Posts Tagged ‘Windows 7’

Let's assume that you're using MDT 2013, WSUS and Hyper-V to build and capture your Windows 7 SP1 reference image.

Due to the large number of updates now required for Windows 7 SP1 (over 200!), you may run into an issue where your VM runs out of memory. Specifically, the problem is caused by the process TrustedInstaller.exe. To avoid this, make sure you allocate at least 4GB of memory. In addition, it's worth adding an additional processor to improve performance.




Even with these settings it takes a very long time for the process to complete. Hopefully Microsoft will release a new ISO this year with updates included.





Recently we noticed some performance issues in laptops with shared graphics when the Windows 7 Basic Theme was being used (particularly with external monitors using DisplayPort cables). These issues were resolved when selecting the Windows 7 Aero Theme. We were even able to reproduce the problems on the manufacturer's image.

I have asked on a few international Configuration Manager forums and apparently the Windows 7 Basic theme being used as a default is a well-known issue for people when you capture an image using a virtual platform such as Hyper-V or VMware. Some are deploying custom branded themes (which utilize the Aero technology) and others are setting the default Windows 7 Aero theme with Group Policy, as we have done with this solution. Others are aware of the setting but have elected to do nothing and leave it as is, with Windows 7 using the Basic Theme as the default.

We have applied two distinct actions.

1. Apply an additional step at the end of our build Task Sequences to run winsat.exe dwm which assesses the ability of a system to display the Aero desktop effects.


2. Create a new Group Policy which targets the Windows 7 OS version via a WMI query to set the Windows 7 Aero theme (settings located at User Configuration \ Administrative Templates \ Control Panel \ Personalization: "Force a specific visual style or force Windows Classic" and "Load a specific theme file").



Our builds are now using Windows 7 Aero theme as the default upon login.



This is an interesting one with a useful fix to know about.

A few months ago I did a new MDT Build and Capture; the process was largely automated with the use of LTISuspend.wsf to check a few things before resuming.

Recently I noticed that the Windows 7 Firewall Service wasn’t running on some computers. Not all, but still quite a few. I traced the problem back to this particular build.

Digging a bit more into the error – I could see Event ID 7024 being logged – The Windows Firewall Service terminated with service-specific error Access is denied.



The following Microsoft KB article was useful in diagnosing the fault and confirmed that the problem was related to the “NT Authority\MpsSvc” account not having the correct permissions to some registry keys.

It would seem that somewhere during the build and capture process, the service account permissions were stripped out or not applied correctly, possibly during the WSUS patching phase of the build.

The following blog discusses the specific, correct permissions required for the Windows Firewall Service to start under Windows 7.

There seem to be quite a few articles that describe the cause and how to fix the problem; however, I was unable to find a script or automated solution to address the issue. To automatically set the correct registry permissions I wrote a simple batch file using SubinACL, then created a program with Configuration Manager 2012 and deployed it to all my affected Windows 7 instances. Here is the syntax of the script:

Please be aware that when copying and pasting from this blog, the inverted commas may need to be re-typed.

REM Grant the firewall service account its rights on the four SharedAccess keys
SUBINACL /verbose=1 /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy" /grant="NT Service\MpsSvc"=QSCEYDA
SUBINACL /verbose=1 /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch" /grant="NT Service\MpsSvc"=QS
SUBINACL /verbose=1 /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2" /grant="NT Service\MpsSvc"=QS
SUBINACL /verbose=1 /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" /grant="NT Service\MpsSvc"=QSCEYDA
REM Start the Windows Firewall service now that the permissions are restored
net start mpssvc


SUBINACL can be downloaded from here.

The script sets the correct permissions for the respective registry keys discussed in KB article 943996 and the Microsoft Technet Blog, then starts the Windows Firewall Service and exits. Of course, you can also simply run the bat file manually from an elevated command prompt. The screenshot below shows the keys that are changed.
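
To confirm which machines actually need the fix, and that it took effect afterwards, the same four keys can be audited without changing anything. The following PowerShell script is an added example, not part of the original post; it assumes the account name used in the batch file above and my reading of the SubInACL letters (Q, S, C, E, Y, D, A) as the .NET RegistryRights values named in the comments.

```powershell
# Added example (not from the original post): read-only audit of the four keys
# the batch file touches. Run elevated on the Windows 7 client being checked.
$account = 'NT SERVICE\MpsSvc'
$base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'

# Assumed mapping of the SubInACL letters used in the post to RegistryRights:
# Q=QueryValues S=SetValue C=CreateSubKey E=EnumerateSubKeys Y=Notify D=Delete A=ReadPermissions
$qs      = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue'
$qsceyda = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, CreateSubKey, EnumerateSubKeys, Notify, Delete, ReadPermissions'

$expected = @{
    'Defaults\FirewallPolicy'   = $qsceyda
    'Epoch'                     = $qs
    'Epoch2'                    = $qs
    'Parameters\FirewallPolicy' = $qsceyda
}

$results = foreach ($sub in $expected.Keys) {
    $path   = Join-Path $base $sub
    $needed = [int]$expected[$sub]
    $status = 'MISSING'
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
        # OR together every Allow ACE held by the service account
        $granted = 0
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -eq $account -and $ace.AccessControlType -eq 'Allow') {
                $granted = $granted -bor [int]$ace.RegistryRights
            }
        }
        if (($granted -band $needed) -eq $needed) { $status = 'OK' }
    } catch {
        $status = "ERROR: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{ Key = $sub; Status = $status }
}

$results | Sort-Object Key | Format-Table Key, Status -AutoSize
$svc = Get-Service -Name MpsSvc
"MpsSvc service state: $($svc.Status)"

# Non-zero exit code lets a deployment tool flag the machine as needing the fix
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 } else { exit 0 }
```

Save it as a .ps1 file rather than pasting it into a console, since the final `exit` closes the session it runs in.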


Applying this change has resolved the problem and performing a new MDT Build and Capture and then deploying that WIM file with Configuration Manager 2012 R2 CU1 has not resulted in the problem re-occurring.

Use this script at your own risk. Whilst it only restores permissions that should already be present, it should still be tested in a lab environment before use.