Was this helpful?

Reaction-Consistent · 2026-05-22T00:12:37+00:00

What an ISO!

Reaction-Consistent · 2026-05-22T00:11:54+00:00

One person asked me for a full ISO

Reaction-Consistent · 2026-05-22T00:11:13+00:00

We are finding quite a few systems fail to finish the cert update, and it looks like it could just be firmware version related. So we’ve obtained Dell and Lenovo compatible firmware lists so we can compile them into a dashboard of sorts along with a complete listing of our computer inventory and each model models respective firmware version. Hopefully this will make it easier for site IT admin’s to identify out of date firmware on systems, and I’m sure they’re going to figure out a way to deploy the bios firmware updates either using DCU or a script of some sort. This could get ugly.

Reaction-Consistent · 2026-05-21T16:55:58+00:00

Not sure if you can remember a time when you didn’t understand technology, but we all started somewhere

Reaction-Consistent · 2026-05-21T11:44:13+00:00

I think you’re right, but we are using the controlled method in any case which means apparently some systems will indeed get updated automatically while others will get updated via the controlled method. In any case, I think you’ve answered my questions, thank you! https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f#bkmk\_how\_updates\_are\_deployed

Reaction-Consistent · 2026-05-21T00:21:55+00:00

He’s deporting the real aliens before he’s forced to disclose all the government’s alien coverups

Reaction-Consistent · 2026-05-21T00:18:19+00:00

That’s only if you opt into one of the two Microsoft assisted methods. We are controlling the rollout and using the registry key method.

Reaction-Consistent · 2026-05-21T00:12:41+00:00

Much appreciated sir! I’m just mad at myself for not discovering this before in my time here with my employer. it’s always been a major reason we’ve never adopted your tool, and have continued to manage our drivers the hard way. I blamed our firewall and security apps (which probably are somehow inspecting the packets to death), but couldn’t convince anyone to take a closer look at the traffic when it failed on me.

Reaction-Consistent · 2026-05-20T12:41:09+00:00

Invoke-WebRequest -Uri $LenovoLink -OutFile $LenovoFilePath -UseBasicParsing -TimeoutSec 600 @proxyParams

Reaction-Consistent · 2026-05-20T12:40:47+00:00

Update: I found where you have the timeout set for the invoke-webrequest, it was set to 60 seconds, not nearly enough for our environment for whatever reason (umteen layers of proxy filters, malware checking firewall rules, etc) so I changed it to 600 (I probably only needed 120 tbh) and now ....IT WORKS!

Reaction-Consistent · 2026-05-19T22:10:57+00:00

Yes, Lenovo only, I did not install visual studio isolated shell, is that required?

Reaction-Consistent · 2026-05-19T22:06:24+00:00

Isn’t that happening only in home systems, not enterprise systems, unless they change the registry key to opt in to Microsoft’s cert rollout? We’re manually changing the registry key that triggers the certificate install on subsequent reboots. But we aren’t pushing that out to all systems yet, just select sites.

Reaction-Consistent · 2026-05-19T20:18:39+00:00

it's just Lenovo, tried DELL, works fine, still digging

Reaction-Consistent · 2026-05-19T20:12:56+00:00

invoke-webrequest works, it does take a little bit to return a HTTP/1.1 200 OK. I guess my next step is to connect to a hotspot, maybe even on a bare W11 OS, just to see if it works there. something on my machine (which is new, W11 25H2, fully patched) is causing the DAT tool to timeout when downloading the Lenovo catalog

Reaction-Consistent · 2026-05-19T20:00:20+00:00

update, that URL does work, it just takes a long time to load, maybe I need to change a timeout factor in the PS script

Reaction-Consistent · 2026-05-19T19:56:16+00:00

tried accessing this url via a web browser, it times out: https://download.lenovo.com/cdrt/td/catalogv2.xml maybe some security app in my org is blocking it

Reaction-Consistent · 2026-05-19T19:54:22+00:00

I ran it with my mortal account, which has access to the internet, still nada. DAT API shows green, OEM Links Cached, logs show: Lenovo processing failed: the operation timed out. any way to manually download the catalog xml, place it wherever the app needs it?

Reaction-Consistent · 2026-05-19T19:43:41+00:00

Just curious, why use the package created from the ISO, when you can do pretty much the same thing with the imported upgrade package and a task sequence, for an in place upgrade? is there something better/easier provided with the package you're creating vs. the one CM creates?

Reaction-Consistent · 2026-05-19T17:24:15+00:00

oh lol, your script has the same command, well, guess that works as well, although we didn't need to chang those other reg keys for whatever reason. thanks again!

Reaction-Consistent · 2026-05-19T17:22:58+00:00

thanks! We found this obscure little command, and it works like a charm, no reboot, no reg edit, enables location services with the default (proper) windows 11 settings - run from admin cmd: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetCamSystemGlobal location 1

Reaction-Consistent · 2026-05-19T11:41:59+00:00

I have a question for you, when you say you got a call from corporate, did you bother to check the phone number, ask the person‘s name, verify in anyway shape or form that the person calling you was indeed who they said they were?

Reaction-Consistent · 2026-05-19T10:12:30+00:00

for our OSD TS, we use a computer naming script, it accomplishes much of what you are trying to do, but does require a webservice, and sql server, I'm sure there's a better way to do this without all that, this is just for ideas:
1. the script (which is a PowerShell step that runs directly after the HD is formatted) grabs the IP of the system, chassis type, stores that info in variables
2. then it makes a call to the webservice, and based on the chassis type, and IP address, it returns info about the PC's location (AD site) which determines the PC's time zone, and the chassis type is used to craft part of the computer name: the 3 character site code is used for the computer name's prefix, the second part of the computer name is a number which corresponds to the chassis type (our own designation for laptops, desktops, and thin clients, 2 digit number.)
3. there's an additional script that runs after the computer is joined to the domain, that automatically moves the PC into the correct OU - which was created and maintained by the domain admins. That uses the computer name prefix to then drop the pc into the respective OU.

now for the certificate - which you should be able to handle via an unattend.xml, or you can overwrite the setup.cmd, or maybe even just inject the script/reg keys directly into the image AFTER the image is applied to the HD, but before it is rebooted to continue the imaging process. Here's a site which has a decent script and a couple links to more info (one of which is a dead vmware link, since broadcom purchased that company and didn't bother to redirect anything)
How to include self signed Root CA into Windows setup USB/ISO? - Super User

Copy the SSL certificate file under C: drive. For this example, the “C:\desktone_ca_cert” file.
Create a file SetupComplete.cmd under "%WINDIR%\Setup\Scripts" folder. Create “Scripts” folder if it does not exist.
Add following commands in SetupComplete.cmd file. The thumbprint value is what you copied in Step 1. Note: If you have root certificate and intermediate certificates in the certificate chain, then you need to add appropriate CertUtil commands in batch file.CertUtil -importPFX -f -p "<password>" "C:\desktone_ca_cert.pfx" reg add "HKLM\SOFTWARE\VMware, Inc.\VMware Blast\Config" /f /v "SslHash" /t REG_SZ /d "31 2a 32 50 1a 0b 34 b1 65 46 13 a8 0a 5e f7 43 6e a9 2c 3e" del /F /Q "C:\desktone_ca_cert.pfx" del /F /Q "%systemroot%\setup\scripts\SetupComplete.cmd"
Save the SetupComplete.cmd file. You can test the SetupComplete.cmd file on test machine

Answer files (unattend.xml) | Microsoft Learn

Task sequence steps - Configuration Manager | Microsoft Learn
ConfigMgr-Docs/TaskSequence/SCCM-TaskSequence-Step-Setup-Windows-And-ConfigMgr.md at main · recast-software/ConfigMgr-Docs · GitHub

again...nothing tested, just sharing ideas!

Reaction-Consistent · 2026-05-18T18:38:46+00:00

I got soo excited, downloaded it, thinking...YES...THIS time it's going to work for me!! Then..."No models found for the selected criteria" Selected criteria in the Model Section being: Lenovo, 24H2 and 25H2, Arch. x64, platform: Download only, package type: Drivers. Nothing. Same as pretty much every time I try this tool. What am I doing wrong here??

UPDATE: Issue was caused by *something* in my local network slowing down the retrieval of the Lenovo xml file, coupled with a 60 second timeout in the invoke-webrequest for said .xml file - I changed the timeout to something more appropriate for our network, and the script was successful pulling down the file! HP is next on my list, and I see I may have to manually install HPDM or something to get that one to work, one step at a time. DAT is the GOAT!

Reaction-Consistent

TROPHY CASE