Aug 142022
 
HP Printer on VDI

When it comes to troubleshooting login times with non-persistent VDI (VMware Horizon Instant Clones), I often find delays associated with printer drivers not being included in the golden image. In this post, I’m going to show you how to add a printer driver to an Instant Clone golden image!

Printing with non-persistent VDI and Instant Clones

In most environments, printers will be mapped for users during logon. If a printer is mapped or added and the driver is not added to the golden image, it will usually be retrieved from the print server and installed, adding to the login process and ultimately leading to a delay.

Due of the nature of non-persistent VDI and Instant Clones, every time the user goes to login and get’s a new VM, the driver will then be downloaded and installed each of these times, creating a redundant process wasting time and network bandwidth.

To avoid this, we need to inject the required printer drivers in to the golden image. You can add numerous drivers and should include all the drivers that any and all the users are expecting to use.

An important consideration: Try using Universal Print Drivers as much as possible. Universal Printer Drivers often support numerous different printers, which allows you to install one driver to support many different printers from the same vendor.

How to add a printer driver to an instant clone golden image

Below, I’ll show you how to inject a driver in to the Instant Clone golden image. Note that this doesn’t actually add a printer, but only installs the printer driver in to the Windows operating system so it is available for a printer to be configured and/or mapped.

Let’s get started! In this example we’ll add the HP Universal Driver. These instructions work on both Windows 10 and Windows 11 (as well as Windows Server operating systems):

  1. Click Start, type in “Print Management” and open the “Print Management”. You can also click Start, Run, and type “printmanagement.msc”.
    Launch Print Management
  2. On the left hand side, expand “Print Servers”, then expand your computer name, and select “Drivers”.
    Print Management Drivers
  3. Right click on “Drivers” and select “Add Driver”.
    Print Management Add Driver
  4. When the “Welcome to the Add Printer Driver Wizard” opens, click Next.
    Add Printer Driver Wizard
  5. Leave the default for the architecture. It should default to the architecture of the golden image.
  6. When you are at the “Printer Driver Selection” stage, click on “Have Disk”.
    Print Management Add Printer Driver Location
  7. Browse to the location of your printer driver. In this example, we navigate to the extracted HP Universal Print Driver.
    Browse Printer Driver Location
  8. Select the driver you want to install.
    VDI Select Printer Driver to Install
  9. Click on Finish to complete the driver installation.
    Finish installing Instant Clone Printer Driver

The driver you installed should now appear in the list as it has been installed in to the operating system and is now available should a user add a printer, or have a printer automatically mapped.

Screenshot of Printer Driver installed on non-persistent VDI Instant Clone golden image
Printer Driver installed on Non-Persistent Instance Clone Golden Image

Now seal, snap, and deploy your image, and you’re good to go!

Aug 132022
 
Azure AD

Many of you may be not aware of the Azure AD Connect 1.x End of Life on August 31st, 2022. What this means is that as of August 31st, 2022 (later this month), you’ll no longer be able to use Azure AD Connect 1.4 or Azure AD Connect 1.6 to sync your on-premise Active Directory to Azure AD.

It’s time to plan your upgrade and/or migration!

This is catching a lot of System Administrators by surprise. In quite a few environments, Azure AD connect was implemented on older servers that haven’t been touched (except for Windows Updates) in the years that they’ve been running, because Azure AD Connect “just works”.

Azure AD Connect End of Life

Azure AD Connect has to major releases that are being used right now, being 1.x and 2.x.

Windows Server 2022 Logo

Version 1.x which is the release going end of life is the first release, generally seen installed on older Windows Server 2012 R2 systems (or even earlier versions).

Version 2.x which is the version you *should* be running, does not support Windows Server 2012. Azure AD Connect 2.x can only be deployed on Windows Server 2016 or higher.

Click here for more information on the Azure AD Connect: Version release history.

Azure AD Connect Upgrade and Migration

For a lot of you, there is no easy in-place upgrade unless you have 1.x installed on Windows Server 2016 or higher. If you are running 1.x on Server 2016 or higher, you can simply do an in-place upgrade!

If you’re running Windows Server 2012 R2 or earlier, because 2.x requires Server 2016 or higher, you will need to migrate to another system running a newer version of Windows Server.

However, the process to migrate to a newer server is simpler and cleaner than most would suspect. I highly recommend reviewing all the Microsoft documentation (see below), but a simplified overview of the process is as follows:

  1. Deploy new Windows Server (version 2016 or higher)
  2. Export Configuration (JSON file) from old Azure AD Connect 1.x server
  3. Install the latest version of Azure AD Connect 2.x on new server, load configuration file and place in staging mode.
  4. Enable Staging mode on old server (this stops syncing of old server)
  5. Disable Staging mode on new server (this starts syncing of new server)
  6. Decommission old server (uninstall Azure AD Connect, unjoin from domain)

I highly recommend reviewing Microsoft’s Azure AD Connect: Upgrade from a previous version to the latest for the full process, as well as Microsoft’s Import and export Azure AD Connect configuration settings.

As always, I highly recommend having an “Alternative Admin” account on your Azure AD. If you lose the ability to sync or authenticate against Azure AD, you’ll need a local Azure AD admin account to connect and manage and re-establish the synchronization.

Aug 092022
 
A Lenovo Thinkpad X13s on desk powered on with Red Lenovo logo

I purchased the new Lenovo X13s Windows on ARM laptop, and wanted to share my first impressions with the device. I plan on creating a full review in a later post, however I wanted to provide some insight on my initial first impressions, as these can be a game changer or deal breaker for most people considering purchasing this laptop.

I’m going to break this blog post up in to a few key sections that were the most important, and most noticeable when first getting my hands on this device.

A Lenovo Thinkpad X13s laptop on counter with screen open.
Lenovo Thinkpad X13s

I’ll be limiting this post to the first impressions as much as possible saving the rest for the full review.

Pre-purchase expectations and initial thoughts

With lots of travel approaching, and with an aging laptop (Lenovo X1 Carbon Gen-2013), I needed to purchase a new laptop that I could use that would fit my requirements:

  • WWAN (Preferably 5G)
  • Good Battery Life
  • Good Performance
  • Stylish
  • Application Use
    • VDI – VMware Horizon Client
    • Microsoft Office
    • IT Applications (Putty, WinSCP, RDP)
    • Microsoft Teams
    • Zoom

You can see that my usage is similar to the business road warrior professional, with an IT add-on. I’m usually always connected to a VDI session, and also spend 50-100% of the day on Zoom or Microsoft Teams meetings.

With full knowledge about ARM architecture, and the new laptops and devices that have been released, I decided to take a big risk and try one of the new Windows on ARM laptops, specially the Lenovo X13s.

ARM laptops generally provide great performance, really good battery life, and an “always on” ready to go environment.

Specifications

I’ll be saving the tech spec deep dive for the full review, however I wanted to provide some basic information on the specifications of the model I purchased.

Lenovo X13s Box shot
Lenovo X13s in Box
  • Part Number: 21BX0008US
  • CPU: Snapdragon® 8cx Gen 3 Compute Platform (3.00 GHz up to 3.00 GHz)
  • RAM: 16 GB LPDDR4X 4266MHz (Soldered)
  • Disk: 1 TB PCIe SSD Gen 4
  • WWAN: Qualcomm® Snapdragon™ X55 5G Sub 6
  • Display: 13.3″ WUXGA (1920 x 1200) IPS, anti-glare, touchscreen, 300 nits

I specifically wanted a large SSD, lots of RAM, and definitely the 5G WWAN modem built in. I purchased the highest configured model without going custom (to take advantage of special pricing and promotions).

First Impressions

Design

Receiving the laptop, the first things that really stick out are the size, texture (quality of materials), thinness, and no fan ports. It’s a very beautifully designed laptop.

Lenovo X13s

While it is smaller than I expected, it does not feel cheap. The materials used with this laptop give it the same quality and feel as the X1 Carbon.

Physical Size

For whatever reasons, I was expecting something the same size as my original X1 Carbon, however the X13s is thinner and has a slightly smaller width and height in comparison.

Originally I thought this was going to be a problem, but after using the laptop, I’m absolutely in love with the size of this. As far as portability and usability, based on first impressions, this thing has both!

Keyboard

Surprisngly, because of the smaller size of the laptop, I’ve actually found is very easy to type quickly. I’ve noticed that on all the of laptops I’ve owned, as well as desktop keyboards, I can type the fasted on the X13s, because of the size of the keyboard as well as the layout and feel.

Keystrokes feel and sounds amazing, with a perfectly built keyboard. I honestly have no complaints…

Display

The display is absolutely beautiful. Even though I thought there is an option for a 400-knit display, my model has the 300-knit because I wanted the touchscreen.

Visibility in my apartment with all the windows open on a sunny day, I can see everything crisply on this display.

The only thing I noticed is that when viewing black/gray scale content (most of my UI and apps are in dark mode), it looks like the backlight dims and sometimes text becomes faded. You can still see everything fine, however this causes for an odd effect when the screen content changes to something with white or color.

To fix this, uncheck “Help improved battery by optimizing the content shown and brightness” in settings:

Display auto-dimming for battery

After unchecking this option, everything is perfect!

Battery

The battery on this unit is absolutely blowing my mind. In 4 days of usage, I’ve never used a laptop that can hold up to this and barely use any battery.

Comparing this to my old X1 in 4 days of usage, I probably would have had to charge it 3-4 times. The X13s just keeps going and going and going.

Very impressed with this, as it’s going to help with travel and staying connected on the go.

Speakers and Sound

The sound is fantastic, and playing music sounds great. The laptop includes a sound system enhanced with Dolby.

I’m not much of an audiophile, but I have to say I was impressed with the volume and quality of audio that comes from the laptop.

Termperature

This laptop has no fans or air ducts. One would think this would make up for a laptop that runs up hot, but I have to say I haven’t really noticed any hot temperatures except for when I first booted it up and did Windows Updates, Lenovo Updates, Microsoft Office installer, and a bunch of other things.

Even under extremely heavy load during the installs, the heat generated was actually less than what I would have expected, or experienced with my old Lenovo X1 Carbon.

Windows 11 for ARM64 (Windows on ARM)

For the most part, if you didn’t understand what Windows on ARM was, processor architectures, or the difference between this laptop and others, you’d notice absolutely nothing different from a normal laptop (except maybe if you were gaming).

I have to say that Microsoft knocked it out of the park with the development of Windows 11 on ARM, and it’s definitely 100% ready for primetime use, both for regular users as well as enterprise/business users.

The one thing I can’t comment on is gaming. While I haven’t done any testing (as I don’t game much), there may be additional considerations as far as stability and performance, or even capabilities of gaming.

Applications

When it comes to applications, while the X13s does support x86 and x64 emulation, you should always try to run native ARM/ARM64 applications. Running applications native to the architecture will provide the best performance as well as battery life.

After getting going, I noticed the following applications had native ARM64 support:

  • Microsoft Office
  • Microsoft Teams
  • Zoom
  • Putty
  • Edge (built off Chromium)

I also loaded numerous applications that are x86/x64 and emulated:

  • VMware Horizon Client
  • Chrome
  • WinSCP

All the above applications, both ARM and x86/x64 run fantastic without any problems. I was concerned that the whole emulation error would be a mess but I’ve seriously had no problems.

Performance

I can’t say enough how snappy Windows 11 on ARM and the X13s is. I never thought I’d say it, but this is the fastest performing Windows 11 system I’ve used when it comes to responsiveness of the OS and applications.

Connectivity

The built-in 5G connectivity was super easy to setup. The laptop can use an eSIM or traditional physical SIM. I had the experience of using both at different points (because of issues with my cell phone provider).

The eSIM was super easy to setup and you can manage multiple different profiles. I simply purchased an eSIM, and scanned the QR code with the webcam.

When I had to switch to the physical SIM (because my provider doesn’t support 5G with eSIMs), I simply popped the SIM tray and install the card.

It’s very easy to not only switch between eSIM profiles, but also switch between the eSIM and normal SIM. This is great if you’re travelling to other countries as you can easily switch between your local providers eSIM, and install a foreign SIM to use local data.

You speed will vary depending on provider, but I was able to achieve full speed that was expected my provider, and I was pleasantly surprised with better than expected low latencies, which is great for VDI which I use regularly.

Always on

Because of the ARM processor, Windows is “always on”. There’s no resume from suspend time, just like your ARM based cell/mobile phone.

The laptop is virtually always on and ready to go when I need to work.

Overall First Impressions

Overall, my first impressions with this laptop have been fantastic and this laptop is exceeding my best expectations. Windows 11 on ARM is definitely a serious contender when it comes to choosing the right laptop/notebook.

Lenovo X13s Powered On

The OS is snappy, everything works the way you’d expect on Windows, and so far I’m very happy with the investment I made when purchasing this laptop. I can’t wait to do some travelling with this to start using it to it’s full potential.

Add in 5G always-on connectivity, and it feels like this thing is unstoppable…

Stay tuned for the full review!

Jul 172022
 
VMware vSphere ESXi with vTPM from NKP

It’s been coming for a while: The requirement to deploy VMs with a TPM module… Today I’ll be showing you the easiest and quickest way to create and deploy Virtual Machines with vTPM on VMware vSphere ESXi!

As most of you know, Windows 11 has a requirement for Secureboot as well as a TPM module. It’s with no doubt that we’ll also possibly see this requirement with future Microsoft Windows Server operating systems.

While users struggle to deploy TPM modules on their own workstations to be eligible for the Windows 11 upgrade, ESXi administrators are also struggling with deploying Virtual TPM modules, or vTPM modules on their virtualized infrastructure.

What is a TPM Module?

TPM stands for Trusted Platform Module. A Trusted Platform Module, is a piece of hardware (or chip) inside or outside of your computer that provides secured computing features to the computer, system, or server that it’s attached to.

This TPM modules provides things like a random number generator, storage of encryption keys and cryptographic information, as well as aiding in secure authentication of the host system.

In a virtualization environment, we need to emulate this physical device with a Virtual TPM module, or vTPM.

What is a Virtual TPM (vTPM) Module?

A vTPM module is a virtualized software instance of a traditional physical TPM module. A vTPM can be attached to Virtual Machines and provide the same features and functionality that a physical TPM module would provide to a physical system.

vTPM modules can be can be deployed with VMware vSphere ESXi, and can be used to deploy Windows 11 on ESXi.

Deployment of vTPM modules, require a Key Provider on the vCenter Server.

For more information on vTPM modules, see VMware’s “Virtual Trust Platform Module Overview” documentation.

Deploying vTPM (Virtual TPM Modules) on VMware vSphere ESXi

In order to deploy vTPM modules (and VM encryption, vSAN Encryption) on VMware vSphere ESXi, you need to configure a Key Provider on your vCenter Server.

Traditionally, this would be accomplished with a Standard Key Provider utilizing a Key Management Server (KMS), however this required a 3rd party KMS server and is what I would consider a complex deployment.

VMware has made this easy as of vSphere 7 Update 2 (7U2), with the Native Key Provider (NKP) on the vCenter Server.

The Native Key Provider, allows you to easily deploy technologies such as vTPM modules, VM encryption, vSAN encryption, and the best part is, it’s all built in to vCenter Server.

Enabling VMware Native Key Provider (NKP)

To enable NKP across your vSphere infrastructure:

  1. Log on to your vCenter Server
  2. Select your vCenter Server from the Inventory List
  3. Select “Key Providers”
  4. Click on “Add”, and select “Add Native Key Provider”
  5. Give the new NKP a friendly name
  6. De-select “Use key provider only with TPM protected ESXi hosts” to allow your ESXi hosts without a TPM to be able to use the native key provider.

In order to activate your new native key provider, you need to click on “Backup” to make sure you have it backed up. Keep this backup in a safe place. After the backup is complete, you NKP will be active and usable by your ESXi hosts.

Screenshot of VMware vCenter Server with Native Key Provider (NKP) Configured
VMware vCenter with Native Key Provider (NKP) Configured

There’s a few additional things to note:

  • Your ESXi hosts do NOT require a physical TPM module in order to use the Native Key Provider
    • Just make sure you disable the checkbox “Use key provider only with TPM protected ESXi hosts”
  • NKP can be used to enable vTPM modules on all editions of vSphere
  • If your ESXi hosts have a TPM module, using the Native Key Provider with your hosts TPM modules can provide enhanced security
    • Onboard TPM module allows keys to be stored and used if the vCenter server goes offline
  • If you delete the Native Key Provider, you are also deleting all the keys stored with it.
    • Make sure you have it backed up
    • Make sure you don’t have any hosts/VMs using the NKP before deleting

You can now deploy vTPM modules to virtual machines in your VMware environment.

Jan 212022
 
sconfig Server Configuration menu

We’re all used to updating our Windows Server operating systems with the Windows Update GUI, but did you know that you can update your server using command prompt and “sconfig”?

The past few years I’ve been managing quite a few Windows Server Core Instances that as we all know, do not have a GUI. In order to update those instances, you need to run Windows Update using the command line, but this method actually also works on normal Windows Server instances with the GUI as well!

Windows Update from CLI (Command Prompt)

Please enjoy this video or read on for why and how!

Why?

Using a GUI is great, however sometimes it’s not needed, and sometimes it even causes problems if it looses the backend connection where it’s pulling the data from. I’ve seen this true on newer Windows operating systems where the Windows Update GUI stops updating and you just sit there thinking the updates are running, when they are actually all complete.

The GUI also creates additional overhead and clutter. If there was an easier alternative to perform this function, wouldn’t it just make sense?

On Windows Server instances that have a GUI, I find it way faster and more responsive to just open an elevated (Administrative) command prompt, and kick off Windows Updates from there.

How

You can use this method on all modern Windows Server versions:

  • Windows Server (with a GUI)
  • Windows Server Core (without a GUI)

This also works with Windows Server Update Services so you can use this method either connecting to Windows Update (Microsoft Update) or Windows Server Update Services (WSUS).

Now lets get started!

  1. Open an Administrative (elevated) command prompt
  2. Run “sconfig” to launch the “Server Configuration” application
    command prompt launch sconfig
  3. Select option “6” to “Download and Install Windows Updates”
    sconfig Server Configuration menu
  4. Choose “A” for all updates, or “R” for recommended updates, and a scan will start
  5. After the available updates are shown, choose “A” for all updates, “N” for no updates, or “S” for single update selection

After performing the above, the updates will download and install.

sconfig Windows Update running
“sconfig” Windows Update downloading and installing

I find it so much easier to use this method when updating many/multiple servers instead of the GUI. Once the updates are complete and you’re back at the “Server Configuration” application, you can use option “13” to restart Windows.

Oct 112021
 
Windows Server 2022 Logo

Today we’re going to discuss and deploy Active Directory Certificate Services on a Windows Server 2022 Server. Additionally, we’ll also be generating a domain certificate request inside of IIS and then assign the resultant certificate to a WSUS Server.

This video will demonstrate and explain the process of deploying a Windows Server 2022 Certification Authority with AD CS.

Check it out and feel free to leave a comment! Scroll down below for more information and details on the guide.

Windows Server 2022: Active Directory Certificate Services Discussion and Installation Guide

Who’s this guide for

This guide is perfect for a seasoned IT professional or a beginner who is looking at getting experience with Windows Server 2022.

What’s included in the video

In this guide I will walk you through the following:

  • Discussion
    • SSL Certificates (Host verification)
    • Internal Root Certification Authorities (Root CAs)
    • Internal Root CA vs Public Trusted Root CAs
    • HTTPS Scanning (Web Filtering) and SSL Certificates
    • Intermediate Certificate Authorities
    • Why ADCS?
    • AD CS Certificate Templates
    • Encryption
    • Certificate Issuance
  • Demonstration
    • Server Manager Role Installation
    • MMC Snap-in for Certificates (Local Computer)
      • Root CAs
    • Install Active Directory Certificate Services (AD CS)
      • Add Server Role
      • Root CA Trust Discussion
      • AD CS Installation on Domain Controller Installation
      • AD CS Prerequisites
      • Web Enrollment Discussion
      • AD CS and IIS Discussion
    • Install Internet Information Services (IIS) as pre-requisite
    • Configure Active Directory Certificate Services (AD CS)
      • Credentials
      • Role Configuration
      • Enterprise CA vs Standalone CA
      • Root CA vs Subordinate CA
      • Private Key Creation and Cryptographic options
      • Root CA Naming
      • Validity Period
    • Certification Authority MMC Usage
    • Root CA Replication to Domain (“gpupdate /force” and restart)
    • AD CS Certificate Templates Overview
      • Certificate Templates MMC
      • Duplicate and Customize Web Server Certificate Template
      • Enable Auto-Enrollment for Certificate Template
    • Use IIS to request certificate from Active Directory Certification Authority
      • Create Domain Certificate
    • Enable SSL on WSUS Server using Active Directory Certificate Services Certificate
      • Bind new certificate to IIS Web Server
      • Update GPO to reflect SSL URL and port number
      • Run “iisreset” on elevated command prompt
    • Demonstration Summary

What’s required

To get started you’ll need:

  • 1 x Server (Virtual Machine or Physical Server)
  • Microsoft Windows Server 2022 Licensing
  • A running Windows Server 2022 Instance (OSE)
  • A network router and/or firewall

Hardware/Software used in this demonstration

  • VMware vSphere
  • HPE DL360p Gen8 Server
  • Microsoft Windows Server 2022
  • pfSense Firewall
Oct 092021
 
Windows 11 Logo

When attempting to do a fresh install of Windows 11 using the ISO, you may receive the message “This PC can’t run Windows 11”. Additionally, “This PC doesn’t meet the minimum system requirements to install this version of Windows.”

Windows 11 has a new set of minimum system requirements and these include certain CPUs as well as a TPM 2.0 (Trusted Platform Module Version 2.0) chip, Secure Boot, and 8GB of RAM.

If you’re trying to do an upgrade instead of a fresh install, please see Windows 11 Upgrade – This PC doesn’t currently meet Windows 11 system requirements.

Below you’ll find an explanation of the problem, and two different methods to workaround it.

The Problem

You’ll see this message while performing a fresh install if your system does not meet the minimum requirements.

Windows 11 Fresh Install - This PC can't run Windows 11
Windows 11 Fresh Install – This PC can’t run Windows 11

Just like my previous post on upgrading to Windows 11, you’ll encounter this when attempting a fresh install because some pre-requisite checks are failing:

  • CPU is not supported
  • Windows 11 Installer cannot find a TPM 2.0 chip
  • Secure Boot is not enabled
  • EFI or UEFI is Required

One thing to note is that you may see these messages even if your system has a TPM 2.0 chip.

Most computers purchased in the last 6 years probably have a TPM 2 chip that just needs to be enabled via the system UEFI/EFI. If you boot to your UEFI, you can attempt to enable the TPM 2.0 chip.

It may already be enabled, however it may be configured to run at version 1.2. If this is the case, change it to version 2.0. You’ll also need to make sure you have “Secure boot” enabled.

If this doesn’t work, please see below for multiple workarounds.

The Fix

At this point in time, there are two different methods to workaround the minimum system requirements:

  1. Method 1 – Use Rufus to create a modified Windows 11 Installer from ISO and disable the TPM 2.0, Secure Boot, and 8GB of RAM requirement.
  2. Method 2 – Use native Windows 11 installer and ISO to modify registry during Windows Setup.

You can either either method, depending on which one you may find easier or more convenient.

Method 1 – Use Rufus to create a modified Windows 11 Installer from ISO and disable the TPM 2.0, Secure Boot, and 8GB of RAM requirement.

You can use a utility called “Rufus” (Reliable USB Formatting Utility, with Source) to convert the Windows 11 ISO in to a bottable USB key to install Windows.

Using the latest version of Rufus, you can modify the Windows 11 Setup installer to bypass the requirements for TPM 2.0, Secure Boot, and 8GB of RAM.

To use this method, you’ll need the following files:

Please enjoy this video demonstrating the process:

Windows 11 Fresh Install – TPM and Secure Boot Bypass for “This PC can’t run Windows 11”

To use this method as a workaround:

  1. Download Rufus and place in a folder
  2. Download Windows 11 ISO and place in a folder
  3. Insert USB key that is larger than the size of the Windows 11 ISO (larger than 5.5GB)
  4. Open Rufus
  5. Select your USB key under “Device”
  6. Under “Boot Selection”, click on “SELECT”
  7. Navigate to and select the Windows 11 ISO file
  8. Under “Image option”, choose “Extended Windows 11 Installation (no TPM/no Secure Boot/8GB- RAM”
  9. Click “Start”.
    PLEASE NOTE: This will erase and repartition your USB drive. All existing data on the USB drive will be deleted.
Rufus – Windows 11 Fresh Install TPM, Secure Boot, and RAM bypass

Now simply wait for the USB key to be created. It can take 30-90 minutes depending on the speed of your USB drive.

Once you have created the USB key, make sure your computer is configured to use UEFI and make sure you disable Secure Boot in the UEFI.

Simply boot from the USB Key your created above, and install Windows 11.

Method 2 – Use native Windows 11 installer and ISO to modify registry during Windows Setup.

Bypass the check for TPM 2.0

If you don’t have TPM 2.0 or it’s not working, you can disable the TPM 2.0 check on the Windows 11 installer. Please note, you still require TPM 1.2 for this bypass to function. This workaround only disables the requiremnt for TPM 2.0. You still need to have Secure Boot enabled, and you must have a TPM 1.2 chip.

To do this, boot from the Windows 10 ISO:

Windows 11 Installer
Windows 11 – Installer

When you see the above screen, press “SHIFT + F10” and a Windows Command Prompt should open.

From the command prompt, type “regedit” and press enter.

Windows 11 Installer with command prompt and Registry Editor "regedit"
Windows 11 Installer – Registry Editor “regedit”

Now we must create a registry key called “MoSetup” and a DWORD Value to disable the TPM and CPU check.

  1. Navigate to “HKEY_LOCAL_MACHINE\SYSTEM\Setup”
  2. Right click on “Setup”, select “New”, and choose “Key”, name it “MoSetup”
  3. Navigate to “MoSetup”
  4. On the right pane, right-click an empty space, select “New”, and select “DWORD (32-bit) Value”
  5. Name it: “AllowUpgradesWithUnsupportedTPMOrCPU” (without quotations)
  6. Set it to “1” (without quotations)

After performing the above, it should look like this.

Windows 11 Installer - MoSetup and AllowUpgradesWithUnsupportedTPMOrCPU
Windows 11 Installer – MoSetup and AllowUpgradesWithUnsupportedTPMOrCPU

Now simply close the Registry Editor, type “exit” to close out of the command prompt and continue with the Windows 11 Installer.

After performing the above, you should now be able to successfully perform a fresh install of Windows 11 with the TPM and CPU check disabled.

Oct 072021
 
Windows 11 Logo

When attempting to upgrade to Windows 11, you may receive the message “This PC doesn’t currently meet Windows 11 system requirements”.

Windows 11 has a new set of minimum system requirements and these include certain CPUs as well as a TPM 2.0 (Trusted Platform Module Version 2.0) chip.

I ran in to this issue on a Lenovo X1 Carbon as well as an HP Z240 Workstation. The Lenovo X1 Carbon does have a TPM 2 chip, however still would not install.

If you’re trying to a fresh installation instead of an upgrade, please see Windows 11 Fresh Install – This PC can’t run Windows 11 for instructions on performing a Fresh install with TPM and Secure Boot bypass.

The Problem

You’ll see this message if your system doesn’t meet the minimum requirements.

Windows 11 installer failing with "Windows 11 - This PC doesn't currently meet Windows 11 system requirements"
Windows 11 – This PC doesn’t currently meet Windows 11 system requirements

On most systems, you’ll see the following 2 prequisite checks fail:

  • “The processor isn’t supported for this version of Windows”
  • “The PC must support TPM 2.0.”

One thing to note is that you may see these messages even if your system has a TPM 2.0 chip.

You’ll also need to make sure your system has UEFI/EFI and has Secure Boot enabled.

The Fix

You have TPM 2.0 but can’t upgrade to Windows 11

Try to check and see if you have a TPM 2.0 chip. Most systems purchased in the last 6 years probably have a TPM 2 chip that just needs to be enabled via the system BIOS or UEFI.

If you boot to your BIOS/UEFI, you can attempt to enable the TPM 2.0 chip.

You may also already have it enabled, however it is configured to run at version 1.2. If this is the case, change it to version 2.0.

You’ll also need to make sure you have “Secure boot” enabled.

Bypass the check for TPM 2.0

If you don’t have TPM 2.0, you can disable the TPM 2.0 check on the Windows 11 installer. Please note, you still require TPM 1.2 for this bypass to function.

To do this, we must make a registry key.

  1. Start -> Run -> “regedit.exe” (without quotations)
  2. Navigate to “HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup”
  3. On the right pane, right-click an empty space, select “New”, and select “DWORD (32-bit) Value”
  4. Name it: “AllowUpgradesWithUnsupportedTPMOrCPU” (without quotations)
  5. Set it to “1” (without quotations)

After creating this, it should appear like so:

REG_DWORD: AllowUpgradesWithUnsupportedTPMOrCPU set to “1”

After setting this you should now be able re-launch the Windows 11 installer, and successfully install Windows 11. You’ll now notice the new message below:

Windows 11 – Bypass TPM and CPU Disclaimer

Simply “Accept” the warning and continue!

Please Note: Microsoft has warned that by using this TPM 2.0 bypass, you may run in to compatibility issues: “Your device might malfunction due to these compatibility or other issues. Devices that do not meet these system requirements will no longer be guaranteed to receive updates, including but not limited to security updates.”

You’ll see this disclaimer and warning on the Windows 11 installer after enabling the TPM 2.0 check bypass.

Additional Resources

Sep 252021
 
Windows Server 2022 Logo

Today, I will be showing you howto install, configure, and deploy Windows Server Update Services (WSUS) on Windows Server 2022. I’ll also show you how to use the WSUS MMC interface, approve/manage updates, and more!

This video will demonstrate the process of the WSUS role installation, post-installation tasks, first-time WSUS configuration wizard, and the WSUS MMC.

Check it out and feel free to leave a comment! Scroll down below for more information and details on the guide.

Who’s this guide for

This guide is perfect for a seasoned IT professional or a beginner who is looking at getting experience with Windows Server 2022.

What’s included in the video

In this guide I will walk you through the following:

  • Server Manager
    • Windows Server Update Services Role Installation
  • WSUS Considerations and Requirements
    • WID (Windows Internal Database)
    • SQL Express
    • GPO Group Policy Objects
    • WSUS Maintenance
    • Upstream and Downstream WSUS Servers
    • Bandwidth Optimization
  • WSUS Usage and Platform
    • WSUS Infrastructure Design
    • WSUS Synchronization Schedule
    • WSUS Language, Products, and Classifications selections
    • WSUS MMC Overview
    • “gpupdate /force” command usage
    • WSUS Update Approval
    • WSUS Reporting

Additional Information

Please see below (click to enlarge) for a WSUS GPO Configuration Example.

GPO Settings for WSUS Configuration
WSUS GPO Configuration Example

Please Note: This example contains configuration to automatically install updates. This example should only be used for workstations and not servers. Please use this example as a guide for your own study.

What’s required

To get started you’ll need:

  • 1 x Server (Virtual Machine or Physical Server)
  • Microsoft Windows Server 2022 Licensing
  • A running Windows Server 2022 Instance (OSE)
  • A network router and/or firewall

Hardware/Software used in this demonstration

  • VMware vSphere
  • HPE DL360p Gen8 Server
  • Microsoft Windows Server 2022
  • pfSense Firewall

Blog Posts mentioned in this video

Sep 192021
 
Windows Server 2022 Logo

Today we’re deploying a Windows Server 2022 member server and joining it to the domain we created in previous videos. I’ll also be explaining the difference between Domain Credentials and Local Credentials on member servers.

This video will demonstrate and explain the process of deploying a Windows Server 2022 member server, network configuration, DHCP vs Static IPs, and domain credentials vs local credentials.

Check it out and feel free to leave a comment! Scroll down below for more information and details on the guide.

Who’s this guide for

This guide is perfect for a seasoned IT professional or a beginner who is looking at getting experience with Windows Server 2022.

What’s included in the video

In this guide I will walk you through the following:

  • Document a new Server deployment
  • Configure Networking
  • Join Windows Server 2022 Server to domain as member server
  • Discussion on time importance with Active Directory and Domains
  • Discussion on Domain Credentials vs Local Credentials

What’s required

To get started you’ll need:

  • 1 x Server (Virtual Machine or Physical Server)
  • Microsoft Windows Server 2022 Licensing
  • A running Windows Server 2022 Instance (OSE)
  • A network router and/or firewall

Hardware/Software used in this demonstration

  • VMware vSphere
  • HPE DL360p Gen8 Server
  • Microsoft Windows Server 2022
  • pfSense Firewall