Channel: Deployment Research - Johan Arwidmark

A New Era Has Begun - I'm now a SCCDM MVP


This is the third Microsoft MVP category shift in my career: first I was a Setup & Deployment MVP, then an Enterprise Client Management MVP, and now I’m a System Center Cloud & Datacenter Management (SCCDM) MVP. If I get re-awarded next year it will mark my 11th year as a Microsoft MVP, which is very cool.

Hybrid is the future of IT

I strongly believe that Hybrid scenarios, having part of your IT resources on-premise, and part of the IT resources in the Cloud, is the future of IT. I’ve been deploying and managing clients and servers for years, will continue to do that, but will work more with PowerShell, private, hybrid and public cloud solutions than previously. I’m very excited to see where this road leads to!

Am I giving up MDT and ConfigMgr?

Hell no, but you can expect to see more posts on integrating them with other System Center products, more posts on using them for building datacenter infrastructures, and more posts on deploying and managing private, hybrid and public cloud solutions.

/ Johan

Windows 8.1 Enterprise ISO including November 2014 Updates

The Windows 8.1 ISOs are not what they used to be, for example depending on when you download the Windows 8.1 Enterprise with Update from MSDN you get different content.

When downloading it today (Dec 21, 2014) the file included the November 2014 updates. Here is a plain deployment, with no extra updates installed.

Note: The Windows Server 2012 R2 ISO is also updated.

Please use this one for your build and capture processes, it will be faster.

image
The Windows 8.1 Enterprise ISO including November Updates.

/ Johan


Project Plex - Replacing my Media Center PC

Twas the night before Christmas, in the year 2014, Project Plex finally began.

For years I have been using a Windows 7 box with Media Center as my main Media PC. It had 6 TB of storage, mainly ISO’s (DVD and Blu-ray), and I had it connected to my Samsung 55” TV. This Christmas it was finally time for an upgrade. Since all other family members had smart-phones, iPads, and PCs I decided on using the Plex Media Server which has a rich set of client applications.

Media Server

As Plex Media Server I decided on using my trustworthy HP MicroServer, 16 GB of RAM, one 480 GB SSD for OS and Program Files volume, and 4 x 4 TB of SATA drives configured in a fault tolerant storage pool (parity).

 MicroServer
The HP MicroServer with 1 SSD + 4 x 4 TB SATA disks.

image
The Storage Pool, 10.9 TB Available.

 

Main Client

As I mentioned, Plex has clients for most hardware, but as my main Media PC, connected to my TV, I selected the Intel NUC device. I actually wrote a piece about that machine almost a year ago, on how to install it with Windows 8.1.

NUC
The Intel NUC PC (Next to my Apple TV).

 

Converting Media

Since Plex prefers MKV over ISO files, my next task is to convert my ISOs into MKV files (containers). Will add more info on that as I go along…

 

Happy holidays to all of you!

/ Johan


Reset the Domain Admin password in Windows Server 2012 R2

I was surprised to see that the good old domain administrator reset password trick from Windows Server 2008 still works in Windows Server 2012 R2.

Thanks to Martijn Brant for reminding me of this.

Note: If using Windows Server Technical Preview Build 9841 you have to replace sethc.exe instead, and launch it via Ease of Access / High Contrast. Thanks Mr. Diagg for this tip!

Step-by-Step guide

To reset the Domain Admin password in Windows Server 2012 R2 you do the following.

  1. Shut down the domain controller (VM most likely).
  2. Boot on the Windows Server 2012 R2 installation media or any other WinPE boot media.
  3. Open a command prompt; Shift + F10 if using the installation media.
  4. Rename the C:\Windows\System32\utilman.exe file to utilman.bak.
  5. Copy the C:\Windows\System32\cmd.exe to utilman.exe.
  6. Start the domain controller again.
  7. At the login screen, press Windows + U or click the “Ease of Access” button.
  8. Type in: net user administrator newpass123!
  9. Exit the command prompt, and log in with the new password.
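
The steps above leave a copy of cmd.exe in place of utilman.exe, so the same swap is worth auditing for on any domain controller. The following PowerShell check is an added example, not part of the original post: it flags Ease of Access binaries that are byte-identical to cmd.exe or carry its version resource. The function name, the OriginalFilename heuristic and the output columns are assumptions of this example.

```powershell
# Added example: audit the Ease of Access binaries that the reset procedure replaces.
function Test-AccessibilityBinary {
    [CmdletBinding()]
    param(
        # Use an offline path (for example D:\Windows\System32 from WinPE) to check a powered-off server.
        [string]$System32 = (Join-Path $env:SystemRoot 'System32'),
        # utilman.exe is the target on Windows Server 2012 R2, sethc.exe on the Technical Preview build.
        [string[]]$Name = @('utilman.exe', 'sethc.exe')
    )

    # Reference hash of the command interpreter in the same System32 folder.
    $cmdHash = (Get-FileHash -LiteralPath (Join-Path $System32 'cmd.exe') -Algorithm SHA256).Hash

    foreach ($fileName in $Name) {
        $path   = Join-Path $System32 $fileName
        $backup = [System.IO.Path]::ChangeExtension($path, '.bak')   # step 4 renames the original to .bak

        if (-not (Test-Path -LiteralPath $path)) {
            $finding  = 'Missing'
            $original = $null
        }
        else {
            $hash     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $original = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename

            # Heuristic (assumption): same bytes as cmd.exe, or a version resource that names cmd.exe,
            # which also catches a cmd.exe copied in from a different build.
            $finding = if ($hash -eq $cmdHash) { 'IdenticalToCmd' }
                       elseif ($original -match '^cmd\.exe') { 'CmdVersionResource' }
                       else { 'OK' }
        }

        [pscustomobject]@{
            File             = $path
            Finding          = $finding
            OriginalFilename = $original
            BackupPresent    = (Test-Path -LiteralPath $backup)
        }
    }
}

# Anything other than 'OK', or a leftover .bak file, means the original binary has not been restored.
Test-AccessibilityBinary | Format-Table -AutoSize
```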

image

 

For Windows Server Technical Preview:

image

 

/ Johan


Top 10 blog posts from 2014

Had a great chat today with my good old “friend” Google Analytics :)

image

Top 10 blog posts

Out of my 71 blog posts during 2014 (well 72 with this one), the following made it into top 10:

#1 - The Hydration Kit for System Center 2012 R2 is available for download
http://deploymentresearch.com/Research/tabid/62/EntryId/149/The-Hydration-Kit-for-System-Center-2012-R2-is-available-for-download.aspx

#2 - Automatic Maintenance in Windows Server 2012 R2 is EVIL!
http://deploymentresearch.com/Research/tabid/62/EntryId/143/Automatic-Maintenance-in-Windows-Server-2012-R2-is-EVIL.aspx
   
#3 - Building reference images like a boss!
http://deploymentresearch.com/Research/tabid/62/EntryId/174/Building-reference-images-like-a-boss.aspx
   
#4 - The battle begins - Building the perfect reference image for ConfigMgr 2012
http://deploymentresearch.com/Research/tabid/62/EntryId/163/The-battle-begins-Building-the-perfect-reference-image-for-ConfigMgr-2012.aspx

#5 - Do not do OSD in ConfigMgr 2012 R2 without this hotfix   
http://deploymentresearch.com/Research/tabid/62/EntryId/156/Do-not-do-OSD-in-ConfigMgr-2012-R2-without-this-hotfix.aspx

#6 - Windows ADK 8.1 update available for download
http://www.deploymentresearch.com/Research/tabid/62/EntryId/169/Windows-ADK-8-1-update-available-for-download.aspx

#6 - Install Windows 8.1 on Intel NUC (D54250WY)
http://www.deploymentresearch.com/Research/tabid/62/EntryId/141/Install-Windows-8-1-on-Intel-NUC-D54250WY.aspx

#7 - Installing the new HP SUM (6.2.0) with MDT 2013
http://www.deploymentresearch.com/Research/tabid/62/EntryId/153/Installing-the-new-HP-SUM-6-2-0-with-MDT-2013.aspx

#8 - Installing CU3 for ConfigMgr 2012 R2
http://www.deploymentresearch.com/Research/tabid/62/EntryId/189/Installing-CU3-for-ConfigMgr-2012-R2.aspx

#9 - Beyond Zip - How to store 183 GB of VMs in a 16 GB file using PowerShell
http://www.deploymentresearch.com/Research/tabid/62/EntryId/148/Beyond-Zip-How-to-store-183-GB-of-VMs-in-a-19-GB-file-using-PowerShell.aspx

#10 - WinPE 5.0 scratch space in MDT 2013 and ConfigMgr 2012 R2
http://www.deploymentresearch.com/Research/tabid/62/EntryId/159/WinPE-5-0-scratch-space-in-MDT-2013-and-ConfigMgr-2012-R2.aspx


CPU spiking on Windows Server 2012 R2 after applying updates

Earlier this year I blogged about the automatic maintenance task in Windows Server 2012 R2 being EVIL, today it’s time for .NET Runtime Optimization Service spiking the CPU on one of my domain controllers after installing updates.


After some research (Google), I realized I was not alone

The fix turned out to be easy. Find a command prompt, navigate to the C:\Windows\Microsoft.NET\Framework\v4.0.30319 folder, run the following command:

ngen.exe executequeueditems

Then have some coffee (ok, it was wine, it’s Dec 30 after all and quite late in the afternoon). Once the command completes reboot the server.

cmd
Fixing the issue at hand.


Install a Virtual Router based on Windows Server 2012 R2 using PowerShell

Every now and then you need to give a set of lab VMs access to Internet but still keep them on a separate, isolated network.

In this scenario, instead of relying on the physical host platform (Hyper-V / VMware), you use a virtual machine with multiple network adapters to do the routing. One benefit of doing that is that this works the same no matter what virtual platform you are using, and obviously that you don’t need to change the host network configuration (something that can be challenging/scary when remoting into a lab server in another city, like I do :) ).

Back in 2012 I wrote a guide on how to manually set up either a Linux-based router (still the most stable one) or a Windows Server 2012 router. That post is available via the link below, together with a video.

Using a virtual router for your lab and test environment
http://www.deploymentresearch.com/Research/tabid/62/EntryId/81/Using-a-virtual-router-for-your-lab-and-test-environment.aspx

 

PowerShell cmdlets for Routing and Remote Access in Windows Server 2012 and Windows Server 2012 R2

Installing a router manually may be fun, but doing it using PowerShell is much more fun (and smarter too). Anyway, I thought it was about time to write a post on how to set up a virtual router using PowerShell. The prerequisite for this guide is that you have a Windows Server 2012 R2 VM installed with at least two network cards: one connected to the External network (Internet), and one to the internal network where you have your VMs. On both networks there are DHCP servers, but you will obviously set a static IP address on the internal NIC. You don’t want that address to change :)

Note: In this guide I’m using Hyper-V as the virtual platform, but this works equally great on VMware as well. Again, I’m not using any gateway features on the host, only in the VM acting as a router.

The VM used for virtual router is named GW01, Windows Server 2012 R2 is installed and is configured in a workgroup, even though it’s perfectly fine to join it to a domain. The reason for using a workgroup machine is that I just wanted a generic router, without any dependencies.

image
The GW01 virtual machine, running Windows Server 2012 R2, and having two network cards configured.

The configuration

Setting up Routing and Remote Access is done in three steps:

  1. Configuring the internal NIC
  2. Install the Routing and Remote Access role
  3. Configure the Routing and Remote Access role

Step 1 - Configure the internal network adapter

On my GW01 server I have named the network interfaces External and Internal, listed by running:

Get-NetAdapter | Select Name,MacAddress

image
Listing the network adapters.

To set a static IP address on the internal network adapter you run the following commands:

Get-NetAdapter -Name Internal | New-NetIPAddress -IPAddress 192.168.1.1 -AddressFamily IPv4 -PrefixLength 24

 

Step 2 - Install the Routing and Remote Access role

Once the network adapter is configured it’s time to install the Routing and Remote Access role, as well as its PowerShell cmdlets, by running the following command:

Install-WindowsFeature Routing -IncludeManagementTools

 

Step 3 - Configure the Routing and Remote Access role

Once the Routing and Remote Access role and its PowerShell cmdlets are added, you can now configure it. In this scenario you set up a simple NAT gateway.

To configure the NAT gateway, run the following commands:

Install-RemoteAccess -VpnType Vpn

$ExternalInterface="External"
$InternalInterface="Internal"

cmd.exe /c "netsh routing ip nat install"
cmd.exe /c "netsh routing ip nat add interface $ExternalInterface"
cmd.exe /c "netsh routing ip nat set interface $ExternalInterface mode=full"
cmd.exe /c "netsh routing ip nat add interface $InternalInterface"

If you want to verify the setup you can open the Routing and Remote Access management tool.

image

Done!

Happy Deployment, Johan


Duplicating Task Sequences in MDT 2013 Lite Touch

Duplicating, or copying, task sequences within the same deployment share in MDT 2013 Lite Touch works quite differently compared with doing the same with ConfigMgr 2012 (SCCM 2012). When you copy a task sequence in ConfigMgr, you get a true duplicate. When you copy a task sequence in MDT 2013 Lite Touch within the same deployment share, using the Deployment Workbench, you only get a link to the original task sequence.

This means that if you change the copied task sequence, you will also change the source task sequence.

image
Modifying the copied task sequence in the test folder, like removing the Silverlight app, will also remove Silverlight from the source task sequence.

 

Duplicating a Task Sequence

So how can you create a duplicate of a task sequence?  You have two options:

  1. Create a new task sequence in the Deployment Workbench, go to the Control folder, and copy the content of the task sequence folder you want to copy into the new task sequence folder. Example: You have an old task sequence with an ID of REFW81X64-001, and you have created a new task sequence with an ID of REFW81X64-002. To have REFW81X64-002 being a duplicate of REFW81X64-001, simply copy the content of the REFW81X64-001 folder to REFW81X64-002.
  2. Use PowerShell. The following PowerShell code will duplicate a task sequence.

Add-PSSnapIn Microsoft.BDD.PSSnapIn
New-PSDrive -Name "MDT" -PSProvider MDTProvider -Root "E:\MDTBuildLab"

# Duplicating the REFW81X64-002 task sequence into a new task sequence with ID REFW81X64-003
# Note: Grave accent (backtick) is used on the next line to wrap the line for readability.
Import-MDTTaskSequence -Template client.xml -name 'Windows 8.1 Copy' -ID REFW81X64-003 -OperatingSystemPath `
    'MDT:\Operating Systems\Windows 8.1\Windows 8.1 Enterprise x64' -Path 'MDT:\Task Sequences\Windows 8.1' -Version 1.0
Copy-Item -Path E:\MDTBuildLab\Control\REFW81X64-002\ts.xml -Destination 'E:\MDTBuildLab\Control\REFW81X64-003' -Force

 

image
The manual option, copying a task sequence via the file system

 

Copying Task Sequences between deployment shares

The behavior when copying items within a deployment share is different from when you copy between deployment shares. When you copy between deployment shares, you get a true copy.

Good friend and Microsoft MVP Mikael Nystrom recently posted a nice article on copying items between deployment shares.

Note: Copying between deployment shares will fail if an object with the same name already exists, but if you copy a task sequence with a different name but the same task sequence ID, Deployment Workbench will simply replace the existing task sequence without any questions.

image
Copying task sequences between deployment shares with the same name is prevented, copying with the same Task Sequence ID is not…


Debugging 80070002 and 80190191 errors during ConfigMgr (SCCM) OSD

Last week I was debugging a task sequence that failed with errors 80070002 and 80190191 when it was trying to download the first package used by the task sequence. The first package the task sequence tried to download was the MDT 2013 package, used by the “Use Toolkit Package” action in the task sequence. There are typically three reasons for these errors to happen:

  • Network Access Account not configured properly
  • Crappy (or just slow) Network
  • Missing IIS components on the site server

Network Access Account not configured properly

Most times the 80070002 and 80190191 errors happen because the network access account is not configured correctly. When it’s not, you see the following in the log:

First a few 401 errors, which are IIS (web) errors meaning authentication errors.

Second, a line where you clearly see the text: “Network access account credentials not supplied”

Obvious fix when this happens: Configure the network access account, and use the “Test Connection” feature to verify you typed the password correctly. Verify that you can do a net use to a share with that account and, in rare cases after upgrading to R2, remove the network access account from software distribution, delete the account from Security / Accounts, and then add it back again.

CMTrace
Task Sequence failing because of network access account not configured in software distribution settings.

Slow network causing issues

When the network is slow, like when having poor bandwidth and/or high latency issues, that can cause 80070002 errors as well.

Fixing this issue: Simply give the task sequence more time to find packages by adding these two task sequence variables in the beginning of the task sequence:

  • SMSTSDownloadRetryCount = 5
  • SMSTSDownloadRetryDelay = 15

image
Adding task sequence variables to allow for more time getting packages.

 

Missing IIS components on the site server

The final, and fortunately quite rare, reason for 80070002 and 80190191 errors is that you are missing the “Windows Authentication” component on the site server.

If that’s the case you get the following in the smsts.log:

401 - Unsuccessful with anonymous access. Retrying with context credentials.   
401 - Unsuccessful with context credentials. Retrying with supplied credentials.   
401 - Unsuccessful with supplied credentials.   
401 - Unsuccessful on all retries.
SendResourceRequest() failed. 80190191   
Download() failed. 80190191.   
DownloadContentAndVerifyHash() failed. 80070002.   

If you open the IIS logs on the Management Point you see the following “401” errors:

192.168.1.214 PROPFIND /SMS_DP_SMSPKG$/P010000D - 80 - 192.168.1.100 SMS+CCM+5.0+TS - 401 2 5 1433 2
192.168.1.214 PROPFIND /SMS_DP_SMSPKG$/P010000D - 80 - 192.168.1.100 SMS+CCM+5.0+TS - 401 2 5 1452 0
192.168.1.214 PROPFIND /SMS_DP_SMSPKG$/P010000D - 80 - 192.168.1.100 SMS+CCM+5.0+TS - 401 2 5 1433 0

Obvious fix: Add the missing “Windows Authentication” component on the site server.

image
Windows Authentication IIS feature added.

image


image
IIS logs showing the error.
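
To separate the three causes above from the IIS side, it helps to look at the 401 substatus and at whether a client ever got past the 401 for a given URL. The following PowerShell triage is an added example, not part of the original post: it parses W3C log lines by their #Fields header and reports client/URL pairs that only ever received 401. The function name and the #Fields header in the sample are assumptions; the three request lines are the ones quoted above.

```powershell
# Added example: report client/URL pairs in an IIS W3C log that never got past HTTP 401.
function Get-IisAuthFailure {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Line)

    # IIS 401 substatus codes.
    $substatusText = @{
        '1' = 'Logon failed'
        '2' = 'Logon failed due to server configuration'
        '3' = 'Unauthorized due to ACL on resource'
        '4' = 'Authorization failed by filter'
        '5' = 'Authorization failed by ISAPI/CGI application'
    }

    $fields = @()
    $rows = foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # The header defines the column order for the lines that follow.
            $fields = ($l -replace '^#Fields:\s*').Trim() -split '\s+'
            continue
        }
        if ($l -like '#*' -or [string]::IsNullOrWhiteSpace($l) -or -not $fields) { continue }

        $values = $l.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed line

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }

    $rows | Group-Object -Property 'c-ip', 'cs-uri-stem' | ForEach-Object {
        $group   = $_.Group
        $success = @($group | Where-Object { $_.'sc-status' -match '^[23]' })
        $denied  = @($group | Where-Object { $_.'sc-status' -eq '401' })

        # A normal Windows authentication handshake also starts with 401s, so only
        # report the pair when no request for that URL ever succeeded.
        if ($denied.Count -gt 0 -and $success.Count -eq 0) {
            $top = $denied | Group-Object -Property 'sc-substatus' |
                   Sort-Object -Property Count -Descending | Select-Object -First 1
            [pscustomobject]@{
                Client    = $group[0].'c-ip'
                Uri       = $group[0].'cs-uri-stem'
                Failures  = $denied.Count
                Status    = "401.$($top.Name)"
                Meaning   = $substatusText[$top.Name]
                UserNames = (($denied | Select-Object -ExpandProperty 'cs-username' -Unique) -join ',')
            }
        }
    }
}

# Sample input. The #Fields header is an assumption about how the log was configured;
# the request lines are copied from the post.
$sample = @'
#Fields: s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes time-taken
192.168.1.214 PROPFIND /SMS_DP_SMSPKG$/P010000D - 80 - 192.168.1.100 SMS+CCM+5.0+TS - 401 2 5 1433 2
192.168.1.214 PROPFIND /SMS_DP_SMSPKG$/P010000D - 80 - 192.168.1.100 SMS+CCM+5.0+TS - 401 2 5 1452 0
192.168.1.214 PROPFIND /SMS_DP_SMSPKG$/P010000D - 80 - 192.168.1.100 SMS+CCM+5.0+TS - 401 2 5 1433 0
'@ -split "`r?`n"

Get-IisAuthFailure -Line $sample | Format-List
```

For a real log, pass `(Get-Content <path to the IIS log file>)` as `-Line`; the path is site-specific and not given in the post.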


Nesting sections in CustomSettings.ini

Earlier today I got a question on how to nest sections in CustomSettings.ini to create a computer name. Here is how!

Note: For the record, I don’t recommend generating complex computer names based on site,laptop etc. Keep the computer names to a syntax PC+sequence or something like that (example PC00075). Easy to read, easy to keep track of etc. However, the nesting technique demonstrated here can be used for many things.

Multiple Sections

In this example you see multiple settings, and a few custom values, coming together to form a computer name based on location, computertype and serialnumber. As usual when playing around with rules in CustomSettings.ini, use this PowerShell script to simulate the settings. Save time (and avoid pain) - Create a MDT simulation environment

The important part in the script below is the priorities: a custom variable must be set in one section before it can be used in another. That’s why the OSDComputerName variable is set in the Default section, which is last in the order (the order of the sections within the file itself is irrelevant; it’s the Priority line that controls it).

[Settings]
Priority=DefaultGateway, ByLaptopType, ByDesktopType, Default
Properties=ComputerLocationName,ComputerTypeName

[Default]
OSDComputerName=%ComputerLocationName%-%ComputerTypeName%-%SerialNumber%

[DefaultGateway]
192.168.10.1=Stockholm

[Stockholm]
ComputerLocationName=S

[ByLaptopType]
Subsection=Laptop-%IsLaptop%

[ByDesktopType]
Subsection=Desktop-%IsDesktop%

[Laptop-True]
ComputerTypeName=L

[Desktop-True]
ComputerTypeName=D

 

image

 

Happy deployment

/ Johan


Hacking Away - Deploying Windows 10 Build 9926 using MDT 2013 Lite Touch

Still the development of MDT 2013 is hopelessly behind the technical preview releases of Windows. Until that happens you can still apply some custom hacks to the current version.

In Windows 10 Build 9926 you still need to add updated DISM files to the boot image (until the Windows 10 ADK is released), and due to the new “10.0.9926.0” version number there is a new problem: many of the MDT scripts, especially the LTIApply.wsf and ZTIUserState.wsf scripts, have quite a few string checks for “6.X” versions.

The problem is however that “10.0” is not higher than “6.2” when you do a string comparison. That means if you have a snippet that says:  

If Left(oEnvironment.Item("OSCurrentVersion"), 3) >= "6.2"

Windows 10 will not fall into that If statement (since “10.0” is lower than “6.2” in a string comparison).
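
The failure mode described above, shown side by side with a component-wise numeric comparison. This is an added PowerShell example, not code from the MDT scripts or from the updated scripts the post links to; the function name and the sample version strings other than 10.0.9926.0 are assumptions.

```powershell
# Added example: why a three-character string check misorders "10.0", and a numeric alternative.
function Test-VersionAtLeast {
    param(
        [Parameter(Mandatory)][string]$Current,
        [Parameter(Mandatory)][string]$Minimum
    )
    $c = $Current.Split('.')
    $m = $Minimum.Split('.')
    $length = [Math]::Max($c.Count, $m.Count)

    # Compare component by component as integers; missing components count as 0.
    for ($i = 0; $i -lt $length; $i++) {
        $ci = if ($i -lt $c.Count) { [int]$c[$i] } else { 0 }
        $mi = if ($i -lt $m.Count) { [int]$m[$i] } else { 0 }
        if ($ci -ne $mi) { return ($ci -gt $mi) }
    }
    return $true   # all components equal
}

function Compare-VersionCheck {
    param([string[]]$Version, [string]$Minimum = '6.2')
    foreach ($v in $Version) {
        [pscustomobject]@{
            OSCurrentVersion = $v
            # Mirrors Left(OSCurrentVersion, 3) >= "6.2": a character-by-character comparison.
            StringCheck      = ($v.Substring(0, 3) -ge $Minimum)
            NumericCheck     = (Test-VersionAtLeast -Current $v -Minimum $Minimum)
        }
    }
}

# Constructed sample versions; only 10.0.9926.0 appears in the post.
Compare-VersionCheck -Version '6.1.7601', '6.2.9200', '6.3.9600', '10.0.9926.0' | Format-Table -AutoSize
```

Only the 10.0.9926.0 row differs: the string check is False because "1" sorts before "6", while the numeric check is True.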

 

The fix

First, this is not supported so don’t blame me if something is not working.

Update 2015-01-29: This post is only for plain bare metal deployment, to build a reference image see this post: Create a Windows 10 reference image using MDT 2013

 

In addition to having the task sequence copy the right servicing stack to the WinPE 5.0 boot image, you also need to use updated versions of some MDT 2013 scripts (click the link for download).

On your MDT server, copy the updated scripts to the scripts folder of your deployment share, replace existing files.

Also, copy the dism.exe and DISM folder from a x64 WTP boot.wim file to your deployment share, in my case E:\MDTProduction\Tools\x64.

The dism.exe file and DISM folder are found in the X:\Windows\System32 on your boot image (once booted), or E:\Mount\Windows\System32 if you just mounted the boot.wim.

image
The needed files, copied to the deployment share.

After copying the files, add two run command line actions to your Windows Technical Preview task sequence (and only this task sequence).

Copy WTP dism.exe
cmd /c copy %deployroot%\tools\%architecture%\dism.exe x:\windows\system32\ /y

Copy WTP DISM subsystem
cmd /c copy %deployroot%\tools\%architecture%\dism\*  x:\windows\system32\dism /y

image
The additional actions in the task sequence.

image
Deployment completed.


Sysprep broken in Windows 10 Build 9926

Turns out that Sysprep is broken in Windows 10 Build 9926, but there is a workaround…

When trying to run Sysprep on a virtual machine with Windows 10 build 9926 installed you may be greeted with the following error message:

A fatal error occurred while trying to sysprep the machine.


 

Background info

This only happens if the virtual machine is connected to Internet during setup.

If you open setuperr.log found in C:\Windows\System32\Sysprep\Panther you see the following:

Error                 SYSPRP Package Microsoft.InsiderHub_1.1.0.400_x64__8wekyb3d8bbwe was installed for a user, but not provisioned for all users.
This package will not function properly in the sysprep image.
Error                 SYSPRP Failed to remove apps for the current user: 0x80073cf2.

Workaround

There are two workarounds:

  1. Make sure the virtual machine you are using for reference images never connects to Internet.
  2. Prior to running Sysprep, have the task sequence delete all updated packages using PowerShell.

To delete a package, use the following PowerShell command:

# Delete a package
Get-AppxPackage -Name *Insider* | Remove-AppxPackage

 

/ Johan


Hacking Away - Deploying Windows 10 Build 9926 using SCCM 2012 R2

Like the MDT 2013 Lite Touch post from yesterday, here is the same info but for ConfigMgr 2012 R2. In this post you find step-by-step guidance on how to deploy the Windows 10 Enterprise x64 build 9926, including driver injection support, with ConfigMgr 2012 R2 (integrated with MDT 2013 of course).

Step-by-step guide

First, this is not supported so don’t blame me if something is not working.

Second, to make ConfigMgr 2012 R2 (integrated with MDT 2013) work with Windows 10 build 9226 image, including driver injection, you need to make sure WinPE 5.0 is updated with the new dism.exe and sub-components required to do offline servicing (otherwise driver injection fails). The trick is to simply have the task sequence copy the right servicing stack to the WinPE 5.0 boot image when deploying Windows 10 operating systems.

On your file share you use for your MDT 2013 package source files, copy the dism.exe and DISM folder from the Windows 10 build 9926 boot.wim file to MDT 2013 package, in my case \\CM01\Sources\MDT\MDT 2013\Tools\x64. The dism.exe file and DISM folder are found in the X:\Windows\System32 on your boot image (once booted), or E:\Mount\Windows\System32 if you just mounted the boot.wim.

 image
The needed files, copied to the MDT 2013 package.

After copying the files, add two run command line actions to your Windows Technical Preview task sequence (and only this task sequence).

Copy WTP dism.exe
cmd /c copy %deployroot%\tools\%architecture%\dism.exe x:\windows\system32\ /y

Copy WTP DISM subsystem
cmd /c copy %deployroot%\tools\%architecture%\dism\*  x:\windows\system32\dism /y

 image
The additional actions in the task sequence.

Driver injection is now successful for Windows Technical Preview deployments

Here is the resulting deployment, with the ConfigMgr 2012 R2 CU3 client installed.

image

 

Happy deployment,

/ Johan


Notes From the Field - Live production upgrade to Windows 10 build 9926

Earlier today I migrated my production machine to Windows 10 build 9926, and also recorded the entire process (video available here).

On this blog post I will write about my day-to-day findings of using the new platform.

January 26

Note #1: Camtasia Studio 8.3 went from 4 – 5 crashes a day, to 4 – 5 crashes per hour.

Note #2: My Rode Podcast USB microphone no longer works (found as USB Audio device, but does not work).

Note #3: Device Manager flickering like crazy (Windows 8.1 “feature” carried over).

Note #4: Can not unblock downloaded word-document in File Explorer (workaround, use the Streams application, Sysinternals/Microsoft)

January 29

Note #5: When connecting the Epiphan DVI2USB 3.0 capture card, and start the Epiphan Capture software, the machine blue screens. Tested three times.

Note #6: OneDrive crashed, had to resync all files, and manually delete the leftover SkyDrive folder.

 

image
Clicking Unblock does not work on my machine with Windows 10 Build 9926.

 

image
The Rode Podcaster Microphone, not working.

/ Johan


Windows 10 Upgrade Limitations

While in-place upgrades are nice, there are quite a few scenarios when you need to use the old-school deployment scenarios (new computer, refresh computer and replace computer).

Side note: Check out my live production upgrade to Windows 10 video

The Windows 10 Setup Upgrade process

When using the /Auto:Upgrade switch to upgrade Windows 7/8/8.1 to Windows 10 (which migrates data, settings and apps) it does NOT support the following:

  • Use a custom reference image
  • Change from BIOS to UEFI or do other disk layout changes (partitioning)
  • Upgrade when having third party disk encryption (for now, may change depending on vendor)
  • Upgrade when third party antivirus software installed (for now, may change depending on vendor)
  • Upgrade between architecture (e.g. x86 to x64)
  • Change the language (base OS language)
  • Change disk layout (partitioning)
  • Change to a lower SKU (the /Auto:Upgrade can only upgrade to the same or higher SKUs)
  • Upgrade a "boot from VHD" system
  • Upgrade WIMBoot/Compressed OS
  • Upgrade Windows To Go USB sticks

The conclusion is that even though upgrades work quite well, because of the limitations, we still need to have deployment solutions around a while longer :)


/ Johan


Deploying Windows Server 2012 R2 to Intel NUC devices using MDT 2013

The Intel NUC devices have turned out to be great machines for a small but efficient Hyper-V host. The challenge is that Intel doesn’t get that, and in fact blocks their network adapter device drivers for Windows Server 2012 R2 (with some exceptions). In this post you learn how to fix this properly:

When it comes to solving the Windows Server 2012 R2 network driver issues for the Intel NUC device, you have three options:

  1. Buy one of the few (well two) Intel NUC models that actually do have a network driver for Windows Server 2012 R2.
  2. Fix the driver yourself and sign it like a boss
  3. Fix the driver yourself, go cheap, disable driver enforcement in Windows Server 2012 R2, install the driver (semi-manually), and enable driver enforcement again.

This post focuses on the real deal, doing what you should be doing for a real-world production environment, i.e. Option 2 :)

 

Option 1 – Buy the special Intel NUC models

Not much to say about this one: buy one of the DC53427HYE or NUC5i5MYHE Intel NUC kits, download the LAN_Server2012R2_64_19.5.exe driver, and import as usual into MDT 2013.

Option 2 – Sign the Driver Like a Boss!

This is where you want to be, and for this you need to get a real driver certificate that is cross-signed with Microsoft. I ended up buying Kernel-Mode Code Signing Certificates from Digicert for 223 USD (1 year) but I have seen deals as low as 178 USD / year. I just happen to like Digicert because they are awesome. Here are the steps for fixing and signing the Intel network drivers for Windows Server 2012 R2. In these steps I assume you have bought a certificate:

  1. Download the Intel NUC network driver for Windows 8.1 (LAN_Win8.1_64_19.5.exe) from https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=24198&lang=eng&ProdId=3744 and extract to a folder. 
  2. The driver you want to modify is in the lan_win8.1_64_19.5\PRO1000\Winx64\NDIS64 folder. In this guide I created a new folder, C:\Drivers\IntelNUC, and copied the NDIS64 folder to it.

    image
    The NDIS64 folder copied from lan_win8.1_64_19.5\PRO1000\Winx64.
  3. Modify the e1d64x64.inf file per Jay-R Barrios instructions in his post: Intel NUC D54250WYKH: Installing LAN Driver on Windows Hyper-V Server 2012 R2
  4. Download and install Windows Driver Kit 8.1 Update 1 from http://www.microsoft.com/en-us/download/details.aspx?id=42273 . Don’t worry about the notes saying you must have Visual Studio 2013 installed, because you don’t.

    image
    Installing Windows Driver Kit 8.1 Update 1.
  5. Since you modified the e1d64x64.inf file you have broken the signing. To fix this you generate new catalog files, and sign them with your certificate.
  6. Generate the new CAT files by starting an elevated command prompt and run the following commands:

    Cd "C:\Program Files (x86)\Windows Kits\8.1\bin\x86"

    inf2cat.exe /driver:"C:\Drivers\IntelNUC\NDIS64" /os:Server6_3_X64


    image
    Generating the catalog files.

  7. Next up is to sign the catalog files. You can either do that using the Signtool.exe utility or, if you are using DigiCert, you can use the DigiCert utility. If you are going the command-line route, download the "DigiCert High Assurance EV Root CA.crt" from DigiCert to the folder where you have signtool.exe, and run the following command:

    signtool.exe sign /v /ac "DigiCert High Assurance EV Root CA.crt" /s My /n "Deployment Artist AB" /t http://timestamp.digicert.com /sha1 12210EDE21C48E90511476F35B18671665EEC14A "C:\Drivers\IntelNUC\NDIS64\e1d64x64.cat"

    Note: You need to replace the certificate name and SHA1 value in the above command with your own (if you only have one certificate with that name you can skip the /sha1 switch).
  8. If you use the DigiCert utility, just add the CAT files to sign, don’t forget to check “Kernel Mode Signing”, and click Sign.


    image
  9. Now the drivers are signed and you simply add them to MDT 2013. The Intel NUC tested with this guide was D54250WY, and since I always use the Total Control approach (click for details), I have that logical folder in my Deployment Workbench as well.

    image
    ”Fixed” network driver added to the workbench.
  10. You are done! MDT 2013 will now happily inject the driver into the driver store during deployment. During the WinPE phase of the deployment you can verify the injection into the driver store by pressing F8 and opening the X:\Windows\Logs\DISM\Dism.log file.

    image
    Dism.log file showing successful install of the modified driver.
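
Before importing the folder into MDT it is worth confirming that each catalog really is signed with the intended certificate, is timestamped, and was generated after the last INF edit. The following PowerShell check is an added example, not part of the original post: the function name and the assumption that each .cat sits next to an .inf with the same base name (as with e1d64x64.inf and e1d64x64.cat) are this example's own; the paths and thumbprint are the ones used in the steps above.

```powershell
# Added example: verify the signed catalogs in a driver folder before importing it into MDT.
function Test-DriverCatalogSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DriverFolder,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        # Folder used for inf2cat in step 6; signtool.exe ships in the same kit.
        [string]$SignTool = 'C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe'
    )

    foreach ($cat in Get-ChildItem -LiteralPath $DriverFolder -Filter *.cat) {
        $sig = Get-AuthenticodeSignature -FilePath $cat.FullName

        # Assumption: the INF covered by this catalog has the same base name.
        $infPath = Join-Path $DriverFolder ($cat.BaseName + '.inf')
        $inf     = if (Test-Path -LiteralPath $infPath) { Get-Item -LiteralPath $infPath } else { $null }

        # An INF edited after the catalog was written means the catalog hashes are stale
        # and inf2cat plus signing must be run again.
        $infNewerThanCat = ($null -ne $inf) -and ($inf.LastWriteTimeUtc -gt $cat.LastWriteTimeUtc)

        # Optional: let signtool apply the kernel-mode signing policy and confirm
        # that the INF is listed in the catalog.
        $kernelPolicyOk = $null
        if ($inf -and (Test-Path -LiteralPath $SignTool)) {
            & $SignTool verify /kp /c $cat.FullName $inf.FullName | Out-Null
            $kernelPolicyOk = ($LASTEXITCODE -eq 0)
        }

        [pscustomobject]@{
            Catalog          = $cat.Name
            SignatureStatus  = $sig.Status                                   # 'Valid' when the chain is trusted
            ExpectedSigner   = ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
            Timestamped      = ($null -ne $sig.TimeStamperCertificate)       # set by the /t switch in step 7
            InfNewerThanCat  = $infNewerThanCat
            KernelPolicyOk   = $kernelPolicyOk                               # $null when signtool was not run
        }
    }
}

# Folder and thumbprint from the steps above; replace the thumbprint with your own certificate's.
Test-DriverCatalogSignature -DriverFolder 'C:\Drivers\IntelNUC\NDIS64' `
    -ExpectedThumbprint '12210EDE21C48E90511476F35B18671665EEC14A' | Format-Table -AutoSize
```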

 

Option 3 – Go cheap and trick the system

If you want to go cheap, and don’t mind having a manual task in the deployment (brr), you can disable driver enforcement in Windows Server 2012 R2, install the driver, and enable driver enforcement again. This post by Jay-R Barrios shows you how: Intel NUC D54250WYKH: Installing LAN Driver on Windows Hyper-V Server 2012 R2

 

Happy Deployment

/ Johan



Create a Windows 10 reference image using MDT 2013


The development of MDT 2013 is still hopelessly behind the technical preview releases of Windows. Until it catches up, you can still apply some custom hacks to the current version.

Like the previous Windows 10 preview builds, Windows 10 build 9926 still requires you to add updated DISM files to the boot image (until the Windows 10 ADK is released, and MDT is updated to support that version). However, a new issue was introduced in build 9926 due to the new “10.0.9926.0” version number: many of the MDT scripts, especially the LTIApply.wsf and ZTIUserState.wsf scripts, break because they have quite a few string checks for “6.X” versions. As an example, when you do string comparison in VBScript, “10.0” is not higher than “6.3”.
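
The comparison problem described above, as an added PowerShell illustration (not code from MDT; the VBScript-style sample lines and the function names are constructed for this example): the same version check is evaluated as a string and as a parsed version, and a small scanner flags comparisons against quoted “6.x” literals.

```powershell
# Added example. The sample lines are constructed in the style of a VBScript
# version check; they are not copied from any MDT script.
$sampleScript = @'
If sOSVersion >= "6.2" Then bUseNewDism = True
If Left(sOSVersion, 3) = "6.3" Then sPlatform = "Blue"
If CLng(iBuild) >= 9200 Then bModernUI = True
'@ -split '\r?\n'

function Test-VersionAtLeast {
    param(
        [string]$Actual,
        [string]$Minimum,
        [switch]$AsString
    )
    if ($AsString) {
        # Character-by-character comparison: "1" sorts before "6",
        # so "10.0.9926.0" ranks below "6.3".
        return $Actual -ge $Minimum
    }
    # Parsed comparison: major, minor, build and revision are compared as numbers.
    return [version]$Actual -ge [version]$Minimum
}

function Find-StringVersionCheck {
    param([string[]]$Line)
    # Flags any comparison operator followed by a quoted "6.x" literal.
    $pattern = '(<=|>=|<>|=|<|>)\s*"6\.\d+"'
    for ($i = 0; $i -lt $Line.Count; $i++) {
        if ($Line[$i] -match $pattern) {
            [pscustomobject]@{ LineNumber = $i + 1; Text = $Line[$i].Trim() }
        }
    }
}

# Same inputs, two different answers depending on how the comparison is done.
[pscustomobject]@{
    StringCompare  = Test-VersionAtLeast -Actual '10.0.9926.0' -Minimum '6.3' -AsString
    VersionCompare = Test-VersionAtLeast -Actual '10.0.9926.0' -Minimum '6.3'
} | Format-List

# Lines that would need review before running against a 10.x build.
Find-StringVersionCheck -Line $sampleScript | Format-Table -AutoSize
```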

This post focuses on what you need to change in MDT 2013 to use it for build and capture of a Windows 10 Enterprise x64 build 9926 reference image. The high-level steps are:

  • Add three Windows 10 build 9926 hotfixes to MDT
  • Add dism files to MDT 2013
  • Update some scripts in MDT 2013
  • Modify the task sequence (four modifications required)
  • Prevent the virtual machine from accessing Internet during build and capture

 

Fixing MDT 2013 Build and Capture for Windows 10 build 9926

First, this is not supported so don’t blame me if something is not working. It works fine in my testing, but I haven’t tested every possible scenario.

 

Step 1 - Add three Windows 10 build 9926 hotfixes to MDT

Using the Windows Catalog site: http://catalog.update.microsoft.com search for “Technical Preview 2 x64” and download the KB3035129, KB3034229 and KB3035034 updates.

The most critical fix is Start menu registration, but it’s not bulletproof yet.

 

Updates

In the Deployment Workbench, in your deployment share, create a folder named Windows 10 build 9926 x64, and import the packages.


Create a selection profile named Windows 10 build 9926 x64, and configure the Packages / Windows 10 build 9926 x64 folder in it.


 

Step 2 - Add updated dism files

Copy the dism.exe file and the DISM folder from an x64 WTP boot.wim file to your deployment share, in my case E:\MDTProduction\Tools\x64.

The dism.exe file and DISM folder are found in X:\Windows\System32 on your boot image (once booted), or in E:\Mount\Windows\System32 if you just mounted the boot.wim.

The needed files, copied to the deployment share.

 

Step 3 – Update MDT 2013 scripts

Download the updated MDT 2013 scripts from this location: MDT 2013 Update scripts, and copy them to your deployment share, replacing the existing files.

 

Step 4 – Modify the task sequence

There are a few things you need to modify in the task sequence.

  • Configure the Apply Patches action
  • Add actions that copy the dism files
  • Add an extra restart action
  • Remove a condition on one of the built in actions

Configure the Apply Patches action to use the Windows 10 build 9926 x64 selection profile.


 

Add two Run Command Line actions to your Windows 10 build 9926 task sequence.

Copy WTP dism.exe
cmd /c copy %deployroot%\tools\%architecture%\dism.exe x:\windows\system32\ /y

Copy WTP DISM subsystem
cmd /c copy %deployroot%\tools\%architecture%\dism\*  x:\windows\system32\dism /y

The additional actions in the task sequence.

Then add an extra Restart Computer action before the Apply Windows PE action.

Extra restart action added for build and capture.

Then, remove the condition on the Apply Windows PE (BCD) entry in the task sequence.

Default condition removed on the Apply Windows PE (BCD) action.

 

Step 5 – Prevent the virtual machine from accessing Internet

If the virtual machine is allowed to connect to the Internet, it will update some of the built-in apps, and that will break sysprep.

Simply make sure it does not have Internet access.

WIM Capture in progress.



What's new in the Windows 10 ADK (Technical Preview)


Earlier this morning the technical preview of Windows 10 ADK was released. A nice little 6 GB install if you install features, or 2.7 GB if you only download the bits (Yes, I know the UI says 3.6 GB, but no… the download is only 2.7 GB :)

Here is the download: Windows 10 ADK Technical Preview

Note: Before you even try, this version is NOT compatible with MDT 2013 (6.2.5019.0) or ConfigMgr 2012 R2.

Summary

In this post you will learn about the following features in Windows ADK 10 (January Technical Preview):

  • The Windows ADK 10 Installer and help file
  • Windows PE 10.0.9933
  • Windows Imaging and Configuration Designer (Windows ICD)
  • New features in DISM 10.0.9933

 

Installing Windows ADK 10

The new Windows ADK installer is pretty much the same as the previous versions. It still supports the /features switch to install features unattended, and the /layout switch to specify a folder for offline download. In addition to adksetup.exe, there is also a new documentation file, the ADK.chm file.

Note: If you don’t see any content when opening the ADK.chm file, make sure to unblock it (right-click, select Properties, click Unblock, and OK), or use the streams utility from Sysinternals if you are running Windows 10 build 9926, where the unblock feature is broken (the syntax is streams -d ).

Unblocking the ADK.chm file.

The Windows 10 ADK installer.

 

The downloaded content, all of it.

 

Windows PE 10.0.9933

The Windows 10 ADK (January 2015) includes a new WinPE version, build 9933 (10.0.9933), with the same optional components you are used to from Windows ADK 8.1 (WinPE 5.x).

Creating a custom boot image follows the same process as in Windows 8.1 ADK: start an elevated Deployment and Imaging Tools Environment command prompt, and type the following:

copype amd64 C:\WinPE10_x64

Creating a custom WinPE 10 boot image.

Booting on the Windows 10 WinPE image.

 

WinPE seems to have the same components as Windows ADK 8.1.

 

Windows Imaging and Configuration Designer

Windows ICD can be used to build a customized Windows image, as well as provisioning packages for customizing Windows machines with re-imaging. The provisioning package can be installed either from a normal file share, USB media etc., or embedded in the operating system image. For most folks this utility will be used to create provisioning packages that are then deployed using deployment solutions like MDT 2013 and/or ConfigMgr 2012 R2.

Note: If you even remotely think about using WICD as a deployment solution, think again. It would be about as intelligent as climbing with scissors. WICD is primarily a configuration tool, that happens to know about imaging. It’s like WDS which also knows about imaging, but never ever should be used for imaging (unless you really like to waste your time).

The provisioning packages you create, the PPKG files, are really just WIM files with a few XML files in them. For example this XML file:

Answer file from a provisioning package.

Anyway, examples of what you can configure / customize using Windows ICD are:

  • First run experience
  • Applications (both Windows Store apps as well as normal Windows Desktop apps)
  • Enterprise policies (Security Settings etc.)
  • Enterprise profiles (WiFi, VPN and email)
  • Certificates
  • Offline content
  • Create Images (please don’t)

Creating a provisioning package

Creating provisioning packages can be done either using Windows ICD (UI) or the Windows ICD command-line interface (icd.exe).

The Windows ICD command-line interface.

If you want to do it via the UI, simply create a new project, select to create a provisioning package, and then select the Windows version.

Note: Make sure to select the right version since that will control the settings available in the project.


In this example I’m setting the wallpaper in Windows.

Setting wallpaper in my provisioning package.

Note: Still debugging an issue of actually deploying these packages, will update post when I know more.

 

DISM 10.0.9933

There are indeed some new cool features to DISM in this release:

Support for the Full Flash Update (FFU), which captures and deploys an entire drive, including partition information. This is for Windows Phone deployments.

Support for capabilities, a new package type that allows you to request components like .NET or languages without specifying the version. DISM can search multiple sources like Windows Update or your own servers to find and install the latest version.

Compressed OS support: you can run Windows from a compressed file (replaces the WIMBoot feature from Windows 8.1).

 

/ Johan



Links from the Top 10 ConfigMgr 2012 issues session at SCU2015


Here are the links from my and Kent Agerlund’s session earlier today at the SCU2015 conference in Irving, TX.

Batman and Robin :)

Links from Kent’s demos.

Shutdowntool
http://blog.coretech.dk/kea/new-version-of-the-coretech-shutdown-tool/

Dashboard
http://www.coretech.dk/dashboard (trial includes the update report)

Kenny’s blog on notifications
http://scug.be/sccm/2015/01/20/windows-7-configmgr-2012-balloon-tips-setting-it-more-then-5-sec-to-display/

SQL Recommendations
http://blog.coretech.dk/kea/system-center-2012-configuration-manager-sql-recommendations/

Ola Hallengren
https://ola.hallengren.com/

Steve Thompson blog
https://stevethompsonmvp.wordpress.com/

 

OSD Links (my demos)

Automatically Populate the PATCH Property for the ConfigMgr Client Installation – Script Update
http://blogs.technet.com/b/deploymentguys/archive/2013/06/04/automatically-populate-the-patch-property-for-the-configmgr-client-installation-script-update.aspx

Building reference images like a boss!
http://www.deploymentresearch.com/Research/tabid/62/EntryId/174/Building-reference-images-like-a-boss.aspx

CU4 for ConfigMgr 2012 R2 Released, Pesky Apps in OSD Bug Squashed – By Nash Pherson
http://myitforum.com/myitforumwp/2015/02/02/cu4-for-configmgr-2012-r2-released-pesky-apps-in-osd-bug-squashed/

SMSTS.ini by Frank Rojas
http://blogs.technet.com/b/system_center_configuration_manager_operating_system_deployment_support_blog/archive/2011/10/12/how-to-change-logging-options-for-smsts-log-in-system-center-configuration-manager.aspx

The 1E SETSMSTSLOG utility
http://www.1e.com/free-tools/

Save time (and avoid pain) - Create a MDT simulation environment
http://www.deploymentresearch.com/Research/tabid/62/EntryId/155/Save-time-and-avoid-pain-Create-a-MDT-simulation-environment.aspx

 

Sample Files

http://blog.coretech.dk/kea/scripts-and-links-from-the-configmgr-2012-site-review-session-itdev-connections/

http://blog.coretech.dk/kea/links-from-the-configmgr-2012-r2-precon-itdev-connections/



Enabling PowerShell Hardcore Mode


Haha, ran into a tweet from “nohandle” earlier today that made me laugh out loud. Enabling PowerShell HardCore Mode :)

 

Enabling PowerShell HardCore Mode

HardCore Mode basically means that you configure PowerShell to shut down the computer if you type in a command that does not exist.

Note: do NOT do this on any production machine, or at least don’t yell at me if the machine turns off :)

$ExecutionContext.InvokeCommand.CommandNotFoundAction = { Stop-Computer -Force }


As long as you don’t mistype any command, all is well, but if not… this happens.

