More UEFI Fun: Apply Operating System Fails Again and Again

Y’know, I’m just going to stop mentioning 0x80004005 because we all know it’s the most common thing that happens when a deployment craps out, and it’s the least useful error code ever anyway.

The situation was that, on yet another Latitude E7470 with UEFI boot, my Win 10 1703 EDU task sequences are failing at the very early “Apply Operating System” step.  Consistently.  SMSTS.log tells me stuff about the system drive and partitions, so I’m wondering then if it can’t find the drive for some reason.

I do a search on “Unable to find the partition that contains the OS boot loaders. Please ensure the hard disks have been properly partitioned”

CMTrace also identified this information:

Unspecified error (Error: 80004005; Source: Windows) ApplyOperatingSystem 6/16/2017 8:54:50 AM 2004 (0x07D4)

I happened upon Henk’s blog post.  Flippin’ Secure Boot.

I went into BIOS after a reboot, turned off Secure Boot…..and now I’m watching a beautiful vision of task sequence that’s actually applying.

 

UEFI? Book it!

This past week, my Win10 task sequences were failing on the Latitude E7470s.  Yet they were fine on my testbed Intel NUCs.  The same task sequences, so it wasn’t the software.  What the hell was going on here?

Then I started piecing it together.  Intel NUCs vs. Lat 7470s.  The task sequence on the Lats go really quickly to Applying Operating System where it failed.  SMSTS.log said:

There are no more volumes available for use.

The requested target could not be resolved to a valid volume on this computer. Check your task sequence to ensure this drive is correct and that it is being createdThe requested target could not be resolved to a valid volume on this computer. Check your task sequence to ensure this drive is correct and that it is being createdThe parameter is incorrect. (Error: 80070057; Source: Windows) ApplyOperatingSystem 6/15/2017 9:03:44 AM 1596 (0x063C)

I then noticed that the step where the TS should be formatting my drive to UEFI was not actually starting.  Why?  It had to be that step, because the NUCs, which are on legacy boot, partition normally as BIOS.  I looked at my task sequence variables, because everything else looked fine.  Then, I saw it:

The variable “_SMSTSBootUEFI” had somehow changed to “_SMSTSBookUEFI.”

And since I copy/paste tasks from sequence to sequence, I had inadvertently copied this error to all of my Win 10 task sequences.  After correcting that, my Lat 7470s partitioned, formatted, and applied the OS correctly.

But how in the hell did that get changed in the first place?

Deploying Sketchup 2017 with SCCM & Windows 10 1703 EDU

For the past few months, I’ve been struggling to deploy Sketchup 2017 with SCCM.  2015 seemed to deploy much more smoothly, despite having to implement a few kludgy workarounds.  But no matter what I tried, 2017 would fail during a task sequence with the dreaded 0x80004005.

Sketchup’s support site mentioned that 2017 requires .NET Framework 4.5.2, and seemed to imply that 4.5.2 was the only version that it supported.  That sounded strange to me, especially since attempting to install 4.5.2 on an updated and patched Win10 introduced even more work than I wanted to put in.  And once I ran updates, I had .NET 4.7 anyway.

But they also mentioned needing to install the Visual C++ 2015 Redistributable.  My vanilla Win10 install has 2013 installed.  OK, so let me give that a try!

I manually installed VC++ 2015, then installed Sketchup.  Success!

I wiped the machine and tried to install Sketchup by itself.  FAILURE!  I forget the exact error message, but it would fail:

For our friendly neighborhood search engine crawlers, the text of the error is:

Module C:\Program Files\SketchUp\SketchUp 2017\ThumbsUp.dll failed to register. HRESULT -214024770. Contact your support personnel.

 

I grabbed the stand-alone installer for VC++ 2015, packaged that up, then applied it to my task sequence.  I also created some basic .CMD files to copy the volume license file and to clean the desktop of the shortcuts that Sketchup created.

In my source folder, I have four files: the Sketchup MSI installer itself, my activation_info.txtcleanuplinks.cmd, and actinfo.com.

cleanuplinks.cmd:

@echo off
del "C:\users\public\Desktop\Layout 2017.lnk"
del "C:\users\public\Desktop\SketchUp 2017.lnk"
del "C:\users\public\Desktop\Style Builder 2017.lnk"

:SUCCESS
exit /b 0

actinfo.cmd:

@echo off
copy "\\systemcenter\sources\Apps\SketchUp Pro 2017\Files\activation_info.txt" "c:\programdata\sketchup\sketchup 2017"

Naturally, both could be combined into a single batch file, but I kept them separate so that I could activate & deactivate either in my task sequence while I’m still testing.

Finally, how the task sequence is built:

 

 

Customizing Windows 10 for Schools

Using Windows 10 1703 Education, I applied a number of customizations, drawn from several expert sources and cobbled together into my own Frankenstein’s-Monster of a deployment, with SCCM 1702.

Strategy and Design

Like with all good projects, we need to figure out what the hell we’re trying to do in the first place before leaping into actually doing it.  So we’re going to move all of our deployed computers throughout the district to Windows 10.

Great.

How?

It’s not as simple as “build an image, slap in some software that’s common to everyone, wait for the summer, and hit the uncooled classrooms in the middle of July.”  The default installation of W10 is, at first glance, geared more toward a home-user/personal-experience motif than a professional environment where we take things seriously.

We need to get rid of the superfluous stuff in the Start menu, provide only what’s necessary in the task bar, shut down all the privacy holes, but at the same time still allow staff and students to be able to customize the computing experience (within reason).  We’re not so draconian as to prohibit changing wallpapers and color themes, but we’d also like to provide at least a more organization-centric set of options to begin with.

We’d like to see some simplified task sequences in SCCM, so that if we need to make updates district-wide, we’re not stumbling over the entire console, making repetitive changes to every task sequence.  This means more creative use of task sequence variables and making sure our OUs in AD are cleaner (hah!) and appropriate (hee!).

Setting the Stage

In my SC deployment share (\\[SCCMShare]\sources\packages), I created a folder named “Win10Customizations.”  This will house all of the files, scripts, and folders.

The Details

Start Layout

I wanted to use a partial Start layout so that the commonly used apps in our organization are available immediately, all the superfluous nonsense removed, and still allow users customization ability.  I used my reference machine to build out the Start Menu the way I wanted to see it, then exported its XML with Powershell (see Links & Resources below).

I created a GPO simply titled “Win 10 Start Layout Customization” and made the following changes:

Computer Config > Policies > Administrative Templates > Start Menu and Taskbar set to Enabled and added the path to where my XML would reside on the local drive (in my case, C:\StartLayout\start17.xml)

The second step is to use a Powershell script to create the folder and copy start17.xml to the local drive from our SCCM share.  The script that I used (through lots of trial and error, as I’m quite a PS newbie) is:

$folder = "C:\StartLayout"
$file = "start17.xml"
$fullPath = "$folder\$file"

$source = "\\systemcenter\sources\packages\Win10Customizations\Start Layout\start17.xml"

# Check if folder & file already exist

if (!(Test-Path -path $fullPath)) {
 # File & folder do not exist, so check if the folder by itself exists
 if (!(Test-Path -path $folder)) {
 try {
 New-Item $folder -ItemType Directory
 }
 Catch {
 Write-Warning "Error in creating folder: $error"
 break
 }
 }

}


# Folder has been created or already existed, so copy the file to it

try {
 Copy-Item -path $source -destination $folder
}
Catch {
 write-warning "File already exists."
 break
}

As I’m looking at this code, I realize that I made a few inefficient moves already, but again, I’m still learning!  If you have a cleaner or more robust way of accomplishing the same thing, I’m all ears!  But I think you get the point of what I’m trying to do here.

I placed both the Powershell script and the Start layout XML in the same folder.  Then, I created a no-program package in SCCM for the Start Layout.  This is then added to my task sequence, calling a Powershell script referencing the above:

Next, I wanted to get rid of some of the apps in the Start Menu that we’re not going to need in-district.  To do this, I followed Jörgen Nilsson’s instructions for grabbing a list of apps and then manipulating the script to remove them.

Links & Resources

https://blogs.technet.microsoft.com/deploymentguys/2016/03/07/windows-10-start-layout-customization/#Partial

Pin apps to the Taskbar in Windows 10 1607 with Group Policy

SCCM Query for Windows 10 Versions Less than 1607

We started deploying Windows 10 on a wider scale to our users in the summer of 2016.  However, our SCCM installation was broken at the time, so we weren’t able to provide too much in the ways of updates.  We created a from-scratch task sequence of Windows 10 using 1511 as our base, figuring that once that was done ahead of the 2016-17 school year, we could then concentrate on repairing, restoring, or reinstalling SCCM.

Several months later, we reinstalled SCCM and updated to 1702.  Now we can get back to work.

I wanted to know which of the machines out there that have Win10 are still on versions older than 1607 so we’d know what we’re dealing with for the forthcoming upgrade project.  To do this, I created a query in the Config Mgr console:

The query pane

Start by clicking Create Query either in the ribbon or right-clicking on “Queries” in the navigation pane or in the results pane.  This launches the Create Query Wizard.

Enter a name.  I used “Who’s not Win10 1607?”  I also limited the search to “All Workstations.”  Click “Edit Query Statement…”

Under the “Criteria” tab, I created a new criterion (click the star button).

In Criterion Type, leave the type as “Simple Value” and click “Select…”  Choose “Operating System – Version.”  For the Operator, choose “is less than” and type “10.0.14393” in “Value.”

Note: if you want to include 1607, change the operator to “less than or equal to” instead.

Also note: the value field is a string value, so we’re lucky in that “10.0.xxxxx” occurs earlier as a string than Windows 7 and Windows 8 versions (which start with 6).  If I wanted only Windows 7 or Windows 8 machines, I’d have to get a little fancier with my criteria if I didn’t want to include Windows 10 in the results.

Click OK.

For my query, I only wanted certain fields (columns), not all of them.  So I chose Name, Last Logon User Name, Last Logon Time Stamp, Version, Last Boot-up Time, IP Addresses, and Operating System Readiness Branch.  You can choose other fields by clicking the “Select” button and going through the desired attributes.

To use this set, you can also use my query in a query language window if you don’t want to go through the click/select process.  Click the “Show Query Language” button and copy/paste this:

select SMS_R_System.Name, SMS_R_System.LastLogonUserName, SMS_R_System.LastLogonTimestamp, SMS_G_System_OPERATING_SYSTEM.Version, SMS_G_System_OPERATING_SYSTEM.LastBootUpTime, SMS_R_System.IPAddresses, SMS_R_System.OSBranch from  SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_OPERATING_SYSTEM.Version < "10.0.14393" order by SMS_G_System_OPERATING_SYSTEM.Version

Note: Change the < to <= if you want to include 1607.

Once you’re done, run the query.  I have 45 devices on versions of Win 10 earlier than 1607:

I can see now that most of my users are on Current Branch.  I have three on 1507 (support for which just ended), and given who the users are, they need updates (updating won’t break what they do).  Everyone else is on 1511.

When I change my query to <= 10.0.14393 instead, I get over 150 results, so that means most of my deployments are on 1607 (yay!).

Finally, a side benefit I discovered in this query is that I could find a few incorrectly named computers that have Windows 10 deployed.  Our naming convention includes the form factor of a device as well as its OS version so that we can see what we’re dealing with at a quick glance without having to look it up.  Within the first five entries, I see three computers that need to be renamed (which is a help desk ticket for the technicians responsible for those areas).

 

 

 

Windows 10 Enterprise vs. Education

Numerous posts and bits of info exist on the difference between Windows 10 Enterprise edition and its counterpart, Education.  In a nutshell, they are both functionally the same product.  The main immediate difference is that Win10 Education, which is only available through an educational institution’s volume licensing agreement with Microsoft, allows an in-place upgrade over Windows 10 Home Edition.

This allows schools to purchase devices with the lower-cost Home edition installed, and upgrade to Enterprise-grade Education version on top of it.

However, I overheard at the Midwest Management Summit this past week (May 15 – 18, 2017) that Microsoft is beginning to hint that educational institutions that have been using Win10 Enterprise should really switch over to Education instead.  I haven’t found any confirmation on this or what’s planned for the future to enforce this shift, however.