Category: Windows client

Solution to Windows 8.1 stuck at “Getting ready” during deployment

I encountered a stuck deployment at the “Getting ready” stage when deploying Windows 8.1 at a customer site the other day. None of the logs produced by the task sequence gave any indications on the problem at that stage so to find the real problem I had to turn to the Windows setup log setupact.log which is found in C:\Windows\Panther\UnattendGC.

In clear text it stated a few lines of this code. It kept on retrying to join the domain every ten seconds.

2014-03-14 10:48:23, Warning                      [DJOIN.EXE] Unattended Join: DsGetDcName failed: 0x54b, last error is 0x0, will retry in 10 seconds...

That particular problem was caused by the fact that the domain name to be joined was not entered as a FQDN in the task sequence. Note there are other causes of a failed domain join but remember that if your Windows 8.1 installation hang at “Getting ready”, examine the setupact.log and find the root cause and fix it.

Interesting to say is that this behavior seems to be different in Windows 8.1 than in previous Windows versions (at least Windows 7), where a failed domain join would be skipped and the deployment would continue leaving the machine in a workgroup mode.

UPDATE: It can also be caused by the network not having a connection at all. So check the network cable could also be a solution.

Killer features in Windows 8 – Dare to miss them on TechDays?

TechDays Sweden takes place this week and as this year will be a very exiting one considering all the major releases with all from Windows 8, Windows Server 2012 to the System Center 2012 family products I can promise you a really interesting conference.

My session will be about three of the very most interesting features in Windows 8; taking on the future with UEFI, making use of virtualization with client hyper-v and least but not last creating new possibilities for your entire business with Windows To Go. @ Wednesday 14:45 Room 6. Be a part of the future!

Here are some friends from the MEET network, what they do and links to their blogs:


Creating the perfect and fully automated reference image for Windows operating systems

A perfect reference image for Windows is fast to deploy, contains all security updates and all other necessary patches and possibly also applications like Office and least but not last is fully automated to achieve the best possible stability and to avoid the potential of manual errors. This guide is intended to show you how to build the perfect reference image ever made!

NOTE: I have also posted this guide to TechNet Wiki where you find an improved version of this article (although the steps in the article found below is still valid): TechNet Wiki: HOW TO: Create the perfect and fully automated reference image for Windows operating systems

There is no need to invent the wheel again as this can be achieved very easy in Microsoft Deployment Toolkit. Start by downloading Microsoft Deployment Toolkit and in the components section make sure to download and install Windows Automated Installation Kit. Start Deployment Workbench and off we go!

Note: This guide applies to everyone regardless if you are deploying Window using SCCM, MDT or any third party deployment solution.

1. In Deployment workbench create a new share for creating the reference image so start by creating a new one and name it like “Reference image build and capture share” or something of your choice.

2. Add the OS install files (repeat for each OS you want to build for) into the operating systems folder. Always include the setup files so never install just a WIM file at this stage.

3. Create a task sequence based on the Standard client task sequence (repeat for each OS you want to build image for).

4. For each task sequence edit the task sequence to enable the existing but disabled “Windows Update” step(s).

5. Edit the rules of the share by right clicking it and choosing Properties. The rules (customsettings.ini) should look like below. Replace the variables BackupShare and BackupDir with whatever the share name and directory to store the images are.



6. Modify the bootstrap.ini to look like the below information. Replace the variables according to what applies to your configuration.



7. Now add to the Rules (customsettings.ini) a section named like below. This sets that the Windows Update step will point to your WSUS server, where you are in control of everything that is released by Microsoft and thereby staying 100% in control of what is in your image.


8. To make sure that you get a separate name for each operating system you are building a reference image for edit each task sequence to contain a Task Sequence Variable named for instance:


9. Update the deployment share to get boot ISO which you use to boot your virtual machine and start the build process.

Remember to always build the reference image on a virtual machine to avoid potential problems related to hardware.

You could also add the Office as an application in the Deployment Workbench and to all task sequences that require it to make sure that you have a rapid deployment image ready to go.

Done! Happy deploying!

HOW TO: Handle user group policy settings in multiple OS environments

This is a very common question and one that I would say all companies migrating to Windows 7 has experienced. The scenario is how do we handle user group policy settings when we have multiple operating systems such as Windows XP and Windows 7 or in the future also introduce Windows 8?

First I strongly recommend that you do not reuse the user configuration for Windows XP for Windows 7. Group policies tend to grow over time and at most customers I have encountered a lot of rubbish in the old configuration. Starting over and migrating only what is needed minimize the risk for problem and makes the configuration slicker and more easy to manage in the long run.

But how do we make sure that users get one configuration when they log in to for instance Windows XP and another configuration when they log in to a Windows 7 or Windows 8 machine? Well, let’s have a look at the options including pros and cons followed by recommendations from the field.

1. Security group filtering

  • Pros:
    – Require no change in OU structure/move of users.
  • Cons:
    – Requires a lot of management and make it hard to administer.

2. Separate users into a new and old OU

  • Pros:
    – Easy to do if you have very few users and no dependencies to other services or applications.
  • Cons:
    – Not a manageable solution in an environment with many users.
    – There are often apps or services that rely on the users being in a certain OU which is making it hard to move users without affecting other services.

3. WMI filters

  • Pros:
    – Keep the users in the OU they are today not affecting other services or apps that rely on users being in a certain OU.
    – A longterm investment in making it easy to introduce new operating system versions.
    – Quick determination (WMI is often known to be real slow but this particular query is not performance intensive).
  • Cons:
    – Need changes for existing environment, i.e. for instance Windows XP user configuration.
    – Could make group policies not being applied due to problems with WMI repository or related services.

4. Loopback processing

  • Pros:
    – Keep the users in the OU they are today not affecting other services or apps that rely on users being in a certain OU.
    – Very reliable solution.
  • Cons:
    – If not Replace mode is used you need to handle current configuration.
    – Might become a mess to troubleshoot and maintain if naming and config is not done consistent and clear.

Recommendations from the field

In my professional opinion the only real alternatives are WMI filters or loopback processing and sometimes I recommend WMI filters for separating user settings depending on what operating system they are logging in to and sometimes I recommend loopback processing. It depends on the environment and needs for the customer. Many times moving the user accounts around is not an alternative but consider that a very good alternative if possible to accomplish.

How do I implement it in my environment?

1. WMI filters

In the Group Policy console you create multiple WMI filters for for instance Windows XP and Windows 7. You then set each WMI filter respectively on each GPO containing user settings for each operating system. NOTE: Always test it out before applying this configuration to your existing environment. Also note that this does not affect performance to any noticeable amount of time.

Windows XP:

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" AND ProductType ="1"

Windows 7:

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType ="1"

Windows 8:

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType ="1"

Basically the version is the OS version as we know it and the ProductType=1 means that it is a client operating system.

So you will end with for instance one GPO named “User Configuration – Windows 7” which have the WMI filter for Windows 7 machines set and one GPO named “User Configuration – Windows XP” which have the WMI filter for Windows XP set.

2. Loopback processing

A prerequisite for using loopback processing is that you keep computers in separate OUs, for instance XP computer accounts in one OU and Windows 7 computer accounts in another OU.

You then create GPO objects in the OU for Windows 7 in our example and configure the user settings there. As I think you should always separate Computer and User configuration GPO:s I would say that you in a Computer configuration policy in that same OU set this setting for the user settings to be applied when users log into Windows 7 machines:

Policies – Computer configuration – Administrative templates – System – Group Policy and there set “User Group Policy loopback processing mode” to Replace or Merge, depending on what you want to achieve and how you want to handle your current configuration. Replace mode is recommended as you will have a hard time maintaining and troubleshooting the configuration otherwise.

Done! When users log on to your Windows 7 machines they will get the user settings you have defined in the user configuration GPOs located in the Windows 7 machines OU in our example.

Windows client security lockdown with nifty tool from Microsoft

It’s been around for some time and if you did not already know about it Microsoft provide the free tool called Security Compliance Manager. You can use it to very easily manage and export a set of pre-configured (or settings that you configure on your own) settings that improve security. You can then export these settings to for instance a group policy and import it into your domain.

There are templates with pre-configured security lockdowns for Windows XP, Windows Vista and of course also Windows 7. The tool works great for creating a security baseline for your client machines but the only downside is that you cannot import nor in a convenient way compare the settings in the templates with what you currently have.

No more duplicate drivers in ConfigMgr, thanks to a patch!

So to end the pain of handling duplicate drivers in System Center Configuration Manager there has been a hotfix released that resolves the issue with “The selected driver has already been imported at this site”, at least partly, depening on what method your are using to apply drivers. Read more about the affected scenarios at the Mike Niehaus blog and download the hotfix from Microsoft.

Split services for troubleshooting purposes

In Windows you might know that a lot of services do not run as separate processes, instead many of them are actually run within the famous svchost.exe processes. To see this in action just go to a cmd.exe and type “tasklist /svc” and it will list all processes and subprocesses. It might look like:

svchost.exe    AeLookupSvc, Appinfo, AppMgmt, BITS,
               Browser, CertPropSvc, gpsvc, IKEEXT,
               iphlpsvc, LanmanServer, MMCSS, ProfSvc,
               Schedule, SENS, SessionEnv,
               ShellHWDetection, Themes, Winmgmt, wuauserv

If you need to do some troubleshooting or investigate something related to a certain process that is running with other services you can split this service to make in run in its own process. This is done by using the command:

sc.exe config servicename wuauserv type= own

Which in this case makes sure that the Windows Update service (wuauserv) will be run in its own process, for you to troubleshoot. Set it back to its original setting by changing “own” to “share” in the above command. You can find more information about this in KB934650.

Case of the CHM files which give you “Navigation to the webpage was canceled”

Opening CHM (Windows Help Files) downloaded from the internet or from a network location will most likely give you “Navigation to the webpage was canceled” and it will refuse to display the contents of the help file. This is due to changes that were introduced some years ago by a security update, and this is the default behavior in Windows Vista and 7 (and their Windows server equivalents).

I experienced this case at a customer site and to resolve the problem you can follow the steps in MS KB article KB896054. However adding the trusted UNC path caused some problems in this case, as the UNC path was sort of hidden because the CHM file was opened from an embedded link within an application.

So to find the UNC path from where the CHM file was opened I had two choices, either to use the famous Sysinternals tool Process Monitor to trace the open file action, but I chose a quicker way. Opened CHM files are logged in a file called hh.dat which can be found at C:\users\\AppData\Roaming\Microsoft\HTML Help. This file, when opened with WordPad contains the path to the opened CHM file, which lead me to the key which was an important part of this solution.

Clearing the confusion on CopyProfile making default user profiles

Nowadays the only supported method of making changing to a user profile is to use an answer file to set the value CopyProfile to TRUE. The problem is that a lot of the documentation found is somewhat unclear on how to use this answer file. Fortunately Microsoft clears the confusion on this and I think this is worth mentioning to everybody as it has been causing a lot of confusion. They list scenarios for both MDT 2010 and ConfigMgr.

Beware of saved credentials

Saved credentials can be a good thing, but many times they are not. The last couple of weeks I have become involved in a couple of cases where saved credentials in all from Windows XP to Windows 7 have been the cause of strange problems, primarily accessing file servers.

The problems have been with accessing mapped network drives or browsing file servers, with various error messages. Even though Windows 7 sports the “new” credential manager, this feature has been there even in Windows XP. This means that you can add credentials for servers so that you won’t have to provide them when accessing resources on the network.

The cause of the problem is for instance when a user change his or her password and the saved credential become obsolete, causing the user to have serious problems authenticating to the network resources.

The settings for these saved credentials are as follows:

Windows XP: Start “User Accounts” control panel, choose an account and then go to “Manage my network passwords”.
Windows Vista: Start “User Accounts” control panel, choose an account and then go to “Manage your network passwords”.
Windows 7: Search for and start the “Credential Manager” control panel.”

Solve the problems accessing network resources by deleting the saved credentials once and for all!