A blog with focus on Windows 10 and cloud solutions

  • A unique book on managing Windows clients in an enterprise environment

    Posted on April 27th, 2015 By Andreas Stenhall + No comments

    Most books written about Microsoft products are very focused on one single product. A book about Windows Server covers all you need about the server OS itself. A book about System Center Configuration Manager covers everything you need to know about ConfigMgr in its bubble and a book about a Windows client covers everything you need to know about the client itself.

    The book Enterprise Client Management using Windows Server 2012 R2 and System Center 2012 R2 covers not only the Windows client (Windows 7 as well as 8.1) but also how to manage it using Windows Server 2012 R2 and the System Center 2012 R2 products. All in all, it is a complete scenario for managing your Windows clients in the enterprise very effectively using the Microsoft management tools available.

    The book is now also available on Kindle as of mid April 2015!

  • Solution to Windows 8.1 stuck at “Getting ready” during deployment

    Posted on March 15th, 2014 By Andreas Stenhall + No comments

    I encountered a stuck deployment at the “Getting ready” stage when deploying Windows 8.1 at a customer site the other day. None of the logs produced by the task sequence gave any indication of the problem at that stage, so to find the real problem I had to turn to the Windows setup log, setupact.log, which is found in C:\Windows\Panther\UnattendGC.

    In clear text it contained several lines like the one below. It kept on retrying to join the domain every ten seconds.

    2014-03-14 10:48:23, Warning                      [DJOIN.EXE] Unattended Join: DsGetDcName failed: 0x54b, last error is 0x0, will retry in 10 seconds...

    That particular problem was caused by the fact that the domain name to be joined was not entered as an FQDN in the task sequence. Note that there are other causes of a failed domain join, but remember that if your Windows 8.1 installation hangs at “Getting ready”, examine setupact.log, find the root cause and fix it.

    Interestingly, this behavior seems to be different in Windows 8.1 than in previous Windows versions (at least Windows 7), where a failed domain join would be skipped and the deployment would continue, leaving the machine in workgroup mode.

    UPDATE: It can also be caused by the network not having a connection at all, so checking the network cable could also be a solution.
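
    The check described above can be scripted. The following is an added example, not code from the original post: it summarizes the DJOIN.EXE retry lines in setupact.log so the failing call and error code stand out. The function name and the sample lines are assumptions made for illustration; 0x54b is the Win32 error ERROR_NO_SUCH_DOMAIN.

    ```powershell
    # Added example. Sample lines are constructed: the DJOIN line from the post with
    # varied timestamps, plus one unrelated line to show that it is ignored.
    $djoin  = '[DJOIN.EXE] Unattended Join: DsGetDcName failed: 0x54b, last error is 0x0, will retry in 10 seconds...'
    $sample = @(
        "2014-03-14 10:48:03, Info                         [SAMPLE] constructed unrelated line"
        "2014-03-14 10:48:13, Warning                      $djoin"
        "2014-03-14 10:48:23, Warning                      $djoin"
        "2014-03-14 10:48:33, Warning                      $djoin"
    )

    function Get-DomainJoinFailure {   # hypothetical helper name
        param([string[]]$Line)

        # Win32 error names; 0x54b (1355) is the code seen in the post.
        $known = @{ 0x54b = 'ERROR_NO_SUCH_DOMAIN: domain does not exist or could not be contacted' }
        $pattern = '^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\s+\w+\s+\[DJOIN\.EXE\] Unattended Join: ' +
                   '(?<api>\w+) failed: (?<code>0x[0-9a-fA-F]+)'

        $hits = foreach ($l in $Line) {
            if ($l -match $pattern) {
                [pscustomobject]@{
                    Time = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss',
                                                  [cultureinfo]::InvariantCulture)
                    Api  = $Matches['api']
                    Code = [Convert]::ToInt32($Matches['code'], 16)
                }
            }
        }

        # One row per failing API/error pair, with retry count and time window.
        $hits | Group-Object Api, Code | ForEach-Object {
            $first = $_.Group[0]; $last = $_.Group[-1]
            [pscustomobject]@{
                Api     = $first.Api
                Code    = '0x{0:x}' -f $first.Code
                Meaning = if ($known.ContainsKey($first.Code)) { $known[$first.Code] } else { 'not in table' }
                Retries = $_.Count
                First   = $first.Time
                Last    = $last.Time
            }
        }
    }

    Get-DomainJoinFailure -Line $sample | Format-List
    # On a stuck machine:
    # Get-DomainJoinFailure -Line (Get-Content C:\Windows\Panther\UnattendGC\setupact.log)
    ```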

  • Killer features in Windows 8 – Dare to miss them on TechDays?

    Posted on April 23rd, 2012 By Andreas Stenhall + 4 comments

    TechDays Sweden takes place this week, and as this year will be a very exciting one considering all the major releases, from Windows 8 and Windows Server 2012 to the System Center 2012 family of products, I can promise you a really interesting conference.

    My session will be about three of the most interesting features in Windows 8: taking on the future with UEFI, making use of virtualization with Client Hyper-V and, last but not least, creating new possibilities for your entire business with Windows To Go. Wednesday at 14:45 in Room 6. Be a part of the future!

    Here are some friends from the MEET network, what they do and links to their blogs:

     

  • Creating the perfect and fully automated reference image for Windows operating systems

    Posted on January 14th, 2012 By Andreas Stenhall + No comments

    A perfect reference image for Windows is fast to deploy, contains all security updates and all other necessary patches, possibly also applications like Office, and, last but not least, is fully automated to achieve the best possible stability and to avoid the potential for manual errors. This guide is intended to show you how to build the perfect reference image ever made!

    NOTE: I have also posted this guide to TechNet Wiki where you find an improved version of this article (although the steps in the article found below are still valid): TechNet Wiki: HOW TO: Create the perfect and fully automated reference image for Windows operating systems

    There is no need to invent the wheel again as this can be achieved very easily in Microsoft Deployment Toolkit. Start by downloading Microsoft Deployment Toolkit and in the components section make sure to download and install Windows Automated Installation Kit. Start Deployment Workbench and off we go!

    Note: This guide applies to everyone regardless of whether you are deploying Windows using SCCM, MDT or any third party deployment solution.

    1. In Deployment Workbench, create a new share for building the reference image and name it something like “Reference image build and capture share” or a name of your choice.

    2. Add the OS install files (repeat for each OS you want to build for) into the operating systems folder. Always include the setup files; never add just a WIM file at this stage.

    3. Create a task sequence based on the Standard client task sequence (repeat for each OS you want to build image for).

    4. For each task sequence edit the task sequence to enable the existing but disabled “Windows Update” step(s).

    5. Edit the rules of the share by right-clicking it and choosing Properties. The rules (customsettings.ini) should look like below. Replace the values of BackupShare and BackupDir with the share name and directory where the images are to be stored.

    [Settings]
    Priority=Default
    Properties=MyCustomProperty

    [Default]
    OSInstall=Y
    SkipAppsOnUpgrade=YES
    SkipCapture=YES
    DoCapture=YES
    SkipAdminPassword=YES
    SkipProductKey=YES
    SkipUserData=YES
    SkipTimeZone=YES
    SkipFinalSummary=YES
    SkipSummary=YES
    SkipLocaleSelection=YES
    SkipDomainMembership=YES
    SkipComputerName=YES
    SkipBitlocker=YES
    SkipApplications=YES
    ComputerBackupLocation=NETWORK
    BackupShare=\\server\share
    BackupDir=Captures

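    6. Modify bootstrap.ini to look like the information below. Replace the values according to what applies to your configuration. Bootstrap.ini is copied into the boot image in clear text, so use a dedicated account that has only the access it needs to the deployment share.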

    [Settings]
    Priority=Default

    [Default]
    SkipBDDWelcome=YES
    DeployRoot=\\server\share
    UserDomain=CONTOSO.COM
    UserID=username
    UserPassword=password

    7. Now add a line like the one below to the Rules (customsettings.ini). It makes the Windows Update step point to your WSUS server, where you are in control of everything that is released by Microsoft, so you stay 100% in control of what is in your image.

    WSUSServer=http://nameofwsusserver

    8. To make sure that you get a separate file name for each operating system you are building a reference image for, edit each task sequence to contain a Task Sequence Variable, named for instance:

    BackupFile=Windows7Enterprisex64.wim

    9. Update the deployment share to get the boot ISO, which you use to boot your virtual machine and start the build process.

    Remember to always build the reference image on a virtual machine to avoid potential problems related to hardware.

    You could also add Office as an application in the Deployment Workbench and to all task sequences that require it, to make sure that you have a rapid deployment image ready to go.

    Done! Happy deploying!
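
    Before updating the deployment share it is worth reviewing the two rule files from steps 5 to 7. The following is an added example, not part of the original guide or of MDT: it parses the rule text and reports clear-text credentials, capture settings that are missing, and a WSUS server reached over plain HTTP. The function names are hypothetical, and the input is the page's own placeholder configuration (customsettings.ini abridged).

    ```powershell
    # Added example. The rule text is the bootstrap.ini and (abridged) customsettings.ini
    # content shown in steps 5-7, with the placeholder values from the post.
    $bootstrap = '[Settings]', 'Priority=Default', '[Default]', 'SkipBDDWelcome=YES',
                 'DeployRoot=\\server\share', 'UserDomain=CONTOSO.COM', 'UserID=username', 'UserPassword=password'
    $rules     = '[Settings]', 'Priority=Default', 'Properties=MyCustomProperty', '[Default]', 'OSInstall=Y',
                 'SkipCapture=YES', 'DoCapture=YES', 'ComputerBackupLocation=NETWORK',
                 'BackupShare=\\server\share', 'BackupDir=Captures', 'WSUSServer=http://nameofwsusserver'

    function ConvertFrom-MdtIni {      # hypothetical helper: INI lines -> section -> key -> value
        param([string[]]$Line)
        $ini = [ordered]@{}; $section = $null
        foreach ($raw in $Line) {
            $text = $raw.Trim()
            if ($text -match '^\[(.+)\]$') {
                $section = $Matches[1]
                if (-not $ini.Contains($section)) { $ini[$section] = [ordered]@{} }
            } elseif ($section -and $text -notmatch '^;' -and $text -match '^([^=]+)=(.*)$') {
                $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
            }
        }
        $ini
    }

    function Test-MdtRule {            # hypothetical helper: emits one finding per line
        param([string]$File, [string[]]$Line)
        $ini = ConvertFrom-MdtIni -Line $Line
        foreach ($section in @($ini.Keys)) {
            $s = $ini[$section]
            foreach ($key in @($s.Keys)) {
                # Any non-empty *Password value is readable by whoever can read the file or,
                # for bootstrap.ini, the boot image built from it.
                if ($key -like '*Password' -and $s[$key]) {
                    "$File [$section] ${key}: credential in clear text"
                }
            }
            if ($s['DoCapture'] -eq 'YES') {
                foreach ($need in 'ComputerBackupLocation', 'BackupShare', 'BackupDir') {
                    if (-not $s[$need]) { "$File [$section] DoCapture=YES but $need is missing" }
                }
            }
            if ($s['WSUSServer'] -like 'http://*') {
                "$File [$section] WSUSServer is reached over plain HTTP"
            }
        }
    }

    Test-MdtRule -File 'bootstrap.ini'      -Line $bootstrap
    Test-MdtRule -File 'customsettings.ini' -Line $rules
    ```

    Against real files, pass `(Get-Content <path to the Control folder>\Bootstrap.ini)` as `-Line`.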

  • HOW TO: Handle user group policy settings in multiple OS environments

    Posted on December 22nd, 2011 By Andreas Stenhall + 1 comment

    This is a very common question and one that I would say all companies migrating to Windows 7 have experienced. The scenario is how do we handle user group policy settings when we have multiple operating systems such as Windows XP and Windows 7 or in the future also introduce Windows 8?

    First I strongly recommend that you do not reuse the user configuration for Windows XP for Windows 7. Group policies tend to grow over time and at most customers I have encountered a lot of rubbish in the old configuration. Starting over and migrating only what is needed minimizes the risk of problems and makes the configuration slicker and easier to manage in the long run.

    But how do we make sure that users get one configuration when they log in to for instance Windows XP and another configuration when they log in to a Windows 7 or Windows 8 machine? Well, let’s have a look at the options including pros and cons followed by recommendations from the field.

    1. Security group filtering

    • Pros:
      – Requires no change in OU structure/move of users.
    • Cons:
      – Requires a lot of management and makes it hard to administer.

    2. Separate users into a new and old OU

    • Pros:
      – Easy to do if you have very few users and no dependencies to other services or applications.
    • Cons:
      – Not a manageable solution in an environment with many users.
      – There are often apps or services that rely on the users being in a certain OU, which makes it hard to move users without affecting other services.

    3. WMI filters

    • Pros:
      – Keeps the users in the OU they are in today, not affecting other services or apps that rely on users being in a certain OU.
      – A long-term investment in making it easy to introduce new operating system versions.
      – Quick determination (WMI is often known to be really slow but this particular query is not performance intensive).
    • Cons:
      – Needs changes to the existing environment, for instance the Windows XP user configuration.
      – Could cause group policies not to be applied due to problems with the WMI repository or related services.

    4. Loopback processing

    • Pros:
      – Keeps the users in the OU they are in today, not affecting other services or apps that rely on users being in a certain OU.
      – Very reliable solution.
    • Cons:
      – If Replace mode is not used you need to handle the current configuration.
      – Might become a mess to troubleshoot and maintain if naming and configuration are not done consistently and clearly.

    Recommendations from the field

    In my professional opinion the only real alternatives are WMI filters or loopback processing and sometimes I recommend WMI filters for separating user settings depending on what operating system they are logging in to and sometimes I recommend loopback processing. It depends on the environment and needs for the customer. Many times moving the user accounts around is not an alternative but consider that a very good alternative if possible to accomplish.

    How do I implement it in my environment?

    1. WMI filters

    In the Group Policy console you create multiple WMI filters, for instance one for Windows XP and one for Windows 7. You then set each WMI filter on the GPO containing user settings for that operating system. NOTE: Always test it out before applying this configuration to your existing environment. Also note that this does not affect performance to any noticeable amount of time.

    Windows XP (version 5.1; the x64 edition reports 5.2):

    SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "5.1%" OR Version LIKE "5.2%") AND ProductType ="1"

    Windows 7:

    SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType ="1"

    Windows 8:

    SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType ="1"

    Basically the version is the OS version as we know it and the ProductType=1 means that it is a client operating system.

    So you will end up with for instance one GPO named “User Configuration – Windows 7” which has the WMI filter for Windows 7 machines set and one GPO named “User Configuration – Windows XP” which has the WMI filter for Windows XP set.

    2. Loopback processing

    A prerequisite for using loopback processing is that you keep computers in separate OUs, for instance XP computer accounts in one OU and Windows 7 computer accounts in another OU.

    You then create GPOs in the OU for Windows 7 in our example and configure the user settings there. As I think you should always separate Computer and User configuration GPOs, I would say that in a Computer configuration policy in that same OU you set this setting for the user settings to be applied when users log in to Windows 7 machines:

    Policies – Computer configuration – Administrative templates – System – Group Policy and there set “User Group Policy loopback processing mode” to Replace or Merge, depending on what you want to achieve and how you want to handle your current configuration. Replace mode is recommended as you will have a hard time maintaining and troubleshooting the configuration otherwise.

    Done! When users log on to your Windows 7 machines they will get the user settings you have defined in the user configuration GPOs located in the Windows 7 machines OU in our example.
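
    To test the WMI filters before linking them, as the note in the WMI filters section advises, the queries can be evaluated directly on a client of each operating system. The following is an added example, not part of the original post: a filter applies when its query returns at least one instance, and the elapsed time shows what the filter costs on that machine. The function name is hypothetical; Get-WmiObject and PowerShell 2.0 syntax are used so that it also runs on older clients.

    ```powershell
    # Added example: evaluate each WMI filter query on the local machine.
    $filters = @(
        @{ Name  = 'Windows XP'   # XP reports 5.1; the x64 edition reports 5.2
           Query = 'SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "5.1%" OR Version LIKE "5.2%") AND ProductType ="1"' },
        @{ Name  = 'Windows 7'
           Query = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType ="1"' },
        @{ Name  = 'Windows 8'
           Query = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType ="1"' }
    )

    function Test-GpoWmiFilter {       # hypothetical helper name
        param([hashtable[]]$Filter)

        # What this machine actually reports, for comparison with the filter result.
        $os = Get-WmiObject -Class Win32_OperatingSystem

        foreach ($f in $Filter) {
            $timer = [System.Diagnostics.Stopwatch]::StartNew()
            # Group Policy evaluates WMI filters in root\CIMv2; any returned instance means "apply".
            $found = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $f.Query -ErrorAction Stop)
            $timer.Stop()

            New-Object PSObject -Property @{
                Filter       = $f.Name
                Applies      = ($found.Count -gt 0)
                Milliseconds = $timer.ElapsedMilliseconds
                LocalVersion = $os.Version
                ProductType  = $os.ProductType
            } | Select-Object Filter, Applies, Milliseconds, LocalVersion, ProductType
        }
    }

    Test-GpoWmiFilter -Filter $filters | Format-Table -AutoSize
    ```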

  • Windows client security lockdown with nifty tool from Microsoft

    Posted on October 18th, 2010 By Andreas Stenhall + No comments

    It’s been around for some time, and if you did not already know about it, Microsoft provides a free tool called Security Compliance Manager. You can use it to very easily manage a set of pre-configured settings (or settings that you configure on your own) that improve security. You can then export these settings to for instance a group policy and import it into your domain.

    There are templates with pre-configured security lockdowns for Windows XP, Windows Vista and of course also Windows 7. The tool works great for creating a security baseline for your client machines but the only downside is that you cannot import nor in a convenient way compare the settings in the templates with what you currently have.

  • No more duplicate drivers in ConfigMgr, thanks to a patch!

    Posted on October 17th, 2010 By Andreas Stenhall + No comments

    So to end the pain of handling duplicate drivers in System Center Configuration Manager there has been a hotfix released that resolves the issue with “The selected driver has already been imported at this site”, at least partly, depending on what method you are using to apply drivers. Read more about the affected scenarios at the Mike Niehaus blog and download the hotfix from Microsoft.

  • Split services for troubleshooting purposes

    Posted on October 7th, 2010 By Andreas Stenhall + No comments

    In Windows you might know that a lot of services do not run as separate processes; instead many of them actually run within the famous svchost.exe processes. To see this in action just go to a cmd.exe and type “tasklist /svc” and it will list all processes and the services hosted in each. It might look like:

    svchost.exe    AeLookupSvc, Appinfo, AppMgmt, BITS,
                   Browser, CertPropSvc, gpsvc, IKEEXT,
                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                   Schedule, SENS, SessionEnv,
                   ShellHWDetection, Themes, Winmgmt, wuauserv

    If you need to do some troubleshooting or investigate something related to a certain service that is running in the same process as other services, you can split this service out to make it run in its own process. This is done by using the command:

    sc.exe config wuauserv type= own

    Which in this case makes sure that the Windows Update service (wuauserv) will be run in its own process, for you to troubleshoot. Set it back to its original setting by changing “own” to “share” in the above command. You can find more information about this in KB934650.

  • Case of the CHM files which give you “Navigation to the webpage was canceled”

    Posted on August 23rd, 2010 By Andreas Stenhall + No comments

    Opening CHM (Windows Help Files) downloaded from the internet or from a network location will most likely give you “Navigation to the webpage was canceled” and it will refuse to display the contents of the help file. This is due to changes that were introduced some years ago by a security update, and this is the default behavior in Windows Vista and 7 (and their Windows server equivalents).

    I experienced this case at a customer site and to resolve the problem you can follow the steps in MS KB article KB896054. However adding the trusted UNC path caused some problems in this case, as the UNC path was sort of hidden because the CHM file was opened from an embedded link within an application.

    So to find the UNC path from where the CHM file was opened I had two choices, either to use the famous Sysinternals tool Process Monitor to trace the open file action, but I chose a quicker way. Opened CHM files are logged in a file called hh.dat which can be found at C:\users\\AppData\Roaming\Microsoft\HTML Help. This file, when opened with WordPad, contains the path to the opened CHM file, which led me to the key which was an important part of this solution.

  • Clearing the confusion on CopyProfile making default user profiles

    Posted on August 13th, 2010 By Andreas Stenhall + No comments

    Nowadays the only supported method of making changes to a user profile is to use an answer file to set the value CopyProfile to TRUE. The problem is that a lot of the documentation found is somewhat unclear on how to use this answer file. Fortunately Microsoft clears the confusion on this and I think this is worth mentioning to everybody as it has been causing a lot of confusion. They list scenarios for both MDT 2010 and ConfigMgr.