I ran into a small roadblock the other day and thought I would share the resolution.
While using psexec to perform some remote functions on a machine, I was presented with the following error message:
No process is on the other end of the pipe.
I was actually helping a co-worker, so I asked him if he was currently remoted into the machine, which he was. He exited his psexec session and I tried again, receiving the same error. So, I checked the services on the remote machine and found that psexecsvc was still active as a service on the machine. psexec creates this service and drops psexecsvc.exe in the Windows directory of a machine you are remoting into.
I UNC'd into the machine and psexecsvc.exe was defintely in the Windows directory. Checking the version, I noticed that it was two versions previous to the version I was using. I dug a little deeper and this seems to be an intermittent issue with psexec.
Anyhow, the solution is to stop the psexecsvc service and delete the psexecsvc.exe file from the Windows directory of the affected machine.
This article is a follow-up to the articles I posted on June 18, July 11, and July 12, 2011.
Collecting and Reporting on Laptops - Part 1
Collecting and Reporting on Laptops - Part 2
Collecting and Reporting on Laptops - Part 3
Collecting and Reporting on Laptops - Part 4
Just a really short note on a particular gotcha I've encountered while applying BitLocker to Windows 7 machines.
On occasion, when applying BitLocker to a machine, it will not report its status and shows up in the non-reporting section of my reports. I have found that a non-reporting machine is either not encrypted (and never has been encrypted) or has an issue as described below. You can perform the commands following locally or remotely (I use Psexec located here: http://technet.microsoft.com/en-us/sysinternals/bb896649) and run a command prompt on the remote machine.
To get the BitLocker status on the machines, type the following:
manage-bde -status
On a machine which has not been encrypted, you will receive the following message:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
ERROR: There are no disk volumes that can be protected with BitLocker Drive Encryption.
On a machine which has been encrypted but is affected by the issue I'm describing here, you will receive the following message:
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
ERROR: An error occurred (code 0x8004100e):
Invalid namespace
Generally, an invalid namespace indicates that whatever namespace you are trying to query does not exist within the WMI. What I have found, although I do not know why at this time, is that for some reason, during the encryption process, the necessary namespace is never created. (I need to research this when I have some free time.) I've validated this by browsing the WMI with two encrypted machines; one with the error and one acting normally.
By compiling the following MOF file on the affected machine, you can resolve this issue.
Navigate to the following directory:
C:\Windows\System32\wbem\
and issue the following command:
mofcomp.exe win32_encryptablevolume.mof
After the file sucessfully compiles you will receive the following message:
Microsoft (R) MOF Compiler Version 6.1.7600.16385
Copyright (c) Microsoft Corp. 1997-2006. All rights reserved.
Parsing MOF file: win32_encryptablevolume.mof
MOF file has been successfully parsed
Storing data in the repository...
Done!
If you perform another status check, you will receive the following message: (message contents depend upon how you are encrypting the drives as well, but you will get the picture)
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Default]
[OS Volume]
Size: 232.59 GB
BitLocker Version: Windows 7
Conversion Status: Fully Encrypted
Percentage Encrypted: 100%
Encryption Method: AES 128 with Diffuser
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: None
Key Protectors:
TPM
Numerical Password
Perform a hardware inventory on the now "fixed" machine and after the data flows up, it will fall off your non-reporting report and become "compliant".
I hope this can help some people.
Cheers!
I realize I haven't posted in a bit and have yet to finish the piece on BitLocker. Over the last month or so, I've been studying for my PMP certification and that has consumed a ton of my time. Needless to say, I passed the exam yesterday afternoon and will be back to posting soon - after I rest my poor brain.
Cheers!
Information concerning the hardware device with the details = "PCI\VEN_1217&DEV_8231&SUBSYS_04A91028&REV_03"
Discription without a driver installed:
Mass Storage Controller
Details:
O2Micro OZ600XXX Memory Card Driver for just about every windows desktop operating system back to XP.
Link:
O2Micro OZ600XXX Memory Card link at Dell Support
Silent installation command line:
setup.exe /s /SMS
Requires a reboot.
This article is a follow-up to the articles I posted on June 18, July 11, and July 12, 2011.
Collecting and Reporting on Laptops - Part 1
Collecting and Reporting on Laptops - Part 2
Collecting and Reporting on Laptops - Part 3
Now that we have a report which shows our BitLocker compliance counts, we should provide some detail reports so that we can have those which are out of compliance fixed. Identification of problem machines should always be the end goal of set of reports such as these.
The following two queries identify those machines which have drives not encrypted by BitLocker and those machines which are not reporting their status. In the company for which I work, I am only tasked with the requirement for identifying those machiens on which the C: drive is not encrypted. The query I am posting is easy to adjust to show all unencrypted drives on a machine and I'll detail which SQL line to change at the end. Reports (C) and (D) directly correspond to the counts (C) and (D) in the report shown in Part 3 (link posted above.)
<<>>
-- REPORT SECTION FOR DETAILS
-- REPORT (C) - Display laptops not encrypted with BitLocker
SELECT [(C)]=' ', v_R_System.Netbios_Name0,
v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP.TopConsoleUser0 [Primary User],
v_R_System.Operating_System_Name_and0,
v_GS_BITLOCKER.DriveLetter0,
-- Convert the numerical encryption status to something readable
CASE
WHEN v_GS_BITLOCKER.ProtectionStatus0 = 1 THEN 'Encrypted'
ELSE '*** UNENCRYPTED ***'
END AS 'Encryption_Status',
-- Convert the numerical chassis identifier to something readable
CASE
WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8 THEN 'Portable'
WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9 THEN 'Laptop'
WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10 THEN 'Notebook'
WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 12 THEN 'Sub Notebook'
ELSE '*** Unidentified ***'
END AS 'Chassis_Type'
FROM
v_GS_BITLOCKER INNER JOIN
v_R_System ON v_GS_BITLOCKER.ResourceID = v_R_System.ResourceID INNER JOIN
v_GS_SYSTEM_ENCLOSURE ON v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID INNER JOIN
v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP ON v_R_System.ResourceID = v_GS_SYSTEM_CONSOLE_USAGE_MAXGROUP.ResourceID
WHERE
(((v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 =12)) AND
((v_GS_BITLOCKER.DriveLetter0='C:' AND v_GS_BITLOCKER.ProtectionStatus0 = 0)))
-- Sort the report by NetBIOS name, then drive letter
ORDER BY
v_R_System.Netbios_Name0, v_GS_BITLOCKER.DriveLetter0
-- REPORT (D) - Show Windows 7 laptops not reporting in BitLocker
SELECT
[(D)]=' ', v_R_System.Netbios_Name0,
v_R_System.User_Name0,
v_R_System.Operating_System_Name_and0,
-- Convert the date value in the pwdLastSet AD attribute to something readable
CAST(v_R_System.pwdLastSet0 / 864000000000.0 - 109207 AS DATETIME) AS Pwd_Last_Changed,
'Not Reporting' [Status]
FROM
v_FullCollectionMembership_Valid INNER JOIN
v_R_System ON v_FullCollectionMembership_Valid.ResourceID = v_R_System.ResourceID
WHERE
(v_FullCollectionMembership_Valid.CollectionID = 'CEN00390') AND
v_R_System.Operating_System_Name_and0 LIKE 'Microsoft Windows NT Workstation 6.1%' AND
-- Exclusionary query to identify those not reporting
v_R_System.ResourceID NOT IN
(SELECT
v_R_System.ResourceID
FROM
v_GS_BITLOCKER INNER JOIN
v_R_System ON v_GS_BITLOCKER.ResourceID = v_R_System.ResourceID INNER JOIN
v_GS_SYSTEM_ENCLOSURE ON v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID
WHERE
(((v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 =14)) AND ((v_GS_BITLOCKER.DriveLetter0='C:'))))
<<>>
If you chain all the reports I've posted together, you can produce a single, consolidated report for BitLocker compliance. This is far easier for a "quick glance" review than having to produce three separate reports. I'm posting the entire report here, but the top two queries are for reports (C) and (D). (As you can see, we have no non-compliant laptops which are reporting in so there are no machines showing up in the report.)
If you have a need to report on all unencrypted drives, change the following line in report (C) in the WHERE section:
((v_GS_BITLOCKER.DriveLetter0='C:' AND v_GS_BITLOCKER.ProtectionStatus0 = 0)))
to:
((v_GS_BITLOCKER.ProtectionStatus0 = 0)))
You can remove one set of parenthesis if you wish, but I generally leave them in just in case I have to add a conditional on the fly that needs to be included in certain AND statements. Changing this statement will produce the following results in that section of the report.
In my next post, I'll lay out some troubleshooting techniques to deal with those which are not reporting.
This article is a follow-up to the articles I posted on June 18 and July 11, 2011.
Collecting and Reporting on Laptops - Part 1
Collecting and Reporting on Laptops - Part 2
Now that you have created laptop collections, began collecting BitLocker status from your SCCM clients and have a basic report to show encrytpion status, it would be nice to have a single report which provides some comprehensive information upon which you can act. At the company for which I work, we also have Pointsec encrypting the Windows XP machines. I'll be leaving out those specific queries so these reports are not muddled with items I'm not discussing. So, the number of total laptops will NOT match the number of Windows 7 machines. (Just so you know why.)
First, we need to set up the counts so that the numbers presented can be reconciled to management. The following set of queries provides the counts for total number of laptops, Windows 7 laptops, Windows XP laptops, BitLocker compliant laptops, BitLocker non-compliant laptops, and those laptops which are not reporting status one way or the other.
<<>>
-- REPORT SECTION FOR COUNTS --
--
-- Variable declaration section --
-- Declare variables used in the count functions
SET NOCOUNT ON
DECLARE @COLLCOUNT AS INT
DECLARE @COUNTWIN7 AS INT
DECLARE @COUNTWINXP AS INT
DECLARE @LAPTOTAL AS INT
DECLARE @BLCOMP AS INT
DECLARE @BLNON AS INT
DECLARE @BLNOTREP AS INT
-- Calculations section --
-- Count the number of laptops
SELECT
@LAPTOTAL=count(*)
FROM
v_FullCollectionMembership_Valid INNER JOIN
v_R_System ON v_FullCollectionMembership_Valid.ResourceID = v_R_System.ResourceID
-- Conditional equal to the collection ID of the All laptops collection
WHERE
(v_FullCollectionMembership_Valid.CollectionID = 'CEN00390')
-- Count the number of Windows 7 laptops
SELECT
@COUNTWIN7=count(*)
FROM
v_FullCollectionMembership_Valid INNER JOIN
v_R_System ON v_FullCollectionMembership_Valid.ResourceID = v_R_System.ResourceID
WHERE
(v_FullCollectionMembership_Valid.CollectionID = 'CEN00390') AND
(v_R_System.Operating_System_Name_and0 LIKE 'Microsoft Windows NT Workstation 6.1%')
-- Count the number of Windows XP laptops
SELECT
@COUNTWINXP=count(*)
FROM
v_FullCollectionMembership_Valid INNER JOIN
v_R_System ON v_FullCollectionMembership_Valid.ResourceID = v_R_System.ResourceID
WHERE
(v_FullCollectionMembership_Valid.CollectionID = 'CEN00390') AND
(v_R_System.Operating_System_Name_and0 LIKE 'Microsoft Windows NT Workstation 5.1%')
-- Count BitLocker compliant machines
SELECT
@BLCOMP=count(*)
FROM
v_GS_BITLOCKER INNER JOIN
v_R_System ON v_GS_BITLOCKER.ResourceID = v_R_System.ResourceID INNER JOIN
v_GS_SYSTEM_ENCLOSURE ON v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID
WHERE
(((v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 =12)) AND
((v_GS_BITLOCKER.DriveLetter0='C:' AND v_GS_BITLOCKER.ProtectionStatus0 = 1)))
-- Count BitLocker non-compliant machines
SELECT
@BLNON=count(*)
FROM
v_GS_BITLOCKER INNER JOIN
v_R_System ON v_GS_BITLOCKER.ResourceID = v_R_System.ResourceID INNER JOIN
v_GS_SYSTEM_ENCLOSURE ON v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID
WHERE
(((v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 =12)) AND
((v_GS_BITLOCKER.DriveLetter0='C:' AND v_GS_BITLOCKER.ProtectionStatus0 = 0)))
-- Count machines not reporting BitLocker status *troubleshoot these*
SELECT
@BLNOTREP=@COUNTWIN7-@BLCOMP-@BLNON
-- Display laptop divisions by OS and encryption reporting status
SELECT
@LAPTOTAL [Total Laptops],
@COUNTWINXP [Windows XP],
@COUNTWIN7 [Windows 7],
@BLCOMP [BitLocker Compliant],
@BLNON [BitLocker Non-Compliant (C)],
@BLNOTREP [Not Reporting (D)]
<<>>
In my next post, I'll fill out the reconciliation report with items on which we can act. Below is the report produced from the above queries. (The (C) and (D) will be clarified in my next post.)
This article is a follow-up to the article I posted on June 18, 2011.
Collecting and Reporting on Laptops - Part 1
The first thing that needs to be done in order to get BitLocker information from a computer is to ensure that the status is properly reported to SCCM. I won't go into the details on how to do this as the Configuration Manager Support Team has a very nice blog entry on the procedure here:
Config Mgr Team Blog on BitLocker Status
As the blog entry states, once this is complete a view named v_GS_BITLOCKER will be created in the SCCM database. Columns created in the view are as follows:
- ResourceID
- GroupID
- RevisionID
- AgentID
- TimeStamp
- DeviceID0
- DriveLetter0
- DriverLetter0
- ProtectionStatus0
So, now for a basic report showing encryption status. (Again... lengthy query because I like readability)
<<>>
-- Query to report on BitLocker encryption status
-- Retrieve system name, user name, OS, drive letter, status and chassis
SELECT
v_R_System.Netbios_Name0,
v_R_System.User_Name0,
v_R_System.Operating_System_Name_and0,
v_GS_BITLOCKER.DriveLetter0,
-- Convert the numerical encryption status to something readable
CASE
WHEN v_GS_BITLOCKER.ProtectionStatus0 = 1 THEN 'Encrypted'
ELSE '*** UNENCRYPTED ***'
END AS 'Encryption_Status',
-- Convert the numerical chassis identifier to something readable
CASE
WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8 THEN 'Portable'
WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9 THEN 'Laptop'
WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10 THEN 'Notebook'
WHEN v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 14 THEN 'Sub Notebook'
ELSE '*** Unidentified ***'
END AS 'Chassis_Type'
FROM
v_GS_BITLOCKER INNER JOIN v_R_System ON
v_GS_BITLOCKER.ResourceID = v_R_System.ResourceID
INNER JOIN v_GS_SYSTEM_ENCLOSURE ON
v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID
-- Pull only valid chassis types
WHERE
((v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 =10) OR
(v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 =14))
-- Sort the report by NetBIOS name, then drive letter
ORDER BY
v_R_System.Netbios_Name0, v_GS_BITLOCKER.DriveLetter0
<<>>
In my next post, I'll go into some more reporting which brings it all together - Cheers!
(The report is below)
It has been quite busy here, putting new procedures into play, acting upon those procedures and developing auditing processes to report on those procedures. I thought I would take some time to post a few articles on one of those areas in which I had a good deal of input in all areas - Laptop Encryption.
As part of our compliance readiness effort, we have been put a significant effort into ensuring that any data which may be on our laptops is properly encrypted. In addition I was tasked with creating methods for reporting the status of encryption and creating remediation processes for those which may be or may fall out of compliance.
In this series, I'm going to concentrate only on those areas in which I used capabilities of SCCM to help with the end-game reporting.
One of the first steps in accomplishing our overall goal was to ensure that I could validate our laptop counts. The key is to capture all possible objects, while not duplicating the objects during the reporting phase. Chassis type is the logical choice for differentiating between computer object types. There is a nice write-up on the various chassis types here: http://msdn.microsoft.com/en-us/library/aa394474%28v=VS.85%29.aspx.
After reviewing the article above, I determined that the chassis times I would need to flag on were: 8, 9, 10, 12, 14 and 21. Chassis type 21 is how the Lenovo port replicator is identified. After producing a query which listed the computer names, OS types and chassis types, I added a SELECT DISTINCT statement to validate that docking stations and the like were indeed counted in addition to the laptops themselves.
Here is the query: (Please excuse the length - I like my queries readable)
-- Query to identify laptop chassis types
-- Retrieve the system name, OS type, mfg and chassis type
SELECT DISTINCT
v_R_System.Netbios_Name0,
v_R_System.Operating_System_Name_and0,
v_GS_SYSTEM_ENCLOSURE.Manufacturer0,
-- Remove this column and the comma above to remove
-- the extra records caused by the docks
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0
FROM
v_R_System INNER JOIN v_GS_SYSTEM_ENCLOSURE ON
v_R_System.ResourceID = v_GS_SYSTEM_ENCLOSURE.ResourceID
WHERE
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 8 OR
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 9 OR
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 10 OR
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 12 OR
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 14 OR
v_GS_SYSTEM_ENCLOSURE.ChassisTypes0 = 21
-- Sort by system name to validate that system and dock are both counted
ORDER BY
v_R_System.Netbios_Name0
The next piece which was needed was a collection dedicated to laptop-type computer objects so I created a collection query as a subcollection of the "All Windows Workstation or Professional Systems" collection. In addition, I limited the membership query to that collection as well. Once this collection was created, I validated that the same number of systems were being reported in both the SQL query above and the collection.
Here is the collection membership query for the "All Windows Workstation or Professional Laptops" collection:
SELECT
SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,
SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,
SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client
FROM
SMS_R_System INNER JOIN
SMS_G_System_SYSTEM_ENCLOSURE ON
SMS_G_System_SYSTEM_ENCLOSURE.ResourceID = SMS_R_System.ResourceId
WHERE
SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "8" OR
SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "9" OR
SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "10" OR
SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "12" OR
SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "14" OR
SMS_G_System_SYSTEM_ENCLOSURE.ChassisTypes = "21"
That is all for Part 1. In Part 2, I will go into detecting and reporting on encryption status.
As always, if anyone finds error in my methods or has a more efficient way of doing these things, please feel free to post a comment or email me directly.
--- Cheers!
Although I put this process together a while back, I've performed enough testing that I now feel comfortable posting this. As we all know, there are many ways to do things, and some processes do not work in all environments. Hopefully, what I have put together will be helpful for some people. Please post comments should you find issues with the techniques posted here.
Corporate Branding:
Many companies find it desirable to “brand” their workstations for consistency or to comply with certain corporate policies. The best time to apply a corporate branding process is at the time of system build, although with a little work, a corporate branding process can be made to replace current user settings. Some companies do not employ these types of practices and chose to implement branding during system refreshes. Please refer to your company’s policies in this area during your branding planning process.
Branding task sequence:
This task sequence snippet can be placed anywhere after all drivers, both good and bad, are installed on the workstation being built. Each of the line items below are pointing to specific packages containing the files mentioned. You do not need to create any programs for the packages to work within this task sequence. These could be consolidated to save space within the task sequence, but they are expanded here for learning purposes.
· Run Command Line – User Mini Pic
o CMD /C copy /y user.bmp "C:\ProgramData\Microsoft\User Account Pictures\user.bmp".
o Graphic should be a max of 128 X 128 pixels for best results.
· Run Command Line – Guest Mini Pic
o CMD /C copy /y guest.bmp "C:\ProgramData\Microsoft\User Account Pictures\guest.bmp"
o Graphic should be a max of 128 X 128 pixels for best results
· Run Command Line - Copy Theme Graphic
o CMD /C copy /y [corporate].jpg "%SystemRoot%\web\wallpaper\Windows\[corporate].jpg"
o Graphic should be 1960 X 1200 pixels for best results.
· Run Command Line - Copy Theme File
o CMD /C copy /y [corporate_theme].theme "%WinDir%\Resources\Themes\[corporate_theme].theme"
o *** See below for specific lines to change in a basic .theme file.
· Run Command Line – Set Logon Image Registry Key
o REG IMPORT "Police Key.reg"
o *** See below for the contents of the registry key.
· Run Command Line – Create Logon Image Folder
o CMD /C MKDIR "C:\Windows\System32\oobe\info\backgrounds"
· Run Command Line – Copy Logon Image
o CMD /C COPY /Y backgroundDefault.jpg "C:\Windows\System32\oobe\info\backgrounds\backgroundDefault.jpg"
o Graphic should be 1960 X 1200 pixels for best results.
Theme file specifics:
There are many things which can be customized in the .theme file, but the only lines we are changing for this branding exercise are those which refer to the desired name for the theme and the location of the corporate wallpaper image file.
Find the following sections in the .theme file and customize the line shown for your corporation.
[Theme]
DisplayName=[Your Company’s Official Name for this Theme]
[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\[corporate].jpg
The “Wallpaper” path setting and .jpg name above MUST match the path setting and .jpg name which you have placed into the “Run Command Line – Copy Theme Graphic” line in the task sequence.
Police Key.reg file:
Remember, modifying the registry is not something to be taken lightly. Always test any adjustments to the registry in a test environment to ensure proper operation prior to implementing in production.
Create the registry file and paste the following text into it: (copy and paste text between the <<>>)
<<>>
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"UseOEMBackground"=dword:00000001
<<>>
Group policy object:
This setting forces the loading of the corporate theme upon first logon of a new user. In our company, we do not prevent users from changing their themes, nor do we enforce a specific theme, but there are group policies to accomplish these tasks. Please see the Windows 7 group policy reference for those settings.
User Configuration > Policies > Administrative Templates > Control Panel/Personalization
- Load a specific theme – Enabled
o Path to theme file – the path to the corporate theme file (typically C:\Windows\Resources\Themes\corporate_theme.theme)
o This path MUST match the path you set in the “Run Command Line – Copy Theme File” line in the task sequence.
I was working on a task sequence consolidation this morning and thought I would throw this one out there in case anyone else has a similar situation.
In our environment, we have several applications which require location-specific parameters... basically, the developers have created different configuration files which are based on the site location of the end-user. If you use task sequences for both OSD and application deployment, this should work for you as well, depending upon your machine naming convention. I prefer to use a convention which is organized as such:
[Location Acronym][Unique Identifier][Departmental Acronym]
i.e. and machine in Austin with a serial number of 123456 and a department of Technology would be AST123456TECH - just an example
Although the application programs have dependencies, the configuration program is the last step in the process. So, I have created the first two dependency programs and then configuration programs for each location dependent upon the last program in the dependency chain. All of these are placed in the same task sequence, in order of dependency, and then I use a WMI query to ensure that the proper configuration program is run at the end of the chain based on machine name. (Machine name just happens to be convenient for us, but you could use this same technique for anything obtainable in the WMI which could be used as a locational identifier.)
Query used for the Austin configuration program:
SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "AST%"
You can follow the results in the SMSTS.log file: (I've taken out the time stamps)
Query = SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "AST%"
Expand a string: root\cimv2
Expand a string: SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "AST%"
The WMI condition expression is evaluated to be TRUE
The AND expression is evaluated to be TRUE
The condition for the action (Install - [Location Configuration Program] - AST) is evaluated to be true
Really pretty simple when you look at it, but quite handy for consolidation.
Cheers!
Just a short FYI for people who happen to enable the class, Win32_ComputerSystemProduct, within the MOF file. Within the database, this will show up as dbo.v_GS_Client0. A bit confusing in my opinion, but I wanted to get this out so that others don't have to spend too much time looking for it.
Cheers!
I was out this morning looking for an update to the device ID file for Craig Hart's PCI32 bus sniffer and was disappointed to find that the domain where it was formerly hosted is no longer in existence. (Or perhaps there is a DNS issue somewhere.)
The website listed in the README file is: http://members.datafast.net.au/dft0802 and it is yielding a 404 error, while the base address is connecting to http://w3.eftel.com.au/home.cms
In any case, it seems that either the web crawlers are not updated with the new location, (whereever that may be) or this tool and it's creator have disappeared. I would hate to see this tool fall off the face of the earth, so I'm going to post a zip file of the last version I downloaded for those who may have an interest in using it, or posting its new location here.
The last PCIDEVS update I have is from June of 2009.
Cheers!
Our network team wanted IPV6 turned off on Windows 7 machines so I put together this reg hack and package to deploy it via SCCM.
.reg file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters]
"DisabledComponents"=dword:ffffffff
Program command line:
regedit /S "Disable_IPV6.reg"
I've been finalizing an XP image for the Lenovo X-201 laptop and had a warning on the TPM device, ACPI\SMO1200. I found the driver here:
http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-74404
Silent installation: STM_TPM_Setup.msi /q
One thing I found a bit amusing was that the driver package was created with a piece of freeware - which I thought was a bit odd. But, I suppose this may be typical with some third-party devices.
More Posts
Next page »