Deployment

How to enable used space encryption using Invoke-MbamClientDeployment.ps1

First and foremost, if you have not had a chance to read the latest Technet article on how to enable BitLocker by using MBAM, please do so here!

It is an excellent guide that explains how to configure MBAM and Bitlocker inside of MDT. Unfortunately the guide does not explain how to enable used space encryption when you are not pre-provisioning your drive. It’s actually pretty simple and can be done by just modifying the registry.

Now I’m assuming that you have Invoke-MbamClientDeployment.ps1 in your task sequence but if you have not set everything up, please read the Technet article that I referenced earlier.

In your task sequence, please navigate to the step that calls Invoke-MbamClientDeployment.ps1. If you followed the Technet guide, the task name should be “Configure BitLocker for MBAM”. Now go ahead and add a Run Command Line step before the “Configure BitLocker for MBAM” step. Let’s name this step “Enable Used Space Encryption”.

In the command line field, you will want to enter the following command:

reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v OSEncryptionType /t REG_DWORD /d 2 /f

And.. That’s it!

How to configure your Windows 10 default file associations in MDT

You will first need to configure all your file associations on a test machine. Once this has been done, you will want to run the following command to export your file associations:

Dism.exe /Online /Export-DefaultAppAssociations:%USERPROFILE%\Documents\DefaultAppAssociations.xml

The XML file will be exported to your Documents folder

Now you will want to place the XML file that we just exported into your Scripts folder inside of your MDT Deployment Share.

Once that is done, launch MDT and open your deployment task sequence. Locate the PostInstall folder and add a command line task above the Inject Drivers task.


Set File Associations
Set File Associations - 2

Lets go ahead and name the task Set File Associations. In the command line field, insert the following command:

Dism.exe /Image:%OSDisk%\ /Import-DefaultAppAssociations:%SCRIPTROOT%\DefaultAppAssociations.xml

Now you’re all set!

Automatically join a machine to your domain

This short script will join a machine to your domain. This can be useful as a post start up script that will launch after a machine has been imaged.

$domain = "DOMAIN"
$password = "PASSWORD HERE" | ConvertTo-SecureString -asPlainText -Force
$username = "$domain\USERNAME HERE" 
$credential = New-Object System.Management.Automation.PSCredential($username,$password)
Add-Computer -DomainName $domain -Credential $credential

Feel free to comment if you have any questions!

One Column Start Layout

If you haven’t done it already, please read my post on how to deploy a customized start menu in your Windows 10 image.

Do you have a similar start layout that you would prefer to slim down and not have to do it manually for each profile?

Well you can do this by configuring LayoutModification.xml to display only one main column and all you have to do is edit the following line:

<LayoutOptions StartTileGroupCellWidth="6" />

And add StartTileGroupsColumnCount=”1″

<LayoutOptions StartTileGroupCellWidth="6" StartTileGroupsColumnCount="1" />

Customize a Windows 10 Start Layout

To customize the Start Menu in your images, you will need to export a ‘reference’ Start Menu using the Export-StartLayout PowerShell cmdlet.

First you will need to setup the Start Menu exactly the way you want it, and then export the layout.

Export-StartLayout –path C:\LayoutModification.xml

Now, you can import the custom XML into the Default profile before sysprep.
Note: Only new user profiles will be able to see the new layout

Import-StartLayout -LayoutPath LayoutModification.xml -MountPath $env:SystemDrive\

If for some reason you have problems with the import, you can just copy the custom XML file into the Default profile.
Note: Only new user profiles will be able to see the new layout

copy /y LayoutModification.xml “C:\Users\Default\AppData\Local\Microsoft\Windows\Shell”

How to programmatically pin icons in Windows 10

UPDATE 01/01/2017:
Microsoft finally released an approved method to pin icons to the taskbar. I would highly suggest using this method since Syspin is a 3rd party tool that is not approved.
You can find out more info here:
https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-taskbar

In previous versions of Windows, you used to be able to use the verb Pintotaskbar to programmatically pin programs to your taskbar.

Example on how to pin Powershell ISE to the taskbar in Windows 8.1:

    $shell = new-object -com "Shell.Application"  
    $folder = $shell.Namespace((Join-Path $env:SystemRoot System32\WindowsPowerShell\v1.0))
    $item = $folder.Parsename('powershell_ise.exe')
    $item.invokeverb('taskbarpin');

This is no longer the case with Windows 10 and retrieving the verbs with $item.Verbs() from the script above, returns all verbs except for “Pin to taskbar”.  If you right click the file via the GUI, you will see that this verb does indeed exist.

Powershell verb

After a while of researching, I found a great third party tool that can easily pin icons to your taskbar in Windows 10.

The tool is called SysPin and you can download it from the following URL:
http://www.technosys.net/products/utils/pintotaskbar

Below are some instructions on how to use the tool:

Usage : syspin ["file"] c:#### or syspin ["file"] c:"commandstring"
        c:5386  : Pin to Taskbar
        c:5387  : Unpin from Taskbar
        c:51201 : Pin to Start
        c:51394 : Unpin to Start

Samples :
  syspin "%PROGRAMFILES%\Internet Explorer\iexplore.exe" c:5386
  syspin "C:\Windows\notepad.exe" c:"Pin to Taskbar"
  syspin "%WINDIR%\System32\calc.exe" c:"Pin to Start"
  syspin "C:\Windows\System32\calc.exe" c:51201

Unfortunately I haven’t found a way to unpin Edge and the Microsoft App store with this utility but I have been successful using the following tutorial to unpin everything before sysprepping the machine.
http://ccmexec.com/2015/12/removing-the-edge-icon-from-the-taskbar-during-osd/

Good luck and I hope this helps someone!

Windows 10 Upgrade

Depending on your environment, you may or may not need to have prerequisites that need to be done before starting an upgrade. These tasks may include, disabling your antivirus or uninstalling any software that may not be compatible with Windows 10. Once you have automated these tasks you can start the Windows 10 upgrade process by using the following command:

"setup.exe" /auto upgrade /quiet /copylogs %SystemDrive%\Temp\Deployment_Log 

This is a very basic way to silently upgrade your computers to Windows 10.  You can add further customization such as adding a post script that will launch after the upgrade is done.  To do this you can add the /PostOOBE<location>\[setupcomplete.cmd] switch to the command above.

Once you have your scripts ready, you can deploy them with the software that you use to push out your packages (Kaseya, LANDesk, SCCM, etc).

Read more

Windows 10 Sysprep Issue

Recently I noticed that when you sysprep Windows 10 and use CopyProfile=TRUE in your unattend.xml, it will copy over the last used folders and recent files of the built-in admin.

Quick Access

In order to remove the Quick Access history, you will need to place a batch file inside the built-in admin’s %appdata%\Microsoft\Windows\Start Menu\Programs\Startup folder in Audit Mode before running Sysprep.

Read more

Page 2 of 2
« Newer Posts