Everything posted by anyweb
-
MDT fail at the end of the installation
anyweb replied to Nolfir's question in Microsoft Deployment Toolkit (MDT)
here's the failure...

<![LOG[Executing command line: cscript.exe "%SCRIPTROOT%\LTIApply.wsf"]LOG]!><time="15:14:36.471+480" date="02-28-2022" component="TSManager" context="" type="1" thread="2028" file="CommandLine.cpp:819">
<![LOG[Process completed with exit code 5624]

which then leads to...

Failed to run the action: Install Operating System. Unknown error (Error: 000015F8; Source: Unknown)
<![LOG[Let the parent group (Install) decides whether to continue execution]LOG]!><time="15:22:24.166+480" date="02-28-2022" component="TSManager" context="" type="0" thread="2028" file="instruction.cxx:1037">
<![LOG[The execution of the group (Install) has failed and the execution has been aborted. An action failed. Operation aborted (Error: 80004004; Source: Windows)

why is there an F:\ drive referenced in the log....

<![LOG[Let the parent group (Install) decides whether to continue execution]LOG]!><time="15:22:24.166+480" date="02-28-2022" component="TSManager" context="" type="0" thread="2028" file="instruction.cxx:1037">
<![LOG[The execution of the group (Install) has failed and the execution has been aborted. An action failed. Operation aborted (Error: 80004004; Source: Windows)]LOG]!><time="15:22:24.166+480" date="02-28-2022" component="TSManager" context="" type="3" thread="2028" file="instruction.cxx:221">
<![LOG[Could not find CCM install folder. Don't use ccmerrors.dll]LOG]!><time="15:22:24.166+480" date="02-28-2022" component="TSManager" context="" type="0" thread="2028" file="String.cpp:1364">
<![LOG[Failed to run the last action: Install Operating System. Execution of task sequence failed. Unknown error (Error: 000015F8; Source: Unknown)]LOG]!><time="15:22:24.166+480" date="02-28-2022" component="TSManager" context="" type="3" thread="2028" file="engine.cxx:249">
<![LOG[Executing in non SMS standalone mode.
Ignoring send a task execution status message request]LOG]!><time="15:22:24.166+480" date="02-28-2022" component="TSManager" context="" type="1" thread="2028" file="utils.cpp:6604">
<![LOG[Task Sequence Engine failed! Code: enExecutionFail]LOG]!><time="15:22:24.181+480" date="02-28-2022" component="TSManager" context="" type="3" thread="2028" file="tsmanager.cpp:1273">
<![LOG[****************************************************************************]LOG]!><time="15:22:24.181+480" date="02-28-2022" component="TSManager" context="" type="1" thread="2028" file="tsmanager.cpp:1301">
<![LOG[Task sequence execution failed with error code 80004005]LOG]!><time="15:22:24.181+480" date="02-28-2022" component="TSManager" context="" type="3" thread="2028" file="tsmanager.cpp:1302">
<![LOG[Cleaning Up.]LOG]!><time="15:22:24.181+480" date="02-28-2022" component="TSManager" context="" type="1" thread="2028" file="tsmanager.cpp:794">
<![LOG[Removing Authenticator]LOG]!><time="15:22:24.181+480" date="02-28-2022" component="TSManager" context="" type="1" thread="2028" file="tsmanager.cpp:922">
<![LOG[Cleaning up task sequence folder]LOG]!><time="15:22:24.181+480" date="02-28-2022" component="TSManager" context="" type="1" thread="2028" file="utils.cpp:2707">
<![LOG[File "F:\_SMSTaskSequence\TSEnv.dat" does not exist. (Code 0x80070005)]LOG]!><time="15:22:24.181+480" date="02-28-2022" component="TSManager" context="" type="3" thread="2028" file="CcmFile.cpp:219">
<![LOG[Unable to delete file F:\_SMSTaskSequence\TSEnv.dat (0x80070005). Continuing.]LOG]!><time="15:22:24.181+480" date="02-28-2022" component="TSManager" context="" type="1" thread="2028" file="CcmFile.cpp:1154">

see if you have an LTIApply.log anywhere and what does it reveal... -
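The excerpts above are in the CMTrace format the task sequence engine writes, and picking the failures out of a long smsts.log by hand is slow. The Python script below is an added example, not code from anyweb's post or from MDT: it parses CMTrace-style entries, returns the type 3 (error) entries, the 8-digit hex error codes and any drive paths mentioned, and pairs each decimal exit code with a hex code that is the same number (0x15F8 is 5624, so the "Unknown error 000015F8" and the LTIApply.wsf exit code are the same value). The sample log is constructed from the lines quoted in the post; two of those lines were quoted without their metadata, so the time and file values on them are made up.

```python
import re
from datetime import datetime

# One CMTrace / SMSTS entry. The message may contain line breaks, hence DOTALL.
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"'
    r'\s+component="(?P<component>[^"]*)"\s+context="(?P<context>[^"]*)"'
    r'\s+type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="(?P<file>[^"]*)">',
    re.DOTALL,
)
TIME_RE = re.compile(r'(\d{2}:\d{2}:\d{2}\.\d+)([+-]\d+)?')
# 8-hex-digit codes as the engine prints them: "(Error: 000015F8; ...)",
# "(Code 0x80070005)", "(0x80070005)", "error code 80004005". Requiring one of
# the leading tokens keeps other hex-looking tokens out of the match.
CODE_RE = re.compile(r'(?:Error:\s*|[Cc]ode\s*|\()(?:0x)?([0-9A-Fa-f]{8})\b')
EXIT_RE = re.compile(r'exit code (\d+)')
PATH_RE = re.compile(r'\b[A-Z]:\\[^\s"()]+')
SEVERITY = {"1": "info", "2": "warning", "3": "error"}

# Constructed sample built from the entries quoted in the post. The second and
# third entries were quoted without metadata, so their time/file values are made up.
SAMPLE_LOG = r'''<![LOG[Executing command line: cscript.exe "%SCRIPTROOT%\LTIApply.wsf"]LOG]!><time="15:14:36.471+480" date="02-28-2022" component="TSManager" context="" type="1" thread="2028" file="CommandLine.cpp:819">
<![LOG[Process completed with exit code 5624]LOG]!><time="15:22:24.150+480" date="02-28-2022" component="TSManager" context="" type="1" thread="2028" file="CommandLine.cpp:1000">
<![LOG[Failed to run the action: Install Operating System. Unknown error (Error: 000015F8; Source: Unknown)]LOG]!><time="15:22:24.166+480" date="02-28-2022" component="TSManager" context="" type="3" thread="2028" file="instruction.cxx:1000">
<![LOG[The execution of the group (Install) has failed and the execution has been aborted. An action failed. Operation aborted (Error: 80004004; Source: Windows)]LOG]!><time="15:22:24.166+480" date="02-28-2022" component="TSManager" context="" type="3" thread="2028" file="instruction.cxx:221">
<![LOG[Failed to run the last action: Install Operating System. Execution of task sequence failed. Unknown error (Error: 000015F8; Source: Unknown)]LOG]!><time="15:22:24.166+480" date="02-28-2022" component="TSManager" context="" type="3" thread="2028" file="engine.cxx:249">
<![LOG[Executing in non SMS standalone mode.
Ignoring send a task execution status message request]LOG]!><time="15:22:24.166+480" date="02-28-2022" component="TSManager" context="" type="1" thread="2028" file="utils.cpp:6604">
<![LOG[Task sequence execution failed with error code 80004005]LOG]!><time="15:22:24.181+480" date="02-28-2022" component="TSManager" context="" type="3" thread="2028" file="tsmanager.cpp:1302">
<![LOG[File "F:\_SMSTaskSequence\TSEnv.dat" does not exist. (Code 0x80070005)]LOG]!><time="15:22:24.181+480" date="02-28-2022" component="TSManager" context="" type="3" thread="2028" file="CcmFile.cpp:219">
'''


def parse_cmtrace(text):
    """Return one dict per log entry, in file order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        t = TIME_RE.match(m["time"])
        stamp = datetime.strptime(f'{m["date"]} {t.group(1)}', "%m-%d-%Y %H:%M:%S.%f")
        entries.append({
            "msg": m["msg"],
            "severity": SEVERITY.get(m["type"], "type" + m["type"]),
            "timestamp": stamp,                    # local time as written in the log
            "utc_bias_min": int(t.group(2) or 0),  # CMTrace's bias field, kept as written
            "component": m["component"],
            "file": m["file"],
        })
    return entries


def errors(entries):
    return [e for e in entries if e["severity"] == "error"]


def error_codes(entries):
    """All hex codes mentioned anywhere in the log, normalised to 0xXXXXXXXX and sorted."""
    return sorted({"0x" + c.upper() for e in entries for c in CODE_RE.findall(e["msg"])})


def exit_codes(entries):
    return [int(x) for e in entries for x in EXIT_RE.findall(e["msg"])]


def referenced_paths(entries):
    return sorted({p for e in entries for p in PATH_RE.findall(e["msg"])})


def exit_code_matches(entries):
    """Pair each decimal exit code with any hex error code that is the same number."""
    hexes = error_codes(entries)
    return [(h, d) for d in exit_codes(entries) for h in hexes if int(h, 16) == d]


def summarize(text):
    """Everything a first pass over a failed task sequence log should surface."""
    entries = parse_cmtrace(text)
    return {
        "entries": len(entries),
        "errors": [(e["timestamp"].strftime("%H:%M:%S"), e["file"], e["msg"].splitlines()[0])
                   for e in errors(entries)],
        "codes": error_codes(entries),
        "exit_codes": exit_codes(entries),
        "exit_code_matches": exit_code_matches(entries),
        "paths": referenced_paths(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point it at a real log with `summarize(open("smsts.log", encoding="utf-8", errors="replace").read())`; the paths list is what answers the "why is there an F:\ drive" question quickly, and the exit-code pairing shows when a generic 0x000015F8 style failure is just the script's own return value.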
well those clients would have been using the working CMG before it broke during conversion right ? and that's where they are getting their policy so if the CMG is down (broken) they cannot get new policy, so you'll have to get creative in terms of how to target those clients, see below and linked here for some suggestions, but you'll need a working CMG before trying these so you'll need to stand up a new working CMG...

"Once the cloud management gateway (CMG) and the supporting site system roles are operational, you may need to make configuration changes on Configuration Manager clients. Clients that can communicate with the management point automatically get the location of the CMG service on the next location request. The polling cycle for location requests is every 24 hours. If you don't want to wait for the normally scheduled location request, you can force the request. To force the request, restart the SMS Agent Host service (ccmexec.exe) on the computer. For devices that aren't connected to the internal network, there are several options to configure them with a CMG location. For more information, see Install off-premises clients using a CMG. Note By default all clients receive CMG policy. Control this behavior with the client setting, Enable clients to use a cloud management gateway. For more information, see About client settings."
-
ok an update on this, if you want it working right now then I'm afraid you'll have to delete it and start again from scratch (including uploading all the content). don't mess with CNAMEs, it's not supported, you might get it to work, but it's not supported so don't bother. I've given your experience as feedback to the Microsoft product group and they are taking the feedback seriously, sorry for the hassles...
-
my experience was back when I wrote the script used in this blogpost, and at that time, it was the only way I could get Windows Autopilot to work in our environment. Our environment has changed since then and no longer uses the same type of proxy, you could say that it now resembles a transparent proxy and therefore there's no longer any need to use the script. if you can, avoid using Hybrid Azure AD join, it's more trouble than it's worth. When I initially wrote the script it was so that we could test Windows Autopilot on the internal LAN, a lot has changed since then and we've learned a lot too. The best advice I can give you is to try modifying this script to work with your environment, or determine if you need it at all based on what happens in Windows Autopilot, maybe you can add exclusions for the URLs used during Windows Autopilot, there are lots of options. as regards point 3, you could always use a different network (think of it as an enrollment network) to get your devices through Windows Autopilot OOBE and complete enrollment, you could then apply whatever network/proxy settings you want AFTER Windows Autopilot is complete using some of the methods I describe here
-
Displaying a welcome page after Windows Autopilot completes
anyweb replied to anyweb's topic in Microsoft Intune
ok so the script will create a scheduled task for each user but basically won't do anything for defaultuser0, as that's not a real user, it's only used by Windows Autopilot during the ESP, so... after the Account Setup phase (user account) part of the ESP is done, and you logon to the desktop, what scheduled tasks do you see ? -
Displaying a welcome page after Windows Autopilot completes
anyweb replied to anyweb's topic in Microsoft Intune
hi @MagnusL I've tested it with Azure AD joined devices only as that's what we use, and it works fine in that scenario, so when you checked task scheduler can you show me what it did create ? I've not seen a defult0 user before, DefaultUser0 yes, but not the other one... did you heavily modify the scripts ? -
there's only one way to find out, try it ! i recommend trying it out using a virtual machine connected to the same network as the network you intend to test, that way you can try different settings in the script on the fly
-
Displaying a welcome page after Windows Autopilot completes
anyweb replied to anyweb's topic in Microsoft Intune
hi, the link works fine you just need to be logged in to download files from windows-noob.com -
how did you configure WSUS, did you use SQL or SQL express, if you used SQL, which version ? have you looked at event viewer for more details ?
-
ok have you updated Server 2016 with the latest patches from windows update ?
-
is WSUS separate from Configuration Manager ? what version of Windows Server is it running on ?
-
Introduction

I saw an interesting tweet from @brucesaaaa where he talked about issues observed in multiple tenants during Windows Autopilot enrollment with required Win32 apps. The following was seen for required deployments of Win32 apps during Windows Autopilot enrollment:

ESP did not flag these apps as required
Required apps took hours and hours to install
App install output codes (like for reboots) were not working

Problem

The problem was investigated and narrowed down to the version of Microsoft Win32 Content Prep Tool that the technicians were using to create the Win32 apps. This is very easy to understand as many admins simply download the tool and re-use it over and over. I'm guilty of that too! The app I created below was created with 1.8.2.0 and the current version is 1.8.3. I'm not sure what version of the app caused their issues, but as soon as they downloaded the latest version and repackaged their apps the problems went away.

Analysis

I did some checking with a Win32 app I recently created. If you rename the app from its original filename.intunewin extension to filename.zip you can extract the contents. Open the detection.xml file in the metadata folder. If you open the XML file in a suitable reader, you can see the version of the tool that it was made with by reviewing the ToolVersion property highlighted below in yellow. If you start the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe) and use a -v it'll show the version info.

IntuneWinAppUtil -v

I guess that Microsoft could force people to use the latest and greatest version of their tool by scanning that detection.xml file prior to accepting the file. Or at the very least inform the user of possible problems if they choose to ignore the fact. This should bypass any issues caused by using older versions of the tool to package the Win32 App. Interesting problem, let's see where it goes!

cheers
niall
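The check the post wishes the service would do on upload can be done locally before a package is uploaded. The Python script below is an added example and is not part of the post or of the Content Prep Tool: it opens a .intunewin as the zip archive it is, finds the Detection.xml under the metadata folder, reads its ToolVersion attribute and compares it with a minimum version, 1.8.3 as named above. The archive path IntuneWinPackage/Metadata/Detection.xml used for the sample is an assumption (the post only says "metadata folder"), so the lookup matches on the suffix case-insensitively rather than on that exact path. The sample package is built in memory with a constructed Detection.xml holding only the ToolVersion attribute and two placeholder elements.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# The post only says "the metadata folder"; the exact archive layout is assumed,
# so tool_version_from_package() matches on this suffix, case-insensitively.
DETECTION_SUFFIX = "metadata/detection.xml"
MINIMUM_TOOL_VERSION = "1.8.3"   # the current version named in the post


def parse_version(text):
    """'1.8.2.0' -> (1, 8, 2, 0). Non-numeric parts count as 0 so odd strings still compare."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))


def tool_version_from_package(intunewin_bytes):
    """Read the ToolVersion attribute from the Detection.xml inside a .intunewin archive."""
    with zipfile.ZipFile(io.BytesIO(intunewin_bytes)) as zf:
        candidates = [n for n in zf.namelist()
                      if n.replace("\\", "/").lower().endswith(DETECTION_SUFFIX)]
        if not candidates:
            raise ValueError("no Metadata/Detection.xml in archive")
        # ElementTree does not fetch external entities; the file is still untrusted input,
        # so nothing beyond the one attribute is read from it.
        root = ET.fromstring(zf.read(candidates[0]))
    version = root.attrib.get("ToolVersion")
    if not version:
        raise ValueError("Detection.xml has no ToolVersion attribute")
    return version


def check_package(intunewin_bytes, minimum=MINIMUM_TOOL_VERSION):
    """Report the packaging tool version and whether it is below the minimum."""
    version = tool_version_from_package(intunewin_bytes)
    outdated = parse_version(version) < parse_version(minimum)
    return {"tool_version": version, "minimum": minimum, "outdated": outdated}


def build_sample_package(tool_version):
    """Constructed stand-in for a .intunewin: a zip with a minimal Detection.xml."""
    xml = ('<?xml version="1.0" encoding="utf-8"?>'
           f'<ApplicationInfo ToolVersion="{tool_version}">'
           '<Name>SamplePackage</Name><SetupFile>setup.exe</SetupFile>'   # placeholder elements
           '</ApplicationInfo>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IntuneWinPackage/Metadata/Detection.xml", xml)
        zf.writestr("IntuneWinPackage/Contents/IntunePackage.intunewin", b"placeholder payload")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_package("1.8.2.0")
    report = check_package(data)
    print(report)
    sys.exit(1 if report["outdated"] else 0)
```

Run as `python check_intunewin.py app.intunewin` in a packaging pipeline the non-zero exit stops an old-tool package from going any further; the version comparison is done on integer tuples so that 1.8.10 correctly sorts above 1.8.3.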
-
I'm using the most up to date Windows 11 and my taskbar doesn't autohide, I'd imagine lots of people would complain if that did happen without their involvement
-
I've never noticed that, are you sure you are not setting some policy/registry key for that ?
-
I think this covers it..

Primary sites support the installation of site system roles on computers in remote forests. When a site system role accepts connections from the internet, as a security best practice, install the site system roles in a location where the forest boundary provides protection for the site server (for example, in a perimeter network).

To install a site system role on a computer in an untrusted forest:

Specify a Site System Installation Account, which the site uses to install the site system role. (This account must have local administrative credentials to connect to.) Then install site system roles on the specified computer.

Select the site system option Require the site server to initiate connections to this site system. This setting requires the site server to establish connections to the site system server to transfer data. This configuration prevents the computer in the untrusted location from initiating contact with the site server that's inside your trusted network. These connections use the Site System Installation Account.

To use a site system role that was installed in an untrusted forest, firewalls must allow the network traffic even when the site server initiates the transfer of data.

Additionally, the following site system roles require direct access to the site database. Therefore, firewalls must allow applicable traffic from the untrusted forest to the site's SQL Server:

Asset Intelligence synchronization point
Endpoint Protection point
Enrollment point
Management point
Reporting service point
State migration point

For more information, see Ports used in Configuration Manager.
-
if the other forest is untrusted: Install site system roles in that untrusted forest, with the option to publish site information to that Active Directory forest To use a site system role that was installed in an untrusted forest, firewalls must allow the network traffic even when the site server initiates the transfer of data. When a two-way forest trust exists, Configuration Manager doesn't require any additional configuration steps.
-
With the shift in the computing paradigm to the cloud, the Azure ecosystem is quickly becoming a critical platform for IT pros to grasp and adopt. But how do you make the leap while maintaining security, manageability, and cost-control? Whether you're making new VMs directly in the cloud, have VMs in your own datacenter and are looking to migrate to Azure, or you're looking to manage VMs with cloud-based tools regardless of where they live, The SysAdmin Guide to Azure Infrastructure as a Service (IaaS) will teach you to set up and maintain a high-performing Azure IaaS environment. Written by veteran IT consultant and trainer Paul Schnackenburg, Altaro's free 100+ page second edition eBook covers how to create VMs, size them correctly, and manage storage, networking, and security, along with backup. You'll also learn how to operate groups of VMs, deploy resources based on templates, manage security, and automate your infrastructure. There are also two new chapters on Automanage and Azure Arc to help you bring a lot of automation to IaaS, all lessening the burden on your time. One thing that has changed significantly over the past couple of years is the shift towards making IaaS VMs more like PaaS services. VMs are great but they require a lot of maintenance and care, whereas all the business is really interested in are the applications and data that run inside of them. This explains the popularity of PaaS services such as managed Kubernetes (AKS) and Azure Functions (serverless). If you're new to the cloud (or have experience with Amazon Web Services and/or Google Cloud Platform but not Azure) this eBook will cover the basics as well as advanced skills. And given how fast things change in the cloud, it covers the why (as well as the how) so that as features and interfaces are updated, you'll know how to proceed. Make the cloud work for you - download your free copy today!
-
Azure AD joined device is not enrolling into Intune
anyweb replied to learningmode's topic in Microsoft Intune
did the event logs reveal anything about the problem ? -
How can I renew an expired secret in an Azure Function app
anyweb posted a topic in Microsoft Intune
Introduction

If you've been looking at my guides, you'll know that I've used httptriggers in functionapps to add functionality to Windows Autopilot, below are some examples of that.

Adding devices to an Azure AD group after Windows Autopilot is complete - part 1
Adding devices to an Azure AD group after Windows Autopilot is complete - part 2
Gathering logs and sending an email when resetting Windows Autopilot - part 1
Gathering logs and sending an email when you need to reset Windows Autopilot - part 2
Gathering logs and sending an email when you need to reset Windows Autopilot - part 3
Adding devices or users to an Azure AD group after Windows Autopilot is complete but only when the device is marked as Compliant
Using the updated & secure Retire My PC app via Company Portal

These work great, but for security reasons the secret attached to the function app itself will expire (after 6 months by default) and should be renewed before that time. Trust me, I learned the hard way.

Discovering the problem

You might forget to renew the secret and that's when you'll notice things not behaving the way they should. I first became aware of the problem before Christmas. I came into work on the Monday and kicked off some Windows Autopilot installs, but they didn't work correctly. I noticed that the triggers responsible for adding devices to Azure AD groups after Windows Autopilot is complete, but only when the device is marked as compliant, were no longer working. I started my investigation on a client with the issue, and the following was reported in the log file. One line jumped out at me: UPN not found, FATAL. Yeah, that doesn't sound good. I then logged into Azure and found the trigger responsible. I fed it with some known good values and looked at the output. The first thing to note is it output the same error (1), even though I supplied a known good UPN (2). Therefore, I knew the error UPN not found, FATAL was a red herring.

I also noticed that there was an error code 401 (unauthorized) in the console output (3). That was my first clue! Next, I selected App Registrations in Azure Active Directory, selected the Graph_function app and was greeted with a red error on top showing me that a certificate or secret had expired. Clicking on Certificates and secrets showed the expired secret.

Fixing expired secrets

Now that I had identified the problem, it was time to fix it. In the Certificates & secrets section, click on + New client secret (1), give it a suitable name (2), select when it expires from the drop-down menu (3) and finally Add it (4). The new secret will appear. Notice the expiry date. Now, copy the new secret value. Next, locate the trigger(s) that use the previous secret. It's stored as $AccessSecret in my httptrigger examples. Replace that expired value with the value you copied from the newly created secret and then save your changes. Job done! Repeat the above exercise for each trigger that uses the expired secret.

Conclusion

Nothing lasts forever, especially secrets. Now that you know how to renew your expired secrets, maybe it's a good idea to look at your app registrations and take note of when they expire, and proactively renew them before they expire next time! If you'd like to automate that, take a look at Peter Klapwijk's post here.
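The proactive check the conclusion recommends, as an added example that is not code from anyweb's post or from the linked automation: given the JSON an application listing from Microsoft Graph returns (each application's passwordCredentials and keyCredentials carry an endDateTime), the Python script below lists every secret or certificate that has already expired or expires within a warning window, so an expired $AccessSecret is found before the 401s start. The Graph response embedded here is constructed: the application names, IDs and dates are made up, and the Graph_function name is reused from the post only as a label. Fetching the real listing (for example GET /v1.0/applications with a $select on those properties) is left to the caller.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a Graph applications listing. Names, appIds, keyIds and
# dates are made up; "Graph_function" is only the label used in the post above.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {
            "displayName": "Graph_function",
            "appId": "00000000-0000-0000-0000-000000000001",
            "passwordCredentials": [
                {"displayName": "httptrigger secret", "keyId": "11111111-1111-1111-1111-111111111111",
                 "startDateTime": "2021-06-15T00:00:00Z", "endDateTime": "2021-12-15T00:00:00Z"},
            ],
            "keyCredentials": [],
        },
        {
            "displayName": "autopilot-reset-logs",
            "appId": "00000000-0000-0000-0000-000000000002",
            "passwordCredentials": [
                {"displayName": "mail sender", "keyId": "22222222-2222-2222-2222-222222222222",
                 "startDateTime": "2021-07-25T00:00:00Z", "endDateTime": "2022-01-25T00:00:00Z"},
            ],
            "keyCredentials": [
                {"displayName": "CN=autopilot-reset-logs", "keyId": "33333333-3333-3333-3333-333333333333",
                 "startDateTime": "2021-01-01T00:00:00Z", "endDateTime": "2023-01-01T00:00:00Z"},
            ],
        },
        {
            "displayName": "healthy-app",
            "appId": "00000000-0000-0000-0000-000000000003",
            "passwordCredentials": [
                {"displayName": "rotated", "keyId": "44444444-4444-4444-4444-444444444444",
                 "startDateTime": "2021-12-31T00:00:00Z", "endDateTime": "2022-12-31T00:00:00Z"},
            ],
            "keyCredentials": [],
        },
    ]
})
SAMPLE_NOW = datetime(2022, 1, 10, tzinfo=timezone.utc)   # constructed "today" for the sample


def parse_graph_time(value):
    """Graph emits ISO 8601 with a trailing Z and up to 7 fractional digits; make it fromisoformat-safe."""
    value = value.replace("Z", "+00:00")
    value = re.sub(r"\.(\d{6})\d+", r".\1", value)
    return datetime.fromisoformat(value)


def audit_credentials(graph_json, now=None, warn_days=30):
    """Return expired and soon-to-expire secrets/certificates, soonest expiry first."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for app in json.loads(graph_json).get("value", []):
        for kind, key in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
            for cred in app.get(key) or []:
                end = parse_graph_time(cred["endDateTime"])
                remaining = end - now
                if remaining <= timedelta(0):
                    status = "expired"
                elif remaining <= timedelta(days=warn_days):
                    status = "expiring"
                else:
                    continue
                findings.append({
                    "app": app["displayName"],
                    "appId": app["appId"],
                    "kind": kind,
                    "credential": cred.get("displayName") or cred.get("keyId"),
                    "keyId": cred.get("keyId"),
                    "ends": end,
                    "days_left": remaining.days,
                    "status": status,
                })
    findings.sort(key=lambda f: f["ends"])
    return findings


def audit_sample():
    return audit_credentials(SAMPLE_GRAPH_RESPONSE, SAMPLE_NOW)


def format_findings(findings):
    return [f'{f["status"]:8} {f["app"]} {f["kind"]} "{f["credential"]}" ends {f["ends"]:%Y-%m-%d} ({f["days_left"]} days)'
            for f in findings]


if __name__ == "__main__":
    for line in format_findings(audit_sample()):
        print(line)
```

Only the secret's expiry is visible through Graph; the secret value is not, so a finding here is the cue to create a new client secret and then update every trigger that stores the old one, exactly as the Fixing expired secrets steps describe.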