SCCM 2012 R2: OSD Windows 7 Bitlocker pre-provisioning

Hi,
I successfully configured bitlocker for Dell laptops during our W7 task sequence (thanks to this guide: http://www.windows-noob.com/forums/index.php?/topic/3875-customising-windows-7-deployments-part-5/)
Now I want to do the same for HP, found this link http://www.sccm.biz/2012/06/sccm-and-bitlocker-tpm-real-life.html but it seems a config for AFTER installing Windows, not in WINPE.
During the TS, OS reboots and then says "no OS found", so I'd need to enable the TPM/bitlocker differently.
Please advise (enabling bitlocker in TS, WINPE phase (pre-provision bitlocker) for HP models).
J.
Jan Hoedt

Hi,
The pre-provisioning is the same for all vendors, it is the TPM part that is different from Vendor to Vendor so you can use these steps to enable TPM in the beginning of the Task Sequence and then let the pre-provisioning step enable bitlocker.
Regards,
jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec

Similar Messages

  • SCCM 2012 CU2 OSD forest trust: ReleaseRequest failed with error code 0x87d00317

    Hello,
    Actually i have a difficult Problem with my SCCM 2012 R2 CU2 Windows 7 x64 SP1 Tasksequence:
    I get the following error in smsts.log:
    ::RegQueryValueExW(hSubKey, szReg, NULL, NULL, NULL, &dwSize), HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\utils.cpp,811) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    RegQueryValueExW is unsuccessful for Software\Microsoft\SMS\Task Sequence, SMSTSEndProgram TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    GetTsRegValue() is unsuccessful. 0x80070002. TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    End program:  TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Finalize logging request ignored from process 1736 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Waiting for CcmExec service to be fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    CcmExec service is up and fully operational TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Access handle will be read from _SMSTSActiveRequestHandle TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Access handle: {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Attempting to release request using {B699D570-B2BF-4874-8CB7-3B208B380969} TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    CoCreateInstance succeeded TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    pISoftwareExecutionRequestMgr->ReleaseRequest(ActiveRequestGUID), HRESULT=87d00317 (e:\nts_sccm_release\sms\client\tasksequence\tsmanager\tsmanagerutils.cpp,136) TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    ReleaseRequest failed with error code 0x87d00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Task Sequence Manager could not release active TS request. code 87D00317 TSManager 9/5/2014 1:20:35 PM 1740 (0x06CC)
    Here is the complete smsts.log: http://1drv.ms/1pwTEBf
    To explain the Problem in Detail:
    The SCCM Primary Site Server and the Clients are in different trusted (bidirectional) forests!
    Everythings working fine in this Scenario, I can install SCCM Agent on the Clients with Manual ccmsetup and with Client Push Installation. Additionally i can deploy Software Updates and so on... only OSD is crashing in the releaserequest step.
    During my Tasksequence new Clients are joined to Domain A while SCCM Primary Site Server is installed in Domain B
    If I change my TS and let the Clients also join Domain B everything works without any Problems and the Tasksequence finish without any Errors.
    My Problem must be related to the different Domains and the forest trust.
    My Setup:
    MP published to DNS in both domains
    Schema Extended in both domains
    System Management Container published and verified in both domains
    ccmsetup Parameters in TS: ccmsetup SMSMP=sccm.domain.b FSP=sccm.domain.b DNSSUFFIX=Domain.b
    Network Access account configured with Domain B account
    Domain Join account has create Computer rights on the OU in Domain A (Domain join is successful)
    DNS conditional forwarders configured in both Domains and DNS resolution is working in both directions
    Any suggestions?
    Many thanks.
    regards,
    Christian

    Hi Christian,
    So do you actual get an error message in your TS or is it just failing to join Domain B?  (Could be both if the machines fails to join the domain).
    Can you review netsetup.log on the machines after the issue and see what error message you might be getting during the domain join process?
    Also, if it a domain join issue, can you try manually joining to domain B using the same service account?

  • Prestaged Media and Bitlocker Pre-Provisioning

    Hi all
    I am working on a project right now that requires all computers to be pre-provisioned with bitlocker
    I have managed to get pre-provisioning working with no issues. the pre-provisioning kicks in directly after the disk formatting and the Enable Bitlocker step works perfectly after the domain join.
    I have also been able to get pre-staging of media working (after a short fight with it) and I can deploy my task sequence to a pre-staging WIM. I can then deploy that to a disk as a data image and the build proceeds after the first boot.
    What I can't get to work is both together.
    In an ideal world, I would pre-provision the bitlocker in the pre-staging task sequence before deploying the data image, but I can't get it to work.
    If I partition with more than one partition (so I have a BDE partition) and use the small partition as a boot disk, the machine fails to boot.
    If I make the larger partition the boot partition, the bitlocker pre-provisioning task tells me that the disk is the OS image and fails to work
    has anyone done this or have any ideas?
    thanks
    Stephen

    I guess the pre-provision bitlocker cannot work for booting Windows PE. This is why the system cannot boot.
    The screenshot is a capture of the prestage disk bcd store. We can see the system boots from a ramdisk mounted from boot.wim. The process is different from a traditional system boot, the wim cannot be booted from an encrypted disk.
    Juke Chou
    TechNet Community Support

  • Fasten the Process of MDT UDI OD Installation in SCCM 2012 R2 OSD

    Hi,
    I have implemented MDT UDI Task Sequence in SCCM 2012 R2 OSD. The issue  which I am facing is the UDI Installation progress is very slow. it is taking around 2 hours to complete the whole Installation. 
    Is there any way to fasten the Process of MDT UDI OD Installation in SCCM 2012 R2 OSD.
    Thanks & Regards,
    Sanjay Dubey

    Application installs can take awhile - it depends on what applications you're installing, and how many.  For instance, installing Office is clearly going to take longer than say 7-Zip.  How many applications are you installing during a normal OS
    deployment?  You can check the AppEnforce.log to see how long an application(s) is taking to install, as the start and end times are recorded.  
    As for the MDT Settings package, how many times are you calling this package?  My task sequence only calls it 5 times, and one of them is before you even get the UDI wizard, while the second and third is an either/or situation, depending on whether
    you do a refresh or a fresh PC build. 

  • SCCM 2012 R2 OSD - Pre Provision Bit-Locker Drive Label Name Issues

    I am trying to image machines Pre-provisioned for BitLocker.  Everything works great in the Task Sequence except the Drive Label on Boot is "MININT-XXXXX" rather than the actual computer name.  This happens whether the computer is known
    or unknown.
    The only other post regarding this issue I can find suggested changing the OSDComputerName variable name in the TS but that will not work because the hostname is set during the WinPE setup.
    http://social.technet.microsoft.com/Forums/en-US/f9c6f565-e137-4c59-a8de-7314d9b88fe7/how-to-change-computername-on-bitlocker-pinrecovery-password-screen-drive-label?forum=mdt
    I have tried to set the OSDComputerName variable during the Pre-Start and TS but the Drive Label always remains "MININT-XXXXX".
    Any ideas?

    First in Customsettings.ini or in a TS set the %OSDComputerName%
    Then just add this to a Command in the task sequence before provisioning.
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %OSDComputerName% /f
    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %OSDComputerName% /f
    SCCM now believes the name of winpe is %OSDComputerName%
    Joakim Tomren

  • OSD: bitlocker pre-provisioning, what's the mechanism?

    Hi,
    Please clarify the mechanism behind bitlocker preprovisioning. We got it working fine but in the pre-provisioning step the disk does NOT seem to be bitlockered. Only the step to enable bitlocker it seems bitlocker is enabled.
    Where is the time gain then? Is there an article which could shed some light?
    Please advise.
    J.
    Jan Hoedt

    Hi,
    Niall describes the process here:
    http://www.windows-noob.com/forums/index.php?/topic/6451-how-can-i-pre-provision-bitlocker-in-winpe-for-windows-8-deployments-using-configuration-manager-2012-sp1/
    The biggest benefit is that the disk is encrypted when it is empty using used-space-only encryption so that when the image is applied the disk is already encrypted so there is no time to wait in the end of the TS for the disk encryption to complete..
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Can not install Windows 8.1 to a Bitlocker Pre-Provisioned volume

    Hello,
    I'll come straight to the point. What I'm trying to do is to install Windows 8.1 Enterprise to a Pre-Provisioned volume but Windows does not let me do that. The steps I've performed are.
    With Microsoft ADK I created me a WinPE media which has the components installed to get the manage-bde command working. I used the article hxxp://technet.microsoft.com/en-us/library/hh824926.aspx for that.
    I prepared an USB stick with the manage-bde components on it and booted my test laptop with it.
    Started diskpart and used commands in order to get a new clean partition:
    Select Disk 0
    clean
    Create Partition Primary
    Format fs=ntfs quick
    Assign letter=c
    exit
    After that I pre-provisioned the volume with the command:
    manage-bde -on -used c:
    When I check with manage-bde -status it states that:
    Conversion Status: Used Space Only encrypted
    Percentage: 100
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: Unknown
    Automatic Unlock: Disabled
    Key Protectors: None Found
    OK. After that I use the net use command to map a network share with the Windows 8.1 x64 Enterprise installation media itself. I execute setup.exe without any parameters.
    I can navigate all the way through the dialog "Where do you want to install Windows?". I can see there now "Drive0Partition 1" with a Total size of 119.2 GB and almost as many free space BUT when I select it and click next there comes
    only a warning dialog saying:
    We couldn't not create a new partition or locate an existing one. For more information, see the Setup log files."
    The best description of the problem I've found from the file x:\windows\panther\setupact.log where are lines like:
    BLOCKING reason for disk 0 offset bla bla is either "The partition is too small" (????) or "Bitlocker Drive Encyption is enabled on the selected partition".
    What I am missing here? Is there a special trick how to get Windows installed on a pre-provisioned drive? I also loaded the correct driver for the disk controller but no help. As soon as I clean the disk and create the partition new without pre-provisioning
    I can install Windows without any problems.
    Sorry for the long text. Hope someone of you has an idea.
    Regards
    Robert

    Hi,
    For this issue,when you assign letter,you need to mark a partition as active.
    Using a command line
    1.Open Command Prompt.
    2.Type: diskpart
    3.At the DISKPART prompt, type: list partition
    Make note of the number of the partition that you want to mark as active.
    4.At the DISKPART prompt, type: select partition n
    Select the partition, n, you want to mark as active.
    5.At the DISKPART prompt, type:
    active
    Hope this helps.
    Regards,
    Kelvin Xu
    TechNet Community Support
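
The `manage-bde -status` output quoted in the question above (Used Space Only encrypted, Protection Off, no key protectors) is the pre-provisioned state described in the earlier "what's the mechanism?" thread: the volume is encrypted, but nothing protects the key until the Enable BitLocker step adds protectors. The following is an added example, not code from the thread or from Microsoft; the sample outputs are constructed and the state names are this example's own labels. It parses collected status output and reports volumes that never reached the protected state.

```python
import re

# Constructed samples in the layout `manage-bde -status` prints. The first mirrors
# the pre-provisioned state quoted in the thread; the second is a constructed
# state after a successful Enable BitLocker step.
PREPROVISIONED = """\
Volume C: []
[OS Volume]

    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:       None Found
"""

PROTECTED = """\
Volume C: [OSDisk]
[OS Volume]

    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
"""


def parse_status(text):
    """Return {drive letter: {field: value, 'Key Protectors': [names]}}."""
    volumes, current, in_protectors = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Volume ([A-Za-z]:)", line)
        if header:
            current = volumes.setdefault(header.group(1).upper(), {"Key Protectors": []})
            in_protectors = False
            continue
        if current is None or not line:
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            in_protectors = key == "Key Protectors"
            if not in_protectors:
                current[key] = value
            elif value and value.lower() != "none found":
                current["Key Protectors"].append(value)
        elif in_protectors:
            # Protectors are listed one per line under the "Key Protectors:" field.
            current["Key Protectors"].append(line)
    return volumes


def classify(vol):
    """Map one parsed volume to a state label (labels are this example's own)."""
    conversion = vol.get("Conversion Status", "").lower()
    protection = vol.get("Protection Status", "").lower()
    if not conversion.endswith("encrypted"):
        return "unencrypted"        # decrypted, or conversion still in progress
    if protection == "protection on" and vol["Key Protectors"]:
        return "protected"
    if vol["Key Protectors"]:
        return "suspended"          # protectors exist but protection is off
    return "pre-provisioned"        # encrypted, but no protector guards the key


def unprotected_volumes(text):
    """Volumes a deployment audit should flag, with the reason."""
    states = {letter: classify(v) for letter, v in parse_status(text).items()}
    return {letter: s for letter, s in states.items() if s != "protected"}
```

A machine whose task sequence fails between the pre-provision step and the Enable BitLocker step stays in the `pre-provisioned` state, so running this check on the status output at the end of the build catches it.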

  • OSD SCCM 2012 R2: Dart on bitlockered machine

    Hi,
    Please advise on implementing dart on SCCM 2012 R2 task sequence on bitlockered machines.
    Have to start from scratch (working task sequence with bitlocker though).
    J.
    Jan Hoedt

    Hi,
    Using Dart as boot image is just like the other boot images. See the steps below to add a Dart into SCCM. Please notice my first post, you need to disable Bitlocker before booting into any PE to do an OSD.
    http://www.ideadata.co.uk/index.php/pxe-booting-dart-8-1-with-sccm-2012-including-remote-viewer/
    Juke Chou
    TechNet Community Support

  • MBAM 2.0 SP1, SCCM 2012 SP1 - OSD

    Found a few threads on this but just looking for an answer before I spend too much time fiddling to get this to work.  What I am looking to do is encrypt laptops during OSD as follows:
    Enable TPM (working fine)
    Activate TPM (working fine)
    Pre-Provision Bitlocker (using Win 7 Ent SP1)
    Install OS
    Install MBAM
    Enable Bitlocker and escrow both TPM and Drive recovery keys to MBAM server
    The bit I am not too sure about is the Pre-Provision and also the TPM key backup.  Ideally I'd like both the TPM and Disk keys stored in MBAM but I am not sure if this will work if I have activated the TPM pre OS?
    Cheers

    Pre-provisioning only works on a bare metal machine and occurs in WinPE. It also uses TPM so you need to make sure that is on and active in the BIOS. 
    This blog post provides some detail on how to enable MBAM and pre-provisioning.  If you are using Windows 8+, and you want MBAM to back up TPM to its db instead of AD, you have to turn off auto-provisioning or Windows 8+ will take ownership automatically
    and escrow to AD.  To disable auto-provisioning you can set the following key when the OS has come up:
    Reg Key to disable auto-provision:
    HKLM\System\CurrentControlSet\Services\TPM\WMI
    NoAutoProvision   = 1
    you will need to create a regkey called NoAutoProvision=1
    Hope that helps!
    Lance

  • Latitude E6330 BSOD via SCCM 2012 R2 OSD

    Hi All,
    I'm currently struggling to build some Latitude E6330 laptops via SCCM 2012 R2 CU3 OSD . I'm getting a BSOD with error code 0000007E after the drivers are applied and the laptop reboots.
    I've built nearly 100 OptiPlex desktops without issue from the same server. I've tried both the A09 and A10 E6330 driver CABs, and both have the same issue. I was having an issue even building the boot image with these drivers, but removed a faulty driver
    before importing them into SCCM (Conexant USB Modem driver) which resolved that issue. I'm assuming that the removal of this driver wouldn't be causing the BSOD - but I'm currently trying to find a replacement driver to see if that resolves it anyway.
    I've tried using 'Auto Apply Drivers' and 'Apply Driver Package' in the task sequence, using a WMI query and also without a WMI query to no avail. I've blown away all previous drivers, imported only the A09 and then blew away + imported only the A10
    drivers, rebuilt the driver packages and re-added to the boot image numerous times. Yep I've been distributing/updating distribution points each time too :)
    Unfortunately I can't get onto the laptop to check the smsts/setupact/etc etc logs because it blue screens even in safe mode.
    My last resort will be to add just the network+HDD drivers, and then slowly add drivers until I figure out what driver is causing the BSOD. Unfortunately this would be quite a lengthy procedure, so I'm hoping that someone has had a similar problem and
    may know which driver could be causing me this grief.. Or perhaps could point me in a different direction as to what may be causing this issue....
    Thanks for your time.

    Are you trying to deploying Windows 7 to the laptops?
    If so does your WIM file include the platform update (how long has it been since you created / updated it)? If not then you may need to update / capture a new wim and try again. 
    A lot of newer drivers will cause this sort of problem if you try and inject them into an older wim file.
    If this isn't the case, then I have had this happen to me a long time ago with a webcam driver so maybe exclude these drivers first? A long shot though.
    Cheers
    Damon

  • SCCM 2012 R2 and Windows 8.1

    Hi,
    I have installed SCCM 2012 R2. SCCM client deployed on 10 PCs and I can explore Hardware resources on all PCs except 1 PC which is 8.1
    so my question now does SCCM 2012 R2 supports 8.1?
    Thanks,
    Kareem Behery

    Hi,
    Yes, ConfigMgr 2012 R2 supports Windows 8.1. Check the Windows 8.1 computer to make sure that the SCCM client is operational and sends in Inventory to the Site server. InventoryAgent.log file on the computer is a good place to start.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Wifi profiles SCCM 2012 R2 and Windows Intune

    Hi All,
    A quick question regarding SCCM 2012 R2 and the new Wifi Profiles feature...
    Can anyone confirm if you need windows Intune combined with SCCM 2012 R2 to be able to deploy WIFI profiles to users devices i.e Windows 8.1, IOS and Android platforms?  Microsoft documentation is not clear on this subject.
    Any help would be much appreciated.
    Regards PowerShell90

    It's not as straightforward as one would hope. I am running the latest version of SCCM 2012 R2 CU2 connected to my Windows Intune subscription. There are a lot of hiccups. One is that the direct of management needs to be all or nothing. In other words you
    either need to use Windows Intune solely to manage your devices or SCCM 2012 R2 (via connector). If the latter then you must do everything from in SCCM 2012 R2. You cannot hybrid manage your devices as this will screw things up.
    Android for some reason is left out on a lot of features. I would think that MS Devs would work hard on the market share that being Android, not iOS. Any way, according to some official MS articles Android is supported, but others claim that not all features
    are, these being the important ones like Email and Wi-Fi Profiles. They simply do not work.
    I think MS is heading in the right direction but there is a lot of work that needs to be done before this is a competitive product. I could care less if connects to my SCCM 2012 R2 server or not. Here are few things that I sent to a MS Support Rep today that
    need to be addressed.
    1. Better response time when updating devices after enrollment (e.g. Name change).
    2. The ability to lock down uninstalling Windows Intune from device.
    3. The ability to lock down certain features in the Windows Intune app on device (e.g. User can reset device with Windows Intune app, rename, etc...).
    4. Ability to rename device in either Windows Intune Admin Portal and/or SCCM 2012 R2.

  • SCCM 2012 SP1 OSD in 802.1X environment

    Dears, 
    we have SCCM 2012 SP1 CU5, and the network team has enabled the CISCO port security (802.1X network authentication) on the desktops VLAN and OSD is not working since then until port security is removed. i've seen some guides regarding how to make SCCM 2007
    OSD, WinPE 3.0 and 802.1X work together like : http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx  , but it's very confusing.
    does anybody have the same scenario with SCCM 2012, WinPE 5.0, and 802.1X . please help me.

    Hello,
    What confused you here? 802.1X authentication is to authenticate before sending network packages. That is why we need import network profile to win pe for authentication. The point is authenticate, so I think it won't be any difference between
    ConfigMgr 2012 and 2007.          
    Another good article here:
    http://blogs.technet.com/b/deploymentguys/archive/2010/03/02/adding-support-for-802-1x-to-winpe.aspx
    Please also pay attention to the shared document in the blog.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • SCCM 2012 R2 and windows 7 folder redirection

    Hello gurus
    I want to ask a quick question. Does anyone know if I can do folder redirection, offline folders, roaming profiles and network drive on Windows 7 using SCCM 2012 R2?
    Thanks in advance. 
    Regards,

    The setting does not apply to Windows 7. I tested and DCMagent just thought it is Non-applicable.
    Juke Chou
    TechNet Community Support

  • SCCm 2012 R2 - OSD fails when multiple computers are getting built

    Hi everyone,
    I ran into a weird issue with my SCCM 2012 R2. I noticed when I build one computer with SCCM OSD, it works fine. But when I try to run more than one built at a time, only one usually works. The rest usually doesn't get apps installed in the task sequence,
    some don't get added to the domain etc. Any idea what it might be? Could it be that simultaneous connections to the distribution point are getting terminated and imaging fails?
    Appreciate your help! 

    Ok guys, this seems to be a false alarm here. It turns out I was missing a driver for ethernet card on my Dell T1600. I kicked off 3 Dell Optiplex 9020 and they all worked flawlessly. This is weird though, since I did install OS on some T1600 before and
    they all worked fine...
    Anyway, I downloaded the driver and added it to SCCM. I will kick off the install again today and see if that solved it.
