Similar to a previous post on 10 Tips for a More Successful Windows Image Build & Capture, this post outlines tips to help you successfully deploy ConfigMgr 2012 R2 Applications during OS deployment for an image build/capture on a workgroup computer.
- First, review the top tips for OSD (10 Tips for a More Successful Windows Image Build & Capture)
- Second, if your DP is setup for HTTPS, skip to the last step in this sequence
- Enable anonymous authentication on the DP properties
- Install the latest CU for the ConfigMgr client with the PATCH property
- Ensure the Network Access Account (which is also used by workgroup computers to access resources) has been defined and has the appropriate access to the DP resources
- Install hotfix KB2522623 as a package – for Win7 SP1
- Install hotfix KB2775511 as a package – for Win7 SP1
- Command to enable SWDist Agent via command
WMIC /namespace:\\root\ccm\policy\machine\requestedconfig path ccm_SoftwareDistributionClientConfig CREATE ComponentName=”Enable SWDist”, Enabled=”true”, LockSettings=”TRUE”, PolicySource=”local”, PolicyVersion=”1.0″, SiteSettingsKey=”1″ /NOINTERACTIVE
- Command to enable PowerShell Scripts: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 1 /f
Command to enable PowerShell ExecutionPolicy: reg add reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell /v ExecutionPolicy /d Unrestricted /f
- Application deployment types: set Content > Deployment options – Download content from DP and run locally
- Ensure the property “Allow this application to be installed from the Install Application Task Sequence action” has been enabled (hint: it’s on the General tab for the application’s properties)
- Then if all else fails, ditch applications for doing a build and capture…
In a recent build and capture (b&c) task sequence for ConfigMgr 2012 R2 that I was helping a customer with, I decided it was worthwhile to list the top things that can be overlooked. If these are done prior to beginning the process, then it can help to shorten and troubleshooting time involved. Also, be sure to see my tips for installing apps during OSD.
- Create an IP address range for content boundaries. When doing a b&c, it is a best practice to not join the system to the domain. So if AD Sites are used for the boundaries, then content cannot be found. To workaround this, add a IP address range boundary for the subnet of the virtual system.
- In task sequence step “Setup Windows and Configuration Manager”, include entry “SMSMP=SiteMPServerFQDN”. Example FQDN: CM1.contoso.com.
- Include installation of the latest cumulative update that is installed on the primary site. The easiest trick for ensuring the latest CU is installed during OSD is to do:
- Copy the hotfix install package from “C:\Program Files\Microsoft Configuration Manager\hotfix\KBxxxxxx\Client\” into “C:\Program Files\Microsoft Configuration Manager\Client\hotfix\KBxxxxxx\”.
- In the task sequence step “Setup Windows and Configuration Manager”, include the line “PATCH=’%_SMSTSMDataPath%\OSD\PkgID\hotfix\KBxxxxxx\x64\patchKBinstallname.msp’. Note that the path x64/i386 will need to be updated based upon the target OS.
- ConfigMgr boot media (.iso, USB, etc.) has been configured to allow unknown computers.
- Use the offline servicing functionality to pre-inject / install any Windows and .NET Framework 3.5.x security updates. Doing this to the original Windows image that was imported into the primary site will reduce the deployment time for the b&c. Note that if you are deploying Win7 Hotfix Rollup 1 (KB2775511), it can be helpful to add it into the list for Software Updates (see http://blogs.technet.com/b/brandonlinton/archive/2013/03/13/how-to-deploy-phantom-updates-with-system-center-configuration-manager.aspx).
- Prepare for Software Updates (e.g. MS security updates)
- Use multiple Install Software Updates steps. I like to use one immediately after installing core MS software (newer versions of .NET, MSXML, PowerShell, etc.) and then use two more at the very end of the task sequence.
- Optional: Create a script to which associates Microsoft Office with the Windows update agent so that those patches can be installed.
- Implement fixes and workarounds for installing packages and applications.
- Set additional task sequence variables to prevent “Error 80070002”. This is outlined in a TechNet support tip blog post, but impacts more than just MDT.
- SMSTSDownloadRetryCount = 5
- SMSTSDownloadRetryDelay = 15
- Configure the Windows image to be able to “run from the server”. In this way, the image does not need to download to the disk then finally extract … thereby causing a longer delay and more fragmentation. To do this:
- On the properties of the image, go to the Data Access tab and select the option to “copy the content in this package to a package share on distribution points”.
- In the task sequence’s step for Apply Operating System, go to the Options tab and select “Access content directly from the distribution point”.
- Configure the distribution point to allow anonymous connections.
In general the above items should help you to be more successful when doing an OSD image b&c. So that it’s not left unsaid, the below items could also prove useful.
- Setup the Network Access Account for the ConfigMgr primary site. For security, ensure that the account is a low rights domain user with a complex password and not an account with extended access rights to any systems on the network.
- Deploy the task sequence to All Unknown Computers. In this way an record of the ConfigMgr client will not need to be created first and added into a special collection.
When using stand-alone media to image a computer, you may potentially run into a failure with the Task Sequence with SMSTS.log message “Client installation failed, code 1 – The client GUID must be set in an environment variable”. Checking further into the client.msi.log file, you could see the source problem similar to “Unable to create a temp copy of patch ‘C:\_SMSTASKSEQUENCE\PACKAGES\SMS00002\HOTFIXES\KB2854009\X64\CONFIGMGR2012AC-SP1-KB2854009-X64.MSP’.”
This issue can be caused if you’re installing ConfigMgr 2012 hotfixes (or cumulative updates) as part of the client installation during OSD, which stand-alone media may not be handling properly.
One workaround for this scenario is to create additional tasks which will only install the hotfixes when not running from media as follows:
- On step “Setup Windows and Configuration Manager”, add a condition on the Options where TS Variable “_SMSTSMediaType not equals FullMedia”
- Copy that step and rename as “Setup Windows and ConfigMgr – Standalone Media”, remove the Installation Properties for the hotfix install, then change TS Variable check as “_SMSTSMediaType equals FullMedia”
The following custom HTA can be used during OSD when imaging computers with ConfigMgr. It has been updated from my previous version and will do the following:
- Utilizes a table with 3 columns to go across
- Has examples for text entry, drop-down selections, radial buttons, and checkboxes
- Removed the traditional X close button to prevent incidental closure via mouse (to close app, use Alt-F4)
- Contains the two lines of VBScript code to automatically hide the ConfigMgr Task Sequence progress bar interface
Remember to enable HTA support in your boot images – https://t3chn1ck.wordpress.com/2010/01/28/hta-support-in-sccm-boot-images/
<!-- Created by Nick Moseley https://t3chn1ck.wordpress.com For this script to function, HTA support must have been added into the boot image See for more information - http://technet.microsoft.com/en-us/library/dd799244.aspx This HTA/VBscript is used to present a GUI during imaging of a corporate PC. It prompts for: 1) PC name (automatically populated if the PC already exists in SCCM) 2) Time zone (currently just PST, AZT, and MST) 3) If the PC will be used as a VM parent image or as a physical PC 4) One-off software 5) Additional browsers 6) Department selection 7) Management selection --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>OSD Computer Details</title> <HTA:APPLICATION ID="objNoTitleBar" APPLICATIONNAME="OSD Computer Details" SCROLL="auto" SINGLEINSTANCE="yes" CAPTION="no"> <script language="VBScript"> window.resizeTo 550,255 window.moveTo 3,3 ' Hide the task sequence window 'On Error Resume Next Dim oTaskSequence, oTSProgressUI Set oTaskSequence = CreateObject ("Microsoft.SMS.TSEnvironment") Set oTSProgressUI = CreateObject("Microsoft.SMS.TsProgressUI") oTSProgressUI.CloseProgressDialog Sub PreloadOptions Dim sTSMachineName, bPromptName sTSMachineName = ucase(oTaskSequence("_SMSTSMachineName")) If left(sTSMachineName,6) = "MININT" Then bPromptName = True ElseIf sTSMachineName = "MINWINPC" Then bPromptName = True Else bPromptName = False End If If bPromptName Then ComputerName.value = "" Else ComputerName.value = sTSMachineName End If End Sub Sub FinishClickTasks '==================================== ' Get/set computer name '==================================== Dim sComputerName sComputerName = UCase(ComputerName.Value) ' Check that a PC name was entered Do If sComputerName = "" Then MsgBox "Error: Computer name cannot be left empty!", vbCritical, "Error" sComputerName = InputBox ("Please enter a computer name to continue", "", , 30,30) End If Loop Until sComputerName <> "" oTaskSequence ("OSDComputerName") = sComputerName '==================================== ' Get/set department configuration '==================================== For Each oSelection in DepartmentChooser.Options If oSelection.Selected Then oTaskSequence ("OSDDepartment") = lcase(oSelection.InnerText) End If Next '==================================== ' Get/set managerial position '==================================== For Each oSelection in ManagerRole.Options If oSelection.Selected Then oTaskSequence ("ManagerRole") = lcase(oSelection.InnerText) End If Next '==================================== ' OSConfig selection '==================================== For Each oSelection in OSConfig If oSelection.Checked Then oTaskSequence ("OSDOSConfig") = lcase(oSelection.value) End If Next '==================================== ' Get/set Other Apps '==================================== If SevenZip.checked Then oTaskSequence ("OSD7zip") = "true" End If If Firefox.checked Then oTaskSequence ("OSDFirefox") = "true" End If If NotepadPlusPlus.checked Then oTaskSequence ("OSDNotepadPlusPlus") = "true" End If If GoogleChrome.checked Then oTaskSequence ("OSDGoogleChrome") = "true" End If If PaintNet.checked Then oTaskSequence ("OSDPaintNet") = "true" End If If Safari.checked Then oTaskSequence ("OSDAppleSafari") = "true" End If '==================================== ' Get/set Time Zone configuration '==================================== For Each oSelection in TZChooser.Options If oSelection.Selected Then oTaskSequence ("OSDTimeZone") = oSelection.id End If Next '==================================== ' Terminate the HTA '==================================== window.close End Sub </script> </head> <!------------------------------------------------> <!---------------- HTML goes here ----------------> <!------------------------------------------------> <body STYLE="font:12 pt arial; color:white; background-color:#006699" onload="PreloadOptions"> <table cellpadding="3" border=1> <tr valign=top> <td> <p> <b>Computer Name</b><br> <input type=text id="ComputerName" name=ComputerName size=22> <p> <b>Time Zone</b><br> <select size="1" name="TZChooser"> <option value="00" id="Mountain Standard Time">MST (US Mountain)<BR> <option value="01" id="Pacific Standard Time">PST (US West Coast)<BR> <option value="02" id="US Mountain Standard Time">AZT (US Arizona)<br> <!--<option value="03" id="Central Standard Time">CST (US Central)<BR>--> <!--<option value="04" id="Eastern Standard Time">EST (US East Coast)<BR>--> </select> <p> <b><u>OS Configuration</b></u><br> <input type="radio" value="standalone" name="OSConfig" checked="True"> Standalone PC/VM<br> <input type="radio" value="vmparent" name="OSConfig"> VM Parent </td> <td> <b><u>Software Options</b></u><br> <input type="checkbox" name="SevenZip"> 7-zip Utility<br> <input type="checkbox" name="NotepadPlusPlus"> Notepad++<br> <input type="checkbox" name="PaintNet"> Paint.Net<br> <p> <b><u>Internet Browsers</b></u><br> <input type="checkbox" name="Safari"> Apple Safari<br> <input type="checkbox" name="Firefox"> Firefox Browser<br> <input type="checkbox" name="GoogleChrome"> Google Chrome<br> </td> <td> <p> <b><u>Department Selection</b></u><br> <select size="1" name="DepartmentChooser"> <option value="00"> Standard PC</option> <option value="01"> Accounting</option> <option value="02"> Human Resources</option> <option value="03"> Information Technology</option> </select> <p> <b><u>Management Role</b></u><br> <select size="1" name="ManagerRole"> <option value="00"> n/a</option> <option value="01"> Supervisor</option> <option value="02"> Manager</option> <option value="03"> Director</option> <option value="03"> VP</option> </select> <p> <button accesskey=N type=submit id=buttonFinish onclick=FinishClickTasks>Finish</button> </td> </tr> </table> <!------------------------------------------------> <!------------------ End HTML --------------------> <!------------------------------------------------> </body> </html>
One of the “gotchas” of BitLocker security is that by not having the hard drive first in the boot order within BIOS, can cause BitLocker security to become enacted and thus needing manual entry of the 48-character key upon the next system restart. This can be a frustration for users who have this happen to them, especially while travelling and unable to reach the help desk. So, during an OS deployment, make efforts to change the boot order in BIOS.
To do this with HP
- Obtain the BIOSConfigUtility in the Systems Software Manager
- Create a text file named “BootOrder.REPSET”. The text file contains the below content. Note that I found it is necessary to define two devices to modify the boot order.
English Boot Order Hard Drive(C:) Notebook Upgrade Bay
- Run command
To do this with Dell
- Obtain the Client Configuration Toolkit
- Run command
cctk.exe bootorder --sequence=hdd
If you find yourself in a position that you did not do this during the initial deployment of the OS, never fear, SCCM is here! Using task sequences, you can automate the process as to set the hard drive to be first in the boot order and re-seal the TPM by performing the following steps:
A challenge with installing software updates during a task sequence is that it may occur where not all updates are applied on the first pass. The workaround is run software updates, run a VB Script or PowerShell script to force another scan, then run a software updates task again. Others have posted their scripts on this before, so it’s nothing new. However, I failed trying to quickly locate those scripts. So I’m just posting my own of what I use….
'========================================================================== ' AUTHOR: Nick Moseley , https://t3chn1ck.wordpress.com ' DATE : 7/30/2010 ' COMMENT: Initiates an SCCM client scan ' Script from http://msdn.microsoft.com/en-us/library/cc144313.aspx ' Updated 7/15/11 to include a sleep before exiting script '========================================================================== ' Set the required variables. actionNameToRun = "Updates Source Scan Cycle" ' Create a CPAppletMgr instance. Dim oCPAppletMgr Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr") ' Get the available ClientActions object. Dim oClientActions Set oClientActions = oCPAppletMgr.GetClientActions() ' Loop through the available client actions. Run the matching client action when it is found. Dim oClientAction For Each oClientAction In oClientActions If oClientAction.Name = actionNameToRun Then oClientAction.PerformAction End If Next ' Wait for 3 minutes for scan completion before exiting script wscript.sleep(180000)
For those whom need to add language packs to a Win7 image build/deployment, but only have SCCM infrastructure (without MDT integration), a TechNet forum posting gives the answer (which I’ve posted below).
- Create a package and copy each lp.cab file into the root (Just rename each cab so they can all exist in the same folder e.g. de-de.cab for German etc…)
- In your task sequence, after the Setup windows and ConfigMgr step and before you apply any updates (important) add a Run command line step with the following properties:
- Package: The package from step 1
- Disable 64-bit file system redirection: Enabled
- Command Line: cmd.exe /c dism.exe /online /add-package /PackagePath:”%CD%”
This will add all language packs that exist in the package directory to the installed OS. If you need to add more languages later, just drop a CAB file in the package and update it the command line stays the same. This also has the added benefit of only downloading the package once to install all the required languages. If you specify multiple tasks to do this in the task sequence it has to download each one separately which can add some additional overhead to the time to install.
We purchase and use Dell all-in-ones (Vostro line) as the primary desktop in our organization. The difficulty is that, as consumer hardware, the model can be modified or discontinued at any time without prior notice. Needless to say it creates headaches from time-to-time. Recently the Vostro 360 hardware was changed, resulting in the need for new drivers. Within my SCCM task sequences, I have the install of drivers (within the full OS) limited based upon the name of the model. The challenge with the Vostro 360 is that they maintained the same exact model name, but had different hardware configurations. What I found was a main difference between the two types was the Bluetooth hardware ID. So in addition to querying the model, I added a new query for the Bluetooth hardware.
The point of this post isn’t so much about the Vostro, but more about how I used Win32_PnPEntity to differentiate the two models so that the old config would get one set of drivers and the new config would get the other set of drivers. In the driver install package step for the task sequence, simply click on the Options tab and add a WMI Query action with the following code:
Select * from Win32_PnPEntity where DeviceID like 'USB\\VID_0CF3&PID_3002%'
Ran into an interesting situation with an image build. I created a custom Office 2010 SP1 install using the OCT. During execution of my image build task sequence, Software Updates was not detecting any of the updates for Office. Further diagnosis revealed that the OCT-built install did not put its “hooks” into the Windows Update Agent, therefore neither the SUP or Microsoft Updates could detect for Office updates. (Side note: once the image was sysprepped, captured, and added into a deployment task sequence, the updates were suddenly available and installed.)
While the cause as to why an OCT-built Office 2010 SP1 install prohibits installation of updates has not been found yet, there is a workaround to run a script that forces Microsoft Update (e.g. WUA) to receive updates for “other products”. By executing the following VBScript after installing Office, SCCM Software Updates will then be able to install the updates during the image build task sequence. The original code is from a TechNet blog post, I just added some extra logging for troubleshooting. Also, if your TS advertisement is configured to “run from server”, then the script will cause the TS to fail. To get past this, simply copy the script locally first then execute it from that location.
Const ForAppending = 8 Set oFSO = CreateObject ("Scripting.FileSystemObject") Set oLogFile = oFSO.OpenTextFile ("C:\ConfigOfficeUpdates.txt", ForAppending, True) oLogFile.WriteLine "Starting execution of VBScript to configure Office to use Microsoft Updates" Set ServiceManager = CreateObject("Microsoft.Update.ServiceManager") ServiceManager.ClientApplicationID = "My App" ' add the Microsoft Update Service by GUID Set NewUpdateService = ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d",7,"") oLogFile.WriteLine "Script completed successfully" wscript.Quit(oLogFile.Close)
I’ve often heard the phrase “MDT solves problems to issues you didn’t even know you had.” And it’s certainly true in this case!!
I was looking for a process or procedure that would allow me to present my current custom OSD front end HTA to an active end-user who is logged into Windows. Unfortunately, standard SCCM task sequences don’t allow this to happen. To workaround this, my first consideration was to run the HTA as a prerequisite of the task sequence, but therein lay another issue with SCCM task sequences – since the HTA was run as a prerequisite Program, it was not technically within the Task Sequence environment and therefore I could not set task sequence variables, etc.
Fortunately the good folks on the MyITForum discussion list were able to steer me in the right direction. MDT 2010 Update 1 contains a standalone executable (ServiceUI.exe) that allows execution of anything (not just an HTA) within a task sequence and enables the end-user to interact with it. To utilize ServiceUI without integrating MDT with SCCM, perform the following:
- Install MDT 2010 Update 1 on your local computer
- Find ServiceUI.exe (for the appropriate target architecture) and put it into the same directory as your HTA front end script(s)
- Create a script that will
a) Make a copy of the HTA on the local executing computer (only if your advertisement is set to “run from server”)
b) Run command: ServiceUI.exe -session:1 %WINDIR%\system32\mshta.exe C:\CustomSystemOptions.hta
- Note 1: it’s important to know that the options “-session:1” will only work if the user logged into Windows has local admin rights. My suggestion is to restart Windows and login as the local Administrator account.
- Note 2: Thanks to Ryan for feedback that when running on a 64-bit system, use %WINDIR%\SYSWOW64\mshta.exe
The exception to this note is if you’re using SCCM 2012 … then it must use mshta.exe from System32.
- Update your task sequence to include a “Run Command Line” as the very first item in the task sequence
a) Name it something like “Service UI – Custom System Options”
b) Set the command line as “TheNameOfYourScript.vbs”
c) Use the package which contains your scripts
d) CRITICAL: Do not set option “Time-out (minutes)” as this will cause ServiceUI to error!
e) On the Options tab, add a condition to check that TS variable “_SMSTSInWinPE” = false
In short, this should be all that you need to get going to display the HTA to end-user. However, the thing that I do not yet have resolved in this all this is that when connected to a system through RDP, ServiceUI will launch the HTA, but it’s not displayed. Still gotta figure that one out….and then update this post of course ;-)