Dell...The 80's / Win 10

Context -
We had been testing Windows 10 for a while (yes we were late to the game) and this was probably a concerted effort (Dell / MS) to force companies into the Windows 10 era.

posted Apr 3, 2017, 3:17 PM 

Yes, it's that time again.  New hardware, new problems (LOL).  This round of hardware will be utilizing the Kaby Lake processor (https://en.wikipedia.org/wiki/Kaby_Lake).  Kaby Lake is the first Intel platform to lack official driver support for versions of Windows older than Windows 10.  Take a moment to read that again and let it soak in.  This particular architecture forces us into the world of Windows 10.  For testing purposes, FIT is allowed to install Windows 10 on hardware other than Kaby Lake (let's limit this to our Dell lineage if possible).  Initially, Windows 10 distribution to users will be limited to the new Kaby Lake chipsets.  Later on we will be incorporating re-images and/or upgrades.

We will be using ONE VERSION OF WINDOWS 10 (PRO) for notebooks and desktops (in the event you require a LANGUAGE PACK, the ENTERPRISE version will be made available).  If you would like to drill down deeper on Windows as a Service, check this out - https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview.  In addition, Windows 10 will be distributed in the 64-bit version only.  OK, moving on.  A few important things to note:

  • All systems will need to have the BIOS upgraded upon receipt.  Why doesn't Dell do this prior to shipping / during the build?  Good point, but I stopped asking silly questions long ago.

  • All systems will need to change the BIOS to use Legacy and not UEFI.

[Screenshot: Dell BIOS boot settings]

  • We will also need to disable Secure Boot.

    • Change the Advanced Boot Options to Enable Legacy Option ROMs.

[Screenshot: Enable Legacy Option ROMs]

    • Navigate down to Secure Boot and select Disabled.

[Screenshot: Secure Boot set to Disabled]
  • Notebooks are shipped with TPM 2.0.  TPM 2.0 requires UEFI.  In order to support UEFI PXE we will need to make sure all of our WDS (typically GSI) servers are running Server 2012 so we can have an end-to-end solution similar to what we have now.  As you probably guessed... not gonna happen anytime soon.  Also, BitLocker will fail with TPM 2.0.  So what does this all mean?  This means we will need to downgrade to TPM 1.2; however, we will need to do a few preliminary tasks just to get started.

    • After you have upgraded to the latest BIOS, log in to the OEM (W10 OS that came pre-loaded) version of the operating system from the console, not over remote.  Open PowerShell elevated as shown below.

[Screenshot: Start menu, PowerShell run as administrator]

    • From within the PowerShell console type (set-executionpolicy -scope localmachine unrestricted) and hit Enter.  Type Y and hit Enter.

[Screenshot: Set-ExecutionPolicy prompt]

    • From within the PowerShell console type (disable-tpmautoprovisioning) and hit Enter.

[Screenshot: Disable-TpmAutoProvisioning output]

    • Restart the computer and enter the BIOS.  Under Security select TPM 2.0 Security.  Select the Clear check box.  Select Yes to clear any existing keys and reboot into the OS.

[Screenshot: BIOS TPM 2.0 Security page]

    • After logging into the OS, navigate to the following URL and download the TPM 1.2 Downgrade Utility (TPM Downgrade Utility 5.81.2.1).  Execute the program and watch for the following messages:

[Screenshot: TPM update utility messages]

    • After clicking OK on the last message, the system will automatically restart into the following screen.  When completed, another restart will follow.  After that you will have officially been downgraded to TPM 1.2.

[Screenshot: TPM update in progress]
[Screenshot: Windows screen after the downgrade]
  • Group Policy conflict - A workstation policy that changes registry permissions stopped the W10 Start menu and Edge from working.  A new policy was created that removes the conflict and applies only to W10 systems.
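The following is an added example, not part of the original post or a Dell tool, that performs a pre-flight check for the TPM downgrade steps above: it reports the TPM spec version, readiness, auto-provisioning state and Secure Boot state, and disables auto-provisioning only when the chip still reports 2.0. It assumes the TrustedPlatformModule and SecureBoot modules that ship with Windows 10 and an elevated console on the OEM image.

```powershell
# Added example (not from the original post): pre-flight check for the TPM
# downgrade procedure. Run from an elevated PowerShell console on the OEM
# Windows 10 image. Assumes the built-in TrustedPlatformModule and SecureBoot
# modules are present.
#Requires -RunAsAdministrator

# Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16" (TPM 2.0) or "1.2, 2, 3" (TPM 1.2).
$tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$specVersion = if ($tpmInfo) { ($tpmInfo.SpecVersion -split ',')[0].Trim() } else { 'none' }
$tpm = Get-Tpm

# Confirm-SecureBootUEFI only works under UEFI; it throws on a Legacy/CSM boot,
# which is what the BIOS steps above leave us with.
try   { $secureBoot = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled' } }
catch { $secureBoot = 'Not available (Legacy BIOS boot)' }

[pscustomobject]@{
    TpmPresent       = $tpm.TpmPresent
    TpmReady         = $tpm.TpmReady
    TpmSpecVersion   = $specVersion
    AutoProvisioning = $tpm.AutoProvisioning   # Enabled / Disabled / DisabledForNextBoot
    SecureBoot       = $secureBoot
} | Format-List

if ($specVersion -eq '2.0' -and $tpm.AutoProvisioning -ne 'Disabled') {
    # Stops Windows from automatically re-taking ownership of the TPM after the
    # BIOS clear, which would leave the chip owned before the downgrade utility runs.
    Disable-TpmAutoProvisioning | Out-Null
    Write-Host 'TPM auto-provisioning disabled. Reboot, clear the TPM in the BIOS, then run the Dell downgrade utility.'
}
elseif ($specVersion -eq '1.2') {
    Write-Host 'TPM already reports spec 1.2; the downgrade is not needed on this system.'
}
```

Run it again after the final reboot: TpmSpecVersion should read 1.2 before the system is handed to imaging.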

FAQ

Q-During the UDI wizard when my credentials are required; why are they not accepted?

A-This is due to the requirement of an FQDN for the domain, such as what is shown below.

[Screenshot: UDI wizard credentials with FQDN domain]

Q-Does Bitlocker operate the same as Windows 7?

A-There are a few differences.  Pre-provisioning is enabled.  This means that when you pick the Enterprise version (notebooks only), BitLocker encryption is applied automatically and a PIN is assigned before you ever log in.  The graphic below is a representation.

[Screenshot: BitLocker pre-provisioning]

You will need to change the PIN, or ensure that the user does.

Q-I am using the Enterprise version and I never get the latest feature updates.  Why?

A-The Enterprise version we are using (2015 LTSB) is not entitled to receive any feature updates; only security and quality updates through the lifespan of the OS.

Q-I have a system that ignores the power settings and will sleep after 2 minutes or so of inactivity.  What to do?

A-
1. Click on the Windows icon.
2. Type regedit.
3. Right-click on the regedit icon and click Run as administrator.
4. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0
5. Double-click on Attributes.
6. Enter the number 2.
7. Go to Advanced power settings (click on the Windows button, type power options, click on Power Options, in the selected plan click on Change plan settings, then click on Change advanced power settings).
8. Click on Change settings that are currently unavailable.
9. Click Sleep, then System unattended sleep timeout, then change these settings from 2 minutes to 20, for example.
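The same nine steps as a script, added here as an example and not part of the original answer. It uses the two GUIDs from the registry path above and does steps 7 to 9 with powercfg instead of the Control Panel; the 20-minute value is the example figure from step 9 and can be changed.

```powershell
# Added example (not from the original post): scripts the unattended sleep
# timeout fix. Run from an elevated PowerShell console. The GUIDs are the ones
# from the registry path in the answer; powercfg takes the timeout in seconds.
#Requires -RunAsAdministrator

$subSleep   = '238C9FA8-0AAD-41ED-83F4-97BE242C8F20'   # Sleep sub-group
$unattended = '7bc4a2f9-d8fc-4469-b07b-33eb785aaca0'   # System unattended sleep timeout
$minutes    = 20                                        # value from step 9

# Steps 4-6: Attributes=2 unhides the setting in Advanced power settings.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\$subSleep\$unattended"
Set-ItemProperty -Path $regPath -Name Attributes -Value 2 -Type DWord

# Steps 7-9 via powercfg: set the timeout for plugged-in (AC) and battery (DC)
# on the active plan, then re-apply the plan so the change takes effect.
$seconds = $minutes * 60
powercfg /setacvalueindex SCHEME_CURRENT $subSleep $unattended $seconds
powercfg /setdcvalueindex SCHEME_CURRENT $subSleep $unattended $seconds
powercfg /setactive SCHEME_CURRENT

# Show the resulting AC/DC values (printed in hex seconds) to confirm the change.
powercfg /query SCHEME_CURRENT $subSleep $unattended
```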

Q-I am getting the following error: "An error occurred while starting the task sequence (0x80070032)"

A-This is the good old diskpart fix we have applied before and it remains applicable today - Disk Part Fix (submitted by Michael Castelo).

Q - Is there any TPM guidance from Dell regarding errors and/or issues when downgrading?

A - Please reference the following link - TPM Firmware Update Issues
