Archive for February, 2014

OK, well it’s not completely true to claim it’s a Zero Touch MDT solution; however, it is a fully automated Lite Touch solution for upgrading your Windows XP computers to Windows 7 using MDT 2012 Update 1.

Some of you will be aware of the issue that occurs if you upgraded to System Center Configuration Manager 2012 R2: the bootsect.exe included in the Windows ADK 8.1 isn’t compatible with Windows XP, so you can’t stage a 2012 R2 boot image to a computer running Windows XP. That meant there was no way to refresh XP systems with that version of Configuration Manager.

Microsoft has released a hotfix for this issue recently: http://support.microsoft.com/kb/2910552

However, there is an alternative to applying this update. You can still fall back to MDT 2012 Update 1 and have a fully automated solution for upgrading any Windows XP instances you still have out in the wild, using USMT to migrate the user data as part of the refresh process.

Here are the steps I followed so I didn’t have to apply this hotfix. I have a small environment, only 1500 seats, so going down this path made more sense than messing with my production Configuration Manager 2012 R2 instance just to get XP support back.

  1. Build up a fully patched Windows Server 2012 R2 instance (or your preferred supported OS). This can be running on your choice of hypervisor if you prefer.
  2. Install the Windows ADK 8.1 (http://www.microsoft.com/en-au/download/details.aspx?id=39982) and select the Deployment Tools, User State Migration Tool (USMT) and Windows Preinstallation Environment (Windows PE) options. Note that a new version was released, so make sure you re-download it if you have an older copy.
  3. Install MDT 2012 Update 1 (http://www.microsoft.com/en-au/download/details.aspx?id=25175). Note that you cannot use MDT 2013 as it doesn’t support Windows XP.
  4. Create your Deployment Share and import your drivers, any applications, packages, OS wim files etc.
  5. Update your boot images with any required drivers.
  6. Update your Unattend.xml if required (I just re-used my Config Manager copy which saves a fair amount of time).
  7. Enable MDT Monitoring and create your Log folder and share.
  8. Test your refresh process before attempting any automation to ensure the upgrade process runs smoothly without any base problems such as missing drivers.
  9. Once you have your refresh Task Sequence working as expected we can look at updating our CustomSettings.ini file to automate the refresh process.
  10. Update your ini file – you can use my ini file settings as a guide.

[Settings]
Priority=Default
Properties=MyCustomProperty, SavedJoinDomain

[Default]
OSInstall=Y
_SMSTSOrgName=%YOURORGNAME%
DeployRoot=\\%SERVERNAME%\DeploymentShare$
DoCapture=No
DisableTaskMgr=YES
HideShell=YES

SkipCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipBitLocker=YES
SkipFinalSummary=YES
SkipSummary=YES
SkipBDDWelcome=YES
SLShare=\\%SERVERNAME%\Logs$
SkipDeploymentType=YES
DeploymentType=REFRESH
SkipDomainMembership=YES
JoinDomain=%FQNDOMAINNAME%
DomainAdmin=%NetworkAccessAccountName%
DomainAdminDomain=%NetBiosDomainName%
DomainAdminPassword=%NetworkAccessAccountPassword%
SkipUserData=YES
UserDataLocation=AUTO
SkipComputerBackup=YES
USMTMIGFILES001=MigUser.xml
USMTMIGFILES002=MigApp.xml
USMTMIGFILES003=YourCustom.xml
USMTConfigFile=YourWindowsXPConfig.xml
ScanStateArgs=/v:5 /o /c /ue:administrator /ue:%yourdomain%\adm* /uel:45
LoadStateArgs=/v:5 /c /lac
SkipTaskSequence=YES
TaskSequenceID=%YourTaskSequenceIDNumber%
SkipComputerName=YES
OSDComputerName=%ComputerName%
SkipLocaleSelection=YES
UILanguage=en-AU
UserLocale=en-AU
KeyboardLocale=en-AU;0409:00000409

SkipTimeZone=YES
TimeZone=265
TimeZoneName=Tasmania Standard Time

SkipApplications=YES

UserID=%NetworkAccessAccountName%
UserPassword=%NetworkAccessAccountPassword%
UserDomain=%NetBiosDomainName%

EventService=http://%SERVERNAME%:9800
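Before copying an ini like the one above into the Control folder of the deployment share, it is worth checking it mechanically. The following PowerShell is an added example I wrote for this post, not part of the original; it is not MDT’s own tooling. It parses CustomSettings.ini, confirms that every wizard page that has to be skipped for an unattended refresh has both its Skip* key set to YES and the answer key MDT then needs, and lists the keys that hold a credential in clear text, since anyone who can read the Control folder can read those too. The ini path and the Skip*/answer pairings are assumptions taken from the settings shown in this post; extend them for your own file.

```powershell
# Added example: sanity-check a CustomSettings.ini for an unattended MDT refresh.
# Path is hypothetical; point it at your own deployment share.
$IniPath = '\\SERVERNAME\DeploymentShare$\Control\CustomSettings.ini'

# Wizard pages that must be skipped, and the answer key MDT expects in their place.
# Mapping assumed from the ini in the post; add your own Skip* keys as needed.
$RequiredPairs = @{
    'SkipDeploymentType'   = 'DeploymentType'
    'SkipDomainMembership' = 'JoinDomain'
    'SkipTaskSequence'     = 'TaskSequenceID'
    'SkipComputerName'     = 'OSDComputerName'
    'SkipTimeZone'         = 'TimeZoneName'
    'SkipUserData'         = 'UserDataLocation'
}
# Keys whose values are credentials stored in clear text on the share.
$CredentialKeys = 'DomainAdminPassword', 'UserPassword', 'AdminPassword'

function Read-CustomSettingsIni {
    param([Parameter(Mandatory)][string]$Path)
    # Returns a hashtable: section name -> ordered key/value pairs. Comments start with ';'.
    $ini = @{}
    $section = ''
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $ini[$section] = [ordered]@{}
            continue
        }
        $key, $value = $line -split '=', 2          # split on the first '=' only
        if ($section -and $null -ne $value) {
            $ini[$section][$key.Trim()] = $value.Trim()
        }
    }
    return $ini
}

function Test-UnattendedRefresh {
    param([Parameter(Mandatory)][hashtable]$Ini, [string]$Section = 'Default')
    $settings = $Ini[$Section]
    if (-not $settings) { return ,"Section [$Section] not found" }
    $problems = @()
    foreach ($skip in $RequiredPairs.Keys) {
        $answer = $RequiredPairs[$skip]
        if ($settings[$skip] -ne 'YES') {
            $problems += "$skip is not YES; the wizard will stop on that page"
        } elseif (-not $settings[$answer]) {
            $problems += "$skip=YES but $answer is empty; MDT has no answer for the skipped page"
        }
    }
    foreach ($k in $CredentialKeys) {
        if ($settings[$k]) {
            $problems += "$k is stored in clear text; restrict the NTFS and share ACLs on the Control folder"
        }
    }
    return $problems
}

$ini      = Read-CustomSettingsIni -Path $IniPath
$findings = Test-UnattendedRefresh -Ini $ini
if ($findings.Count -eq 0) { 'CustomSettings.ini looks ready for an unattended refresh' }
else { $findings | ForEach-Object { "WARNING: $_" } }
```

Run it from a machine that can reach the share; a clean result means the wizard has an answer for every page it is told to skip. The credential warnings will always fire for an ini like the one above, which is the point: the network access account password sits in that file, so keep the account’s rights to the minimum the refresh needs and keep the Control folder readable only by the accounts that need it.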

Test your fully automated MDT refresh scenario by running litetouch.vbs from the MDT deployment share. If it is working, you should see the OS upgrade progress without any dialog box prompts.

There are quite a few ways of actually kicking off the execution of the litetouch.vbs script, however I will leave this mechanism up to you.

Here’s a video of the finished refresh process, which shows MDT processing the answers provided by CustomSettings.ini. I have also shown that the USMT hard-linking process is working. The TS then stages the boot image, reboots into WinPE and begins to overlay my Windows 7 corporate wim.

http://youtu.be/9vJet3okIBw

Cheers

Damon


Last year I attended a Server 2012 course with a few of my work colleagues, and there was a tiny section on creating Active Directory accounts with PowerShell. This was demonstrated using the Active Directory PowerShell module and the New-ADUser cmdlet with a CSV. The basic premise was that you had a CSV file with all the account details, which the script read to create the AD accounts.

This is great for a scenario where you have to create a lot of AD accounts all at once, but what about the ongoing process of creating new AD accounts as users start with an organisation?

We had quite an arduous manual process to follow, so I’ve expanded on that demo from the training lab to produce a script that suits our requirements and automates everything. The script does the following:

  1. Checks for the presence of the Active Directory module and imports it if required.
  2. Sets the Organisation Unit for the AD account to be created in.
  3. Sets the variables that are needed to create the account, such as username, first name, last name, password etc. There is a built-in check to make sure that the username isn’t already in use. The script also sets variables for a few attributes that we are using for Exchange mailbox and billing purposes.
  4. Creates the AD account.
  5. Adds specified AD groups to the account.
  6. Prompts if additional services are required like an Exchange mailbox or Lync account.
  7. Creates the users home directory and then sets permissions. We have fairly specific home directory paths and share names so you will most likely need to play with this and alter to your requirements.

The part of the script that actually creates the account is quite small:

# $samname, $dplname, $password etc. are populated earlier in the script.
# $password must be a SecureString (e.g. from ConvertTo-SecureString), not plain text.
New-ADUser -Name $dplname -SamAccountName $samname -DisplayName $dplname `
    -GivenName $givname -Surname $surname -UserPrincipalName $upname -EmailAddress $email `
    -Path $targetou -Enabled $true -ChangePasswordAtLogon $true -Department $department `
    -OtherAttributes @{'departmentNumber' = "$departmentnumber"} -HomeDrive "M:" -HomeDirectory $homedir `
    -Description $description -Office $office -ScriptPath $loginscript -AccountPassword $password
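To show how the steps above fit together end to end, here is an added example of my own for this post; it is not the script attached below and does not reproduce its home directory or attribute handling. It covers the username uniqueness check, a cryptographically random initial password that the user must change at first logon, account creation in a target OU, group membership, and a home directory whose ACL grants only that user Modify on top of whatever the share root inherits. The OU, UPN suffix, group name, share root and naming scheme (first initial plus surname) are all assumptions; replace them with your own.

```powershell
# Added example: create a starter's AD account end to end. OU, domain, group,
# share root and naming scheme are assumptions, not the post's values.
Import-Module ActiveDirectory -ErrorAction Stop

function New-RandomPassword {
    param([int]$Length = 16)
    # 64 symbols (no ambiguous I/O/l/0/1) so "byte mod 64" is unbiased.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-@'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Get-UniqueSamAccountName {
    param([Parameter(Mandatory)][string]$First, [Parameter(Mandatory)][string]$Last)
    # First initial + surname, lower case, letters only, within the 20-char sAMAccountName limit;
    # appends 2, 3, ... until the name is not already in use in the directory.
    $base = (($First.Substring(0, 1) + $Last) -replace '[^a-zA-Z]', '').ToLower()
    if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }
    $candidate = $base
    $n = 1
    while (Get-ADUser -Filter "sAMAccountName -eq '$candidate'") {
        $n++
        $candidate = $base.Substring(0, [Math]::Min($base.Length, 20 - "$n".Length)) + $n
    }
    return $candidate
}

function New-StarterAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$First,
        [Parameter(Mandatory)][string]$Last,
        [Parameter(Mandatory)][string]$Department,
        [string]$TargetOu  = 'OU=Staff,DC=example,DC=local',   # assumption
        [string]$UpnSuffix = 'example.local',                  # assumption
        [string[]]$Groups  = @('Staff-All'),                   # assumption
        [string]$HomeRoot  = '\\fileserver\home$'              # assumption
    )
    $sam     = Get-UniqueSamAccountName -First $First -Last $Last
    $display = "$First $Last"
    $homeDir = Join-Path $HomeRoot $sam
    $plain   = New-RandomPassword
    $secure  = ConvertTo-SecureString $plain -AsPlainText -Force

    if ($PSCmdlet.ShouldProcess($sam, 'Create AD account')) {
        New-ADUser -Name $display -SamAccountName $sam -DisplayName $display `
            -GivenName $First -Surname $Last -UserPrincipalName "$sam@$UpnSuffix" `
            -Path $TargetOu -Department $Department -HomeDrive 'M:' -HomeDirectory $homeDir `
            -AccountPassword $secure -ChangePasswordAtLogon $true -Enabled $true

        foreach ($g in $Groups) { Add-ADGroupMember -Identity $g -Members $sam }

        # Home directory: keep the inherited ACEs from the share root, add Modify for this user only.
        New-Item -Path $homeDir -ItemType Directory -Force | Out-Null
        $acl  = Get-Acl -Path $homeDir
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$env:USERDOMAIN\$sam", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $homeDir -AclObject $acl
    }
    # Hand the initial password over out of band; never write it to a log or ticket.
    [pscustomobject]@{ SamAccountName = $sam; HomeDirectory = $homeDir; InitialPassword = $plain }
}

# Usage (dry run first):
# New-StarterAccount -First 'Jane' -Last 'Citizen' -Department 'Finance' -WhatIf
```

Because the function supports -WhatIf, you can run it against the lab first and see which sAMAccountName and home directory it would create without touching the directory. The account is enabled only after a password is set, and ChangePasswordAtLogon forces the generated one to be replaced on first use.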

I have used some snippets of code from SourceForge and a few other sites; credit to those who posted these sections, in particular the PowerShell script to set share permissions on a folder.

The script has been saved as a Word document to allow it to be uploaded. Just copy the text into a text file and save it with a .ps1 extension.

USE THIS SCRIPT AT YOUR OWN RISK, this script should be altered as needed and fully tested in your lab environment before any use in a production environment.

CreateADUSer


Cheers

Damon

Recently I’ve had to tweak our Windows 8.1 Group Policy following the deployment of some Surface Pros. I noticed that a few people were attempting to link their personal Microsoft accounts with these devices. In addition, we had a call from someone who had uninstalled the modern Camera app (somehow); I’ve stripped pretty much all of the modern apps out of our corporate image, but this one was left installed for obvious reasons. Someone else had also reported a weird Internet Explorer browser: looking at this, they had done a search in the new interface which returned Bing internet search results, and these opened up in the modern Internet Explorer app rather than the desktop version, even though I have a policy configured to load the desktop version.

I already have the Windows Store turned off with Group Policy.

These are the new policies I’ve adjusted with some screen shots of the corresponding results:

1. Prevent Users from uninstalling modern applications from the Start menu

User Configuration\Policies\Administrative Templates\Start Menu and Task Bar\Prevent Users from uninstalling applications from Start (Enabled)

2. Prevent Internet Search Results from showing

Computer Configuration\Policies\Administrative Templates\Windows Components\Search\Don’t search the web or display web results in Search (Enabled)

[screenshot]

3. Block Microsoft Accounts from being used

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Users can’t add or log on with Microsoft accounts

[screenshots]

I’m using a WMI filter to target the Group Policy at Windows 8.1 Operating Systems only.
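Group Policy applying is one thing; knowing it has landed on a given Surface is another. The following PowerShell is an added example of my own (not part of the original post) that checks the three settings above on a machine by reading the registry values the policy templates write, and also shows the WQL I would use in a WMI filter to target Windows 8.1 clients only. The registry paths and expected values are what the ADMX and security templates write as far as I know, not something taken from the post; verify them against your own templates before relying on the script.

```powershell
# Added example: verify that the three Windows 8.1 policies from the post have applied,
# and show a WMI filter query that matches Windows 8.1 workstations only.
# Registry mappings are assumed from the policy templates; confirm against yours.
$Checks = @(
    @{ Name     = 'Prevent users from uninstalling applications from Start'
       Path     = 'HKCU:\Software\Policies\Microsoft\Windows\Explorer'
       Value    = 'NoUninstallFromStart'; Expected = 1 }
    @{ Name     = "Don't search the web or display web results in Search"
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Value    = 'DisableWebSearch'; Expected = 1 }
    @{ Name     = 'Accounts: Block Microsoft accounts (users cannot add or log on)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value    = 'NoConnectedUser'; Expected = 3 }
)

function Test-PolicyApplied {
    param([Parameter(Mandatory)][hashtable]$Check)
    # Missing key or value simply yields $null, which reports as not applied.
    $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue).($Check.Value)
    [pscustomobject]@{
        Policy   = $Check.Name
        Expected = $Check.Expected
        Actual   = $actual
        Applied  = ($actual -eq $Check.Expected)
    }
}

# WQL for the GPO WMI filter: Windows 8.1 reports version 6.3; ProductType 1 is a
# workstation, so Server 2012 R2 (same version, ProductType 2 or 3) is excluded.
$Windows81Filter = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ProductType = "1"'

function Test-Windows81Filter {
    # $true when the local machine would match the WMI filter above.
    $null -ne (Get-CimInstance -Query $Windows81Filter -ErrorAction SilentlyContinue)
}

"WMI filter matches this machine: $(Test-Windows81Filter)"
$Checks | ForEach-Object { Test-PolicyApplied -Check $_ } | Format-Table -AutoSize
```

Run it in the context of a logged-on user, since the first setting is a User Configuration policy and lives under HKCU. A row showing Applied = False straight after a gpupdate usually means the WMI filter excluded the machine or the GPO link is wrong, which is quicker to spot here than by reading through gpresult output.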

[screenshot]

Cheers

Damon

I thought I might do a quick blog about this particular tool that I have used a lot since upgrading to R2. I think it offers real value for the average Config Manager Administrator.

So you’ve just created that new driver package and have kicked off replication to all your Distribution Points, most of which no doubt have bandwidth throttling during business hours. Any idea how far it’s progressed? Nope. Any idea which DPs have had the content replicated and which ones haven’t? Not easily. Sound familiar? Want to test your OSD Task Sequence and see at a glance when the content is on the DP local to your Hyper-V instance so you can start? This was one of many sources of frustration for me.


Well, fear not: there is a new tool that comes with the latest toolkit for Config Manager 2012 R2 which vastly improves on what I think is a pretty limited pane of information in the console.

The latest toolkit is available here to download:

Once installed, open up the Distribution Point Job Queue Manager and you are met with the initial connection screen. Type in the primary site server that you’re interested in and hit CONNECT; note that you need to do this as an account with the ‘full administrator’ role assigned. I don’t bother typing the FQDN, just the hostname.

Once connected, you can start experiencing what it’s like to actually know what is happening with those DPs of yours. No more opening up PkgXferMgr.log with CMTrace, which is what I was doing with 2012 SP1 prior to the release of R2, and certainly no more hitting refresh on the console waiting for that yellow circle to turn green.


There are three other tabs which give you varying informational displays about the progress of your package or application distribution, with a useful auto-refresh function. If you are distributing medium to large packages and it’s taking a while, the tool will give you the replication progress as a percentage. You can also change the order of each job if you want a package or application to replicate to one DP before another. This is particularly useful if for some reason a package starts replicating to a site with a slow link and only a small percentage of it available for Configuration Manager to use for distribution. It’s worth noting that Configuration Manager will remember which DPs are fastest and then replicate content in that order, fastest to slowest, in a classic DP structure.


I’m sure some of you are pretty happy with what’s in the console at present; however, this tool has provided a level of awareness and time management that just wasn’t there for me, given the large number of DPs I have with limited bandwidth.

Happy Replicating,

Cheers Damon