So what's up with GARYTOWN, where you been?

Hey Everyone, sorry I haven't had time to do any blogging lately.  I recently transitioned from my position at the State of MN, and started working at Wells Fargo, where I have the privilege of working with several amazing people on a daily basis, like Mike Terrill & Keith Garner.  There are several others there too that I have the privilege of working with occasionally, and to be honest, it's quite overwhelming the amount of talent Wells Fargo has on staff, and I feel honored to be in their ranks.

I no longer have access to the same plethora of equipment, and many of the solutions I've worked on at a smaller / medium business don't scale up well to the size of Wells Fargo.  I used to be under the mindset of getting out of the Management Business, let the vendor tools automatically do the work for you, give up control of the little things (BIOS updates, Drivers installs and updates, Windows updates, 3rd Party software auto updates, etc) to focus on the big things (Windows as a Service, keeping environment updated, implementing new tech).  However, in an environment like this, we need complete control at all times over every little detail.  As I try to change paradigms of workstation management, I'm unsure how that will affect my blog.  Not having access to the same resources as before I'm sure will impact my writing, and many of the things just aren't in my new job responsibilities, so I won't be working with them on a daily basis any longer.

As I find time between work, being the best husband I can be, parenting 5 children under the age of 9, being active in our local church community, and assisting with Home Schooling responsibilities at home and in our Co-Op, I'm planning to build out a lab at home, and hopefully get my hands on some Dell equipment. It's been a pleasure contributing to the community, and hopefully I'll be more active again soon, but for at least the immediate future, I hope you find my website valuable, and look forward to chatting on Twitter.

 

Gary Blok

Dell Bios Updates - ConfigMgr App Model - Post OSD

I’m pretty good about keeping our Dell machines at the current BIOS level, usually a couple models get updates every month… then there was that Intel AMT vulnerability, and they released updates for nearly all of our models, so that was fun.  I tweeted about my exploits and had requests to share how I’m doing it… so here it is…

App Model & PowerShell

I blogged a 3 part post back in Dec 2015, I’m not going to redo everything, but send you there if you need to build your collections yet:

https://garytown.com/updating-dell-bios-with-configmgrpost-1creating-model-based-collections

Another Pre-Req is having a global condition for “Model”, which I cover here: https://garytown.com/updating-dell-bios-with-configmgrpost-3the-application-deployment

Once you have that out of the way, it’s just building your App.

 

It’s really simple, we have a PowerShell script that will:

  1. Suspend Bitlocker (Works for Win 7-10)
  2. Stop the MBAM Service (So MBAM doesn’t start Bitlocker again before rebooting)
  3. Grab Dell Bios info from the Bios EXE file in same directory
  4. Create Log File name based on that EXE
  5. Confirm Bitlocker is Suspended
  6. Update Bios, creating Log File
  7. Reboot Machine
    1. Reboots right away if no one is logged on
    2. Give 5 Minute & 2 Minute warnings if someone is logged on

The nice thing about this method, it’s one script, that never changes. You just add it to your Model Folder. Every time a new BIOS comes out, replace the BIOS.EXE in the source, update the Application Detection Method, and update the content for that deployment.  All Set!

Now the Script:

There are 2 parameters, you tell it where you want your log file, and what your BIOS password is.  That’s it:
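The seven steps listed above, written out in PowerShell as an added example; this is not the author's BiosUpdate.ps1 from the download. The parameter names come from the command line on this page; the `MBAMAgent` service name, the reliance on English `manage-bde` output and the treatment of exit code 2 as success are assumptions of the example.

```powershell
# Added example, not the BiosUpdate.ps1 from the download. Parameter names
# match the command line on this page; the rest is assumed.
param(
    [Parameter(Mandatory = $true)][string]$BiosPassword,
    [string]$LogPath = 'C:\Cabs\InstallLogs'
)
$osDrive = $env:SystemDrive

function Test-BitLockerOn {
    # Assumes English manage-bde output ("Protection On" / "Protection Off").
    $status = & manage-bde.exe -status $osDrive
    return [bool]($status -match 'Protection On')
}

# Steps 3-4: the one BIOS EXE beside this script also names the log file.
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$biosExe = @(Get-ChildItem -Path $scriptDir -Filter '*.exe')
if ($biosExe.Count -ne 1) {
    Write-Warning "Expected exactly one BIOS EXE in $scriptDir, found $($biosExe.Count)."
    exit 1
}
New-Item -Path $LogPath -ItemType Directory -Force | Out-Null
$biosLog = Join-Path $LogPath ($biosExe[0].BaseName + '.log')

# Steps 1-2: suspend BitLocker, then stop the MBAM agent so it cannot
# resume protection before the restart.
if (Test-BitLockerOn) {
    & manage-bde.exe -protectors -disable $osDrive | Out-Null
}
$mbam = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
if ($mbam -and $mbam.Status -eq 'Running') {
    Stop-Service -Name 'MBAMAgent' -Force
}

# Step 5: flashing with protection still on can leave the machine at a
# BitLocker recovery prompt, so stop here instead of continuing.
if (Test-BitLockerOn) {
    Write-Warning "BitLocker is still protecting $osDrive; BIOS not updated."
    exit 1
}

# Step 6: silent flash using the Dell updater switches /s, /p= and /l=.
# The password is visible in this process's command line while it runs.
$flashArgs = '/s /p={0} /l="{1}"' -f $BiosPassword, $biosLog
$flash = Start-Process -FilePath $biosExe[0].FullName -ArgumentList $flashArgs -Wait -PassThru
# Assumption: 0 = success and 2 = success, restart required.
if (@(0, 2) -notcontains $flash.ExitCode) {
    Write-Warning "BIOS update failed with exit code $($flash.ExitCode); see $biosLog."
    exit $flash.ExitCode
}

# Step 7: restart now if nobody is at the console, otherwise warn twice.
# Win32_ComputerSystem.UserName covers the console session only, not RDP.
$user = (Get-WmiObject -Class Win32_ComputerSystem).UserName
if (-not $user) {
    & shutdown.exe /r /f /t 0
} else {
    & shutdown.exe /r /t 300 /c 'BIOS update installed. Restarting in 5 minutes, please save your work.'
    Start-Sleep -Seconds 180
    & shutdown.exe /a
    & shutdown.exe /r /t 120 /c 'BIOS update installed. Restarting in 2 minutes.'
}
exit 0
```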

The Application

Deployment Types, One Per Model, this will make the download quick, as it only downloads the one for that model, and gives you the ability to do easy detection rules.


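Programs: powershell -executionpolicy bypass -file "BiosUpdate.ps1" -Biospassword P@ssw0rd -LogPath C:\Cabs\InstallLogs
- Change your Bios Password & where you want to save the log files. The password is passed in clear text on this command line, so anyone who can read the deployment type can read it.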

Detection is just a Registry Key:

Requirements: Model = the Model (see previous post for more details)


Return Code, Change 0 = Hard Reboot


My Source Folder Structure:

Actual Content for Deployment Type:
Contains the PowerShell File (Which you don’t need to change, works for every model & every version of the Bios)

 

There you have it, for your deployments

Download AppExport & Script HERE. If you choose to import the App, you’ll want to build your own Folder Structure and update the Content Tab for each deployment.

Leave a comment if you have a question, or hit me up on Twitter – @gwblok

Windows 10 Customizations–MMS2017 Demos

Hey everyone, MMS has come and gone for another year, and I will say, it was my favorite MMS yet.  This conference keeps getting better and better, but what’s not to like, right?  Mall of America, 4 days with amazingly smart people, who are just people. There are no pedestals here, everyone is approachable, and you can ask questions of people with deep knowledge of the System Center Suite, and Windows!  What MMS does, it brings huge talent from around the world in a friendly and open environment for learning and building relationships, to help equip you for your current job and open doors to conquer new challenges you thought were insurmountable. The downside.. um.. it’s only 4 days.

So I had the privilege of presenting 3 topics, over 7 sessions. I’ll be going over customizing Windows 10 in this post.

The Task Sequence Export is available for download on github. - https://github.com/npherson/MakeItPretty

Please remember, work with your business to determine what you want to customize, and have good business reasons.  The more you customize, the more you’re on the hook for to keep consistent through in-place upgrades.  This list is NOT best practice, or even necessarily recommended, just showing what you can do.

Let’s take a look:  (Please also look at the slide deck for more info about each of these and how it all works) http://schd.ws/hosted_files/mms2017/96/MMS2017%20-%20Customizing%20Win%2010%20Pt%201%20and%202.pptx


  • Tweak – Uninstall Windows 10 Default Apps PS – Script written by Mark Godfrey to remove some apps (Slides 43 & 44)
  • SetOSDinfo PS  - Creates ITLocal WMI Namespace and populates it with handy info, taken from Jason Sandys’ Blog
  • Set Default Apps & Associations – Slides 12 – 15.  Note, this isn’t 100% in 10.  They seem to get reset frequently by Windows.  Recommend GPO if you need to force something.
  • IE Icons, just copying it once to Desktop and once to Accessories Folder, then I can PIN it to Taskbar and StartMenu in future steps.
  • Change “This PC” icon to Machine Name – This does exactly that.
  • PinItems on TaskBar.  This is a script that is adding Office to the TaskBar.
  • Disable Edge default Prompt – I thought there was a GPO for this in 1703, but I can’t find it, must have imagined that.  Here are two examples, the top one is the one in the export.
  • One Drive Disable – 3 “Run Command Line” Steps – Note, if you keep OneDrive, make sure you update it first. (Slide 28)
    • Remove Shell Folder  - REG ADD "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder" /V Attributes /T REG_DWORD /D 4035969101 /F
    • Remove App - %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall
    • Disable (GPP Key – Windows Components\One Drive) - REG ADD "HKLM\Software\Policies\Microsoft\Windows\OneDrive" /V DisableFileSyncNGSC /T REG_DWORD /D 1 /F

Explorer Tweaks

  • Explorer Tweaks, these will change the look in the Shell Folder, make it look more like:

    • Remove Pictures Folder: (2 steps, one for x64 & x86)
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
    • Remove Video Folder: (2 steps, one for x64 & x86)
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
    • Remove Music Folder: (2 steps, one for x64 & x86)
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{a0c69a99-21c8-4671-8703-7934162fcf1d}\PropertyBag" /V ThisPCPolicy /T REG_SZ /D Hide /F
    • Set Explorer to launch “This PC” (Slide 30)
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /V LaunchTo /T REG_DWORD /D 1 /F
    • MyComputer Desktop Icon (Adds “This PC” icon to desktop)
      • REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /V {20D04FE0-3AEA-1069-A2D8-08002B30309D} /T REG_DWORD /D 0 /F
    • Add Run as different user – Adds “run as different user” when you right click on an application in the start menu. – Slide 36
      • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" /V ShowRunasDifferentuserinStart /T REG_DWORD /D 1 /F

OEMInformation section (slide 40-41)

  • Tweak - OEMInfo Logo (Copy your logo into place, has to be bitmap file) – Requires you specify your Package. I keep the logo in a subfolder called UserLogo
    • cmd.exe /c copy UserLogo\logo.bmp C:\Windows\system32\logo.bmp /Y
  • Tweak - Set OEM Information 1 – Logo
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /V Logo /T REG_SZ /D "C:\Windows\System32\logo.bmp" /F
  • Tweak - Set OEM Information 2 – Manufacturer
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /V Manufacturer /T REG_SZ /D "Dell" /F
  • Tweak - Set OEM Information 3 - SupportHours
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /V SupportHours /T REG_SZ /D "10AM - 2PM" /F
  • Tweak - Set OEM Information 4 – SupportPhone
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation" /V SupportPhone /T REG_SZ /D "860-5309" /F
  • Tweak - Set OEM Information 5 – SupportURL
  • There is also a script that will do this and automatically set Model & Manufacturer of the computer.  Script is here: https://github.com/npherson/MakeItPretty

Default User Profile Tweaks
Note, I’m not going to cover Pinning IE to the TaskBar, so I’m going to skip that step.

  • Tweak - Mount ntuser.dat as defuser FIRST STEP (Required to make changes)
    • reg.exe load HKEY_LOCAL_MACHINE\defuser c:\users\default\ntuser.dat
  • Tweak - Change CMD to PowerShell in WinX (Not required in 1703, it defaults to this now)
    • REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /V DontUsePowerShellOnWinX /T REG_DWORD /D 0 /F
  • Tweak - Delete OneDriveSetup registry Key
    • reg.exe delete HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDriveSetup /f
  • Tweak - Set Cortana / Search Icon – Slide 38
    • REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /V SearchboxTaskbarMode /T REG_DWORD /D 1 /F
  • Tweak - Disable LockScreen Tool Tips
    • REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /V RotatingLockScreenOverlayEnabled /T REG_DWORD /D 00000000 /F
  • Tweak - Disable Windows Defender First Run (Slide 27)
    • REG ADD "HKEY_LOCAL_MACHINE\defuser\SOFTWARE\Microsoft\Windows Defender" /V UIFirstRun /T REG_DWORD /D 00000000 /F
  • Tweak - Unmount ntuser.dat as defuser LAST STEP
    • reg.exe unload HKEY_LOCAL_MACHINE\defuser

Corporate / Business Branding (Lock Screen / User Profile Pictures / Background / Start Menu)

  • Tweak - Default Corporate User Icons – PNGs (Slides 34-35)
    • xcopy UserLogo\* "%SystemDrive%\ProgramData\Microsoft\User Account Pictures" /Q /Y /I
  • Tweak - Default Corporate User Icons – regkey (or use GPO)
    • REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /V UseDefaultTile /T REG_DWORD /D 1 /F
  • Tweak - Replace Default LockScreen Step 1 (Slide 31 - 33)
    takeown /f C:\Windows\Web\Screen\*.*
  • Tweak - Replace Default LockScreen Step 2
    icacls C:\Windows\Web\Screen\*.* /Grant System:(F)
  • Tweak - Replace Default LockScreen Step 3
    cmd.exe /c copy WallPapersLockScreens\DM_LockScreen.jpg C:\Windows\Web\Screen\img100.jpg /Y
  • Tweak - Replace Default LockScreen Step 4
    cmd.exe /c copy WallPapersLockScreens\DM_LockScreen.jpg C:\Windows\Web\Screen\img105.jpg /Y
  • Tweak - Delete Default Wallpaper 4k folder Step 1 (Slide 31 - 33)
    takeown /f C:\Windows\Web\4K\Wallpaper\Windows\*.*
  • Tweak - Delete Default Wallpaper 4k folder Step 2
    icacls C:\Windows\Web\4K\Wallpaper\Windows\*.* /Grant System:(F)
  • Tweak - Delete Default Wallpaper 4k folder Step 3
    cmd.exe /c del /q C:\Windows\Web\4K\Wallpaper\Windows\*.*
  • Tweak - Default Corporate Wallpaper – img0 (Slide 31 - 33)
    cmd.exe /c copy WallPapersLockScreens\DM_Corp.jpg C:\Windows\Web\Wallpaper\Windows\img0.jpg /Y
  • Tweak - Add additional Corporate Wallpapers – img1 (1-5 are same, just using different files)
    cmd.exe /c copy WallPapersLockScreens\DM_Corp.jpg C:\Windows\Web\Wallpaper\Theme1\img1.jpg /Y
  • Tweak - Default Corporate Start Menu (Note, the previous two steps copy in fake programs that I have in the start menu, so when it mounts the start menu, those icons / programs are already “installed” – This is just for Demo) –
    powershell.exe Import-StartLayout -LayoutPath DMStartMenu\DM-Default.xml -MountPath C:\
    See Slides 17 – 23 for more details about the Start Menu

I hope this is helpful, each topic could have its own post (and most already do, either here on GaryTown or on CCMExec.com).

Dell BIOS update–WinPE–Model Independent–From Internet

Update 5/26 - Updated Script to use Dell's Enterprise Cab XML data, instead of the ever changing Support Site.  This now truly does work for all Dell Models that I know of. 🙂  Thanks Mark - POST HERE. Mark gives some back story as to how we came up with this idea, and why we wanted to switch from our old method.

Updated Script: (Updated Download as well on 7/11/17 - DOWNLOAD HERE)

The new Package contents:

 

 

 

The Task Sequence:

Just an FYI... you might notice that it's not updating the BIOS to the latest BIOS update for that model.  Example, yesterday several bios updates were released for several models to their WebSite. Those will not install using this method.  The Enterprise CAB data has extra layers of Change Management / Testing, so you can feel even better about applying the BIOS updates automatically. Once those extra layers have completed, then they become available.

 

Until Then, I’ve updated scripts and added a script for the TPM update.

2 scripts now, based on Dell Driver Cab, instead of HTML scraping.

  1. DellTPMDownloadUpdatePE – Downloads and installs the TPM 2.0 x64 Update for that model (if available)
  2. DellCabBiosUpdate.ps1

----------------

Original Post:

Ok, so you’re thinking, Gary, you just posted about this, and you’d be right, I did, see.. https://garytown.com/dell-bios-upgrade-in-osd-winpe-x64, but in the past week or so, I’ve come up with an idea, after looking at Maurice Daly’s download utilities, thinking, why can’t I just do something like that, and not have to have any content (beside the script and utility) to update the bios, and have it work on any dell model?  So that’s what I did, with the help of @modaly_IT & @geodesicz (my personal powershell guy), we came up with this solution.

DOWNLOAD HERE

Goal of Script:  Update Dell Bios on Any Model without having to maintain and update packages.

What it does:

  1. Gets Model info from WMI
  2. Downloads latest Bios directly from Dell
    1. No testing with Proxy server done, you can probably add this into the script, just don’t ask me how. (I don’t know, ask Maurice, he has it figured out in his cool GUI version)
    2. Mark (@Geodesicz) was able to make the changes to have this work in PE.
  3. Applies Bios to system during WinPE
  4. Create variables to do extra steps based on exit codes

Pros:

  1. Never manually download a BIOS update and build a BIOS package again
  2. Always install the latest Dell BIOS on the system you’re imaging
  3. Works on all dell models, no tracking down a bios per model
  4. See Number 1

Cons:

  1. Giving up control of the Bios Version you’re installing
    1. This doesn’t bother me personally, I haven’t ever had a BIOS update brick a machine, and if the BIOS is coming directly from Dell, it’s supported by them, and they will assist if anything did happen.
  2. Uses the Internet to pull content, while only 8-12MB per Computer, if you’re imaging large numbers, and you don’t plan ahead, this could be a potential issue.
  3. Uses HTML scraping, so if Dell ever changes their website, we’d have to update the script.

 

The Script… while very similar to my last one, it has some key differences.

  1. The Bios Password is now parametrized, no longer requiring the text file to pull password (Thanks Mark)
  2. Has large download section in which it has the logic to get the right Bios file (from Maurice) & the Actual download step, (from Mark).
  3. Validating the Bios downloaded.

This script is quite simple still, feel free to add additional logic to it for error handling.
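One way to validate a BIOS executable pulled from the Internet before it is flashed, as an added example that is not part of the downloadable script. `Test-BiosDownload`, its parameters and the `O=Dell` signer pattern are assumptions; it also assumes PowerShell 4 or later (for `Get-FileHash`) and an environment that can build the signer's certificate chain.

```powershell
# Added example, not part of the downloadable script. Test-BiosDownload, its
# parameters and the 'O=Dell' signer pattern are assumptions.
function Test-BiosDownload {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ExpectedSha256,             # optional, from a source you trust
        [string]$SignerPattern = 'O=Dell'    # matched against the signer subject
    )
    function New-Result([bool]$Ok, [string]$Reason) {
        New-Object PSObject -Property @{ Ok = $Ok; Reason = $Reason }
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return New-Result $false 'File not found'
    }
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    # An HTML error page saved under an .exe name has no MZ header.
    $stream = [System.IO.File]::OpenRead($fullPath)
    try {
        $header = New-Object byte[] 2
        $read = $stream.Read($header, 0, 2)
    } finally {
        $stream.Dispose()
    }
    if ($read -ne 2 -or $header[0] -ne 0x4D -or $header[1] -ne 0x5A) {
        return New-Result $false 'Not a Windows executable'
    }

    # Authenticode: the signature must verify and chain to a trusted root,
    # which also catches truncated or modified downloads.
    $sig = Get-AuthenticodeSignature -FilePath $fullPath
    if ($sig.Status -ne 'Valid') {
        return New-Result $false "Signature status: $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notmatch $SignerPattern) {
        return New-Result $false "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # Optional pin to a known hash (comparison is case-insensitive).
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $fullPath -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            return New-Result $false "SHA-256 mismatch: $actual"
        }
    }
    return New-Result $true 'OK'
}

# Usage (the path is a placeholder):
# $check = Test-BiosDownload -Path 'X:\Temp\BIOS.exe'
# if (-not $check.Ok) { Write-Output "BIOS validation failed: $($check.Reason)"; exit 1 }
```

A non-zero exit on failure lets the task sequence branch the same way it does when the download itself fails.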

In the TS:

Package Content:

As before, it will create logs in the SMSTSLog folder in %temp%.
The only difference now, I added a group that will only run if the Download Fails based on lines 86-90 of the script.

For more details on how to setup the rest, check out the old Post:
https://garytown.com/dell-bios-upgrade-in-osd-winpe-x64

Maurice’s new GUI version: http://www.scconfigmgr.com/2017/03/01/driver-automation-tool/

Maurice’s older version, where I stole the code from: https://gallery.technet.microsoft.com/scriptcenter/SCCM-Dell-Client-Bios-ee577b04

Task Sequence Message / Pause with No Package

I’ve created messages and pauses a couple of ways, a “fancy” way with content, based on Niehaus’s blog, and a simple way just using notepad with no content, which is really handy during times you don’t want (or not able) to pull down content yet.  Nash (@kidmystic) would say to use PowerShell (example at bottom), as he has a nifty one line code that will do it for you. However, if you don’t have PowerShell in WinPE, and want to keep it super simple, just do it this way… with notepad.

In the Task Sequence, where you want to create a pause, or message, create two “Run Command line” Steps.

  1. Run Command Line Step 1 = “Create Pause - Step 1”
    1. cmd.exe /c echo "Pausing Task Sequence for Testing, Close this Box to continue the Task Sequence" >> Pause.txt
  2. Run Command Line Step 2 = “Run Pause - Step 2”
    1. cmd.exe /c notepad.exe Pause.txt

This will work even if the HDD is not formatted, as it does not require content.  To Confirm, I Diskpart –> Clean the HDD so nothing was on it, then ran these steps in WinPE.  Worked perfect.  This is great for if you want to pause / blow up your TS early if it fails any validations, like Bios Password Missing, or UEFI not enabled, etc.

When you close the Notepad Application, the TS will Resume.

From NASH

powershell.exe -command (new-object -ComObject Microsoft.SMS.TsProgressUI).CloseProgressDialog() ; (new-object -ComObject wscript.shell).Popup('Message Box Text Content goes Here, you can make this as detailed as you want.',0,'Message Box Title in Upper Left',0x0 + 0x30) ; Exit 1

- Set your Exit code to what makes sense.  Exit 1 will “Fail” your TS and make it quit, which might be good in times that you want it to fail so something manually can be done. Exit 0 will be success and continue on.