Creating the perfect and fully automated reference image for Windows operating systems

A perfect reference image for Windows is fast to deploy, contains all security updates and all other necessary patches and possibly also applications like Office and least but not last is fully automated to achieve the best possible stability and to avoid the potential of manual errors. This guide is intended to show you how to build the perfect reference image ever made!

There is no need to invent the wheel again as this can be achieved very easy in Microsoft Deployment Toolkit. Start by downloading Microsoft Deployment Toolkit and in the components section make sure to download and install Windows Automated Installation Kit. Start Deployment Workbench and off we go!

Note: This guide applies to everyone regardless if you are deploying Window using SCCM, MDT or any third party deployment solution.

1. In Deployment workbench create a new share for creating the reference image so start by creating a new one and name it like “Reference image build and capture share” or something of your choice.

2. Add the OS install files (repeat for each OS you want to build for) into the operating systems folder. Always include the setup files so never install just a WIM file at this stage.

3. Create a task sequence based on the Standard client task sequence (repeat for each OS you want to build image for).

4. For each task sequence edit the task sequence to enable the existing but disabled “Windows Update” step(s).

5. Edit the rules of the share by right clicking it and choosing Properties. The rules (customsettings.ini) should look like below. Replace the variables BackupShare and BackupDir with whatever the share name and directory to store the images are.

[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
OSInstall=Y
SkipAppsOnUpgrade=YES
SkipCapture=YES
DoCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipUserData=YES
SkipTimeZone=YES
SkipFinalSummary=YES
SkipSummary=YES
SkipLocaleSelection=YES
SkipDomainMembership=YES
SkipComputerName=YES
SkipBitlocker=YES
SkipApplications=YES
ComputerBackupLocation=NETWORK
BackupShare=\\server\share
BackupDir=Captures

6. Modify the bootstrap.ini to look like the below information. Replace the variables according to what applies to your configuration.

[Settings]
Priority=Default

[Default]
SkipBDDWelcome=YES
DeployRoot=\\server\share
UserDomain=CONTOSO.COM
UserID=username
UserPassword=password

7. Now add to the Rules (customsettings.ini) a section named like below. This sets that the Windows Update step will point to your WSUS server, where you are in control of everything that is released by Microsoft and thereby staying 100% in control of what is in your image.

WSUSServer=http://nameofwsusserver

8. To make sure that you get a separate name for each operating system you are building a reference image for edit each task sequence to contain a Task Sequence Variable named for instance:

BackupFile=Windows7Enterprisex64.wim

9. Update the deployment share to get boot ISO which you use to boot your virtual machine and start the build process.

Remember to always build the reference image on a virtual machine to avoid potential problems related to hardware.

You could also add the Office as an application in the Deployment Workbench and to all task sequences that require it to make sure that you have a rapid deployment image ready to go.

Done! Happy deploying!

Event id 6404 when changing drive letter for a DFS replicating folder on the drive

When setting up a DFS replication group and later changing the drive letter of a drive for where DFS is replicating content you will see event id 6404 in the event log on Windows Server 2008 R2. The error in specific is:

The DFS Replication service failed to replicate the replicated folder at local path E:\DeploymentShare because the local path is not the fully qualified path name of an existing, accessible local folder.

Additional Information:
Replicated Folder Name: OsDeployment
Replicated Folder ID: C6E9C901-D6AE-47CA-A853-EE414186050A
Replication Group Name: OsDeploy-server1.contoso.com
Replication Group ID: C45CAA1D-0037-496F-881D-EC5DF596DF7B
Member ID: BF168723-6399-4229-9695-57E0352D43F9

To solve this make sure you show hidden files and folders and then delete the DfsrPrivate folder located in the root of the folder being replicated via DFS-R and then restart the DFS-R service and you are back in business.

Busting the myths: Windows 7 require Windows Server 2008/2008 R2 domain controllers and raised functional levels

It seems a fairly common misconception is that to be able to use Windows 7 in a Windows or should I say Active Directory environment one need to have either Windows Server 2008 or Windows Server 2008 R2 domain controllers. There are also misconceptions about the need to raise the forest and domain functional levels to be able to use the full power of Windows 7. Neither of these are true.

You can get all the same features if you are using Windows Server 2003 domain controllers and that is also regardless of which forest or domain functional levels you are running with. The most common misconceptions are:

• Group Policy Preferences. Work very well in a 2003 domain. However you need to manage the group policies from a Windows 7 or Windows Server 2008 R2 machine using Group Policy Management Console found in the Remote Server Administration Tools.
• BitLocker. To store recovery keys in AD you need to extend the schema. If you have a domain controller that is running Windows Server 2008 or later you have what it takes, if you are running Windows Server 2003 on your domain controllers you simply extend the schema.

I must add that you get stronger encryption for Kerberos by using Windows Server 2008 domain functional level though but the bottom line is that the functionality of the Windows 7 client is the same regardless of forest or domain functional levels.

KB article now available for 20+ processors issue

Not long ago I posted about the interesting issue of Windows Deployment Server services not starting when having more than 20 logical processors on the machine. Now Microsoft have published the KB article for the problem regarding Windows Deployment Server service but  it also seems to affect ntdsutil as well. Again, running a deployment server or a domain controller on a server which has more than 20 logical processors is not very likely but still it’s kind of an interesting issue.

RemoteApps integrated in Windows 7 – does not need 2008 R2 fully

Just a quick tip that you do not need to have your entire RDS environment at the Windows Server 2008 R2 level to be able to utilize the nice integration features of RemoteApps in Windows 7. I am referring to the feature of subscribing to a feed of applications and thereby have a dynamic publishing of RemoteApps for the ends users, in the users start menu.

To get this working all you need is a Windows Server 2008 R2 to host the RDS Web Access role, which then can include and publish RemoteApp sources that are based on Windows Server 2008 hosts (no R2 requirements there).

WDS service refuse to start with error 0xFFFFFBB3 when using more than 20 logical cpus

The other week I stumbled across a very interesting fact, a fact that the Windows Deployment Server service refused to start on a clean installed Windows Server 2008 R2. After troubleshooting for a whole day, even reinstalling the OS, reproducing the error even without any patches seemed very strange. The WDS service is a service that normally just works. The following error was logged:

Log Name: Application
Source: WDSServer
Date: 2010-10-04 17:14:23
Event ID: 257
Task Category: WDSServer
Level: Error
Keywords: Classic
User: N/A
Computer: wds.contoso.com
Description:
An error occurred while trying to start the Windows Deployment Services server.
Error Information: 0xFFFFFBB3

An important fact is that the server to be used for deployments was a retired yet powerful TS/RDS server with two six core processors using hyper threading, making it 24 logical processors.  Not likely to be the hardware specs of a regular deployment server but hey, it can obviously be scenarios where this might be an issue. Thanks goes to a colleague (Jeanette) who figured out that we could try to set the number of logical processors being used to two. Guess what, after a reboot the WDS service started just fine!

To change the number of used processors we used:

bcdedit /set {current} numproc 2

To revert this change you could use:

bcdedit /deletevalue {current} numproc

After some work with Microsoft Product Services and Support it appears to be a bug nevertheless. The limit for the number of logical processors you can have for the WDS service to start is 20. Bear this in mind…

HOW TO: Cleanup pre-SP1 components in Windows 7 and Windows Server 2008 R2

Many of you surely remember the tools “vsp1clean” and “compcln” which was used after service pack 1 and service pack 2 installation to remove older Windows packages which was superseded by the service pack. These tools freed some disk space and as it removed all previous Windows components it made the service pack installation permanent, meaning it was not uninstallable after running the tools.

Anyway enough with history, when you have installed SP1 for Windows 7 or Windows Server 2008 R2 you can make it permanent by using the below command.

%windir%\system32\dism.exe /Online /Cleanup-Image /spsuperseded

You can also use Disk Cleanup to accomplish this, choose to clean your system disk and then choose “Clean up system files”, choose your system disk once again and then make sure that you select “Backup files required to uninstall service pack”.

NOTE 1: As SP1 is in beta at the time of this writing, I must warn you that running the above command will make it impossible to uninstall the SP1 beta, in practice meaning you will have to reinstall your machine once SP1 final release is made available.

Bug with PXE booting pre-staged machines for deployment returns event 519

There is a bug in Windows Deployment Services (WDS) in Windows Server 2008 R2 which prevents your pre-staged computers from booting via PXE. In the Event logs on the WDS server you can find event 519 stating that there are duplicate machines with the same GUID or MAC address, even though this is not true. There is a hotfix for this problem which is available from http://support.microsoft.com/kb/2028840/en-us.

The event looks like:

Log Name: Application
Source: BINLSVC
Date: 2010-09-24 10:29:04
Event ID: 519
Task Category: BINLSVC
Level: Error
Keywords: Classic
User: N/A
Computer: wds1.contoso.local
Description:
Multiple machine accounts with the same GUID or MAC address were found in Active Directory Domain Services. The Windows Deployment Services server will use the first listed machine account.

List of matching machines: CN=DEPLOYTEST1,OU=CONTOSO,DC=stenis,DC=local

Killing the myths: Group Policy Preferences for everyone!

There is a very common misconception out there that Group Policy Preferences can only be created, managed and applied to your Windows machines if you are running your domain controllers with Windows Server 2008 or later. This is so NOT true.

What you have to do if you are stuck on domain controllers running Windows Server 2003 is to install the Remote Server Administration Tools on a Windows 7 (or Vista) client machine, add the feature Group Policy Management and then create a GPO in the domain and edit it, configuring the Group Policy Preferences of your choice. Voilà!

I do not know where this myth is coming from actually but the fact that GPO Preferences were introduced in Windows Server 2008 is the major reason I would assume.

Case of the mysterious issues with UAC in Windows 7 and Windows Server 2008 R2

At the TechNet/MSDN after work I attended last week I got an interesting question on why a user (domain admin) gets a UAC popup on trying to access folders via Explorer which he knows for sure he is supposed to be able to access looking at the ACLs of the folder. Instead, when clicking OK on the UAC popup the ACL is populated with his account.

My first thought to this behavior was Explorer.exe not being able to elevate and the “split personality” i.e. the two security tokens involved when UAC is in effect. Here comes a more detailed explanation that I think is of interest to more. Note that this problem also covers some other scenarios such as AppLocker rules not appearing to work as intended for administrators. Read on to learn what is causing this.

First when UAC is enabled you get two security tokens when you log in, easily explained as one which contains the administrator privilege information and one which does not. Most of the times you run everything using the standard security token. When you for instance want to install software or change some system settings, then the security token containing the administrator privileges information is used.

If you do not explicitly request an application to launch with higher privileges, or the applications itself request higher privileges, all processes and applications run in the user context with the standard security token. Virtually all applications including Windows applications and processes are possible to elevate by right clicking and choosing “Run as administrator”. This is not true for Explorer.EXE though as all your attempts to elevate it will not result in any actual elevation. There are a few caveats with this and let us continue with the example of access certain files and folders.

So let’s have a look at what the ACL of the folder D:\Share looks like:

We can clearly see that there are no user accounts in this list. Under normal circumstances any user which is a member of the domain admins group should be able to access that folder but instead is presented with the UAC dialogue:

What happens when the user “stenis” in this case clicks “Continue” to that UAC dialogue box questions is that the ACL is populated with the user account in questions:

This happens because the fact that Explorer.exe cannot be elevated the normal Windows Explorer does not see that the user account should be able to access that folder. It is easy to verify as you can actually run Explorer.EXE elevated by changing the registry setting “RunAs” to “_RunAs” in HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}. Thanks goes to Andre Ziegler for this finding.

So what does this tell us? It is a somewhat strange problem but still by design. The fact is that this “problem” is not applicable to the folder and file access as described in this blog but also for AppLocker rules for instance, as many domain administrators must choose “Run as administrator” to be able to run software which they think they should be able to run without this little procedure.