Task Sequence

10 Tips for a More Successful Windows Image Build & Capture

Posted on Updated on

In a recent build and capture (b&c) task sequence for ConfigMgr 2012 R2 that I was helping a customer with, I decided it was worthwhile to list the top things that can be overlooked.  If these are done prior to beginning the process, then it can help to shorten and troubleshooting time involved.  Also, be sure to see my tips for installing apps during OSD.

  1. Create an IP address range for content boundaries.  When doing a b&c, it is a best practice to not join the system to the domain.  So if AD Sites are used for the boundaries, then content cannot be found.  To workaround this, add a IP address range boundary for the subnet of the virtual system.
  2. In task sequence step “Setup Windows and Configuration Manager”, include entry “SMSMP=SiteMPServerFQDN”.  Example FQDN: CM1.contoso.com.
  3. Include installation of the latest cumulative update that is installed on the primary site.  The easiest trick for ensuring the latest CU is installed during OSD is to do:
    1. Copy the hotfix install package from “C:\Program Files\Microsoft Configuration Manager\hotfix\KBxxxxxx\Client\” into “C:\Program Files\Microsoft Configuration Manager\Client\hotfix\KBxxxxxx\”.
    2. In the task sequence step “Setup Windows and Configuration Manager”, include the line “PATCH=’%_SMSTSMDataPath%\OSD\PkgID\hotfix\KBxxxxxx\x64\patchKBinstallname.msp’.  Note that the path x64/i386 will need to be updated based upon the target OS.
  4. ConfigMgr boot media (.iso, USB, etc.) has been configured to allow unknown computers.
  5. Use the offline servicing functionality to pre-inject / install any Windows and .NET Framework 3.5.x security updates. Doing this to the original Windows image that was imported into the primary site will reduce the deployment time for the b&c.  Note that if you are deploying Win7 Hotfix Rollup 1 (KB2775511), it can be helpful to add it into the list for Software Updates (see http://blogs.technet.com/b/brandonlinton/archive/2013/03/13/how-to-deploy-phantom-updates-with-system-center-configuration-manager.aspx).
  6. Prepare for Software Updates (e.g. MS security updates)
    1. Use multiple Install Software Updates steps.  I like to use one immediately after installing core MS software (newer versions of .NET, MSXML, PowerShell, etc.) and then use two more at the very end of the task sequence.
    2. Optional: Create a script to which associates Microsoft Office with the Windows update agent so that those patches can be installed.
  7. Implement fixes and workarounds for installing packages and applications.
    1. KB2716946 fix/workaround to enable the software distribution agent during execution of the task sequence.
    2. KB2522623 fix for Windows 7 to allow applications to be installed
  8. Set additional task sequence variables to prevent “Error 80070002”.  This is outlined in a TechNet support tip blog post, but impacts more than just MDT.
    1. SMSTSDownloadRetryCount = 5
    2. SMSTSDownloadRetryDelay = 15
  9. Configure the Windows image to be able to “run from the server”.  In this way, the image does not need to download to the disk then finally extract … thereby causing a longer delay and more fragmentation.  To do this:
    1. On the properties of the image, go to the Data Access tab and select the option to “copy the content in this package to a package share on distribution points”.
    2. In the task sequence’s step for Apply Operating System, go to the Options tab and select “Access content directly from the distribution point”.
  10. Configure the distribution point to allow anonymous connections.

In general the above items should help you to be more successful when doing an OSD image b&c.  So that it’s not left unsaid, the below items could also prove useful.

  • Setup the Network Access Account for the ConfigMgr primary site.  For security, ensure that the account is a low rights domain user with a complex password and not an account with extended access rights to any systems on the network.
  • Deploy the task sequence to All Unknown Computers.  In this way an record of the ConfigMgr client will not need to be created first and added into a special collection.

Workaround for OSD Stand-alone Media with Client Hotfix Installs

Posted on Updated on

When using stand-alone media to image a computer, you may potentially run into a failure with the Task Sequence with SMSTS.log message “Client installation failed, code 1 – The client GUID must be set in an environment variable”.  Checking further into the client.msi.log file, you could see the source problem similar to “Unable to create a temp copy of patch ‘C:\_SMSTASKSEQUENCE\PACKAGES\SMS00002\HOTFIXES\KB2854009\X64\CONFIGMGR2012AC-SP1-KB2854009-X64.MSP’.”

This issue can be caused if you’re installing ConfigMgr 2012 hotfixes (or cumulative updates) as part of the client installation during OSD, which stand-alone media may not be handling properly.


One workaround for this scenario is to create additional tasks which will only install the hotfixes when not running from media as follows:

  1. On step “Setup Windows and Configuration Manager”, add a condition on the Options where TS Variable “_SMSTSMediaType not equals FullMedia”
  2. Copy that step and rename as “Setup Windows and ConfigMgr – Standalone Media”, remove the Installation Properties for the hotfix install, then change TS Variable check as “_SMSTSMediaType equals FullMedia”

OSD Options Chooser v3

Posted on Updated on

The following custom HTA can be used during OSD when imaging computers with ConfigMgr.  It has been updated from my previous version and will do the following:

Remember to enable HTA support in your boot images – https://t3chn1ck.wordpress.com/2010/01/28/hta-support-in-sccm-boot-images/


Created by Nick Moseley https://t3chn1ck.wordpress.com
For this script to function, HTA support must have been added into the boot image
See for more information - http://technet.microsoft.com/en-us/library/dd799244.aspx

This HTA/VBscript is used to present a GUI during imaging of a corporate PC. It prompts for:
	1) PC name (automatically populated if the PC already exists in SCCM)
	2) Time zone (currently just PST, AZT, and MST)
	3) If the PC will be used as a VM parent image or as a physical PC
	4) One-off software
	5) Additional browsers
	6) Department selection
	7) Management selection
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>OSD Computer Details</title>

<script language="VBScript">
window.resizeTo 550,255
window.moveTo 3,3

' Hide the task sequence window
'On Error Resume Next

Dim oTaskSequence, oTSProgressUI
Set oTaskSequence = CreateObject ("Microsoft.SMS.TSEnvironment")
Set oTSProgressUI = CreateObject("Microsoft.SMS.TsProgressUI")

Sub PreloadOptions
	Dim sTSMachineName, bPromptName
	sTSMachineName = ucase(oTaskSequence("_SMSTSMachineName"))

	If left(sTSMachineName,6) = "MININT" Then
		bPromptName = True
	ElseIf sTSMachineName = "MINWINPC" Then
		bPromptName = True
		bPromptName = False
	End If

	If bPromptName Then
		ComputerName.value = ""
		ComputerName.value = sTSMachineName
	End If
End Sub

Sub FinishClickTasks
	' Get/set computer name
	Dim sComputerName
	sComputerName = UCase(ComputerName.Value)

	' Check that a PC name was entered
		If sComputerName = "" Then
			MsgBox "Error: Computer name cannot be left empty!", vbCritical, "Error"
			sComputerName = InputBox ("Please enter a computer name to continue", "", , 30,30)
		End If
	Loop Until sComputerName <> ""

	oTaskSequence ("OSDComputerName") = sComputerName

	' Get/set department configuration
	For Each oSelection in DepartmentChooser.Options
		If oSelection.Selected Then
			oTaskSequence ("OSDDepartment") = lcase(oSelection.InnerText)
		End If

	' Get/set managerial position
	For Each oSelection in ManagerRole.Options
		If oSelection.Selected Then
			oTaskSequence ("ManagerRole") = lcase(oSelection.InnerText)
		End If

	' OSConfig selection
	For Each oSelection in OSConfig
		If oSelection.Checked Then
			oTaskSequence ("OSDOSConfig") = lcase(oSelection.value)
		End If

	' Get/set Other Apps
	If SevenZip.checked Then oTaskSequence ("OSD7zip") = "true" End If
	If Firefox.checked Then oTaskSequence ("OSDFirefox") = "true" End If
	If NotepadPlusPlus.checked Then oTaskSequence ("OSDNotepadPlusPlus") = "true" End If
	If GoogleChrome.checked Then oTaskSequence ("OSDGoogleChrome") = "true" End If
	If PaintNet.checked Then oTaskSequence ("OSDPaintNet") = "true" End If
	If Safari.checked Then oTaskSequence ("OSDAppleSafari") = "true" End If

	' Get/set Time Zone configuration
	For Each oSelection in TZChooser.Options
		If oSelection.Selected Then
			oTaskSequence ("OSDTimeZone") = oSelection.id
		End If

	' Terminate the HTA
End Sub


<!---------------- HTML goes here ---------------->
<body STYLE="font:12 pt arial; color:white; background-color:#006699" onload="PreloadOptions">
<table cellpadding="3" border=1>
	<tr valign=top>
			<b>Computer Name</b><br>
			<input type=text id="ComputerName" name=ComputerName size=22>
			<b>Time Zone</b><br>
			<select size="1" name="TZChooser">
				<option value="00" id="Mountain Standard Time">MST (US Mountain)<BR>
				<option value="01" id="Pacific Standard Time">PST (US West Coast)<BR>
				<option value="02" id="US Mountain Standard Time">AZT (US Arizona)<br>
				<!--<option value="03" id="Central Standard Time">CST (US Central)<BR>-->
				<!--<option value="04" id="Eastern Standard Time">EST (US East Coast)<BR>-->
			<b><u>OS Configuration</b></u><br>
			<input type="radio" value="standalone" name="OSConfig" checked="True"> Standalone PC/VM<br>
			<input type="radio" value="vmparent" name="OSConfig"> VM Parent
			<b><u>Software Options</b></u><br>
			<input type="checkbox" name="SevenZip"> 7-zip Utility<br>
			<input type="checkbox" name="NotepadPlusPlus"> Notepad++<br>
			<input type="checkbox" name="PaintNet"> Paint.Net<br>
			<b><u>Internet Browsers</b></u><br>
			<input type="checkbox" name="Safari"> Apple Safari<br>
			<input type="checkbox" name="Firefox"> Firefox Browser<br>
			<input type="checkbox" name="GoogleChrome"> Google Chrome<br>
			<b><u>Department Selection</b></u><br>
			<select size="1" name="DepartmentChooser">
				<option value="00"> Standard PC</option>
				<option value="01"> Accounting</option>
				<option value="02"> Human Resources</option>
				<option value="03"> Information Technology</option>
			<b><u>Management Role</b></u><br>
			<select size="1" name="ManagerRole">
				<option value="00"> n/a</option>
				<option value="01"> Supervisor</option>
				<option value="02"> Manager</option>
				<option value="03"> Director</option>
				<option value="03"> VP</option>
			<button accesskey=N type=submit id=buttonFinish onclick=FinishClickTasks>Finish</button>
<!------------------ End HTML -------------------->


Script to Rename Computer During OSD

Posted on Updated on

In assisting a recent customer implement an upgrade from WinXP to Win7, they requested that the names be changed to fit a new standard as part of the in-place imaging process.  In this particular case, all of the computers had a name that ended with a sequential number (1, 2, 3, …) plus an “A” tacked on at the end.  They wanted the “A” removed and for the PC name just to end with the sequential number.

This was a pretty easy fix to accomplish through a VBScript which

  1. Retrieves the active OSDComputerName task sequence variable
  2. Detects if the last letter is an “A”
  3. Truncates the name to remove the “A”
  4. Re-sets OSDComputerName to the new value

' NAME: PCNameStandardization.vbs
' AUTHOR: Nick Moseley, <a href="https://t3chn1ck.wordpress.com">https://t3chn1ck.wordpress.com</a>
' COMMENT: This script will detect if the current computer name ends with ' the letter 'A' so that it can be removed.
Option Explicit
Dim oTaskSequence, sComputerName, iNameLength
Set oTaskSequence = CreateObject ("Microsoft.SMS.TSEnvironment")

sComputerName = ucase(oTaskSequence("OSDComputerName")) iNameLength = Len(sComputerName)

If right(sComputerName,1) = "A" Then
oTaskSequence("OSDComputerName") = left(sComputerName, iNameLength-1)
  ' The echo statement is not displayed, but rather registered in SMSTS.log
wscript.echo ">>>> Set OSDComputerName from " & sComputerName & " to " & oTaskSequence("OSDComputerName")
End If

To add this into your task sequence:

  1. Put this script into a package for your general OSD Scripts
  2. Ensure you have the step to capture the computer name
  3. Immediately after the capture windows settings, run the PC Standardization Script
  4. On whatever step you have that prompts for the PC Name, add a condition to not execute if variable OSDComputerName does not exist.  This is so that task sequence will not be held up on the other end waiting for someone to enter a PC name for one you’ve already set.
  5. Finally – ensure ConfigMgr environment is configured to automatically resolve conflicting records!  See this as to why https://t3chn1ck.wordpress.com/2013/02/14/error-initializing-client-registration-0x80040222/

How To Execute Scripts in a Task Sequence Without a Local Disk

Posted on Updated on

A common practice for OSD task sequences is set the advertisement to “run from server”.  Recently there was a situation in which the advertisement needed to be set as “download content locally”.  But there were scripts which needed to be executed BEFORE a disk partition existed, so the task sequence would fail with error code 0x800700a1 because there wasn’t a local disk in which to save the files.

There are a few ways to workaround this situation.

1.  If possible, have the advertisement/deployment configured to run from server

2.  Use DISM.exe to add the scripts into the boot image(s) (or use GImageX), then have a Run Command Line task to execute the scripts.
Note: the challenge with this method is it’s a bit tedious to maintain those scripts.

3.  Use the “Connect To Network” task to map to a network drive, then have a Run Command Line task to execute the scripts.
Note: the challenge with this method is the possibility of scripts running across the WAN, which could be less than ideal if the scripts or installers are large or if the network files are not available.



BitLocker & BIOS Boot Order

Posted on Updated on

One of the “gotchas” of BitLocker security is that by not having the hard drive first in the boot order within BIOS, can cause BitLocker security to become enacted and thus needing manual entry of the 48-character key upon the next system restart.  This can be a frustration for users who have this happen to them, especially while travelling and unable to reach the help desk.  So, during an OS deployment, make efforts to change the boot order in BIOS.

To do this with HP

  • Obtain the BIOSConfigUtility in the Systems Software Manager
  • Create a text file named “BootOrder.REPSET”.  The text file contains the below content.  Note that I found it is necessary to define two devices to modify the boot order.
Boot Order
     Hard Drive(C:)
     Notebook Upgrade Bay
  • Run command
BiosConfigUtility.EXE /SetConfig:BootOrder.REPSET

To do this with Dell

cctk.exe bootorder --sequence=hdd

If you find yourself in a position that you did not do this during the initial deployment of the OS, never fear, SCCM is here!  Using task sequences, you can automate the process as to set the hard drive to be first in the boot order and re-seal the TPM by performing the following steps:

  1. Suspends BitLocker protection
  2. Reconfigure the boot order (for HP or Dell)
  3. Restarts Windows
  4. Resumes BitLocker protection

HP BIOSConfigUtility Command Line in a Task Sequence

Posted on

First, let me start by saying there is already a good blog post which outlines how to use HP’s BIOSConfigUtility in an MDT task sequence (which can be easily translated into an SCCM task sequence).

I recently implemented this tool for a client to enable the TPM feature in BIOS in preparation for BitLocker.  The utility was being run from a task sequence with command line such as:

cmd.exe /c c:\temp\BIOSConfigUtility.exe /SetConfig:TPMEnable.REPSET /NewAdminPassword:"P@55word!"

In my testing, the BIOS password was being set properly, but the TPM enable would not get enabled.  BIOSConfigUtility.exe would terminate with error code 10, which essentially meant it was trying to enable TPM but the provided password is incorrect.  What I found to fix the problem was to instead specify the full path to TPMEnable.REPSET file.  So instead, the switch would instead be: