A blog with focus on experiences with the Windows Client operating systems…

  • Restoring Internet Explorer favorites from an invalid UE-V package

    Posted on March 2nd, 2017 By Andreas Stenhall + No comments

    Those of you who know me know that I am somewhat stubborn and I never give up. This case could easily have gotten anyone to crack! This blog post shows a way to restore favorites from within a UE-V (User Experience Virtualization) package that UE-V cannot use to roam the favorites, as the package is considered invalid.

    Problem

    A user has created some 2346(!) favorites in Internet Explorer over the years. UE-V is used to roam favorites. After the user reinstalled the machine from Windows 7 to Windows 10, the favorites went missing.

    Investigation

    To start with, the package supposedly containing the favorites (MicrosoftInternetExplorer.common.pkgx) could still be found in the SettingsPackages folder; its size was 1,24MB and it was dated just a week ago. Those of you who have worked with UE-V know that a package that large signals that it contains a rather large amount of data. With that indication, I assumed that the favorites were still lurking in there.

    The first thing to try was to force a read of the package via the UE-V agent, as happens whenever IE is started or closed. However, Event Viewer revealed that UE-V thinks there is some kind of problem with the package:

    The initial settings package for settings location template "MicrosoftInternetExplorer.common" is invalid. The initial settings package will be replaced with a new copy.

    Now it is time to analyze the package itself. Note: The cmdlet took quite some time to process this, and it seems that the UE-V agent takes the same amount of time to process this large number of favorites (~30 seconds).

    Export-UevPackage c:\temp\MicrosoftInternetExplorer.common.pkgx | out-file C:\temp\MicrosoftInternetExplorer.common.txt

    Reading the output text file revealed that the user had 2346 favorites, data in the following format:

    <SettingsDocument>
    <file>
    <Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder1\Name of site 1.url" Action="Update">FEBB399A-8DF5-4B3D-B73D-A8167F61EB6B.pkgdat</Setting>
    <Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder1\Name of site 2.url" Action="Update">9FA223F9-F065-4269-B02C-E467A6B26459.pkgdat</Setting>
    <Setting Type="VT_FILE" Name="file://{1777F761-68AD-4D8A-87BD-30B759FA33DD}\Folder2\Name of site 3.url" Action="Update">2393C0D8-AEDE-4D11-9CE3-E7E1E4B039CA.pkgdat</Setting>
    ...

    Next up, rename the MicrosoftInternetExplorer.common.pkgx to MicrosoftInternetExplorer.common.zip and open it up. Note that you probably also would want to unblock the ZIP file before extracting the contents, choosing Properties and Unblock. Opening the PKGX as a ZIP shows us all the PKGDAT files listed in the output from Export-UevPackage. Extract the PKGDAT files to a folder, in my example c:\Temp\PKGDAT.

    With these data sources, we have everything we need to recreate the URLs and their structure. Basically, what we need from the output of Export-UevPackage is the folder where the URL file is stored, the name of the URL file and the name of the PKGDAT file.

    Solution

    With the aforementioned pieces of data, we can automate and match this to rebuild the Favorites entirely, using this PowerShell script:

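    # Keep only the <Setting Type="VT_FILE" ...> lines from the exported package
    $urls = (Export-UevPackage c:\temp\MicrosoftInternetExplorer.common.pkgx).split("`n") | select-string VT_FILE

    # Make sure the restore root exists before copying anything into it
    New-Item c:\temp\RestoredURLs -type directory -Force | Out-Null

    foreach ($extracted in $urls)
    {
        # [2] holds the Name="file://{GUID}\Folder\Site.url" part, [3] holds Action="Update">GUID.pkgdat
        $hash1 = $extracted -split '<Setting Type=|Name=|Action=|</Setting>'
        $folder = $hash1[2].split("\")[1]
        $urlname = $hash1[2].split("\")[-1].Replace('"',"").Trim()
        $pkgdat = $hash1[3].Split(">")[1].Trim()

        if ($folder -match '"')
        {
            # No folder in the path: the favorite sits in the root of Favorites
            Copy-Item c:\temp\PKGDAT\$pkgdat c:\temp\RestoredURLs\$urlname
        } else {
            New-Item c:\temp\RestoredURLs\$folder -type directory -Force | Out-Null
            Copy-Item c:\temp\PKGDAT\$pkgdat c:\temp\RestoredURLs\$folder\$urlname
        }
    }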

    This recreated the favorites in the same structure as before! The user was indeed very happy!

    Thanks go to my colleague Jimmy Benandex who helped in making the above PowerShell command. As he mentioned there are better ways of doing the matching but I consider what we produced as a good enough solution :)
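
    The names and file references in an invalid package end up in file system paths, so it pays to parse them strictly. The following is an added example, not the script from this post: it goes beyond the case above by keeping nested folders, accepting only GUID-style PKGDAT names and skipping any entry whose path would land outside the restore folder. The function names and the sample lines are constructed for illustration.

    ```powershell
    # Added example (not the author's script). Function names are hypothetical.
    Set-StrictMode -Version 2

    # One exported line: Name="file://{GUID}\<relative path>" ... >GUID.pkgdat</Setting>
    $SettingPattern = '<Setting Type="VT_FILE" Name="file://\{[0-9A-Fa-f-]+\}\\(?<rel>[^"]+)"[^>]*>' +
                      '(?<pkgdat>[0-9A-Fa-f-]+\.pkgdat)</Setting>'

    function ConvertFrom-UevFileSetting {
        # Turn Export-UevPackage text lines into objects; lines that do not match are ignored.
        param([string[]]$Line)
        foreach ($text in $Line) {
            $m = [regex]::Match($text, $SettingPattern)
            if ($m.Success) {
                [pscustomobject]@{
                    RelativePath = $m.Groups['rel'].Value
                    PkgDat       = $m.Groups['pkgdat'].Value
                }
            }
        }
    }

    function Resolve-RestoreTarget {
        # Return the full destination path, or $null when it would land outside $Root.
        param([string]$Root, [string]$RelativePath)
        try {
            $rootFull = [IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'
            $full = [IO.Path]::GetFullPath([IO.Path]::Combine($rootFull, $RelativePath))
        } catch {
            return $null   # the stored name contains characters that are invalid in a path
        }
        if ($full.StartsWith($rootFull, [StringComparison]::OrdinalIgnoreCase)) { $full } else { $null }
    }

    function Restore-UevFavorite {
        # Copies each PKGDAT file to its original relative path and reports one row per entry.
        param([string[]]$Line, [string]$PkgDatDir, [string]$RestoreRoot, [switch]$ReportOnly)
        foreach ($setting in ConvertFrom-UevFileSetting -Line $Line) {
            $target = Resolve-RestoreTarget -Root $RestoreRoot -RelativePath $setting.RelativePath
            $source = [IO.Path]::Combine($PkgDatDir, $setting.PkgDat)

            if (-not $target) { $status = 'SkippedOutsideRoot' }
            elseif (-not (Test-Path -LiteralPath $source)) { $status = 'MissingPkgDat' }
            else { $status = 'Restored' }

            if ($status -eq 'Restored' -and -not $ReportOnly) {
                # .NET calls treat [ and ] in favorite names literally
                [IO.Directory]::CreateDirectory([IO.Path]::GetDirectoryName($target)) | Out-Null
                [IO.File]::Copy($source, $target, $true)
            }
            [pscustomobject]@{
                Status       = $status
                RelativePath = $setting.RelativePath
                PkgDat       = $setting.PkgDat
            }
        }
    }

    # Constructed sample lines in the format shown in the post (all GUIDs are made up).
    $sample = @(
        '<Setting Type="VT_FILE" Name="file://{11111111-2222-3333-4444-555555555555}\Folder1\Sub\Site A.url" Action="Update">AAAAAAAA-0000-0000-0000-000000000001.pkgdat</Setting>'
        '<Setting Type="VT_FILE" Name="file://{11111111-2222-3333-4444-555555555555}\Site B.url" Action="Update">AAAAAAAA-0000-0000-0000-000000000002.pkgdat</Setting>'
        '<Setting Type="VT_FILE" Name="file://{11111111-2222-3333-4444-555555555555}\..\..\outside.url" Action="Update">AAAAAAAA-0000-0000-0000-000000000003.pkgdat</Setting>'
    )

    # Dry run over the sample; the third entry is reported as SkippedOutsideRoot.
    Restore-UevFavorite -Line $sample -PkgDatDir 'c:\temp\PKGDAT' -RestoreRoot 'c:\temp\RestoredURLs' -ReportOnly |
        Format-Table -AutoSize

    # Real run against the exported package from the post:
    # $lines = (Export-UevPackage c:\temp\MicrosoftInternetExplorer.common.pkgx) -split "`n"
    # Restore-UevFavorite -Line $lines -PkgDatDir 'c:\temp\PKGDAT' -RestoreRoot 'c:\temp\RestoredURLs'
    ```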

  • Smart card removal does not lock the machine in Windows 10 nor previous Windows versions

    Posted on April 14th, 2016 By Andreas Stenhall + No comments

    Anyone who has worked with smart cards and Windows clients has probably seen that on rare occasions users can pull their smart card from the smart card reader and the machine will not be locked, although it should be locked instantly. As this only occurs very rarely, it is extremely hard to troubleshoot. However, things are coming together with a cause that makes sense and also sheds some light on this elusive problem.

    Scenario

    A smart card is enforced to be used to login to machines in Windows 7 or Windows 10. GPO settings declare that when the smart card is removed from the smart card reader, the machine will be locked.

    Problem

    On rare occasions, when the user removes the smart card from the smart card reader, the machine is not locked. Most of the time the machine is locked, but occasionally it is not and the user can continue to work inside Windows with the card in their hands.

    Cause

    The Smart Card Removal Policy service has been restarted. When it restarts, the session that keeps track of when the smart card is pulled from the card reader is lost, and therefore the machine is not locked. The Smart Card Removal Policy service is restarted when new Windows patches are released and installed on the machines; specifically, many of the latest Cumulative Updates for Windows 10 cause the problem. The issue is more rarely seen in Windows 7, likely because the updating/patching strategy differs quite a lot between Windows 7 and Windows 10.

    Resolution

    None by Microsoft as this is by design (bad design I might add). A solution is to use a third party smart card tool that provides its own service to lock the machines.

    Additional notes

    The restart of this service does not trigger any events in the Event Viewer, so we cannot trigger on anything. By design the machine should be locked whenever the Smart Card Removal Policy service is restarted, but that does not happen. Could there be problems with that design? Probably, otherwise I suppose it would work that way already, Microsoft!? :)

  • A unique book on managing Windows clients in an enterprise environment

    Posted on April 27th, 2015 By Andreas Stenhall + No comments

    Most books written about Microsoft products are very focused on one single product. A book about Windows Server covers all you need about the server OS itself. A book about System Center Configuration Manager covers everything you need to know about ConfigMgr in its bubble and a book about a Windows client covers everything you need to know about the client itself.

    The book Enterprise Client Management using Windows Server 2012 R2 and System Center 2012 R2 covers not only the Windows client (Windows 7 as well as 8.1) but how to manage it using Windows Server 2012 R2 and the System Center 2012 R2 products. So all in all a complete scenario on how to manage your Windows clients in the enterprise in a very effective way using Microsoft management tools available.

    The book is now also available on Kindle as of mid April 2015!

  • Memory usage comparison Windows 7 (32 and 64 bit) and Windows 8.1 (64-bit)

    Posted on February 17th, 2015 By Andreas Stenhall + No comments

    To demonstrate how Windows is being optimized over time (i.e. from Windows 7 x86/x64 to Windows 8.1 x64) I have made a very basic benchmark of Windows memory consumption. The benchmarking has been done in a virtualized environment. Before measuring the numbers below, the clean installation of Windows was left idle for 5 minutes and then rebooted. This was repeated three times, after which the numbers below were gathered:

    [Image: windows-memory]

    The conclusion is that Windows 8.1 in its x64 edition is basically consuming as much memory as the 32-bit version of Windows 7 and running smoother with fewer processes running. Windows 7 64-bit is consuming some 100+ megabytes more than Windows 7 32-bit.

  • Resources from my TechDays Sweden 2014 session on preparing for Windows 10

    Posted on November 20th, 2014 By Andreas Stenhall + No comments

    Many thanks to all of you who attended my session yesterday. Here is a summary of the key takeaways from my session “Preparing for Windows 10” at TechDays Sweden 2014 on November 19th. Consider this an action list of what you can do today to prepare yourself for Windows 10.

    Cleaning up

    Yeah, it is so boooooring, but still a golden opportunity to make your client environment more standardized and less complex. Make sure to remove GPOs and GPO settings that are not necessary, and remove or replace scripts, applications or components that are not needed. Also, if you have a Premier support agreement with Microsoft, do use the RAP as a Service for Windows Desktop to let Microsoft do an analysis of your environment and suggest remediation.

    Application compatibility

    App compat when moving from Windows 7 to Windows 8.1 or 10 is practically 99%+ success in terms of regular Win32 based applications. Still actual testing of applications needs to be done for business critical applications.

    New way of doing inventory in Windows 10

    There are new WMI classes in Windows 10 that can be used to collect software inventory. The information can be displayed using PowerShell. Also, there is a feature that inventories what framework or runtime an application is dependent on, for instance which version of .NET Framework or Visual C++ Runtime, and it can even see if there are dependencies on OpenSSL. Imagine having these features in place when the HeartBleed bug appeared earlier this year.

    Display all installed applications on a Windows 10 machine:

    Get-WMIObject Win32_InstalledProgram | select Name, Version, ProgramID | out-GridView

    Display all apps and dependent frameworks on a Windows 10 machine for a specific application (replace the ProgramID in the filter section with another one from the above example):

    Get-WMIObject Win32_InstalledProgramFramework -Filter "ProgramID = '00000b9c648fd31856f33503b3647b005e740000ffff'" | select ProgramID, FrameworkName, FrameworkVersion | out-GridView

    or to bake them together to get both the application name and associated frameworks:

    # Collect every installed program, then look up its frameworks by ProgramID
    $Programs = Get-WMIObject Win32_InstalledProgram | select Name, ProgramID
    $result = foreach ($Program in $Programs) {
        $ProgramID = $Program.ProgramID
        $Name = $Program.Name
        $FMapp = Get-WMIObject Win32_InstalledProgramFramework -Filter "ProgramID = '$ProgramID'"
        # Emit one row per application/framework pair
        foreach ($FM in $FMapp) {
            $out = new-object psobject
            $out | add-member noteproperty Name $Name
            $out | add-member noteproperty ProgramID $ProgramID
            $out | add-member noteproperty FrameworkPublisher $FM.FrameworkPublisher
            $out | add-member noteproperty FrameworkName $FM.FrameworkName
            $out | add-member noteproperty FrameworkVersion $FM.FrameworkVersion
            $out
        }
    }
    $result | out-gridView

    What I forgot to mention in yesterday’s session was that these features are being back ported to previous Windows versions, as that is where you’d typically want to run the inventory, but much of this new way of doing inventory is still work in progress.

    Applications in a mobile world

    Windows 8.1 and Windows 10, together with the new types of devices that make users more mobile, bring other challenges. It is one thing that the OS and devices are great at supporting a mobile work scenario, but without apps that also adhere to this environment you will have challenges. Make sure that the technology to deliver the user experience is evaluated, upgrade the user interfaces where necessary or port them (or parts of them) to modern apps.

    Internet Explorer

    In terms of moving to Windows 8.1 or Windows 10 you will face the most application compatibility challenges with IE11 and web apps. After the summer Microsoft announced that from January 2016 only the latest version of IE will be supported on the currently supported OS’s.

    Are you running your intranet sites in IE7 mode?

    Regardless of whether you run IE8, IE9, IE10 or IE11, you are very likely (without knowing it) running all or many of your internal web apps in IE7 mode, due to a nasty little setting that is still the default in Windows 10 and IE in Windows 10.

    That is the setting that you will find by going to the Tools menu and then Compatibility View settings. The setting, which I strongly recommend unchecking (set it via Group Policies), is called “Display intranet sites in Compatibility View”. I have seen this setting cause problems with web apps, because modern web apps and systems stop supporting IE7 and therefore stop working in IE11.

    The Display intranet sites in Compatibility View should be turned off / unchecked!


    Deploy Internet Explorer 11 today!

    Well, deploy IE11 today and start working with compatibility testing your web apps!

    IE11 Enterprise Mode

    Enterprise Mode in IE11 is a compatibility mode that runs web apps in IE8 mode to make them work on IE11. With the November 2014 CU update for IE11 you will be able to not only set web apps to run in IE8 mode but also any document mode such as IE10, IE9, IE7 or even IE5.

    More on IE11 Enterprise Mode and Enterprise Mode Site List Manager.

    For those of you already running IE11 – inventory tool!

    Not long ago Microsoft released a little tool that will inventory all the web sites a user visits to provide means to get a grip on web app compatibility. The inventory is activated on specific clients (or all if that is OK in terms of integrity etc) and is collected via WMI to for instance System Center Configuration Manager. There are pre-made reports that can be used. More on Enterprise Site Discovery Toolkit for Internet Explorer 11.


    You get detailed information on which IE document mode or compatibility mode is used on sites and specific pages. You will also see which pages are causing IE11 to hang or crash!

    Taming the user interface for Windows 8.1 enterprise users

    A good thing to prepare for Windows 10 is to deploy Windows 8.1. Some time ago I wrote a blog post on how to customize the user interface in Windows 8.1 to make it work as expected and make it easier for the end users. Read the blog post Taming the user interface for Windows 8.1 enterprise users.

    Install Windows 10 Technical Preview

    Of course you can and should install Windows 10 Technical Preview for a number of reasons. Test applications, test in-place upgrade and last but not least, provide Microsoft with feedback either using the built in Windows Feedback app or via UserVoice. This is a unique opportunity to still influence how and what Windows 10 will be!

    UEFI

    Windows 8.1 and Windows 10 have a security feature, Secure Boot, that depends on the machine being installed in UEFI mode. UEFI replaces the 30 year old BIOS that has “always” been around. Note that Microsoft talks a lot about in-place upgrades from previous versions to Windows 10. However, as switching to UEFI demands that you reinstall your OS, you will not be able to get the full benefit of Windows 8.1 or Windows 10 if you are running your machines in legacy boot mode.

    Figure out if your machines are running in UEFI mode and, if not, make sure that you have an infrastructure that supports it and that you switch to UEFI mode in your client machines' BIOSes.

    The easiest way to determine if you are running in UEFI mode is to run msinfo32.exe (only in Windows 8/8.1 and Windows 10). There is a new line that clearly displays that.

    Using msinfo32 in Windows 8, 8.1 or 10 will give you straight info on if you are running in UEFI or Legacy (BIOS) mode.


    If running Windows 7 (or later) you can determine if running in UEFI mode by starting diskmgmt.msc and note if you have an EFI system partition. If you do, you are running in UEFI mode.

    In Disk Management you can determine if running in UEFI mode or Legacy (BIOS) mode. If you do NOT have an EFI System partition you are running in Legacy/BIOS mode.


    If you have Configuration Manager you can look at the pre-made report Hardware – Disk > Disk information for a specific computer – Partitions to see if you have machines that either are running in Legacy/BIOS mode which will have partitions named “Installable File System” or UEFI machines that will have GPT partitions and in particular a GPT System partition.

    In Configuration Manager reports you can determine if running UEFI machines by looking at the inventory of partitions. GPT System disk means that the machine is a UEFI machine.
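
    To run the same check across machines without opening msinfo32 or Disk Management, the partition types can be read from WMI. The following is an added example, not code from this post: it assumes Windows PowerShell, treats a partition of type "GPT: System" as the sign of a UEFI install (the same rule as above), and, on the local machine only, asks Confirm-SecureBootUEFI whether Secure Boot is on. The function names are hypothetical.

    ```powershell
    # Added example, not the author's code. Function names are hypothetical.
    function Get-LocalSecureBootState {
        # Confirm-SecureBootUEFI ships with Windows 8 and later and needs an elevated session.
        if (-not (Get-Command Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)) {
            return 'CmdletUnavailable'
        }
        try {
            if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
        }
        catch [System.PlatformNotSupportedException] { 'NotSupported' }   # legacy BIOS or no Secure Boot
        catch [System.UnauthorizedAccessException]   { 'NeedsElevation' }
        catch { 'Unknown' }
    }

    function Get-FirmwareBootMode {
        # One row per computer: boot mode derived from partition types, plus Secure Boot state.
        param([string[]]$ComputerName = @($env:COMPUTERNAME))
        foreach ($computer in $ComputerName) {
            try {
                $types = @(Get-WmiObject -Class Win32_DiskPartition -ComputerName $computer -ErrorAction Stop |
                           ForEach-Object { $_.Type })
            } catch {
                [pscustomobject]@{
                    ComputerName   = $computer
                    BootMode       = 'Unreachable'
                    PartitionTypes = ''
                    SecureBoot     = 'NotChecked'
                }
                continue
            }

            # An EFI System partition is reported by WMI as "GPT: System"
            if ($types -contains 'GPT: System') { $mode = 'UEFI' } else { $mode = 'Legacy (BIOS)' }

            # The Secure Boot cmdlet only works against the local machine
            $secureBoot = 'NotChecked'
            if ($computer -eq $env:COMPUTERNAME) { $secureBoot = Get-LocalSecureBootState }

            [pscustomobject]@{
                ComputerName   = $computer
                BootMode       = $mode
                PartitionTypes = (($types | Sort-Object -Unique) -join '; ')
                SecureBoot     = $secureBoot
            }
        }
    }

    # Local machine; pass -ComputerName with a list of names to survey several clients.
    Get-FirmwareBootMode | Format-List
    ```

    A machine that reports UEFI with Secure Boot Disabled is already installed in the right mode and only needs the firmware setting changed; a machine that reports Legacy (BIOS) needs the reinstall described above.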


    Cloud connections

    If you haven’t already done so, look into Azure AD and what it has to offer. The cloud connections in Windows 10 will be significant!

    Summary

    There are quite a few things you can do to prepare yourself for Windows 10 so that you are ready when Windows 10 is released sometime next year. Happy Windows 10’ing!

  • UAC settings when remote controlling Windows clients to prevent screen freezing

    Posted on April 13th, 2014 By Andreas Stenhall + No comments

    One very common problem that I encounter every now and then with customers and when doing Windows training is the fact that remote controlling computers causes a freeze in the remote session when UAC kicks in. By default, UAC prompts for elevation on something called the secure desktop, and that effectively blocks any remote input.

    This problem can be fixed by changing the necessary UAC settings. Just as a note: never ever turn off UAC!

    Configure UAC to allow for remote support by setting the following GPO settings under Computer Configuration / Policies / Administrative Templates / Windows settings / Security settings / Local policies / Security Options node:

    User Account Control: Switch to the secure desktop when prompting for elevation policy = Disabled
    User Account Control: Allow UIAccess application to prompt for elevation without using the secure desktop policy = Enabled

  • Follow-up to TechEd session WCL326: Five infrastructure changes that will boost performance for the Windows Client

    Posted on June 27th, 2012 By Andreas Stenhall + No comments

    Here is a summary of the key takeaways from TechEd session WCL326: Five infrastructure changes that will boost performance for the Windows Client, covering the key areas you can look into when optimizing performance from an infrastructure point of view.

    1. Slow machine boot and login / GPOs and scripts

    Use Windows Performance Toolkit (part of Windows 7 SDK) to troubleshoot what is happening during boot. Specifically, narrow in on Group Policy: in the Generic Events section, enable only the Group Policy provider to see what is going on with group policies. Group policies and scripts are most often the bad guys when having performance problems with boot and login.

    Also use Event Viewer > Applications and Services > Windows > Group Policy > Operational log to look for, for instance, events with id 5326, 8000, 8001 or 5016. In particular the last one is of interest as this will quickly show you which Group Policy extension is taking the most time to finish.

    Clean up: remove unnecessary settings and GPO objects. Convert scripts to Group Policy Preferences as necessary, or schedule scripts to run after startup or login to minimize the boot and login times.

    2. Optimizations for RDP

    Activate asynchronous login for users to speed up login for Remote Desktop Services and RemoteApp. Go to Administrative templates > Policies > System > Group Policy and set the setting for “Allow asynchronous user Group Policy processing when logging in to Remote Desktop Services”.

    Three other really great tweaks found in Administrative templates > Policies > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment:

    Do not allow font smoothing = Enabled
    Limit maximum color depth = Enabled, set it to 32-bit
    Set compression algorithm for RDP data = Enabled, set it to Optimized to use less network bandwidth

    3. SMB 2.1

    To get full use of the performance improvements in the SMB2.1 protocol you need file servers that are running Windows Server 2008 R2 or, if you are running a third party storage solution, to activate SMB2.x support, as that is not always activated by default and sometimes a firmware upgrade is needed.

    Based on my own measurements, the performance increase varies from 10-80%.

    4. BranchCache

    Activate the BranchCache feature from Server Manager on the content servers you want to use with BranchCache. This requires Windows Server 2008 R2 on the content server. For file shares, make sure to enable the BranchCache feature on the share(s) you want to use with BranchCache. Also set the group policy “Hash Publication for BranchCache” on the file server(s), found in Administrative templates > Policies > Network > Lanman Server.

    To activate BranchCache on the Windows 7 client look in Administrative templates > Policies > Network > BranchCache and activate the required GPO settings.

    5. Upgrade key servers to Windows Server 2008 R2

    To gain use of RDP improvements, SMB2.1 improvements and actually make performance better for file handling the simple thing to do is to migrate to Windows Server 2008 R2.

    BONUS 1. Microsoft tool to measure performance:

    WDRAP (Risk and health Assessment Program for Windows Desktop) is a tool designed for enterprise customers that verifies overall performance, including bad drivers, apps that are causing the machine to start slowly etc. Contact your Technical Account Manager at Microsoft to get more information and help with analyzing the results from this tool. Microsoft themselves used this tool some time ago to improve performance in their environment, more on this in the Microsoft IT Case Study.

    BONUS 2. Hotfixes related to infrastructure and performance, Windows 7 Post-SP1:

    You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer
    http://support.microsoft.com/kb/2561285

    Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7 (WMI issue)
    http://support.microsoft.com/kb/2617858

    Slow performance when you browse the My Documents folder in the document library in Windows 7 or in Windows Server 2008 R2
    http://support.microsoft.com/kb/2690528

    Improved interoperability between the BranchCache feature and the Offline Files feature in Windows 7 or in Windows Server 2008 R2
    http://support.microsoft.com/kb/2675611

    General Q and A

    Q: Can I use this tool to measure performance and troubleshoot on Windows XP?
    A: You can run the tool on Windows XP by copying xbootmgr and xperfctrl.dll to an XP machine. You can then analyse the results on a Windows 7 machine. However do not expect the same amount of detailed data as Windows 7 has introduced new features that are not available in Windows XP.

    If you have any further questions about the session or the topics, feel free to leave a comment on the article or send me an email at andreas.stenhall@knowledgefactory.se.

    SLIDES: Download the slides from the session WCL326

     

  • Busting a myth: AppLocker does not magically allow standard users to install applications or updates

    Posted on May 10th, 2012 By Andreas Stenhall + No comments

    The most common misconception around AppLocker is that it can be used to allow standard users to install stuff that in any normal case would require administrator privileges. This is absolutely 100% incorrect.

    What AppLocker does is set a number of rules on what can be run and executed on a machine. It is important to note that if you allow something to run or be executed via AppLocker rules, the user will still need the appropriate privileges if the setup or application itself requires administrative privileges at some point in time, such as when doing automatic updating.

  • Follow up: User profile and user data changes in Windows 8 vs primary computers

    Posted on April 13th, 2012 By Andreas Stenhall + No comments

    Windows 8 will allow you to set roaming user profiles and/or folder redirection to be applied only if the user logs in to his or her primary computer. During the Windows 8 roadshow I got a question if there is an opposite action I can take to use roaming profiles on all machines except some machines or one particular machine.

    The answer is yes, you can do this. Nearly all organizations set the profile path on each user object in Active Directory, but as of Windows Vista and later there is a new group policy setting where you can set the roaming user profile path using GPOs instead.

    What this basically means is that you can apply a GPO with a roaming user profile path on certain computers where you want user profiles to be roamed, and keep for instance conference room computers out of this OU to make sure that users do not get their roamed profile on these machines.

    The GPO setting is found in Computer configuration\Administrative templates\System\User profile and is called “Set the roaming profile path for all users logging into this computer”. So if you have the profile path set on the user objects you need to remove those and make sure that you have the GPOs linked to the right OUs.

  • Creating the perfect and fully automated reference image for Windows operating systems

    Posted on January 14th, 2012 By Andreas Stenhall + No comments

    A perfect reference image for Windows is fast to deploy, contains all security updates and all other necessary patches, and possibly also applications like Office. Last but not least, it is built fully automated to achieve the best possible stability and to avoid the potential for manual errors. This guide is intended to show you how to build the perfect reference image!

    NOTE: I have also posted this guide to TechNet Wiki where you find an improved version of this article (although the steps in the article found below are still valid): TechNet Wiki: HOW TO: Create the perfect and fully automated reference image for Windows operating systems

    There is no need to reinvent the wheel, as this can be achieved very easily in Microsoft Deployment Toolkit. Start by downloading Microsoft Deployment Toolkit and in the components section make sure to download and install Windows Automated Installation Kit. Start Deployment Workbench and off we go!

    Note: This guide applies to everyone regardless of whether you are deploying Windows using SCCM, MDT or any third party deployment solution.

    1. In Deployment Workbench, create a new share for building the reference image and name it something like “Reference image build and capture share” or a name of your choice.

    2. Add the OS install files (repeat for each OS you want to build for) into the operating systems folder. Always include the setup files so never install just a WIM file at this stage.

    3. Create a task sequence based on the Standard client task sequence (repeat for each OS you want to build image for).

    4. For each task sequence edit the task sequence to enable the existing but disabled “Windows Update” step(s).

    5. Edit the rules of the share by right clicking it and choosing Properties. The rules (customsettings.ini) should look like below. Replace the variables BackupShare and BackupDir with whatever the share name and directory to store the images are.

    [Settings]
    Priority=Default
    Properties=MyCustomProperty

    [Default]
    OSInstall=Y
    SkipAppsOnUpgrade=YES
    SkipCapture=YES
    DoCapture=YES
    SkipAdminPassword=YES
    SkipProductKey=YES
    SkipUserData=YES
    SkipTimeZone=YES
    SkipFinalSummary=YES
    SkipSummary=YES
    SkipLocaleSelection=YES
    SkipDomainMembership=YES
    SkipComputerName=YES
    SkipBitlocker=YES
    SkipApplications=YES
    ComputerBackupLocation=NETWORK
    BackupShare=\\server\share
    BackupDir=Captures

    6. Modify the bootstrap.ini to look like the below information. Replace the variables according to what applies to your configuration.

    [Settings]
    Priority=Default

    [Default]
    SkipBDDWelcome=YES
    DeployRoot=\\server\share
    UserDomain=CONTOSO.COM
    UserID=username
    UserPassword=password

    7. Now add the setting below to the Rules (customsettings.ini). It points the Windows Update step to your WSUS server, where you are in control of everything that is released by Microsoft, so you stay 100% in control of what is in your image.

    WSUSServer=http://nameofwsusserver

    8. To make sure that you get a separate name for each operating system you are building a reference image for, edit each task sequence to contain a Task Sequence Variable, for instance:

    BackupFile=Windows7Enterprisex64.wim

    9. Update the deployment share to get the boot ISO, which you use to boot your virtual machine and start the build process.

    Remember to always build the reference image on a virtual machine to avoid potential problems related to hardware.

    You could also add Office as an application in the Deployment Workbench and to all task sequences that require it to make sure that you have a rapid deployment image ready to go.

    Done! Happy deploying!