Tips for Installing ConfigMgr Apps during OSD

Similar to a previous post on 10 Tips for a More Successful Windows Image Build & Capture, this post outlines tips to help you successfully deploy ConfigMgr 2012 R2 Applications during OS deployment for an image build/capture on a workgroup computer.

  1. First, review the top tips for OSD (10 Tips for a More Successful Windows Image Build & Capture)
  2. Second, if your DP is set up for HTTPS, skip to the last step in this sequence
  3. Enable anonymous authentication on the DP properties
  4. Install the latest CU for the ConfigMgr client with the PATCH property
  5. Ensure the Network Access Account (which is also used by workgroup computers to access resources) has been defined and has the appropriate access to the DP resources
  6. Install hotfix KB2522623 as a package – for Win7 SP1
  7. Install hotfix KB2775511 as a package – for Win7 SP1
  8. Enable the SWDist agent with the command:

WMIC /namespace:\\root\ccm\policy\machine\requestedconfig path ccm_SoftwareDistributionClientConfig CREATE ComponentName="Enable SWDist", Enabled="true", LockSettings="TRUE", PolicySource="local", PolicyVersion="1.0", SiteSettingsKey="1" /NOINTERACTIVE

  9. Command to enable PowerShell Scripts: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 1 /f

     Command to enable PowerShell ExecutionPolicy: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell /v ExecutionPolicy /d Unrestricted /f

  10. Application deployment types: set Content > Deployment options – Download content from DP and run locally
  11. Ensure the property “Allow this application to be installed from the Install Application Task Sequence action” has been enabled (hint: it’s on the General tab for the application’s properties)
  12. Then if all else fails, ditch applications for doing a build and capture…
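The reg add and WMIC commands above change machine-wide settings on the reference computer, and registry policy values that are still set when the image is captured are carried into it. The following PowerShell is an added example, not part of the original post: run as the last step before capture, it reports those settings, removes them, and fails the step if any remain. The function names are hypothetical; the registry key, value names and WMI class are the ones used in the commands above.

```powershell
# Added example, not from the original post. Function names are hypothetical.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$BuildValues = 'EnableScripts', 'ExecutionPolicy'          # set by the reg add commands
$CcmNs       = 'root\ccm\policy\machine\requestedconfig'   # used by the WMIC command

function Get-LocalSwDistPolicy {
    # Local policy instances such as the "Enable SWDist" one created with WMIC
    @(Get-WmiObject -Namespace $CcmNs -Class CCM_SoftwareDistributionClientConfig `
          -Filter "PolicySource='local'" -ErrorAction SilentlyContinue)
}

function Get-BuildRelaxation {
    # One object per build-time setting that is still present on this machine
    $found = @()
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $BuildValues) {
        if ($props -and $props.PSObject.Properties[$name]) {
            $found += New-Object PSObject -Property @{
                Kind = 'Registry'; Name = $name; Value = $props.$name }
        }
    }
    foreach ($inst in (Get-LocalSwDistPolicy)) {
        $found += New-Object PSObject -Property @{
            Kind = 'WMI'; Name = $inst.ComponentName; Value = "Enabled=$($inst.Enabled)" }
    }
    $found
}

function Remove-BuildRelaxation {
    foreach ($name in $BuildValues) {
        Remove-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
    }
    Get-LocalSwDistPolicy | Remove-WmiObject
}

# Report what the build left behind, remove it, then verify nothing remains
Get-BuildRelaxation | Format-Table Kind, Name, Value -AutoSize | Out-Host
Remove-BuildRelaxation
$left = @(Get-BuildRelaxation)
if ($left.Count -gt 0) {
    Write-Host ("Still present: " + (($left | ForEach-Object { $_.Name }) -join ', '))
    exit 1      # non-zero exit fails the task sequence step
}
exit 0
```

Because the script removes the settings that allow scripts to run, start it with an explicit execution policy on the powershell.exe command line and keep it as the final scripted step.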

10 Tips for a More Successful Windows Image Build & Capture

In a recent build and capture (b&c) task sequence for ConfigMgr 2012 R2 that I was helping a customer with, I decided it was worthwhile to list the top things that can be overlooked.  If these are done prior to beginning the process, then it can help to shorten any troubleshooting time involved.  Also, be sure to see my tips for installing apps during OSD.

  1. Create an IP address range for content boundaries.  When doing a b&c, it is a best practice to not join the system to the domain.  So if AD Sites are used for the boundaries, then content cannot be found.  To work around this, add an IP address range boundary for the subnet of the virtual system.
  2. In task sequence step “Setup Windows and Configuration Manager”, include entry “SMSMP=SiteMPServerFQDN”.  Example FQDN: CM1.contoso.com.
  3. Include installation of the latest cumulative update that is installed on the primary site.  The easiest trick for ensuring the latest CU is installed during OSD is to do:
    1. Copy the hotfix install package from “C:\Program Files\Microsoft Configuration Manager\hotfix\KBxxxxxx\Client\” into “C:\Program Files\Microsoft Configuration Manager\Client\hotfix\KBxxxxxx\”.
    2. In the task sequence step “Setup Windows and Configuration Manager”, include the line PATCH="%_SMSTSMDataPath%\OSD\PkgID\hotfix\KBxxxxxx\x64\patchKBinstallname.msp".  Note that the path x64/i386 will need to be updated based upon the target OS.
  4. ConfigMgr boot media (.iso, USB, etc.) has been configured to allow unknown computers.
  5. Use the offline servicing functionality to pre-inject / install any Windows and .NET Framework 3.5.x security updates. Doing this to the original Windows image that was imported into the primary site will reduce the deployment time for the b&c.  Note that if you are deploying Win7 Hotfix Rollup 1 (KB2775511), it can be helpful to add it into the list for Software Updates (see http://blogs.technet.com/b/brandonlinton/archive/2013/03/13/how-to-deploy-phantom-updates-with-system-center-configuration-manager.aspx).
  6. Prepare for Software Updates (e.g. MS security updates)
    1. Use multiple Install Software Updates steps.  I like to use one immediately after installing core MS software (newer versions of .NET, MSXML, PowerShell, etc.) and then use two more at the very end of the task sequence.
    2. Optional: Create a script which associates Microsoft Office with the Windows update agent so that those patches can be installed.
  7. Implement fixes and workarounds for installing packages and applications.
    1. KB2716946 fix/workaround to enable the software distribution agent during execution of the task sequence.
    2. KB2522623 fix for Windows 7 to allow applications to be installed
  8. Set additional task sequence variables to prevent “Error 80070002”.  This is outlined in a TechNet support tip blog post, but impacts more than just MDT.
    1. SMSTSDownloadRetryCount = 5
    2. SMSTSDownloadRetryDelay = 15
  9. Configure the Windows image to be able to “run from the server”.  In this way, the image does not need to download to the disk then finally extract … thereby causing a longer delay and more fragmentation.  To do this:
    1. On the properties of the image, go to the Data Access tab and select the option to “copy the content in this package to a package share on distribution points”.
    2. In the task sequence’s step for Apply Operating System, go to the Options tab and select “Access content directly from the distribution point”.
  10. Configure the distribution point to allow anonymous connections.

In general the above items should help you to be more successful when doing an OSD image b&c.  So that it’s not left unsaid, the below items could also prove useful.

  • Set up the Network Access Account for the ConfigMgr primary site.  For security, ensure that the account is a low rights domain user with a complex password and not an account with extended access rights to any systems on the network.
  • Deploy the task sequence to All Unknown Computers.  In this way a record of the ConfigMgr client will not need to be created first and added into a special collection.

Workaround for OSD Stand-alone Media with Client Hotfix Installs

When using stand-alone media to image a computer, you may potentially run into a failure with the Task Sequence with SMSTS.log message “Client installation failed, code 1 – The client GUID must be set in an environment variable”.  Checking further into the client.msi.log file, you could see the source problem similar to “Unable to create a temp copy of patch ‘C:\_SMSTASKSEQUENCE\PACKAGES\SMS00002\HOTFIXES\KB2854009\X64\CONFIGMGR2012AC-SP1-KB2854009-X64.MSP’.”

This issue can be caused if you’re installing ConfigMgr 2012 hotfixes (or cumulative updates) as part of the client installation during OSD, which stand-alone media may not be handling properly.


One workaround for this scenario is to create additional tasks which will only install the hotfixes when not running from media as follows:

  1. On step “Setup Windows and Configuration Manager”, add a condition on the Options where TS Variable “_SMSTSMediaType not equals FullMedia”
  2. Copy that step and rename as “Setup Windows and ConfigMgr – Standalone Media”, remove the Installation Properties for the hotfix install, then change TS Variable check as “_SMSTSMediaType equals FullMedia”

OSD Options Chooser v3

The following custom HTA can be used during OSD when imaging computers with ConfigMgr.  It has been updated from my previous version and will do the following:

Remember to enable HTA support in your boot images – https://t3chn1ck.wordpress.com/2010/01/28/hta-support-in-sccm-boot-images/


<!--
Created by Nick Moseley https://t3chn1ck.wordpress.com
For this script to function, HTA support must have been added into the boot image
See http://technet.microsoft.com/en-us/library/dd799244.aspx for more information

This HTA/VBscript is used to present a GUI during imaging of a corporate PC. It prompts for:
	1) PC name (automatically populated if the PC already exists in SCCM)
	2) Time zone (currently just PST, AZT, and MST)
	3) If the PC will be used as a VM parent image or as a physical PC
	4) One-off software
	5) Additional browsers
	6) Department selection
	7) Management selection
-->
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>OSD Computer Details</title>

<script language="VBScript">
window.resizeTo 550,255
window.moveTo 3,3

' Hide the task sequence window
'On Error Resume Next

Dim oTaskSequence, oTSProgressUI
Set oTaskSequence = CreateObject ("Microsoft.SMS.TSEnvironment")
Set oTSProgressUI = CreateObject("Microsoft.SMS.TsProgressUI")
oTSProgressUI.CloseProgressDialog

Sub PreloadOptions
	Dim sTSMachineName, bPromptName
	sTSMachineName = ucase(oTaskSequence("_SMSTSMachineName"))

	' Temporary WinPE names (MININT-xxxx, MINWINPC) mean the PC is not known yet, so prompt for a name
	If left(sTSMachineName,6) = "MININT" Then
		bPromptName = True
	ElseIf sTSMachineName = "MINWINPC" Then
		bPromptName = True
	Else
		bPromptName = False
	End If

	If bPromptName Then
		ComputerName.value = ""
	Else
		' Known PC: pre-populate the existing name
		ComputerName.value = sTSMachineName
	End If
End Sub

Sub FinishClickTasks
	' Get/set computer name
	Dim sComputerName, oSelection
	sComputerName = UCase(ComputerName.Value)

	' Check that a PC name was entered
	Do
		If sComputerName = "" Then
			MsgBox "Error: Computer name cannot be left empty!", vbCritical, "Error"
			sComputerName = UCase(InputBox ("Please enter a computer name to continue", "", , 30,30))
		End If
	Loop Until sComputerName <> ""

	oTaskSequence ("OSDComputerName") = sComputerName

	' Get/set department configuration
	For Each oSelection in DepartmentChooser.Options
		If oSelection.Selected Then
			oTaskSequence ("OSDDepartment") = lcase(oSelection.InnerText)
		End If
	Next

	' Get/set managerial position
	For Each oSelection in ManagerRole.Options
		If oSelection.Selected Then
			oTaskSequence ("ManagerRole") = lcase(oSelection.InnerText)
		End If
	Next

	' OSConfig selection
	For Each oSelection in OSConfig
		If oSelection.Checked Then
			oTaskSequence ("OSDOSConfig") = lcase(oSelection.value)
		End If
	Next

	' Get/set Other Apps
	If SevenZip.checked Then oTaskSequence ("OSD7zip") = "true"
	If Firefox.checked Then oTaskSequence ("OSDFirefox") = "true"
	If NotepadPlusPlus.checked Then oTaskSequence ("OSDNotepadPlusPlus") = "true"
	If GoogleChrome.checked Then oTaskSequence ("OSDGoogleChrome") = "true"
	If PaintNet.checked Then oTaskSequence ("OSDPaintNet") = "true"
	If Safari.checked Then oTaskSequence ("OSDAppleSafari") = "true"

	' Get/set Time Zone configuration
	For Each oSelection in TZChooser.Options
		If oSelection.Selected Then
			oTaskSequence ("OSDTimeZone") = oSelection.id
		End If
	Next

	' Terminate the HTA
	window.close
End Sub


</script>

<!---------------- HTML goes here ---------------->
<body STYLE="font:12 pt arial; color:white; background-color:#006699" onload="PreloadOptions">
<table cellpadding="3" border=1>
	<tr valign=top>
		<td>
			<b>Computer Name</b><br>
			<input type=text id="ComputerName" name=ComputerName size=22><br>
			<b>Time Zone</b><br>
			<select size="1" name="TZChooser">
				<option value="00" id="Mountain Standard Time">MST (US Mountain)</option>
				<option value="01" id="Pacific Standard Time">PST (US West Coast)</option>
				<option value="02" id="US Mountain Standard Time">AZT (US Arizona)</option>
				<!--<option value="03" id="Central Standard Time">CST (US Central)</option>-->
				<!--<option value="04" id="Eastern Standard Time">EST (US East Coast)</option>-->
			</select><br>
			<b><u>OS Configuration</u></b><br>
			<input type="radio" value="standalone" name="OSConfig" checked="True"> Standalone PC/VM<br>
			<input type="radio" value="vmparent" name="OSConfig"> VM Parent
		</td>
		<td>
			<b><u>Software Options</u></b><br>
			<input type="checkbox" name="SevenZip"> 7-zip Utility<br>
			<input type="checkbox" name="NotepadPlusPlus"> Notepad++<br>
			<input type="checkbox" name="PaintNet"> Paint.Net<br>
			<b><u>Internet Browsers</u></b><br>
			<input type="checkbox" name="Safari"> Apple Safari<br>
			<input type="checkbox" name="Firefox"> Firefox Browser<br>
			<input type="checkbox" name="GoogleChrome"> Google Chrome<br>
		</td>
		<td>
			<b><u>Department Selection</u></b><br>
			<select size="1" name="DepartmentChooser">
				<option value="00"> Standard PC</option>
				<option value="01"> Accounting</option>
				<option value="02"> Human Resources</option>
				<option value="03"> Information Technology</option>
			</select><br>
			<b><u>Management Role</u></b><br>
			<select size="1" name="ManagerRole">
				<option value="00"> n/a</option>
				<option value="01"> Supervisor</option>
				<option value="02"> Manager</option>
				<option value="03"> Director</option>
				<option value="04"> VP</option>
			</select><br>
			<button accesskey=N type=submit id=buttonFinish onclick=FinishClickTasks>Finish</button>
		</td>
	</tr>
</table>
</body>
<!------------------ End HTML -------------------->


BitLocker & BIOS Boot Order

One of the “gotchas” of BitLocker security is that if the hard drive is not first in the boot order within BIOS, BitLocker security can become enacted, requiring manual entry of the 48-character key upon the next system restart.  This can be a frustration for users who have this happen to them, especially while travelling and unable to reach the help desk.  So, during an OS deployment, make efforts to change the boot order in BIOS.

To do this with HP

  • Obtain the BIOSConfigUtility in the Systems Software Manager
  • Create a text file named “BootOrder.REPSET”.  The text file contains the below content.  Note that I found it is necessary to define two devices to modify the boot order.
Boot Order
     Hard Drive(C:)
     Notebook Upgrade Bay
  • Run command
BiosConfigUtility.EXE /SetConfig:BootOrder.REPSET

To do this with Dell

cctk.exe bootorder --sequence=hdd

If you find yourself in a position that you did not do this during the initial deployment of the OS, never fear, SCCM is here!  Using task sequences, you can automate the process to set the hard drive to be first in the boot order and re-seal the TPM by performing the following steps:

  1. Suspend BitLocker protection
  2. Reconfigure the boot order (for HP or Dell)
  3. Restart Windows
  4. Resume BitLocker protection
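One way to script steps 1, 2 and 4 so that the drive is never left with protection suspended, as an added example that is not part of the original post: the same script runs before the restart with -Phase Prepare and after it with -Phase Reseal. It assumes the vendor tool and BootOrder.REPSET sit in the package's working directory and that each tool returns 0 on success; the function and parameter names are hypothetical.

```powershell
# Added example (not from the original post). Task sequence usage:
#   step: -Phase Prepare   ->   Restart Computer step   ->   step: -Phase Reseal
param(
    [Parameter(Mandatory = $true)][ValidateSet('Prepare', 'Reseal')][string]$Phase,
    [string]$Drive = 'C:'
)

function Get-ProtectionStatus {
    # Win32_EncryptableVolume.GetProtectionStatus: 0 = off or suspended, 1 = on, 2 = unknown
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
               -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if (-not $vol) { throw "No BitLocker volume found for $Drive" }
    [int]$vol.GetProtectionStatus().ProtectionStatus
}

function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    & $Exe @ToolArgs | Out-Host
    # Assumption: every tool used here returns 0 on success
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

function Set-HddFirst {
    # Same vendor commands as shown above, chosen by the reported manufacturer
    $vendor = (Get-WmiObject -Class Win32_ComputerSystem).Manufacturer
    if ($vendor -match 'Dell') {
        Invoke-Tool '.\cctk.exe' @('bootorder', '--sequence=hdd')
    } elseif ($vendor -match '^(HP|Hewlett-Packard)') {
        Invoke-Tool '.\BiosConfigUtility.EXE' @('/SetConfig:BootOrder.REPSET')
    } else { throw "No boot-order tool defined for manufacturer '$vendor'" }
}

try {
    if ($Phase -eq 'Prepare') {
        $wasOn = (Get-ProtectionStatus) -eq 1
        if ($wasOn) { Invoke-Tool 'manage-bde.exe' @('-protectors', '-disable', $Drive) }
        try { Set-HddFirst }
        catch {
            # Boot order unchanged: turn protection back on instead of leaving it suspended
            if ($wasOn) { Invoke-Tool 'manage-bde.exe' @('-protectors', '-enable', $Drive) }
            throw
        }
    } else {
        Invoke-Tool 'manage-bde.exe' @('-protectors', '-enable', $Drive)
        if ((Get-ProtectionStatus) -ne 1) { throw "BitLocker protection is still off for $Drive" }
    }
    exit 0
} catch {
    Write-Host "ERROR: $_"
    exit 1      # non-zero exit fails the task sequence step
}
```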

VBScript to Run SCCM Software Updates Scan

A challenge with installing software updates during a task sequence is that not all updates may be applied on the first pass.   The workaround is to run software updates, run a VB Script or PowerShell script to force another scan, then run a software updates task again.  Others have posted their scripts on this before, so it’s nothing new.  However, I failed trying to quickly locate those scripts.  So I’m just posting my own of what I use….

' AUTHOR: Nick Moseley , https://t3chn1ck.wordpress.com
' DATE  : 7/30/2010

' COMMENT: Initiates an SCCM client scan
' Script from http://msdn.microsoft.com/en-us/library/cc144313.aspx
' Updated 7/15/11 to include a sleep before exiting script
' Set the required variables. 
actionNameToRun = "Updates Source Scan Cycle"
' Create a CPAppletMgr instance.
Dim oCPAppletMgr
Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr")
' Get the available ClientActions object.
Dim oClientActions
Set oClientActions = oCPAppletMgr.GetClientActions()
' Loop through the available client actions. Run the matching client action when it is found.
Dim oClientAction
For Each oClientAction In oClientActions
 If oClientAction.Name = actionNameToRun Then
  oClientAction.PerformAction
 End If
Next
' Wait for 3 minutes for scan completion before exiting script
WScript.Sleep 180000

How to Add a Language Pack to Win7 OSD Without MDT

For those who need to add language packs to a Win7 image build/deployment, but only have SCCM infrastructure (without MDT integration), a TechNet forum posting gives the answer (which I’ve posted below).

  1. Create a package and copy each lp.cab file into the root (Just rename each cab so they can all exist in the same folder e.g. de-de.cab for German etc…)
  2. In your task sequence, after the Setup windows and ConfigMgr step and before you apply any updates (important) add a Run command line step with the following properties:
    1. Package: The package from step 1
    2. Disable 64-bit file system redirection: Enabled
    3. Command Line: cmd.exe /c dism.exe /online /add-package /PackagePath:"%CD%"

This will add all language packs that exist in the package directory to the installed OS. If you need to add more languages later, just drop a CAB file in the package and update it; the command line stays the same. This also has the added benefit of only downloading the package once to install all the required languages. If you specify multiple tasks to do this in the task sequence, it has to download each one separately, which can add some additional overhead to the time to install.