MDT 2010 USB Media for XP to Win7 REFRESH (fully automated)

To start an MDT 2010 LiteTouch Deployment REFRESH from a USB key, follow these steps.

In this example my deployment server is DEVMDT2010. The deployment share is DeployWin7$.

1. In MDT 2010 create a Selection Profile under Advanced Configuration called USBRefresh. Assign the proper Applications, OS, Drivers, Packages, Task Sequence, etc.

2. Create New Media called USBRefresh under Advanced Configuration.

3. On DEVMDT2010, configure the Bootstrap.ini and CustomSettings.ini files on the deployment share so the deployment is completely automated.

Bootstrap.ini

[Settings]
Priority=Default

[Default]
SkipBDDWelcome=YES
TaskSequenceID=DeployBuild001

UserDomain=MDTLAB
UserID=servicesmdt
UserPassword=P@ssw0rd

CustomSettings.ini

[Settings]
Priority=Default, DeploymentType, ByDesktopType, ByLaptopType
Properties=MyCustomProperty

[ByDesktopType]
Subsection=Desktop-%IsDesktop%

[ByLaptopType]
Subsection=Laptop-%IsLaptop%

[Desktop-True]
ComputerName=DT%SerialNumber%

[Laptop-True]
ComputerName=LT%SerialNumber%
BDEInstall=TPM
BDERecoveryKey=AD
BDEKeyLocation=C:
BDEWaitForEncryption=False
BDEInstallSuppress=NO

[Default]
_SMSTSORGNAME=MDTLAB
OSInstall=Y
DeploymentType=REFRESH
UserDataLocation=AUTO
SkipDeploymentType=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=YES
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipBDDWelcome=YES
SkipComputerBackup=YES
ComputerBackupLocation=NONE
SkipCapture=YES
SkipFinalSummary=YES
SkipSummary=YES
TimeZone=004
TimeZoneName=Pacific Standard Time
FinishAction=REBOOT
TaskSequenceID=DeployBuild001

JoinDomain=MDTLAB
DomainAdmin=servicesmdt
DomainAdminPassword=P@ssw0rd
MACHINEOBJECTOU=OU=COMPUTERS, DC=MDTLAB, DC=COM

4. Update Media Content on USBRefresh and copy the Content folder to a USB key.

5. Create a new shortcut on the root of the USB key called LiteTouch Refresh. Point the target location to: D:\Content\Deploy\Scripts\LiteTouch.vbs

6. Insert the USB key into a Windows XP Client and copy the LiteTouch Refresh script to the desktop. Double-click on it and deploy Windows 7 via REFRESH.
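A check for the rule files configured in step 3, as an added example that is not part of the original post: it lists every password property stored in clear text in Bootstrap.ini or CustomSettings.ini without echoing the value, so you know which accounts to scope down or rotate before a USB key carrying those files leaves your hands. The function name, the sample text and the D:\Content\Deploy\Control path are assumptions.

```powershell
# Added example (not from the original post). Reports where MDT rule files
# hold a password in clear text, without printing the password itself.
function Find-MdtPlaintextSecret {
    param(
        [Parameter(Mandatory = $true)][AllowEmptyString()][string[]]$Line,
        [string]$Source = 'inline sample'
    )
    # Password-bearing MDT properties; the first two appear in the post.
    $secretKeys = 'UserPassword', 'DomainAdminPassword', 'AdminPassword'
    $section = ''
    $number  = 0
    foreach ($raw in $Line) {
        $number++
        $text = $raw.Trim()
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # key=value, tolerating spaces around "=" and skipping ";" comments
        if ($text -match '^([^=;]+?)\s*=\s*(.*)$') {
            $key   = $Matches[1]
            $value = $Matches[2]
            if (($secretKeys -contains $key) -and ($value -ne '')) {
                [pscustomobject]@{
                    Source      = $Source
                    Line        = $number
                    Section     = $section
                    Property    = $key
                    ValueLength = $value.Length   # length only, never the secret
                }
            }
        }
    }
}

# Constructed sample that mirrors the Bootstrap.ini shown in the post.
$sample = @'
[Settings]
Priority=Default

[Default]
SkipBDDWelcome=YES
UserDomain=MDTLAB
UserID=servicesmdt
UserPassword=P@ssw0rd
'@ -split "`r?`n"

Find-MdtPlaintextSecret -Line $sample -Source 'Bootstrap.ini (sample)' |
    Format-Table Source, Line, Section, Property, ValueLength -AutoSize

# Against real media (path is an assumption; adjust the drive letter):
# Get-ChildItem 'D:\Content\Deploy\Control' -Filter *.ini | ForEach-Object {
#     Find-MdtPlaintextSecret -Line (Get-Content $_.FullName) -Source $_.FullName }
```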


MDT 2010 and USMT 4.0 Hard Link Migration

One of the most exciting features for deploying a Windows XP client to Windows 7 is the ability to create a hardlink during a REFRESH scenario with MDT 2010.

In order to leverage USMT 4.0 in MDT 2010, you must first install the latest Windows Automated Installation Kit for Windows 7.

For more information on the Windows Automated Installation Kit, go here: http://technet.microsoft.com/en-us/library/dd349343(WS.10).aspx

Jeremy Chapman has an excellent video demonstrating how this works: http://edge.technet.com/Media/User-State-Migration-with-Windows-7/

What I really like about hardlinks is that the user’s data isn’t migrated out to the network, meaning faster deployment times. Instead of moving files to a protected location on the hard disk, the files aren’t transferred at all; just the paths to them are updated. This is a very cool feature that Microsoft offers to help us facilitate our migration efforts from Windows XP to Windows 7.

This means the install and settings transfer happens much faster. It’s really cool, and means you can have a fresh install of Win7, with all your XP files and settings, completed in a short amount of time. Of course, you still need to install the OS. But still…very cool…

So, how do I get USMT hardlinks to work in MDT Lite Touch Installation Environment? When you install MDT 2010 and create your Deployment Share, MDT will create a folder called USMT and copy the necessary USMT files into that folder. If you refresh the machine (by starting Litetouch.vbs from the running OS), MDT 2010 by default uses hardlinks.

I suggest the following read on USMT with MDT 2010 by Tim Minter.

http://deployment.xtremeconsulting.com/2009/11/20/understanding-usmt-with-mdt-2010/

Additionally, MDT 2010 Documentation:

http://www.microsoft.com/downloads/details.aspx?FamilyId=3BD8561F-77AC-4400-A0C1-FE871C461A89&displaylang=en

VMware E1000 NIC Drivers, WinPE, and Adding NIC Drivers with DISM

DISM.exe is a new command line tool included in the Windows Automated Installation Kit (Windows AIK) 2.0. You can use DISM to service Windows images, both WIM and VHD files. This is a useful tool that can be used to add/remove device drivers, OS Packages, hotfixes, etc.

I recently came across a case where I needed to add VMware NIC drivers to my WinPE image. The new Windows 7 WAIK no longer has the PEIMG tool, which was used with the WAIK’s predecessor to inject drivers into the boot image. We now use DISM.

When PXE booting to my VM, I realized my WinPE did not have the correct NIC drivers installed.

DISM Tool Notes

  • Multiple drivers can be added on one command line if you specify a folder instead of an .inf file. Use the /recurse option.
  • The commands to inject drivers into WinPE with DISM are demonstrated below:
  • To install an unsigned driver, use /ForceUnsigned to override the requirement that drivers installed on x64-based computers must have a digital signature.
  • Dism.exe /unmount-WIM /MountDir:C:\Mount /Commit (Note – The /commit option is very important!)
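
The DISM sequence these notes refer to, as an added example that is not from the original post: it mounts the boot image, injects every driver under a folder with /Recurse, lists the result and commits. It checks the driver catalogs' signatures first instead of reaching for /ForceUnsigned. The boot.wim and driver folder paths and the Invoke-Dism helper are assumptions; C:\Mount is the mount folder used above.

```powershell
# Added example (not from the original post). Run from an elevated prompt
# on a machine with the Windows AIK / DISM installed.
$WimFile   = 'C:\WinPE\boot.wim'     # assumed location of the WinPE boot image
$MountDir  = 'C:\Mount'              # mount folder used in the post
$DriverDir = 'C:\Drivers\e1000'      # assumed folder holding the NIC driver files

# Hypothetical helper: run dism.exe and stop on a non-zero exit code.
function Invoke-Dism {
    param([string[]]$Arguments)
    & dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dism.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Refuse to inject drivers whose catalog (.cat) is missing or not validly signed.
$catalogs = @(Get-ChildItem -Path $DriverDir -Recurse -Filter *.cat)
if ($catalogs.Count -eq 0) {
    throw "No .cat files under $DriverDir; treat these drivers as unsigned."
}
$bad = @($catalogs | Get-AuthenticodeSignature | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    $bad | Format-Table Path, Status -AutoSize | Out-String | Write-Host
    throw 'At least one driver catalog has no valid signature; not injecting.'
}

# 2. Mount the first image in the WIM.
Invoke-Dism '/Mount-Wim', "/WimFile:$WimFile", '/Index:1', "/MountDir:$MountDir"

try {
    # 3. Add every driver found under the folder, then list what the image now holds.
    Invoke-Dism "/Image:$MountDir", '/Add-Driver', "/Driver:$DriverDir", '/Recurse'
    Invoke-Dism "/Image:$MountDir", '/Get-Drivers'

    # 4. Unmount and save the changes; without /Commit the drivers are lost.
    Invoke-Dism '/Unmount-Wim', "/MountDir:$MountDir", '/Commit'
}
catch {
    # Leave the WIM untouched if any step failed.
    & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard
    throw
}
```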

Here is what the WinPE Image will look like after the NIC drivers are injected with DISM.

WinPE 2.1 supports the new VMware NIC model e1000. It is recommended to use this NIC model with your virtual machine. http://h18000.www1.hp.com/products/servers/management/rdp/knowledgebase/00000192.html

Configuring Default User Settings – Full Update for Windows 7 and Windows Server 2008 R2

I’ve received some emails in my inbox lately about configuring Windows 7 Default User Settings on the Core Image. Instead of re-inventing the wheel, check out this blog posted by Michael Murgolo from the DeploymentGuys.

http://blogs.technet.com/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-for-windows-7-and-windows-server-2008-r2.aspx

Windows 7 Deployment Useful Tip # 2 – Enabling the Standard User to delete Desktop Shortcuts from C:\Users\Public\Desktop

Food for thought: as a general rule, set expectations and give the rationale. If your environment consists of users running as administrators on their machines, this is something you really want to try and get away from. Maintaining a well-managed PC in the corporate environment goes out the window if you don’t lock down and secure your systems. Destabilization of the desktop causes additional work for everyone, not to mention productivity downtime for everyone.

User Account Control works by protecting access to administrative rights, and this involves elevation of privilege. One small challenge I came across recently was giving Standard Users the ability to delete desktop icons that are created during the installation of applications. Specifically, desktop icons stored in C:\Users\Public\Desktop. This happens because desktop icons were installed/created by a trusted install account (e.g. Administrator). Since the user is not the owner of the file, they cannot take ownership of the file. When a user attempts to delete a desktop shortcut, Windows 7 requests some kind of consent or credential to do so. Unfortunately, UAC won’t allow the standard user to execute this task.

The recommended solution would be creating a script to run against the desktop folder to modify the ACLs during post installation of the OS. Alternatively, you can add the following commands to your Task Sequence in StateRestore.

attrib -h c:\Users\Public\Desktop

icacls c:\Users\Public\Desktop /grant "TEST.com\Domain Users":M /T

attrib +h c:\Users\Public\Desktop

Remember to replace "TEST.com" with the name of your domain. Also note that the attrib commands are needed because the public desktop folder is hidden. In Windows 7 the public desktop is a reparse point of the folder known as desktop. Credit goes to Josh Brungardt, my colleague, for countless testing scenarios to get this to work.

Cheers,

Rich

Windows 7 Deployment Useful Tip # 1 – Creating Read-only partitions during deployment with MDT 2010

Depending on your organization’s security policy, you may need to make a partition read-only. I have been working on a solution for the last 4 weeks to implement Windows RE into the build process with MDT 2010. Because of security requirements, this drive needs to be marked as read-only.

In MDT 2010 Task Sequence, you can do this by configuring two command lines during State Restore.

Task Sequence steps were created to run the CACLS command lines that make the R: drive read-only for "Authenticated Users".

ECHO Y| CACLS R:\ /S:O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)

cacls R: /E /R "Authenticated Users"