We recently discovered that TPM ownership had not been taken during OSD on a majority of our devices. In the past, all we had to do was run two steps in the ‘State Restore’ section of our Windows 10 task sequence. First, install the MBAM agent, then start MBAM encryption via the Invoke-MbamClientDeployment.ps1 script.

First, a bit of background: We had MBAM 2.5 SP1 with Configuration Manager 2012 R2 integration…or at least we did originally. We later upgraded to Configuration Manager 1511, then again to 1602.

If you’re reading this, than like our organization, you’ve lost some log history in the smsts.log file that may have been important for troubleshooting an issue. I started seeing this problem after we integrated MDT into our task sequences. The capabilities MDT gives are you are really nice, however it does come with some downsides, such as significantly longer task sequences. And by longer, I mean many, many more steps. With more steps comes more logging in the smsts.log file. Unfortunately, you may have noticed that this file rolls over at approximately 1MB in size, appends a time and date stamp for a ‘log history file,’ then starts a new file. This can be problematic searching for text in multiple files and can be very frustrating when losing log history altogether. MDT task sequences have many steps right out of the box, you are more than likely going to lose some of that log history if you don’t make some changes.

We recently discovered a problem with Bitlocker on the Dell Latitude E5570 laptops, that after enabling bitlocker (we use MBAM), the computer prompts for a recovery key after every reboot. It turns out this is a problem with the Dell BIOS which is repaired through a BIOS update, though it has been noted that running in UEFI mode may fix this problem as well. There is a nice discussion in this issue here:

Do you hate doing things manually? Do you hate reading through forums and blogs to solve problems? I do, that’s why I write scripts to solve problems. They are concise and usually fairly readable. I referenced Niall Brady’s blog: http://www.windows-noob.com/forums/index.php?/topic/11071-how-can-i-increase-the-smstslog-file-size-for-pxe-based-os-deployments-using-system-center-2012-r2-configuration-manager/ for the solution, so thank you very much Niall! I have difficulty remembering the individual steps at times, so I like to script it out as a quick reference and to create a repeatable process. In this case, I wanted to increase the log size while in WinPE during Operating System Deployment (OSD) task sequences. If you want the specific detail, please refer to Niall’s blog, otherwise modify the variables in the script to suit the needs of your environment. Just change the variables, run the script, and update your boot images on the DPs and you’re all set!

Backup an image

1. Boot from WinPE media.
2. Determine the drive letter to be captured. This is typically C:,D:, or E:, but it can vary depending on which devices are connected to the system.
3. There are a few choices for where to back up the image, but my preference is to back it up to a network drive. To do this, run the following command: Net use Z: \
   You should see “The command completed successfully” if it works correctly. Remember, you need to have write permissions to this directory in order to save the image to it, so you should be prompted for credentials to connect to the share.
4. DISM.exe should already be in the path environment variable in WinPE 5.0, so you can call the DISM executable from pretty much anywhere. DISM.exe /Capture-Image /ImageFile:Z:\capture.wim /CaptureDir:E:\ Where Z:is the path to which you want to save the image and E: is the path to the partition with Windows installed. If the drive contains much data, it will take an amount of time proportional the amount of data and the throughput of your network, USB, or eSATA connection. Be patient Restore an image

Function New-SCCMUserCollection { PARAM ( [Parameter(Mandatory = $true)] $ADCollectionName, [Parameter(Mandatory = $true)] $CMCollectionName, $limitingCollection = “All Users”,

Customize the $path appropriately for your environment.

$path = “OU=Application Deployment,OU=Groups,DC=,DC=”, $description = “Application Deployment Group”,

Customize your domain name in the query.

$queryExpression = “select SMS_R_USER.ResourceID,SMS_R_USER.ResourceType,SMS_R_USER.Name,SMS_R_USER.UniqueUserName,SMS_R_USER.WindowsNTDomain from SMS_R_User where SMS_R_User.SecurityGroupName = ‘\$($ADCollectionName)’”, $ServerName = “”, $SiteCode = “<YourSiteCode” ) ## Get a reference object for grabbing the RefreshSchedule property # Use an existing collection as a template to replicate the RefreshSchedule. $refreshSchedule = (Get-CMDeviceCollection -Name “7zip”).RefreshSchedule[0] $ruleName = $CMCollectionName

## Create AD Security Group New-ADGroup -Name $ADCollectionName -SamAccountName $ADCollectionName -GroupCategory Security -GroupScope Universal -DisplayName $ADCollectionName -Path $path -Description $description -Verbose

## Create SCCM Collection New-CMUserCollection -Name $CMCollectionName -LimitingCollectionName $limitingCollection -Verbose -RefreshSchedule $refreshSchedule -RefreshType 2

## Add collection rule $CollectionName = Get-CMUserCollection -Name $CMCollectionName Add-CMUserCollectionQueryMembershipRule -CollectionId $CollectionName.CollectionID -RuleName $ruleName -QueryExpression $queryExpression -Verbose }

To start off, I should clarify that I typically use SCCM Task Sequences with MDT integration. The following scenario utilizes SCCM 2012 R2 with MDT 2013 integration.