Friday, June 29, 2012

Group Policy: Site to Zone Assignment

Adding a URL to an Internet Explorer zone gives you the ability to change the security settings Internet Explorer applies to that website.  Some websites may require more or less security than what is given through the default Internet Zone.  There are two ways you can add a website to an Internet Explorer zone using Group Policy.  One way is to use the policy provided by Microsoft, shown below.  A Policy almost always has UI lockout associated with it, meaning that no user receiving the Site to Zone policy, even an Admin, will be able to add new sites to IE zones through the UI.  To get around this you could manually add all the sites you need to the different zones and then use the Group Policy Preferences Registry Wizard to dig down to where those zone keys are located and have them applied via a Preference without the UI lockout.  Below I will demonstrate how most corporations would choose to deploy these site to zone assignments, which is through Policy.

Node: Computer, User
Category: Policy
Path: Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
Setting: Site to Zone Assignment List - Enabled

1) In the Site to Zone Assignment List click the Show button and enter a website under Value name.  You have a few options on how to enter a website.  Entering *.google.com will place the entire google.com domain into a particular zone.  This includes mail.google.com, google.com/support and http, https, ftp, or any other protocol for the google.com domain.

Under Value enter a number 1-4 to represent the zone you are placing the site into.

     0 - My Computer
     1 - Local Intranet Zone
     2 - Trusted sites Zone
     3 - Internet Zone
     4 - Restricted Sites Zone
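The list above is the same mapping the policy writes into the registry. As an added example (not code from the original post), the following PowerShell lists every Site to Zone assignment currently applied by policy and flags entries that relax security for an overly broad set of hosts, which is the check I would run before trusting a corporate list. It assumes the policy stores one registry value per site (value name = site pattern, value data = zone number) under the ZoneMapKey subkey of the Internet Settings policy key, in both the computer and user hives; the "overbroad" rule is my own.

```powershell
# Added example, not from the original post. Assumes the Site to Zone list lives
# under ...\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey.
$zoneNames = @{ '1' = 'Local Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }

$policyKeys = @(
    @{ Scope = 'Computer'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey' },
    @{ Scope = 'User';     Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey' }
)

# Registry provider metadata that Get-ItemProperty adds; these are not site entries
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-OverbroadPattern {
    param([string]$Site, [string]$Zone)
    # Only the zones that loosen settings (Intranet, Trusted) matter for this check
    if (-not (@('1', '2') -contains $Zone)) { return $false }
    # Reduce "http://*.contoso.com:8080/path" to the host part "*.contoso.com"
    $hostPart = $Site -replace '^[a-zA-Z]+://', '' -replace '/.*$', '' -replace ':\d+$', ''
    $hasWildcard = $hostPart.Contains('*')
    $hostPart = $hostPart -replace '^\*\.?', ''
    # A wildcard that leaves fewer than two labels ("*", "*.com") covers a whole
    # top-level domain or every host, which is almost never what was intended.
    $labels = @($hostPart -split '\.' | Where-Object { $_ })
    return ($hasWildcard -and $labels.Count -lt 2)
}

function Get-SiteToZoneAssignment {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key.Path)) { continue }
        $props = (Get-ItemProperty -Path $key.Path).PSObject.Properties
        foreach ($prop in $props) {
            if ($metaProps -contains $prop.Name) { continue }
            $zone = [string]$prop.Value
            $name = $zoneNames[$zone]
            if (-not $name) { $name = 'Unknown' }
            New-Object PSObject -Property @{
                Scope     = $key.Scope
                Site      = $prop.Name
                Zone      = $zone
                ZoneName  = $name
                Overbroad = (Test-OverbroadPattern -Site $prop.Name -Zone $zone)
            }
        }
    }
}

Get-SiteToZoneAssignment |
    Sort-Object Overbroad -Descending |
    Format-Table Scope, Site, Zone, ZoneName, Overbroad -AutoSize
```

Run it on a machine after a Group Policy update; an entry such as *.google.com in zone 2 is reported but not flagged, while something like *.com in zone 1 or 2 is flagged so it can be questioned before it ships.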

Friday, June 22, 2012

Group Policy: Remove Games Folder for the Start Menu

In the Enterprise version of Windows all included games are disabled by default (Solitaire, Checkers, etc).  You may have noticed the Games folder still exists in the Start Menu even if there are no games listed.  Here is an easy way to remove the folder using Group Policy Preferences.  Refer to the screen capture below to see how to create the GPP Folders item.

TIP: With GPP use the "Apply once" option under the Common tab when a preference only needs to be processed once per object.

     Path: %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Games

Group Policy: Push Gadget Settings

This post will demonstrate how to push settings for currently installed Gadgets such as Weather. 

1)  Open the Weather Gadget and position it in the upper right corner of your screen.  Setup any settings you might want like zip code, opacity, Gadget size, etc.

2) Copy the following file to your deployment share:

     C:\Users\MyProfile\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

3) Set up a Computer Group Policy Files Preference similar to the below screen capture.  The file will be copied to the Default user profile and therefore any new user will get the Weather Gadget on their desktop along with the proper settings.

TIP: GPP Files will create any folders in the destination path that do not exist. There is no need to create missing folders.

     Source: \\MySCCMServer\Packages\Windows Deployment Files\Settings.ini
     Destination: %SYSTEMDRIVE%\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Settings.ini


Group Policy: Pin Items to the Taskbar

I have seen a lot of posts with solutions to automate taskbar pinning.  The one I choose to work with came from the following link:

http://theitbros.com/copy-taskbar-icons-windows-7-sysprep

This is a well-made VBScript that can pin and unpin items from the taskbar.  Depending on the program you are trying to pin you might have to do a little experimenting outside of these blog posts to get it working.  Here I'm going to show a solution that worked for me and my own way of deploying this script over Group Policy for Windows 7 deployments.

1) Take your final SetTaskbar.vbs script and place in your deployment folder.  Mine is \\MySCCMServer\Packages\Windows Deployment Folder.

2) Recreate the below Computer Group Policy Files Preference.  Notice that under the Common tab I checked Apply once and do not reapply.  This Group Policy process only needs to happen once per machine to be effective.

TIP: GPP Files will create any folders in the destination path that do not exist. There is no need to create missing folders.

      Source:  \\MySCCMServer\Packages\Windows Deployment Files\SetTaskbar.vbs

      Destination:  %SYSTEMDRIVE%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SetTaskbar.vbs


3)  Any user who logs on for the first time on a deployed machine will get this VBScript in the Startup folder, which causes the script to run.  The taskbar links you requested are added or removed and then the script deletes itself.  The script still exists in the Default user folder waiting for the next new/first time user to log on, so it runs once on each new profile.

SCCM: Rename the Administrator Account during OSD

It is a best practice to rename the local Administrator account if you choose to keep it enabled.  Here is an option for renaming this account during an SCCM Task Sequence.

     CMD Line:  wmic UserAccount where Name="Administrator" call Rename Name="HelpDesk"
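The same rename done from PowerShell, as an added example that is not from the original post: it finds the built-in account by its well-known relative identifier (RID 500) instead of by the name "Administrator", so it still works if the account was renamed by an earlier image, and it re-queries afterwards to confirm the result. The new name "HelpDesk" is the one used in the post; running it from a task sequence with powershell.exe -ExecutionPolicy Bypass -File is an assumption about your environment.

```powershell
# Added example, not from the original post.
$newName = 'HelpDesk'

function Get-BuiltInAdministrator {
    # The built-in Administrator keeps SID S-1-5-21-<machine>-500 whatever it is
    # called, so matching on the RID finds it even after a rename.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
}

$admin = Get-BuiltInAdministrator
if ($null -eq $admin) { throw 'Built-in Administrator account (RID 500) not found' }

if ($admin.Name -ne $newName) {
    # Win32_UserAccount.Rename returns an object whose ReturnValue is 0 on success
    $result = $admin.Rename($newName)
    if ($result.ReturnValue -ne 0) {
        throw "Rename failed, WMI return value $($result.ReturnValue)"
    }
}

# Verify: the Name changes, the SID does not, which is what any later check
# (or anyone enumerating accounts by RID) will see.
Get-BuiltInAdministrator | Select-Object Name, SID, Disabled
```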

SCCM: Name Computer Prompt during OSD

There are a few ways to stage a computer for SCCM OSD.  I will show how I set the computer name during the SCCM OSD without having to prestage the computer in SCCM.  This tip is generally used when your operating system deployments are on site and the IT personnel are going to be in front of the machine.  This may not work as well in a remote deployment scenario as it requires user interaction on the client end and therefore is not considered a zero touch solution. 

1) First we need to create a VBScript which will create an input box and capture the computer name we enter during the OSD.  I have modified the script below (original script author unknown) and added some logic to it that I will explain. 

The script sets some variables and defines which characters are allowed in a computer name.  Remember that a computer name can only include the characters a-z, A-Z, 0-9, or a dash.  Next it pops up the input box with instructions and converts the name you enter to uppercase.  If the computer name is longer than 15 characters then SCCM will throw a generic error later down the line, so the name length is verified here before moving on.  Next we verify that the computer name contains only valid characters.  If either of these checks fails then the field goes blank and you need to enter a new computer name.  Last, the computer name is saved in the variable OSDComputerName.  This is a variable that Microsoft has programmed SCCM to check for during a later Task Sequence step (I could not find which one but it could be Windows Settings or Setup Windows).  Copy the below script into a text file and name the file SetComputerName.vbs

Note: If you leave the input field blank and click OK and are doing a computer refresh then the original computer name should be used if you also have the Task Sequence capture Windows Setting (This needs to be tested).

<---BEGIN SCRIPT--->

Dim objOSD, objRegEx
Dim Matches, Match
Dim strPattern, strInputBoxA, strInputBox
Dim boolLength, boolValid

' Task sequence environment object; only available while the task sequence is running
Set objOSD = CreateObject("Microsoft.SMS.TSEnvironment")
Set objRegEx = New RegExp

' Define the invalid pattern as any character not in (A-Z, 0-9, or -)
strPattern = "[^a-zA-Z0-9-]"

Do
    strInputBoxA = InputBox("Enter desired machine name:" & VbCrLf & VbCrLf & "Names must be less than 16 characters, and only include A-Z, 0-9, or -.", "Machine Name", , 60, 60)
    ' Blank entry or Cancel: leave OSDComputerName unset and exit cleanly
    If strInputBoxA = "" Then WScript.Quit(0)
    ' Convert string to uppercase
    strInputBox = UCase(strInputBoxA)

    ' Check length - must be less than 16 characters
    If Len(strInputBox) <= 15 Then
        boolLength = True
    Else
        boolLength = False
    End If

    ' Check character validity
    boolValid = True
    ' Return all matches for invalid characters
    objRegEx.Global = True
    objRegEx.Pattern = strPattern
    ' Generate collection of matches
    Set Matches = objRegEx.Execute(strInputBox)
    ' Any match means an invalid character was entered
    For Each Match In Matches
        boolValid = False
    Next
' Re-prompt until both checks pass
Loop While Not (boolLength And boolValid)

objOSD("OSDComputerName") = strInputBox

<---END SCRIPT--->

2) Create an SCCM package that contains only the VBScript we just created.  One of the first Task Sequences should be this Run Command Line with a setup similar to the below screen capture.

     "%SYSTEMROOT%\System32\cscript.exe" ".\SetComputerName.vbs"

Group Policy: Enable Globalization Themes and More

There are four additional globalization themes available besides the United States.

     Australia
     Canada
     United Kingdom
     South Africa

A client of mine had users who worked and traveled all over the world and thought it would be nice if we could allow access to these themes.  Our second goal was to take all of the images of landscapes from the 5 Countries and make one world landscape theme, then make it the default theme for Windows 7 (users can change the theme after deployment).  After a few steps we will have the five installed themes shown in the screen capture below (United States theme not shown as it is listed under Aero Themes).


1) Our first task is to move the four hidden globalization themes. If you unhide all explorer folders and navigate to C:\Windows\Globalization\MCT you can see the hidden themes which need to get moved to C:\Windows\Resources\Themes.  In the screen capture below I create a Computer Group Policy Preference (GPP) to move files.  I create four preferences, one for each theme to be moved.  Also under the Common tab I selected Apply once and do not reapply.  Once the files have been moved on the computer's first boot there is no need to continue processing the preference in the future.


Below are the paths for the four file moves you need to create.  Also, just a personal best practice, I always capitalize my variables so they stand out better.  Always use system variables to add another level of automation and self correction to your scripts or Group Policy. 

     %SYSTEMROOT%\Globalization\MCT\MCT-CA\Theme\CA.theme
     %SYSTEMROOT%\Resources\Themes\CA.theme

      %SYSTEMROOT%\Globalization\MCT\MCT-GB\Theme\GB.theme
      %SYSTEMROOT%\Resources\Themes\GB.theme

      %SYSTEMROOT%\Globalization\MCT\MCT-AU\Theme\AU.theme
      %SYSTEMROOT%\Resources\Themes\AU.theme

      %SYSTEMROOT%\Globalization\MCT\MCT-ZA\Theme\ZA.theme
      %SYSTEMROOT%\Resources\Themes\ZA.theme

2)  We have given our users the ability to select from the new themes. You should be able to see the themes under the Windows 7 Personalization settings (after you update your Group Policy).  Next we will allow our users to select which landscape images they want so they can create their own theme.  This will require us to use GPP again to move wallpaper from one location to another.  Please reference the screen shot below and the file move paths.  Also note that under the Processing list in the middle you can see that under the Common tab I selected Apply once and do not reapply.


     %SYSTEMROOT%\Globalization\MCT\MCT-CA\Wallpaper\*
     %SYSTEMROOT%\Globalization\MCT\MCT-US\Wallpaper\Canada

     %SYSTEMROOT%\Globalization\MCT\MCT-AU\Wallpaper\*
     %SYSTEMROOT%\Globalization\MCT\MCT-US\Wallpaper\Australia

     %SYSTEMROOT%\Globalization\MCT\MCT-GB\Wallpaper\*
     %SYSTEMROOT%\Globalization\MCT\MCT-US\Wallpaper\United Kingdom

     %SYSTEMROOT%\Globalization\MCT\MCT-ZA\Wallpaper\*
     %SYSTEMROOT%\Globalization\MCT\MCT-US\Wallpaper\South Africa

3) Next we will create a unified World Landscape theme containing all the Landscapes from the five countries.  First you will need to do a Group Policy update to get the wallpaper in place.  Then go to Personalization under Control Panel and select the Windows 7 Aero theme.  Click Desktop background on the bottom of the Personalization page. You should now see all the wallpaper from the five world themes.  As you mouse over the images you can select the check box to include the wallpaper in the World Theme.  I unselected the default Windows 7 wallpaper and selected the wallpaper from the five country themes and the Landscape theme.  This is your chance to select options like shuffle and how often to change pictures.  Click Save Changes at the bottom of the window.


4) Back in Personalization Settings right click the untitled theme you just created and select Save theme.  Name the theme exactly what you want users to see such as World Landscape.  Next navigate to C:\Users\YourProfile\AppData\Local\Microsoft\Windows\Themes and you will find your theme.


5)  Place this theme on the server you use to hold all of your SCCM packages.  I create a folder that contains all my files and folders that get copied by SCCM OSD or Group Policy.  For example: "\\MySCCMServer\Package\Windows Deployment Files". 

6) Use GPP to copy the new theme file in place.

     \\MySCCMServer\Packages\Windows Deployment Files\World Landscape.theme
      %SYSTEMROOT%\Resources\Themes\World Landscape.theme


7)  To set the default theme for your deployment set the USER Policy shown below with the path to the new theme file.  Note: This is a policy but users will be able to change and keep any theme.  If you use Roaming profiles then the theme the user chooses will follow them.  

     %SYSTEMROOT%\Resources\Themes\World Landscape.theme
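The file moves in steps 1, 2 and 6 as one PowerShell script, added here as an example that is not from the original post; it is useful for testing the result on a single machine before building the GPP items, and it behaves like "Apply once" by skipping anything already moved. Paths and the country folder names are the ones listed above; the share name is the post's own placeholder.

```powershell
# Added example, not from the original post. Paths are those from steps 1, 2 and 6.
$themeCodes      = 'CA', 'GB', 'AU', 'ZA'
$mctRoot         = Join-Path $env:SYSTEMROOT 'Globalization\MCT'
$themeDir        = Join-Path $env:SYSTEMROOT 'Resources\Themes'
$usWallpaper     = Join-Path $mctRoot 'MCT-US\Wallpaper'
$wallpaperFolder = @{ CA = 'Canada'; AU = 'Australia'; GB = 'United Kingdom'; ZA = 'South Africa' }
$share           = '\\MySCCMServer\Packages\Windows Deployment Files'   # post's placeholder share

function Move-IfPresent {
    param([string]$Source, [string]$Destination)
    # "Apply once" behaviour: a source that is already gone means the move was done earlier
    if (-not (Test-Path $Source)) { "skip (already moved): $Source"; return }
    $parent = Split-Path $Destination -Parent
    if (-not (Test-Path $parent)) { New-Item -ItemType Directory -Path $parent | Out-Null }
    Move-Item -Path $Source -Destination $Destination -Force
    "moved: $Source -> $Destination"
}

foreach ($code in $themeCodes) {
    # Step 1: the hidden .theme file into the shared Themes folder
    Move-IfPresent (Join-Path $mctRoot "MCT-$code\Theme\$code.theme") (Join-Path $themeDir "$code.theme")

    # Step 2: each country's wallpaper into a named folder under the US wallpaper tree
    $dest = Join-Path $usWallpaper $wallpaperFolder[$code]
    if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
    # -Force so hidden files under the MCT folders are listed too
    Get-ChildItem (Join-Path $mctRoot "MCT-$code\Wallpaper") -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { Move-IfPresent $_.FullName (Join-Path $dest $_.Name) }
}

# Step 6: copy the combined theme file from the deployment share into place
Copy-Item -Path (Join-Path $share 'World Landscape.theme') -Destination (Join-Path $themeDir 'World Landscape.theme') -Force
```

Run it elevated, since both the Globalization and Resources folders are under %SYSTEMROOT%; after a logoff/logon the themes should appear under Personalization exactly as they do after the GPP items apply.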

Thursday, June 21, 2012

Group Policy: Enable Start Menu Recent Items

I could not find a Group Policy to enable Recent Items on the Start Menu.  I used Group Policy Preference to set a registry setting to enable this menu on the USER configuration.


Here is the key path pictured below as it has been cut off:
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced


Wednesday, June 20, 2012

Group Policy: Desktop Shortcut to Libraries

To help in the migration from XP to Windows 7 I have placed a shortcut to the Libraries folder on the desktop similar to My Documents.  To automate this in Group Policy I created a new shortcut in Group Policy Preferences that gets refreshed in the background even if a user deletes the folder (The shortcut is recreated).  Looking at the screen capture below you should see how I accomplished this.  I was also able to have the Libraries shortcut icon match the Libraries shortcut already present on the taskbar.  I named the shortcut "My Files"  to help users further.

PowerShell: Run Commands Remotely from a List of Machines in a Text File

This is a basic example of getting a list of computers from a text file and running commands against each remote machine. 

# Get-Content returns one string per line, so each item is already the computer name
$list = Get-Content "c:\Myfolder\RemoteComputers.txt"
foreach ($computer in $list) {
    Invoke-Command -ComputerName $computer -ScriptBlock {
        Get-Service
    }
}

The Get-Content Cmdlet will pull the list of computers from the text file specified and save them as an array in the variable $list.

$list = Get-Content "c:\Myfolder\RemoteComputers.txt"

The foreach loop takes each line of the text file (one computer name) and assigns it to the variable $computer.  Because Get-Content returns plain strings there is no .name property here; the string itself is passed to -ComputerName.

foreach ($computer in $list) {
      Invoke-Command -ComputerName $computer -ScriptBlock {
           Get-Service
      }
}

Invoke-Command remotely connects to the computer named in the variable $computer, runs the commands in the script block and returns the output for us to see (here we get a list of Windows services).

Invoke-Command -ComputerName $computer -ScriptBlock {
      Get-Service
}

Invoke-Command will only be able to connect to a computer if you have previously set up Windows Remote Management (WinRM) on each machine you need to connect to. WinRM is disabled by default and will be discussed in a later post.

PowerShell: Run Commands Remotely from an AD List

This is a basic example of getting a list of computers from a specific OU in Active Directory and running commands against each remote machine. 

Import-Module ActiveDirectory
$list = Get-ADComputer -filter * -SearchBase "OU=Desktops,OU=Computers,DC=Contoso,DC=com"
foreach ($computer in $list) {
      Invoke-Command -ComputerName $computer.name -ScriptBlock {
           Get-Service
      }
}


The Active Directory module is imported (included in PowerShell 2.0) which contains all the Cmdlets we will need to work with AD. 

Import-Module ActiveDirectory

The Get-ADComputer Cmdlet searches for all computers (hence the filter * or "all") in the Organizational Unit specified and saves them as an array in the variable $list. 

$list = Get-ADComputer -filter * -SearchBase "OU=Desktops,OU=Computers,DC=Contoso,DC=com"

The foreach loop automatically moves each object (the information from each computer that was pulled from AD such as name, SID, etc) and applies it to the variable $computer. 

foreach ($computer in $list) {
      Invoke-Command -ComputerName $computer.name -ScriptBlock {
                Get-Service
      }

}

Invoke-Command remotely connects to the computer saved in the variable $computer, runs the commands in the script block and returns the output for us to see (here we get a list of Windows services).

Invoke-Command -ComputerName $computer.name -ScriptBlock {
      Get-Service

}

$computer.name pulls out just the name of the computer from the object carried in the $computer variable (not the SID or any other information not needed).

Invoke-Command -ComputerName $computer.name -ScriptBlock {
      Get-Service
}


Invoke-Command will only be able to connect to a computer if you have previously set up Windows Remote Management (WinRM) on each machine you need to connect to.  WinRM is disabled by default and will be discussed in a later post.
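Both of the remote execution posts above stop on the first computer that is not reachable, and the text file version passes raw lines straight to -ComputerName. As an added example (not code from the original posts) the script below serves both: it takes the target list from either the text file or the AD OU used in the posts, checks that WinRM answers before calling Invoke-Command, and collects the failures so one dead host does not end the run. The function names and the use of Test-WSMan as the pre-check are my own.

```powershell
# Added example, not from the original posts. File path and OU are the posts' own.
Import-Module ActiveDirectory

$script:Failures = @()

function Get-TargetComputer {
    param([string]$ListFile, [string]$SearchBase)
    if ($ListFile) {
        # Get-Content yields plain strings, one per line; skip blank and commented lines
        Get-Content $ListFile |
            Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
            ForEach-Object { $_.Trim() }
    } else {
        # Only enabled computer objects; .Name is the property the AD post uses
        Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
            Select-Object -ExpandProperty Name
    }
}

function Invoke-OnEach {
    param([string[]]$Computers, [scriptblock]$Script)
    foreach ($computer in $Computers) {
        # Test-WSMan fails quickly when WinRM is not listening (off by default, as the
        # posts note), so the loop records the host and moves on instead of stalling.
        if (-not (Test-WSMan -ComputerName $computer -ErrorAction SilentlyContinue)) {
            $script:Failures += New-Object PSObject -Property @{ Computer = $computer; Error = 'WinRM not reachable' }
            continue
        }
        try {
            # Invoke-Command tags each returned object with PSComputerName
            Invoke-Command -ComputerName $computer -ScriptBlock $Script -ErrorAction Stop
        } catch {
            $script:Failures += New-Object PSObject -Property @{ Computer = $computer; Error = $_.Exception.Message }
        }
    }
}

# Either source works; uncomment the AD line to use the OU from the second post.
$targets = Get-TargetComputer -ListFile 'c:\Myfolder\RemoteComputers.txt'
# $targets = Get-TargetComputer -SearchBase 'OU=Desktops,OU=Computers,DC=Contoso,DC=com'

Invoke-OnEach -Computers $targets -Script { Get-Service | Where-Object { $_.Status -eq 'Running' } } |
    Select-Object PSComputerName, Name, Status

if ($script:Failures.Count -gt 0) {
    Write-Warning "$($script:Failures.Count) computer(s) could not be processed:"
    $script:Failures | Format-Table Computer, Error -AutoSize
}
```

The failure table is the part worth keeping: a host that is in AD but never answers WinRM is either off, not yet configured, or something that should not be on the list at all.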

SCCM: Firmware and BIOS Upgrade Through OSD

In this blog post I will show how to update the computer BIOS during my task sequence on SCCM.  This demonstration will specifically show a Dell BIOS upgrade but the concept could be applied to other manufacturers or firmware devices like laptop batteries. 

1) I place all of my Dell BIOS updates in folders based on the model and then create an SCCM package pointing to the "Dell BIOS" folder.  That way I only have to have one SCCM package that contains all my Dell BIOS updates.

2) Create one Run Command Line sequence for each model you need to upgrade.  In each sequence I point to the same package containing all of my Dell BIOS upgrades and in the command line point to the folder inside the package that contains the BIOS upgrade for a particular model.  I got the command for the silent install by looking at the readme text file from Dell. 

3) Clicking the Options tab you can add conditions that must all be true in order for the sequence to run.  Our conditions will use WMI to see if the BIOS is below the newest version and therefore needs to be upgraded, and to verify that the BIOS upgrade this sequence points to is for the computer model being imaged.  The two screen shots below demonstrate these conditions. 


4) To discover the WMI string you need to match against on your machine run PowerShell and type in the command shown in the screen shot below.
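As an added example (not the command from the post's screen shot), here is how I would pull the two WMI values the conditions in step 3 compare against, and check how the version strings will compare, since the task sequence condition does a string comparison. The target version "A12" and the WQL shown in the comments are placeholders/assumptions for illustration; substitute the values from Dell's readme.

```powershell
# Added example, not from the original post.
$targetVersion = 'A12'   # placeholder: the BIOS version contained in your update package

$bios   = Get-WmiObject -Class Win32_BIOS
$system = Get-WmiObject -Class Win32_ComputerSystem

# Printed inside quotes so that trailing spaces in a Model string (which would make
# an "equals" condition fail) are visible. The conditions then look like:
#   SELECT * FROM Win32_ComputerSystem WHERE Model = "<Model>"
#   SELECT * FROM Win32_BIOS WHERE SMBIOSBIOSVersion < "<target version>"
"Model: '$($system.Model)'"
"BIOS:  '$($bios.SMBIOSBIOSVersion)'"

function Test-BiosNeedsUpdate {
    param([string]$Current, [string]$Target)
    # An ordinal string comparison mirrors what a "less than" on a string does.
    # Dell's "A05" / "A12" style sorts as expected; formats such as "1.9.0" versus
    # "1.10.0" do not, so confirm this result before relying on the condition.
    return ([string]::CompareOrdinal($Current, $Target) -lt 0)
}

Test-BiosNeedsUpdate -Current $bios.SMBIOSBIOSVersion -Target $targetVersion
```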


Tuesday, June 19, 2012

SCCM: Deploy Microsoft DART through OSD

This post will skip over the "how to build a DART recovery image" and go directly to deployment.  There are few different ways to deploy DART.  We will concentrate on deployment through SCCM in a task sequence.

1) I placed my DART Recovery image on a secondary partition to support BitLocker Drive Encryption on the primary drive.  You can use this same partition for BitLocker.

2) Set up the DART Recovery image partition as follows:

3) Using a Run Command Line we will create a new folder on the recovery partition named "Recovery".  I make use of the %DART% variable used when we created the DART partition to reference that partition during the task sequence progress.

4) In SCCM create a package that contains only the DART recovery image which should be named winre.wim.  We will use the Run Command Line pictured to move the contents of the package (winre.wim) to the Recovery folder we previously created on the DART partition.  If you are curious about the switches for XCOPY you can open a command prompt and run "xcopy /?" to see the descriptions.

5) For both x64 and x86 Windows 7 architectures be sure to check the box "Disable 64-bit file system redirection".  Start in "C:\Windows\System32" which is where the task sequence will run the command to disable Windows Recovery.

6) Next we will again run a Windows Recovery command and specify the new location Windows should look for to run winre.wim when it is needed.  The old location pointed to %SYSTEMDRIVE%\Recovery\GUID#\winre.wim (Recovery is a hidden and security protected folder). 

7) This command will re-enable Windows Recovery.

8) Last, here is how I hide the DART Recovery partition drive.  This way you don't waste a drive letter or add confusion for the users.  The easiest way I've found to get the volume and drive letter you need to hide is during the task sequence. You can press F8 after the partitions are created.  This pops up a command prompt used for troubleshooting.  This command prompt is turned off by default and can be enabled by first going to the properties of your boot images and selecting the Windows PE tab.  There you will see a check box to "Enable Command Support".  You will need to redistribute your boot images to the Distribution Points after this change.

9) Once you are in the command prompt type DISKPART and press Enter. You are now in Diskpart and can type LIST VOL and press Enter. You will see a list of volumes and drives and can spot one labeled DART (generic picture below as DART is not shown). Note the volume and drive letter. On my desktops I got a volume of 0 and a drive of D but on my laptops I got a volume of 1 and a drive of D.

10) Create a new SCCM package containing a text file with commands similar to the image below. I have two text files for my two different deployments. You may only require one text file for all of your deployments, if the drive hides on all of your machines.

11) Finally you run a command line sequence in SCCM that calls DISKPART with a /S which is a switch to call a script. You cannot just type in commands for DISKPART but only pass a text file with the scripted commands you wish to run. The ".\MyTextFileName.txt" will point the /S switch to the attached package and the exact text file you have in the package (provided it is called "MyTextFileName.txt" as in this example). 
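Steps 9 to 11 need one DISKPART text file per hardware type because the volume number differs. As an added example (not code from the original post), the script below finds the DART volume by its label, writes the DISKPART script for that volume and runs it with /S exactly as step 11 does, so a single package works for both the desktop and laptop cases. The label "DART", the temporary script path, and the choice of DISKPART commands used to hide the volume are my assumptions (the post's own text file is only shown as an image); it also assumes the step runs where PowerShell is available, i.e. in the full OS rather than a boot image without the PowerShell component.

```powershell
# Added example, not from the original post.
$label      = 'DART'                                  # assumed volume label of the recovery partition
$scriptPath = Join-Path $env:TEMP 'HideDart.txt'      # assumed location for the generated script

$vol = Get-WmiObject -Class Win32_Volume -Filter "Label = '$label'"
if ($null -eq $vol) { throw "No volume labelled '$label' was found" }
if (-not $vol.DriveLetter) { "Volume '$label' already has no drive letter"; return }

$letter = $vol.DriveLetter.TrimEnd(':')

# DISKPART accepts a drive letter in "select volume", so the volume number that
# differed between the post's desktops and laptops is never needed.
@"
select volume $letter
remove letter=$letter
exit
"@ | Set-Content -Path $scriptPath -Encoding ASCII

# Same invocation as the task sequence step: diskpart with the /S switch
$output = & diskpart.exe /s $scriptPath
$output
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Confirm the letter is gone
Get-WmiObject -Class Win32_Volume -Filter "Label = '$label'" | Select-Object Label, DriveLetter
```

In a task sequence this replaces the package containing MyTextFileName.txt with a package containing this script, run as powershell.exe -ExecutionPolicy Bypass -File .\HideDart.ps1.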

For more information on DART deployment options including MDT please refer to this 2011 TechED video: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL306