Converting Windows 10 Media Creation tool to install.wim

When creating media with the Microsoft Windows 10 media creation tool, the USB drive or ISO file will not have install.wim included.  Therefore, you are not able to import an operating system into MDT.  There must be a install.wim in the “sources” in the media.  By default, the media creation tool creates a “install.esd” file.

 

To convert install.esd into install.wim, you can you use dism.

Open the Deployment and Imaging Tools Environment CMD prompt as admin, and browse to your folder location of install.esd

type:  dism /Get-WimInfo /WimFile:install.esd

 

 

 

 

We are looking for the index of the version we want to convert.  For example, if you want Windows 10 PRO, use index 1.

then type:  dism /export-image /SourceImageFile:install.esd /SourceIndex:1 /DestinationImageFile:install.wim /Compress:max /CheckIntegrity

 

 

 

 

This will convert your install.wim file and can now delete install.esd.  This should now import into MDT.

Posted in dism, MDT, MDT 2010, Windows 10 | Tagged , , , | Leave a comment

Remove all Windows 10 Metro Apps, except the Store

As you probably already know, sysprep will usually fail if the Windows 10 store metro style apps aren’t removed.  Most of my customers want these apps removed anyway.  I did have a request today to have all apps removed, but keep the Windows store just in case something wanted to be added in the future.

 

The normal method of removing the apps also removes the store.  I just tested the following Powershell commands that remove every app, except the store.  This may be useful as it’s difficult to add the store after the fact.

 

Get-appxprovisionedpackage –online | where-object {$_.packagename –notlike “*store*”} | Remove-AppxProvisionedPackage –online

 

Get-AppxPackage -AllUsers | where-object {$_.name –notlike “*store*”} | Remove-AppxPackage

Posted in MDT, MDT 2010, Microsoft Deployment Toolkit, Windows 10 | Tagged , , | Leave a comment

Remove all Windows 10 “Metro” style Apps from Reference Image

Many times Windows 10 sysprep will fail when the built-in Windows 10 apps are present.  The reasons can vary, however most times I just remove them anyway in my reference image.

This will remove most of the junk apps in the Windows 10 start menu, but may not remove the shortcuts themselves.

Use these 2 lines in your reference image task sequence, or run them manually before sysprep.

Get-AppxProvisionedPackage –online | Remove-AppxProvisionedPackage -online

Get-AppxPackage –AllUsers | Remove-AppxPackage

 

While we’re at it, we may as well remove Candy Crush, Twitter, etc… the Consumer Experience apps.  Add this to your task sequence or just edit the base reference image.

Import this registry entry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent]
“DisableWindowsConsumerFeatures”=dword:00000001

Posted in MDT, MDT 2010, Powershell, SCCM 2012 | Tagged , , , | Leave a comment

Using WMIC to Find Computer Model for SCCM or MDT

A quick tip that I use quite a bit.  If you like to query WMI to get the computer model for drivers in MDT or SCCM, one little nagging challenge is getting the exact name of the model in WMI.

Here’s a quick command line that you could also script if needed.

From an elevated command prompt, type:

wmic csproduct get name

The result should give you the exact name returned by WMI in your task sequence query. 

 wmic

 

 Then, just plug in your model you are targeting into a SCCM task sequence condition.  For example:

SELECT * FROM Win32_ComputerSystem WHERE Model LIKE “%HP Compaq Elite 8300 SFF%”

 

 

 

 

 

 

Posted in MDT, MDT 2010, SCCM 2007, SCCM 2012 | 1 Comment

MDT 2012 New Features – Monitoring

A big complaint of mine and many colleagues was the lack of monitoring in MDT 2010.  You never really knew what the status of a job was if it failed halfway thru. 

MDT 2012 now comes with a moniting section to view the progress of your task sequences. 

You can find monitoring in the bottom of your Deployment Workbench.  By default, this is turned off.  But very easy to turn on.

 mdt monitoring

mdt monitoring2

 

When you enable MDT 2012 monitoring, two things happen:

From Michael Neihuas Blog at Microsoft

  1. A new service, the “Microsoft Deployment Toolkit Monitor Service” (short name MDT_Monitor), is installed on the computer.  This service receives events from the computers being monitored, tracking each computer and how far it is in the deployment process.  It also provides this tracking data to Deployment Workbench for you, the administrator, to see.
  2. The CustomSettings.ini file is modified to add a new entry specifying the URL (a combination of the host name and port specified in the deployment share settings) to be used for monitoring.  This is how clients know where to send information.  The MDT scripts (through their use of ZTIUtility.vbs) will automatically send events to this URL.

A few other details:

  • The computers will be automatically removed after three days, to keep the database from getting too big.
  • If the monitoring service doesn’t hear from a computer for more than four hours, it considers the machine “unresponsive” – so if you see that status in the Workbench list, that’s why.
  • Every time a deployment task sequence starts, completes, or fails, an event log message will be written by the service.  So if you want to trigger some activity based on these events, you can easily do so.
  • You might think that IIS would be required for the MDT_Monitor service, but it’s not.  It’s leveraging features of the .NET Framework to run a “mini web server” as part of the service itself.
  • You might also think that a SQL database would be required to store the details.  Well, there is one, but you don’t need to install SQL Server to use it.  MDT uses a SQL Compact database; all the files needed are installed as part of MDT (and only used if monitoring is enabled).

Fairly easy to turn this one.  Also don’t need to worry about SQL either.  Just a compact SQL install included in the MDT install files. 

 

Posted in MDT, MDT 2010 | Leave a comment

Restarting a Hung MDT 2010 or 2012 Task Sequence

I’ve been asked a few times about the easiest way to restart a hung task sequence.  Hung meaning – for some reason the task sequence you kicked off doesn’t complete during or after imaging.  Most cases I see are hung after the image is down on the machine and waiting for the applications to load.   MDT basically tries to start where it leaves off and fail.

You try to reboot off the boot media and you see a message stating you can’t restart the task sequence becuase its waiting for applications to load.

If it’s a chronic problem – this probably isn’t the fix.  This is just for the one-off scenarios for when MDT decides to break.

To stop these errors from re-occuring

  • Boot to the OS
  • Delete these 2 folders from root of C:  _smstasksequence & minint
  • reboot and boot off MDT disk or PXE.  The MDT deployment share should start from scratch.

Also, can do the same thing winthin WinPE

  • diskpart 
  • select disk 0 
  • clean
  • then, restart the deployment
Posted in MDT, MDT 2010 | Leave a comment

Java 1.7 Auto-Update Deployment with SCCM/MDT

10/18/2013 Update – From a comment below.  I haven’t tested this as I’ve given up on Java completely. 

I just wanted to leave a note with how i got this working (there was lots of info in this thread but it was hard to find a clear step by step with success).

– Run the Java exe on a test machine, digg out the MSI + files from the %userprofile%\Appdata\…. area
– Create an MST using ORCA, set the update settings to not update etc.
– Create a blank “deployment.properties” file and have the “deployment.expiration.check.enabled=false” inside it.
– Install the MSI + MST
– Copy the deployment.properties to C:\Windows\Sun\Java\deployment
– Launch IE, browse to http://javatester.org
– Test the version with the button on the site
– Accept the security prompt (in our org. we are leaving this security level HIGH)
– Wait for any pop-up about an out of date version?
– Open up REGEDIT
– Browse to HKCU\Software\AppDataLow\Software\JavaSoft\DeploymentProperties
– You should see “deployment.expiration.check.enabled” REG_SZ false
– Retest by re-loading the Javatester.org website
– Retest by closing / reopening browser and hitting Javatester.org again
– Log off and on as a new user, repeat test to make sure the HKCU is being populated under the new user.
– Package up
– Have a beer

 

**Update 7/25/2013**  Sorry all, haven’t been as active with this as I’d like.  Unfortuntely we had to bite the bullet and get everyone upgraded to the latest and greatest.  It does seem that Oracle FINALLY sees this is massive issue and has released some patched versions for this.  Check all of the comments for the download link.  I personally haven’t even looked at the patches yet, so use at your own risk.  Please also look thru all the comments.  There any many different ways to look at resolving this at least temporarily.

 **Update 6/19/2013**  JAVA 7 UPDATE 25 RELEASED.   It appears a path was released for update 21, nothing that I can see for 25 yet.  From the comments

**Update 5/16/2013 **** PLEASE read all comments before implementing this.  Java has yet again changed the game and made the expiration date unavoidable.  There’s a lot of good info for temporary workarounds in the comments.  Key word … TEMPORARY. 

 

Unfortunately, you need a login on My Oracle Support (MSO). As I don’t have a login I cannot provide you a deep link to this particular patch.

If you have a login, you can sign-in on http://support.oracle.com, click “Patches and Updates”, then search for patch ID 16758419.

BTW: I have applied this interim patch on my PC today and changed the system date to August 10 (which is beyond the expiration date for the official public JRE 1.7.0_21). The infamous update popup did not occur, so the patch seems to work.

Oracle released an interim patch, 16758419, for JRE and JDK 1.7.0_21 (32bit only) with Auto-update Off and Insecure Java Version Message suppressed:

README for 16758419

Patch Details

Bug Number: 16758419

Product Name: Oracle JDK and JRE 1.7.0_21-fcs-b14
with Auto-update Off and Insecure Java Version Message suppressed
– Interim Patch

Platform: Windows-i586

 

some notes from Joe in the comments …

Got some bad news. If you start messing with your system date and set it to 5/16/13, even if you use the suggestions here of baseline.versions folder instead of files, you’ll get prompted. This all appears to be due to the JRE_EXPIRATION_DATE value that is hard coded to that date in 7.17. I tested it with 7.21 which has the variable set to 7/18/13 and it starts prompting you on 7/18 as expected (I mispoke in my post above 7/18 is correct). So I don’t know of any way to beat this.

I’m using this to push anyone with a JRE related app to demand from the vendor to move away from it. What a joke. 3 billion devices and counting … we’ll see about that Oracle.

Java, I do not like you!

 

Well, I am sure almost everyone is aware of the (in)famous Java updating mechanism within Java 1.7. 

Here’s the scenario if you haven’t already witnessed the madness with Java 1.7.x.  At the time of this writing, Java 1.7 update 15 was the latest version.  We package it up just like any other version, disabling auto-updates, and everything looks fine.  Then, we fast forward a few months and update 17 comes out.  No big deal, right?  Our package was set to turn Java auto-update off.  I wish it were so.  Once a user hits a webpage that uses Java, they will most likely see the following prompt.  The scary part – you’d never even know this was a problem until it’s too late.  If you deployed the latest version you wouldn’t see any error messages at all.  It’s only when a new version of Java is released that the messages start arriving. 

Your Java version is insecure.  Click Update to install the recommended secure version.  Click Block to stop Java content in your browser or Later to continue and be reminded again later.

 

error1

 

Unreal.  So let’s go thru the options here. 

Update:  Since 90% of corporate users are not local admins – that won’t work.  Result:  Service Desk Call

Block:  Block the app from running?  That’s why they are at this webpage to start with.  Result:  Service Desk Call

Later:  Well, this one kind of works.  This will at least get rid of the warning but only bring you to another!  Result:  Service Desk Call

Let’s assume a user clicks “later”  They will then see this additional popup message.  

Do you want to run this application?  Your version of Java is insecure and an application from the location below is requesting permission to run. 

 This particular site is just a Java tester site

 

error2

 So here’s our new options.

Run:  This will actually run the Java app.  Result:  No Service Desk Call (hopefully)

Update:  Another attempt to update Java to the latest version (remember, Java auto-update is turned off, right??)  Again, no local admin on most corporate machines.  Result:  Service Desk Call

Cancel:  Stops the app from running.  Result:  Service Desk Call

 

As you can see, sending this to an enterprise-wide distribution is not an option.  This would generate enormous amounts of Service Desk calls and very unhappy users.  This completely blows my mind.  I thought Adobe Flash was bad but now Oracle has topped the list.  I could go on for hours on why Oracle should disable this “feature”.  Until they do, we need a workaround.  Here’s my solution.  Not perfect by any means.  It seems to get rid of *most* of the popups.

You may have to tweak some things depending on your corporate policy/application requirements/etc. 

Remove all older versions of Java (at least 1.7 versions).  My testing with 1.6.x version has been a little strange but I realize application requirement may prevent this from happening. 

  • Verify C:\WINDOWS\sun\java\deployment directory is empty.  If not, have your install script delete this full directory.
  • You need to now create 2 text files, deployment.config and deployment.properties.  These files basically replace the command line switches in the java install.  Here are the contents of deployment.config

deployment.system.config=file\:C\:/WINDOWS/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

The top line basically tells the system where your deployment.properties file is located.  For simplicity I just stuck it in the default location but could also reside on the network.  The second line tells the system if this is mandatory.  I don’t know much more about this setting.  Just set it to “true”.

Here are the contents to put into deployment.properties

deployment.expiration.decision=NEVER
deployment.expiration.decision.suppression=TRUE
deployment.version=7.0
deployment.security.level=MEDIUM
deployment.security.mixcode=DISABLE
deployment.insecure.jres=ALWAYS
deployment.javaws.autodownload=NEVER

The key settings above are: 

deployment.expiration.decision=NEVER 

deployment.expiration.decision.suppression=TRUE

These settings suppresses the “Later” button so you are never prompted. 

deployment.security.level=MEDIUM

This is a big one also.  Still not 100% on this one yet.  The default in the Java install is “HIGH” so I hate to set this lower.  The MEDIUM setting seems to get rid of most of the popups.  The only setting I could find that completely suppresses all warning popup is “LOW” but I can’t imagine security departments allowing this.  May as well stick with the older versions of Java.

deployment.insecure.jres=ALWAYS

This setting suppresses the second popup that warns about running the Java application.  Set to ALWAYS

These 2 files need to be copied to the C:\WINDOWS\sun\java\deployment directory.  Have your script create the directory after you delete it. 

Update 3/8/2013 – NEW STEP

  • Create the folder C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\security before installing Java
  • Create 2 files – baseline.timestamp and baseline.versions

Contents of baseline.timestamp is just a period ( . )

Contents of baseline.versions shows up like this.  I believe this is telling Java what the current version is for each (1.8, 1.7, 1.6, etc).  I figured out that when you are prompted it creates this file and the registry shown below.  It defaults to 1.7.0_17.  I changed that setting to 1.7.0_13 to trick it into thinking its current.   Another option to get this file is to break it intentionally and go edit this file.  Crossing my fingers…. seems to work! 

baselline.versions

It also shows up in the registy like this.

registrychangesmall

 

To automate this, you’ll need to create a script to walk the directory tree and add this to each users profile.   You can also use group policy which may be a bit easier. 

 

**Make sure these 2 files are present before installing Java. **

  • Install Java 1.7 with only a /qb or /qn switch.  No need to add any other switches since your files are now in the correct place. 
  • TEST TEST TEST!  Again, this is a far from perfect solution and differences will apply between corporations.  I am not a Java expert by any means – so let’s discuss any other options or repercussions! 

Also, a tip on locking the Java settings after deployment from the comments of Rafal below

Just a comment about config and properties file
if you want to prevent users from changing Java control properties you will need to place .locked on property you are changing in the properties mark
therefore
deployment.security.level=MEDIUM
deployment.security.level.locked
will effectivelly lockout/greyout the setting for the user

Hope this helps!

 

**Update 4/24***

Well, I managed to blow up my environment when Update 21 was released.  My group policy workaround for the files was set to update, not replace.  So if the files were already there and Java overwrote them, group policy didn’t care and saw it as compliant.  TONS of calls.  Ugh Java.

Read thru all the comments below as there are some other ideas that may work.  I think I may have thrown the white flag up and may just do some extensive end user training.  Just don’t hit the “update” button!!!

This is obviously a HUGE issue.  The blog has seen 25K hits just on this page since written.  Hopefully we can still figure it out eventually

 

Possible workaround – from Morgan in comments.  Worth trying.  Update 5/17

I created the following until Oracle gets there act together. It’s an AutoIT script that looks for the update window and then selects the ideal combination for the user. You can deploy it in the startup folder for users and there is very little CPU impact. Feel free to use and modify as you like.

http://www.autoitscript.com/site/autoit/

 

CODE HERE—- javafix.txt

 

Posted in Application Packaging, MDT, Patch Management, SCCM 2007, SCCM 2012 | Tagged , , | 220 Comments

MDT 2010 Lite Touch Training Page 3

MDT 2010 Lite Touch Training Page 3

Part 17 – USMT 4.0 Troubleshooting

– Reviewing log files
– Configure USMT 4.0 Log files

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 18 – Using the MDT 2010 database


– Creating the MDT database
– Add computer entries
– Configuring roles in the database
– Setting location based settings
– Using Make and Model based settings

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 19 – Extending the MDT 2010 Database

– Create additional tables
– Create additional stored procedures
– Configure MDT to use stored procedures

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 20 – Extending MDT 2010 with user exits

– Create User Exit scripts
– Configure MDT 2010 to use user exits

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 21 – Extending MDT 2010 with web services

– Resources for web services in MDT 2010
– Configure MDT 2010 to use web services
– Tools for editing the MDT wizard

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 22 – Speeding up development time in MDT 2010

– Tips and tricks for speeding up development time
– Create a test environment

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 23 – Scaling MDT 2010 Lite Touch in a distributed environment

– Recommendations around Linked Deployment Shares
– Configuring bootstrap.ini to connect to local deployment server
– Replicating the deployment share

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 24 – Troubleshooting – Following a Windows 7 Setup

– The Windows 7 Setup Engine
– Logfiles and troubleshooting
– Debugging

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 25 – Using Windows System Image Manager (WSIM)

– Create unattend.xml files using WSIM
– Understanding configuration passes

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 26 – Component Based Servicing (CBS)

– Resources for understanding CBS
– Windows 7 Deployment resources

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 27 – Windows 7 and Device Drivers

– The Windows 7 Driver Store
– Using pnputil and DISM
– Using Group Policies to control device drivers
– How MDT integrates with the driver store
– Driver signing and ranking

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Posted in MDT, MDT 2010, Microsoft Deployment Toolkit | Leave a comment

MDT 2010 Lite Touch Training Page 2

MDT 2010 Lite Touch Training Page 2

 

Part 8 – ntegrating WDS with MDT 2010

– Adding boot images from MDT to WDS

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 9- Using Multicast for MDT 2010

– Configuring MDT for Multicast
– The WDS multicast namespace
– Deploying Windows 7 using multicast

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 10 – Troubleshooting MDT 2010 Lite Touch

– Debugging MDT
– Solving network connection issues
– Verifying storage controller drivers
– Log files

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 11 – Locating drivers for MDT

– Third party vendor resources and utilities
– Microsoft Catalog site for drivers
– Locating PNPIDs

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 12 – MDT 2010 Lite Touch Driver Management

– Boot image drivers
– Windows Operating system drivers
– Out-of-box drivers repoistory in MDT 2010 Lite Touch
– Using folders
– Using selection profiles to filter drivers
– Using DriverGroups to filter drivers based on computer make and model

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 13 – MDT 2010 Lite Touch Drivers Tips and Tricks

– Configuring WinPE Scratchspace
– Dealing with drivers that are applications and,or services

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 14 – USMT 4.0 in action

– USMT command lines

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 15 – MDT 2010 Lite Touch – Refresh and Replace scenarios

– Configuring Refresh and Replace in MDT 2010 Lite Touch
– Starting a Refresh Deployment
– Creating a Replace Task Sequence
– Starting a Replace Deployment

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Part 16 – Customizing USMT 4.0 migrations

– Customizing profile capture using command line switches
– Customizing data and settings using XML templates
– Create customized templates
– Configure rules in MDT 2010 Lite Touch for USMT 4.0

<=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=><=>

Posted in MDT, MDT 2010, Microsoft Deployment Toolkit | Leave a comment

MDT Lite Touch in VMWare Workstation for your test lab

So I came across a little but pretty tricky issue when trying to create a new MDT 2010 test lab in VMWare Workstation.

When trying to image up a bare metal VMware XP workstation I came across this error

When you create a new VM and use the XP VMWare profile it defaulted to and AMD PCNet NIC.

None of the MDT Lite Touch boot PE images have the AMD driver.  Took a little digging – but here it is.  AMD PCNet NIC

Import these drivers into your drivers into MDT, update your deployment share, and update the PXE boot image and you are set!

A quick and easy fix – hopefully this helps!  Its been awhile since I’ve had to use this exact setup!

 

Posted in MDT, MDT 2010, Microsoft Deployment Toolkit, VMWare | Leave a comment
« Older