Tag: Deployment

Windows 10 upgrade breaks at 76% and presents the logon screen while the upgrade is still in progress in the background!

This problem is interesting as it is not easily discoverable if you do not stare at the screen during the entire upgrade process, and hey, who does that? However, this is a very interesting finding when it comes to Windows as a Service that I am certain will affect many more enterprise customers (see cause section below).

Problem

Initiate an upgrade of Windows 10 to another version of Windows 10 using an in-place upgrade task sequence via System Center Configuration Manager. The upgrade runs smoothly until it reaches 75% (of the Upgrade step), where setup reboots the machine and then continues with the last step of the upgrade, which is the migration phase. However, at 76% the user is presented with the logon screen and thinks “well, the upgrade is done, let’s log in!” The user then logs in, only to see a reboot a few minutes later, followed by a rollback to the previous version of Windows.

The upgrade process is still running although the logon screen is presented, and when the user logs in, the migration engine of Windows setup reports a bunch of MIG errors because files become locked. At the same time a rollback to the previous version of Windows 10 is initiated. The rollback, by the way, works very well!

Cause

The cause of this issue is the software Net iD, which is a very common smart card application/credential provider for governments and others, providing smart card logon capabilities for all types of smart cards. When that piece of software is installed it somehow (still not determined exactly what is going on) interferes with the upgrade, and the consequence is that the logon screen is displayed although the upgrade continues in the background.

Workaround

Uninstall the Net iD client before doing an in-place upgrade to another Windows 10 version, and then install it as one of the last steps during the upgrade.

A unique book on managing Windows clients in an enterprise environment

Most books written about Microsoft products are very focused on one single product. A book about Windows Server covers all you need about the server OS itself. A book about System Center Configuration Manager covers everything you need to know about ConfigMgr in its bubble and a book about a Windows client covers everything you need to know about the client itself.

The book Enterprise Client Management using Windows Server 2012 R2 and System Center 2012 R2 covers not only the Windows client (Windows 7 as well as 8.1) but how to manage it using Windows Server 2012 R2 and the System Center 2012 R2 products. So all in all a complete scenario on how to manage your Windows clients in the enterprise in a very effective way using Microsoft management tools available.

The book is now also available on Kindle as of mid April 2015!

HOWTO: Prevent deploying Windows over VPN

Doing Windows deployments over VPN is not a very good idea and it will work really badly. If you are using MDT to do Windows deployments you can easily prevent deploying Windows over VPN.

The easiest way is to modify the customsettings.ini to simply not install anything if the network card’s gateway is what we define as the VPN gateway. So let’s look at the default customsettings.ini before we modify it.

[Settings]
Priority=Default

[Default]
OSInstall=Y
SkipCapture=NO
SkipAdminPassword=NO
...

Now let’s look at what we will do to modify it to fit our needs. We will add a check so that the first thing we do is to check if the machine is on a VPN connection and if so not install anything. In the example we have two default gateways defined.

[Settings]
Priority=DefaultGateway,Default

[DefaultGateway]
10.0.0.1=VPN
10.0.1.1=VPN

[VPN]
OSInstall=N

[Default]
OSInstall=Y
SkipCapture=NO
SkipAdminPassword=NO
...
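
To test rules like these before they reach a deployment share, the sketch below resolves OSInstall for a given set of default gateways. It is an added example, not part of MDT or of the original post: resolve() is a hypothetical, simplified model that assumes MDT keeps the first value written for a property, and the rules text is a constructed copy of the sample above.

```python
import configparser

# Constructed sample: the modified customsettings.ini shown above.
RULES = """\
[Settings]
Priority=DefaultGateway,Default

[DefaultGateway]
10.0.0.1=VPN
10.0.1.1=VPN

[VPN]
OSInstall=N

[Default]
OSInstall=Y
SkipCapture=NO
SkipAdminPassword=NO
"""

def load_rules(text):
    """Parse rules text, keeping key case and treating only '=' as delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def resolve(rules, gateways):
    """Simplified model (assumption): walk Priority left to right and keep
    the first value written for each property."""
    result = {}

    def apply(section):
        if rules.has_section(section):
            for key, value in rules.items(section):
                result.setdefault(key, value)   # first writer wins

    for entry in rules.get("Settings", "Priority").split(","):
        entry = entry.strip()
        if entry == "DefaultGateway":
            # Lookup section: gateway address -> name of the section to apply.
            for gw in gateways:
                target = rules.get(entry, gw, fallback=None)
                if target:
                    apply(target)
        else:
            apply(entry)
    return result

if __name__ == "__main__":
    rules = load_rules(RULES)
    for gws in (["10.0.0.1"], ["192.168.1.1"]):
        print(gws, "->", resolve(rules, gws)["OSInstall"])
```

Swapping the order to Priority=Default,DefaultGateway makes the model return OSInstall=Y even on a VPN gateway, which is why the gateway check has to come first.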

Happy deploying (but not over VPN)!

ERROR: “LiteTouch is trying to install applications” in MDT 2012 Update 1

I came across a rather peculiar thing with MDT 2012 Update 1 recently. MDT 2012 is pretty good at detecting when there are leftovers from previous deployments but this time it failed, and it failed hard.

LiteTouch is trying to install applications. This cannot be performed in Windows PE.
If booting from a USB Flash Disk, please remove all drives before restarting. Otherwise, ensure the hard disk is selected first in the BIOS boot order.

Oh no, I was NOT trying to install applications in WinPE :) It was a pretty plain task sequence and even recreating it with a brand new standard one did not help. However the solution was to remove the MININT and _SMSTaskSequence folders using the good old rd command with the switches /q and /s. Unfortunately I did not save the logs but the point is that if anyone hits this, there is a real easy solution.

Creating the perfect and fully automated reference image for Windows operating systems

A perfect reference image for Windows is fast to deploy, contains all security updates and all other necessary patches, and possibly also applications like Office. Last but not least, it is built fully automated to achieve the best possible stability and to avoid the potential for manual errors. This guide is intended to show you how to build the most perfect reference image ever made!

NOTE: I have also posted this guide to TechNet Wiki where you find an improved version of this article (although the steps in the article found below are still valid): TechNet Wiki: HOW TO: Create the perfect and fully automated reference image for Windows operating systems

There is no need to reinvent the wheel as this can be achieved very easily in Microsoft Deployment Toolkit. Start by downloading Microsoft Deployment Toolkit and in the components section make sure to download and install Windows Automated Installation Kit. Start Deployment Workbench and off we go!

Note: This guide applies to everyone regardless of whether you are deploying Windows using SCCM, MDT or any third party deployment solution.

1. In Deployment Workbench, create a new deployment share for building the reference image and name it something like “Reference image build and capture share” or a name of your choice.

2. Add the OS install files (repeat for each OS you want to build for) into the operating systems folder. Always include the setup files so never install just a WIM file at this stage.

3. Create a task sequence based on the Standard client task sequence (repeat for each OS you want to build image for).

4. For each task sequence edit the task sequence to enable the existing but disabled “Windows Update” step(s).

5. Edit the rules of the share by right clicking it and choosing Properties. The rules (customsettings.ini) should look like below. Replace the variables BackupShare and BackupDir with whatever the share name and directory to store the images are.

[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
OSInstall=Y
SkipAppsOnUpgrade=YES
SkipCapture=YES
DoCapture=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipUserData=YES
SkipTimeZone=YES
SkipFinalSummary=YES
SkipSummary=YES
SkipLocaleSelection=YES
SkipDomainMembership=YES
SkipComputerName=YES
SkipBitlocker=YES
SkipApplications=YES
ComputerBackupLocation=NETWORK
BackupShare=\\server\share
BackupDir=Captures

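6. Modify the bootstrap.ini to look like the example below. Replace the values according to what applies to your configuration. Bootstrap.ini is stored in clear text inside the boot image, so use a dedicated account that has access only to the deployment and capture shares.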

[Settings]
Priority=Default

[Default]
SkipBDDWelcome=YES
DeployRoot=\\server\share
UserDomain=CONTOSO.COM
UserID=username
UserPassword=password

7. Now add to the Rules (customsettings.ini) a property like the one below. This makes the Windows Update step point to your WSUS server, where you are in control of everything that is released by Microsoft, so you stay 100% in control of what is in your image.

WSUSServer=http://nameofwsusserver

8. To make sure that you get a separate file name for each operating system you are building a reference image for, edit each task sequence to contain a Task Sequence Variable, named for instance:

BackupFile=Windows7Enterprisex64.wim

9. Update the deployment share to get the boot ISO which you use to boot your virtual machine and start the build process.

Remember to always build the reference image on a virtual machine to avoid potential problems related to hardware.

You could also add Office as an application in the Deployment Workbench and to all task sequences that require it to make sure that you have a rapid deployment image ready to go.

Done! Happy deploying!

HOW TO: Handle user group policy settings in multiple OS environments

This is a very common question and one that I would say all companies migrating to Windows 7 have experienced. The scenario is how do we handle user group policy settings when we have multiple operating systems such as Windows XP and Windows 7 or in the future also introduce Windows 8?

First I strongly recommend that you do not reuse the user configuration for Windows XP for Windows 7. Group policies tend to grow over time and at most customers I have encountered a lot of rubbish in the old configuration. Starting over and migrating only what is needed minimizes the risk of problems and makes the configuration slicker and easier to manage in the long run.

But how do we make sure that users get one configuration when they log in to for instance Windows XP and another configuration when they log in to a Windows 7 or Windows 8 machine? Well, let’s have a look at the options including pros and cons followed by recommendations from the field.

1. Security group filtering

  • Pros:
    – Require no change in OU structure/move of users.
  • Cons:
    – Requires a lot of management and makes it hard to administer.

2. Separate users into a new and old OU

  • Pros:
    – Easy to do if you have very few users and no dependencies to other services or applications.
  • Cons:
    – Not a manageable solution in an environment with many users.
    – There are often apps or services that rely on the users being in a certain OU, which makes it hard to move users without affecting other services.

3. WMI filters

  • Pros:
    – Keeps the users in the OU they are in today, not affecting other services or apps that rely on users being in a certain OU.
    – A long-term investment in making it easy to introduce new operating system versions.
    – Quick determination (WMI is often known to be real slow but this particular query is not performance intensive).
  • Cons:
    – Needs changes to the existing environment, for instance the Windows XP user configuration.
    – Could cause group policies not to be applied due to problems with the WMI repository or related services.

4. Loopback processing

  • Pros:
    – Keeps the users in the OU they are in today, not affecting other services or apps that rely on users being in a certain OU.
    – Very reliable solution.
  • Cons:
    – If Replace mode is not used you need to handle the current configuration.
    – Might become a mess to troubleshoot and maintain if naming and configuration are not done consistently and clearly.

Recommendations from the field

In my professional opinion the only real alternatives are WMI filters or loopback processing and sometimes I recommend WMI filters for separating user settings depending on what operating system they are logging in to and sometimes I recommend loopback processing. It depends on the environment and needs for the customer. Many times moving the user accounts around is not an alternative but consider that a very good alternative if possible to accomplish.

How do I implement it in my environment?

1. WMI filters

In the Group Policy console you create multiple WMI filters, for instance for Windows XP and Windows 7. You then set each WMI filter on the GPO containing the user settings for the corresponding operating system. NOTE: Always test it out before applying this configuration to your existing environment. Also note that this has no noticeable effect on performance.

Windows XP (version 5.1 is 32-bit XP, 5.2 is XP x64 Edition):

SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "5.1%" OR Version LIKE "5.2%") AND ProductType ="1"

Windows 7:

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType ="1"

Windows 8:

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType ="1"

Basically the version is the OS version as we know it and the ProductType=1 means that it is a client operating system.

So you will end up with, for instance, one GPO named “User Configuration – Windows 7” which has the WMI filter for Windows 7 machines set and one GPO named “User Configuration – Windows XP” which has the WMI filter for Windows XP set.

2. Loopback processing

A prerequisite for using loopback processing is that you keep computers in separate OUs, for instance XP computer accounts in one OU and Windows 7 computer accounts in another OU.

You then create GPO objects in the OU for Windows 7 in our example and configure the user settings there. As I think you should always separate Computer and User configuration GPOs, I would say that you should, in a Computer configuration policy in that same OU, set this setting for the user settings to be applied when users log into Windows 7 machines:

Policies – Computer configuration – Administrative templates – System – Group Policy and there set “User Group Policy loopback processing mode” to Replace or Merge, depending on what you want to achieve and how you want to handle your current configuration. Replace mode is recommended as you will have a hard time maintaining and troubleshooting the configuration otherwise.

Done! When users log on to your Windows 7 machines they will get the user settings you have defined in the user configuration GPOs located in the Windows 7 machines OU in our example.

System Locale not set correctly causing SQL Server to fail installation with error “Performance counter registry hive consistency”

Hit an interesting issue when I was about to do a MAP (Microsoft Assessment and Planning Toolkit) scan at a customer. When installing SQL Server Express 2008 R2 I hit a problem and got the error message “Performance counter registry hive consistency” = FAILED installation.

The problem was that the System Locale was not set properly for my Windows 7 box. Fix was to set it under Region and Language – Administrative tab and there set the system locale and restart the machine. After that the SQL Server installation went fine!

Microsoft Assessment and Planning Toolkit SQL limits and recommendations

When you are about to run MAP (Microsoft Assessment and Planning Toolkit) assessment it comes by default with a SQL Server 2008 R2 Express database. This has a limit of a database of 10GB. This is in many cases not a problem but in larger environments it can be.

My experience tells me that a 10GB database is good for keeping data for about up to 10 000 machines. If you hit the limit the best option is to use a fully licensed SQL Server which has no limits on the database size.

The second option is to divide the scans to say for instance different OUs and switch between multiple databases. This does not give a combined report in any way so it is definitely not the best option but it will get you there.

The latest version of MAP 6.5 can be downloaded from Microsoft Download Center.

Deployment Roadshow vNext and Windows 8 loadfest

Two events are coming up; Deployment Roadshow vNext featuring System Center Configuration Manager 2012 and Microsoft Deployment Toolkit 2012 and a Windows 8 loadfest.

Deployment Roadshow vNext will take place in Sweden’s four largest cities and it will be presented by myself and colleague Johan Arwidmark from Knowledge Factory, Wally Mead the SCCM guru from Microsoft Corp and Mikael Nyström from Truesec. More info about the event at http://www.deploymentevents.se.

The Windows 8 loadfest will take place in early December in Stockholm and it is hosted by me, Johan Arwidmark, Lars Gustavsson and Tim Nilamaa. More info about the event at http://www.deploywindows8.se.

HOW TO: Find 16-bit applications in your ACT inventory

When companies deploy Windows 7 most of them are looking at the 64-bit version of Windows 7. This architecture of Windows does not support running 16-bit applications, which unfortunately are still widely in use. If you do an inventory with ACT (Application Compatibility Toolkit) it will inventory all executables as well as CMD files and some other stuff, and it will contain information about 16-bit applications lying around and being used by the users in your business.

The trick is that the GUI does not provide a way to view these applications, so you have to turn to a SQL query using for instance the SQL Management Studio Express tools. Use the SQL query below to get information on any executable that is not 32-bit or 64-bit. The query (thanks to Chris Jackson) will return for instance WOW (Windows on Windows) or DOS applications, and that will/might indicate a 16-bit app which you should prioritize to test and handle as necessary.

USE ACTDATABASE
GO

SELECT DISTINCT Applications.appName, Static_App_Properties.fileName, fileModuleType

FROM Static_App_Properties
INNER JOIN Application_Instance_Files
ON Static_App_Properties.identity_hash = Application_Instance_Files.filePropertyID
INNER JOIN Applications
ON Application_Instance_Files.appID = Applications.identity_hash

WHERE fileModuleType<>'32BIT' AND fileModuleType<>'64BIT' AND propertyType='File'

ORDER BY appName
GO

Happy hunting for 16-bit applications! :)