23 Dec 2014
Over the past couple of months I’ve occasionally been working with Microsoft Dynamics AX 2012 and moving model and data sets between different environments.
Once of the downsides to this is overwriting the user and role memberships at the destination. To combat this, I had two options, the AX Data Import/eXport Framework (DIXF), or the AX PowerShell module. I think you can guess which one I went for!
Unfortunately the AX module need to be loaded in a wonderfully manual way and there are a lot of features not provided. The cmdlets even have a horrible lack of support for the very things that make PowerShell so great, like pipelining!
Even lacking these things, it’s still PowerShell, so I soldiered on. It took a little while and some features still have to be implemented, but the two scripts allow users to be imported and exported to/from a CSV, which is good enough to release for a first version.
The two scripts can be downloaded from GitHub.
There are also some features I’ll implement if I get the time, such as complete overwrite on import and support for importing/exporting user data from remote servers.
30 Oct 2014
We ran into an issue yesterday with Group Policy Results when using SCEP 2012 R2, the problem exactly follows this particular issue on the TechNet Forums, but appears to affect a couple of extra registry keys.
It’s really unfortunate that this still isn’t fixed in SCCM 2012 R2, having also been an issue in 2012, as the post describes.
To resolve the problem, I used my existing SCEP Group Policy ADMX template in creating a GPO to replicate the default settings pushed out to clients with SCCM, which solves the problem, as the exceptions and settings we push out to standard clients aren’t any different from the Microsoft recommended settings.
In the GPO I had to specify the exclusion settings and also the default threat actions, which are specified in the registry here:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction
Previously these settings were defined as REG_DWORD, but need to be REG_SZ, as shown below:
29 Oct 2014
This post is mostly a follow up to my guide on updating other HP ProBook BIOS in a task sequence. If you haven’t read that, this might not be of too much use to you!
The Problem
When updating a HP ProBook 650 G1 BIOS, I ran into a couple of small issues. This mostly related to an undocumented switch being required for the HPBIOSUPDREC tool. The BIOS update would always cause the computer to perform an unexpected reboot, which would break the task sequence.
The command line I was using was:
HPBIOSUPDREC.exe -s -pBIOSPW.bin -fL77_0120.bin
This would cause the BIOS to update, but then the computer would reboot without returning an exit code to SCCM, causing the task sequence to fail. Searching around, I found this post on the HP support forums, which pointed me in the right direction. Thanks richard429!
The Solution
The correct command line to update the HP BIOS for the ProBook 650 G1 is as follows:
HPBIOSUPDREC.exe -s -r -pBIOSPW.bin -fL77_0120.bin
This -r switch appears to be undocumented, which is a shame really, but this prevents the reboot without exit code. The command now returns a correct exit code and lets SCCM reboot the computer gracefully.
Putting it into Practice
In the SCCM package, I’ve placed both the HPBIOSUPDREC tool and the BIOS binary file. The task sequence runs it as shown below:
The WMI query makes sure it only runs on the selected/supported HP ProBook 640 G1 and 650 G1’s we have in our environment. There’s no danger in making this query less specific, as the update tool will only flash machines that the update is applicable to. I have also added the exit codes 273 and 282, which are exit codes for “BIOS is already same version” (273) and BIOS installed is newer than the one set to install (272).
27 Aug 2014
A quick followup to my earlier post on the SCEP 2012 ADMX template, I was working today with our Citrix environment and needed to remove visibility of the SCEP client interface.
Fortunately, there is an option in the SCCM Endpoint Protection policies, so I know the functionality to do this is there. This doesn’t seem to have been an option in Forefront Endpoint Protection (FEP) 2010, otherwise it would have been in the original policy template.
The value for this is ”UILockdown” and is found next to the other UX configuration settings for SCEP:
HKLM\Software\Policies\Microsoft\Microsoft Antimalware\UX Configuration\UILockdown
(1 for disabled, 0 for enabled)
I’ve updated the ADMX template to make this new setting visible, the changes I’ve made to the template are here for the ADMX and here for the ADML.
The files can be downloaded here. I’ll also continue to update the template as I find other settings that weren’t present in FEP 2010.
02 Aug 2014
It’s a quick little script I just had to write, after my testing today ran into the minor issue of a flat battery… halfway through the Operating System Deployment (OSD) process.
It’s a little PowerShell script, very similar to the last one that just pops up a box asking you to plug-in the laptop if you are running on battery. I haven’t put much in the way of validation that the device is actually a laptop with a battery, but since my OSD task sequences have a laptop/desktop divide, it’s not too much of a problem!
Here’s the script, the setup instructions are similar to the earlier script, with a different name and a call to a batch file instead of the ServiceUI command.
The batch script contains the command to run ServiceUI, after deciding which copy to run the PowerShell script with, based on the boot image architecture (x86/x64). I’ve put this in at the beginning of the task sequence, once the laptop has booted to the boot image, so we can get the user input or error states dealt with up front.