The Deployment Bunny

OS Deployment, Virtualization, Microsoft based Infrastructure…


    Mikael Nystrom

    Mikael Nystrom

    OS Deployment Geek, Virtualization and System Center

    Mikael Nystrom is a Microsoft MVP and Principal Architect at TrueSec

  • Archives

  • Meta

Working in the Datacenter – Keeping WSUS Happy using PowerShell

Posted by Mikael Nystrom on February 3, 2016

We use WSUS in our own datacenter as well as customer sites, for many client based scenarios this is done using WSUS and ConfigMgr, but in the fabric it is either WSUS or WSUS and SCVMM. When WSUS is used for content and distribution (Nativly or with SCVMM) it needs a helping hand…

  • Someone need to deny all patches that are superseeded, this does not happen automatically.
  • Someone needs to cleanup old content, computers, patches and such, this does not happen automatically.
  • Someone needs to care for the database, this does not happen automatically.

So, over the years poeople around the globe has been providing scripts for this, and here is what we currently are using.

The script will do the following


Connect to a database

you might need to change this in the script.

#For Windows Internal Database, use $WSUSDB = ‘\\.\pipe\MICROSOFT##WID\tsql\query’
#For SQL Express, use $WSUSDB = ‘\\.\pipe\MSSQL$SQLEXPRESS\sql\query’

Get the Superseeded Updates

Here is the Posh that fixes that:

$SuperSeededUpdates = Get-WsusUpdate -Approval AnyExceptDeclined -Classification All -Status Any | Where-Object -Property UpdatesSupersedingThisUpdate -NE -Value ‘None’ -Verbose
$SuperSeededUpdates | Deny-WsusUpdate –Verbose

Cleanup WSUS

We run each step sepratly, however, you can change that and run everything in one line…

Cleanup the DB

Last part runs sqlcmd using a .SQL file from MSFT Gallery, and yes, you can download and install the PowerShell tools for SQL and use that instead. Most of your customers dont have thoose tools installed, so sqlcmd.exe it is.

Posted in Datacenter, Patching, PowerShell, WSUS | Tagged: , , , | 10 Comments »

OS Deployment – Allow PXE deployment to the same MAC Address by configure SMS_DISCOVERY_DATA_MANAGER in ConfigMgr, or How to deploy Windows to shared docking stations and usb network adapters

Posted by Mikael Nystrom on January 29, 2016

This is very simple, when you deploy a device uisng PXE, ConfigMgr will inventory the MAC address, but that will prevent that mac address from being used once more unless the hardware inventory is executed after the machine has been deployed and removed from the docking station (similar)

The fix:

  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Components \SMS_DISCOVERY_DATA_MANAGER on the primary site server
  • Add a MultiString entry called ExcludeMACAddress
  • Add all Mac Address to ExcludeMACAddress

For a complete story I strongly recommend you to read the following post:


Posted in OS Deployment, OSD, Windows 10 | Tagged: , , | 1 Comment »

Working in the Datacenter–Enable Virtual TPM in Hyper-V gives you the ability to test bitlocker in a VM

Posted by Mikael Nystrom on January 26, 2016

Last night a friend contaced me and said “-Did you ever post the vTPM thing?”, i did say yes, but i was wrong, so here it is…

Simple, without testing and verfication, a deployment solution will fail. One of the tasks that takes a lot of time to test and verify is BitLocker and that also includes TPM. Windows 10 and Windows Server 2016 gives you the ability to create Virtuial Machines with a Virtual TPM Chip 2.0.

A VM running Windows Server 2012 R2 with a vTPM chip, The VM is running on Windows Server 2016.

The How-To Part

You need to run Windows Server 2016 TP4 or Windows 10.

On the host, add Isolated UserMode, Hyper-V and Hostguardian Services, by running the following powershell command(elevated):

Add-WindowsFeature -Name “Isolated-UserMode”,”Hyper-V”,”HostGuardian” -IncludeAllSubFeature –IncludeManagementTools

If needed, restart the host.

Before you can enable the vTPM you need to have a Guardian Service guardian object and with that you can crerate a Key Protector.

New-HgsGuardian -Name ‘Guardian’ -GenerateCertificates
$Owner = Get-HgsGuardian -Name ‘Guardian’
$KeyProtector = New-HgsKeyProtector -Guardian $Owner -Owner $Owner –AllowUntrustedRoot

Great, the last piece is to enable the vTPM

Set-VMKeyProtector -VMName ‘WSUS01’ -KeyProtector $KeyProtector.RawData
Enable-VMTPM -VMName ‘WSUS01’


Posted in Deployment, Hyper-V, OSD, Windows 10, Windows Server 2016, Windows Server vNext | Tagged: , , , , , | Leave a Comment »

Deployment Fundamentals, Vol. 6: Deploying Windows 10 Using Microsoft Deployment Toolkit (and some PowerShell)

Posted by Mikael Nystrom on January 6, 2016

Yes, the book is finally done and it is up on Amazon. The book follows all the others by being a build-while-you-read book, it includes a complete set of PowerShell scripts that will build your entire lab environment (The script has been changed, so it will be easier to use them at customer sites or other test/lab environments if needed). The focus of the book is as you could guess by the title to deploy Windows 10 using MDT and LiteTouch. The versions we did use in the book are Windows 10 1511, MDT 2013 Update 2 and the new ADK. It has been hard work, late nights, but darn I still love writing books… You can find the book on as well as other sites. oh, btw, the book also includes a complete hydration kit that uses MDT and PowerShell to build your complete lab environment.


Happy reading and deploying


Posted in Deployment, MDT, Book | Tagged: , , , | 17 Comments »

OS Deployment – Creating a reference Image with Windows Server 2008 R2 Core could fail

Posted by Mikael Nystrom on December 28, 2015

The Issue:

There is an issue with KB3106614. The issue is that it should not be installed att all on a Windows Server 2008 R2 Core Server. That patch is a Security Update for Silverlight and it has nothing to do with the Core edition of Windows Server 2008 R2, this is what happens:

The never ending install of KB3106614 in Windows Server 2008 R2 Core.

The Solution:

We cannot change the settings on the patch(wich is in this case obvisily incorrect), but we can prevent the update process in LiteTouch to install it by adding WUMU_ExcludeKB. It is also possible to set this in customsettings.ini, but that will prevent this from being installed for other Operating System. So, IMHO, for a ref image creation the easiest way would be to block it by setting this in the Task Sequence.

Prevent the patch from ever being installed using WUMU_ExcludeKB.


Posted in OS Deployment, OSD, Patching, Windows Server 2008 R2 | Tagged: , | Leave a Comment »

Looking in the Mirror – The most viewed posts during 2015

Posted by Mikael Nystrom on December 27, 2015

Kind of fun, when i write a post i have no ide if it is going to be “hit” or a total fail, but here they are, the posts that have most views during 2015:

Number 1


Number 2


Number 3


Number 4


Number 5


Number 6


Number 7


Number 8


Number 9



Posted in Looking Back | Tagged: | Leave a Comment »

OS Deployment in the real World – I really Need a KMS key, but i cannot find it in the VLSC site?

Posted by Mikael Nystrom on December 18, 2015

No KMS Key in the VLSC for Windows 10 for OPEN License  ???

Turns out to be correct, you need to request that since MAK keys now are “prefferd” for Open License. It is possible to order one:

– Call: PA Call Center

– Email: KMSADD

There is ONE blog that i have found that explains this…

So, all credits goes to Steve Whitcher



Posted in OS Deployment, OSD, Windows 10 | Tagged: , , | Leave a Comment »

Working in the Datacenter – Add-DVDDrive does not work correctly in Windows Server 2016 TP4 (or in Windows 10)

Posted by Mikael Nystrom on December 17, 2015

Update 2015-12-17 : This is now a confirmed bug, and as soon as I know more I will update this post.

It seems to be a bug, hopefully it will be fixed soon. The issue is very simple. If you try to run Add-VMDvdDrive the –path must be specified, in previous version that could be left alone. This problem is more common when you create VM Gen 2, since it does not have a DVD by default, and yes when we build VM’s they usually have a empty DVD for various reasons. According to help in the command let, there is no differences in the cmdlet between 1.1 and 2.0, but in reality it is.

The Issue

The problem is that when using the command Add-VMDvdDrive -VMName $VMName it fails with Add-VMDvdDrive : Exception of type ‘System.ArgumentException’ was thrown because it does not have a path, so i have seen workarounds when you create a small ISO and mount that and then you can remove that, but that sucks. There are some other issues as well.

The issue.

The Workaround

Luckily there is 2 different PowerShell modules, 1.1 for older OS and 2.0 for Windows 10/Windows server 2016 TP4 so the only thing you need to do is unload the new PowerShell module for Hyper-V and load the old one, and when you are done, you can load the new module again.

(if you would like to know why there is 2 versions, here you go:

We run this in the beginning of the script to replace the module.

We run this in the end of the script to restore the module.


Here is the code on GHitHub

Posted in Datacenter, Hyper-V, PowerShell, Windows 10, Windows Server 2016 | Tagged: , , , | 1 Comment »

Working in the Datacenter – Creating a Reference Image of Windows Server 2016 TP4

Posted by Mikael Nystrom on December 2, 2015

Yes, you really need a reference Image, if not today, you will need it later. If you just deploy VM’s in an isolated environment, well in that case you might not, but for me testing is all about “Non Contoso” testing. What I mean is that I really need to play/test/learn how to run Windows Server 2016 in VM’s, as Hyper-V, with vendors software (like software from Dell, HP and such), so here it is, some kind of step by step guide to create a reference image for Windows Server 2016 TP4. There is a detailed description on how to create a reference image for Windows 10 on TechNet

MDT 2013 Update is not installed:

Download and Install the following:

ADK 10 –

MDT 2013 Update 1 –

I usually have a dedicated “image factory” server/machine, but you can do this on basically any Windows computer running Windows 7 or above. If you are looking for an image factory, here is the story:

MDT 2013 Update 1 is already installed:

Download the following:

Windows Server 2016 Technical Preview 4 –

Visual C++ –

Configure MDT

Mount the ISO and import the Operating System.

Import the VC++ runtimes as applications –

Create a new Task Sequence for Windows Server 2016 Technical Preview 4 and perform the following modifications:

Add the product key


The product key is located on the media in the folder \Sources\pid.txt (It works with the Datacenter Edition, NOT the standard, don’t use standard for TP4)

Disable the Maps Broker


This step is actually  an application that basically runs a PowerShell script that does disable the service, the reason for having a script is that it is easy to open script, modify, set conditions and similar things in a script, that way I don’t need to modify the task sequence when a change is needed. You can download the script here:

You then need to create an application in the workbench with the following settings:

Quit Install Command: PowerShell.exe -ExecutionPolicy Bypass -File Configure-DisableServicesforWindowsServer.ps1


The services currently makes no sense to have in a UI server and it does not start at all, so instead of having error in the Server Manager I rather disable the service. Of course you can disable the service in any other way, but I don’t like to have a long list of disable commands in the task sequence.

Add .NET framework 3.5.1 (includes 2.0)


A massive amount of server applications, toolkit, drivers does require .Net framework

Add VC++ runtimes


In the beginning of the post I explained how to download all VC++ and how to import an application that that installs all VC++

Basically every agent invented is written in C++ (it seams that way)

Cleanup before SysPrep


Currently the savings are not that great, but as a best practice I always try to make the image as small as possible to make it fast to deploy.

The story is here:

Add Updates


You can add updates by downloading the from, this works when the number of update are small and the update is a .CAB file, but you should configure MDT to use a WSUS server in customsetings.ini, like this:



Posted in Datacenter, Deployment, OS Deployment, OSD, Windows Server 2016 | Tagged: , , , | 3 Comments »

OSD Deployment – Deploying Intel NUC and getting drivers and settings assigned using the AliasUserExit.vbs – Converting Product into %ModelAlias%

Posted by Mikael Nystrom on November 24, 2015

I have been deploying the small and cool Intel NUC’s for a long time, they just have one problem, it is a small problem, but….

There is no Make/Model, actually, the entire SMBBios is empty, now that makes it a bit hard to figure what model we are deploying and therefore it is hard to determine what drivers that needs to be deployed. On some older  NUC’s there could be settings.

This is what we get from PowerShell – Win32_ComputerSystem,Win32_ComputerSystemProduct,Win32_BIOS and Win32_BaseBoard


As you can see Make and Model are kind of “nothing”, but SMBIOSBIOSVersion is RYBDWi35.86A.0350.2015.0812.1722 and that is basically the name of the motherboard, but slightly better, why don’t we use the Win32_BaseBoard and grab product, that seems just to be the perfect match here. And hold it… Win32_BaseBoard is already inventoried by the ZTIGather process, so the only thing we need to do is to set ModelAlias to Product, that seems pretty easy…

The “old” AliasUserExit to the rescue (once more)

The AliasUserExit script runs as a part of the ZTIGather process in MDT/ConfigMgr. This script has a section for Models where either Make is “Intel” or “”, in that case we grab the Product from the gather process and store that in %ModelAlias%.

Script can be found here: and inside the VBscript it explains how to use it

Verify that it works:

Running cscript ZTIGather.wsf /inifile:Customsettings.ini we get this on a DN2820FYK.
Note: In this case someone manually added/modified the SMBios using the Intel Toolkit to say that the Model is DN2820FYKH, but it is actually DN2820FYK
Running cscript ZTIGather.wsf /inifile:Customsettings.ini we get this on a NUC5i7RYB.
Note: In this case the BIOS is “normal”, that is it is totally blank
Running cscript ZTIGather.wsf /inifile:Customsettings.ini we get this on a D53427RKE.
Note: In this case the BIOS does contain vales, older NUC’s could have them set..

Posted in ConfigMgr, Drivers, MDT, OS Deployment, OSD, RealWorld | Tagged: , , , , , | 6 Comments »


Get every new post delivered to your Inbox.

Join 6,459 other followers