When it comes to setting up a good configuration for an App-V 5.0 SP2 (or later) sequencer, the items below are typically what I like to establish. This list may not be fully complete and could be added to over time. Optionally, if you have any recommendations, please feel free to leave a comment below!
- Added a file named “ccmsetup” (no file extension) in C:\Windows, which helps prevent the ConfigMgr client from being installed
- Turn off or disable: Windows Defender, Windows Update checks, Windows Firewall, Action Center notifications, restore points, auto restart on BSOD, highlighting of newly installed programs, and Windows indexing/search (disable the service “Windows Search”)
- Turn on or enable: remote desktop, set the display to “best performance”, add the “Run” box on the start menu, set IE to open with a blank page (and not MSN.com), set the system tray to show all icons, task manager to hide when minimized, desktop background to solid white color (makes for cleaner screen snips), and change the IE taskbar shortcut from the x64 app version to instead use the x86 app
- Install additional software: KB2775511 (for Win7 SP1), WMF 4.0, KB2533623, Microsoft Office, the latest version of Hyper-V integration services, and the current supported version (in the business) of Internet Explorer*
- Install all Windows updates
- Ensure there is no random startup software in either the Run/RunOnce registry keys or the Startup folder
* Note that as of January 12, 2016, IE 11 will be the minimum supported browser version for Win7 and newer operating systems. So if you haven’t started planning yet, it’s a good idea to begin soon.
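Several of the items above can be verified before taking the sequencer snapshot. The following read-only check is an added example, not part of the original post; the function name `Get-SequencerPreflight` is hypothetical, and it assumes Windows PowerShell 3.0 or later (WMF 4.0 from the list above satisfies this).

```powershell
# Added example: read-only pre-flight report for a sequencer VM (changes nothing).
function Get-SequencerPreflight {
    $findings = @()

    # Marker file from the list above: C:\Windows\ccmsetup, no extension.
    $marker = Join-Path $env:windir 'ccmsetup'
    $findings += [pscustomobject]@{
        Check = 'ccmsetup marker file'
        Pass  = (Test-Path -LiteralPath $marker -PathType Leaf); Detail = $marker
    }

    # The "Windows Search" service (service name WSearch) should be disabled.
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='WSearch'"
    $mode = if ($svc) { $svc.StartMode } else { 'not installed' }
    $findings += [pscustomobject]@{
        Check = 'Windows Search start mode'
        Pass  = ($mode -in 'Disabled', 'not installed'); Detail = $mode
    }

    # Run/RunOnce in both hives, including the 32-bit registry view on x64.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($sub in 'Software', 'Software\Wow6432Node') {
            foreach ($leaf in 'Run', 'RunOnce') {
                $key = "$hive\$sub\Microsoft\Windows\CurrentVersion\$leaf"
                if (-not (Test-Path -Path $key)) { continue }
                $item = Get-Item -Path $key
                foreach ($name in $item.GetValueNames()) {
                    $findings += [pscustomobject]@{
                        Check = 'Startup registry value'; Pass = $false
                        Detail = "$key [$name] = $($item.GetValue($name))"
                    }
                }
            }
        }
    }

    # Per-user and all-users Startup folders (desktop.ini is expected there).
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue) {
            if ($f.Name -eq 'desktop.ini') { continue }
            $findings += [pscustomobject]@{
                Check = 'Startup folder item'; Pass = $false; Detail = $f.FullName
            }
        }
    }
    $findings
}

Get-SequencerPreflight | Format-Table -AutoSize -Wrap
```

Every startup entry is reported with `Pass = False` so that each one gets a deliberate keep-or-remove decision before sequencing.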
In a recent build and capture (b&c) task sequence for ConfigMgr 2012 R2 that I was helping a customer with, I decided it was worthwhile to list the top things that can be overlooked. If these are done prior to beginning the process, then it can help to shorten any troubleshooting time involved. Also, be sure to see my tips for installing apps during OSD.
- Create an IP address range for content boundaries. When doing a b&c, it is a best practice to not join the system to the domain. So if AD Sites are used for the boundaries, then content cannot be found. To work around this, add an IP address range boundary for the subnet of the virtual system.
- In task sequence step “Setup Windows and Configuration Manager”, include entry “SMSMP=SiteMPServerFQDN”. Example FQDN: CM1.contoso.com.
- Include installation of the latest cumulative update that is installed on the primary site. The easiest trick for ensuring the latest CU is installed during OSD is to do the following:
  - Copy the hotfix install package from “C:\Program Files\Microsoft Configuration Manager\hotfix\KBxxxxxx\Client\” into “C:\Program Files\Microsoft Configuration Manager\Client\hotfix\KBxxxxxx\”.
  - In the task sequence step “Setup Windows and Configuration Manager”, include the line PATCH="%_SMSTSMDataPath%\OSD\PkgID\hotfix\KBxxxxxx\x64\patchKBinstallname.msp". Note that the path x64/i386 will need to be updated based upon the target OS.
- ConfigMgr boot media (.iso, USB, etc.) has been configured to allow unknown computers.
- Use the offline servicing functionality to pre-inject / install any Windows and .NET Framework 3.5.x security updates. Doing this to the original Windows image that was imported into the primary site will reduce the deployment time for the b&c. Note that if you are deploying Win7 Hotfix Rollup 1 (KB2775511), it can be helpful to add it into the list for Software Updates (see http://blogs.technet.com/b/brandonlinton/archive/2013/03/13/how-to-deploy-phantom-updates-with-system-center-configuration-manager.aspx).
- Prepare for Software Updates (e.g. MS security updates)
- Use multiple Install Software Updates steps. I like to use one immediately after installing core MS software (newer versions of .NET, MSXML, PowerShell, etc.) and then use two more at the very end of the task sequence.
- Optional: Create a script which associates Microsoft Office with the Windows update agent so that those patches can be installed.
- Implement fixes and workarounds for installing packages and applications.
- Set additional task sequence variables to prevent “Error 80070002”. This is outlined in a TechNet support tip blog post, but impacts more than just MDT.
  - SMSTSDownloadRetryCount = 5
  - SMSTSDownloadRetryDelay = 15
- Configure the Windows image to be able to “run from the server”. In this way, the image does not need to download to the disk then finally extract … thereby causing a longer delay and more fragmentation. To do this:
  - On the properties of the image, go to the Data Access tab and select the option to “copy the content in this package to a package share on distribution points”.
  - In the task sequence’s step for Apply Operating System, go to the Options tab and select “Access content directly from the distribution point”.
- Configure the distribution point to allow anonymous connections.
In general the above items should help you to be more successful when doing an OSD image b&c. So that it’s not left unsaid, the below items could also prove useful.
- Setup the Network Access Account for the ConfigMgr primary site. For security, ensure that the account is a low rights domain user with a complex password and not an account with extended access rights to any systems on the network.
- Deploy the task sequence to All Unknown Computers. In this way a record of the ConfigMgr client will not need to be created first and added into a special collection.
I’ve been in a situation a couple of times where a client was going to use a third-party vendor to image hardware offsite, but didn’t have Microsoft deployment tools (WAIK, WDS, MDT, SCCM, etc.) for deploying the standard WIM image that was created. To work with this scenario, I developed an unattended answer file with WSIM that can be used to sysprep a computer for an image where the disk can be cloned. This sysprep file essentially does the following items below. Many of the items may seem “unnecessary”, but they are necessary in order to automate the majority of the deployment.
- enables the local admin account
- removes the “copy profile” functionality
- removes the “Get Windows Live” shortcuts
- sets the time zone to MST
- enables RDP
- disables firewall notifications
- disables the domain firewall
- disables Windows Defender
- disables IE accelerators
- disables the IE first run wizard
- enables IE compatibility mode
- disables IE suggested sites
- sets Windows to skip auto activation
- disables system restore
- sets the local language to English
- sets the registered owner/org
- sets Windows to automatically login as Administrator one time
- sets the screen resolution to 1024×768
- sets the first logon command to execute a script in C:\CompanyName
- hides the Windows EULA
- hides the wireless network setup wizard
- sets the default network location to “Work”
- sets the recommended level of protection for Windows Update
- creates taskbar links to Outlook and Word
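Because the answer file enables the local admin account, logs on as Administrator one time and launches a first logon command, it is worth reviewing before the disk is cloned. The following check is an added example, not the author's script; the function name `Test-UnattendReview`, the sample XML, its placeholder password and the `cscript.exe` command line are constructed for illustration.

```powershell
# Constructed sample answer file (not the author's sysprep.xml); the password is a placeholder.
$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Enabled>true</Enabled>
        <LogonCount>1</LogonCount>
        <Username>Administrator</Username>
        <Password><Value>PLACEHOLDER</Value><PlainText>true</PlainText></Password>
      </AutoLogon>
      <FirstLogonCommands>
        <SynchronousCommand>
          <Order>1</Order>
          <CommandLine>cscript.exe C:\CompanyName\ImageConfigTasks.vbs</CommandLine>
        </SynchronousCommand>
      </FirstLogonCommands>
    </component>
  </settings>
</unattend>
'@

function Test-UnattendReview {
    param([Parameter(Mandatory)][string]$XmlText)
    $doc = [xml]$XmlText
    # local-name() sidesteps the unattend namespace in XPath.
    foreach ($al in $doc.SelectNodes("//*[local-name()='AutoLogon']")) {
        $node  = $al.SelectSingleNode("*[local-name()='LogonCount']")
        $count = if ($node) { $node.InnerText.Trim() } else { 'missing' }
        [pscustomobject]@{ Item = 'AutoLogon LogonCount'; Value = $count; Ok = ($count -eq '1') }
    }
    # Report where a password is embedded, never the value itself.
    $pwXPath = "//*[local-name()='Password' or local-name()='AdministratorPassword']"
    foreach ($pw in $doc.SelectNodes($pwXPath)) {
        $plain = $pw.SelectSingleNode("*[local-name()='PlainText']")
        $flag  = if ($plain) { $plain.InnerText.Trim() } else { 'not set' }
        [pscustomobject]@{
            Item = "Embedded password in $($pw.ParentNode.LocalName)"
            Value = "PlainText=$flag"; Ok = $false
        }
    }
    # List what will run at first logon so it can be checked against the intended script.
    foreach ($cmd in $doc.SelectNodes("//*[local-name()='CommandLine']")) {
        [pscustomobject]@{ Item = 'First-logon command'; Value = $cmd.InnerText.Trim(); Ok = $null }
    }
}

Test-UnattendReview -XmlText $sample | Format-Table -AutoSize -Wrap
```

Against a real file, pass `(Get-Content C:\CompanyName\sysprep.xml -Raw)` as `-XmlText`. An embedded password is flagged whatever `PlainText` says, because the non-plaintext form is only Base64-encoded and the file stays on every cloned disk unless the first-logon script deletes it.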
Next, the overall process looks like this:
- Automate driver installation using HP SoftPaqs and script to copy the files into C:\CompanyName\ModelName\
- Optionally, automate and script BIOS updates
- Create a script named “ImageConfigTasks.vbs” (code below) to do the following items (this will run post sysprep). The script should be copied into C:\CompanyName. You can use the attached script as a starting point.
  - Prompt for PC name
  - Detect PC model and install drivers (do this next to ensure the NIC driver gets installed for the domain join)
  - Join to domain and OU
  - Install SCCM client
  - Install SCEP client
  - Restart Windows
- Create sysprep.xml file with x64 bits which essentially allows the PC to auto logon into Windows with the admin account and launches ImageConfigTasks. You can use the attached sample as guidance, but do not actually use this file as it was compiled for the x86 components and you need it for x64.
- Create a “build” task sequence which installs Windows, software, security updates, copy of the drivers into the CompanyName folder, copy of the ImageConfigTasks script, copy the sysprep.xml file
- Run the task sequence on a VM
- After completion, log in to Windows and run %SYS32%\sysprep\sysprep.exe /generalize /oobe /shutdown /unattend:C:\CompanyName\sysprep.xml
- This will sysprep the PC’s disk for cloning. Do not power on the PC once it’s shut down!
- Optionally, you can creatively automate this process so that you do not need to actually login to the PC
- Once the PC with the cloned disk has been delivered onsite, power on the PC. Windows will go through mini-setup to install generic devices. Then Windows will auto logon to run the script and complete the setup process.
Run on physical hardware
To build-out this custom solution for the vendor, do the following.
- Complete and “certify” the newly captured image (note: this is still in progress as of 12:15 PM today, but is looking good to complete successfully).
- Use the deployment task to install this image AND the hardware drivers AND any other software/configurations that did not make it into the image. You may also want to change the task sequence to NOT join to the domain for this model so that it does not receive [junky] group policies.
- Once that task sequence is done, login to Windows as the local admin account.
- Ensure the two script files live in C:\CompanyName
- Run %SYS32%\sysprep\sysprep.exe /generalize /oobe /shutdown /unattend:C:\CompanyName\sysprep.xml
- DO NOT TURN THE COMPUTER ON. Remove the hard drive and give to vendor. Once a cloned PC is onsite and connected to the network, only then should the PC be turned on. A prompt for the computer name will appear and then the custom script will execute.
While you’re in the process of testing/development, you can of course turn it on to validate the scripts execute, drivers are installed, etc.
For those who need to add language packs to a Win7 image build/deployment, but only have SCCM infrastructure (without MDT integration), a TechNet forum posting gives the answer (which I’ve posted below).
- Create a package and copy each lp.cab file into the root (Just rename each cab so they can all exist in the same folder e.g. de-de.cab for German etc…)
- In your task sequence, after the Setup windows and ConfigMgr step and before you apply any updates (important) add a Run command line step with the following properties:
  - Package: The package from step 1
  - Disable 64-bit file system redirection: Enabled
  - Command Line: cmd.exe /c dism.exe /online /add-package /PackagePath:"%CD%"
This will add all language packs that exist in the package directory to the installed OS. If you need to add more languages later, just drop a CAB file in the package and update it; the command line stays the same. This also has the added benefit of only downloading the package once to install all the required languages. If you specify multiple tasks to do this in the task sequence, it has to download each one separately, which can add some additional overhead to the time to install.
We have implemented Microsoft Lync in our environment and are preparing to “federate” our domain. When this happens, users who have set up a Windows Live ID using their company email address will no longer be able to use Messenger. I created the following script which will get the login email address from Messenger as well as the last login time, then output the information to a text file on a file share.
```vbscript
'==========================================================================
' AUTHOR: Nick Moseley, https://t3chn1ck.wordpress.com
' DATE : 10/20/2011
'==========================================================================
Option Explicit
Const ForAppending = 8
On Error Resume Next

Dim oShell, oFSO, oUserDir, colSubFolders
Dim strProfileFolder, strAppFolder
Set oShell = CreateObject ("wscript.shell")
Set oFSO = CreateObject ("Scripting.FileSystemObject")

If oFSO.FolderExists ("c:\users") Then
    strProfileFolder = "c:\users"
    strAppFolder = "\AppData\Local\Microsoft\Messenger"
Else
    strProfileFolder = "c:\Documents and Settings"
    strAppFolder = "\Local Settings\Application Data\Microsoft\Messenger"
End If

Set oUserDir = oFSO.GetFolder (strProfileFolder)
Set colSubFolders = oUserDir.SubFolders

' Open log file
Dim sFileName, oLogFile
sFileName = "\\engsvr01\pstlogs\SCCM\" & oshell.ExpandEnvironmentStrings("%COMPUTERNAME%") & ".txt"
If not oFSO.FileExists (sFileName) Then
    oFSO.CreateTextFile sFileName
End If
Set oLogFile = oFSO.OpenTextFile (sFileName, ForAppending, True)
oLogFile.WriteLine "====Started: " & Date & "===="
oLogFile.WriteLine " "

' For User folders, check for Windows
Dim oFldr, oFldr2, oWLMfolders, colWLMusers, oConfigFile, sFolderPath
For Each oFldr In colSubFolders
    sFolderPath = strProfileFolder & "\" & oFldr.Name & strAppFolder
    ' if the Messenger folder exists, then do the following
    If oFSO.FolderExists (sFolderPath) Then
        Set oWLMfolders = oFSO.GetFolder (sFolderPath)
        Set colWLMusers = oWLMfolders.SubFolders
        ' if the subfolders contains the config.cache file, then it was signed into on WLM
        For Each oFldr2 In colWLMusers
            oLogFile.WriteLine "User: " & oFldr.Name
            oLogFile.WriteLine "Email: " & oFldr2.Name
            If oFSO.FileExists (sFolderPath & "\" & oFldr2.Name & "\config.cache.xml") Then
                ' Set oConfigFile to get file's timestamp
                Set oConfigFile = oFSO.GetFile (sFolderPath & "\" & oFldr2.Name & "\config.cache.xml")
                'oLogFile.WriteLine "User: " & oFldr.Name
                'oLogFile.WriteLine "Email: " & oFldr2.Name
                oLogFile.WriteLine "Last signin: " & oConfigFile.DateLastModified
            Else
                oLogFile.WriteLine "Last signin: UNKNOWN"
            End If
            oLogFile.WriteLine " "
        Next
    End If
Next

' end logging
oLogFile.WriteLine "====Ended===="
oLogFile.WriteLine " "
WScript.Quit (oLogFile.Close)
```
Since not all computers will have used Messenger, let alone a person having logged into Messenger, create a collection that will be limited to just computers that have recently executed “msnmsgr.exe”. You can use the below query to determine those systems for your collection.
```sql
select distinct SMS_R_System.Name
from SMS_R_System
inner join SMS_G_System_CCM_RECENTLY_USED_APPS
    on SMS_G_System_CCM_RECENTLY_USED_APPS.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_CCM_RECENTLY_USED_APPS.ExplorerFileName = "msnmsgr.exe"
order by SMS_R_System.Name
```
When our company first implemented Windows 7, the performance was quite good and we were impressed. However, now that Win7 has been in our organization for the last 1 1/2 years, we’re beginning to see a significant performance degradation in boot times. What was a 1 minute boot time can now be anywhere from 4 to 10 minutes for Windows to get to the Ctrl-Alt-Del screen.
In performing analysis on extremely slow boot/login times, I identified both the cause and a Win7 hotfix to correct the issue. If you are having a similar problem, check out KB2505348 – High CPU usage or a lengthy startup process occurs during WMI repository verification when a large WMI repository exists in Windows 7 or in Windows Server 2008 R2.
One has to chuckle at Microsoft’s titled description of the issue as “lengthy startup process”, which in the real world means “so slow that you never want to ever EVER shut off your computer because every time you do, you consider making a switch to Linux”.
** Update 10/2/12: there is a newer version for Windows 7 SP1 at http://support.microsoft.com/kb/2617858 **