Customizing Intel NUC BIOS with Intel Integrator Toolkit

I’ve noticed that the newer model NUCs I’m purchasing (specifically the NUC7i7BNH) ship with a 12-character serial number populated in BIOS. A while back, I wrote a post about how to add one should it be missing. The utility used in that post is no longer available for download, and the last time I used it the NUC bricked, so I set off to find a new tool to interact with NUC BIOS. Enter the Intel Integrator Toolkit.

This is a really pretty picture, strategically placed to reduce the disappointment you will encounter in the next paragraph 🙂

Now, don’t get mad at me, but to use the Intel Integrator Toolkit you have to disable Secure Boot in order to turn on the “Internal UEFI Shell” feature (which isn’t something you should leave on, because it interrupts the normal boot into Windows unless you press a key to quit it). I’m not really fond of tools that provide little automation in the end and also require you to turn off security features just to use them. Especially when the BIOS properties of other major PC vendors can be manipulated from within Windows, automated and distributed via a sequence engine, all with Secure Boot left turned on.


Look, I have no idea what they were thinking. I’m just as confused as you.

Now on to the purpose of this post:

If you want to use the Windows Autopilot script on your Intel NUCs, you’re in for some failure if the serial number is missing, because the script requires a serial number 🙂

So, to fix it in a scenario where you want to add/change/remove/whatever a serial number or other BIOS properties, you need to:

  1. Download the Intel Integrator Toolkit (which is a .EFI file and some documentation)
  2. Format a USB drive as FAT32
  3. Copy the .EFI file from the download to your formatted USB drive
  4. Disable Secure Boot
  5. Enable Internal UEFI Shell

Now to manipulate the Serial Number property, simply boot into the Internal UEFI Shell (if it’s enabled in BIOS, it gives you a few seconds to cancel out before it interrupts the normal Windows boot process, so best not to leave this turned on outside of this scenario). When you’re done, turn the shell back off and re-enable Secure Boot; you only needed both changes for the length of this task.

To edit the serial number use the following syntax:

ITK6.efi -s -t system -f serial -v mySerial

Where “mySerial” is the serial number you want to enter. The -s, -t and -f switches drill down specifically to the Serial Number property. Full documentation on how to use the switches is in the guide that ships with the toolkit.

Here’s a list of customizations you can do with v6.1.6 of the toolkit:

- Manufacturer
- Product Name
- Serial Number
- SKU Number
- Family
- Asset Tag
- Chassis Type
- OEM String (up to 3)


OneDrive Woes in the Win10 AU

I have a *workaround* for anybody experiencing OneDrive crashing in the Windows 10 AU (1607). What I’m doing isn’t a sustainable practice if you’ve got the error across a large environment.

Not so shiny error in the event log! Faulting application name: OneDrive.exe

Event Name: SkyDriveClientError

My environment:
- Bare-metal deployment of AU
- Domain joined
- The domain account logging in is not an administrator account, although when signing in with an admin account, the problem persists.

I did my homework:
- There are no GPOs blocking MS accounts or OneDrive; it works in Windows 7, Windows 8.1, and Win10 1511.
- McAfee Enterprise: see above; it works in other environments, and we’ve got nothing configured that would interfere.
- Firewall/QoS/etc.: see above; nothing that would prevent the app from running.
- Obtained media from VLSC and imported into MDT; zero customization done here.

After doing a lot of reading, I’m kind of relieved I’m not the only person with the issue; a lot of you are having it. The only workarounds I ever saw posted were to roll back to 1511 or check EMET settings. Neither applies here, because I did a bare-metal deployment and we aren’t using EMET.

So, if I can’t roll back, what can I do?
I decided to add a Microsoft account (not the same one I was using for OneDrive, mind you) as a user on the PC. I didn’t make it administrator, just a regular user. BAM! OneDrive works. That MS account had ~20GB of data I was able to sync. Time to test on the domain account, and what do you know? Now it works and is happily syncing 200GB of data.

Edit: I’m told by Sandy that in an upgrade scenario, if you’re having the issue, you can delete HKLM\Software\Policies\Microsoft\Windows\OneDrive

#SQLSunday – Find Device Collections and Collection Membership

I try to use the ConfigMgr console as little as possible these days (long story).  So, here’s a SHINY and FUN thing you can do in SQL!

Want to know what device collection an endpoint belongs to?

select distinct
v_FullCollectionMembership.CollectionID As 'Collection ID'
, v_Collection.Name As 'Collection Name'
, v_R_System.Name0 As 'Machine Name'
from v_FullCollectionMembership
JOIN v_R_System on v_FullCollectionMembership.ResourceID = v_R_System.ResourceID
JOIN v_Collection on v_FullCollectionMembership.CollectionID = v_Collection.CollectionID
--Uncomment below if you want to be specific.  To return several specific systems, combine names with OR (or use IN); AND would require one row to match every name and returns nothing.
--Where v_R_System.Name0='MDT01'

Here’s all the collections my MDT server currently belongs to in this environment.

Alternatively, want to return all the rows?

select * from v_FullCollectionMembership
where name ='MDT01'

And the most useful I’ve found from that view for reports is:

select distinct
v_FullCollectionMembership.CollectionID As 'Collection ID'
, v_Collection.Name As 'Collection Name'
, v_R_System.Name0 As 'Machine Name'
, Domain
, SiteCode
, IsClient
, IsVirtualMachine
, VMHostName
from v_FullCollectionMembership
JOIN v_R_System on v_FullCollectionMembership.ResourceID = v_R_System.ResourceID
JOIN v_Collection on v_FullCollectionMembership.CollectionID = v_Collection.CollectionID
--Uncomment below if you want to be specific.  To return several specific systems, combine names with OR (or use IN); AND would require one row to match every name and returns nothing.
--Where v_R_System.Name0='MDT01'

Very SHINY columns are returned when running this query!

OSD – HP Driver Tips

Working on certifying drivers for some older model HPs in the shop. My options are:

1. Use Mikael Nystrom’s “PowerShell is King – Export drivers from Windows” post. Good stuff if you have a box already configured how you want it and it’s not Windows 7.

(do a get-command export* and you'll see you can't use export-windowsdriver in Win 7)

Good Windows 7 Options:

2. If you get stuck installing a driver as an application, check in Program Files/Program Files (x86) for the unpacked files to see if an .inf was dropped there. Be careful pulling the .inf file, as some of the SoftPaqs need the software stack to work properly (see method 4 below for this scenario).

Found the driver for Bluetooth for a ZBook in this folder in Program Files (x86)

3. On HP systems, I generally find the majority of the unpacked files in C:\SWSetup, and then I search Program Files.

C:\SWSetup is a common unpack directory for Support Assistant and manual installs.

4. Another HP trick is to use the HP SoftPaq Download Manager. Once you load up the model you want, you can right-click any of the listed drivers to get the fly-out menu and select the CVA file. If it exists, it will give you install and silent-install instructions for those pesky drivers that need to be installed as applications.

Using HPSDM to get the driver package and install instructions.

Install instructions are in a CVA that you open with Notepad, then scroll to the install section.

A fun tip about the CVA file: if you know the SoftPaq number, you can just find it at this URL (this only works if there actually is a CVA; not everything has one, but better than nothing, right??)

SQL Report: Unused Applications SCCM

This post is inspired by System Center Dudes’ post on auto-uninstalling unused apps in your environment. It also has the same requirement: Software Metering must be working in your environment if you want actual usage stats rather than just whether the thing is installed or not.

Disclaimer: I’m non-technical so these SQL queries come without warranty.  The good news is it’s only reads, so you’re not destroying anything 🙂

System Center Dudes’ post uses WQL to create device collections that let you gather info on specific installed applications and also uninstall a specific application if it hasn’t been used within a certain time frame (120 days is good enough for me!). It’s an awesome idea, but I simply want to report on the presence of software and its usage to help management decide whether we should buy the same number of licenses for a specific product at renewal time.

Here’s what I came up with:

--Specific Product Installed
select Name0 as ComputerName, Resource_Domain_OR_Workgr0 as 'Domain/WorkGroup', Client0
from
dbo.v_R_System
inner join v_GS_INSTALLED_SOFTWARE on v_GS_INSTALLED_SOFTWARE.ResourceID = v_R_System.ResourceID
where
v_GS_INSTALLED_SOFTWARE.ProductName0 like 'Stata%'


--Computers where the metered product was used within the last 120 days
select Name0 as ComputerName, Resource_Domain_OR_Workgr0 as 'Domain/WorkGroup', Client0
from
dbo.v_R_System
inner join v_MonthlyUsageSummary
on v_R_System.ResourceID = v_MonthlyUsageSummary.ResourceID
inner join v_MeteredFiles
on v_MonthlyUsageSummary.FileID = v_MeteredFiles.MeteredFileID
where
v_MeteredFiles.ProductName like 'Stata%' AND DATEDIFF (day, v_MonthlyUsageSummary.LastUsage, GetDate()) < 120
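The two posts above hand-edit a machine name or product name into the WHERE clause. As an added example (not code from either post), here is the same pair of reports run from PowerShell with parameterized SQL, so a name taken from a report prompt or a pipeline can never alter the query text, plus the query the Unused Applications post is really after: machines that have the product installed but show no metered usage in the last N days. The server name CMSQL01, database name CM_PS1, integrated authentication and read access to the CM views are assumptions; the view and column names are the ones used in the posts.

```powershell
# Added example: parameterized ConfigMgr database queries from PowerShell.
# Assumptions (not stated on the page): SQL Server 'CMSQL01', database 'CM_PS1',
# Windows-integrated auth, read access to the CM views. Needs only
# System.Data.SqlClient, which ships with the .NET Framework.

function Invoke-CmQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [hashtable]$Parameters = @{},
        [string]$Server   = 'CMSQL01',   # assumed site database server
        [string]$Database = 'CM_PS1'     # assumed site database name
    )
    $connectionString = "Server=$Server;Database=$Database;Integrated Security=SSPI"
    $connection = New-Object System.Data.SqlClient.SqlConnection $connectionString
    $command = $connection.CreateCommand()
    $command.CommandText = $Query
    foreach ($name in $Parameters.Keys) {
        # Values travel as typed SQL parameters, never spliced into the query text.
        [void]$command.Parameters.AddWithValue("@$name", $Parameters[$name])
    }
    $table = New-Object System.Data.DataTable
    try {
        $connection.Open()
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $command
        [void]$adapter.Fill($table)
    } finally {
        $connection.Dispose()
    }
    return $table
}

# Every collection one device belongs to (the #SQLSunday query, with the
# machine name passed as @Name instead of edited into the WHERE clause).
function Get-CmCollectionMembership {
    param([Parameter(Mandatory)][string]$ComputerName)
    $sql = @'
select distinct
    fcm.CollectionID as [Collection ID],
    col.Name         as [Collection Name],
    sys.Name0        as [Machine Name],
    fcm.Domain, fcm.SiteCode, fcm.IsClient, fcm.IsVirtualMachine, fcm.VMHostName
from v_FullCollectionMembership fcm
join v_R_System   sys on sys.ResourceID   = fcm.ResourceID
join v_Collection col on col.CollectionID = fcm.CollectionID
where sys.Name0 = @Name
'@
    Invoke-CmQuery -Query $sql -Parameters @{ Name = $ComputerName }
}

# Machines that have the product installed but no metered usage in the last
# N days: installed set minus used set. The LIKE pattern (e.g. 'Stata%') is
# still a pattern, so keep wildcards under your control.
function Get-CmUnusedSoftware {
    param(
        [Parameter(Mandatory)][string]$ProductPattern,
        [int]$Days = 120
    )
    $sql = @'
select distinct
    sys.Name0                      as ComputerName,
    sys.Resource_Domain_OR_Workgr0 as [Domain/WorkGroup],
    inst.ProductName0              as Product
from v_R_System sys
join v_GS_INSTALLED_SOFTWARE inst on inst.ResourceID = sys.ResourceID
where inst.ProductName0 like @Pattern
  and not exists (
      select 1
      from v_MonthlyUsageSummary mus
      join v_MeteredFiles mf on mf.MeteredFileID = mus.FileID
      where mus.ResourceID = sys.ResourceID
        and mf.ProductName like @Pattern
        and datediff(day, mus.LastUsage, getdate()) < @Days
  )
'@
    Invoke-CmQuery -Query $sql -Parameters @{ Pattern = $ProductPattern; Days = $Days }
}

# Usage:
#   Get-CmCollectionMembership -ComputerName 'MDT01' | Format-Table
#   Get-CmUnusedSoftware -ProductPattern 'Stata%' -Days 120 | Format-Table
```

Machines with no Software Metering data at all also land in the "unused" list, which is the behaviour you want for a license-renewal report but worth remembering if metering was only recently enabled.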

Find text using PowerShell

I totally broke the setup of a non ConfigMgr system that I’ve been tasked with setting up.

Oops, I did something wrong!

Oops, I did something wrong!

Somehow, in some way, I hard-coded the TEST SQL server/database rather than the PROD SQL server/database into a config file. The bigger problem was that this is a system I had never heard of until a few days ago, so my only hope was combing through logs to find my error.

Log files always have the answer ;)

Once I found it, I started clicking through the install directory only to see there were too many config files and folders to know where to start.  I had two options, open every file or find it in PowerShell.

Here’s what I came up with to find what I was looking for:

dir "C:\program files\Ami FP Test" -I *.* -R | select-string SQLTEST

Sure enough, here’s the very config file where I made the mistake.

PowerShell is KING!

Found my mistake!

Hey, Scripting Guy has a more “pretty” and correct way of using this same method and you should read it.  But if you’re new to PowerShell, I want you to know that if it works, it doesn’t have to be pretty.  Use what works as your base to learn better ways to do things.

Create Local User Based on Serial Number

If you ever find yourself wanting to create a local user based on something super specific (like Serial Number) then this post is for you.

First you need your script:

#
#Created by Ami Casto Twitter:@MDTPro Blog:http://amicasto.com
#
#This script will create a local user account based on Serial Number, set the password to never expire, prevent user from changing the password, and add it to the Local Admin Group
#
#Make it all clean - this could be commented out if unwanted
#
$Error.clear() # Clear errors
$startupVariables=""
#
#Queries Win32_Bios for Serial Number and pulls out the serial number to return it on a single line which gets captured as a variable
#
$SN = gwmi win32_bios | Select-Object -ExpandProperty SerialNumber
#
# $SN now equals the hardware's Serial Number and this variable is used to create a user account, set a password, and prevent that user from changing it
#
net user $SN P@ssw0rd /add /passwordchg:no
#
#This step sets the password to never expire
#
wmic useraccount where "name='$SN'" set passwordexpires=false
#
#This step adds the newly created account to the Local Admin group
#
net localgroup administrators $SN /add
#

Just copy/paste and save it as user.ps1 in the Scripts folder.

In MDT, open your preferred task sequence and create a new group where you would like the step to go.  Since this account is a local user and won’t be able to access anything specific to the deployment anyway, I’m adding the account near the end.

I've added the PowerShell script in a group I created for this step.

Notice that I call it this way: %SCRIPTROOT%\user.ps1. You could create a separate folder within the Scripts folder, but you’ll have to remember to include that in the path as well, otherwise your deployment will fail.

And, Success!

Complete

It worked as expected – the user account matches what’s in the Serial Number property.

Disclaimer: It is very important that you pick a property that is short and doesn’t have special characters. So I wouldn’t do this on a VM, for example; I’d pick something from win32_bios such as model.

If you want to make this work on an Intel NUC, then you need to read my post about how to assign a Serial Number for your NUC.
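The same idea with the disclaimer’s checks done in code, as an added example rather than the script from the post: the account is still named after the SMBIOS serial, still set to never expire and not user-changeable, still added to local Administrators, but the serial is validated first (present, at most 20 characters because that is the limit for local user names, only letters, digits and hyphens, and not one of the placeholder strings some firmware ships with) and the password comes from the caller instead of being written into a script that sits readable on the deployment share. Windows 10 / PowerShell 5.1 for the LocalAccounts cmdlets, the placeholder list, and the task sequence variable name LocalAdminPassword in the usage comment are assumptions.

```powershell
# Added example, not the script from the post. Assumptions: Windows 10 /
# PowerShell 5.1 (New-LocalUser, Add-LocalGroupMember); the placeholder
# serials below are ones commonly seen on boards with no serial programmed.

function Get-SerialUserName {
    # Returns the BIOS serial if it can serve as a local user name, else $null.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    if ([string]::IsNullOrWhiteSpace($serial)) { return $null }
    $serial = $serial.Trim()
    # Local user names are limited to 20 characters; the post's "short, no
    # special characters" advice becomes an explicit whitelist here.
    if ($serial.Length -gt 20)               { return $null }
    if ($serial -notmatch '^[A-Za-z0-9-]+$') { return $null }
    # Firmware placeholders (assumed list) are not identities.
    $placeholders = @('To be filled by O.E.M.', 'System Serial Number', 'Default string', '0', 'None')
    if ($placeholders -contains $serial)     { return $null }
    return $serial
}

function New-SerialLocalAdmin {
    param(
        # Supplied by the caller (e.g. read from a task sequence variable).
        # The original hard-codes P@ssw0rd, which anyone who can read the
        # deployment share can recover.
        [Parameter(Mandatory)][securestring]$Password
    )
    $name = Get-SerialUserName
    if (-not $name) {
        throw 'BIOS serial number is missing, too long, or not usable as a user name.'
    }
    if (Get-LocalUser -Name $name -ErrorAction SilentlyContinue) {
        Write-Verbose "Local user '$name' already exists; leaving it alone."
    } else {
        New-LocalUser -Name $name -Password $Password `
            -PasswordNeverExpires -UserMayNotChangePassword `
            -Description 'Local admin named after the SMBIOS serial' | Out-Null
    }
    # Resolve Administrators by its well-known SID so this also works on
    # non-English builds where the group name differs.
    $adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $alreadyMember = Get-LocalGroupMember -SID $adminsSid |
        Where-Object { $_.Name -like "*\$name" }
    if (-not $alreadyMember) {
        Add-LocalGroupMember -SID $adminsSid -Member $name
    }
    return $name
}

# Usage in a task sequence step (the variable name is an assumption):
#   $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
#   $pw    = ConvertTo-SecureString $tsenv.Value('LocalAdminPassword') -AsPlainText -Force
#   New-SerialLocalAdmin -Password $pw
```

Because Get-SerialUserName returns $null for an empty or placeholder serial, the script fails loudly on a NUC that has never had a serial assigned instead of silently creating an account with an empty or nonsense name; that is exactly the case the next post fixes.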

Add a Serial Number to your NUC

As an Intel NUC owner, you might have noticed that your NUC doesn’t come with the serial number hard-coded into the BIOS:

NUC with no Serial Number

You can actually do this yourself with the Intel Integrator Toolkit. The site says support ended for it and it would be taken down in 2015, but here we are in mid 2016 and it’s still available :). You get a list of client OSes that support it, but I installed it on Server 2016 TP5 with no issues.

When you launch the application, you get a dialog box giving you some options.  As you can see, you could run this from another PC entirely (but don’t – you need to be present to accept the config changes).  If you’re running it from your NUC however, you can walk the wizard below to customize the BIOS and get right to it. (NOTE: You must have an active internet connection!)

Menu showing configuration options when you launch the tool.

Since I’ve picked to customize locally, the toolkit gives me a lot of options as you can see below.

Intel Integrator Toolkit

Lots of customization options!

In the SMBIOS menu, I simply input a value.  I had the Serial Number from an old HP laptop I happened to have written down handy so I input that as the value . Just kidding, I picked Beaker.  The toolkit allows you to paste in values, so you could create your own custom Serial Numbers and import them.

When you’ve finished your customization, you simply select “Save BIOS” from the ribbon.  This will install the BIOS and add all your custom configurations.

Save BIOS. Time to make it happen!

YOU CANNOT DO THIS REMOTE – YOU NEED TO HAVE A KEYBOARD ATTACHED TO ACCEPT THE CONFIGURATION CHANGE (and a monitor to read the message, or just remember to press 9 on the keyboard).  Don’t say I didn’t warn you 🙂

Be ready to press 9 to accept the change

When the configuration is complete and you sign in again, you’re greeted with a dialog box from the toolkit letting you know your change was successful.

Woohoo, you did it!

And of course, you can validate in PowerShell too!

PowerShell is King! And your Intel NUC has a Serial Number!

BONUS FOR READING THIS FAR!

Another important feature to customize is the display image.  I opted for a picture of Beaker because he’s my hero.

changing images

Office 365 Advice!

Today I was a guest on On The Air, a live tech talk show put on by Spiceworks. In the episode we talked about deploying Office 365 and played Servers and Sysadmins (a super fun IT version of the popular Dungeons and Dragons RPG). If you haven’t already seen it, here’s the link to the episode.


I wanted to also make sure to give some professional advice aside from the silliness on the show (but for real, I had a good time) so I have come up with some basic advice for getting started on your own.

Also, be sure to check out the EMS book by Kent Agerlund and Peter Daalmans.  It’s due to hit Amazon in May and will walk you through a full setup using both cloud and hybrid options.  I will post the link as soon as the book is available for purchase.

Preparing for Office 365 Migration:

Install:

- WinRM: https://www.microsoft.com/en-us/download/details.aspx?id=40855
- Microsoft Online Services Sign-In Assistant for IT Professionals Beta: http://ref.ms/msolsignin/
- Azure AD cmdlets: http://ref.ms/azureposh

Enable script execution (from an elevated PowerShell prompt):

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Unrestricted will run anything, including unsigned scripts downloaded from the internet. RemoteSigned is enough for Microsoft’s signed modules and is the safer choice; you can also scope the change to the current user rather than the whole machine.

Get to know the service descriptions. Pick what’s best for your organization and understand what you’re signing up for; it’s better to sign up for too much than not enough service.

http://www.microsoft.com/en-us/download/details.aspx?id=13602

Office 365 Deployment Guide: advice on deployment models (these are my requirements, here’s the model that works best for me).

http://technet.microsoft.com/en-us/library/hh852466.aspx

Deployment Readiness Toolkit: environment pre-checker.

http://www.microsoft.com/en-us/download/default.aspx

Office 365 admin resource center:

http://office.microsoft.com/en-us/support/office365-administrator-resource-center-FX103995410.aspx

Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit: troubleshoot config issues.

http://www.microsoft.com/en-us/download/details.aspx?id=626

Know your network, or get to know your network admins (bring whiskey!).

The slowest connection to Office 365 is going to be from your gateway to your ISP and then from the ISP to the Office 365 data center (if your ISP isn’t part of the Internet backbone).

Think about how users will be accessing services like OWA/ActiveSync, and also how much data you have to migrate to the cloud (think Exchange, S4B and SharePoint).

Get to know your organization’s QoS settings (this is where the whiskey comes in handy!).

Office 365 Community site:

http://community.office365.com/en-us/forums/default.aspx

Learning PowerShell for Office 365:

Simply put, you’re going to use PowerShell for automation and management.

Many of the administrative tasks can be performed through the admin center UI, some tasks are difficult to do without PowerShell and some tasks can be performed only with PowerShell.

Get to know and use the PowerShell ISE. It reduces the complexity of PowerShell: basically, you don’t have to memorize every single command, because the ISE is pretty smart about completing them for you.

Pro tip: ALWAYS run as admin

It is a good idea to have a test tenant with a few users so you can test your PowerShell scripts. Alternatively, you can use your production tenant with test users. In both scenarios, the test users most likely will have to be assigned Office 365 licenses, at least during script testing. Microsoft does not provide free test tenants or free test user licenses.


Real-World Challenges (that I have seen):

Not understanding licensing or really not being ready to push users to the cloud because your legacy AD needs some love.  Take some time to review for stale accounts and clean them up before you migrate – it will save some pain on the other side.

QoS for Skype for Business: packet loss can really impact voice meetings, so make sure you’re aware of and reviewing your organization’s QoS. Really, this isn’t just a review step for S4B, but this is one area that’s really not going to play nice if you aren’t prepared properly.

UPN – corp.amicasto.com vs. amicasto.com

Perficient has a really good blog post about the topic.

Not understanding the design/implementation of your legacy environment: if you want a seamless user experience, you need to understand how and why things are set up the way they are in your legacy environment, from SharePoint layout and permissions to user vs. equipment mailboxes in Exchange. Some things you did in your legacy environment are now charged as a per-user license in your new environment.

Not testing, either with a test tenant or with test users in production: you need to understand the impact of your changes!

Understand that in Exchange, some legacy features/resources won’t be available in the cloud.  So if a user connects to another mailbox or resource, it also needs to be available in the cloud.  We saw this with Public Folders and equipment mailboxes that were setup as user mailboxes.

Upgrade your 2012 R2 SP1 ConfigMgr environment to 1602 #LikeABoss

Yesterday I went from CM 2012 R2 SP1 CU whatever to CM 1602.


It’s a really simple process, but if you haven’t done any kind of CM site upgrade before, maybe you feel a bit overwhelmed. To get started you need to do two things. The first is to verify you have a backup. If you don’t know how to do this, check out Steve Thompson’s blog.

Next, go to your VLSC and download the required media. (Note: I was already running a fully patched version of SQL Server 2014, so I didn’t need to download that media, and I won’t be covering it in this post.)

After the download completes and you’re certain you have a backup of your site, I’d make sure the server that hosts your site is fully patched so that pending reboots don’t break the upgrade.


When you’re back up and running, mount the ISO and launch splash.hta which will start the application to perform the upgrade.

You’ll be greeted with this page that defaults to the upgrade so you can leave it as-is.

And you’ll need to accept three sets of EULAs before you can continue.

Now, just like in your production version of 2012, you have prereqs to download. If you’ve already done so, here’s where you tell the wizard where to find them for the install. I prefer to keep anything that’s not the OS on my E:\ drive.

And if you did specify a path to download (aka you didn’t download the prereqs beforehand), the app will then initiate the download as soon as you click next (and it’s really quick too!).

When the download completes you can add language support.  While you  can add languages after the fact, if you plan to add support for anything other than the default, do it now please :).


You’ll then configure service connection point and select (the only option) setup type.  If you choose not to connect the service now, you’ll have to do it after the fact.  So unless you have a really good reason not to, just connect now.

Next comes the prerequisite check for the upgrade.  You can ignore the warnings if you want, but you have to remediate all failures to be able to continue.  As you can see here, I needed to install USMT as well as remove Distribution Point role (the only role installed on that server – which is how I knew what to do 🙂 ) from the server that sat on the same cluster as my primary site.

You’ll click through a few more steps and then the upgrade starts.  You can watch what’s going on in the ConfigMgrSetup log on C:\ by opening it in CMTrace.

Go ahead and take a coffee break (I recommend this) because it will take a bit to complete.  When it’s done you can close the app.

Now comes the fun part: getting to 1602. I, like an idiot, had left the console open during the upgrade and saw in the setup log that the new console failed to install. Even if I hadn’t seen it, I was blocked with an error message that told me I couldn’t connect to my site. Before worrying about permissions, I decided to reinstall the console. If this happens to you, you can easily reinstall the console by navigating to your ISO, going to SMSSETUP\BIN\I386 and launching consolesetup.exe.

With the console open, go to Administration – Overview – Cloud Services – Updates and Servicing.  (As of today) You’ll see the upgrade for 1602.  Right click it and first run the prerequisite check and then finally right click again to install it.

Note:  You can choose to run against a non-production collection if you have such a thing 🙂 or you can go ahead straight to production.  Since I’m my own boss, I don’t have much of a reason to pick a collection to test against.

And when it’s finished you’ll need a new version of the console again.  This time, clicking Ok caused the console to upgrade without any manual work for me.

If you didn’t already have automatic client upgrades turned on, I really think you should. I say this because I had it turned on and configured to what works for my environment as far as the number of days to install the client. It’s great because the new client package was already distributed for me and I can see that some of my endpoints already have the new client. To turn it on, go to Administration – Overview – Site Configuration – Sites, open Hierarchy Settings (on the ribbon) and tick the box to allow the auto upgrade.

And finally you’ll want to check to make sure the client package has been distributed (and if it hasn’t you’ll need to do so) by going to  Software Library – Application Management – Packages.  While you’re in there, check on your boot images too by going to the Operating Systems node in Software Library – they get updated during the upgrade and therefore should be replaced on all your distribution points too.

Depending on the complexity of your environment or if you want to add or remove roles/features you’ll have more work to do.  Of course if you need help, you can always ping me on Twitter.