you need in your System32 folder.
  7. Now create the DartRemote.cmd file that will launch DaRT Remote in PE, with these contents:
    @echo off

    for /F "skip=2 tokens=2 delims=," %%A in ('wmic systemenclosure get serialnumber /FORMAT:csv') do (set "serial=%%A")
    set serial=%serial:~-15%

    XCOPY DaRTRemote X:\ /y /s
    CSCRIPT X:\Windows\System32\StartRemoteRecovery.wsf /ShortCutShare:<\\servername\share> /UserID:<username> /UserDomain:<domain> /UserPassword:<password>

  8. Now that you have created this file, your root folder (..\DaRT10OSD) should contain the DaRTRemote folder, winvnc.exe, UltraVNC.ini, StartVNC.cmd and DartRemote.cmd.

If you downloaded the ZIP file I created, you will have everything you need already complete, except the files you’d need to copy over from the x64 DaRT cab (license issue).  It includes the winvnc.exe and ini files along with the scripts; just update the scripts for your environment.
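StartVNC.cmd above turns the firewall off for the current profile and leaves it off until the machine reboots. As an added example (not part of the original post or the ZIP), here is a narrower PowerShell alternative: allow inbound traffic only to the winvnc.exe the package copied, and remove the rule again in a clean-up step. It assumes the package content is in the TS working directory and that the NetSecurity cmdlets exist in the deployed OS (Windows 8 / Server 2012 and later); the rule name is an assumption.

```powershell
# Added example, not part of the original post: replaces "netsh advfirewall set currentprofile
# state off" in StartVNC.cmd with a rule scoped to winvnc.exe only, plus matching clean-up.
# Assumes winvnc.exe and UltraVNC.ini sit in the TS working directory (the package root).

$ruleName = 'OSD temporary VNC (winvnc.exe)'   # assumed name, used to find the rule again later

function Start-OsdVnc {
    param([string]$PackageDir = $PWD.Path)
    $exe = Join-Path $PackageDir 'winvnc.exe'
    if (-not (Test-Path -Path $exe)) { throw "winvnc.exe not found in $PackageDir" }
    # Program-scoped rule on every profile: only winvnc.exe may accept connections, so no other
    # listener on the half-built machine is exposed while the TS runs.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -Program $exe -Profile Any -Enabled True | Out-Null
    }
    # winvnc.exe reads UltraVNC.ini from its working directory, as in the post's StartVNC.cmd
    Start-Process -FilePath $exe -WorkingDirectory $PackageDir
}

function Stop-OsdVnc {
    # Last TS step: stop the server and take the rule out so nothing is left listening.
    Get-Process -Name winvnc -ErrorAction SilentlyContinue | Stop-Process -Force
    Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
}

Start-OsdVnc   # run as the "Start VNC" TS step after each reboot; call Stop-OsdVnc at the end
```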

Create your Package (no Program needed).

Let’s add it to the TS.
I’ve added it right before the HTA we use, which launches when someone manually starts imaging on a new PC, or during an in-place upgrade (refresh) right after it reboots to PE.

Then run the VNC step once Windows is up and running in your TS, after drivers are applied, etc.

You will need to add that step again after every reboot of the machine (after applying updates, etc.) if you want the VNC server to launch again.

Once you have this in your TS and you run your image, it will populate the share you created.

Then as long as you have the Dart Tools installed, and the VNCviewer.exe in c:\Program Files\VNC, the links will work. (The shortcuts are auto populated with the passwords required)

Special Thanks to the two guys who blogged about these originally, Alex Verboon & Jeremy

There is a lot to this post, so if I forgot something, leave a comment so I can get it updated.