Windows Autopilot – Configure OneDrive from OOBE?!

Recently Microsoft introduced Windows Autopilot. This is a feature where you can register your corporate devices and where users can use their internet connection to sign in with their Azure AD credentials. The device is automatically enrolled with an MDM like Intune and will receive apps and policies from there. According to Microsoft’s recent blog post and instruction video, a user needs to enter their WiFi password, as the device will get the configuration from MDM and is already enrolled, without having the option to change the MDM provider or enroll the device as a personal device. The device really becomes a corporate-owned device. This looks a bit like the Apple Device Enrollment Program. One of the interesting parts of that instruction video is that it looks like OneDrive can be pre-configured from OOBE as well:

[Screenshot: WindowsAutoPilotOneDrive.PNG]

I hope that Microsoft will further expand the possibilities of this service. What I would like to see is that the device can cache/download applications and settings from Intune during the factory imaging process. This ensures that applications, policies and settings are pre-loaded on a device and don’t need to be downloaded anymore. This will dramatically decrease network bandwidth and deployment time.

Hyper-V RemoteFX doesn’t work with Shielded VMs

Cause

Recently I replaced my workstation and that was a perfect time to rebuild my home lab. After I got the green light from my employer to install the all-new Windows 10 Creators Update, I also installed Hyper-V and started to build servers in my lab. I was playing around with Shielding, Virtual TPM and SecureBoot until I found out that RemoteFX didn’t work anymore. I added the RemoteFX adapter to a VM with shielding enabled, but saw in the Hyper-V Settings menu that “0 virtual machines are currently using this GPU”. I first thought about updating my drivers, but I realized that I was playing around with some new features. After disabling Shielding for this VM, RemoteFX started to work!


PowerShell Function to Restart a Process

My notebook connects to a docking station with access to my receiver with speaker set, 2 screens, power and a KVM switch for my mouse and keyboard. When I lock my laptop, the sound switches from the receiver to my internal speakers. When I unlock my laptop, the sound switches back but the Spotify application doesn’t play any sound. Closing the application doesn’t solve this problem, because the application will crash and I have to use the Task Manager to force the application to close. I made a PowerShell function that I’ve added to my PowerShell profile.

The Restart-Spotify function looks for any process that ends with “spotify” and stops the process. When all the processes are killed, a new instance of Spotify will be opened and the PowerShell console will close itself.

Even a reinstall of Spotify doesn’t help solve this issue, which I’ve been facing for months now. So the above script is a great workaround for me.

Remove default Windows 10 Apps

WARNING: Removing Windows 10 Apps can make your system unstable. I had issues with my NUC after removing some default applications. Don’t do this in your master Enterprise image! Block apps with AppLocker instead.

Use the following PowerShell command to check which Windows 10 Apps are installed:

Get-AppxPackage | Select Name

Make sure that you get all the packages that you want to delete in one view. For example:

Get-AppxPackage | Where {$_.Name -ilike "Microsoft.ZuneVideo" -or $_.Name -ilike "Microsoft.WindowsCamera"}

To remove those packages, pipe them to Remove-AppxPackage:

Get-AppxPackage | Where {$_.Name -ilike "Microsoft.ZuneVideo" -or $_.Name -ilike "Microsoft.WindowsCamera"} | Remove-AppxPackage

SCCM – IIS Error code 403 13 2148081683

Problem:

If you see the following error in your IIS Logs (C:\inetpub\logs\LogFiles\W3SVC1), it’s possible that the CRL of your Certificate Authority isn’t reachable or valid anymore:

<IP Address> GET /SMS_MP/.sms_aut MPLIST 443 - <IP Address> SMS_MP_CONTROL_MANAGER - 403 13 2148081683 5701 18

Solution:

Export a certificate from your personal certificate store (for example, an SCCM Client Certificate) to your C: drive. Open a command prompt with elevated rights and type:

certutil -url "C:\Certificate.cer"

Check if the CRL can be verified. Open the CRL manually and check that the base and delta CRLs aren’t expired. In this case, the AD CS service wasn’t started and the delta CRLs were not up-to-date. The service may have crashed because the startup type was set to “Automatic”.
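To find every affected request rather than spotting one line by eye, the following added example (not from the original post) parses IIS W3C log lines using the #Fields header, selects 403.13 responses, and decodes sc-win32-status 2148081683 to 0x80092013 (CRYPT_E_REVOCATION_OFFLINE: the revocation server could not be reached). The function name Find-RevocationFailure and the sample log lines are constructed for illustration.

```powershell
# Constructed sample in IIS W3C format; dates and addresses are made up for this example.
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-01-01 10:00:01 192.0.2.10 GET /SMS_MP/.sms_aut MPLIST 443 - 192.0.2.10 SMS_MP_CONTROL_MANAGER - 403 13 2148081683 18
2017-01-01 10:00:05 192.0.2.10 GET /SMS_MP/.sms_aut MPLIST 443 - 192.0.2.21 ccmhttp - 200 0 0 31
2017-01-01 10:00:09 192.0.2.10 CCM_POST /ccm_system/request - 443 - 192.0.2.22 ccmhttp - 403 13 2148081683 12
'@ -split "`r?`n"

# Hypothetical helper: returns one object per 403.13 response found in the given log lines.
function Find-RevocationFailure {
    param([string[]]$Line)

    # 2148081683 decimal = 0x80092013 = CRYPT_E_REVOCATION_OFFLINE
    $revocationOffline = [uint32]'2148081683'
    $fields = @()

    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Column order can differ per site, so always take it from the header.
            $fields = ($l -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($l -like '#*' -or [string]::IsNullOrWhiteSpace($l) -or -not $fields) { continue }

        $values = $l -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        if ($row['sc-status'] -eq '403' -and $row['sc-substatus'] -eq '13') {
            $code = [uint32]$row['sc-win32-status']
            [pscustomobject]@{
                Time              = '{0} {1}' -f $row['date'], $row['time']
                Client            = $row['c-ip']
                Uri               = $row['cs-uri-stem']
                Win32Hex          = '0x{0:X8}' -f $code
                RevocationOffline = ($code -eq $revocationOffline)
            }
        }
    }
}

Find-RevocationFailure -Line $sampleLog | Format-Table -AutoSize
```

Against a real server, pass the lines of one log file from C:\inetpub\logs\LogFiles\W3SVC1 via Get-Content instead of $sampleLog. A 403.13 row where RevocationOffline is False points to a certificate that is actually revoked rather than an unreachable CRL.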

How to Clear a TPM 2.0 chip with SCCM and PowerShell

With TPM 1.2, Microsoft was able to clear the TPM during the SCCM Task Sequence without asking for permission to clear the TPM. With TPM 2.0, SCCM is unable to clear and activate the TPM chip during the deployment. The first time you boot your computer, you need to provide a BitLocker Recovery Key, or the tpm.msc console will tell you that the TPM is ready for use, with reduced functionality.
