Windows Autopilot (It’s Not for Everyone)

If you’re reading this you’ve probably heard Windows Autopilot / Modern Desktop being thrown around like confetti by Microsoft, their flunkies and other nerds on YouTube.  They have gone so far as to declare Autopilot the ultimate solution while dismissing SCCM / OSD (Operating System Deployment) as a relic slated for extinction like the dinosaurs.  So as an independent Microsoft Consultant whose core practice revolves around SMS/SCCM and desktop automation (15+ years of experience and countless desktop replacement projects), I’m naturally skeptical.  But as a matter of professional curiosity, I have a vested interest in this technology and have serviced several progressive customers who have bought into Autopilot/Intune hook, line and sinker.

Does Autopilot sound awesome in theory?  Absolutely.  Does it have the legs to supplant SCCM/OSD?  Doubtful…  at least not now anyway, or unless your end-user compute requirement is so basic that most of the caveats don’t apply to you.  This is not just my opinion: at Ignite 2019 Microsoft announced Endpoint Manager (co-management using both SCCM and Intune), which seems to be a step backwards.  So what’s with the about-face?

Here are some of the reasons why I consider Autopilot to be impractical for most organizations:

  1. Users don’t want to wait for hours before they can start using their PCs (this assumes they need more than just Office).  Not every user has gigabit Internet, the speeds we are accustomed to in LAN environments.
  2. Speaking from prior experience (it could have improved by now), deploying Win32 apps through Intune is unreliable.  Logging and reporting are sketchy for those looking to troubleshoot.  Your best bet is to put the app inside a wrapper with better logging.
  3. Most enterprises have sizable investments in on-prem solutions; their needs are more complex than just Office 365 or SaaS solutions.
  4. Group Policy is much more extensive than Intune policies.
  5. Most mature organizations have already made investments in other 3rd-party MDM solutions.
  6. Drivers and firmware get out of date.  If you have to do a wipe and load you have to account for this shortfall.
  7. Many features in Intune are still in preview mode, which speaks to its immaturity.  When you work with this stuff, you just get a sense of its rawness.

There are more, but I’m just trying to get the point across to support the subject line.

My take:

SCCM is not going away soon.  Those who have invested heavily in this technology should continue to utilize it to the fullest and maybe consider adopting Intune (more like a proof of concept) to provide unified management outside the perimeter network.

For that, I would recommend using Azure Hybrid AD Join, SCCM and Intune for co-management.  I will release a series of blogs on how to set this up, but more from the vantage point of customers who are deeply invested in SCCM and on-prem AD and are looking to extend management to Intune just to round things out.

Posted in Uncategorized | Leave a comment

SCCM / Microsoft Business Store Sync Fails

  1. You see the Sync Status as “Failed” in the SCCM console.

     [Screenshot: SCCM console showing the sync status as Failed]

  2. When you parse the WsfbSyncWorker.log file you see “Exception: [Microsoft.ConfigurationManager.CloudBase.CMHttpRequestException: Unsuccessful response when content result expected for request.”

     [Screenshot: WsfbSyncWorker.log showing the exception]

  3. Make sure to log into Microsoft Business Store, under Manage –> Settings (you must be an admin), add the Web App that you have created for your SCCM Connector and “Activate” it.

     [Screenshot: Microsoft Store for Business, Manage –> Settings]


“MBAM policy was detected. Verify that the OU used for pre-deployment does not apply MBAM policy.”

This happens when you run the Invoke-MbamClientDeployment.ps1 PowerShell script, say within a Task Sequence.

To bypass this issue you have to comment out the following in the script:

[Screenshot: the MBAM policy check lines to comment out]

This essentially skips the MBAM policy check and proceeds with encryption.  Note that the error text itself points at the cleaner fix: keep the OU used for pre-deployment free of MBAM policy, so the script does not need to be modified.


MDT – How to Scrub Primary Disk in WINPE before calling LiteTouch.wsf

Unlike SCCM, MDT does not have a “pre-start” field when you create a boot image.  The ask is for MDT to scrub the primary disk before attempting to load the list of task sequence(s).  Doing so is useful because sometimes a machine in a dirty state will stop MDT from initializing and reboot prematurely.

There are several things you have to do to achieve this:

  1. Alter the C:\Program Files\Microsoft Deployment Toolkit\Templates\Unattend_PE_x64.xml file:

     [Screenshot: the edited Unattend_PE_x64.xml]

  2. Create an “Extra Folder” to contain the necessary scripts to do this.  In my case I created a folder called D:\SRVAPPS\CMTRACE

     [Screenshot: contents of the extra folder]

  3. The cleandisk.txt would look like this:

     [Screenshot: cleandisk.txt]

  4. While the cleandisk.vbs would look like this:

     [Screenshot: cleandisk.vbs]

  5. Go to your Workbench Properties and go to the Windows PE tab.  Add the Extra Folder created in Step 2 into the field as outlined below:

     [Screenshot: Windows PE tab of the deployment share properties]

  6. Update your Deployment Share.  IT IS IMPORTANT that you select “Completely Regenerate the Boot Image”.

  7. Optionally update the Boot Image on the WDS service (if you have it) and restart the service.

There you have it.  When you PXE boot into WINPE and press F8 you will see all those files in the root of X:, and it should call the scrub disk VBS script before calling LiteTouch.vbs.

Just to note, I originally tried just calling it with CMD.EXE, but it just kept a command prompt window open.  I advise using VBS for this.
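As an added example of the scrub script described in the steps above (my own code, not the post’s cleandisk.vbs or cleandisk.txt, which the post shows only as screenshots), here is one way to write it.  It assumes, as the post’s F8 observation suggests, that the extra folder lands in the root of X: (a writable RAM drive in WinPE), that the diskpart script is X:\cleandisk.txt, and that the RunSynchronous command in Unattend_PE_x64.xml has been pointed at wscript.exe X:\cleandisk.vbs instead of LiteTouch.wsf; those file names and the log file name are assumptions.

```vbscript
' cleandisk.vbs  (added example, not the post's own script)
' Assumptions, mine not the post's: the extra folder lands in the root of X:
' in WinPE, the diskpart script is X:\cleandisk.txt, and the RunSynchronous
' command in Unattend_PE_x64.xml now runs "wscript.exe X:\cleandisk.vbs"
' instead of LiteTouch.wsf directly.
Option Explicit

Const DISKPART_SCRIPT = "X:\cleandisk.txt"
Const LITETOUCH       = "X:\Deploy\Scripts\LiteTouch.wsf"
Const LOGFILE         = "X:\cleandisk.log"

Dim oShell, oFso, rc
Set oShell = CreateObject("WScript.Shell")
Set oFso   = CreateObject("Scripting.FileSystemObject")

' Append one timestamped line to a log you can read from the F8 prompt.
Sub WriteLog(msg)
    Dim f
    Set f = oFso.OpenTextFile(LOGFILE, 8, True)   ' 8 = ForAppending
    f.WriteLine Now & "  " & msg
    f.Close
End Sub

' Create the diskpart script if the extra folder did not ship one.
' "clean" only drops the partition table of disk 0; LiteTouch's own
' Format and Partition step creates the new layout later.
Sub EnsureDiskpartScript()
    Dim f
    If Not oFso.FileExists(DISKPART_SCRIPT) Then
        Set f = oFso.CreateTextFile(DISKPART_SCRIPT, True)
        f.WriteLine "select disk 0"
        f.WriteLine "clean"
        f.WriteLine "exit"
        f.Close
    End If
End Sub

' Run a command with no visible window (0) and wait for it (True);
' the return value is the process exit code.
Function RunHidden(cmd)
    RunHidden = oShell.Run(cmd, 0, True)
End Function

EnsureDiskpartScript
WriteLog "Running diskpart /s " & DISKPART_SCRIPT
rc = RunHidden("diskpart.exe /s " & DISKPART_SCRIPT)
WriteLog "diskpart exit code " & rc

' Hand over to MDT either way (a failed clean is visible in the log and the
' wizard still lets you investigate).  Wait for LiteTouch to finish: if this
' script returned while LiteTouch was still running, the RunSynchronous
' command would be considered complete and WinPE could restart underneath
' the deployment.
WriteLog "Starting " & LITETOUCH
oShell.Run "wscript.exe " & LITETOUCH, 1, True
```

Two things to check before putting this in a production boot image: “select disk 0” matches the post’s “primary disk” assumption, but when the boot media is a USB stick rather than PXE it can enumerate as disk 0, so test on your hardware first; and diskpart’s exit code is logged rather than treated as fatal, so a machine the scrub could not fix still reaches the wizard, where X:\cleandisk.log tells you what happened.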


HP BIOS Update in Task Sequence Returns Error Code 260

You’re missing the BIOS recovery partition.  Be sure to use the -h switch in your Task Sequence Command Line.

[Screenshot: HpFirmwareUpdRec64 returning error code 260]

".\BIOS\Elitebook\840\G5\sp91951\HpFirmwareUpdRec64.exe" -s -h -r -p"yourpasswordfile.bin"


USMT fails as task sequence 4005 if you rerun

Had to rerun a USMT restore on a machine, kept getting failures indicating it has no permission to the State Migration Point share.  Try running this command:

Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates*' -Force; Restart-Service ccmexec

This clears the SCCM client’s self-signed certificates; the client recreates them when the ccmexec service restarts, which re-establishes its access to the State Migration Point.


Migrate Office 2010 Profiles to Office 2013/2016 using USMT

When using USMT to facilitate a Windows 7 to Windows 10 migration with SCCM, part of the success condition is to migrate Outlook profiles.  Migrating signature(s) is simple enough, but migrating Outlook profile(s) may prove to be a little more involved because they are kept in different spots in the registry; in my case it is Office 2010 to Office 2016.  You basically have to copy from one registry key to another.  Here’s the excerpt to be included in your XML file.  I just integrated this in my main config.xml file.  Apologies for the formatting in advance.

<component type="System" context="UserAndSystem">
  <displayName>Outlook2010-to-Outlook2016</displayName>
  <role role="Settings">
    <rules>
      <!-- Outlook 2010 keeps its MAPI profiles under the Windows Messaging Subsystem key. -->
      <include>
        <objectSet>
          <pattern type="Registry">HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\* [*]</pattern>
        </objectSet>
      </include>
      <!-- RelativeMove rewrites the key prefix so the profiles land where Outlook 2016 (16.0) looks for them. -->
      <locationModify script="MigXmlHelper.RelativeMove('HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles','HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles')">
        <objectSet>
          <pattern type="Registry">HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\* [*]</pattern>
        </objectSet>
      </locationModify>
    </rules>
  </role>
</component>

<component type="System" context="UserAndSystem">
  <displayName>Outlook2013-to-Outlook2016</displayName>
  <role role="Settings">
    <rules>
      <!-- Outlook 2013 stores its profiles under Office\15.0\Outlook\Profiles, so both
           patterns in this component must use that key rather than the 2010 key above;
           otherwise RelativeMove has nothing under its source path to move. -->
      <include>
        <objectSet>
          <pattern type="Registry">HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\* [*]</pattern>
        </objectSet>
      </include>
      <locationModify script="MigXmlHelper.RelativeMove('HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles','HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles')">
        <objectSet>
          <pattern type="Registry">HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\* [*]</pattern>
        </objectSet>
      </locationModify>
    </rules>
  </role>
</component>
