
For most ConfigMgr pros, third-party patching is a bear of a problem—and that’s putting it politely. In a recent Adaptiva Endpoint Security Survey, 48% of IT pros called it “especially challenging.” At the same time, they rated it as one of their top security priorities.

What Exactly Is Third-Party Patching?

Third-party patching is the process of updating non-Microsoft software applications and drivers.

When it comes to updating Windows itself, Microsoft has a mature process in place for companies using ConfigMgr. Administrators can rely on timely notification of updates to Windows. Microsoft also provides an organized and consistent mechanism for delivering the updates, though it’s up to each organization how quickly it rolls them out.

However, Microsoft does not include updates for other companies’ software in Windows updates. The OS updates do include hardware drivers for many manufacturers and devices, though not all.

This leaves companies on their own to update non-Microsoft:

  • web browsers
  • productivity applications
  • vertical applications
  • anti-virus and anti-malware solutions
  • utilities like FTP software and PDF readers
  • specialized software tools for specific job-functions
  • drivers for some hardware
  • much, much more

Why Is It So Important?

I can explain the importance of third-party patching in one word: security. It really should be in all caps, but I don’t like to yell.

Before the Internet was a thing, PCs were not easily or commonly attacked from the outside. Many PCs didn’t connect to anything. Some used dial-up modems to connect to BBSs and things like that. Vendors patched software infrequently, and usually to fix bugs or add features—not to improve security.

Now we live in the age of Internet everything and broadband everywhere. Productivity is through the roof, but so is the danger. Everything that is cloud-enabled opens up an attack surface—even small things like Notepad++ or Evernote.

Cyberattackers are relentless, and an exploit of even the tiniest vulnerability in an application or driver can crush an enterprise. To remain as secure as possible, patches must be applied as soon after the vendor releases them as possible.

Why Is It So Hard?

As technology has progressed, the sheer volume of applications is massive. A midsize company can easily manage hundreds of different software applications, and an enterprise may have thousands.

Adding to this, the pace of updates is extremely rapid. Some applications may be patched as often as multiple times within a week. By the time an IT department is notified of an update, tests it, gets it packaged and deploys it, the next update may already be released!

There is no unified mechanism for keeping track of updates to all of these applications. A company has to formulate a plan for tracking updates for each package from each vendor.

Admins may consider some of the patching solutions on the market. These solutions maintain their own database that they update daily with all the metadata and patches for applications from hundreds of vendors. So a ConfigMgr admin can use one service to update hundreds of vendors’ apps.

Another challenge is the actual rollout of patches. Microsoft ConfigMgr is a strong solution for deployment of patches. However, not all ConfigMgr environments are equal. A ConfigMgr architecture with dozens or hundreds of DP servers may see high numbers of delivery failures due to problems with distribution point servers. If just 1% or 2% of DP servers fail, the result can be thousands of unpatched endpoints.

Peer-to-peer delivery technology such as Adaptiva OneSite can make rollouts faster and easier. OneSite eliminates the need for servers, speeds delivery, and does a lot more to improve your success rates and shrink troubleshooting time and effort.

MDM solutions such as Microsoft Intune and VMware AirWatch bring cloud-based distribution to the rollout process, and will see increased adoption in the years ahead.

Here is a recap of the key challenges you need to solve:

  • Tracking applications and versions across endpoints
  • Knowing what patches vendors have released for which applications
  • Prioritizing which patches to deliver to which endpoints first
  • Having the person-hours and cycles to deal with it
  • Keeping pace with the speed of updates

The One Most Important Best Practice

When I speak to people working in IT, and when I talk to vendors of third-party patching solutions, I hear one thing: Somebody needs to own it. Admins tell me stories of nobody knowing “whose week it is to patch.” I’ve also heard of everybody in IT sort of ducking responsibility for patching. If nobody owns third-party patching, it may get done well, or it may not.

So, the one best practice is:

Anoint a Patching King, Queen, Czar, Etc.

This person may also do all the patching, or they may coordinate others. This may be their only responsibility, or it may be one of many. They may also be responsible for operating system updates, or not. However you organize it, somebody in your company needs to be given the responsibility—and the time—for third-party patching.

You need one person responsible for:

  • Tracking all patches from vendors
  • Prioritizing the patches and machines to deliver them to
  • Confirming successful rollout / deployment

Ideally, you will also get executive sponsorship of patching. It is a critical security function. If it is visible at the CSO level, the people in the trenches are more likely to have the time and resources they need to get it right.

How to Implement

Usually when I ask people working in IT to give me their list of best practices, they offer technical advice. In this case, they all gave me the same answer, and it wasn’t technical at all. So the solution for you isn’t terribly technical, either.

Do you know who is responsible for third-party patching in your company? If not, ask your boss–maybe he or she knows. Of course, there is a good chance nobody owns it. In that case, I’ve provided you all the ammo you need to make the case to anoint a third-party patching czar—forward this blog. Just be prepared–you could be picked!

Learn More

To learn more about how to accelerate deployment of Windows 10, and speed delivery of updates and patches post-deployment, check out our archived Windows 10 Accelerator Program Webinar.


It’s easy to get stressed out when tasked with deploying Windows 10 across an enterprise. While upgrading your personal system was probably cake, migrating 100,000 or more systems is a whole different beast of a challenge. For starters, you can’t hire 100,000 of you to each go to a computer and run an upgrade!

Suddenly you’re worrying about getting the money and time to build out global deployment infrastructure. You may be considering buying several applications for different tasks and hiring expensive contractors to make them all work. Then you realize Windows 10 security must be 100% locked down, and it’s as complex as it is critical.

A poorly orchestrated Windows 10 migration could eat more budget than you have. It could suffer delays that push completion out months or years longer than planned. On top of that, it could require IT staff to work far too many nights and weekends. No wonder IT pros get stressed out thinking about it!

You Can Breathe a Sigh of Relief!

Adaptiva just introduced the Adaptiva Windows 10 Accelerator Program, an end-to-end ecosystem that covers all phases of Windows 10 adoption. Unlike vendors that require you to purchase multiple products, Adaptiva put together a comprehensive program that covers it all.

We curated best-in-class technology, tools and training. With the assembled power of Adaptiva, Microsoft, Microsoft MVPs and the Microsoft ConfigMgr community, you have everything you need.

  • Adaptiva OneSite lets you distribute Windows 10 software and updates across the enterprise rapidly and without the need for a complex IT infrastructure.
  • Adaptiva Client Health for Windows 10 lets you automate Windows 10 security configuration management, corporate policy compliance and endpoint health.
  • Microsoft MVP Training and Guides will get your team deployment-ready with hours of video training and guides created for Adaptiva by leading Windows 10 experts.
  • Windows 10 Community Tools provide best-in-class solutions for automated BIOS to UEFI conversion, application migration, software license management and more.
  • Readily Available Microsoft Technologies save you from third-party complexity with solutions such as Upgrade Readiness for hardware and software compatibility planning.

How much could a flawless Windows 10 migration from start to finish help your company, your stress levels, and your career?

Regardless of what solution you ultimately choose, you may find it useful to examine this overview of keys to success. We’ve broken it down into three categories: planning, deployment and maintenance.

Planning Makes Everything Better

In a zero-touch, large-scale Windows 10 migration, careful planning can save you from delays of months or even years. “OK,” you say, “but how do I plan correctly?”

Let’s look at six key areas of planning and preparation, and what you need to do to get each one right.

1. Compatibility – App, Driver & Hardware

You have to assess the compatibility of your hardware, device drivers, and applications. You need to know which features can be used on which devices. Then you need to stage your Windows 10 rollout intelligently to suit.

Everything will go smoother if you separate the easy migrations from the hard ones and the “don’t even try” ones—and plan accordingly. With the Windows 10 Accelerator Program, we guide you on the path to determining exactly which endpoints and apps will run perfectly with Windows 10.

2. App Rationalization Mapping

Everybody wants all their favorite applications, but your company doesn’t want to pay for unused software licenses. For example, why pay for an Adobe Illustrator license for somebody who’s not actually using it?

Providing support for similar applications can eat up IT staff and help desk time. For example, suppose different people are using CuteFTP, FileZilla and Cyberduck. Why not make Cyberduck the standard and leave Cute FTP and FileZilla behind when deploying Windows 10? (Or select FileZilla, CuteFTP, etc., as the standard.)

The Windows 10 Accelerator Program will arm you with information to consolidate your approved software. When you migrate, you can leave nonstandard software behind. This can reduce support costs, help desk burden, and licensing costs.

3. Employee Communication Plan

It’s easy to get so wrapped up in all the technical and logistical challenges of a large-scale Windows 10 deployment that you forget the obvious. You need to tell users that Windows 10 is coming!

The Windows 10 Accelerator Program ecosystem makes it easy for you to engage your workforce early, guiding them through a smooth transition.

4. Windows 10 IT Team Training

Your company may or may not view your training as a priority, but you need to make it one. To roll out Windows 10 like an expert, you need to learn from the experts.

Adaptiva helps you get smart about all phases of deployment with custom training from TrueSec Microsoft MVPs Johan Arwidmark and Mikael Nystrom. You get hours of in-depth video training created specifically for Adaptiva by the world’s foremost authorities on Windows 10 deployment.

5. Infrastructure Architecture

Infrastructure is one of the trickiest challenges you face because it is global—impacting nearly every office. If you choose a server-based solution, you risk delays building it. If it doesn’t work perfectly once built, it can become an expensive albatross.

The Windows 10 Accelerator Program includes Adaptiva OneSite, the fastest way to distribute content across the enterprise. Our award-winning peer-to-peer technology means you don’t need to buy hardware. Plus there is no waiting, because your infrastructure is ready today in every office around the world.

The program goes further. It helps you design the most effective ConfigMgr architecture for your environment by laying it out visually and documenting it properly.

6. Windows 10 Security Design Plan

Windows 10 brings a plethora of critical new security features and capabilities. Do you know which ones you should deploy on which endpoints and why?

Adaptiva will help you protect your people and your company by leveraging advanced security features in the best configuration for each system.

Successful Deployments Make Life Easy

Get deployment right, and everybody continues their work without interruption: end users, IT staff and the overall business. Get it wrong and … well, let’s not even go there.

This is a monumental task that starts with perfecting deployment sequences to minimize failures. Smooth running processes will save weeks or months of IT staff time by avoiding troubleshooting and re-deployment. The human factor matters, too. When you properly train users, and involve them in their scheduling, you ensure they remain productive.

Let’s take a deeper look into what it takes to do deployment right.

App Rationalization Automation

It’s one thing to set company standards for certain types of apps, such as FTP software in the example above. It’s quite another to automatically see which user has which apps at deployment time, and give them the right ones in Windows 10.

The Windows 10 Accelerator program arms you with resources to automate everything. This includes automatically replacing non-standard apps with approved ones during migration.

BIOS to UEFI Migration

If you haven’t been living under a rock for the past two years, you know that the Unified Extensible Firmware Interface (UEFI) is critical for deploying Windows 10’s most advanced security features. However, switching endpoints from legacy BIOS to UEFI can be a tedious process.

Adaptiva has been helping people automatically convert systems from legacy BIOS to UEFI for over a year. This program will make it easy for you to switch to UEFI as a simple part of the deployment process, without on-site visits or manual tasks.

Security Features Enablement

Once you’ve designed your Windows 10 security, you need to implement it correctly for each unique endpoint at deployment time.

The program gives you everything you need to ensure that your deployment will enable the best security features in the optimal configuration for each individual endpoint.

Employee Training

Users don’t like surprises, especially ones that prevent them from doing urgent work.

This ecosystem will help you teach users how to use Windows 10 ahead of the migration. When they boot up in the new OS they won’t lose work time or flood the help desk with frequently asked questions.

Windows 10 P2P Zero-touch Deployment

Combining the power of ConfigMgr and OneSite, the program provides the most powerful Windows 10 solution available on the market today. Adaptiva technology automates everything and scales easily to hundreds of thousands of endpoints.

You can do enormous amounts of work without overburdening IT staff. The program lets you deploy remotely without server infrastructure or on-site staff using the peer-to-peer technology embraced by the Fortune 500.

User Self-Scheduling

A migration to Windows 10 can catch a user off-guard. While scheduling deployments for off-hours reduces conflict, some end-users work off hours.

The program curates the best resources to maintain business operations and employee satisfaction by giving users some control over the timing of their individual migrations.

Maintenance Keeps Companies Safe

Migrating endpoints to Windows 10 is a one-time operation, but maintenance will continue for many years to come.

Endpoint maintenance is critical in the age of malware, ransomware, hacks and data breaches. Plus, new kinds of cyber attacks are invented daily. You put your organization in great jeopardy if you do not apply Windows security updates quickly and regularly. The same is true for ever-changing corporate security policies.

The Windows 10 Accelerator Program gives you the technology to automatically keep all endpoints secure and compliant. Let’s look at what this means.

Windows OS Health and Security Checks

Your company’s security policy changes frequently as new cyber attack strategies are revealed. To protect your company, you have to apply the policy changes to every endpoint worldwide. On an ongoing basis, you must find and fix any deviations as quickly as possible.

The Windows 10 Accelerator Program includes Adaptiva Client Health for Windows 10. It can automatically verify that endpoints comply with your company’s Windows 10 security policy, and instantly remediate any deviations.

Windows 10 Servicing Training

Keeping Windows 10 endpoints current with all the latest security fixes is absolutely mandatory. It must be done right after they are released, not every couple of months. Some companies apply them same-day.

Adaptiva delivery technology uses all available bandwidth without impacting other traffic. Unlike competing technologies, it does not require throttling, or scheduling for off-hours. So when new Windows updates are released, you can begin delivering immediately.

The program also provides Windows 10 maintenance and servicing training developed specifically for Adaptiva by TrueSec experts.

OSD Image and Related Content Auto-updating

You will always have new endpoints coming into the organization, and old systems that require an OS refresh. Also, Windows 10 servicing deploys new versions of the OS on a regular basis. Keeping all this massive deployment content current at hundreds of locations worldwide can take a lot of administrator time—unless you automate.

Adaptiva helps you simplify ongoing Windows 10 servicing with efficient, automatic distribution and update of content around the globe. When you change your source content, OneSite detects the change. It then creates a small differential file, which it delivers and applies at every location that needs it.

Stress-free Windows 10 Adoption

With the Windows 10 Accelerator Program, we’ve taken the stress out of large-scale deployment. You can remain calm while delivering on time and keeping your company secure. It’s the fastest and most cost-effective way to plan, deploy, and maintain Windows 10 across the enterprise.

To learn how the Windows 10 Accelerator Program can meet your unique needs, request a demonstration today.

Bill Bernat, director at Adaptiva, has worked in the technology industry for over 25 years. Before joining the team at Adaptiva, Bill was the web publisher at OpenText and a technical editor for Penton’s Streaming Media Magazine. He spent many years as a programmer and engineering manager for a variety of organizations including NASA, Union Bank of California, and Banc of America Securities. For more information, please visit and follow the company on LinkedIn, Facebook, and Twitter.





If WannaCry gave businesses a wake-up call, then Petya gave them an air horn in the ear.

In May 2017, WannaCry ransomware hit more than 300,000 computers in 150 countries—including multiple systems at Britain’s NHS, Spanish phone company Telefónica, and German state railways. It spread itself from machine to machine, encrypting hard disks and then demanding ransom to return the data to the owners. Petya followed in June, exploiting the same vulnerability as WannaCry.

Cyberattacks are nothing new, but these two are turning enterprise IT upside down because they were totally preventable. If IT departments used basic security configuration management best practices, neither WannaCry nor Petya would have been able to run amok. Furthermore, with brand image at stake, oversight is being elevated in some cases from the IT department to the board level.

Both WannaCry and Petya exploited a vulnerability that allowed them to spread rapidly from one machine to many others within an organization. WannaCry also used a related Windows vulnerability to get onto corporate systems from the open Internet. Microsoft fixed both vulnerabilities on March 14 and classified the update as critical—two months before WannaCry! This was not rocket science; it was a cookie-cutter Windows update.

Organizations are spending more money than ever to defend against a complex, ever-growing universe of cyberthreats, yet are failing to apply OS security patches. Security experts often express frustration that companies aren’t doing “the easy stuff,” the things that are so obvious they’re unsexy and often ignored.

It took these two successive outbreaks to scare businesses enough to upend the way they approach security. Now that they have seen the light, they are moving mountains. Here are the five biggest changes IT departments are adopting.

1. Getting Every Endpoint under Management

Endpoints fall out of management, and some never even start there. As companies move facilities, acquire staff and hardware, change technologies, and rewrite policies, many computers are left unmanaged. Some IT pros have been known to set up rogue systems and fail to follow policy when setting up others. These are just a couple examples of the hundreds of ways servers, desktops, laptops and other devices wind up unmanaged.

An unmanaged system is a threat. It may have the wrong antivirus software installed—or none at all. It might have an OS that hasn’t been patched in two years. Cyberattackers often just need to get onto a single unmanaged system to compromise a fleet of managed ones. Companies are now creating initiatives to find the unseen systems and bring them into the light.

2. Accelerating Updates

Policy windows are shortening. In this fast-paced modern era, new versions of Windows 10 come twice a year, and patches to them come constantly. Other operating systems are updated more frequently as well. Server-side and client-side applications are updated and patched much more frequently than that.

Many of these updates need to be applied almost immediately after they are released because they contain security fixes. This is a massive burden on IT shops, so it is no wonder that they fall behind. However, as we saw with WannaCry and Petya, letting updates linger can be costly. Enterprises are now making a Herculean effort to figure out how to keep up with all the updates.

3. Identifying the “Critical Process Chain” and Ensuring All Links Are Running

In the past, many considered it a low priority to look for applications and services that were not running. “If something’s broken, a user will complain.”

It is no longer good enough to make sure all the key software is installed and updated. Of course, security solutions such as antivirus software need to be running, but any software or process that is a part of the critical process chain must actually be running. The critical process chain includes any service, program or application that is part of the series of computer and network events required to detect, prevent or respond to a security threat.

For example, suppose a company is running Microsoft System Center Configuration Manager (ConfigMgr) to manage Windows systems. The ConfigMgr client must be running on every endpoint and connecting to the ConfigMgr server. Then, if action must be taken to respond to a threat or a breach, a response—such as an emergency antivirus fix—can be delivered and applied.

Organizations are now busy making sure that every link in that chain is running at full strength and that any failures are quickly addressed.
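The ConfigMgr example above can be turned into a recurring endpoint check. This is an added example, not code from the article or from Adaptiva: it treats the ConfigMgr client service (CcmExec) plus a couple of other services as the critical process chain, confirms each link is running, and checks that the client can reach its assigned management point. The chain membership, the management-point port (443) and the exit codes are assumptions for the demonstration.

```powershell
# Added example (not from the original article): verify that every link in an
# endpoint's "critical process chain" is installed, running and, for the
# ConfigMgr client, able to reach its management point. Run elevated.
# Assumptions: this chain list, HTTPS (443) management points, exit 1 on failure.

$CriticalChain = @(
    @{ Name = 'CcmExec';   Role = 'ConfigMgr client (SMS Agent Host)' },
    @{ Name = 'WinDefend'; Role = 'Microsoft Defender Antivirus' },
    @{ Name = 'wuauserv';  Role = 'Windows Update' }
)

# One finding per service: installed? running? set to start automatically?
$findings = foreach ($link in $CriticalChain) {
    $svc = Get-Service -Name $link.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Link      = $link.Role
        Service   = $link.Name
        Installed = [bool]$svc
        Status    = if ($svc) { $svc.Status } else { 'Missing' }
        StartType = if ($svc) { $svc.StartType } else { 'n/a' }
        Healthy   = [bool]$svc -and ($svc.Status -eq 'Running')
    }
}

# "Installed and running" is not enough for the ConfigMgr link: the client must
# also be talking to its server. SMS_Authority in root\ccm records the assigned
# management point; we test the TCP port the client would use (assumed 443).
$ccm = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Authority -ErrorAction SilentlyContinue
$mp = $ccm.CurrentManagementPoint
$mpReachable = $false
if ($mp) {
    $mpReachable = (Test-NetConnection -ComputerName $mp -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
}
$findings += [pscustomobject]@{
    Link      = 'ConfigMgr management point'
    Service   = $mp
    Installed = [bool]$mp
    Status    = if ($mpReachable) { 'Reachable' } else { 'Unreachable' }
    StartType = 'n/a'
    Healthy   = $mpReachable
}

$findings | Format-Table -AutoSize

# Repair the simplest failure mode (installed but stopped) and exit non-zero
# so a compliance baseline or monitoring job still records the broken link.
$broken = $findings | Where-Object { -not $_.Healthy }
foreach ($b in ($broken | Where-Object { $_.Installed -and $_.Status -eq 'Stopped' })) {
    Start-Service -Name $b.Service -ErrorAction SilentlyContinue
}
if ($broken) { exit 1 } else { exit 0 }
```

The script only restarts stopped services; a missing client or an unreachable management point is reported for a human to investigate rather than silently "fixed".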

4. Reviewing Security Tools

Automation is becoming a bare-bones necessity. Manual security enforcement is impossible with so many endpoints, so many applications to configure, so many security policies to comply with and the need to patch everything constantly.

To this end, enterprises are taking a closer look than ever at security configuration management tools. Some of these just provide visibility into security issues and report problems so administrators can take action. More advanced solutions will find security policy violations, fix them automatically and then report back.

Many organizations have previously allowed different groups and departments to choose different technologies. The trend now is to consolidate platforms as much as possible to achieve greater efficiency, visibility, and security.

5. Making Security Teams and Sys Admins Work Hand-in-Hand

Security is the fastest-growing budget area in IT, and security pros are the new technology rock stars. Traditionally, the security team in a company decided what policies to codify and what actions to take when. The operations team was then left to actually make it happen. This process is slow and cumbersome, and leaves room for turf squabbles and finger pointing. By working more closely together, the security and operations teams can:

  • Speed response to threats and outbreaks
  • Reduce the time-consuming friction that can result from inter-team communications and approvals
  • Get practical strategy and design information from the operations team up front to ensure they develop policies that will actually be followed


WannaCry and Petya revealed to many organizations that the security and endpoint management teams don’t have the luxury of living in silos. They’re on the same boat, and the only way to keep it from sinking is to work together. For that reason, many companies are seeing radically increased cooperation and coordination between these teams.

What’s at Stake

The future of nearly every organization depends on successful cybersecurity. That may sound dramatic, but it’s not an overstatement. Great security can literally make the difference between survival and extinction.

By applying security configuration management best practices, your organization is in a much better position to succeed. IT pros can worry less about the basics and focus more attention on the always-changing task of staying ahead of cyberattackers’ latest ploys. I’m encouraged to see so many companies making these changes because I know how hard it is to shift an enterprise. Hard, but not impossible.

As first published in IT Briefcase.

Bill Bernat, director and technology evangelist at Adaptiva, has worked in the technology industry for over 25 years. Before joining the team at Adaptiva, Bill was the web publisher at OpenText and a technical editor for Penton’s Streaming Media Magazine. He spent many years as a programmer and engineering manager for a variety of organizations including NASA, Union Bank of California, and Banc of America Securities. For more information, please visit and follow the company on LinkedIn, Facebook, and Twitter.



Sponsored Post

BitLocker disk encryption technology has been a part of the Windows operating system since Windows Vista. It didn’t really hit its stride until Windows 8.1, and now, with Windows 10, it’s almost perfect (in terms of compatibility and manageability).

Bottom line as to why you should use it—it just works. It can be enabled during the imaging process from both MDT and ConfigMgr, or enabled via script and controlled by Group Policy. The decryption and recovery keys can be stored in Active Directory or the Microsoft BitLocker Administration and Monitoring (MBAM) product. There are also several decryption methods, such as TPM unlock, smart card requirements or PIN requirements. All in all, it’s very versatile and totally manageable.

This post assumes that you are running Windows 10 Creators Update on a device that has a TPM module. Also, the ConfigMgr options assume at least version 1702. If you do not meet these requirements, not all features may be available.

Decryption Methods and Combinations

There are several methods to unlock a BitLocker drive. All the methods are a combination of USB key, password (or PIN) and the TPM module. The TPM module stores the decryption key and only releases it on boot of the disk. The USB method stores the decryption key on a USB drive that must be inserted in the machine at boot. This method can also utilize a smart card. The password method is exactly what it says: the user must type a password to unlock the disk. These three methods can be used in these combinations:

  • TPM only
  • TPM + password
  • TPM + USB
  • TPM + password + USB
  • USB only
  • Password only

Enable During ConfigMgr Task Sequence

Enabling BitLocker is done with two task sequence steps. First, you must Pre-provision BitLocker. This must be done after you have partitioned the disk and before you apply the operating system.


Since the drive has no data at this point, this step runs very fast. This step also assumes that you have a TPM chip, so I recommend keeping the bottom check-box enabled. This step also does not set the protection method. That is done with the second step.


Because BitLocker has already been provisioned, this step also runs very fast. It also gives you most of the options detailed above, except for TPM + password + USB. If you want this option, you must configure it from Group Policy. Also, the ConfigMgr step only gives you a PIN option instead of a password. This step will automatically escrow the recovery key into Active Directory, but it will not do anything with MBAM. This step is good for basic BitLocker deployments. The other drawback to this step is setting a PIN. This would be a standard value for all devices imaged using this task sequence, so you would want users to change it after imaging.

The “Pre-Provision BitLocker” step does not have to be used in conjunction with the “Enable BitLocker” step. You can use the pre-provision step with the “manage-bde” command utility or the BitLocker PowerShell cmdlets for more advanced options.

No ConfigMgr? No Problem

If you do not have ConfigMgr, or your devices are already deployed, you must use a script to enable BitLocker. Microsoft provides a good one that can be downloaded here. You can execute this script from Group Policy or deploy via ConfigMgr.

Once the script is activated, you can configure the options for BitLocker from Group Policy. The Group Policy settings for BitLocker are located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.

There are a lot of advanced options for BitLocker available in Group Policy. I suggest looking at them and deciding what is best for your organization. I am going to hit the highlights.

The most important setting is called “Choose how BitLocker-protected operating system drives can be recovered.” This setting enables the escrow of recovery keys to Active Directory.


Once this policy is enabled, you have the option to check the “Save BitLocker recovery information to AD DS for operating system drives”. Also, I would consider checking the box for “Do not enable BitLocker until recovery information is stored to AD DS for operating system drives,” as it will prevent the drive from encrypting until the recovery information is stored in AD.

Note that this same setting exists for fixed and removable drives, as well.

At the root of the BitLocker section, there are three different drive encryption methods and cipher strengths for different operating system families. I suggest setting those, most importantly for Windows 10 1511 and later.


XTS-AES encryption is only available with Windows 10 1511 and later. I recommend using this algorithm, as it has much better performance than AES-CBC, an older technology considered easier to attack. Because XTS-AES only works on 1511 and up, you may want to leave removable drives at AES-CBC for compatibility.
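The “more advanced options” the BitLocker PowerShell cmdlets give you beyond the ConfigMgr “Enable BitLocker” step, together with the AD DS escrow and XTS-AES settings discussed above, look like this in practice. This is an added example, not code from the post or from Adaptiva: it enables the OS drive with a TPM + PIN protector and XTS-AES 256, adds a recovery password, escrows it to AD DS explicitly, and audits the result. It assumes an elevated session on a domain-joined Windows 10 1511+ machine with a ready TPM, that the “Require additional authentication at startup” policy permits a startup PIN, and that the PIN is entered interactively.

```powershell
# Added example (not from the original post): enable BitLocker on the OS drive
# with TPM + PIN and XTS-AES 256, add and escrow a recovery password, then audit.
# Assumptions: elevated session, domain-joined Windows 10 1511+, TPM ready, and a
# GPO that allows a startup PIN (otherwise Enable-BitLocker refuses -Pin).

#Requires -RunAsAdministrator
$MountPoint = 'C:'

# 1. Pre-flight: TPM-based protectors need a present and ready TPM, which the
#    ConfigMgr "Pre-provision BitLocker" step also assumes.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; TPM-based protectors cannot be used.'
}

# 2. Enable with TPM + PIN and the Windows 10 1511+ cipher recommended above.
#    -UsedSpaceOnly keeps a fresh disk fast, much like the pre-provision step.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    $pin = Read-Host -Prompt 'Enter the initial BitLocker PIN' -AsSecureString
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest | Out-Null
}

# 3. Add a recovery password if none exists. This is the 48-digit password the
#    "BitLocker Recovery" tab in Active Directory Users and Computers displays.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 4. Escrow every recovery password to AD DS. The GPO "Save BitLocker recovery
#    information to AD DS" does this automatically; doing it explicitly makes the
#    script fail loudly when the computer object cannot be written (e.g. off-network).
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 5. Audit: status, cipher and protector types, so a rollout report can show
#    drift from the intended configuration.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    MountPoint       = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    EncryptionMethod = $vol.EncryptionMethod
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
}
if ($vol.EncryptionMethod -ne 'XtsAes256') {
    Write-Warning "Expected XtsAes256 but found $($vol.EncryptionMethod); check the GPO cipher setting for Windows 10 1511 and later."
}
```

Because the recovery password is escrowed before anything else depends on it, the script mirrors the “Do not enable BitLocker until recovery information is stored to AD DS” behaviour described above.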

Viewing Recovery Keys

To view BitLocker recovery keys, you need the BitLocker Recovery Password Viewer from RSAT. This tool adds an additional tab called “BitLocker Recovery” when you view a computer object from Active Directory Users and Computers. It will show you the recovery password for the computer.

If you do not have the computer name, the tool also adds a "Find BitLocker recovery password" option to the context menu of the domain. From there you type in the password ID shown on the recovery screen of the locked computer (the first eight characters of the recovery key ID are enough), and the viewer finds the matching computer and password.
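The same two lookups can be scripted with the ActiveDirectory module, which is useful for a help desk tool or for auditing which computers have no escrowed key at all. This is an added example, not part of the original post or the RSAT viewer. It assumes read access to msFVE-RecoveryInformation objects (by default only Domain Admins have it) and that the objects carry the default name the escrow policy writes, a timestamp followed by the recovery GUID in braces, so a prefix search on the name stands in for decoding the binary msFVE-RecoveryGuid attribute.

```powershell
# Added example (not from the original post): query escrowed BitLocker recovery
# passwords directly from AD DS, either by computer name or by the password ID
# shown on the recovery screen. Requires the ActiveDirectory (RSAT) module.

function Get-BitLockerRecoveryFromAD {
    [CmdletBinding(DefaultParameterSetName = 'ByComputer')]
    param(
        [Parameter(ParameterSetName = 'ByComputer', Mandatory)] [string]$ComputerName,
        # First 8 hex characters of the recovery key ID on the lock screen, e.g. 'A1B2C3D4'.
        [Parameter(ParameterSetName = 'ByPasswordId', Mandatory)] [string]$PasswordId
    )

    $props = 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

    if ($PSCmdlet.ParameterSetName -eq 'ByComputer') {
        # Recovery objects are children of the computer account, one per escrowed password.
        $computer = Get-ADComputer -Identity $ComputerName
        $objects = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
            -Filter { objectClass -eq 'msFVE-RecoveryInformation' } -Properties $props
    } else {
        $id = ($PasswordId -replace '[^0-9A-Fa-f]', '').ToUpper()
        if ($id.Length -lt 8) { throw 'Password ID must be at least 8 hex characters.' }
        # Assumption: CN = "<timestamp>{<recovery GUID>}", so the GUID prefix is searchable by name.
        $objects = Get-ADObject -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$id*))" -Properties $props
    }

    foreach ($o in $objects) {
        # Parent DN is the computer account; pull its CN for display.
        $parentDn = ($o.DistinguishedName -split ',', 2)[1]
        [pscustomobject]@{
            Computer         = $parentDn -replace '^CN=([^,]+).*', '$1'
            Created          = $o.whenCreated
            RecoveryGuid     = [guid]::new([byte[]]$o.'msFVE-RecoveryGuid')
            RecoveryPassword = $o.'msFVE-RecoveryPassword'
        }
    }
}

# Get-BitLockerRecoveryFromAD -ComputerName 'PC01'
# Get-BitLockerRecoveryFromAD -PasswordId 'A1B2C3D4'
```

Treat the output as a secret: whoever can run this can unlock the drive, so the delegation on msFVE-RecoveryInformation objects deserves the same scrutiny as the Domain Admins group itself.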

Securing Your Organization

Securing Windows endpoints with BitLocker and other measures in a large organization is a challenge because you have so many computers and so little time. Adaptiva offers technology that can automate security configuration management across the company. It can identify violations of security and compliance policies, including those involving Microsoft and third-party security applications, and automatically remediate them. It has built-in checks for BitLocker, but can do a great deal more.

Download this Adaptiva Client Health key features data sheet if you would like to learn more:

Happy BitLocker-ing!

Matt Tinney is CEO, Windows Management Experts.




If you have started a Windows 10 migration in your corporate environment, you’ve probably heard about MBR2GPT.exe, the tool that helps convert the disk layout on a PC from the legacy Master Boot Record (MBR) to GUID Partition Table (GPT). While the tool was introduced in the Insider Preview versions, it is officially supported in Windows 10 1703 (also known as the Creators Update). MBR2GPT.exe is the only Microsoft-supported way to convert a production disk (one with data already on it) from MBR to GPT without data loss. The tool can be run from an administrative command prompt after an in-place upgrade to Windows 10 1703, or in the Windows PE (WinPE) environment. Furthermore, older versions of Windows 10 (v1511 and v1607) can be converted using the tool if booted into WinPE.

If a drive is protected with BitLocker encryption, then you will need to suspend BitLocker before converting. After conversion, delete the existing protectors (PIN, Password, Certificate, etc.) and recreate them to resume encryption. If you are using third-party disk encryption, you need to work with your ISV. It’s the only sure way to determine the minimum requirements to successfully convert disk partitions without triggering a device lock or brick while keeping the drive encrypted.

How Does It Work?

Converting within Windows

To start the conversion within Windows, open an administrative command (or PowerShell) prompt. To see the full list of command line switches that can be passed to the tool, type mbr2gpt.exe /? or mbr2gpt.exe /help.


The correct syntax to run the conversion tool within a Windows session is

mbr2gpt.exe /convert /allowFullOS


If you simply want to validate the disk (run a check without converting), then just replace the /convert switch with /validate.

mbr2gpt.exe /validate /allowFullOS
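The full-OS procedure above has three things that are easy to get wrong in a rush: running the tool after the firmware is already in UEFI mode, forgetting to suspend BitLocker first, and converting without validating. The script below wraps the same two mbr2gpt.exe commands with those guards. It is an added example, not part of the original post or of Microsoft's tool; it assumes Windows 10 1703 or later, an elevated session, and the BitLocker module. The return code it reports is the tool's own (0 is success), and on failure it shows the tail of setuperr.log from %windir%, which is where the tool writes its most detailed errors.

```powershell
# Added example (not from the original post): guarded wrapper for in-OS MBR2GPT use.
# Refuses to run under UEFI firmware (convert the disk before switching BIOS to UEFI),
# validates before converting, suspends BitLocker, and surfaces setuperr.log on failure.
#Requires -RunAsAdministrator

function Invoke-Mbr2GptConversion {
    param(
        [int]$DiskNumber = 0,        # /disk defaults to the system disk; made explicit here
        [switch]$ValidateOnly
    )

    # $env:firmware_type is 'UEFI' or 'Legacy' on Windows 8 and later.
    if ($env:firmware_type -eq 'UEFI') {
        throw 'Firmware is already in UEFI mode; convert the disk before switching BIOS to UEFI.'
    }

    $mbr2gpt = Join-Path $env:windir 'System32\mbr2gpt.exe'
    if (-not (Test-Path $mbr2gpt)) { throw 'mbr2gpt.exe not found; it ships with Windows 10 1703 and later.' }
    $errLog = Join-Path $env:windir 'setuperr.log'

    # Validation is the cheap, non-destructive half; always run it first.
    & $mbr2gpt /validate /disk:$DiskNumber /allowFullOS | Out-Null
    if ($LASTEXITCODE -ne 0) {
        if (Test-Path $errLog) { Get-Content $errLog -Tail 20 }
        throw "Validation failed with return code $LASTEXITCODE; the disk was not changed."
    }
    if ($ValidateOnly) { return 0 }

    # Suspend (not disable) BitLocker on every protected volume. -RebootCount 0 keeps it
    # suspended until explicitly resumed, which matters because protectors must be
    # deleted and recreated after the conversion.
    Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On' | ForEach-Object {
        Suspend-BitLocker -MountPoint $_.MountPoint -RebootCount 0 | Out-Null
    }

    & $mbr2gpt /convert /disk:$DiskNumber /allowFullOS | Out-Null
    $rc = $LASTEXITCODE
    if ($rc -ne 0) {
        if (Test-Path $errLog) { Get-Content $errLog -Tail 20 }
        throw "Conversion failed with return code $rc (see the tool's Return Codes list)."
    }

    Write-Warning "Disk $DiskNumber converted to GPT (irreversible). Recreate the BitLocker protectors, resume protection, then switch the firmware to UEFI."
    return $rc
}

# Invoke-Mbr2GptConversion -ValidateOnly
# Invoke-Mbr2GptConversion
```

Deliberately, the script does not recreate the protectors or switch the firmware for you: both steps depend on your PIN/TPM policy and on the vendor's BIOS tooling, and a failure between them is exactly the "bricked until converted back to BIOS" situation described later in this post.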


Converting within WinPE

To convert the disk layout in WinPE, use a Run Command Line task sequence step with the following syntax (the boot image has to come from the Windows 10 1703 ADK or later so that mbr2gpt.exe is present in WinPE). The /disk switch is optional and defaults to the system disk, but being explicit avoids surprises on machines with more than one disk:

cmd.exe /c mbr2gpt.exe /convert /disk:<disknumber>


What If I’m Refreshing or Replacing the PC?

If you’re re-installing Windows to the current disk, or if you’re replacing the drive or computer, you will not be using the MBR2GPT.exe tool. If the system is booted in UEFI mode before the Format and Partition Disk step happens in the Install Operating System group, the Task Sequence engine will happily format the disk for GPT. If you have created a sequence that restores user data, it will still be able to be restored.

What Are the Limitations?

The first and perhaps most important limitation is that MBR2GPT.exe is not the same thing as “BIOS to UEFI”. MBR2GPT.exe is a tool to convert partition layout while BIOS to UEFI is the process of converting a system’s firmware mode from BIOS to UEFI.

While MBR2GPT.exe can be run from the full OS, or in WinPE, it should be run before the conversion of BIOS to UEFI during an in-place upgrade and most preferably in WinPE. If the tool is run after the firmware mode is converted, and for some reason is unsuccessful with the conversion, the device will essentially be bricked until the PC is manually converted back to BIOS mode.

If you are performing a PC refresh or replace, the PC should be converted before the “Format and Partition Disk” step runs in the Install Operating System Group. It is possible to do this later in the sequence, but this route is more reliable. This is because this group has two Format and Partition actions with variables on them that read whether the PC is in BIOS mode or UEFI mode and formats and partitions the disk accordingly. As you can see below, the top image depicts what the Task Sequence engine will do to the disk if the PC is running in BIOS mode, and the bottom image shows what it will do to the disk if it is in UEFI mode. The most important takeaway is that BIOS mode means the disk will be formatted in MBR layout, and UEFI means it will be formatted in GPT layout.


Legacy versions of Windows aren’t officially supported. If you successfully convert the partition type into GPT layout, you’ve stepped out of the realm of support. Typically, “not officially supported” means it can likely be done, but it isn’t well tested internally, so you’re on your own if something goes wrong or if you have questions. It would be better to upgrade the system to a version of Windows that is supported.

Once the disk layout has been converted, you cannot undo it. Furthermore, if the layout was performed during an in-place upgrade, you will not be able to go back to a previous version of Windows. I was able to test and validate this limitation in all three major PC vendors (Dell, Lenovo, HP).

To use the tool, the disk to be converted needs to have less than four partitions (meaning three partitions is the maximum). In testing the conversion tool, it was noted that Dell models create an extra recovery partition during an in-place upgrade, which can cause the conversion tool to fail if you hit the limit of partitions before the upgrade runs. To get around this, I deleted all recovery partitions, leaving the PC with only two partitions. During the in-place upgrade, the Dell PC created a third partition (as expected) that didn’t cause the conversion tool to fail. The HP and Lenovo models I tested did not create extra partitions during the in-place upgrade.

If you are going to use one sequence to handle all hardware models, ensure that you are supplying the correct driver package for the model running the upgrade and that the engine can read and process the variable. If the variable you set on your driver package is incorrect, setup.exe will not use it. While the discussion about why you need to provide driver packages during an in-place upgrade is a bit off topic, it is important to note. It matters because some of the vendor models that I tested failed the MBR2GPT.exe conversion later in the in-place upgrade when I did not also provide driver packages to them. This may not be true for every vendor model, but it happened consistently enough in my testing to be deemed important to take note of.

How Do I Check What Partition Type My Disks Are Using?

Open an administrative command prompt, start diskpart, and type the following:

diskpart

select disk <disk number>

list part

sel part <partition number>

detail part

If the disk is using the MBR partition type, detail part shows a two-digit hex partition type, 07 for an NTFS partition as on the Windows 7 PC I tested. On a GPT disk the Type field is a partition type GUID instead.

A quicker check that covers every disk at once is:

list disk

Any disk with an asterisk under the Gpt column is in GPT layout, as on this Windows 10 PC.

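Because MBR2GPT.exe is not "BIOS to UEFI", the check that actually matters before a migration is the pair: what layout is the boot disk in, and what mode is the firmware in? The diskpart walk-through above answers the first; this added example (not from the original post) answers both in one table and flags the two mismatches that leave a PC unbootable, MBR under UEFI and GPT under legacy BIOS. It needs Windows 8 or later (Get-Disk comes from the Storage module, and the OS sets $env:firmware_type); on Windows 7 fall back to the diskpart commands.

```powershell
# Added example (not from the original post): partition style plus firmware mode
# per disk, with a mismatch flag and a "too many partitions for MBR2GPT" flag.

function Get-BootLayoutReport {
    # 'UEFI' or 'Legacy' on Windows 8+; not set on Windows 7.
    $firmware = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }
    $expected = if ($firmware -eq 'UEFI') { 'GPT' } else { 'MBR' }

    foreach ($disk in Get-Disk | Sort-Object Number) {
        $parts = @(Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue)
        $style = $disk.PartitionStyle.ToString()   # MBR, GPT or RAW
        [pscustomobject]@{
            Disk           = $disk.Number
            Model          = $disk.FriendlyName
            PartitionStyle = $style
            Partitions     = $parts.Count
            IsBootDisk     = $disk.IsBoot
            Firmware       = $firmware
            # MBR2GPT.exe refuses disks with more than three partitions (see Limitations).
            TooManyParts   = ($style -eq 'MBR') -and ($parts.Count -gt 3)
            # Only the boot disk has to agree with the firmware mode.
            Mismatch       = $disk.IsBoot -and ($style -ne $expected)
        }
    }
}

Get-BootLayoutReport | Format-Table -AutoSize
```

Run it as a pre-flight step in the task sequence or collect the output with hardware inventory; a fleet-wide count of IsBootDisk = True with PartitionStyle = MBR is the size of your MBR2GPT job, and TooManyParts = True is the list of machines that need the recovery-partition cleanup described in the Dell note above.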


When the MBR2GPT.exe tool is run, it creates four logs in the %windir% directory (C:\Windows). The four logs are setuperr.log, setupact.log, diagerr.xml, and diagwrn.xml with setuperr.log having the most detailed information. In the example below, I ran the tool and saw in setuperr.log that it failed because there are too many partitions.


A full list of error codes for the tool can be found on TechNet under the Return Codes section here. Note that these error codes are specific to the tool itself and shouldn't be confused with error codes that the Windows 10 setup or the Task Sequence engine may throw.

Real-World Applications

If you would like ready-made sequences that handle both MBR2GPT.exe and BIOS to UEFI for both PC refresh/replace and in-place upgrade scenarios, I have created a document that walks through the setup of both scenarios on Adaptiva's SCCM Academy. The community solution is free, and includes two Task Sequences that can be imported into your environment. It's up to you to provide all the dependencies (1703 Boot Image, Vendor Tools for BIOS to UEFI, etc.). However, these are working sequences that I have run against all three vendors in my lab, and they could save you days of work.

You can download the Secure 10: BIOS to UEFI 2017 Update Document and Task Sequences from:

Happy migrating!

Ami Casto is the technical evangelist for Adaptiva. If you have questions or problems using these task sequences, tweet her at @adaptivaami.


If you are an IT professional responsible for maintaining thousands or millions of Windows endpoints, questions like this may be keeping you up at night:

  • Are you sure all your applications—security, in-house and third-party—are current, configured correctly and running successfully?
  • Do you know if all your Windows endpoints are operating within company policies for privacy, security and regulatory compliance?
  • If you discover a security breach or vulnerability, do you have the ability to quickly find out which machines are affected, and automatically remediate them across a global enterprise?

When you combine SCCM with Adaptiva Client Health™, you can rest easy.  Adaptiva Client Health lets SCCM handle those things quickly, easily and automatically. Some of the largest companies in the world, including many in the Fortune 500 and Global 1,000, are using Client Health. One international bank runs 800,000 health checks on its endpoints daily to instantly detect and remediate possible issues.

Client Health At-a-Glance

When SCCM 2012 was released, Microsoft included a tool called CCMEval (a.k.a. SCCM Health Checks). It includes pre-defined health checks and remediations aimed at maintaining the health of SCCM client agent itself.

While Adaptiva Client Health comes with over twice as many pre-built health checks and remediations as SCCM, static checks are just a tiny fraction of what Adaptiva Client Health does. This table provides a quick look at what Adaptiva adds to SCCM.


Custom Health Checks and Remediations

While SCCM Health Checks are limited to a pre-defined set of checks and remediations, Adaptiva Client Health provides a visual WorkFlow Designer and Engine. Workflows are easy to build and simple to deploy. Adaptiva Client Health can quickly detect, troubleshoot and remediate issues across hundreds of thousands of systems—all automatically. This table shows some basic capabilities, but the possibilities are limitless and can be infinitely more powerful.



For smaller companies concerned only with the health of the SCCM client itself, and running Microsoft security technologies exclusively, the native SCCM Health Checks may meet your limited needs. For companies looking to maintain the health and security of all settings and applications, as well as Windows itself, Adaptiva Client Health gives SCCM true global health automation. Adaptiva also gives administrators the flexibility to easily create their own checks and remediations as new endpoint health, security and compliance issues arise. Also, if a company is using third-party security software, Adaptiva can ensure your endpoints are properly secured.

For more information about how Adaptiva Client Health can help you rest easy, request a free product demo.

Bill Bernat is the director of product marketing at Adaptiva.


Tomorrow, Friday, August 14th, there will be a free online training event for Windows 10 in the Enterprise hosted by Microsoft Technical Evangelist Simon May.


The methods for provisioning and managing devices are changing rapidly with Windows 10. There are opportunities to drastically rethink the way devices receive compliance settings, software, and updates, which allows IT organizations to be far more agile than they have been. Improvements to Azure AD Domain Join, Microsoft Intune, and a slew of other cloud technologies also have the potential to change the way IT challenges have been overcome in the past.


Check this session out for everything you need to get your IT organization ready for Windows 10 in the enterprise. Simon will talk about changes to deployment, servicing, and new features that IT departments will want to be on top of.


Register for the live online Windows 10 Jumpstart training with Simon May


While many enterprises have traditionally had a slow (or very slow) approach to testing and deploying new operating systems, Microsoft hopes to shatter that old paradigm with Windows 10.  Incredibly significant engineering investments have been made to enable highly successful in-place upgrades to Windows 10 from Windows 7 and Windows 8.1.  This means that starting to test and deploy the new operating system no longer requires full wipe and reloads, and business areas can identify devices for production pilots with minimal effort.

I hope that helps,






Hi All, today I’m pleased to inform you that the new beta version (v0.02) of the System Center 2012 R2 Configuration Manager Dashboard (CM12R2Dashboard) has been released.

Overview

The System Center 2012 R2 Configuration Manager Dashboard (CM12R2Dashboard) enables SCCM administrators and support teams to monitor the SCCM environment to take the right decision at the right time. It can provide status on client activity, client health, deployments, content status and much more, and has been designed to provide clear information to support teams, SCCM administrators and managers. The CM12R2Dashboard is totally customizable, allowing it to show the information that is required by the customer. It can determine, based on customized parameters, when the information is in a Warning or Critical state by changing the information background colour. It can run on Windows 7+ and Windows 2008+ with at least PowerShell 3.0 (recommended 4.0) and .Net Framework 4 and depends on the installation…

Read the complete blog:

Over the past few weeks I have been busy updating the System Center 2012 R2 Configuration Manager HealthCheck Toolkit (CM12R2HealthCheck) to version 0.03, and today I’m pleased to say that it has been released.

What is the System Center 2012 R2 Configuration Manager HealthCheck Toolkit?

The System Center 2012 R2 Configuration Manager HealthCheck Toolkit (CM12R2HealthCheck) has been created to check for problems and/or misconfigurations in the SCCM environment and, when possible, will provide you with some solutions for problems. This version contains a series of bug fixes, performance improvements as well as new functionality. We also would like to add the following notes/requirements: We have tested this tool on a single primary site and a single primary site with secondary sites. We do expect it to work in a CAS environment; however, we have not been able to test that. We have run the tool remotely as well as locally on the…

Read the complete blog:


SCCM 2012 Hardware Inventory Report

Unveil your Hardware Data

This SCCM 2012 hardware inventory report lets you see all your hardware in a single view. There is no need to browse multiple built-in reports anymore. Use it to quickly find a specific machine with a particular specification (disk, CPU, serial number…).

This report easily returns valuable information to your management team:

How many computers does our company own? How many DELL Optiplex 780?
Which computers are still running Windows XP or Windows 2003?
What's the serial number of computer XYZ?
We urgently need to update a specific hard drive firmware; which computers have the affected model?

We split this SCCM 2012 hardware inventory report into 5 sections:

Details, System, Processor, Disk and Video Controller.
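Every one of the questions above comes from the same handful of hardware inventory views in the site database: v_R_System for the machine, v_GS_COMPUTER_SYSTEM for manufacturer and model, v_GS_PC_BIOS for the serial number, v_GS_OPERATING_SYSTEM, v_GS_PROCESSOR and v_GS_DISK for the rest. The script below is an added example and not the report from the post: it runs one parameterized query over those views so the same result set answers "how many OptiPlex 780" and "what is XYZ's serial number". The SQL server name, database name and model pattern are placeholders; it assumes Windows authentication and read access to the site database (the smsschm_users role or a read-only login), and that v_GS_DISK.Size0 is in megabytes, which is how ConfigMgr stores it.

```powershell
# Added example (not the post's report): one query over the standard ConfigMgr
# hardware inventory views, parameterized so it cannot be broken by a model name
# or computer name containing quotes. Server/database names are placeholders.

$query = @"
SELECT  s.Name0                                  AS ComputerName,
        os.Caption0                              AS OperatingSystem,
        cs.Manufacturer0                         AS Manufacturer,
        cs.Model0                                AS Model,
        bios.SerialNumber0                       AS SerialNumber,
        cpu.Name0                                AS Processor,
        STUFF((SELECT ', ' + d.Model0 + ' (' + CAST(d.Size0 / 1024 AS varchar(10)) + ' GB)'
               FROM v_GS_DISK d WHERE d.ResourceID = s.ResourceID
               FOR XML PATH('')), 1, 2, '')     AS PhysicalDisks
FROM    v_R_System s
LEFT JOIN v_GS_OPERATING_SYSTEM os ON os.ResourceID   = s.ResourceID
LEFT JOIN v_GS_COMPUTER_SYSTEM cs  ON cs.ResourceID   = s.ResourceID
LEFT JOIN v_GS_PC_BIOS bios        ON bios.ResourceID = s.ResourceID
LEFT JOIN v_GS_PROCESSOR cpu       ON cpu.ResourceID  = s.ResourceID
WHERE   s.Obsolete0 = 0
  AND  (@Model IS NULL OR cs.Model0 LIKE @Model)
  AND  (@Name  IS NULL OR s.Name0  = @Name)
ORDER BY s.Name0
"@

function Get-CMHardwareInventory {
    param(
        [string]$SqlServer = 'sccmsql.contoso.local',   # placeholder: site database server
        [string]$Database  = 'CM_P01',                 # placeholder: site database (CM_<sitecode>)
        [string]$Model,                                 # LIKE pattern, e.g. 'OptiPlex 780%'
        [string]$Name                                   # exact computer name
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $query
    # Typed parameters: a NULL means "no filter" for that column.
    [void]$cmd.Parameters.AddWithValue('@Model', $(if ($Model) { $Model } else { [DBNull]::Value }))
    [void]$cmd.Parameters.AddWithValue('@Name',  $(if ($Name)  { $Name }  else { [DBNull]::Value }))
    $table = New-Object System.Data.DataTable
    $conn.Open()
    try { $table.Load($cmd.ExecuteReader()) } finally { $conn.Close() }
    # Multi-socket machines return one row per CPU from v_GS_PROCESSOR; count distinct names.
    $table
}

# "How many DELL Optiplex 780?"
# ((Get-CMHardwareInventory -Model 'OptiPlex 780%').ComputerName | Sort-Object -Unique).Count
# "What's the serial number of computer XYZ?"
# (Get-CMHardwareInventory -Name 'XYZ').SerialNumber | Select-Object -First 1
```

The firmware question ("which computers have the affected drive model?") is the PhysicalDisks column filtered with a LIKE on the model string; if you need it often, move that into the query as a third parameter rather than filtering the whole fleet on the client side.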


Continue to read the complete blog post here :

In part 1 of this SCCM 2012 R2 Installation Guide blog series, we planned our hierarchy, prepared our SCCM 2012 R2 Server and Active Directory.

In part 2, we installed and configured SQL in order to install SCCM 2012 R2.

In part 3, we installed a stand-alone SCCM 2012 R2 Primary site.

In the next 16 parts, we will describe how to install the numerous Site Systems roles available in SCCM 2012 R2. Role installation order is not important, you can install roles independently of others.

This part will describe how to install SCCM 2012 R2 State Migration Point (SMP).

Role Description

The State Migration Point stores user state data when a computer is migrated to a new operating system.

This is not a mandatory Site System, but you need a State Migration Point if you plan to use the User State steps in your Task Sequence. These steps integrate with the User State Migration Tool (USMT) to back up your user data before applying a new operating system to a computer.


Site System Role Placement in Hierarchy

The State Migration Point is a site-wide option. It's supported to install this role on a child Primary Site, stand-alone Primary Site or Secondary Site. It's not supported to install it on a Central Administration Site.

Beginning with SCCM 2012 R2, the State Migration Point can be installed on the site server computer or on a remote computer. It can be co-located on a server that has the distribution point role.

SCCM 2012 State Migration Point Installation

  • Open the SCCM console
  • Navigate to Administration / Site Configuration / Servers and Site System Roles
  • Right click your Site System and click Add Site System Roles
  • On the General tab, click Next

Continue to read the complete blog post here :


Hi All, last week I was helping a customer with their migration from SCCM 2012 R2 to SCCM 2012 R2 CU4. There were already many things that had happened, collection migration, etc., but the consultant that was performing the migration wasn’t able to finish the job, so I was called in. During the migration, we migrated a couple of clients to test the migration script/GPO and we noticed the application catalog (probably the most used feature for them) wasn’t returning any result; however, when my user was logged on, I was able to see the applications that were deployed to the “All users” collection. Looking at the logs, I saw in the policy logs that the user policy was always with “0” assignments and so it was not bringing anything to the Application Catalog. I tried to reset the policy and reinstall the client, but none of those things worked. Looking further, on…

Read the complete blog: