Logs of an SMS Administrator at myITforum.com

Losing Hair Daily in the Name of Technology

Syndication

Blog to Blog

Some of My Favorite Web Sites

I ran into a small roadblock the other day and thought I would share the resolution.

While using psexec to perform some remote functions on a machine, I was presented with the following error message:

No process is on the other end of the pipe.

I was actually helping a co-worker, so I asked him if he was currently remoted into the machine, which he was. He exited his psexec session and I tried again, receiving the same error. So, I checked the services on the remote machine and found that psexecsvc was still active as a service on the machine. psexec creates this service and drops psexecsvc.exe in the Windows directory of a machine you are remoting into.

I UNC'd into the machine and psexecsvc.exe was defintely in the Windows directory. Checking the version, I noticed that it was two versions previous to the version I was using. I dug a little deeper and this seems to be an intermittent issue with psexec.

Anyhow, the solution is to stop the psexecsvc service and delete the psexecsvc.exe file from the Windows directory of the affected machine.

Posted by mlucero | with no comments
Filed under:

This article is a follow-up to the articles I posted on June 18, July 11, and July 12, 2011.

Collecting and Reporting on Laptops - Part 1

Collecting and Reporting on Laptops - Part 2

Collecting and Reporting on Laptops - Part 3

Collecting and Reporting on Laptops - Part 4

Just a really short note on a particular gotcha I've encountered while applying BitLocker to Windows 7 machines.

On occasion, when applying BitLocker to a machine, it will not report its status and shows up in the non-reporting section of my reports. I have found that a non-reporting machine is either not encrypted (and never has been encrypted) or has an issue as described below. You can perform the commands following locally or remotely (I use Psexec located here:  http://technet.microsoft.com/en-us/sysinternals/bb896649) and run a command prompt on the remote machine.

To get the BitLocker status on the machines, type the following:

manage-bde -status

On a machine which has not been encrypted, you will receive the following message:

BitLocker Drive Encryption: Configuration Tool version 6.1.7600

Copyright (C) Microsoft Corporation. All rights reserved.

 ERROR: There are no disk volumes that can be protected with BitLocker Drive Encryption.

On a machine which has been encrypted but is affected by the issue I'm describing here, you will receive the following message:

BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

ERROR: An error occurred (code 0x8004100e):
Invalid namespace

Generally, an invalid namespace indicates that whatever namespace you are trying to query does not exist within the WMI. What I have found, although I do not know why at this time, is that for some reason, during the encryption process, the necessary namespace is never created. (I need to research this when I have some free time.) I've validated this by browsing the WMI with two encrypted machines; one with the error and one acting normally.

By compiling the following MOF file on the affected machine, you can resolve this issue.

Navigate to the following directory:

C:\Windows\System32\wbem\

and issue the following command:

mofcomp.exe win32_encryptablevolume.mof

After the file sucessfully compiles you will receive the following message:

Microsoft (R) MOF Compiler Version 6.1.7600.16385
Copyright (c) Microsoft Corp. 1997-2006. All rights reserved.
Parsing MOF file: win32_encryptablevolume.mof
MOF file has been successfully parsed
Storing data in the repository...
Done!

If you perform another status check, you will receive the following message: (message contents depend upon how you are encrypting the drives as well, but you will get the picture)

BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Default]
[OS Volume]

    Size:                 232.59 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Perform a hardware inventory on the now "fixed" machine and after the data flows up, it will fall off your non-reporting report and become "compliant".

I hope this can help some people.

Cheers!

Posted by mlucero | with no comments

I realize I haven't posted in a bit and have yet to finish the piece on BitLocker. Over the last month or so, I've been studying for my PMP certification and that has consumed a ton of my time. Needless to say, I passed the exam yesterday afternoon and will be back to posting soon - after I rest my poor brain.

Cheers!

 

Posted by mlucero | 1 comment(s)

Information concerning the hardware device with the details = "PCI\VEN_1217&DEV_8231&SUBSYS_04A91028&REV_03"

Discription without a driver installed:

Mass Storage Controller

Details:

O2Micro  OZ600XXX Memory Card Driver for just about every windows desktop operating system back to XP.

Link:

O2Micro OZ600XXX Memory Card link at Dell Support

Silent installation command line:

setup.exe /s /SMS

Requires a reboot.

Posted by mlucero | with no comments

 This article is a follow-up to the articles I posted on June 18, July 11, and July 12, 2011.

Collecting and Reporting on Laptops - Part 1

Collecting and Reporting on Laptops - Part 2

Collecting and Reporting on Laptops - Part 3

Now that we have a report which shows our BitLocker compliance counts, we should provide some detail reports so that we can have those which are out of compliance fixed. Identification of problem machines should always be the end goal of set of reports such as these.

The following two queries identify those machines which have drives not encrypted by BitLocker and those machines which are not reporting their status. In the company for which I work, I am only tasked with the requirement for identifying those machiens on which the C: drive is not encrypted. The query I am posting is easy to adjust to show all unencrypted drives on a machine and I'll detail which SQL line to change at the end. Reports (C) and (D) directly correspond to the counts (C) and (D) in the report shown in Part 3 (link posted above.)

<<>>

-- REPORT SECTION FOR DETAILS
-- REPORT (C) - Display laptops not encrypted with BitLocker

SELECT  [(C)]=' ', v_R_System.Netbios_Name0,
   v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP.TopConsoleUser0 [Primary User],
   v_R_System.Operating_System_Name_and0,
   v_GS_BITLOCKER.DriveLetter0,
   
   -- Convert the numerical encryption status to something readable
   
   CASE
    WHEN v_GS_BITLOCKER.ProtectionStatus0 = 1 THEN 'Encrypted'
    ELSE '*** UNENCRYPTED ***'
   END AS 'Encryption_Status',
   
   -- Convert the numerical chassis identifier to something readable
   CASE
    WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8 THEN 'Portable'
    WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9 THEN 'Laptop'
    WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10 THEN 'Notebook'
    WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 12 THEN 'Sub Notebook'
    ELSE '*** Unidentified ***'
   END AS 'Chassis_Type'
   
FROM        
 v_GS_BITLOCKER INNER JOIN
 v_R_System ON v_GS_BITLOCKER.ResourceID = v_R_System.ResourceID INNER JOIN
 v_GS_SYSTEM_ENCLOSURE ON v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID INNER JOIN
 v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP ON v_R_System.ResourceID = v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP.ResourceID
 
WHERE
 (((v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8) OR
 (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9) OR
 (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10) OR
 (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 =12)) AND
 ((v_GS_BITLOCKER.DriveLetter0='C:' AND v_GS_BITLOCKER.ProtectionStatus0 = 0)))

-- Sort the report by NetBIOS name, then drive letter 

ORDER BY 
 v_R_System.Netbios_Name0, v_GS_BITLOCKER.DriveLetter0


-- REPORT (D) - Show Windows 7 laptops not reporting in BitLocker

SELECT  
 [(D)]=' ', v_R_System.Netbios_Name0,
 v_R_System.User_Name0,
 v_R_System.Operating_System_Name_and0,
 
 -- Convert the date value in the pwdLastSet AD attribute to something readable
 
 CAST(v_R_System.pwdLastSet0 / 864000000000.0 - 109207 AS DATETIME) AS Pwd_Last_Changed,
 'Not Reporting' [Status]
 
FROM       
 v_FullCollectionMembership_Valid INNER JOIN
 v_R_System ON v_FullCollectionMembership_Valid.ResourceID = v_R_System.ResourceID
 
WHERE  
 (v_FullCollectionMembership_Valid.CollectionID = 'CEN00390') AND
 v_R_System.Operating_System_Name_and0 LIKE 'Microsoft Windows NT Workstation 6.1%' AND
 
 -- Exclusionary query to identify those not reporting
 
 v_R_System.ResourceID NOT IN
  (SELECT
   v_R_System.ResourceID
   
  FROM        
   v_GS_BITLOCKER INNER JOIN
   v_R_System ON v_GS_BITLOCKER.ResourceID = v_R_System.ResourceID INNER JOIN
   v_GS_SYSTEM_ENCLOSURE ON v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID
   
  WHERE
   (((v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8) OR
   (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9) OR
   (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10) OR
   (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 =14)) AND ((v_GS_BITLOCKER.DriveLetter0='C:'))))

<<>>

If you chain all the reports I've posted together, you can produce a single, consolidated report for BitLocker compliance. This is far easier for a "quick glance" review than having to produce three separate reports. I'm posting the entire report here, but the top two queries are for reports (C) and (D). (As you can see, we have no non-compliant laptops which are reporting in so there are no machines showing up in the report.)

BitLocker Consolidated Report

 

 If you have a need to report on all unencrypted drives, change the following line in report (C) in the WHERE section:

((v_GS_BITLOCKER.DriveLetter0='C:' AND v_GS_BITLOCKER.ProtectionStatus0 = 0)))

to:

((v_GS_BITLOCKER.ProtectionStatus0 = 0)))

You can remove one set of parenthesis if you wish, but I generally leave them in just in case I have to add a conditional on the fly that needs to be included in certain AND statements. Changing this statement will produce the following results in that section of the report.

BitLocker All Drives

 

 

 In my next post, I'll lay out some troubleshooting techniques to deal with those which are not reporting.

 

 

This article is a follow-up to the articles I posted on June 18 and July 11, 2011.

Collecting and Reporting on Laptops - Part 1

Collecting and Reporting on Laptops - Part 2

Now that you have created laptop collections, began collecting BitLocker status from your SCCM clients and have a basic report to show encrytpion status, it would be nice to have a single report which provides some comprehensive information upon which you can act. At the company for which I work, we also have Pointsec encrypting the Windows XP machines. I'll be leaving out those specific queries so these reports are not muddled with items I'm not discussing. So, the number of total laptops will NOT match the number of Windows 7 machines. (Just so you know why.)

First, we need to set up the counts so that the numbers presented can be reconciled to management. The following set of queries provides the counts for total number of laptops, Windows 7 laptops, Windows XP laptops, BitLocker compliant laptops, BitLocker non-compliant laptops, and those laptops which are not reporting status one way or the other.

<<>>

-- REPORT SECTION FOR COUNTS --
--
-- Variable declaration section --
-- Declare variables used in the count functions

SET NOCOUNT ON

DECLARE @COLLCOUNT AS INT
DECLARE @COUNTWIN7 AS INT
DECLARE @COUNTWINXP AS INT
DECLARE @LAPTOTAL AS INT
DECLARE @BLCOMP AS INT
DECLARE @BLNON AS INT
DECLARE @BLNOTREP AS INT


-- Calculations section --
-- Count the number of laptops

SELECT
 @LAPTOTAL=count(*)
 
FROM        
 v_FullCollectionMembership_Valid INNER JOIN
 v_R_System ON v_FullCollectionMembership_Valid.ResourceID = v_R_System.ResourceID

-- Conditional equal to the collection ID of the All laptops collection

WHERE    
 (v_FullCollectionMembership_Valid.CollectionID = 'CEN00390')
 
 
-- Count the number of Windows 7 laptops

SELECT
 @COUNTWIN7=count(*)

FROM        
 v_FullCollectionMembership_Valid INNER JOIN
 v_R_System ON v_FullCollectionMembership_Valid.ResourceID = v_R_System.ResourceID

WHERE    
 (v_FullCollectionMembership_Valid.CollectionID = 'CEN00390') AND
 (v_R_System.Operating_System_Name_and0 LIKE 'Microsoft Windows NT Workstation 6.1%')


-- Count the number of Windows XP laptops

SELECT
 @COUNTWINXP=count(*)

FROM        
 v_FullCollectionMembership_Valid INNER JOIN
 v_R_System ON v_FullCollectionMembership_Valid.ResourceID = v_R_System.ResourceID
 
WHERE    
 (v_FullCollectionMembership_Valid.CollectionID = 'CEN00390') AND
 (v_R_System.Operating_System_Name_and0 LIKE 'Microsoft Windows NT Workstation 5.1%')


-- Count BitLocker compliant machines

SELECT
 @BLCOMP=count(*)
 
FROM        
 v_GS_BITLOCKER INNER JOIN
 v_R_System ON v_GS_BITLOCKER.ResourceID = v_R_System.ResourceID INNER JOIN
 v_GS_SYSTEM_ENCLOSURE ON v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID
 
WHERE
 (((v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8) OR
 (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9) OR
 (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10) OR
 (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 =12)) AND
 ((v_GS_BITLOCKER.DriveLetter0='C:' AND v_GS_BITLOCKER.ProtectionStatus0 = 1)))


-- Count BitLocker non-compliant machines

SELECT
 @BLNON=count(*)

FROM        
 v_GS_BITLOCKER INNER JOIN
 v_R_System ON v_GS_BITLOCKER.ResourceID = v_R_System.ResourceID INNER JOIN
 v_GS_SYSTEM_ENCLOSURE ON v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID
 
WHERE
 (((v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8) OR
 (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9) OR
 (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10) OR
 (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 =12)) AND
 ((v_GS_BITLOCKER.DriveLetter0='C:' AND v_GS_BITLOCKER.ProtectionStatus0 = 0)))


-- Count machines not reporting BitLocker status *troubleshoot these*

SELECT 
 @BLNOTREP=@COUNTWIN7-@BLCOMP-@BLNON
 

-- Display laptop divisions by OS and encryption reporting status

SELECT
 @LAPTOTAL [Total Laptops],
 @COUNTWINXP [Windows XP],  
 @COUNTWIN7 [Windows 7],
 @BLCOMP [BitLocker Compliant],
 @BLNON [BitLocker Non-Compliant (C)],
 @BLNOTREP [Not Reporting (D)]

<<>>

In my next post, I'll fill out the reconciliation report with items on which we can act. Below is the report produced from the above queries. (The (C) and (D) will be clarified in my next post.)

BitLocker Count Report

 

This article is a follow-up to the article I posted on June 18, 2011.

Collecting and Reporting on Laptops - Part 1

The first thing that needs to be done in order to get BitLocker information from a computer is to ensure that the status is properly reported to SCCM. I won't go into the details on how to do this as the Configuration Manager Support Team has a very nice blog entry on the procedure here:

Config Mgr Team Blog on BitLocker Status

As the blog entry states, once this is complete a view named v_GS_BITLOCKER will be created in the SCCM database. Columns created in the view are as follows:

  • ResourceID
  • GroupID
  • RevisionID
  • AgentID
  • TimeStamp
  • DeviceID0
  • DriveLetter0
  • DriverLetter0
  • ProtectionStatus0

 So, now for a basic report showing encryption status. (Again... lengthy query because I like readability)

<<>>
-- Query to report on BitLocker encryption status

-- Retrieve system name, user name, OS, drive letter, status and chassis

SELECT  
   v_R_System.Netbios_Name0,
   v_R_System.User_Name0,
   v_R_System.Operating_System_Name_and0,
   v_GS_BITLOCKER.DriveLetter0,
   
   -- Convert the numerical encryption status to something readable
   
   CASE
    WHEN v_GS_BITLOCKER.ProtectionStatus0 = 1 THEN 'Encrypted'
    ELSE '*** UNENCRYPTED ***'
   END AS 'Encryption_Status',
   
   -- Convert the numerical chassis identifier to something readable
   
   CASE
    WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8 THEN 'Portable'
    WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9 THEN 'Laptop'
    WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10 THEN 'Notebook'
    WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 14 THEN 'Sub Notebook'
    ELSE '*** Unidentified ***'
   END AS 'Chassis_Type'
   
FROM        
   v_GS_BITLOCKER INNER JOIN v_R_System ON
   v_GS_BITLOCKER.ResourceID = v_R_System.ResourceID
   INNER JOIN v_GS_SYSTEM_ENCLOSURE ON
   v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID

-- Pull only valid chassis types

WHERE  
   ((v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9) OR
   (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9) OR
   (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 =10) OR
   (v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 =14))
   
-- Sort the report by NetBIOS name, then drive letter

ORDER BY 
   v_R_System.Netbios_Name0, v_GS_BITLOCKER.DriveLetter0
<<>>

In my next post, I'll go into some more reporting which brings it all together - Cheers!

(The report is below)

 Basic BitLocker Report

 

 

It has been quite busy here, putting new procedures into play, acting upon those procedures and developing auditing processes to report on those procedures. I thought I would take some time to post a few articles on one of those areas in which I had a good deal of input in all areas - Laptop Encryption.

As part of our compliance readiness effort, we have been put a significant effort into ensuring that any data which may be on our laptops is properly encrypted. In addition I was tasked with creating methods for reporting the status of encryption and creating remediation processes for those which may be or may fall out of compliance.

In this series, I'm going to concentrate only on those areas in which I used capabilities of SCCM to help with the end-game reporting.

One of the first steps in accomplishing our overall goal was to ensure that I could validate our laptop counts. The key is to capture all possible objects, while not duplicating the objects during the reporting phase. Chassis type is the logical choice for differentiating between computer object types. There is a nice write-up on the various chassis types here: http://msdn.microsoft.com/en-us/library/aa394474%28v=VS.85%29.aspx.

After reviewing the article above, I determined that the chassis times I would need to flag on were: 8, 9, 10, 12, 14 and 21. Chassis type 21 is how the Lenovo port replicator is identified. After producing a query which listed the computer names, OS types and chassis types, I added a SELECT DISTINCT statement to validate that docking stations and the like were indeed counted in addition to the laptops themselves.

Here is the query: (Please excuse the length - I like my queries readable)

 

-- Query to identify laptop chassis types


-- Retrieve the system name, OS type, mfg and chassis type

SELECT DISTINCT    
   v_R_System.Netbios_Name0,
   v_R_System.Operating_System_Name_and0,
   v_GS_SYSTEM_ENCLOSURE.Manufacturer0,
   
   -- Remove this column and the comma above to remove
   -- the extra records caused by the docks
   
   v_GS_SYSTEM_ENCLOSURE.ChassisTypes0
   
FROM        
   v_R_System INNER JOIN v_GS_SYSTEM_ENCLOSURE ON
   v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID
   
WHERE  
   v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8 OR
   v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9 OR
   v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10 OR
   v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 12 OR
   v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 14 OR
   v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 21

-- Sort by system name to validate that system and dock are both counted
   
ORDER BY 
   v_R_System.Netbios_Name0

 

 The next piece which was needed was a collection dedicated to laptop-type computer objects so I created a collection query as a subcollection of the "All Windows Workstation or Professional Systems" collection. In addition, I limited the membership query to that collection as well. Once this collection was created, I validated that the same number of systems were being reported in both the SQL query above and the collection.

Here is the collection membership query for the "All Windows Workstation or Professional Laptops" collection:

SELECT
  SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,
  SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
  SMS_R_SYSTEM.ResourceDomainORWorkgroup,
  SMS_R_SYSTEM.Client

FROM
  SMS_R_System INNER JOIN
  SMS_G_System_SYSTEM_ENCLOSURE ON
  SMS_G_System_SYSTEM_ENCLOSURE.ResourceID = SMS_R_System.ResourceId

WHERE
  SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "8" OR
  SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "9" OR
  SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "10" OR 
  SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "12" OR
  SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "14" OR
  SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "21"

That is all for Part 1. In Part 2, I will go into detecting and reporting on encryption status.

As always, if anyone finds error in my methods or has a more efficient way of doing these things, please feel free to post a comment or email me directly.

--- Cheers!

 Although I put this process together a while back, I've performed enough testing that I now feel comfortable posting this. As we all know, there are many ways to do things, and some processes do not work in all environments. Hopefully, what I have put together will be helpful for some people. Please post comments should you find issues with the techniques posted here.

 

Corporate Branding:

Many companies find it desirable to “brand” their workstations for consistency or to comply with certain corporate policies. The best time to apply a corporate branding process is at the time of system build, although with a little work, a corporate branding process can be made to replace current user settings. Some companies do not employ these types of practices and chose to implement branding during system refreshes. Please refer to your company’s policies in this area during your branding planning process.

 

Branding task sequence:

This task sequence snippet can be placed anywhere after all drivers, both good and bad, are installed on the workstation being built. Each of the line items below are pointing to specific packages containing the files mentioned. You do not need to create any programs for the packages to work within this task sequence. These could be consolidated to save space within the task sequence, but they are expanded here for learning purposes.

·         Run Command Line – User Mini Pic

o    CMD /C copy /y user.bmp "C:\ProgramData\Microsoft\User Account Pictures\user.bmp".

o    Graphic should be a max of 128 X 128 pixels for best results.

·         Run Command Line – Guest Mini Pic

o    CMD /C copy /y guest.bmp "C:\ProgramData\Microsoft\User Account Pictures\guest.bmp"

o    Graphic should be a max of 128 X 128 pixels for best results

·         Run Command Line - Copy Theme Graphic

o    CMD /C copy /y [corporate].jpg "%SystemRoot%\web\wallpaper\Windows\[corporate].jpg"

o    Graphic should be 1960 X 1200 pixels for best results.

·         Run Command Line - Copy Theme File

o    CMD /C copy /y [corporate_theme].theme "%WinDir%\Resources\Themes\[corporate_theme].theme"

o    *** See below for specific lines to change in a basic .theme file.

·         Run Command Line – Set Logon Image Registry Key

o    REG IMPORT "Police Key.reg"

o    *** See below for the contents of the registry key.

·         Run Command Line – Create Logon Image Folder

o    CMD /C MKDIR "C:\Windows\System32\oobe\info\backgrounds"

·         Run Command Line – Copy Logon Image

o    CMD /C COPY /Y backgroundDefault.jpg "C:\Windows\System32\oobe\info\backgrounds\backgroundDefault.jpg"

o    Graphic should be 1960 X 1200 pixels for best results.


Theme file specifics:

There are many things which can be customized in the .theme file, but the only lines we are changing for this branding exercise are those which refer to the desired name for the theme and the location of the corporate wallpaper image file.

Find the following sections in the .theme file and customize the line shown for your corporation.

[Theme]

DisplayName=[Your Company’s Official Name for this Theme]

 

[Control Panel\Desktop]

Wallpaper=%SystemRoot%\web\wallpaper\Windows\[corporate].jpg

 

The “Wallpaper” path setting and .jpg name above MUST match the path setting and .jpg name which you have placed into the “Run Command Line – Copy Theme Graphic” line in the task sequence.

 

 

Police Key.reg file:

Remember, modifying the registry is not something to be taken lightly. Always test any adjustments to the registry in a test environment to ensure proper operation prior to implementing in production.

Create the registry file and paste the following text into it: (copy and paste text between the <<>>)

<<>> 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]

"UseOEMBackground"=dword:00000001

<<>> 

 

 

Group policy object:

This setting forces the loading of the corporate theme upon first logon of a new user. In our company, we do not prevent users from changing their themes, nor do we enforce a specific theme, but there are group policies to accomplish these tasks. Please see the Windows 7 group policy reference for those settings.

User Configuration > Policies > Administrative Templates > Control Panel/Personalization

-          Load a specific theme – Enabled

o    Path to theme file – the path to the corporate theme file (typically C:\Windows\Resources\Themes\corporate_theme.theme)

o    This path MUST match the path you set in the “Run Command Line – Copy Theme File” line in the task sequence.

 

I was working on a task sequence consolidation this morning and thought I would throw this one out there in case anyone else has a similar situation.

In our environment, we have several applications which require location-specific parameters... basically, the developers have created different configuration files which are based on the site location of the end-user. If you use task sequences for both OSD and application deployment, this should work for you as well, depending upon your machine naming convention. I prefer to use a convention which is organized as such:

[Location Acronym][Unique Identifier][Departmental Acronym]

i.e.  and machine in Austin with a serial number of 123456 and a department of Technology would be AST123456TECH  -  just an example

Although the application programs have dependencies, the configuration program is the last step in the process. So, I have created the first two dependency programs and then configuration programs for each location dependent upon the last program in the dependency chain. All of these are placed in the same task sequence, in order of dependency, and then I use a WMI query to ensure that the proper configuration program is run at the end of the chain based on machine name. (Machine name just happens to be convenient for us, but you could use this same technique for anything obtainable in the WMI which could be used as a locational identifier.)

Query used for the Austin configuration program:

SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "AST%"

You can follow the results in the SMSTS.log file: (I've taken out the time stamps)

Query = SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "AST%" 
Expand a string: root\cimv2
Expand a string: SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "AST%"
The WMI condition expression is evaluated to be TRUE
The AND expression is evaluated to be TRUE
The condition for the action (Install - [Location Configuration Program] - AST) is evaluated to be true

Really pretty simple when you look at it, but quite handy for consolidation.

Cheers!

Posted by mlucero | with no comments

 Seems to be a common issue so I thought I'd post this link to the current Dell WinPE CAB file:

ftp://ftp.dell.com/sysman/Dell-WinPE-Drivers-A00.cab

The main driver page is:

http://www.delltechcenter.com/page/Dell+Business+Client+Operating+System+Deployment+-+The+.CAB+Files

 

Cheers!

Just a short FYI for people who happen to enable the class,  Win32_ComputerSystemProduct, within the MOF file. Within the database, this will show up as dbo.v_GS_Client0. A bit confusing in my opinion, but I wanted to get this out so that others don't have to spend too much time looking for it.

 

Cheers!

Posted by mlucero | with no comments

I was out this morning looking for an update to the device ID file for Craig Hart's PCI32 bus sniffer and was disappointed to find that the domain where it was formerly hosted is no longer in existence. (Or perhaps there is a DNS issue somewhere.)

The website listed in the README file is:  http://members.datafast.net.au/dft0802 and it is yielding a 404 error, while the base address is connecting to http://w3.eftel.com.au/home.cms 

In any case, it seems that either the web crawlers are not updated with the new location, (whereever that may be) or this tool and it's creator have disappeared. I would hate to see this tool fall off the face of the earth, so I'm going to post a zip file of the last version I downloaded for those who may have an interest in using it, or posting its new location here.

The last PCIDEVS update I have is from June of 2009.

Cheers!

Posted by mlucero | with no comments
Filed under:

 Our network team wanted IPV6 turned off on Windows 7 machines so I put together this reg hack and package to deploy it via SCCM.

 

.reg file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters]
"DisabledComponents"=dword:ffffffff

 

Program command line:

regedit /S "Disable_IPV6.reg"

Posted by mlucero | with no comments
Filed under:

 I've been finalizing an XP image for the Lenovo X-201 laptop and had a warning on the TPM device, ACPI\SMO1200. I found the driver here:

http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-74404

Silent installation:  STM_TPM_Setup.msi /q

One thing I found a bit amusing was that the driver package was created with a piece of freeware - which I thought was a bit odd. But, I suppose this may be typical with some third-party devices.

More Posts Next page »