The Deployment Guys

PXE Deployment with Surface Pro

Ben Hunter — Thu, 16 May 2013 20:44:43 GMT

PXE support has been added to Surface Pro as part of the May firmware update. This means that as long as you have the Surface Pro Ethernet Adapter and installed the firmware update you can now perform PXE based deployments to Surface Pro. For detailed guidance on updating firmware on Surface pro please refer to my previous blog post - http://blogs.technet.com/b/deploymentguys/archive/2013/05/14/deploying-drivers-and-firmware-to-surface-pro.aspx.

To perform a deployment from your existing Windows Server 2008 R2 or Windows Server 2012 WDS server you need to do the following:

Attach the Surface Pro Ethernet Adapter to the Surface Pro.
Press and hold the volume down button and then press the power button, continue to hold the volume down button until the Surface starts to boot from the USB key.

A dialog box will appear that states that it is “Checking Media Presence……”. Then it will “Start PXE over IPv4”.

3. When prompted press Enter for network boot service.

The Surface Pro should now connect to your PXE server and allow you to perform a normal deployment.

For further details on Surface Pro deployment please refer to the Surface Pro - Enterprise Deployment Quick Start Guide within the Surface Pro firmware and driver pack that I worked with the Surface Team create.

This post was contributed by Ben Hunter, a Solution Architect with Microsoft Consulting Services.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.

Deploying Drivers and Firmware to Surface Pro

Ben Hunter — Thu, 16 May 2013 20:44:33 GMT

In the last month the Surface Pro team have started releasing driver and firmware packs that include all on the drivers and firmware required for Surface Pro. This pack is a simple zip file that contains all of the drivers as INF files that can be installed with out requiring an executable, which for those of you that have followed my previous posts will know is the way I like to see drivers provided.

Firmware Deployment

Perhaps the coolest thing about this pack is the fact that it includes firmware that is delivered in the form of a driver package. This is possible due to a UEFI feature called capsule packages. These capsule packages can be installed several ways:

Published via Windows Update
Injected into an offline Windows image
Installed into Windows 8 online

Note - They cannot be installed via Windows Software Update Service (WSUS).

The firmware is exposed to the machine as a device under the firmware node in device manager.

To update the firmware manually simply install the driver package on the machine then Windows will then seamlessly take care of the update process for you, ensuring that the correct firmware is applied. Once installed a flag is set for the loader and on restart all available firmware updates are applied. During the boot process a dialog will appear that states “installing system updates”. If you are deploying the drivers as part of an OS deployment, perhaps with the Microsoft Deployment Toolkit or System Center Configuration Manager 2012 you simply add these firmware drivers to your existing driver deployment methodology and the Windows will handle handle the update process for you.

Driver Deployment

Deploying these drivers as part of your existing OS deployment process is simple, however what happens if you want to update drivers on a Surface Pro that has already been deployed. This is definitely something you will want to do as the Surface team has already delivered a number of significant performance improvements as driver and firmware updates. One option would be to manually right clicking on the device in device manager, and select the appropriate driver to install. However this is a laborious process. It is possible to automate this process using a PowerShell script that calls the PnPUtil utility.

The following script iterates recursively through the pack and installs all of the drivers that it finds:

$ScriptPath = Split-Path -parent $MyInvocation.MyCommand.Definition

$files = get-childitem -path $Scriptpath -recurse -filter *.inf

foreach ($file in $files)

{

Write-host "Injecting driver $file"

pnputil -i -a $file.FullName

}

To use this script extract the driver pack and place the script in top level folder of the extracted zip file. Then execute the script, it will install all drivers (including firmware). This could also be packaged into a System Center Configuration Manager package and deployed to existing machines.

This post was contributed by Ben Hunter, a Solution Architect with Microsoft Consulting Services.

Supporting Windows 8 Mail App in the Enterprise

lutz seidemann — Tue, 14 May 2013 21:21:00 GMT

In a recent project we faced an interesting problems using the Windows 8 Mail App.

Windows 8 include a built-in email app named Mail (also referred to as Windows 8 Mail or the Windows 8 Mail app). We used a Standard User Account without any local Admin privileges, logged on to the Domain and tried to add our Exchange information to the mail app. After adding our Account information an error is popping up “To sync username@yourdomainname.com, you will need to change this PC’s settings to match the mail server’s security settings.”

After some investigation about this error we found out there are few settings Enterprises need to prepare before using the mail app in an environment with logged down user rights.

The Windows 8 Mail to allows users using ActiveSync (EAS) for Exchange synchronization. If you add your account to the Mail application your Exchange policies will pushed down and the stronger policy will take presence (http://blogs.technet.com/b/exchange/archive/2012/11/26/supporting-windows-8-mail-in-your-organization.aspx). If your EAS is stronger than your Domain or local policy the Windows Policy Engine requires admin access to apply policy changes, since non-admins are not allowed to make changes to computer/account configurations, you will get the issue documented above.

In a next step you have to compare the policy that is applied on the device(s) against what is being requested by the Exchange server.

Control the corresponding Group Policy (Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options /) to have the same settings as you have configured in Exchange. If both are identical you can add your Exchange Account without getting any popup.

AllowSimpleDevicePassword                                     : Windows Policy Engine would try to apply this policy,
MaxInactivityTimeDeviceLock                                    : Windows Policy Engine would try to apply this policy,
MaxDevicePasswordFailedAttempts                       : Windows Policy Engine would try to apply this policy,
DevicePasswordExpiration                                          : Windows Policy Engine would try to apply this policy,
DevicePasswordHistory                                                 : Windows Policy Engine would try to apply this policy,
RequireDeviceEncryption                                              : Windows Policy Engine would try to apply this policy,
MinDevicePasswordComplexCharacters               : domain accounts, password length and complex characters are not governed by EAS,
MinDevicePasswordLength                                         : domain accounts, password length and complex characters are not governed by EAS,

This post was contributed by Lutz Seidemann, a Solution Architect with Microsoft Consulting Services.

The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.

Windows 8 – Supporting proxy services with Static Configurations, Web Hosted PAC files and Domain Policy Configured Proxy

Scott Culbertson — Wed, 08 May 2013 19:32:07 GMT

Many companies have started using Windows 8 and have noticed with some of the new features there are times when things just don’t seem to work the way they expected them too; this was due to configuration needs and not actual issues in many cases. We have found this is normally due to some additional configurations that are required to enable the newer features and applications that have been introduced with the new OS.

I would like to focus on one that I have been putting some extra effort towards to help customers get the best experience they can when the enterprise has proxy services enabled and they see issues such as the Windows 8 apps and basic services are not communicating with web services.

Sometimes communities identify issues and is important that we help improve the user experience when issues are identified. There are a couple articles currently articles addressing some of the original issues. Specifically the need to use the NETSH commands to correct the WINHTTP Proxy service; see the reference articles within this blog for links to them. This include transitioning to new networks and the use of WPAD for the most robust model for Windows 8.

Note: It is important to also understand before we review these scenarios and options that for the best Windows 8 experience it is recommended to use WPAD to enable all the features of Windows 8 without additional work for the client. Use these links to understand how to implement WPAD and enabling Authenticated Proxy support.

Supporting Articles:

Implementing WPAD: KB2777643

Authenticated Proxy Support: KB2778122

Proxy Service in the Enterprise:

Key Scenarios: Typical results in the following scenarios with “Static Proxy”, “Web Hosted Proxy PAC Files” and “Domain Policy Defined Proxy”, hosted PAC files is the following:

Window 8 Network Location Awareness: NLA is required for Windows 8 applications to function properly by determining that you are connected to the internet by looking for a file called ncsi.txt on the internet and is the feature that tells the Windows 8 applications if your online. When this is working right your Network Icon will reflect your online and when you access Windows 8 Application such as Bing Sports it will identify your access and function properly. Properly define proxy services will enable this.

Windows 8 Applications: In general testing Windows 8 applications will function as designed. Note: This is not a blanket statement for all Windows store application due to the lack of testing. I have tested the normal inbox apps and some additional application downloaded.

The Windows Store Application updates: This feature is functioning while using Static or PAC files when the user is on public networks only. In some cases it has been noticed that the Inbox Windows 8 apps will be able to update while connected to the corporate network. If the updating is needed internally and you must use a PAC file you may wish to look at using WPAD. Another option is to use the PAC file model I describe below.

The Windows Store Catalogue: Can be viewed and searched.

Windows Store Apps Downloads: This feature is functioning while using Static or PAC files when the user is on public networks only to purchase apps and download. If the download is needed internally and you must use a PAC file you may wish to look at using WPAD. Another option is to use the PAC file model I describe below.

Windows Update: For Windows updates it has been observed that Automatic Updates do not work with Proxy configuration but both User Activated updates in the Windows 8 WU and the Classic Update model they will work. Once the computer is on the public network it will be able to receive Automatic Updates or with the user checking for updates.

Note: There is a known Issue for Authenticating Proxies Solutions: You will need to follow the guidance in the KB2778122 for whitelisting certain HTTP address’s listed in article to ensure the best experience while on the corporate network.

Note: Known issue with local installed PAC files: Local install of PAC files will not work for more than Local Browser services.

Enabling these PROXY scenarios:

We will walk through the simplest implementation which also has most limitation to the preferred method and options for configuration of PAC files.

Static Proxy Services:

Note: Only noted to help customers understand chance for negative experience. This is not preferred, this shouldn’t be used unless you are supporting desktop only. I just wanted to make people aware of it. Preferred approach is WPAD and then Web Proxy PAC file

This model is a direct insertion of the proxy server address and port used for communication via Internet Explore through the configuration via “Internet Options” and clicking on “Connections Tab” then “LAN Settings” and setting up your proxy definition under Proxy Server”

Load Internet Explorer and open Settings / Internet Options

With this implementation you will find that as long as your computer is on the proper network where the proxy server can be found your services as described above will work. If the Proxy Server is not locatable the following error will be observed due to WEB services not routing properly. Resolution will be to connect the system back to the proper network.

Put the system back onto the proper network or remove the static proxy setting.

Web Based Proxy PAC File:

Note: Using the following two configuration options in the Proxy path configuration do not work:

If Proxy PAC files need to be used in the enterprise environment using a web hosted service is the preferred method. This can be hosted on the proxy server or any other IIS services hosting the file so it can be accessed by the computer at boot. To do this you need to configure the PROXY setting in the manner below.

This model is a direct insertion of the web server address for the PAC file for communication via Internet Explore through the configuration via “Internet Options” and clicking on “Connections Tab” then “LAN Settings” and setting up your proxy definition under Proxy Server

Load Internet Explorer and open Settings / Internet Options

In this case you will have the expected results I noted above in the top of this Blog. I also want to provide a couple sample PAC files that I have found to help make the user experience work well. I also will discuss a model where you could potentially enable the Windows 8 App Store for downloading applications that was mentioned above where it may potentially not work with PAC files.

Sample PAC file #1:

Net Results will be that your system will function with new Windows 8 Apps but you will not be able to download new apps till the device is placed outside the corporate network. The proxy will be offline and your system will default to standard full internet access allowing the download of the selected applications. If for some reason you have an external Proxy you will need to consider the second sample file for the best results.

This file is the simplest and will identify your host network and then designate the Proxy Server for that network. If the network host is not found it instructs the WINHTTP services to use the default gateway of the computer. While on the company network Windows 8 App Store Downloads may not work but when the computer is on a public network it will be able to download Windows Store Apps.

You can use notepad.exe to create a simple test file, example: Sample1.PAC

//Begin

function FindProxyForURL(url, host)

{

if (isInNet(myIpAddress(), "10.0.0.0", "255.255.255.0"))

return "PROXY ProxyServerName:8080";

else "Proxy Direct";

}

//End

Sample PAC File #2:

Note: This will require corporate review and approval most likely. The purpose of this Script is to enable Windows Application Store Downloads within the corporate network with proxy services or if the company is using an External Web based Proxy Service.

In this scenario you have a Default Gateway on the corporate network that is open to the internet but normal traffic is always processed through the Proxy server. With this configuration we have directed any traffic required to communicate with Microsoft to be allowed to operate through the default gateway and the limited capabilities are now removed and Windows Store Apps will now be successfully downloaded on the corporate network.

You can use notepad.exe to create a simple test file, example: Sample2.PAC

//Begin

function FindProxyForURL(url, host)

{

// variable strings to return

var proxy_online = "PROXY ProxyServer:8080";

var proxy_offline = "DIRECT";

if (shExpMatch(url, "http://*.microsoft.com*"))

{ return proxy_offline; }

if (shExpMatch(url, "https://*.microsoft.com*"))
{ return proxy_offline; }

// Proxy anything else

return proxy_online;

}

//END

Domain Policy Configuration for a PAC File:

This procedure assumes you are familiar will traversing the Group Policy Management tool using either Server 2012 or the Remote Server Administration Toolkit for Windows 8.

First create a policy for Internet Explorer 10 for the proxy configuration under “User Settings” Preference – Control panel settings.

Wizard will pull up and then you can select “Connection” Tab and then “LAN settings” Radio Button

Enter the required Proxy settings and then link the GPO to you target OU

Make sure to select F5 on the Field when you enter the Name so it is accepted.

This will allow you to now set the Proxy GPO on your system.

Additional information for PAC Files Scripting options can be found here: MS TechNet on PAC File Scripting

This post was contributed by Scott Culbertson, a Solution Architect with Microsoft Consulting Services.

USMT Restore Status Notification HTA in Full Operating System

Brad Tucker — Tue, 09 Apr 2013 16:35:15 GMT

In my previous blog entry, I explained my customer’s need for stand-alone USMT Capture and USMT Restore task sequences and their need for a notification box to pop up and let the technicians know the process completed successfully. This post will continue in that vein and discuss the notification HTA for the USMT Restore task sequence.

The requirement was to make a notification box pop up and pause the task sequence until it is acknowledged or closed.

I created a simple HTA that will look for the loadstate.log in the CCM\Logs\SMSTSlog folder based on architecture. As I am sure you are aware, the SMSTSLog folder is where the logs are placed during the task sequence, so they are always guaranteed to be current. It isn’t until the task sequence is closed out that the logs are moved one level up and the SMSTSLog folder removed.

If they are running on a Windows XP machine the path is:

C:\Windows\System32\CCM\Logs\SMSTSLog\loadstate.log.

If they are running on a Windows 7 x64 machine, the path is:

C:\Windows\SysWow64\CCM\Logs\SMSTSLog\loadstate.log

The HTA then parses this log file looking for ‘MIGACTIVITY_SUCCESS’. If this message exists in the log file, the HTA returns the following box…

If it doesn’t exist, they see the following box…

Now that the HTA is functional, I have to put it in the task sequence and make it visible while running inside the full operating system. This is where the fun really begins…

Luckily, we can take advantage of ServiceUi.exe that exists in the Tools\x86 or Tools\x64 folders within the Microsoft Deployment Toolkit package. We can launch this by calling it from %toolroot%.

Placing my HTA file in a folder called CustomScripts underneath the Scripts folder in the toolkit package allows me to use the command line…

%toolroot%\serviceui.exe –process:tsprogressui.exe %systemroot%\system32\mshta.exe %scriptroot%\CustomScripts\USMTRestoreStatus.hta

Here is an example of how to call my HTA using the ServiceUi.exe…

For more information on the use of ServiceUI.exe, see ‘Can I use ServiceUI.exe to launch other programs besides the UDI Setup Wizard?’ on Cameron’s Blog – Cravings of System Center.

USMTRestoreStatus.hta

<html>
< head>
< title>USMT Restore Status</title>
< HTA:APPLICATION
APPLICATIONNAME="USMT Restore Status"
ID="USMTRestoreStatus"
SCROLL="no"/>
< /head>

' *****************
' * Window_OnLoad *
' *****************

Sub Window_OnLoad
'This method will be called when the application loads
   window.resizeTo 600,300
   window.moveto 1,1
   USMTStatus
End Sub

' *****************
' * USMTStatus *
' *****************

Sub USMTStatus
Const ForReading = 1

' Set the search parameter
Set objRegEx = CreateObject("VBScript.RegExp")
objRegEx.Pattern = "MIGACTIVITY_SUCCESS"

' Prepare log file connectivity
Set objFSO = CreateObject("Scripting.FileSystemObject")

' WMI Connectivity
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Query WMI for processor architecture type
Set colProcessors= objWMIService.ExecQuery ("Select * From Win32_Processor")

' Set log file location based on processor architecture type
For Each objProcessor in colProcessors
If objProcessor.Architecture = 0 Then
Set objFile = objFSO.OpenTextFile("C:\windows\system32\ccm\logs\SMSTSLog\loadstate.log", ForReading)
Else
Set objFile = objFSO.OpenTextFile("C:\windows\syswow64\ccm\logs\SMSTSLog\loadstate.log", ForReading)
End If

' Set initial returnSuccess to 'False'
returnSuccess = False

' Parse the scanstate.log file for search parameters
Do Until objFile.AtEndOfStream
    strSearchString = objFile.ReadLine
    Set colMatches = objRegEx.Execute(strSearchString)
    If colMatches.Count > 0 Then
        For Each strMatch in colMatches
            returnSuccess = True
        Next
    End If
Loop

' Set HTA pop-up box text based on search results
If returnSuccess = True Then
DataArea.InnerHTML = "The user state was SUCCESSFULLY restored.<br><br>PLEASE CLOSE THIS BOX TO END THE TASK SEQUENCE."
Else
DataArea.InnerHTML = "The user state was NOT SUCCESSFULLY restored.<br><br>PLEASE CLOSE THIS BOX TO END THE TASK SEQUENCE."
End If

End Sub

< /script>

</body>
< /html>

USMTRestoreStatus.hta

This post was contributed by Brad Tucker, a Senior Consultant with Microsoft Services, East Region, United States

USMT Capture Status Notification HTA in Full Operating System

Brad Tucker — Tue, 09 Apr 2013 13:48:26 GMT

Recently, I had a customer that wanted separate, stand-alone USMT Capture and USMT Restore task sequences. They had key depot locations that would allow users to drop off an old machine, and have the depot technicians image and restore data to a new device. They would then repurpose the old machine.

Evidently, they had issues with USMT not running successfully or perhaps it was forgotten by the technician in the first place. So they asked for a notification box to pop up and let the technician know the data was, in fact, captured successfully.

The requirement was to make a notification box pop up and pause the task sequence until it is acknowledged or closed.

I created a simple HTA that will look for the scanstate.log in the CCM\Logs\SMSTSlog folder based on architecture. As I am sure you are aware, the SMSTSLog folder is where the logs are placed during the task sequence, so they are always guaranteed to be current. It isn’t until the task sequence is closed out that the logs are moved one level up and the SMSTSLog folder removed.

If they are running on a Windows XP machine the path is:

C:\Windows\System32\CCM\Logs\SMSTSLog\scanstate.log.

If they are running on a Windows 7 x64 machine, the path is:

C:\Windows\SysWow64\CCM\Logs\SMSTSLog\scanstate.log

The HTA then parses this log file looking for ‘MIGACTIVITY_SUCCESS’. If this message exists in the log file, the HTA returns the following box…

If it doesn’t exist, they see the following box…

Now that the HTA is functional, I have to put it in the task sequence and make it visible while running inside the full operating system. This is where the fun really begins…

Luckily, we can take advantage of ServiceUi.exe that exists in the Tools\x86 or Tools\x64 folders within the Microsoft Deployment Toolkit package. We can launch this by calling it from %toolroot%.

Placing my HTA file in a folder called CustomScripts underneath the Scripts folder in the toolkit package allows me to use the command line…

%toolroot%\serviceui.exe –process:tsprogressui.exe %systemroot%\system32\mshta.exe %scriptroot%\CustomScripts\USMTCaptureStatus.hta

Here is an example of how to call my HTA using the ServiceUi.exe…

For more information on the use of ServiceUI.exe, see ‘Can I use ServiceUI.exe to launch other programs besides the UDI Setup Wizard?’ on Cameron’s Blog – Cravings of System Center.

USMTCaptureStatus.hta

<html>
< head>
< title>USMT Capture Status</title>
< HTA:APPLICATION
APPLICATIONNAME="USMT Capture Status"
ID="USMTCaptureStatus"
SCROLL="no"/>
< /head>

' *****************
' * Window_OnLoad *
' *****************

Sub Window_OnLoad
'This method will be called when the application loads
   window.resizeTo 600,300
   window.moveto 1,1
   USMTStatus
End Sub

' *****************
' * USMTStatus *
' *****************

Sub USMTStatus
Const ForReading = 1

' Set the search parameter
Set objRegEx = CreateObject("VBScript.RegExp")
objRegEx.Pattern = "MIGACTIVITY_SUCCESS"

' Prepare log file connectivity
Set objFSO = CreateObject("Scripting.FileSystemObject")

' WMI Connectivity
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Query WMI for processor architecture type
Set colProcessors= objWMIService.ExecQuery ("Select * From Win32_Processor")

' Set log file location based on processor architecture type
For Each objProcessor in colProcessors
If objProcessor.Architecture = 0 Then
Set objFile = objFSO.OpenTextFile("C:\windows\system32\ccm\logs\SMSTSLog\scanstate.log", ForReading)
Else
Set objFile = objFSO.OpenTextFile("C:\windows\syswow64\ccm\logs\SMSTSLog\scanstate.log", ForReading)
End If

' Set initial returnSuccess to 'False'
returnSuccess = False

' Set HTA pop-up box text based on search results
If returnSuccess = True Then
DataArea.InnerHTML = "The user state was SUCCESSFULLY captured.<br><br>PLEASE CLOSE THIS BOX TO END THE TASK SEQUENCE."
Else
DataArea.InnerHTML = "The user state was NOT SUCCESSFULLY captured.<br><br>PLEASE CLOSE THIS BOX TO END THE TASK SEQUENCE."
End If

End Sub

< /script>

</body>
< /html>

USMTCaptureStatus.zip

This post was contributed by Brad Tucker, a Senior Consultant with Microsoft Services, East Region, United States

Create Windows-To-Go drives in a simple Factory mode

DeploymentGuys — Wed, 27 Feb 2013 16:22:00 GMT

Windows To Go is a feature in Windows 8 Enterprise that allows Windows 8 Enterprise to boot and run from mass storage devices such as USB flash drives and external hard disk drives. It is a fully manageable corporate Windows 8 environment.

During a recent project we faced the need to generate hundreds of WTG drives in a short time. We evaluated USB disk duplicators such as the ILY Spartan USB duplicator (http://ily.com/other_usbdupe.html or http://www.ily.com/super_usbdupe.html ). We successfully tested the 7 and 118 port versions but finally decided to just use PowerShell and a USB hub.

We used MDT 2012 Update1 for image engineering and Ben’s guidance for the Start Screen customization to generate our master image (WTGContoso.WIM). This image is customized for all WTG usage and therefore we injected all corporate supported drivers.

When the WTG image runs for the first time it will perform the same process as your normal image installation. If you provide the unattend.xml the configuration and domain join process is also automated.
There is also no need for special naming convention (lucky for us), so don’t have to mess around with naming script logic. We only ensured that Windows 8 started from a WTG stick is in a special OU that applies Group Policy with extra hardening settings.

Attached is the PowerShell script to generate multiple WTG sticks at the same time. The script will create the unattend.xml, format the WTG drive, enable BitLocker and deploy the image to the drive.

For mass production use a USB hub and add as many WTG sticks to the PC as you can. The script will build all of them in a single process. During the first boot of the WTG drive, all unattend.XML settings are applied, the host hardware is detected and all drivers are installed.

There are few script updates you need to perform for your environment:

Domain credentials
Domain join account
Join OU container
Organization and Owner
Timezone
If needed you can add a run once script.

This post was contributed by Lutz Seidemann, a Solution Architect with Microsoft Consulting Services.

Printer Remapping in Windows 7 Deployments

DeploymentGuys — Tue, 12 Feb 2013 18:05:00 GMT

One of the challenges that I frequently come across is the shift from 32-bit operating system environments to 64-bit operating system environment during deployment projects. Windows 7 ships as both 32-bit as well as 64-Bit, with the 64-bit version becoming more popular due to its ability to handle large amounts of RAM and the wider availability of OEM 64-bit drivers.

With this in mind, most customer we see are moving from Windows XP 32-bit to Windows 7 64-bit and as part of the effort of migrating we often see a need to migrate their printing infrastructure into a 64-bit compatible printing infrastructure.

This introduces challenges around the migration of existing printers configured on the windows XP 32-bit environment. The User State Migration tool (USMT) is the great tool for migrating the user’s data and settings and it also helps migrating the network printers, but USMT does not takes care of the new print queues.

To begin - lets examine how USMT handles network printers.

During the USMT scan state phase USMT scans the HKCU\Printer\Connection registry keys and values and during the restore phase it restore the HKCU\Printer\Connection registry keys and values. Once the Print Spooler services get started it validates the network printer connection and then it makes the network printer visible under Devices and Printers within the operating system.

In order to migrate network printers to a new queue, a scripted solution can be used which takes care of remapping the network printers. The challenging part in the solution is around using System Center Configuration Manager 2007 or System Center 2012 Configuration Manager. Because printers are populated per user, and the task sequence runs under the system context, any scripted solution that runs from the task sequence will not be able to find printers for any specific users. Moreover when the tasks sequence is running in the system context, it would not have access to HKCU.

Because of these challenges, a scripted solution need to be run with the user’s rights – which allows for two options

1. Run the scripted solution via Group Policy Object(s) (GPO

2. Inserting a run once registry values (If there is only one primary user associated with the machine) to run the scripted solution at user logon.

Each of these deployment methods has its own pros and cons. Typically, a customer environment has PCs which in most part are used by a single user – the preference would be to add the run once registry value as part of the deployment task sequence as the last step or finish action in the task sequence.

The script solution provided below is a solution that was developed to be deployed via the run once registry value. The script solution provides the ability to map old to new printer queues in a text file (PrintRemap.txt) which is then consumed by the PrintRemapRegistry script to make the changes.

The PrintRemapRegistry script creates a log file under %Temp%\PrinterRemap_<ComputerName>.log which logs all the events. This log will also let you know if there is no mapping found. This script will not touch existing print queues unless they are listed in the printRemap.txt

This post was contributed by Kaushal Pandey (Guest Blogger), an Associate Consultant with Microsoft Global Delivery

Windows 8 BitLocker Deployment and PowerShell

DeploymentGuys — Thu, 17 Jan 2013 11:29:27 GMT

With Windows 7 deployments, BitLocker installation for Operating System and data volumes has typically been configured as a post Operating System deployment activity – usually using the Enable BitLocker task sequence actions or by using the manage-bde.exe command line.

The impact on the Windows 7 deployment process is that the full volume encryption process may take several hours as BitLocker requires that all data and free space on the drive is encrypted. This is especially true with the large volumes.

With Windows 8, BitLocker can also be provisioned before the Operating System is installed, from within Windows PE. This is achieved by using a randomly generated protector that is stored clearly on the volume. The volume is then encrypted, all before the Windows setup process has started.

That’s a great feature, however you’ll be thinking it will still take time to encrypt your entire disk – however Windows 8 also includes the option to encrypt only used disk space.

When the Used Disk Space Only encryption option is configured during BitLocker setup, only the area of the drive that has data will be encrypted with free disk space remaining unencrypted. The result is that the encryption completes much faster – which will speed up the Windows provisioning process.

The great news is that MDT 2012 Update 1 will handle this for us. The ZTIBDE.wsf script is executed during the PreInstall phase and will automatically enable BitLocker Offline from with Windows PE, using the UsedSpaceOnly parameter (if the partition is not already encrypted). This will literally take seconds to run. The data written to the volume during OS and application installation is then encrypted as it is written to the disk, with a very small impact on performance (less than 1%)

Once the OS image, applications and configurations have been installed, we include the standard Enable BitLocker task to configure the encryption protectors as required.

One challenge is configuring BitLocker on additional data partitions. Using the Enable BitLocker task sequence action will not allow us to set the parameters for Used Space Only. This is where we can use the new BitLocker PowerShell cmdlets.

There are a host of new BitLocker cmdlets available in Windows 8, all described in the TechNet article at the end of this post. For this example, I am going to use the Enable-BitLocker cmdlet to encrypt my extra data partition and specify the –UsedSpaceOnly parameter.

Then literally by the time I had typed Enable-BitLockerAutoUnlock D: to configure Autounlock for the D partition, the encryption process had completed and the Protection Status had changed to On.

The PowerShell cmdlets can be called during the deployment process using the Run Command Line or even better, put together in a PowerShell script and called using the new Run PowerShell Script action in MDT 2012 Update 1 (thus making use of the integrated logging features with BDD.Log). A very simple example is illustrated below.

The output from the script will be logged into the BDD log file automatically, as highlighted below:

Take a look at the new BitLocker cmdlets documented in the following article:

http://technet.microsoft.com/en-us/library/jj647767.aspx#BKMK_blcmdlets

This post was contributed by Matt Bailey, a Consultant with Microsoft Services - UK.

Windows 8 – Customizing the Default Lock Screen

Ben Hunter — Tue, 11 Dec 2012 20:30:00 GMT

Have you tried to change the default wallpaper on the Windows 8 lock screen? Now I live in Seattle and quite like the stylized picture of Seattle but in an enterprise environment you may want a more “corporate” image.

Until now you have not been able to do this without using an unsupported method of “hacking” file permissions and replacing the default wallpaper file.

Well this has now changed , the Windows 8 and Windows Server 2012 cumulative update: November 2012 allows us to customize the start screen.

There is a new Group Policy that allows you to “Force a specific default lock screen image”. For all the details on using this group policy setting please refer to the following TechNet article - http://support.microsoft.com/kb/2787100/EN-US.

This post was contributed by Ben Hunter, a Solution Architect with Microsoft Consulting Services.