Tuesday, 17 November 2020

Autopilot White Glove issue

Windows Autopilot white glove feature has been renamed to Windows Autopilot for pre-provisioned deployment. The pre-provisioning service allows partners or IT staff to pre-provision a fully configured and business-ready Windows 10 PC. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.

I recently encountered a problem with the process while deploying Windows 10 v1909. 


This UAC prompt for User OOBE Create Elevated Object Server appeared just after the Device setup phase. 


Clicking No caused a real problem and the process started again, this time getting stuck for hours trying to join the organization. This was never going to work. I could see in the MEM console that the device had joined Azure AD and enrolled in Intune and the apps had successfully installed.


Clicking Yes allowed the process to successfully finish.


The prompt is caused by a setting in the security baseline - Local Policies Security Options > Administrator elevation prompt behaviour. It was configured by default to Prompt for consent on the secure desktop. Changing that to Prompt for consent on non-Windows binaries did the trick and removed the prompt.

Thanks to my former colleague Dan Padgett for figuring that out.

Until next time.....


Sunday, 8 November 2020

Tip for capturing custom Windows 10 multi-session image for WVD

Azure gives us a nifty feature for capturing images from virtual machines. The high-level process is as follows:
  • Create the VM with Windows 10 multi-session
  • Install apps and customize
  • Snapshot the VM for future use
  • Sysprep and generalize the image
  • Capture the image
  • The image is then available in the gallery for creating WVD host pools

You'll find the capture feature in the Overview of the VM. Note that the capture renders the VM unusable and you can check a box to automatically delete the VM. If you want to revert you will have to create a new VM and apply the snapshot.

That all sounds great so what is the problem? The problem is actually a well known issue with capturing custom Windows 10 images. If you allow the reference computer (often a Hyper-V VM) to connect to the internet then the device can connect to the Windows 10 Store and update the built-in apps. This can cause Sysprep to fail. 


The easy way around that is to remove the NIC from the VM so that this cannot happen. 

However what can we do in Azure? You can't remove the NIC as you wouldn't be able to access the VM in that case. 


This is the Sysprep error I was seeing on my Azure reference computer. 

SYSPRP Failed to remove staged package Microsoft.PPIProjection_10.0.18362.449_neutral_neutral_cw5n1h2txyewy: 0x80070002.[gle=0x00000002]

I needed to prevent internet access but still maintain network access. DNS to the rescue. Normally a VM inherits DNS settings from the virtual network. However you can configure a custom DNS server for any VM. If you configure a DNS server that doesn't exist then the VM will not be able to access the internet but you still retain network access.

Click on the network interface for the VM.
 

You'll find that in the Networking blade.


Configure the dummy DNS server. Remember you have to be quick. Do this as soon as the VM is created. This worked for me and I was able to successfully syprep and capture the image. 

I hope this helps. Until next time........