10 Tips for a More Successful Windows Image Build & Capture
In a recent build and capture (b&c) task sequence for ConfigMgr 2012 R2 that I was helping a customer with, I decided it was worthwhile to list the top things that can be overlooked. If these are done prior to beginning the process, then it can help to shorten and troubleshooting time involved. Also, be sure to see my tips for installing apps during OSD.
- Create an IP address range for content boundaries. When doing a b&c, it is a best practice to not join the system to the domain. So if AD Sites are used for the boundaries, then content cannot be found. To workaround this, add a IP address range boundary for the subnet of the virtual system.
- In task sequence step “Setup Windows and Configuration Manager”, include entry “SMSMP=SiteMPServerFQDN”. Example FQDN: CM1.contoso.com.
- Include installation of the latest cumulative update that is installed on the primary site. The easiest trick for ensuring the latest CU is installed during OSD is to do:
- Copy the hotfix install package from “C:\Program Files\Microsoft Configuration Manager\hotfix\KBxxxxxx\Client\” into “C:\Program Files\Microsoft Configuration Manager\Client\hotfix\KBxxxxxx\”.
- In the task sequence step “Setup Windows and Configuration Manager”, include the line “PATCH=’%_SMSTSMDataPath%\OSD\PkgID\hotfix\KBxxxxxx\x64\patchKBinstallname.msp’. Note that the path x64/i386 will need to be updated based upon the target OS.
- ConfigMgr boot media (.iso, USB, etc.) has been configured to allow unknown computers.
- Use the offline servicing functionality to pre-inject / install any Windows and .NET Framework 3.5.x security updates. Doing this to the original Windows image that was imported into the primary site will reduce the deployment time for the b&c. Note that if you are deploying Win7 Hotfix Rollup 1 (KB2775511), it can be helpful to add it into the list for Software Updates (see http://blogs.technet.com/b/brandonlinton/archive/2013/03/13/how-to-deploy-phantom-updates-with-system-center-configuration-manager.aspx).
- Prepare for Software Updates (e.g. MS security updates)
- Use multiple Install Software Updates steps. I like to use one immediately after installing core MS software (newer versions of .NET, MSXML, PowerShell, etc.) and then use two more at the very end of the task sequence.
- Optional: Create a script to which associates Microsoft Office with the Windows update agent so that those patches can be installed.
- Implement fixes and workarounds for installing packages and applications.
- Set additional task sequence variables to prevent “Error 80070002”. This is outlined in a TechNet support tip blog post, but impacts more than just MDT.
- SMSTSDownloadRetryCount = 5
- SMSTSDownloadRetryDelay = 15
- Configure the Windows image to be able to “run from the server”. In this way, the image does not need to download to the disk then finally extract … thereby causing a longer delay and more fragmentation. To do this:
- On the properties of the image, go to the Data Access tab and select the option to “copy the content in this package to a package share on distribution points”.
- In the task sequence’s step for Apply Operating System, go to the Options tab and select “Access content directly from the distribution point”.
- Configure the distribution point to allow anonymous connections.
In general the above items should help you to be more successful when doing an OSD image b&c. So that it’s not left unsaid, the below items could also prove useful.
- Setup the Network Access Account for the ConfigMgr primary site. For security, ensure that the account is a low rights domain user with a complex password and not an account with extended access rights to any systems on the network.
- Deploy the task sequence to All Unknown Computers. In this way an record of the ConfigMgr client will not need to be created first and added into a special collection.
Workaround for OSD Stand-alone Media with Client Hotfix Installs
When using stand-alone media to image a computer, you may potentially run into a failure with the Task Sequence with SMSTS.log message “Client installation failed, code 1 – The client GUID must be set in an environment variable”. Checking further into the client.msi.log file, you could see the source problem similar to “Unable to create a temp copy of patch ‘C:\_SMSTASKSEQUENCE\PACKAGES\SMS00002\HOTFIXES\KB2854009\X64\CONFIGMGR2012AC-SP1-KB2854009-X64.MSP’.”
This issue can be caused if you’re installing ConfigMgr 2012 hotfixes (or cumulative updates) as part of the client installation during OSD, which stand-alone media may not be handling properly.
One workaround for this scenario is to create additional tasks which will only install the hotfixes when not running from media as follows:
- On step “Setup Windows and Configuration Manager”, add a condition on the Options where TS Variable “_SMSTSMediaType not equals FullMedia”
- Copy that step and rename as “Setup Windows and ConfigMgr – Standalone Media”, remove the Installation Properties for the hotfix install, then change TS Variable check as “_SMSTSMediaType equals FullMedia”
OSD Options Chooser v3
The following custom HTA can be used during OSD when imaging computers with ConfigMgr. It has been updated from my previous version and will do the following:
- Utilizes a table with 3 columns to go across
- Has examples for text entry, drop-down selections, radial buttons, and checkboxes
- Removed the traditional X close button to prevent incidental closure via mouse (to close app, use Alt-F4)
- Contains the two lines of VBScript code to automatically hide the ConfigMgr Task Sequence progress bar interface
Remember to enable HTA support in your boot images – https://t3chn1ck.wordpress.com/2010/01/28/hta-support-in-sccm-boot-images/
<!-- Created by Nick Moseley https://t3chn1ck.wordpress.com For this script to function, HTA support must have been added into the boot image See for more information - http://technet.microsoft.com/en-us/library/dd799244.aspx This HTA/VBscript is used to present a GUI during imaging of a corporate PC. It prompts for: 1) PC name (automatically populated if the PC already exists in SCCM) 2) Time zone (currently just PST, AZT, and MST) 3) If the PC will be used as a VM parent image or as a physical PC 4) One-off software 5) Additional browsers 6) Department selection 7) Management selection --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <title>OSD Computer Details</title> <HTA:APPLICATION ID="objNoTitleBar" APPLICATIONNAME="OSD Computer Details" SCROLL="auto" SINGLEINSTANCE="yes" CAPTION="no"> <script language="VBScript"> window.resizeTo 550,255 window.moveTo 3,3 ' Hide the task sequence window 'On Error Resume Next Dim oTaskSequence, oTSProgressUI Set oTaskSequence = CreateObject ("Microsoft.SMS.TSEnvironment") Set oTSProgressUI = CreateObject("Microsoft.SMS.TsProgressUI") oTSProgressUI.CloseProgressDialog Sub PreloadOptions Dim sTSMachineName, bPromptName sTSMachineName = ucase(oTaskSequence("_SMSTSMachineName")) If left(sTSMachineName,6) = "MININT" Then bPromptName = True ElseIf sTSMachineName = "MINWINPC" Then bPromptName = True Else bPromptName = False End If If bPromptName Then ComputerName.value = "" Else ComputerName.value = sTSMachineName End If End Sub Sub FinishClickTasks '==================================== ' Get/set computer name '==================================== Dim sComputerName sComputerName = UCase(ComputerName.Value) ' Check that a PC name was entered Do If sComputerName = "" Then MsgBox "Error: Computer name cannot be left empty!", vbCritical, "Error" sComputerName = InputBox ("Please enter a computer name to continue", "", , 30,30) End If Loop Until sComputerName <> "" oTaskSequence ("OSDComputerName") = sComputerName '==================================== ' Get/set department configuration '==================================== For Each oSelection in DepartmentChooser.Options If oSelection.Selected Then oTaskSequence ("OSDDepartment") = lcase(oSelection.InnerText) End If Next '==================================== ' Get/set managerial position '==================================== For Each oSelection in ManagerRole.Options If oSelection.Selected Then oTaskSequence ("ManagerRole") = lcase(oSelection.InnerText) End If Next '==================================== ' OSConfig selection '==================================== For Each oSelection in OSConfig If oSelection.Checked Then oTaskSequence ("OSDOSConfig") = lcase(oSelection.value) End If Next '==================================== ' Get/set Other Apps '==================================== If SevenZip.checked Then oTaskSequence ("OSD7zip") = "true" End If If Firefox.checked Then oTaskSequence ("OSDFirefox") = "true" End If If NotepadPlusPlus.checked Then oTaskSequence ("OSDNotepadPlusPlus") = "true" End If If GoogleChrome.checked Then oTaskSequence ("OSDGoogleChrome") = "true" End If If PaintNet.checked Then oTaskSequence ("OSDPaintNet") = "true" End If If Safari.checked Then oTaskSequence ("OSDAppleSafari") = "true" End If '==================================== ' Get/set Time Zone configuration '==================================== For Each oSelection in TZChooser.Options If oSelection.Selected Then oTaskSequence ("OSDTimeZone") = oSelection.id End If Next '==================================== ' Terminate the HTA '==================================== window.close End Sub </script> </head> <!------------------------------------------------> <!---------------- HTML goes here ----------------> <!------------------------------------------------> <body STYLE="font:12 pt arial; color:white; background-color:#006699" onload="PreloadOptions"> <table cellpadding="3" border=1> <tr valign=top> <td> <p> <b>Computer Name</b><br> <input type=text id="ComputerName" name=ComputerName size=22> <p> <b>Time Zone</b><br> <select size="1" name="TZChooser"> <option value="00" id="Mountain Standard Time">MST (US Mountain)<BR> <option value="01" id="Pacific Standard Time">PST (US West Coast)<BR> <option value="02" id="US Mountain Standard Time">AZT (US Arizona)<br> <!--<option value="03" id="Central Standard Time">CST (US Central)<BR>--> <!--<option value="04" id="Eastern Standard Time">EST (US East Coast)<BR>--> </select> <p> <b><u>OS Configuration</b></u><br> <input type="radio" value="standalone" name="OSConfig" checked="True"> Standalone PC/VM<br> <input type="radio" value="vmparent" name="OSConfig"> VM Parent </td> <td> <b><u>Software Options</b></u><br> <input type="checkbox" name="SevenZip"> 7-zip Utility<br> <input type="checkbox" name="NotepadPlusPlus"> Notepad++<br> <input type="checkbox" name="PaintNet"> Paint.Net<br> <p> <b><u>Internet Browsers</b></u><br> <input type="checkbox" name="Safari"> Apple Safari<br> <input type="checkbox" name="Firefox"> Firefox Browser<br> <input type="checkbox" name="GoogleChrome"> Google Chrome<br> </td> <td> <p> <b><u>Department Selection</b></u><br> <select size="1" name="DepartmentChooser"> <option value="00"> Standard PC</option> <option value="01"> Accounting</option> <option value="02"> Human Resources</option> <option value="03"> Information Technology</option> </select> <p> <b><u>Management Role</b></u><br> <select size="1" name="ManagerRole"> <option value="00"> n/a</option> <option value="01"> Supervisor</option> <option value="02"> Manager</option> <option value="03"> Director</option> <option value="03"> VP</option> </select> <p> <button accesskey=N type=submit id=buttonFinish onclick=FinishClickTasks>Finish</button> </td> </tr> </table> <!------------------------------------------------> <!------------------ End HTML --------------------> <!------------------------------------------------> </body> </html>
Script to Rename Computer During OSD
In assisting a recent customer implement an upgrade from WinXP to Win7, they requested that the names be changed to fit a new standard as part of the in-place imaging process. In this particular case, all of the computers had a name that ended with a sequential number (1, 2, 3, …) plus an “A” tacked on at the end. They wanted the “A” removed and for the PC name just to end with the sequential number.
This was a pretty easy fix to accomplish through a VBScript which
- Retrieves the active OSDComputerName task sequence variable
- Detects if the last letter is an “A”
- Truncates the name to remove the “A”
- Re-sets OSDComputerName to the new value
'========================================================================== ' NAME: PCNameStandardization.vbs ' AUTHOR: Nick Moseley, <a href="https://t3chn1ck.wordpress.com">https://t3chn1ck.wordpress.com</a> ' COMMENT: This script will detect if the current computer name ends with ' the letter 'A' so that it can be removed. '========================================================================== Option Explicit Dim oTaskSequence, sComputerName, iNameLength Set oTaskSequence = CreateObject ("Microsoft.SMS.TSEnvironment") sComputerName = ucase(oTaskSequence("OSDComputerName")) iNameLength = Len(sComputerName) If right(sComputerName,1) = "A" Then oTaskSequence("OSDComputerName") = left(sComputerName, iNameLength-1) ' The echo statement is not displayed, but rather registered in SMSTS.log wscript.echo ">>>> Set OSDComputerName from " & sComputerName & " to " & oTaskSequence("OSDComputerName") End If
To add this into your task sequence:
- Put this script into a package for your general OSD Scripts
- Ensure you have the step to capture the computer name
- Immediately after the capture windows settings, run the PC Standardization Script
- On whatever step you have that prompts for the PC Name, add a condition to not execute if variable OSDComputerName does not exist. This is so that task sequence will not be held up on the other end waiting for someone to enter a PC name for one you’ve already set.
- Finally – ensure ConfigMgr environment is configured to automatically resolve conflicting records! See this as to why https://t3chn1ck.wordpress.com/2013/02/14/error-initializing-client-registration-0x80040222/
How To Execute Scripts in a Task Sequence Without a Local Disk
A common practice for OSD task sequences is set the advertisement to “run from server”. Recently there was a situation in which the advertisement needed to be set as “download content locally”. But there were scripts which needed to be executed BEFORE a disk partition existed, so the task sequence would fail with error code 0x800700a1 because there wasn’t a local disk in which to save the files.
There are a few ways to workaround this situation.
1. If possible, have the advertisement/deployment configured to run from server
2. Use DISM.exe to add the scripts into the boot image(s) (or use GImageX), then have a Run Command Line task to execute the scripts.
Note: the challenge with this method is it’s a bit tedious to maintain those scripts.
3. Use the “Connect To Network” task to map to a network drive, then have a Run Command Line task to execute the scripts.
Note: the challenge with this method is the possibility of scripts running across the WAN, which could be less than ideal if the scripts or installers are large or if the network files are not available.
BitLocker & BIOS Boot Order
One of the “gotchas” of BitLocker security is that by not having the hard drive first in the boot order within BIOS, can cause BitLocker security to become enacted and thus needing manual entry of the 48-character key upon the next system restart. This can be a frustration for users who have this happen to them, especially while travelling and unable to reach the help desk. So, during an OS deployment, make efforts to change the boot order in BIOS.
To do this with HP
- Obtain the BIOSConfigUtility in the Systems Software Manager
- Create a text file named “BootOrder.REPSET”. The text file contains the below content. Note that I found it is necessary to define two devices to modify the boot order.
English Boot Order Hard Drive(C:) Notebook Upgrade Bay
- Run command
To do this with Dell
- Obtain the Client Configuration Toolkit
- Run command
cctk.exe bootorder --sequence=hdd
If you find yourself in a position that you did not do this during the initial deployment of the OS, never fear, SCCM is here! Using task sequences, you can automate the process as to set the hard drive to be first in the boot order and re-seal the TPM by performing the following steps:
HP BIOSConfigUtility Command Line in a Task Sequence
First, let me start by saying there is already a good blog post which outlines how to use HP’s BIOSConfigUtility in an MDT task sequence (which can be easily translated into an SCCM task sequence).
I recently implemented this tool for a client to enable the TPM feature in BIOS in preparation for BitLocker. The utility was being run from a task sequence with command line such as:
cmd.exe /c c:\temp\BIOSConfigUtility.exe /SetConfig:TPMEnable.REPSET /NewAdminPassword:"P@55word!"
In my testing, the BIOS password was being set properly, but the TPM enable would not get enabled. BIOSConfigUtility.exe would terminate with error code 10, which essentially meant it was trying to enable TPM but the provided password is incorrect. What I found to fix the problem was to instead specify the full path to TPMEnable.REPSET file. So instead, the switch would instead be:
Hiding a task sequence progress UI
If you have a custom HTA or dialog box as part of a task sequence, the dialog box could get in the way. And it’s quite annoying to manually drag it out-of-the-way every time. A workaround to this is to hide that task sequence dialog box altogether with the following VBScript. So run this bit of code before you launch the HTA
On Error Resume Next ' Hide the task sequence window Set ProgressUI = CreateObject("Microsoft.SMS.TsProgressUI") ProgressUI.CloseProgressDialog
VBScript to Run SCCM Software Updates Scan
A challenge with installing software updates during a task sequence is that it may occur where not all updates are applied on the first pass. The workaround is run software updates, run a VB Script or PowerShell script to force another scan, then run a software updates task again. Others have posted their scripts on this before, so it’s nothing new. However, I failed trying to quickly locate those scripts. So I’m just posting my own of what I use….
'========================================================================== ' AUTHOR: Nick Moseley , https://t3chn1ck.wordpress.com ' DATE : 7/30/2010 ' COMMENT: Initiates an SCCM client scan ' Script from http://msdn.microsoft.com/en-us/library/cc144313.aspx ' Updated 7/15/11 to include a sleep before exiting script '========================================================================== ' Set the required variables. actionNameToRun = "Updates Source Scan Cycle" ' Create a CPAppletMgr instance. Dim oCPAppletMgr Set oCPAppletMgr = CreateObject("CPApplet.CPAppletMgr") ' Get the available ClientActions object. Dim oClientActions Set oClientActions = oCPAppletMgr.GetClientActions() ' Loop through the available client actions. Run the matching client action when it is found. Dim oClientAction For Each oClientAction In oClientActions If oClientAction.Name = actionNameToRun Then oClientAction.PerformAction End If Next ' Wait for 3 minutes for scan completion before exiting script wscript.sleep(180000)
Workaround for Installing Office Updates During an Image Build
Ran into an interesting situation with an image build. I created a custom Office 2010 SP1 install using the OCT. During execution of my image build task sequence, Software Updates was not detecting any of the updates for Office. Further diagnosis revealed that the OCT-built install did not put its “hooks” into the Windows Update Agent, therefore neither the SUP or Microsoft Updates could detect for Office updates. (Side note: once the image was sysprepped, captured, and added into a deployment task sequence, the updates were suddenly available and installed.)
While the cause as to why an OCT-built Office 2010 SP1 install prohibits installation of updates has not been found yet, there is a workaround to run a script that forces Microsoft Update (e.g. WUA) to receive updates for “other products”. By executing the following VBScript after installing Office, SCCM Software Updates will then be able to install the updates during the image build task sequence. The original code is from a TechNet blog post, I just added some extra logging for troubleshooting. Also, if your TS advertisement is configured to “run from server”, then the script will cause the TS to fail. To get past this, simply copy the script locally first then execute it from that location.
Const ForAppending = 8 Set oFSO = CreateObject ("Scripting.FileSystemObject") Set oLogFile = oFSO.OpenTextFile ("C:\ConfigOfficeUpdates.txt", ForAppending, True) oLogFile.WriteLine "Starting execution of VBScript to configure Office to use Microsoft Updates" Set ServiceManager = CreateObject("Microsoft.Update.ServiceManager") ServiceManager.ClientApplicationID = "My App" ' add the Microsoft Update Service by GUID Set NewUpdateService = ServiceManager.AddService2("7971f918-a847-4430-9279-4a52d1efe18d",7,"") oLogFile.WriteLine "Script completed successfully" wscript.Quit(oLogFile.Close)