So, you think you’re setting the lock screen, just to have OSD finish and be like “Why is the lock screen missing and showing a dark blueish color?” or “Argh, it’s the stinking Windows default lock screen, not the one I wanted”. Perhaps you have a lab, and don’t activate your PCs, so you get the rotating Bing Picture of the day, which is actually pretty cool and all, unless you’re trying to test Lock Screens. Thanks to Doug (managedoug.com) for bringing this to my attention and having me dig into it a bit more.
I’ve got several steps to control this during OSD, which include copying files over the default lock screen images and setting registry keys; which ones you need basically depends on exactly what outcome you’re looking for.
Scenario 1, you want to set the Lock Screen and NEVER allow the user to change it.
Scenario 2, you’re cool with the user changing it, but want to set it to your own custom default.
To accomplish both, there are several things in common you need to do, so I’ll start with the steps you need to do for either situation, then break apart the single additional step that enables scenario 1.
So this will be the first of several posts. Well, it’s sorta the second: this heavily relies on the script I posted for writing values to registry & WMI a few posts ago; however, I’ve made several modifications to it since then and have done A LOT of testing, hence my last post about testing Low Disk Space machines.
WaaS Process, as Designed by Mike Terrill & Keith Garner quick overview:
- PreAssessment: Set of rules run against hardware inventory data to rule out machines that are known to fail the upgrade. Rules include:
  - Hardware Checks
    - Free Disk Space
  - Software Checks (software we know needs to be at specific versions to survive IPU, or not block it)
    - 3rd Party Encryption Version level
    - 3rd Party AV Version level
    - Several other Apps
  - General Checks
    - Last HWInv Date
    - Last MP Checkin
    - OS / Build / OS Arch
    - CCM Cache Size
- PreCache / Compat Scan (Task Sequence): After it passes all of the rules, the computer is then added to a collection targeted with this TS. The TS is set up as a Required Deployment, set to Pre-Download Content and Download all Content before starting the TS. It will then dynamically download the driver packages, run the Check Readiness, and then the Compat Scan.
- Schedule for Upgrade: After it has been cached and passes the compat scan, the machine can be scheduled (added to a collection targeted with the upgrade).
That’s a really quick overview of how we’ve set up WaaS. We went over this in great detail @ MMS, and I’d expect Mike Terrill to eventually blog that detail. I just don’t want to steal all of his thunder, but felt you needed a little overview to explain where this TS fits in.
If (You Enjoy Reading)
I thought that was a clever title, but it seems more confusing the longer I look at it… anyway, this is the follow-up post to take BGinfo from MDT and add its capabilities to the ConfigMgr In-Place Upgrade Task Sequence process. If you’ve been working with in-place upgrade task sequences, you’ll know they are a different beast than regular OSD. You can’t just call an application and expect it to show up on the screen, like in OSD, where you can say Command Line Step: notepad.exe… and guess what, a notepad.exe window opens during the TS… freaking amazing!
Update 2017.11.29 - Thanks to @MrPRSmith for the idea, I was able to get FDE working using a pass-through disk, see bottom of post for more info.
Short post to go over something I found while researching BitLocker Full Disk Encryption on Hyper-V virtual machines.
I was testing enabling BitLocker during our Task Sequence, and I didn’t have any physical machines to test on, no problem right? With Hyper-V, you can now enable virtual TPM on Gen2 VMs, and have all the yummy goodness of UEFI, Secure Boot, BitLocker, Credential Guard all on your VM! So I started testing, everything worked! But when I checked the BitLocker status (manage-bde -status), it showed I was only encrypting Used Space. While this would be fine for a Virtual Machine, I was confused because I told it to use Full Disk, NOT used space. I ran many tests, trying several different things, but in the end, it never came out as I expected, with Full Disk. Even post OSD, if I decrypted and ensured policy was set for Full Disk, it would only encrypt Used Space. Finally, I gained access to a physical test machine, ran the exact same Task Sequence, and there it was, Full Disk Encryption. – Testing done on Hosts: Win 10 1607, 1709 & Server 2016. VMs running 1703 and 1709. Security settings were set to Enable Secure Boot & Enable TPM, tested dynamically expanding & fixed disks. (Not Pass-through)
Just another group of tasks to add to your arsenal. We run a Check Readiness step before our upgrades, with a minimum of 20GB Free. We have many clients that do not meet this minimum requirement and fail, and then have to remediate. While we have long term plans to automate much of this, and prevent the Task sequence from ever running on machines that don’t reach these pre-reqs, for now, a Band-Aid.