Integrate DaRT 10 Tools into your Recovery Partition during OSD

 

Requirements:

  1. Windows 10 ADK (Build 10586) – Download HERE
  2. Windows 10 ADK Hotfix to fix an issue in the ADK – Download HERE (we’ll get to this later)
  3. DaRT Recovery Image Installed –> Part of MDOP
  4. Windows 10 Media (Build 10586) Mounted

Setup:

ADK 10
image

DaRT
image

 

Launch the MS DaRT Recovery Image Wizard. If you see this error, it’s because of your PowerShell execution-policy group policy; to get around it, open an elevated command prompt and run:
Reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\Powershell /v ExecutionPolicy /f
– Now try again
http://garytown.com/wp-content/uploads/2016/03/image-11.png

Choose 64-bit Dart Image – I’ve mounted the Windows 10 ISO to the D: drive
image

You can leave the tools to default
image

Check the box “Allow…” and let it default to 3388
image

Advanced Options, add any Storage & NIC drivers you’ll need & any WinPE addons
image image

Create Image: Select Create WIM, set the path to c:\cabs
image

– Note: if you want, at this step you can check the box “Edit image”, and after a short period you’ll get the opportunity to add files.  I did this to add cmtrace and some other tools to the image.

Now wait for a few minutes while it is generated
image

 

 

 

Adding HotFix to boot.wim (Only if you’re using Windows 10 1511 build 10586)

Extract the HotFix to c:\Cabs (I’m using 7zip)
It will create 2 schema files.

image

Also create the folder mount (C:\Cabs\Mount)

Make sure your boot.wim file is saved to C:\Cabs\DaRT10\x64\boot.wim; you’ll then need to run these commands (original documentation here: https://support.microsoft.com/en-us/kb/3143760; the paths below are modified for where I’ve saved the files in my example).
Run them from an elevated “Deployment and Imaging Tools Environment”.
image

  1. dism /mount-wim /wimfile:C:\Cabs\DaRT10\x64\boot.wim /index:1 /mountdir:C:\Cabs\mount
  2. icacls C:\Cabs\mount\Windows\System32\schema.dat /save "%temp%\AclFile"
  3. takeown /F C:\Cabs\mount\Windows\System32\schema.dat /A
  4. icacls C:\Cabs\mount\Windows\System32\schema.dat /grant BUILTIN\Administrators:(F)
  5. xcopy "C:\Cabs\schema-x64.dat" C:\Cabs\mount\Windows\System32\schema.dat /Y
  6. icacls C:\Cabs\mount\Windows\System32\schema.dat /setowner "NT SERVICE\TrustedInstaller"
  7. icacls C:\Cabs\mount\Windows\System32\ /restore "%temp%\AclFile"
  8. dism /unmount-wim /mountdir:C:\Cabs\mount /Commit

As you can see, Before:
image

After:
image
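
The same eight steps as one script, added here as an example (this is not from the original post or from KB3143760): it aborts and discards the mount if any step fails, so a half-patched boot.wim is never committed, and it confirms the schema.dat inside the image matches the hotfix file before saving. Paths default to the post’s C:\Cabs layout; Copy-Item stands in for xcopy; the function and helper names are my own. It needs the DISM PowerShell module from the ADK and an elevated session.

```powershell
# Added example, not part of the original post or of KB3143760. Wraps the manual
# mount / take ownership / replace / restore ACL / commit sequence with checks.
function Update-BootWimSchema {
    param(
        [string]$WimPath   = 'C:\Cabs\DaRT10\x64\boot.wim',   # post's layout
        [string]$MountDir  = 'C:\Cabs\mount',
        [string]$NewSchema = 'C:\Cabs\schema-x64.dat',        # extracted from the hotfix
        [int]$Index        = 1
    )
    foreach ($p in @($WimPath, $NewSchema)) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Missing input file: $p" }
    }
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

    $sys32   = Join-Path $MountDir 'Windows\System32'
    $target  = Join-Path $sys32 'schema.dat'
    $aclFile = Join-Path $env:TEMP 'AclFile'
    $mounted = $false

    # Runs a native tool and turns a non-zero exit code into a terminating error.
    function Invoke-Tool([string]$Exe, [string[]]$Arguments) {
        & $Exe @Arguments | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
    }

    try {
        Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $MountDir | Out-Null   # step 1
        $mounted = $true

        Invoke-Tool icacls.exe  @($target, '/save', $aclFile)                           # step 2: save ACL
        Invoke-Tool takeown.exe @('/F', $target, '/A')                                   # step 3: take ownership
        Invoke-Tool icacls.exe  @($target, '/grant', 'BUILTIN\Administrators:(F)')      # step 4: grant Full
        Copy-Item -LiteralPath $NewSchema -Destination $target -Force                     # step 5: replace file
        Invoke-Tool icacls.exe  @($target, '/setowner', 'NT SERVICE\TrustedInstaller')   # step 6: restore owner
        Invoke-Tool icacls.exe  @($sys32, '/restore', $aclFile)                          # step 7: restore ACL

        # Verify the replacement actually landed before committing anything.
        $want = (Get-FileHash -LiteralPath $NewSchema -Algorithm SHA256).Hash
        $have = (Get-FileHash -LiteralPath $target    -Algorithm SHA256).Hash
        if ($want -ne $have) { throw 'schema.dat inside the image does not match the hotfix file; not committing' }

        Dismount-WindowsImage -Path $MountDir -Save | Out-Null                            # step 8: commit
        $mounted = $false
        "Committed schema.dat (SHA256 $want) into $WimPath"
    }
    catch {
        # Any failure above: throw the mount away rather than commit a partial change.
        if ($mounted) { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
        throw
    }
}

# Usage (defaults match the post's paths):
Update-BootWimSchema
```

The hash comparison is the part worth keeping even if you stay with the manual commands: it is the only step that proves the file in the image is the one you intended, rather than an old copy that a failed xcopy left in place.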

 

Ok, now we have our boot.wim file, it’s time to get it into the OSD process.

In the Standard ConfigMgr MDT Task Sequence, go to the Format and Partition Disk (UEFI)

Change the Windows RE Tools name to WinRE and change the size from 300 to 900
image

Create a Package with your boot.wim file and three batch files: (Download here)

SetDriveLetterLabel.cmd (This will take the Partition Labeled WinRE and assign letter R)
——-

REM ======start batch script=======
@echo off
setlocal ENABLEDELAYEDEXPANSION
:: Full path to diskpart.exe. Defaults are:
:: Windows 2000: "C:\Program Files\Resource Kit\diskpart.exe"
:: 2003/XP: "C:\windows\system32\diskpart.exe"
set dp=c:\windows\system32\diskpart.exe

:: Volume label
set label=WinRE

:: Temporary command file for diskpart.exe
set dps="%TEMP%\dp.txt"

echo list volume>%dps%
echo exit>>%dps%
:: "list volume" shows at most 11 characters of the label
set label_short=%LABEL:~0,11%
:: Start from a clean diskpart script in case an earlier run left one behind
if exist "%TEMP%\assignr.txt" del "%TEMP%\assignr.txt"
if exist %dp% (
for /f "delims=" %%i in ('%dp% /s %dps%') do (
set string=%%i
if not "!string:%label_short%=!"=="!string!" (
set volnum=!string:~9,3!
set volnum=!volnum: =!
)
)
if not "!volnum!"=="" (
echo Volume Label: %label%
echo Volume Number: !volnum!
echo select volume !volnum! >>%TEMP%\assignr.txt
echo assign letter=R >>%TEMP%\assignr.txt
%dp% /s %TEMP%\assignr.txt
) else (
echo Cannot find volume with label %label%
)
) else (
echo Cannot find %dp%&goto :EOF
)
REM =======end batch script========

 

——-

RemoveDriveLetterLabel.cmd (This will remove the drive letters D/E/R.)  I was having some computers add a D or E drive based on other factors, so I added removing those letters to this script too.
———
 

REM ======start batch script=======
@echo off
setlocal ENABLEDELAYEDEXPANSION
:: Full path to diskpart.exe. Defaults are:
:: Windows 2000: "C:\Program Files\Resource Kit\diskpart.exe"
:: 2003/XP: "C:\windows\system32\diskpart.exe"
set dp=c:\windows\system32\diskpart.exe

:: Volume label
set label=WinRE

:: Temporary command file for diskpart.exe
set dps="%TEMP%\dp.txt"

echo list volume>%dps%
echo exit>>%dps%
:: "list volume" shows at most 11 characters of the label
set label_short=%LABEL:~0,11%
:: Start from clean diskpart scripts in case an earlier run left them behind
if exist "%TEMP%\remover.txt" del "%TEMP%\remover.txt"
if exist "%TEMP%\removed.txt" del "%TEMP%\removed.txt"
if exist "%TEMP%\removee.txt" del "%TEMP%\removee.txt"
if exist %dp% (
for /f "delims=" %%i in ('%dp% /s %dps%') do (
set string=%%i
if not "!string:%label_short%=!"=="!string!" (
set volnum=!string:~9,3!
set volnum=!volnum: =!
)
)
if not "!volnum!"=="" (
echo Volume Label: %label%
echo Volume Number: !volnum!
echo select volume !volnum! >>%TEMP%\remover.txt
echo remove letter=r >>%TEMP%\remover.txt

echo select volume !volnum! >>%TEMP%\removed.txt
echo remove letter=d >>%TEMP%\removed.txt

echo select volume !volnum! >>%TEMP%\removee.txt
echo remove letter=e >>%TEMP%\removee.txt

%dp% /s %TEMP%\remover.txt
%dp% /s %TEMP%\removed.txt
%dp% /s %TEMP%\removee.txt
) else (
echo Cannot find volume with label %label%
)
) else (
echo Cannot find %dp%&goto :EOF
)
REM =======end batch script========

——-

 

InstallDartUEFI.cmd (This replaces the old Windows Recovery WIM: it creates the new folder structure, copies the boot.wim into place and registers it as the recovery WIM.  It calls the script above to remove the drive letter when it’s done.)
——–

REM SetDriveLetterLabel.cmd – Now doing in Previous Step, sets WinRE partition to Letter R

REM Make Directory where DaRT Recovery WIM will be placed
mkdir R:\Recovery\WinRE

REM Copy DaRT Recovery WIM into Recovery Partition
copy boot.wim R:\Recovery\WinRE\winre.wim

REM Set Windows to use the new DaRT Recovery WIM
C:\Windows\System32\ReAgentc.exe /disable
C:\Windows\System32\ReAgentc.exe /setreimage /path R:\Recovery\WinRE /target C:\Windows
C:\Windows\System32\ReAgentc.exe /enable

REM Remove the Drive Letter for the Recovery Partition – Removes Letter R and D/E if exist.
RemoveDriveLetterLabel.cmd

——-

Package Contents:
image

 

In the TS:
In the State Restore Group, add two Steps

  1. Install WinRE – Dart10 – UEFI – Step1 (cmd /c SetDriveLetterLabel.cmd)
    image
  2. Install WinRE – Dart10 – UEFI – Step2 (cmd /c InstallDartUEFI.cmd)
    image
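
Before walking through the recovery menu by hand, it is worth having a check that can run on every deployed machine. The script below is an added example, not part of the original post: it reads `reagentc /info` to confirm WinRE is enabled and pointed at the Recovery\WinRE path from InstallDartUEFI.cmd, finds the recovery partition and confirms SetDriveLetterLabel.cmd’s letter R was removed again, and reports the BitLocker state of the OS volume. That last item matters because DaRT ships LockSmith and file restore; the BitLocker recovery-key prompt described below is what keeps those tools from being usable by whoever has the laptop. The GPT type GUID is the standard Windows recovery partition type; the function name is my own.

```powershell
# Added example, not part of the original post: post-OSD validation of the DaRT/WinRE
# deployment. Run elevated on the deployed machine.
function Test-WinReDeployment {
    param([string]$OsDrive = 'C')

    $result = [ordered]@{
        ReAgentEnabled     = $false
        ReAgentLocation    = $null
        LocationIsDaRTPath = $false     # true when the WIM lives under ...\Recovery\WinRE as in the post
        RecoveryPartition  = $null
        PartitionHasLetter = $null      # should be False once RemoveDriveLetterLabel.cmd has run
        OsBitLocker        = 'Unknown'
    }

    # reagentc /info is the authoritative view of which WIM WinRE will boot.
    $info = & "$env:SystemRoot\System32\ReAgentc.exe" /info 2>&1
    foreach ($line in $info) {
        if ($line -match '^\s*Windows RE status:\s+(\S+)')       { $result.ReAgentEnabled  = ($Matches[1] -eq 'Enabled') }
        if ($line -match '^\s*Windows RE location:\s+(.+?)\s*$') { $result.ReAgentLocation = $Matches[1] }
    }
    $result.LocationIsDaRTPath = [bool]($result.ReAgentLocation -and $result.ReAgentLocation -match '\\Recovery\\WinRE$')

    # Standard GPT type for a Windows recovery partition. Size should match the TS (900 MB here).
    $part = Get-Partition -ErrorAction SilentlyContinue |
        Where-Object { $_.GptType -eq '{de94bba4-06d1-4d40-a16d-08e7fa4a9e6b}' } |
        Select-Object -First 1
    if ($part) {
        $result.RecoveryPartition  = "Disk $($part.DiskNumber) Partition $($part.PartitionNumber), $([math]::Round($part.Size / 1MB)) MB"
        # DriveLetter is a NUL char when none is assigned, so test for a real letter.
        $result.PartitionHasLetter = ([string]$part.DriveLetter -match '^[A-Za-z]$')
    }

    # WinRE only demands the recovery key when the OS volume is actually protected.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint "${OsDrive}:" -ErrorAction SilentlyContinue
        if ($vol) { $result.OsBitLocker = "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)" }
    }
    [pscustomobject]$result
}

# Usage: anything False (or protection Off) here is a deployment defect worth chasing.
$check = Test-WinReDeployment
$check | Format-List
$ok = $check.ReAgentEnabled -and $check.LocationIsDaRTPath -and
      ($check.PartitionHasLetter -eq $false) -and ($check.OsBitLocker -match 'protection On')
"WinRE/DaRT deployment check: $(if ($ok) { 'PASS' } else { 'REVIEW' })"
```

A machine that reports WinRE enabled on the DaRT path but BitLocker protection Off is the case to treat as a finding: the recovery tools are present and nothing gates them.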

After OSD, you can go into your recovery options and choose Advanced Startup.  Once at the option screen, pick Troubleshoot –> Advanced –> Command Prompt
image image image

It will now reboot into the Windows Recovery Partition.
You’ll see a prompt, “Would you like to initialize network connectivity..”; click Yes.

It will now prompt you for your BitLocker key, if BitLocker is enabled.  Enter it and click Continue.
The Command Prompt will open; just go ahead and close it.

You will now see options; choose Troubleshoot, and Microsoft Diagnostics and Recovery Toolset will be one of them.

Now that you’ve launched DaRT, you’ll have several options available to you, including Remote Connection, which is what I’m using to connect in to grab the screen capture.
image

 

Several handy tools are built in, like LockSmith, to recover Admin passwords.  This is handy if you have LAPS implemented and the machine is deleted from the domain, so you no longer have access to the Admin password.
image

File Restore in action:
image

 

And if you like, you can even add a web browser to your image, because hey, why not!  Pale Moon 64-bit seems to work alright.  Just extract the program to a folder and copy that folder into your image.  Then use Explorer to browse to it.

image

So there you have it, integrating DaRT 10 into your Windows 10 10586 deployments.

I’ve tested this on Dell Latitude E6540, Precision 7510 & MS Surface Pro.  I’ve done this in the Past with DaRT 8 on an entire range of Dell devices without any issues.  But I’ve only started to implement this with DaRT10.

Enable Credential Guard in Windows 10 during OSD w/ ConfigMgr

I set this up a couple of weeks ago and have been meaning to write something up.  Then before I could, Peter over at syscenramblings posted a nice how-to HERE.

I’m going to post mine anyway, even if it’s not as fancy.  I’ve been going with the “KISS principle (keep it stupid simple)” model for OSD, and it’s been working well for me.  So while sure, you can do it in one step, I’m going to show you how to do it in several additional steps, but no packages are required.

All information used to create these steps was based on this article: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard
I did find what appears to be a discrepancy in their documentation; I make more notes at the bottom.

My Example is done on a New Dell Laptop
UEFI & SecureBoot Enabled in Bios.
My Credential Guard Setup is:

  1. Require Secure Boot and DMA Protection
  2. Credential Guard Enabled

I’ve got two sections in my TS setup for this, one Group that installs the Windows Components, and another that sets the registry keys.

  1. Group “Enable HyperV & Isolated User Mode UEFI” – This is done nearly right after applying the image.  My image gets loaded to drive C; you’ll want to make sure you adjust accordingly.  This is still while in PE, even before loading the drivers.
    1. Enable HyperV Role – Step 1
      cmd /c Dism.exe /image:c: /Enable-Feature /FeatureName:Microsoft-Hyper-V /All
    2. Enable HyperV Role – Step 2 (This is optional; I like to add the client tools, as many of my users use local virtual machines)
      cmd /c Dism.exe /image:c: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Management-Clients /All
    3. Enable Isolated User Mode – Step 3
      cmd /c Dism.exe /image:c: /Enable-Feature /FeatureName:IsolatedUserMode
  2. Group “Turn on Credential Guard” – Much later in the TS, typically after I’ve already installed apps, etc.
    1. Tweak – Enable virtualization-based security Key 1
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V EnableVirtualizationBasedSecurity /T REG_DWORD /D 1 /F
    2. Tweak – Enable virtualization-based security Key 2 *Differs from TechNet documentation, see notes below.
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V RequirePlatformSecurityFeatures /T REG_DWORD /D 3 /F
    3. Tweak – Enable virtualization-based security Key 3
      REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" /V LsaCfgFlags /T REG_DWORD /D 1 /F

Just make sure you get a reboot in there.  I had a few reboots in my TS between the first group and after the last group for other processes, so since I already had reboots for those steps, I didn’t need to add any more.  I would suggest doing what Peter illustrates in his post to add a reboot outside of the Task Sequence; I’ve been doing this for a couple of years to resolve other issues, at the advice of Johan during one of his sessions.  Peter’s blog shows a nice illustration of how to set that up.
After first logon, I double-check msinfo32 to confirm that Credential Guard is indeed running with the settings I wanted.

One thing I’ve noticed that seems to be a discrepancy in the TechNet article:
image

When I set RequirePlatformSecurityFeatures to 2, it does not list Secure Boot:
image

However, if I set that key to 3, it then reports:
image

While I honestly don’t know if this makes a difference, I’d really like it to show up in msinfo32 correctly.  If you set the setting via Group Policy and NOT OSD, it does show correctly, and it will set the Registry to value 3.  So that’s what I’m going with.

PS.. I also have it set up in Group Policy using the settings outlined in that article for the machines that were imaged before I implemented this.  After imaging, once Group Policy applies, it does “fix” the registry keys you set during OSD, and it will show up in msinfo32 correctly.  I’d just like to get it right out of the gate instead of having to wait for Group Policy to kick in and reboot the machine.

Group Policy will also add the registry key HypervisorEnforcedCodeIntegrity, which I’m not setting at all during OSD.
Here are the settings from machine setup via Group Policy post OSD
image

Here are is one that is setup through OSD before Group Policy updates it:
image
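
The msinfo32 check and the registry comparison above can be done from one script, which also makes the difference between “configured” and “running” explicit. The code below is an added example, not part of the original post: it reads the Win32_DeviceGuard WMI class (the same source msinfo32 uses) and the three registry values set in the task sequence plus the HypervisorEnforcedCodeIntegrity value Group Policy adds, and decodes the numeric codes using the documented meanings of that class. For reference, Microsoft’s current Credential Guard documentation describes RequirePlatformSecurityFeatures as 1 for Secure Boot only and 3 for Secure Boot with DMA protection, which is consistent with the value 3 the post settles on. The function name is my own.

```powershell
# Added example, not part of the original post: decode Credential Guard / VBS state
# from Win32_DeviceGuard and compare it with the registry values set during OSD.
function Get-CredentialGuardState {
    # Documented code tables for the Win32_DeviceGuard class.
    $props = @{
        0 = 'None'; 1 = 'Base virtualization support'; 2 = 'Secure Boot'
        3 = 'DMA protection'; 4 = 'Secure Memory Overwrite'; 5 = 'NX protections'
        6 = 'SMM mitigations'; 7 = 'Mode Based Execution Control'
    }
    $services  = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI' }
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Turns an array of integer codes into readable names; unknown codes stay numeric.
    $decode = {
        param($codes, $table)
        $names = @($codes | ForEach-Object { if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "Unknown($_)" } })
        if ($names.Count -eq 0) { 'None' } else { $names -join ', ' }
    }

    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'         -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus                             = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        RequiredSecurityProperties            = & $decode $dg.RequiredSecurityProperties  $props
        AvailableSecurityProperties           = & $decode $dg.AvailableSecurityProperties $props
        SecurityServicesConfigured            = & $decode $dg.SecurityServicesConfigured  $services
        SecurityServicesRunning               = & $decode $dg.SecurityServicesRunning     $services
        Reg_EnableVirtualizationBasedSecurity = $reg.EnableVirtualizationBasedSecurity
        Reg_RequirePlatformSecurityFeatures   = $reg.RequirePlatformSecurityFeatures
        Reg_HypervisorEnforcedCodeIntegrity   = $reg.HypervisorEnforcedCodeIntegrity   # set by GPO, not by the TS
        Reg_LsaCfgFlags                       = $lsa.LsaCfgFlags
    }
}

# Usage: "configured" without "running" usually means the reboot has not happened yet,
# or the platform lacks a required feature (compare Required against Available).
$state = Get-CredentialGuardState
$state | Format-List
if ($state.SecurityServicesConfigured -match 'Credential Guard' -and
    $state.SecurityServicesRunning   -notmatch 'Credential Guard') {
    Write-Warning 'Credential Guard is configured but not running on this machine.'
}
```

RequiredSecurityProperties is the field to watch for the discrepancy discussed above: with the registry at 3 it should list both Secure Boot and DMA protection, and AvailableSecurityProperties tells you whether the hardware can actually satisfy them.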

I hope you find this useful.

For the Machines that I had already deployed, I used Group Policy to enable the Settings, and pushed out a “Application” to finish the setup.
image

image
image

image
I changed Return Code 0 to “Hard Reboot” so that when it’s done it requests a reboot, which lets the feature installs finish.  The Detection Method will also fail until after the reboot, as it is looking for the feature IsolatedUserMode to be enabled in the registry.

Batch File: You don’t need the registry info in there, but in case you want to set this up without Group Policy, just add the keys.  I had it set that way so I could test before using Group Policy.
———

dism /online /Enable-Feature /FeatureName:IsolatedUserMode /LogPath:C:\CABS\InstalLLogs\IsolatedUserMode.log /NoRestart

REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V EnableVirtualizationBasedSecurity /T REG_DWORD /D 1 /F
REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard" /V RequirePlatformSecurityFeatures /T REG_DWORD /D 3 /F
REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA" /V LsaCfgFlags /T REG_DWORD /D 1 /F

—————

image

I only had to enable the feature IsolatedUserMode because I have HyperV enabled on all of my Windows 10 machines by default in OSD.  If you didn’t do this, you can modify that line to look like:

dism /online /Enable-Feature /FeatureName:IsolatedUserMode /FeatureName:Microsoft-Hyper-V /All /LogPath:C:\CABS\InstalLLogs\IsolatedUserMode.log /NoRestart

Hope this was useful.  Feel free to leave a comment.

OneDrive Disable / Hide in Windows 10

OneDrive, if you’re not using it, it’s just another annoying thing in Windows 10.  If you’re able to use it, awesome.  But for those environments that want it gone, here is how I’ve removed it from our environment.  I’m using several methods to attack this thing to drive it into submission.

 

  1. OSD Steps
  2. Group Policy
  3. AppLocker

So, Let me break this down:

  1. OSD (3 Steps) – Scripts available Here
    1. Tweak – Remove OneDrive ShellFolder (Command Line Step)
      REG ADD "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder" /V Attributes /T REG_DWORD /D 4035969101 /F
    2. Tweak – Delete OneDriveSetup registry Key (Command Line Step)
      OneDriveRemove\DeleteOneDriveSetup-DefaultUser-RegisteryRun.cmd
      Batch File Contents: (loads the Default user profile hive, deletes the Run registry value for OneDrive, unloads the hive)
      reg.exe load HKEY_LOCAL_MACHINE\defuser c:\users\default\ntuser.dat
      reg.exe delete HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDriveSetup /f
      reg.exe unload HKEY_LOCAL_MACHINE\defuser
    3. Tweak – Remove OneDrive App (Command Line Step)
      %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall

  2. Group Policy (Make sure you have the latest 1511 ADMX files)
    1. Machine Policy \ Administrative Templates\Windows Components\OneDrive
      Prevent the usage of OneDrive for file storage = Enabled
      image

  3. AppLocker (Add to your already implemented AppLocker configuration, not covering that here)
    1. Deny ONEDRIVESETUP.EXE, in WINDOWS LIVE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
      1. Create New EXE Rule, Choose Deny
        image 
      2. Choose Publisher:
        image
      3. Browse to c:\Windows\SysWOW64 and choose OneDriveSetup.exe
        image 
      4. Change the Slider to File Name, so it will block any version of that file.
        image
      5. Leave the Exceptions default (Blank)
        image
      6. Add Description if you like
        image
      7. Click Create
        image

After implementing these 3 processes, OneDrive is no longer showing up in our environment.
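
A way to confirm that all three controls landed on a given machine, added here as an example (not part of the original post): it reads the CLSID attribute the OSD step sets, the policy value behind “Prevent the usage of OneDrive for file storage” (the OneDrive ADMX writes DisableFileSyncNGSC=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive), whether OneDriveSetup.exe is still present, and whether the effective AppLocker policy contains a Deny EXE rule naming OneDriveSetup. The default-profile Run value is not re-checked here because that needs the hive loaded; the OSD step above handles it. The function name is my own.

```powershell
# Added example, not part of the original post: report the state of the three
# OneDrive controls (OSD registry tweak, Group Policy, AppLocker) on this machine.
function Test-OneDriveRemoval {
    # 1. ShellFolder attribute written by the OSD step (4035969101 = 0xF090004D).
    $clsid   = 'Registry::HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder'
    $attrRaw = (Get-ItemProperty -Path $clsid -Name Attributes -ErrorAction SilentlyContinue).Attributes
    # REG_DWORD comes back as a signed Int32, so this value reads as a negative number;
    # mask it back to unsigned before comparing.
    $attr = if ($null -ne $attrRaw) { [uint32]($attrRaw -band 4294967295) } else { $null }

    # 2. Group Policy: "Prevent the usage of OneDrive for file storage".
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive' -Name DisableFileSyncNGSC -ErrorAction SilentlyContinue

    # Setup stub lives in SysWOW64 on x64 (the post's step 3); check both locations.
    $setupPaths   = @("$env:SystemRoot\SysWOW64\OneDriveSetup.exe", "$env:SystemRoot\System32\OneDriveSetup.exe")
    $setupPresent = @($setupPaths | Where-Object { Test-Path -LiteralPath $_ })
    # Per-user copy the stub drops into the profile if it ever ran for this user.
    $userInstalled = Test-Path -LiteralPath "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe"

    # 3. AppLocker: any effective Deny rule in the Exe collection that names OneDriveSetup.
    $appLockerDeny = $false
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $xml      = [xml](Get-AppLockerPolicy -Effective -Xml)
        $exeRules = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
        foreach ($rule in @($exeRules.FilePublisherRule) + @($exeRules.FilePathRule)) {
            if ($rule -and $rule.Action -eq 'Deny' -and $rule.OuterXml -match 'ONEDRIVESETUP') { $appLockerDeny = $true }
        }
    }

    [pscustomobject]@{
        ShellFolderHidden  = ($attr -eq 4035969101)
        PolicyDisableSync  = ($policy.DisableFileSyncNGSC -eq 1)
        SetupBinaryPresent = ($setupPresent.Count -gt 0)
        UserCopyInstalled  = $userInstalled
        AppLockerDenyRule  = $appLockerDeny
    }
}

# Usage: a fully remediated machine shows True / True / False / False / True.
Test-OneDriveRemoval | Format-List
```

SetupBinaryPresent is expected to stay True on many builds even after the uninstall step, which is exactly why the AppLocker deny rule is the control that matters for the stub being re-launched.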

Pin Items to TaskBar during OSD in Windows 10 (1511)

image

This one took me a little while.  The hard one was Internet Explorer, which I had to do completely differently than the others.

In this post I’ll give two ways to do it.  The first way worked for all of them but Internet Explorer, and I was able to do it natively without any 3rd-party tools.  The second way uses a free utility a community member wrote, which I was able to use to pin Internet Explorer.  Note, I was unable to remove Edge from the taskbar; still haven’t figured that one out yet.
The Scripts used are located HERE in the subfolder TaskBarPins

Method 1 – Registry Edit & File Copy – Using this to Pin the Office Icons

  1. Create your Folder for the Source Files on your ConfigMgr Source Share
  2. Pin all of the Items you want
  3. Copy the contents from %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar to a Subfolder in your Source called TaskBar
    image
    image
  4. Export this KEY from the registry to your Source Folder: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
    image
  5. Edit your exported Registry File, replace HKEY_Current_User with HKEY_LOCAL_MACHINE\defuser, so the string looks like:
    [HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband]
    image
  6. Create a Batch file that contains these lines: (This will load the default profile hive so you can import your exported keys into the default user profile registry, and copy the shortcuts into the default user TaskBar location)
    reg.exe load HKEY_LOCAL_MACHINE\defuser c:\users\default\ntuser.dat
    reg.exe import "TaskBarPins\TaskBarPinItems-OfficeOWXP.reg"
    reg.exe unload HKEY_LOCAL_MACHINE\defuser

    xcopy TaskBarPins\TaskBar\*.lnk "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"  /Q /Y /I
    image

  7. Add Command Line Step in TS – cmd.exe /c TaskBarPins\TaskBarPinItems.cmd, referencing the Windows10 OSD Package
    image
    My Windows 10 OSD Package.  It contains all of the tweaks in one package, which is why in the command line I have to reference the folder name, then the script.
    image
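
The reg load / edit / reg unload pattern appears three times on this page: the OneDrive default-user step, Method 1 above and Method 2 below. The fragile part is the unload. `reg.exe unload` fails with “Access is denied” while any handle into the loaded hive is still open, and a failed unload leaves Default\ntuser.dat locked, which breaks profile creation for every new user until a reboot. The helper below is an added example, not part of the original post: it loads the hive, runs whatever edits you pass in, releases PowerShell’s own registry handles and retries the unload. The two usages reproduce Method 1 and the OneDrive step; the .reg file name and folder layout are the post’s, and $PackageRoot is assumed to be the package directory the task sequence runs from.

```powershell
# Added example, not part of the original post: safe wrapper around editing the
# Default user's ntuser.dat, with a retried unload so the hive is never left mounted.
function Invoke-WithDefaultUserHive {
    param(
        [Parameter(Mandatory)][scriptblock]$Script,
        [string]$HiveKey = 'HKLM\defuser',                               # same key name the post uses
        [string]$NtUser  = "$env:SystemDrive\Users\Default\ntuser.dat"
    )
    if (-not (Test-Path -LiteralPath $NtUser)) { throw "Default profile hive not found: $NtUser" }

    & reg.exe load $HiveKey $NtUser | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE); is the hive already loaded?" }
    try {
        & $Script
    }
    finally {
        # Release provider handles PowerShell may still hold on HKLM:\defuser, then retry.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        $unloaded = $false
        for ($i = 0; $i -lt 5 -and -not $unloaded; $i++) {
            & reg.exe unload $HiveKey | Out-Null
            if ($LASTEXITCODE -eq 0) { $unloaded = $true } else { Start-Sleep -Seconds 1 }
        }
        if (-not $unloaded) { Write-Error "Could not unload $HiveKey; Default\ntuser.dat is still locked." }
    }
}

# Package directory: the script's folder when run from the TS, the current folder otherwise.
$PackageRoot = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }

# Method 1 from this post: import the exported Taskband key, then drop the pinned .lnk files
# into the Default profile's pinned-taskbar folder.
Invoke-WithDefaultUserHive -Script {
    & reg.exe import (Join-Path $PackageRoot 'TaskBarPins\TaskBarPinItems-OfficeOWXP.reg') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed ($LASTEXITCODE)" }
}
$pinDir = "$env:SystemDrive\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
New-Item -ItemType Directory -Path $pinDir -Force | Out-Null
Copy-Item -Path (Join-Path $PackageRoot 'TaskBarPins\TaskBar\*.lnk') -Destination $pinDir -Force

# OneDrive step from the earlier post: remove the per-user OneDriveSetup autorun.
Invoke-WithDefaultUserHive -Script {
    Remove-ItemProperty -Path 'HKLM:\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name OneDriveSetup -ErrorAction SilentlyContinue
}
```

If you keep the plain reg.exe batch files from the post, at least add a `reg.exe query HKLM\defuser` after the unload in your TS logging; a hit there tells you the hive is still mounted before the first user ever logs on.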

Method 2 – Using PinTo10.exe tool provided by community member – This was the only way I’ve been successful in getting IE to Pin to TaskBar.  Information was found here on Connect.Microsoft.Com – You can get the Utility referenced in that thread HERE – It will also be in the Download I provide with all of the Scripts HERE

  1. Create your Folder for the Source Files on your ConfigMgr Source Share (I’m using the same folder as the one created for Method 1); mine looks like:
    image
  2. Create a batch file with these contents called PinTo10-Setup.cmd (sorry for the word wrap):
    reg.exe load HKEY_LOCAL_MACHINE\defuser c:\users\default\ntuser.dat
    reg.exe ADD HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v PinIE /T REG_SZ /D "c:\cabs\PinTo10IE.cmd" /F
    reg.exe unload HKEY_LOCAL_MACHINE\defuser

    xcopy "TaskBarPins\TaskBar\Internet Explorer.lnk" "c:\programdata\Microsoft\Windows\Start Menu\Programs\Accessories"  /Q /Y /I
    xcopy "TaskBarPins\PinTo10IE.cmd" "c:\cabs" /Q /Y /I
    xcopy "TaskBarPins\PinTo10.exe" "c:\cabs" /Q /Y /I
    image
  3. Create a batch file with these contents called PinTo10IE.cmd:
    @echo off
    ECHO Pinning Internet Explorer to TaskBar
    c:\Cabs\PinTo10.exe /PTFOL01:"c:\programdata\Microsoft\Windows\Start Menu\Programs\Accessories" /PTFILE01:"Internet Explorer.lnk"
    image
  4. Save those 2 batch files & the PinTo10.exe you downloaded to your Source Folder; it should look similar to my example in Method 2 – Step 1
  5. In the TS, add a command line step: cmd /c TaskBarPins\PinTo10-Setup.cmd, referencing the Windows10 OSD Package
    image

Basically what’s happening: the setup script adds a RunOnce registry value that will trigger the PinTo10IE.cmd script on a user’s first logon.  It then copies the shortcut it will pin to the Taskbar into the ProgramData folder, and the PinTo10.exe utility & PinTo10IE.cmd files to c:\Cabs.  At first logon, you’ll see a command box pop up while it’s doing the pin.  Then you’ll see Internet Explorer show up in the TaskBar.

image

image

image

 

If you like, you can modify the PinTo10IE.cmd file to include all of the items you wish to pin and do all of them in one step.  I already had the Office icons set up, so I didn’t bother changing everything over.

Wipe Drive with Active Kill Disk Task Sequence w/ Logs

For those of you who have Active Kill Disk, and want to automate it with ConfigMgr, this is how I’ve done it.  This is very similar to the sdelete TS I made, however sdelete was not approved by our security team, so I had to reinvent with Active Kill disk. Active Kill Disk did offer some additional functionality, so I’ve redone this post with Active Kill Disk for those of you who might want to try this.

  • First, install Active Kill Disk and Register it on a Test Computer
  • On your Source Server, create a Folder where you will keep the Package Contents
  • Copy the Files from your test machine to your Package Folder
    • C:\Program Files\LSoft Technologies\Active@ KillDisk Suite X.X (Use 9.2 and above to support x64 Boot Media)
    • Skip the KillDiskBootDisk.iso file
      image
  • Next we’ll use a Batch File that will run the process and log the results to the server.
  • Download Scripts here (Contents shown below), and add it to your Package Source
  • Create a Package in ConfigMgr, (no program), and distribute the contents.  You’ll then point your TS at this package to grab the files needed.

@echo off

REM Script to Wipe Computer using Active KillDisk to meet State Requirements
REM Creates Logs on Network Drive (L:) Which you map in a task sequence step before the Script.
REM FingerPrints Computer with Wipe Results.
REM Created 08.01.2014 by Gary Blok

REM Create FlashDrive Removal Warning:
echo Remove Flash Drive From Machine if Present and Close this Box >>X:\Windows\FlashWarning.txt
echo Will Automatically Continue in 30 seconds >>X:\Windows\FlashWarning.txt
echo Flash Drive WILL BE ERASED if NOT Removed >>X:\Windows\FlashWarning.txt
start X:\Windows\FlashWarning.txt

REM Poor Mans way to pause the script for a short period allowing users to remove the flash Drive.
ping 10.1.1.1

REM – MAP NETWORK DRIVE FOR LOGS (Done in TS Step)
REM net use l: \\server.fqdn\DiskWipeResults /user:domain\useraccount PASSWORD REMOVED (in TS NOW)

REM – RUN KILLDISK PROCESS
REM Options = -ea (Erase all Disk)
REM Options = -em=3 (US DoD 5220.22-M ECE (7 passes, verify)
REM Options = -bm (BatchMode = no user interaction)
REM Options = -fp (Finger Print = When computer boots, displays when it was wiped)
REM Options = -logpath & -certpath (Path where it will save the files)

%WinDir%\killdisk.exe -ea -em=3 -bm -fp -logpath=l:\ -certpath=x:\

 

REM – SET VARIABLE FOR TAG – Rename PDF File and Copy to Folder on Server (L:\Certificates)
REM http://killdisk.com/killdisk-faq.htm#serial
for /f "skip=2 tokens=2 delims=," %%i in ('wmic bios get serialnumber /FORMAT:csv') do (set "servicetag=%%i")
ren x:\*.pdf ServiceTag-%servicetag%.pdf
copy x:\*.pdf l:\Certificates\ /Y

REM – Append the ServiceTag number to the KILLDISK.LOG file (including date/time stamp) on Server (L:\KILLDISK.log)
echo %date:~4,10% %time:~0,10% ServiceTag#: %servicetag% >> l:\KILLDISK.LOG
echo -----------------------------------END OF WIPE PROCESS FOR %servicetag%------------------------------------------- >> l:\KILLDISK.LOG
echo .>> l:\KILLDISK.LOG
echo .>> l:\KILLDISK.LOG
echo .>> l:\KILLDISK.LOG
echo -----------------------------------NEXT WIPE PROCESS STARTS HERE-------------------------------------------------- >> l:\KILLDISK.LOG

REM – SET VARIABLES FOR REPORTING
for /F "skip=2 tokens=2 delims=," %%A in ('wmic systemenclosure get serialnumber /FORMAT:csv') do (set "serial=%%A")
set serial=%serial:~-15%
for /F "skip=2 tokens=2 delims=," %%A in ('wmic csproduct get vendor /FORMAT:csv') do (set "compvendor=%%A")
for /F "skip=2 tokens=2 delims=," %%A in ('wmic csproduct get name /FORMAT:csv') do (set "compname=%%A")
for /F "skip=2 tokens=2 delims=," %%A in ('wmic CPU get name /FORMAT:csv') do (set "CPUname=%%A")
for /F "skip=2 tokens=2 delims=," %%A in ('wmic computersystem get totalphysicalmemory /FORMAT:csv') do (set "memory=%%A")
REM set /a only handles 32-bit values, so use the same trick as the disk size below:
REM drop the last digits (and the trailing carriage return wmic leaves) before converting to MB (1048576/1000 ~ 1049)
set memory=%memory:~0,-4%
set /a memory = memory / 1049
for /F "skip=2 tokens=2 delims=," %%A in ('wmic diskdrive get size /FORMAT:csv') do (set "hddsize=%%A")
set hdd=%hddsize:~0,-4%
set /a hdd=hdd/1048576
set TimeStamp=%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%

 

REM Creates Network Log File (L:\DiskWipeResults.log) and appends information
echo. >>l:\DiskWipeResults.log
echo Date:             %TimeStamp% >>l:\DiskWipeResults.log
echo Serial:           %serial% >>l:\DiskWipeResults.log
echo Vendor:           %compvendor% >>l:\DiskWipeResults.log
echo Model:            %compname% >>l:\DiskWipeResults.log
echo CPU Type \ Speed:      %CPUname% >>l:\DiskWipeResults.log
echo Memory:          %Memory%MB >>l:\DiskWipeResults.log
echo HDD Size:         %hdd%GB >>l:\DiskWipeResults.log
echo ____________________________________________________________ >>l:\DiskWipeResults.log

 

REM Creates Network Label for Machine – (L:\DiskWipe-SerialTag.txt) – Print & Fillout and Tape to Physical Machine
echo Vendor:           %compvendor% >>l:\DiskWipe-%serial%.txt
echo Model:            %compname% >>l:\DiskWipe-%serial%.txt
echo Serial:           %serial% >>l:\DiskWipe-%serial%.txt
echo CPU Type \ Speed:      %CPUname% >>l:\DiskWipe-%serial%.txt
echo Memory:          %Memory%MB >>l:\DiskWipe-%serial%.txt
echo HDD Size:         %hdd%GB >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo Asset Tag:        ____________________ >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo DoD 5220.22-M sanitization Wipe using KILLDISK – 7 Passes >>l:\DiskWipe-%serial%.txt
echo Date Sanitized:    %TimeStamp% >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo. >>l:\DiskWipe-%serial%.txt
echo Sanitized and Verified By:  ______________________________ >>l:\DiskWipe-%serial%.txt

 

REM Creates Local Log file that displays at end of Process on the Screen.
echo Disk Wipe Complete, Please Record Data for Records >>X:\Windows\JobComplete.txt
echo This computer has finished with a DoD 5220.22-M sanitization of the local hard drive. >>X:\Windows\JobComplete.txt
echo Please close this file and turn off the computer. >>X:\Windows\JobComplete.txt
echo. >>X:\Windows\JobComplete.txt
echo Date:             %TimeStamp% >>X:\Windows\JobComplete.txt
echo Serial:           %serial% >>X:\Windows\JobComplete.txt
echo Vendor:           %compvendor% >>X:\Windows\JobComplete.txt
echo Model:            %compname% >>X:\Windows\JobComplete.txt
echo CPU Type \ Speed:      %CPUname% >>X:\Windows\JobComplete.txt
echo Memory:          %Memory%MB >>X:\Windows\JobComplete.txt
echo HDD Size:         %hdd%GB >>X:\Windows\JobComplete.txt

REM End of Script

JobComplete.bat (Very Simple, just calls the JobComplete.txt file)

@echo off
REM Launched JobComplete.txt that was created in the WipeProcess.bat

X:\Windows\JobComplete.txt
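
The wipe script leaves three kinds of evidence on the L: share: the per-machine block in DiskWipeResults.log, the “END OF WIPE PROCESS FOR <serial>” marker in KILLDISK.LOG, and the renamed ServiceTag-<serial>.pdf certificate. When an auditor asks whether a given device was sanitized, those three should agree. The script below is an added example, not part of the original post: it parses the DiskWipeResults.log blocks in the format the batch file writes and reports, per serial, whether the KILLDISK.LOG marker and the certificate exist. The sample log text is constructed to match that format. It assumes the BIOS serial (used for the PDF and KILLDISK.LOG) and the system-enclosure serial (used for DiskWipeResults.log) are the same value; if they differ in your fleet, key the lookup off the BIOS serial instead. Function names are my own.

```powershell
# Added example, not part of the original post: reconcile wipe evidence on the log share.

# Parse DiskWipeResults.log into one object per "Date: ... ____" block.
function Get-WipeResultEntries {
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries = @(); $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^Date:\s+(\S+)')        { $cur = [ordered]@{ Date = $Matches[1] }; continue }
        if ($null -eq $cur) { continue }
        if ($line -match '^Serial:\s+(\S+)')      { $cur.Serial = $Matches[1]; continue }
        if ($line -match '^Model:\s+(.+?)\s*$')   { $cur.Model  = $Matches[1]; continue }
        if ($line -match '^_{10,}')               { $entries += [pscustomobject]$cur; $cur = $null }
    }
    $entries
}

# For each wiped machine, confirm the KILLDISK.LOG end marker and the certificate PDF exist.
function Test-WipeEvidence {
    param(
        [Parameter(Mandatory)][string[]]$ResultLines,
        [Parameter(Mandatory)][string[]]$KillDiskLogLines,
        [Parameter(Mandatory)][string[]]$CertificateNames
    )
    foreach ($e in Get-WipeResultEntries -Lines $ResultLines) {
        $marker = $KillDiskLogLines -match "END OF WIPE PROCESS FOR $([regex]::Escape($e.Serial))"
        [pscustomobject]@{
            Serial        = $e.Serial
            Date          = $e.Date
            Model         = $e.Model
            KillDiskEnded = [bool]$marker
            Certificate   = ($CertificateNames -contains "ServiceTag-$($e.Serial).pdf")
        }
    }
}

# Constructed sample input in the layout the wipe script produces (not real data).
$sampleResults = @'

Date:             20140801
Serial:           ABC1234
Vendor:           Dell Inc.
Model:            Latitude E6540
CPU Type \ Speed:      Intel(R) Core(TM) i7
Memory:          8192MB
HDD Size:         476GB
____________________________________________________________

Date:             20140802
Serial:           XYZ9876
Vendor:           Dell Inc.
Model:            OptiPlex 9020
CPU Type \ Speed:      Intel(R) Core(TM) i5
Memory:          4096MB
HDD Size:         238GB
____________________________________________________________
'@ -split "`r?`n"

$sampleKillDisk = @(
    '08/01/2014 09:15:02.1 ServiceTag#: ABC1234',
    '-----------------------------------END OF WIPE PROCESS FOR ABC1234-------------------------------------------'
)
$sampleCerts = @('ServiceTag-ABC1234.pdf')

# ABC1234 passes both checks; XYZ9876 has neither marker nor certificate and needs follow-up.
Test-WipeEvidence -ResultLines $sampleResults -KillDiskLogLines $sampleKillDisk -CertificateNames $sampleCerts | Format-Table

# Against the real share:
# Test-WipeEvidence -ResultLines (Get-Content L:\DiskWipeResults.log) `
#     -KillDiskLogLines (Get-Content L:\KILLDISK.LOG) `
#     -CertificateNames (Get-ChildItem L:\Certificates -Filter *.pdf).Name
```

A block in DiskWipeResults.log with no matching end marker usually means killdisk.exe returned before finishing (the script does not check its exit code), which is the case to investigate before the device leaves the building.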

 

Task Sequence: (Boot image is WinPE x64)

  1. Disable Bitlocker if starting from Windows & Reboot to PE
  2. Partition if Necessary (Copied from MDT TS)
  3. Bios Settings – Wipe Bios Password
  4. Wipe Drive (KillDisk)
    image

I’m going to focus on the Wipe Drive section

  1. Format and Partition Disk
    image
  2. Copy KillDisk to X drive (Virtual PE Drive)
    image
  3. Map Drive L (Used for log files)
    image
  4. Run Kill Disk
    image
  5. The HDD Has been wiped clean (Notification on Screen)
    JobComplete.bat –> Launches JobComplete.Txt File created during WipeProcess.bat
    image

 

In Action

image image image 
Warning to remove the bootable flash drive.. (it will securely wipe that too)
image image image

 image
Sorry, my VM doesn’t provide the best results for the demo, but it’s much easier to grab the screenshots.  Should give you the overall picture of the Task Sequence.

 

File Server Share Logs:
killdisk.log:
image image

creates a page to print out to place on computer:

image

The Active Kill disk Certificates:
image

Certificate Example:
image

 

Hope those of you with Active Kill Disk find this useful.