Trying to Move computers in MDT TS.

  • Question

  • I have ADWebService set up on my server. Testing it does move the pc to my desired OU. It is an OU within an OU and I have that working.

    When adding this to MDT, it doesn't move the pc. I will say that I manually add computers to the "staging OU" prior to kicking off MDT.

    I am using this link to set up the move process:

    https://deploymentresearch.com/Research/Post/562/Moving-Computers-to-another-OU-during-deployment-Webservice-style


    Here is my CS.ini

    [Settings]
    Priority=Default
    Properties=StagingOU, FinalOU

    [Default]
    _SMSTSORGNAME=MSHP
    OSInstall=Y
    SkipAppsOnUpgrade=NO
    SkipAdminPassword=YES
    SkipProductKey=YES
    SkipComputerName=NO
    SkipComputerBackup=YES
    SkipDomainMembership=NO
    SkipUserData=YES
    SkipLocaleSelection=YES
    SkipTaskSequence=NO
    SkipTimeZone=YES
    SkipApplications=NO
    SkipBitLocker=NO
    SkipSummary=YES
    SkipBDDWelcome=NO
    SkipCapture=YES
    SkipFinalSummary=NO
    TimeZone=020
    TimeZoneName=Central Standard Time

    JoinDomain=domain.name
    DomainAdmin=username
    DomainAdminDomain=domain.name
    DomainAdminPassword= p/w
    StagingOU=ou=Install Computers, DC=etc.....
    FinalOU=ou=Win 10 BitLocker Computers,OU=Windows 10 Computers,DC=domain, etc


    [MoveComputerToOU]
    WebService=http://TestMdtServer/ADWebService/ad.asmx/MoveComputerToOU
    Parameters=OSDComputerName, MachineObjectOU

    FinishAction=Reboot

    The italicized lines are newly added from the link.

    I have the MOVE step in MDT near the end. The pc boots up in the staged OU, which it must for our org. Then, after all the regular things going on, it Moves the pc to the Final OU. I added a restart so the policies would kick in, then the last step is Enable Bitlocker.

    I'm unclear on how to add the extra lines into my CS.INI. I already have a
    [Settings]
    Priority=Default
at the top of my file. Am I adding the extra at the bottom, verbatim? That seems to overwrite my existing Default. This is where I'm messing up.



    Monday, November 20, 2017 3:34 PM

All replies

  • I read Johan's article. While I do not use his webservice.... Try changing Priority=Default to Priority=Default, MoveComputerToOU to make sure both sections are being processed.

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Monday, November 20, 2017 5:38 PM
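Anton's point can be checked mechanically before a test deployment. The script below is an added example written for this page in PowerShell; it is not MDT's own ZTIGather code and not from Johan's article. It parses a CustomSettings.ini, reports which sections the Priority line actually makes MDT process, and flags sections (such as [MoveComputerToOU]) that are defined but never referenced. It assumes the commonly described gather rule that the Priority sections are walked left to right and the first value found for a property wins, so a later section does not overwrite what [Default] already set; that assumption is marked in the comments. The sample INI is a constructed, trimmed version of the file posted above with placeholder DNs.

```powershell
# Added illustration, not MDT's ZTIGather: read a CustomSettings.ini, show which
# sections Priority will process, and flag sections that are defined but ignored.
# Assumption: Priority sections are processed left to right and the first value
# found for a property wins (a later section never overwrites an earlier value).
# No web service is called; [MoveComputerToOU] is only resolved, not executed.

function Read-IniSections {
    param([string]$Text)
    $sections = [ordered]@{}
    $current  = $null
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.Contains($current)) { $sections[$current] = [ordered]@{} }
            continue
        }
        if ($null -ne $current -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $sections
}

function Test-CustomSettings {
    param([string]$IniText)
    $ini      = Read-IniSections -Text $IniText
    $priority = @()
    if ($ini.Contains('Settings') -and $ini['Settings'].Contains('Priority')) {
        $priority = @($ini['Settings']['Priority'] -split ',' | ForEach-Object { $_.Trim() })
    }
    $resolved = [ordered]@{}
    foreach ($name in $priority) {
        if (-not $ini.Contains($name)) {
            Write-Warning "Priority names section [$name] but the file has no such section"
            continue
        }
        foreach ($key in $ini[$name].Keys) {
            # first value found wins (assumed rule, see header comment)
            if (-not $resolved.Contains($key)) { $resolved[$key] = $ini[$name][$key] }
        }
    }
    # Sections that exist in the file but that Priority never reaches.
    $ignored = @($ini.Keys | Where-Object { $_ -ne 'Settings' -and $priority -notcontains $_ })
    [pscustomobject]@{ Processed = $priority; Ignored = $ignored; Resolved = $resolved }
}

# Constructed sample: the shape of the poster's file, trimmed, with placeholder DNs.
$broken = @"
[Settings]
Priority=Default
Properties=StagingOU, FinalOU

[Default]
OSInstall=Y
JoinDomain=domain.name
StagingOU=ou=Install Computers,DC=domain,DC=example
FinalOU=ou=Win 10 BitLocker Computers,OU=Windows 10 Computers,DC=domain,DC=example

[MoveComputerToOU]
WebService=http://TestMdtServer/ADWebService/ad.asmx/MoveComputerToOU
Parameters=OSDComputerName, MachineObjectOU
"@

# The one-line fix from the reply above: list the extra section in Priority.
$fixed = $broken -replace 'Priority=Default', 'Priority=Default, MoveComputerToOU'

foreach ($case in ([ordered]@{ broken = $broken; fixed = $fixed }).GetEnumerator()) {
    $r = Test-CustomSettings -IniText $case.Value
    "{0}: processed [{1}]; ignored [{2}]; WebService resolved = {3}" -f $case.Key,
        ($r.Processed -join ', '), ($r.Ignored -join ', '), $r.Resolved.Contains('WebService')
}
```

With the file as posted, the checker reports [MoveComputerToOU] as ignored and WebService as never resolved; with `Priority=Default, MoveComputerToOU` both sections are processed and every value from [Default] survives unchanged, which is the behaviour the question was worried about.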
  • I did get this all to work. Finally. The only thing I had an error with was the TPM password was missing. Is this the BIOS admin password? And can MDT set that?
    Monday, November 20, 2017 5:43 PM
  • You either need to set AdminPassword or TpmOwnerPassword property. Note: If the TPM password is needed and the TPMOwnerPassword property is not provided, the TPM password is set to the local Administrator password.

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    • Marked as answer by the1rickster Tuesday, November 21, 2017 1:38 PM
    Monday, November 20, 2017 6:38 PM
  • I went into the BIOS and manually set the BIOS admin password. The next time through, I did not get any error. I read a thread where you could set the TPM password in the CS.INI but before I do that, can you confirm that this is the BIOS admin password, or are they indeed two different things?

    The only thing remaining in this whole endeavor for me is not seeing the Bitlocker icon anywhere on the task bar. I can't monitor the progress of the encryption. If I bring it up in Control Panel, I see Suspend, Turn off.....but no progress icon. Any idea on that? You won't believe this would be a deal-breaker for them if they can't see that.

    Monday, November 20, 2017 6:46 PM
  • Yep. Two different things. The ZTIBDE script, which does the encryption, uses either your local admin password or tpm owner password (see above) to initialize the TPM chip. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. By the way, how did you setup BitLocker (as in wait for encryption to end?).

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Monday, November 20, 2017 7:10 PM
  • Thanks. I set up Bitlocker in my CS.INI as SkipBitlocker=NO. This way, I'm prompted to choose whether or not to activate it. I was hoping that it would default to "In AD" when selected, but no biggie.
    Being prompted to enable BL, I manually choose Enable, then In Active Directory during the Wizard. I did not choose 'Wait until it completes' which we likely won't be doing anyway.
    After a reboot, I don't see the progress icon.
    For this to work, I suppose each tech cloning a pc will need to set the BIOS admin password before starting. If someone kicks off a TS, selects enable Bitlocker, to AD, but doesn't have the admin password set, I wonder how this can be remedied. For testing, I set that p/w then reimaged and the error didn't appear.

    I'm hoping that the default in MDT is Full Encryption, and New Encryption Mode. Those are we're told to select when doing it manually.

    Monday, November 20, 2017 7:26 PM
  • BIOS password typically is not required to enable and activate the TPM in the BIOS. One of the two properties I outlined above on the other hand... Make sure that you use pre-provisioning so that you do not need to wait for the encryption to complete. Default encryption is used space only. You can change that by modifying ZTIBDE.wsf and commenting out the -used argument.

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Monday, November 20, 2017 7:35 PM
  • I'm not sure what pre-provisioning is. Pre-provisioning is if using SCCM, correct? I don't use that but am not familiar with provisioning. It isn't a big deal if the encryption is running while we continue the build of the pc, is it?

    I need to rem out the whole line:

    oUtility.RunWithHeartbeat """" & oEnv("SystemRoot") & "\system32\Manage-bde.exe"" -on " & oUtility.GetOSTargetDriveLetter & " -used"

    and that encrypts the entire drive?
    By default in MDT running Bitlocker, the encryption mode is "New Encryption Mode?" That's the other option we choose manually. "New" and "Entire Drive."


    Monday, November 20, 2017 7:55 PM
  • Here is how you would edit the line:

    oUtility.RunWithHeartbeat """" & oEnv("SystemRoot") & "\system32\Manage-bde.exe"" -on " & oUtility.GetOSTargetDriveLetter '& " -used"

    This will ensure that the entire disk will be encrypted. And just so we are on the same page: this primarily applies to the Enable BitLocker (Offline) step. The Pre-provision BitLocker task sequence step allows you to enable BitLocker from the Windows Preinstallation Environment (Windows PE) prior to operating system deployment. By default, only the used drive space is encrypted (the modification outlined above takes care of that). The cool thing about pre-provisioning is that encryption times are much faster. This is done with a randomly generated clear protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process.

    Make sure you set either AdminPassword or TpmOwnerPassword in CustomSettings.ini for this to work and make sure that TPM is enabled and activated in BIOS before running your task sequence.


    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Monday, November 20, 2017 8:44 PM
  • I'm with you so far. I can edit the line above. We do want the entire drive encrypted.
    Pre-provisioning is 'enabling' Bitlocker but encryption does not begin yet, correct?
    Are you saying that Bitlocker (Offline) and Pre-Provisioning steps are two different steps? I got that impression from your statement.
    If you're starting Bitlocker in WinPE, how does it write a key to AD? Or are you just enabling Bitlocker in WinPE but it's not running until the desktop?
    Monday, November 20, 2017 8:54 PM
  • Pre-provisioning starts drive encryption, but does not enable any protectors on the drive. The net result is, it saves you time in the end. Let's say you wish to fully encrypt the drive. By the time you enable BitLocker, part of the drive is already encrypted so it takes less time to finish encryption. Makes sense? Keith explained the concept of pre-provisioning in great detail here: https://keithga.wordpress.com/2015/01/08/security-week-mdt-litetouch-with-mbam/

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".



    Monday, November 20, 2017 9:00 PM
  • Then at what point does a recovery key get generated and written to AD?
    By default, Enable Bitlocker (Offline) is enabled in my TS. There are as many pc's that we need encrypted as not. Since I changed Skip=NO, I can get prompted to encrypt those we need to. So what is the Offline step doing all along so far, before I started working on Bitlocker in MDT?
    Basically I just need MDT to start a full disk encryption with the key being written to AD, and using the New Encryption Mode. So far, it is encrypting because I can move the pc to that OU. I can edit the line you mentioned, I just don't get how it starts to run in WinPE but will later write a key to AD?

    And just to make things more confusing...my local pc admin password is one thing, the BIOS password is another. I'm assuming I should use the BIOS admin password.

    Monday, November 20, 2017 9:11 PM
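The three things asked about in the last few posts (whether encryption is running and how far along it is, whether the "New encryption mode" was used, and whether the recovery password actually reached AD) can all be verified on the deployed machine. The following is an added PowerShell example written for this page, not code from the thread, from MDT or from the ZTIBDE script. It assumes Windows 10 with the built-in BitLocker module, the ActiveDirectory RSAT module on a domain-joined machine for the `-CheckAD` part, and English output from manage-bde for the conversion-status line, since Get-BitLockerVolume does not report used-space-only versus full encryption.

```powershell
# Added post-deployment check (not from the thread, MDT or ZTIBDE).
# Assumes: Windows 10 BitLocker module; RSAT ActiveDirectory module for -CheckAD;
# English manage-bde output for the "Conversion Status" line.

function Test-BitLockerDeployment {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$CheckAD
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # manage-bde -status is the built-in place that distinguishes
    # "Used Space Only Encrypted" (the -used default) from "Fully Encrypted".
    $statusText = (& manage-bde.exe -status $MountPoint) -join "`n"
    $conversion = if ($statusText -match 'Conversion Status:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }

    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $backedUp = $null
    if ($CheckAD -and $recovery.Count -gt 0) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
        # Recovery passwords are stored as msFVE-RecoveryInformation child objects of
        # the computer object; msFVE-RecoveryGuid equals the protector's KeyProtectorId.
        $adGuids = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
            -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -Properties 'msFVE-RecoveryGuid' |
            ForEach-Object { [guid]::new([byte[]]$_.'msFVE-RecoveryGuid') }
        $backedUp = @($recovery | Where-Object { $adGuids -contains [guid]$_.KeyProtectorId }).Count -eq $recovery.Count
    }

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus          # EncryptionInProgress / FullyEncrypted / ...
        EncryptionPercentage = $vol.EncryptionPercentage  # the progress the tray icon used to show
        EncryptionMethod     = $vol.EncryptionMethod      # XtsAes128 / XtsAes256 = "New encryption mode"
        ConversionStatus     = $conversion                # "Fully Encrypted" vs "Used Space Only Encrypted"
        ProtectionStatus     = $vol.ProtectionStatus      # Off until protectors are enabled
        TpmProtector         = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
        RecoveryPasswordIds  = $recovery.KeyProtectorId
        RecoveryPasswordInAD = $backedUp                  # $null when -CheckAD was not requested
    }
}

# Usage: run on the freshly deployed machine; drop -CheckAD where RSAT is absent.
$result = Test-BitLockerDeployment -CheckAD
$result | Format-List

# Remediation if a recovery password never reached AD (for example because the
# machine was still in the staging OU when the protector was added): push it now.
if ($result.RecoveryPasswordInAD -eq $false) {
    foreach ($id in $result.RecoveryPasswordIds) {
        Backup-BitLockerKeyProtector -MountPoint $result.MountPoint -KeyProtectorId $id
    }
}
```

The AD check is the part worth keeping in a deployment acceptance test: the recovery password is generated when the RecoveryPassword protector is added, but it is only backed up to AD when the effective policy requires it, so a machine that was moved to the final OU after protectors were added can end up encrypted with no key on record.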
  • I can't believe it encrypted in WinPE and then wrote to AD from the desktop. Not that I'm doubting you! I did have a logon issue...after the first reboot, it came up wanting to sign on as .\Administrator

    If I can get past that, I'm totally good to go.

    Monday, November 20, 2017 10:53 PM
  • Update: Most of the deployment lagged a bit longer than usual so my suspicion was that it was encrypting in WinPE. For all the extra time it took to get to the desktop, it was at 5% progress. This is because we, unlike most orgs who use MDT, pack our VMs so full that it takes literally 3.5 hours to capture a WIM.
    Dropping an image from beginning to end takes about 25 minutes, not all that bad, so they would crumble if everything was silently installed and installing from the desktop afterwards...they'll choose to keep it this way.

    That being said, I will not use the pre-provisioning method. Anything that takes a bit longer than it has makes them think something is broke and not working correctly. I mean, we are kicking off Bitlocker manually as it is now...so this does save time moving the pc, running gpupdate, logging off, on, and starting encryption.
    My next endeavor is MS Updates. Since our Server Group is in the process of making a WSUS, I will just run off that during MDT.
    Thanks for all your help!

    Tuesday, November 21, 2017 1:37 PM