If a Second User Profile Gets Created, Fix It


Occasionally, Windows will create a secondary profile with the naming convention Username.Computername. Sometimes this has to do with user temp profiles; other times, workgroup/domain issues either corrupt the original profile or make it appear corrupted to Windows. Error: User Profile Service failed the logon

Let’s say you don’t want that; how do you fix it? Assuming your regular user profile works, you can just change the user profile path specified in the registry under the ProfileList key. By doing this, you’re telling Windows not to use the newly created profile and to go back to the original one. In theory, you could also rename the Username.Computername profile to just Username (logged in as Administrator) and make the ProfileList entry point to C:\Users\Username.

@ECHO OFF
setlocal enableextensions enabledelayedexpansion
set UN=%username%

:: LOOKS UP THE SID FOR THE USER; SKIPS THE "SID" HEADER LINE OF THE WMIC OUTPUT
for /f "delims= " %%i in ('"wmic path win32_useraccount where name='%UN%' get sid"') do (
    if not "%%i"=="SID" (
        set mySID=%%i
        goto :SID_END
    )
)

:SID_END

:: SETS THE REG KEY TO SCAN
set REGKEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%mySID%

:: CHECKS REG KEY TO SEE IF USER TEMP PROFILE EXISTS - SINGLE PASS
:: PROFILEIMAGEPATH IS A REG_EXPAND_SZ VALUE, SO THE TYPE IS KEPT WHEN REWRITING IT
FOR /F "tokens=3" %%j IN ('C:\Windows\System32\REG.EXE QUERY "%REGKEY%" /v ProfileImagePath') DO (
    IF /I "%%j"=="C:\Users\%UN%.%computername%" (
        C:\Windows\System32\REG.EXE ADD "%REGKEY%" /v ProfileImagePath /t REG_EXPAND_SZ /d "C:\Users\%UN%" /f
    )
)

PAUSE

For a better, more usable routine, I will work on adding code to scan for .BAK in the registry – if .BAK exists, delete that whole key.
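The .BAK scan mentioned above, sketched as an added PowerShell example (not the author's script). It assumes Windows PowerShell 3.0 or later in an elevated session; the function name Get-ProfileListAudit and the backup file name are hypothetical. It exports the key first and only previews the deletion.

```powershell
# Added example: audit ProfileList before touching it. Nothing is deleted while -WhatIf is present.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListAudit {
    param([string]$Path = $profileList)

    Get-ChildItem -Path $Path | ForEach-Object {
        $keyName = $_.PSChildName
        $image   = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath `
                        -ErrorAction SilentlyContinue).ProfileImagePath
        $isBak   = $keyName -like '*.bak'
        [pscustomobject]@{
            Key              = $keyName
            IsBak            = $isBak
            # True when the same SID also exists without the .bak suffix
            HasLivePair      = $isBak -and (Test-Path (Join-Path $Path ($keyName -replace '\.bak$', '')))
            # Path ends in .COMPUTERNAME, i.e. the Username.Computername profile
            IsDotHost        = $image -like "*.$env:COMPUTERNAME"
            IsTempPath       = $image -like '*\TEMP*'
            PathExists       = [bool]($image -and (Test-Path -LiteralPath $image))
            ProfileImagePath = $image
        }
    }
}

# Export the whole key first so any later edit or delete can be rolled back.
$backup = Join-Path $env:TEMP ('ProfileList-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& "$env:SystemRoot\System32\reg.exe" export `
    'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' $backup /y | Out-Null

# Show only the entries that need a decision.
Get-ProfileListAudit |
    Where-Object { $_.IsBak -or $_.IsDotHost -or $_.IsTempPath -or -not $_.PathExists } |
    Format-Table Key, IsBak, HasLivePair, IsDotHost, IsTempPath, PathExists, ProfileImagePath -AutoSize

# Preview removal of the .bak keys; remove -WhatIf only after reviewing the table above.
Get-ProfileListAudit | Where-Object { $_.IsBak } | ForEach-Object {
    Remove-Item -Path (Join-Path $profileList $_.Key) -Recurse -WhatIf
}
```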

 

Update

If you still have problems, i.e. a temp profile continues to load, use robocopy to mirror the contents of the username.computername profile (or a simple copy/paste), change the path in the registry under ProfileList to the original profile, and reboot. Note that this has to be done under the Administrator profile.

 

Reference

https://support.microsoft.com/en-us/kb/947215
http://windows.microsoft.com/en-us/windows/fix-corrupted-user-profile#1TC=windows-7

Return SID via WMIC

This returns the SID of the specified username. Note that this could be either the currently logged-on user or a specific user. Used in tandem with a script that cycles through a list of usernames, it could be used to dynamically access the HKEY_USERS registry hive. For me specifically, I was using it for the ProfileList key in the registry.

@echo off

:: THE FIRST LINE OF WMIC OUTPUT IS THE "SID" HEADER; THE NEXT LINE IS THE VALUE
for /f "delims= " %%a in ('"wmic path win32_useraccount where name='%UserName%' get sid"') do (
    if not "%%a"=="SID" (
        set mySID=%%a
        goto :SID_END
    )
)

:SID_END
echo %mySID%

pause


Check Windows Activation


Run with cscript.exe

cscript script.vbs

' Connect to WMI on the local machine
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")

Set colItems = objWMIService.ExecQuery("Select * From SoftwareLicensingProduct")

bWinActivated = False

For Each objItem In colItems

	WScript.Echo objItem.Description
	WScript.Echo "License Status: " & objItem.LicenseStatus
	WScript.Echo objItem.GracePeriodRemaining
	WScript.Echo "KeyManagementServiceProductKeyID: " & objItem.KeyManagementServiceProductKeyID

	' LicenseStatus 1 = Licensed (0 = Unlicensed)
	If CInt(objItem.LicenseStatus) = 1 Then
		bWinActivated = True
		strActivationType = objItem.Description
		strKey = "ProductKey:" & objItem.ProductKeyID
	End If

Next

If bWinActivated = False Then MsgBox "Windows is not activated"

If bWinActivated = True Then
	MsgBox "Windows is activated using " & strActivationType & " key." & strKey
End If


Notes

slmgr /dli

Activating Windows 7

Method #1:

Begin by finding Command Prompt (type cmd into your Windows Search field), then open it as Administrator (right-click the Command Prompt shortcut and choose “Run As Administrator” if UAC is turned on). Type in the following command and hit Enter:

C:\Windows\System32\cscript slmgr.vbs -skms your.kms.server:1688

You only need to run this command once since it saves the server you point to. Windows waits about 3 days after you install it before it will even try to activate.

You can force it to attempt an immediate activation by opening an Administrator command prompt again and entering:

C:\Windows\System32\cscript slmgr.vbs -rearm

After rearm, restart your computer. Now open an Administrator Command Prompt again and enter:

C:\Windows\System32\cscript slmgr.vbs -ato

One can also find out the current activation status by entering:

C:\Windows\System32\cscript slmgr.vbs -dli

 

Method #2:

If Method #1 does not work, please try the following. Begin by finding Command Prompt (type cmd into your Windows Search field), then open it as Administrator (right-click the Command Prompt shortcut and choose “Run As Administrator” if UAC is turned on). Type in the following command and hit Enter:

slmgr -rearm

After rearm, restart your computer. Now open an Administrator Command Prompt again and enter:

slmgr -ato

 

Method #3 (requires MAK):

If Method #1 or #2 doesn’t work, just register using the volume license key.

cscript //b c:\windows\system32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX

cscript //b c:\windows\system32\slmgr.vbs /ato


TPM and BitLocker passwords in Active Directory

The process of configuring and saving Windows 7 TPM and BitLocker passwords to Active Directory (2008 R2 and above) has multiple steps. First, Active Directory and Group Policy need to be configured, then the clients need to be set up, and then you need to know how to recover the passwords from Active Directory.

Active Directory & Group Policy Setup

The Add-TPMSelfWriteACE.vbs script needs to be modified to reflect the correct GUIDs listed in the “TPM and FVE scheme object GUID’s” section midway through the script. You can locate the GUIDs with ADSIEdit: go to Action –> Settings –> Select a well known Naming Context: Schema. From there, look at the properties of the particular items to find the objectGUID.

  •  After executing Add-TPMSelfWriteACE.vbs, the permission for the computers to write to the Active Directory attribute needs to be completed. This needs to be done before enabling TPM on any client or the passwords won’t save. Follow the information on this TechNet blog. Failure to do this will result in an “Access is Denied. Error 0x80070005” when initializing TPM.
  • Follow the original TechNet article for setting Group Policy.

 

Enable TPM and BitLocker

TPM
  1. Add the Computer to AD and make sure Group Policy is applied (gpupdate.exe & gpresult.exe /SCOPE Computer /R).  Current user needs admin rights for the entire process.
  2. tpm.msc (or Control Panel > BitLocker Drive Encryption > TPM Administration)
  3. Click either ‘Initialize TPM’ or ‘Change Owner Password’. Note: To change the password, you need the old one.
  4. If ‘Initialize’, shut down when prompted, then upon booting acknowledge/allow the BIOS notice regarding TPM. If ‘Change’, provide the current password file (if in AD, see Recovery below).
  5. Log in with the same account to continue the TPM process.  You can verify the TPM Owner Password is saved to AD by using the Recovery section below.

BitLocker via Command Line

  1. This command will begin the process for the C drive; repeat for other drives. Run it from an elevated prompt (run as Administrator): manage-bde -on C: -RecoveryPassword
  2. Reboot, then run the following to see the encryption process status: manage-bde -status


BitLocker via GUI

Control Panel > System and Security > BitLocker Drive Encryption

  1. Click ‘Turn on BitLocker’ for the desired drives and follow any prompts.


BitLocker and Updates to BIOS, Hardware, or Startup Files (e.g. OS Upgrades)

See: this article on suspending BitLocker protection before applying certain kinds of updates.  The process involves suspending protection and then resuming protection once updates are complete.


Recovery

TPM (reference: technet blog)

  1. Active Directory Users and Computers > enable ‘Advanced Features’ in View.
  2. Open Properties on the desired computer, then the ‘Attribute Editor’ tab.
  3. Locate the attribute ‘msTPM-OwnerInformation’ and note the value.
  4. Enter the following into a text editor (such as notepad), but replace the “…..” with the value found in AD.  Save the file with a .tpm extension at a location accessible by the computer.

<?xml version="1.0" encoding="UTF-8"?>
<ownerAuth>…..</ownerAuth>

BitLocker

  1. Open Active Directory Users and Computers
  2. Open Properties on the desired computer, then the BitLocker tab.
  3. The BitLocker Recovery Password is in the details section.
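
To confirm that escrow actually happened before relying on the Recovery steps above, the same information can be checked from a management workstation. This is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT), PowerShell 3.0 or later, and an account allowed to read these attributes. The function name Test-RecoveryEscrow and the computer name are hypothetical, and the script reports presence only, never the secrets themselves.

```powershell
# Added example: report whether TPM owner information and BitLocker recovery
# data exist in AD for a computer, without printing the secret values.
Import-Module ActiveDirectory

function Test-RecoveryEscrow {
    param([Parameter(Mandatory)][string]$ComputerName)

    # msTPM-OwnerInformation is the attribute named in the TPM recovery steps
    $computer = Get-ADComputer -Identity $ComputerName -Properties 'msTPM-OwnerInformation'

    # BitLocker recovery passwords are stored as child objects of the computer object
    $recovery = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties whenCreated)

    $newest = $recovery | Sort-Object whenCreated -Descending | Select-Object -First 1

    [pscustomobject]@{
        Computer             = $computer.Name
        TpmOwnerInfoEscrowed = [bool]$computer.'msTPM-OwnerInformation'
        RecoveryObjectCount  = $recovery.Count
        NewestRecovery       = $newest.whenCreated
        # The object name carries the escrow time and the key protector ID in braces;
        # compare the ID with "manage-bde -protectors -get C:" on the client.
        RecoveryObjectNames  = $recovery | ForEach-Object { $_.Name }
    }
}

# Constructed sample name; replace with a real computer account.
Test-RecoveryEscrow -ComputerName 'EXAMPLE-PC01' | Format-List
```

A computer that shows RecoveryObjectCount 0 after encryption has no recovery password in the directory, so check Group Policy and the write permission from the setup section before the key is needed.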


Turn Off TPM

To turn off the TPM
1. Click Start, click All Programs, click Accessories, and then click Run.

2. Type tpm.msc in the Open box, and then press ENTER. The TPM Management console is displayed.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. For more information, see Additional resources at the end of this document.

4. In the Actions pane, click Turn TPM Off.


Activating Office

Okay, there are multiple ways to activate Office. But when it comes to automating the process, a layered approach may be your best bet.

Method 1 – VBS

C:\Windows\System32\cscript.exe "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /inpkey:xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

C:\Windows\System32\cscript.exe "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /act

Method 2 – XML
Add the following to a setup.xml file


Method 3 – OCT

Using the Microsoft Configuration Tool

(1) Select Modify Setup properties in the left pane and then click the Add… button in the right pane.

(2) In the Add/Modify Property Value dialog, type AUTO_ACTIVATE in the Name field. Note that property names are case sensitive.

(3) In Value field, type 1, and then click OK.


Deleting Multiple Temp Profiles


 

@echo off
:: REMOVES EVERY FOLDER UNDER C:\Users WHOSE NAME STARTS WITH "Temp"
for /f "delims=" %%a in ('dir /b C:\Users\Temp*') do (
    echo Profile %%a will be deleted.
    rd /q /s "C:\Users\%%a"
)
pause

 

Notes

I created this to remove LANDesk ALS profiles

@echo off
setlocal enabledelayedexpansion

cls

echo Removing LANDesk ALS profiles...
:: GETS THE LOCAL ADMINISTRATOR SID, THEN TRIMS THE RID FROM THE END TO LEAVE THE MACHINE PART
for /f "tokens=1,2 delims==" %%s IN ('WMIC path win32_useraccount where name^='administrator' get sid /value ^| find /i "SID"') do set SID=%%t
set RootSID=%SID:~0,-5%
set RegPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

:: DELETES PROFILELIST KEYS FOR RIDS 1003-1009
set /a counter=3
:loop1
if %counter% lss 10 (
    reg delete "%regPath%\%RootSID%-100%counter%" /f /reg:64
    set /a counter+=1
    goto :loop1
)

:: DELETES PROFILELIST KEYS FOR RIDS 1010-1099
set /a counter=10
:loop2
if %counter% lss 100 (
    reg delete "%regPath%\%RootSID%-10%counter%" /f /reg:64
    set /a counter+=1
    goto :loop2
)

:: DELETES PROFILELIST KEYS FOR RIDS 1100-1998
set /a counter=100
:loop3
if %counter% lss 999 (
    reg delete "%regPath%\%RootSID%-1%counter%" /f /reg:64
    set /a counter+=1
    goto :loop3
)

Waiting for Multiple Processes to End


This is how you would wait for multiple processes to be completed before continuing.

:WAIT
cls
echo Waiting for applications to finish installing…
:: adds timing to the app installs
ping -n 30 127.0.0.1>nul
start /b /wait /LOW c:\windows\system32\TASKLIST.exe /FI "IMAGENAME eq app1.exe" | find /i "app1.exe" && (goto :WAIT)

start /b /wait /LOW c:\windows\system32\TASKLIST.exe /FI "IMAGENAME eq setup1.exe" | find /i "setup1.exe" && (goto :WAIT)

start /b /wait /LOW c:\windows\system32\TASKLIST.exe /FI "IMAGENAME eq cmd.exe" | find /i "cmd.exe" && (goto :WAIT)

start /b /wait /LOW c:\windows\system32\TASKLIST.exe /FI "IMAGENAME eq install.exe" | find /i "install.exe" && (goto :WAIT)

goto :NEXT

:NEXT
echo Do other stuff here
pause

Silently Uninstall Office 2010

This is how you would uninstall Office silently—this can be added to a scripted process.

The Command

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe" /uninstall ProPlus /config "desired_path_to_xml\SilentUninstall.xml"

My XML file

