MDT 2010 USB Media for XP to Win7 REFRESH (fully automated)

To start an MDT 2010 LiteTouch Deployment REFRESH from a USB key, follow these steps.

In this example my deployment server is DEVMDT2010. The deployment share is DeployWin7$.

1. In MDT 2010 create a Selection Profile under Advanced Configuration called USBRefresh. Assign the proper Applications, OS, Drivers, Packages, Task Sequence, etc.

2. Create New Media called USBRefresh under Advanced Configuration.

3. On DEVMDT2010, configure the Bootstrap.ini and CustomSettings.ini files on the deployment share so the deployment is completely automated.

Bootstrap.ini

[Settings]
Priority=Default

[Default]
SkipBDDWelcome=YES
TaskSequenceID=DeployBuild001

UserDomain=MDTLAB
UserID=servicesmdt
UserPassword=P@ssw0rd

CustomSettings.ini

[Settings]
Priority=Default, DeploymentType, ByDesktopType, ByLaptopType
Properties=MyCustomProperty

[ByDesktopType]
Subsection=Desktop-%IsDesktop%

[ByLaptopType]
Subsection=Laptop-%IsLaptop%

[Desktop-True]
ComputerName=DT%SerialNumber%

[Laptop-True]
ComputerName=LT%SerialNumber%
BDEInstall=TPM
BDERecoveryKey=AD
BDEKeyLocation=C:
BDEWaitForEncryption=False
BDEInstallSuppress=NO

[Default]
_SMSTSORGNAME=MDTLAB
OSInstall=Y
DeploymentType=REFRESH
UserDataLocation=AUTO
SkipDeploymentType=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=YES
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipBDDWelcome=YES
SkipComputerBackup=YES
ComputerBackupLocation=NONE
SkipCapture=YES
SkipFinalSummary=YES
SkipSummary=YES
TimeZone=004
TimeZoneName=Pacific Standard Time
FinishAction=REBOOT
TaskSequenceID=DeployBuild001

JoinDomain=MDTLAB
DomainAdmin=servicesmdt
DomainAdminPassword=P@ssw0rd
MachineObjectOU=OU=COMPUTERS,DC=MDTLAB,DC=COM

4. Update Media Content on USBRefresh and copy the Content folder to a USB key.

5. Create a new shortcut on the root of the USB key called LiteTouch Refresh. Point the target location to: D:\Content\Deploy\Scripts\LiteTouch.vbs

6. Insert the USB key into a Windows XP Client and copy the LiteTouch Refresh script to the desktop. Double-click on it and deploy Windows 7 via REFRESH.
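The CustomSettings.ini in step 3 only makes sense once you know how MDT's rule engine walks it: sections run in Priority order, the first value found for a property wins, %Name% is expanded from properties already gathered, and Subsection= pulls in further sections such as Desktop-True. The following Python model is an added illustration, not MDT's own ZTIGather code; it evaluates an abridged copy of the file above against constructed machine facts (IsDesktop, IsLaptop, SerialNumber) standing in for what MDT reads from WMI, and it treats a Priority entry that is itself a property (DeploymentType) the way MDT does, by looking for a section named after that property's value.

```python
"""Simplified model of how MDT's rule engine evaluates CustomSettings.ini.

Added illustration, not MDT code. Modelled behaviours: sections run in Priority
order; the first value found for a property wins; %Name% expands to an already
known property; Subsection= pulls in more sections; a Priority entry that is a
property (DeploymentType) selects the section named by that property's value.
"""
import re


class Props(dict):
    """Case-insensitive property bag (MDT property names are case-insensitive)."""

    def __init__(self, initial=None):
        super().__init__()
        for key, value in (initial or {}).items():
            self[key] = value

    def __setitem__(self, key, value):
        super().__setitem__(key.lower(), value)

    def __getitem__(self, key):
        return super().__getitem__(key.lower())

    def __contains__(self, key):
        return super().__contains__(key.lower())

    def get(self, key, default=None):
        return super().get(key.lower(), default)


def parse_ini(text):
    """Return {section_name_lower: [(key, value), ...]} keeping key order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def substitute(value, props):
    """Replace %Name% with the property's value; unknown names are left untouched."""
    return re.sub(r"%(\w+)%", lambda m: props.get(m.group(1), m.group(0)), value)


def apply_section(sections, name, props):
    # A Priority entry that names a property selects the section called by its value.
    if name in props and props[name]:
        name = props[name]
    for key, raw in sections.get(name.lower(), []):
        value = substitute(raw, props)
        if key.lower() == "subsection":
            for sub in value.split(","):
                apply_section(sections, sub.strip(), props)
        elif key not in props:  # first value wins; later sections cannot overwrite
            props[key] = value


def gather(ini_text, machine_facts):
    """Evaluate ini_text for a machine described by machine_facts."""
    sections = parse_ini(ini_text)
    props = Props(machine_facts)
    priority = next(v for k, v in sections["settings"] if k.lower() == "priority")
    for entry in priority.split(","):
        apply_section(sections, entry.strip(), props)
    return props


# Abridged copy of the CustomSettings.ini shown in step 3 above.
CUSTOMSETTINGS_INI = """
[Settings]
Priority=Default, DeploymentType, ByDesktopType, ByLaptopType
[ByDesktopType]
Subsection=Desktop-%IsDesktop%
[ByLaptopType]
Subsection=Laptop-%IsLaptop%
[Desktop-True]
ComputerName=DT%SerialNumber%
[Laptop-True]
ComputerName=LT%SerialNumber%
BDEInstall=TPM
[Default]
DeploymentType=REFRESH
SkipBitLocker=YES
TaskSequenceID=DeployBuild001
"""

# Constructed machine facts standing in for the values MDT collects from WMI.
DESKTOP = {"IsDesktop": "True", "IsLaptop": "False", "SerialNumber": "ABC123"}
LAPTOP = {"IsDesktop": "False", "IsLaptop": "True", "SerialNumber": "XYZ789"}


def resolve(machine_facts):
    return gather(CUSTOMSETTINGS_INI, machine_facts)


if __name__ == "__main__":
    for label, facts in (("desktop", DESKTOP), ("laptop", LAPTOP)):
        p = resolve(facts)
        print(label, p["ComputerName"], p.get("BDEInstall", "-"), p["TaskSequenceID"])
```

Two consequences follow directly from the first-value-wins rule: because Default is listed first in Priority, adding ComputerName to [Default] would silently disable the DT/LT naming in Desktop-True and Laptop-True, and because DeploymentType is a Priority entry, a [REFRESH] section can hold settings that apply only to refresh deployments.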

Access to a redirected folder or home drive disconnects regularly on a computer running Windows 7

This is my first post back after a few months. I have been heads down with Windows 7 migrations. To date we have deployed over 1,100 seats of Windows 7 and FINALLY had a moment to come up for some air.

Back in December I blogged about setting up a folder redirection policy for Win7 clients. Interestingly enough, we hit an issue when deploying Windows 7 with a folder redirection policy. From speaking to a number of people, the issue we are seeing is that the My Documents folder shows as offline even though the client machine (desktop or laptop) is connected to the network. There were a number of things we tried (rejoining the PC to the domain, undocking the laptops, disabling wireless, etc.), but none of these were permanent fixes.

One of the things you can do is investigate the Offline Files Operational log (Event Viewer -> Applications and Services Logs -> Microsoft -> Offline Files -> Operational). Check to make sure the Offline Files log is enabled: right-click the Operational log under Offline Files and choose Properties, and you should be able to see whether it is enabled. If not, enable it, reboot the machine and keep it running for 30 minutes. If you don't find anything there, you might want to try this hotfix.

981872  Access to a redirected folder or a home drive disconnects regularly on a computer that is running Windows Server 2008 R2 and Windows 7

http://support.microsoft.com/default.aspx?scid=kb;EN-US;981872

Configuring Default User Settings – Full Update for Windows 7 and Windows Server 2008 R2

I’ve received some emails in my inbox lately about configuring Windows 7 Default User Settings on the Core Image. Instead of re-inventing the wheel, check out this blog posted by Michael Murgolo from the DeploymentGuys.

http://blogs.technet.com/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-for-windows-7-and-windows-server-2008-r2.aspx

Windows 7 Deployment Useful Tip # 2 – Enabling the Standard User to delete Desktop Shortcuts from C:\Users\Public\Desktop

Food for thought: as a general rule, set expectations and give the rationale behind them. If your environment consists of users running as administrators on their machines, this is something you really want to try and get away from. Maintaining a well-managed PC in the corporate environment goes out the window if you don't lock down and secure your systems. Destabilization of the desktop causes additional work for everyone, not to mention productivity downtime.

User Account Control works by protecting access to administrative rights, and this involves elevation of privilege. One small challenge I came across recently was giving Standard Users the ability to delete desktop icons that are created during the installation of applications, specifically desktop icons stored in C:\Users\Public\Desktop. This happens because the desktop icons were installed/created by a trusted install account (e.g. Administrator). Since the user is not the owner of the file, they cannot delete it or take ownership of it. When a user attempts to delete a desktop shortcut, Windows 7 requests consent or credentials to do so, and UAC won't allow a standard user to complete the task.

The recommended solution would be a script that runs against the desktop folder to modify the ACLs after the OS is installed. Alternatively, you can add the following commands to your Task Sequence in the State Restore phase.

attrib -h c:\Users\Public\Desktop

icacls c:\Users\Public\Desktop /grant "TEST.com\Domain Users":M /T

attrib +h c:\Users\Public\Desktop

Remember to replace "TEST.com" with the name of your domain. Also note that the attrib steps are needed because the public desktop folder is hidden. In Windows 7 the public desktop is a reparse point of the folder known as Desktop. Credit goes to Josh Brungardt, my colleague, for countless testing scenarios to get this to work.

Cheers,

Rich

Folder Redirection Policy for Windows 7

Raise your hand if you're using Windows XP in your corporate environment and make use of a VPN client to connect back to your network resources when you're off campus. Does your company leverage any type of manual folder redirection for your My Documents folder to point to a network location? If so, how many of you struggle with accessing your home directory (e.g. My Documents) when you're working away from the office? This is a very common complaint amongst information workers. The issue is, when you go home, log on to your laptop, connect to the VPN, and click on your My Documents, you don't have access to your data. My wife complains to me, "Why can't I access my home drive?!" This is because when you logged on to your machine, you were not connected to the corporate network. The workaround is knowing the UNC path on the network that you can browse to in order to reach your data. While this is an annoyance for some, there are solutions out there that can help.

My first piece of advice is to eliminate the use of the VPN client altogether. There are technologies that can provide a better experience, such as Cisco's AnyConnect or Microsoft's DirectAccess. Depending on customer requirements, you'll need to examine the clientless VPN solutions that are on the market.

As part of your Windows 7 Deployment Project, you may consider leveraging group policies to create a more secure and managed desktop environment. Folder redirection is one of the policies you might want to consider. Generally speaking, most organizations have a User Data Policy, which dictates where user data should be stored. In the corporate environment it is a very good idea to back up user data to a network location such as SharePoint, a network share, a home directory, etc. Alternatively, external devices such as USB sticks or external hard disks can be used. A folder redirection policy is a great way to ensure that as a user logs on, their documents are pointed to a network location.

When creating a new User Account in Active Directory Users & Computers (ADUC), you have the ability to create a Home Folder to point to a network location. One of the most common scenarios is to map a Drive Letter to point to a specific UNC on a filer where you would like to store the user’s My Documents folder.

Additionally, if your intention is to implement Windows RE into your deployment solution, Documents Folder Redirection is a critical piece of the ability to self restore a PC. If the user’s primary source data is not kept on a Network Share, when the System Image Restore process is initiated, there is some potential for the loss of all local data.

Configuring Folder Redirection Policy in Windows 7

Step by Step

1. In the GPMC, right-click the OU to which you want to apply Folder Redirection (at the time of this writing the policy is configured on Test OU – Test – Users), and choose "Create a GPO in this domain, and Link it here."

2. Name the GPO, say, "Win 7 Documents Folder Redirection".

3. Right-click the policy and choose Edit.

4. Drill down to Folder Redirection: User Configuration\Policies\Windows Settings\Folder Redirection.

5. Go to the Documents folder, right-click and choose Properties.

6. On the Target tab, set Setting to "Basic – Redirect everyone's folder to the same location".

7. Set Target folder location to "Redirect to the following location".

8. Set Root Path to %HomeShare%\My Documents.

9. Click Apply.

Enjoy!

Rich

Windows 7 Deployment Useful Tip # 1 – Creating Read-only partitions during deployment with MDT 2010

Depending on your organization's security policy, you may have the need to make a partition read-only. I have been working on a solution for the last 4 weeks to implement Windows RE into the build process with MDT 2010. Because of security requirements, this drive needs to be marked as read-only.

In an MDT 2010 Task Sequence, you can do this by running two command lines during State Restore.

Task Sequence steps were created to run the CACLS command line to make the R: drive read-only for "Authenticated Users".

ECHO Y| CACLS R:\ /S:O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)

cacls R: /E /R "Authenticated Users"
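The argument after /S: in the first command is an SDDL security descriptor, and the ECHO Y| prefix only answers the CACLS confirmation prompt. Before putting a descriptor like this into a task sequence it is worth decoding it to see exactly which principals it names and with which rights. The decoder below is an added illustration, not code from the post or from Microsoft; it handles the SDDL subset used for file-system DACLs (a few well-known SID aliases, Allow/Deny/Audit ACE types, inheritance flags and the file-rights abbreviations) and raises on anything else rather than skipping it.

```python
"""Decoder for the SDDL string passed to CACLS /S in the post above.

Added illustration, not code from the post or from Microsoft. Only the SDDL
subset needed for file-system DACLs is covered; unknown tokens raise ValueError.
"""
import re

# Subset of the well-known SID abbreviations defined for SDDL.
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone",
}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
ACE_FLAGS = {
    "OI": "object inherit (files below)",
    "CI": "container inherit (folders below)",
    "IO": "inherit only",
    "NP": "no propagate",
    "ID": "inherited",
}
RIGHTS = {
    "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
    "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
    "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
DACL_FLAGS = {
    "P": "protected: inheritance from the parent is blocked",
    "AI": "auto-inherited",
    "AR": "auto-inherit required",
}


def _tokens(run, table):
    """Split a run such as 'OICI' or 'PAI' into the codes listed in table."""
    out, i = [], 0
    while i < len(run):
        if run[i:i + 2] in table:
            out.append(run[i:i + 2])
            i += 2
        elif run[i] in table:
            out.append(run[i])
            i += 1
        else:
            raise ValueError(f"unknown token in {run!r} at {run[i:]!r}")
    return out


def _parse_ace(text):
    fields = text.split(";")
    if len(fields) < 6:
        raise ValueError(f"malformed ACE: ({text})")
    ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = fields[:6]
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unsupported ACE type {ace_type!r}")
    return {
        "type": ace_type,
        "flags": _tokens(flags, ACE_FLAGS),
        "rights": [rights] if rights.startswith("0x") else _tokens(rights, RIGHTS),
        "trustee": trustee,
    }


def parse_sddl(sddl):
    """Return owner, group, DACL flags and the ACE list of an SDDL string."""
    # Each component is a letter, a colon, then everything up to the next 'X:' marker.
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl = parts.get("D", "")
    return {
        "owner": parts.get("O"),
        "group": parts.get("G"),
        "dacl_flags": _tokens(dacl.split("(", 1)[0], DACL_FLAGS),
        "aces": [_parse_ace(a) for a in re.findall(r"\(([^)]*)\)", dacl)],
    }


def allowed_trustees(parsed):
    """Map each trustee that has an Allow ACE to the rights it is granted."""
    granted = {}
    for ace in parsed["aces"]:
        if ace["type"] == "A":
            granted.setdefault(ace["trustee"], []).extend(ace["rights"])
    return granted


def describe(sddl):
    """Human-readable rendering of the descriptor."""
    p = parse_sddl(sddl)
    lines = [f"Owner: {SID_ALIASES.get(p['owner'], p['owner'])}",
             f"Group: {SID_ALIASES.get(p['group'], p['group'])}",
             "DACL flags: " + ", ".join(DACL_FLAGS[f] for f in p["dacl_flags"])]
    for ace in p["aces"]:
        who = SID_ALIASES.get(ace["trustee"], ace["trustee"])
        rights = ", ".join(RIGHTS.get(r, r) for r in ace["rights"])
        flags = ", ".join(ACE_FLAGS[f] for f in ace["flags"]) or "this folder only"
        lines.append(f"  {ACE_TYPES[ace['type']]} {who}: {rights} [{flags}]")
    return "\n".join(lines)


# The descriptor from the post's first CACLS command.
POST_SDDL = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"

if __name__ == "__main__":
    print(describe(POST_SDDL))
    print("Principals with an Allow ACE:", sorted(allowed_trustees(parse_sddl(POST_SDDL))))
```

Decoding the post's descriptor shows the owner set to BUILTIN\Administrators, the DACL marked protected (no inheritance from the parent) and auto-inherited, and exactly two ACEs, both Allow with full access and inheriting to files and folders below: one for BUILTIN\Administrators and one for SYSTEM. Authenticated Users receives no ACE in this descriptor, which is why the second cacls command's /R only matters if an entry for that group is still present.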

Unattend.XML, Windows 7 Deployments, and PC naming

You may have experienced an error when installing Windows 7: "Windows could not parse or process unattend answer file [C:\Windows\Panther\unattend.xml] for pass [specialize]. The answer file is invalid."

There could be several reasons for this error, and the best place to start looking is the Windows Setup log file in C:\Windows\Panther. In this case, I found the following in the setup log.

<ComputerName>MENDTVMware-50 0e 64 8d bd df 91 77-98 ee 3b a4 bb 58 7b b4</ComputerName>

Windows has a limit of 15 characters for the computer name. To resolve this issue, you may want to reconsider your organization's PC naming convention. 🙂
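A check like the one below catches this before Setup does. It is an added example, not from the original post: check_computer_name enforces the 15-character NetBIOS limit described above and, as a stricter assumption stated here, the RFC 1123 host-label character set (letters, digits, interior hyphens) and no all-digit names, so the name will also be valid as the DNS host name; name_from_template and find_collisions are assumptions of this example that show one way to keep a prefix-plus-serial convention within the limit and to spot the collisions that truncating serial numbers can cause.

```python
"""Computer-name checks for the 15-character limit discussed above.

Added example, not from the original post. The character rules applied are the
RFC 1123 host-label rules (stricter than NetBIOS alone), chosen so that the
name is also a valid DNS host name.
"""
import re

MAX_NETBIOS_NAME = 15
# Letters and digits, hyphens allowed only in the interior of the name.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# The over-long name quoted from the setup log in the post.
PAGE_NAME = "MENDTVMware-50 0e 64 8d bd df 91 77-98 ee 3b a4 bb 58 7b b4"


def check_computer_name(name):
    """Return the list of rule violations for a proposed name (empty list = acceptable)."""
    problems = []
    if not name:
        return ["name is empty"]
    if len(name) > MAX_NETBIOS_NAME:
        problems.append(f"{len(name)} characters exceeds the {MAX_NETBIOS_NAME}-character NetBIOS limit")
    if " " in name:
        problems.append("contains spaces")
    if not _LABEL.match(name):
        problems.append("not a valid DNS host label (letters, digits and interior hyphens only)")
    if name.isdigit():
        problems.append("consists only of digits")
    return problems


def name_from_template(prefix, serial, limit=MAX_NETBIOS_NAME):
    """Build prefix + serial; when too long, keep the right-most serial characters.

    Non-alphanumeric characters in the serial (spaces, hyphens) are dropped first.
    The right-most characters are kept because they usually vary most between units.
    """
    keep = limit - len(prefix)
    if keep <= 0:
        raise ValueError(f"prefix {prefix!r} leaves no room for a serial number")
    cleaned = re.sub(r"[^A-Za-z0-9]", "", serial)
    return (prefix + cleaned[-keep:]).upper()


def find_collisions(prefix, serials):
    """Map each generated name to the serials that produce it, keeping only duplicates."""
    seen = {}
    for serial in serials:
        seen.setdefault(name_from_template(prefix, serial), []).append(serial)
    return {name: ss for name, ss in seen.items() if len(ss) > 1}


if __name__ == "__main__":
    for problem in check_computer_name(PAGE_NAME):
        print("rejected:", problem)
    fixed = name_from_template("DT", "VMware-50 0e 64 8d")
    print(fixed, check_computer_name(fixed) or "ok")
    # Constructed serial numbers: the first two differ only by punctuation.
    print(find_collisions("DT", ["SN-0001", "SN0001", "SN0002"]))
```

Run against the name from the setup log, the checker reports three problems (length, spaces, invalid characters); the truncation helper produces a 15-character name, and the collision check shows why a truncated or normalised serial should be verified against the existing inventory before it becomes a naming rule.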