The Deployment Bunny

OS Deployment, Virtualization, Microsoft based Infrastructure…


Archive for the ‘Deployment’ Category

Nice to Know – The hidden location for all HP servers drivers

Posted by Mikael Nystrom on November 9, 2016

The latest version of the HP support pack, 2016.10.0, was released recently and we downloaded it to deploy it as usual, but Jorgen Brandelius at TrueSec could not resist poking around on the media, and there it was, the hidden folder!!!

(Image: the magic folder.)

What’s in the folder?

In the folder you will find the following structure: it is basically all drivers for Windows Server 2016 (and older supported OS as well) for all supported HP servers, and it also includes agents for Nano Server running on HP ProLiant.


What now?

Download, import and smile while you are deploying the HP server.


/mike

Posted in Deployment, Drivers, HP | 6 Comments

Working in the Datacenter–Enable Virtual TPM in Hyper-V gives you the ability to test bitlocker in a VM

Posted by Mikael Nystrom on January 26, 2016

Last night a friend contacted me and said “Did you ever post the vTPM thing?”. I said yes, but I was wrong, so here it is…

Simple: without testing and verification, a deployment solution will fail. One of the tasks that takes a lot of time to test and verify is BitLocker, and that also includes the TPM. Windows 10 and Windows Server 2016 give you the ability to create Virtual Machines with a virtual TPM 2.0 chip.

(Image: a VM running Windows Server 2012 R2 with a vTPM chip. The VM is running on Windows Server 2016.)

The How-To Part

You need to run Windows Server 2016 TP4 or Windows 10.

On the host, add Isolated User Mode, Hyper-V and the Host Guardian Service by running the following PowerShell command (elevated):

Add-WindowsFeature -Name "Isolated-UserMode","Hyper-V","HostGuardian" -IncludeAllSubFeature -IncludeManagementTools

If needed, restart the host.

Before you can enable the vTPM you need a Host Guardian Service guardian object, and with that you can create a Key Protector.

New-HgsGuardian -Name 'Guardian' -GenerateCertificates
$Owner = Get-HgsGuardian -Name 'Guardian'
$KeyProtector = New-HgsKeyProtector -Guardian $Owner -Owner $Owner -AllowUntrustedRoot

Great, the last piece is to enable the vTPM:

Set-VMKeyProtector -VMName 'WSUS01' -KeyProtector $KeyProtector.RawData
Enable-VMTPM -VMName 'WSUS01'
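The same steps as one script, as an added example that is not part of the original post: it refuses to run against a VM that is powered on, reuses an existing guardian instead of creating a second one, verifies the result with Get-VMSecurity, and exports the guardian because its private keys are what protect the vTPM state (and every BitLocker key sealed to it). It assumes a Windows Server host (Get-WindowsFeature), the VM and guardian names from the post, and a hypothetical backup folder C:\HgsBackup.

```powershell
# Added example, not the post's own code. Run elevated on the Hyper-V host.
param(
    [string]$VMName       = 'WSUS01',      # VM name used in the post
    [string]$GuardianName = 'Guardian',    # guardian name used in the post
    [string]$BackupFolder = 'C:\HgsBackup' # hypothetical location for the guardian backup
)

# The features from the post must be present before the Hgs* cmdlets exist.
$missing = Get-WindowsFeature -Name 'Isolated-UserMode','Hyper-V','HostGuardian' |
    Where-Object { -not $_.Installed }
if ($missing) {
    throw "Install these features first (then restart): $($missing.Name -join ', ')"
}

# A key protector can only be set while the VM is powered off.
$vm = Get-VM -Name $VMName
if ($vm.State -ne 'Off') {
    throw "VM '$VMName' is $($vm.State); shut it down before changing the key protector."
}

# Reuse the guardian if it already exists: a new guardian with new certificates
# would not be able to unlock vTPMs that were created with the old one.
$guardian = Get-HgsGuardian -Name $GuardianName -ErrorAction SilentlyContinue
if (-not $guardian) {
    # -GenerateCertificates creates self-signed signing/encryption certificates,
    # which is why -AllowUntrustedRoot is needed below. That is fine for a lab;
    # with certificates from a trusted CA or a real HGS the switch is dropped.
    $guardian = New-HgsGuardian -Name $GuardianName -GenerateCertificates
}

$keyProtector = New-HgsKeyProtector -Owner $guardian -Guardian $guardian -AllowUntrustedRoot
Set-VMKeyProtector -VMName $VMName -KeyProtector $keyProtector.RawData
Enable-VMTPM -VMName $VMName

# Verify: Get-VMSecurity reports whether the TPM is now enabled for the VM.
$security = Get-VMSecurity -VMName $VMName
if (-not $security.TpmEnabled) {
    throw "vTPM was not enabled on '$VMName'."
}

# The guardian's private keys protect the vTPM state and therefore the BitLocker
# keys sealed to it. Export them so a rebuilt host can still start the VM.
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
$backupFile = Join-Path $BackupFolder "$GuardianName.xml"
Export-HgsGuardian -InputObject $guardian -Path $backupFile
Write-Host "vTPM enabled on '$VMName'; guardian exported to $backupFile (store it like a private key)."
```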

/Mike

Posted in Deployment, Hyper-V, OSD, Windows 10, Windows Server 2016, Windows Server vNext | 6 Comments

Deployment Fundamentals, Vol. 6: Deploying Windows 10 Using Microsoft Deployment Toolkit (and some PowerShell)

Posted by Mikael Nystrom on January 6, 2016

Yes, the book is finally done and it is up on Amazon. The book follows all the others by being a build-while-you-read book; it includes a complete set of PowerShell scripts that will build your entire lab environment (the scripts have been changed so they are easier to use at customer sites or in other test/lab environments if needed). The focus of the book is, as you could guess from the title, deploying Windows 10 using MDT and LiteTouch. The versions we used in the book are Windows 10 1511, MDT 2013 Update 2 and the new ADK. It has been hard work and late nights, but darn, I still love writing books… You can find the book on Amazon.com as well as other sites. Oh, by the way, the book also includes a complete hydration kit that uses MDT and PowerShell to build your complete lab environment.


Happy reading and deploying

/mike

Posted in Book, Deployment, MDT | 17 Comments

Working in the Datacenter – Creating a Reference Image of Windows Server 2016 TP4

Posted by Mikael Nystrom on December 2, 2015

Yes, you really need a reference image; if not today, you will need it later. If you just deploy VMs in an isolated environment, well, in that case you might not, but for me testing is all about “non-Contoso” testing. What I mean is that I really need to play with, test and learn how to run Windows Server 2016 in VMs, as Hyper-V, with vendor software (like software from Dell, HP and such), so here it is: some kind of step-by-step guide to creating a reference image for Windows Server 2016 TP4. There is a detailed description of how to create a reference image for Windows 10 on TechNet: https://technet.microsoft.com/en-us/library/mt297533(v=vs.85).aspx.

If MDT 2013 Update 1 is not installed:

Download and Install the following:

ADK 10 – http://go.microsoft.com/fwlink/p/?LinkId=526740

MDT 2013 Update 1 – https://www.microsoft.com/en-us/download/details.aspx?id=48595

I usually have a dedicated “image factory” server/machine, but you can do this on basically any Windows computer running Windows 7 or above. If you are looking for an image factory, here is the story: https://deploymentbunny.com/2014/01/06/powershell-is-king-building-a-reference-image-factory/

If MDT 2013 Update 1 is already installed:

Download the following:

Windows Server 2016 Technical Preview 4 – https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview

Visual C++ – https://deploymentbunny.com/2014/08/05/powershell-is-king-download-all-vc-runtimes-using-a-script/

Configure MDT

Mount the ISO and import the Operating System.

Import the VC++ runtimes as applications – https://deploymentbunny.com/2014/09/25/nice-to-havevb-script-wrapper-for-all-vc-installers-to-be-used-in-mdt/

Create a new Task Sequence for Windows Server 2016 Technical Preview 4 and perform the following modifications:

Add the product key


The product key is located on the media in the file \Sources\pid.txt (it works with the Datacenter Edition, NOT Standard; don’t use Standard for TP4).

Disable the Maps Broker


This step is actually an application that runs a PowerShell script which disables the service. The reason for using a script is that it is easy to open the script and modify it, set conditions and similar things; that way I don’t need to modify the task sequence when a change is needed. You can download the script here: https://github.com/DeploymentBunny/Files/blob/master/Tools/Configure%20-%20Disable%20Services%20for%20Windows%20Server/Configure-DisableServicesforWindowsServer.ps1

You then need to create an application in the workbench with the following settings:

Quiet install command: PowerShell.exe -ExecutionPolicy Bypass -File Configure-DisableServicesforWindowsServer.ps1


The service currently makes no sense on a server with a UI and it does not start at all, so instead of having an error in Server Manager I would rather disable the service. Of course you can disable the service in any other way, but I don’t like having a long list of disable commands in the task sequence.

Add .NET framework 3.5.1 (includes 2.0)


A massive number of server applications, toolkits and drivers require the .NET Framework.

Add VC++ runtimes


At the beginning of the post I explained how to download all the VC++ runtimes and how to import an application that installs all of them.

Basically every agent ever invented is written in C++ (it seems that way).

Cleanup before SysPrep


Currently the savings are not that great, but as a best practice I always try to make the image as small as possible to make it fast to deploy.

The story is here: https://deploymentbunny.com/2014/06/05/nice-to-know-get-rid-of-all-junk-before-sysprep-and-capture-when-creating-a-reference-image-in-mdt/

Add Updates


You can add updates by downloading them from http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3118754. This works when the number of updates is small and the update is a .CAB file, but you should configure MDT to use a WSUS server in customsettings.ini instead.

/Mike

Posted in Datacenter, Deployment, OS Deployment, OSD, Windows Server 2016 | 5 Comments

OS Deployment – Windows 10 and OUs, Policies and LAPS

Posted by Mikael Nystrom on November 4, 2015

So, you are about to deploy Windows 10 in your organization; that sounds like a great plan. Before you start, I have some recommendations when it comes to joining the computers to your domain.

Create a separate OU for your Windows 10 computers

Yes, I strongly recommend you do this. When working with customers I often hear “We have 850 GPO settings that we used for XP, should we apply the same for Windows 10?”, and the answer is of course NO!!!! Instead you create a new OU and start over; this is your chance to clean up that mess. For most customers it turns out that you need just a small number of settings for Windows 10 computers, since most of it is already correct. Also, you might use ConfigMgr and be starting to use the policy in there instead, or shifting to MDM. Just have a blank and blocked OU for your Windows 10 computers until you have figured out exactly what you need to have. After that, you might want to move computers back, use WMI filters or re-arrange your OU structure.

(Image: a separate OU has been created for Windows 10 computers.)

What policies should you have?

This is a discussion I have with every customer, and over time I have learned how to explain it. I usually divide all settings into four different categories, and the simple rule is that if you can’t tag your policy with any of these four categories, don’t use it!

Group Policy Settings Reference for Windows 10: http://www.microsoft.com/en-us/download/details.aspx?id=25250

(Image: download the settings reference.)

Settings that will help the user to do the correct action

This could be to save documents in the correct place, to configure the antivirus program to perform correctly, and so on.

Settings that brand the computer correctly

Branding is important from many aspects. One is that the user often sees a non-branded device as their “own”, while a branded computer belongs to the company, and this also reflects the way people treat the device.

Settings that prevent the user from shooting themselves in the foot

These are not security settings; this is more of the “Would you like to open Word documents using Notepad instead of Word?” kind, and that will prevent the user from working, kind of…

Real Security settings

As a first step, you need to have some kind of strategy around security; there is not really any value in locking down a computer to insanity while the user is a local admin anyway. Use Security Compliance Manager 3.0 plus the draft for the Windows 10 security settings (and the final version when that arrives) to determine a baseline.

Windows 10 Security Compliance Manager Baselines: http://blogs.technet.com/b/secguide/archive/2015/10/08/security-baseline-for-windows-10-draft.aspx

Security Compliance Manager: http://www.microsoft.com/en-us/download/details.aspx?id=16776

(Image: the new template files for SCM and Windows 10 (draft).)

Implement Local Administrator Password Solution (LAPS)

With LAPS you have a solution that changes the password of the local admin account on a regular basis and stores it in Active Directory. This is one of those “Just install it, don’t ask” things.

LAPS: https://www.microsoft.com/en-us/download/details.aspx?id=46899

(Image: download LAPS.)

Update your ADMX and ADML files for Windows 10

Ok, so the basics are done; now you need to download the new ADMX and ADML files and store them in a Central Store.

Download the ADMX and ADML files

That is done here: http://www.microsoft.com/en-US/download/details.aspx?id=48257

After the download, run the installer to unzip the files. Open the folder and remove all the language folders you don’t need. I usually only keep en-US. The only reason to have other languages is that you have administrators who don’t understand English; this has nothing to do with end users, who will hopefully never, ever create or modify GPOs.

(Image: download the ADMX and ADML files for Windows 10.)

Update your Central Store

This is very much recommended, but it will work if you use a local store as well. The reason to have a central store is that all policies modified/created will use the same base; otherwise there is a huge risk that a policy is created on one machine with different languages and different versions, and that could lead to all kinds of disaster. (In this case the server is named SRVDC01 and the domain name is network.local.)

So, the easy way is to rename the folder \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions to \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions.old

and copy the new PolicyDefinitions folder from your unzipped folder to \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions, like this:

(Image: the PolicyDefinitions folder in the correct location.)

If you had any custom policy files, copy them from PolicyDefinitions.old to PolicyDefinitions to get them back. The reason I do this is that some policies have changed, and instead of picking them out it is easier to just rename the old folder and upload a new folder with the correct policies. Note: this does not change ANY existing policies at all. When you create a new policy the Policy Editor will start using the new templates, that’s all.

To verify that you have the correct policies in place, just open GPEdit, create a new policy and browse to a new setting you did not have before.
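The rename-and-copy procedure above as a script, added here as an example and not part of the original post: it renames the existing store to .old, copies the new definitions in, removes the language folders you do not keep, restores any custom .admx/.adml that only existed in the old store, and lists the ADMX files that are new. It assumes the SRVDC01 / network.local paths from the post and a hypothetical unzip location C:\Temp\PolicyDefinitions.

```powershell
# Added example, not the post's own code. Run as a domain admin from a machine that can reach SYSVOL.
param(
    [string]$NewDefinitions  = 'C:\Temp\PolicyDefinitions',  # hypothetical: where the installer unzipped the templates
    [string]$CentralStore    = '\\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions',
    [string[]]$KeepLanguages = @('en-US')                     # language folders to keep, as in the post
)

if (-not (Test-Path $NewDefinitions)) { throw "New templates not found at $NewDefinitions" }
if (-not (Test-Path $CentralStore))   { throw "Central store not found at $CentralStore" }

# 1. Rename the existing store to PolicyDefinitions.old (the step in the post).
$oldStore = "$CentralStore.old"
if (Test-Path $oldStore) { throw "$oldStore already exists; move it away before running again." }
Rename-Item -Path $CentralStore -NewName (Split-Path $oldStore -Leaf)

# 2. Copy the new definitions in, then drop the language folders you do not need.
Copy-Item -Path $NewDefinitions -Destination $CentralStore -Recurse
Get-ChildItem -Path $CentralStore -Directory |
    Where-Object { $KeepLanguages -notcontains $_.Name } |
    Remove-Item -Recurse -Force

# 3. Restore custom templates: any .admx (root) or kept-language .adml that the new set lacks.
$newFiles = Get-ChildItem -Path $CentralStore -Recurse -Include *.admx,*.adml |
    ForEach-Object { $_.FullName.Substring($CentralStore.Length) }
$oldFiles = Get-ChildItem -Path $oldStore -Recurse -Include *.admx,*.adml |
    Where-Object { $_.Extension -eq '.admx' -or $KeepLanguages -contains $_.Directory.Name }
foreach ($file in $oldFiles) {
    $relative = $file.FullName.Substring($oldStore.Length)
    if ($newFiles -notcontains $relative) {
        $target = Join-Path $CentralStore $relative
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -Path $file.FullName -Destination $target
        Write-Host "Restored custom template: $relative"
    }
}

# 4. Show which ADMX files are new, so you know what to look for when verifying in GPEdit.
$added = Compare-Object -ReferenceObject  (Get-ChildItem $oldStore -Filter *.admx).Name `
                        -DifferenceObject (Get-ChildItem $CentralStore -Filter *.admx).Name |
    Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject
Write-Host "New ADMX files in the central store: $($added -join ', ')"
```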

(Image: here you can see that the template is fetched from the Central Store and that I can configure Device Guard, which is a feature of Windows 10.)

/mike

Posted in Deployment, Windows 10 | 2 Comments

PowerShell is King – Running a PowerShell Demo Script in a Task Sequence

Posted by Mikael Nystrom on September 29, 2015

During the Management Master class today I did a demo of running a PowerShell script inside a Task Sequence. The script gathers information both from the task sequence and natively, and writes the information to the Task Sequence dialog box. Apparently I never published it, so here it is. To use it, put it in the MDT Toolkit Scripts folder and run it using the Run PowerShell Script activity.

(Image: PowerShell script action in the Task Sequence.)

DemoPowerShellScript.ps1

(Download link; screenshot of the script.)

/mike

Posted in Deployment, PowerShell | Leave a Comment

PowerShell is King–Invoke-EXE could help you run .EXE using PowerShell

Posted by Mikael Nystrom on September 29, 2015

During today’s Management Masters I did a demo on how and why to use application wrappers. In one of the demos I showed a function called Invoke-Exe, and I thought I had published it a long time ago, but I had not, so here it is. Actually, there are two versions of it. One always returns the exit code from the app so you can use it for conditions; the other checks that the return code is what you told it to be and, if not, throws an error.

Invoke-EXE – Version 1

(Download link; screenshot of the script.)

Invoke-EXE – Version 2

(Download link; screenshot of the script.)

How to use them?

You can import them as modules and then execute them (since they have the same function name, you cannot load both at the same time; if you need to, just rename one of the functions, or use the function as part of your script).

For version 1:

Invoke-EXE -Executable setup.exe -Arguments "/silent" -SuccessfulReturnCode 0

For version 2

Invoke-EXE -Executable setup.exe -Arguments "/silent"

or

Invoke-EXE -Executable setup.exe
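An implementation of both behaviours in a single function, added here as an example; it is not the author's downloadable code. Without -SuccessfulReturnCode it returns the exit code for the caller to branch on; with it, a mismatch throws. It also resolves the executable up front and logs its Authenticode signature, so the deployment log records what actually ran. The only values assumed are the setup.exe and "/silent" used in the post; the 3010 code in the usage comment is the common "success, reboot required" value.

```powershell
# Added example, not the post's own Invoke-EXE versions.
function Invoke-Exe {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Executable,
        [string[]]$Arguments = @(),
        [int[]]$SuccessfulReturnCode    # omit to get "version 1" behaviour (return the code)
    )

    # Resolve the executable first so a typo fails here, not somewhere inside Start-Process.
    $resolved = Get-Command -Name $Executable -CommandType Application -ErrorAction SilentlyContinue
    if (-not $resolved) {
        if (Test-Path -LiteralPath $Executable) { $resolved = Resolve-Path -LiteralPath $Executable }
        else { throw "Executable not found: $Executable" }
    }
    $path = $resolved | Select-Object -First 1 -ExpandProperty Path

    # Installers are a supply-chain risk: record whether the binary is signed and by whom.
    $sig = Get-AuthenticodeSignature -FilePath $path
    Write-Verbose ("Signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)

    Write-Verbose "Running: $path $($Arguments -join ' ')"
    $startArgs = @{ FilePath = $path; Wait = $true; PassThru = $true; NoNewWindow = $true }
    if ($Arguments.Count -gt 0) { $startArgs['ArgumentList'] = $Arguments }
    $process  = Start-Process @startArgs
    $exitCode = $process.ExitCode
    Write-Verbose "Exit code: $exitCode"

    # "Version 2" behaviour: only when the caller said which codes count as success.
    if ($PSBoundParameters.ContainsKey('SuccessfulReturnCode')) {
        if ($SuccessfulReturnCode -notcontains $exitCode) {
            throw "$Executable returned $exitCode; expected one of: $($SuccessfulReturnCode -join ', ')"
        }
    }
    return $exitCode
}

# Usage matching the post. 3010 ("success, reboot required") is worth accepting
# alongside 0 when chaining installers in a task sequence:
#   $rc = Invoke-Exe -Executable setup.exe -Arguments '/silent'
#   Invoke-Exe -Executable setup.exe -Arguments '/silent' -SuccessfulReturnCode 0,3010 -Verbose
```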

/mike

Posted in Deployment, PowerShell | Leave a Comment

Deployment Fundamentals Vol. 5: Building a Real-World Infrastructure with Windows Server 2012 R2 using MDT 2013 and a massive amount of PowerShell

Posted by Mikael Nystrom on September 29, 2015

My partner in crime, Johan Arwidmark, and I wrote a book a year ago, and this morning when I woke up I realized that we never did any advertising for it. That felt wrong, so here it is.

The book was written because we believe that a lot of IT Pros sometimes need to build a basic infrastructure, fast, using scripts. That is what the book is about. If you follow the steps in the book you will run a massive amount of PowerShell, and in the end you will have a Domain Controller, File Server, WSUS server, Print Server, Work Folders server, Certificate Authority and some more. Everything is built using PowerShell. The scripts are written in a way that you should be able to tweak, modify and steal with pride.

You can order it online from Amazon here:

If you bring it to the next conference we attend, we will sign it for you.

/mike

Posted in Book, Deployment | 1 Comment

My Sessions at Microsoft Ignite 2015

Posted by Mikael Nystrom on May 1, 2015

(Image: banner for Ignite 2015.)

Hands-on Windows 10 Enterprise Deployment

Want to know how to prepare for Windows 10, or how to upgrade from Windows 7, 8, or 8.1 to Windows 10? Maybe you want to know how to build, customize, and deploy your own Windows 10 image? In this pre-day session we explore all of those areas, with hands-on labs to ensure that you’ll be ready for Windows 10 in your organization.

Sunday, May 3rd – 9:00 am to 5:00 pm

Troubleshooting Windows 10 Deployment: Top 10 Tips and Tricks

Need help with troubleshooting Windows deployment issues? Johan and Mikael share lessons learned around handling device drivers in the deployment process, common deployment issues and their workarounds, parsing log files, WinPE and PXE troubleshooting, UEFI deployments. As a foundation, Microsoft Deployment Toolkit and Microsoft System Center Configuration Manager will be used. You can expect a lot of live demos, tips, and tricks in this session.

Wednesday, May 6th – 10:45 am to 12:00 pm

Expert-Level Windows 10 Deployment

Join us for a live demo on how to build a Windows deployment solution, based on Microsoft System Center Configuration Manager. In the session we are taking OS Deployment in Microsoft Deployment Toolkit and System Center Configuration Manager to its outer limits. Deployment tips, tricks, and hard core debugging in a single session. You can expect a lot of live demos in this session.

Thursday, May 7th – 9:00 pm to 10:15 pm

Windows 10 Deployment: Ask the Experts

Still have questions about Windows deployment, even after all the other sessions this week? For this session, we gather as many experts as we can find for a roundtable Q&A session, with plenty of “official” and “real-world” answers for everyone, troubleshooting and implementation advice, and probably a fair number of opinions and “it depends” answers as well.

Thursday, May 7th – 3:15 pm to 10:15 pm

Book signing in the Bookstore

If for any reason you would like to have a book written by me signed, I’ll be there and I will happily sign it for you:

Wednesday, May 6th – 12:30 pm

Posted in ConfigMgr, Deployment, Event, Ignite, MDT | Leave a Comment

PowerShell is King – Bulk import applications in MDT

Posted by Mikael Nystrom on September 3, 2014

Often I need to import applications into the Deployment Workbench, and that is fine. The process is easy and fast, but it is boring, and if you have more than 5 apps it is really boring. Since almost all my apps in MDT are deployed using VB or PowerShell wrappers, each one is just one file in a folder plus a subfolder with the content. You don’t need to be a genius to figure out that 90% of all the apps have pretty much the same folder and file structure in the root of the application folder, so why don’t we use PowerShell to import all the apps based on some guessing?

The Logic:

This part can be modified or edited, or you can add your own. Basically the script reads the folder structure you specify and scans it for folders, assuming that every folder is an application. If it finds .msi, .msu, .exe, .bat, .wsf or .ps1 files it imports them as applications. The important thing is that it imports the first “hit”. That means you should store the real setup files in a subfolder; I usually use .\Source as the source folder. Here you can see the .WSF part of the logic:

(Image: part of the script.)

The command line:

This is the tricky part, since there is no way to know the right command line; it is a guessing game, and the command line might need to be modified after import, but I would rather modify 2-3 applications than import all of them manually.

The default cmdline for all imported apps will be:

.EXE "$Install /q"
.MSI "msiexec.exe /i $Install /qn"
.MSU "wusa.exe $Install /Quiet /NoRestart"
.PS1 "PowerShell.exe -ExecutionPolicy ByPass -File $Install"
.WSF "cscript.exe $Install"

The Script:

The script is rather easy; it takes 2 parameters: the folder to import from and the deployment share. You need to have MDT installed, since the script uses the PowerShell cmdlets from MDT. The syntax for the script looks like this:

.\Import-MDTApps.ps1 -ImportFolder C:\Script\AppFolder -MDTFolder C:\MDTBuildLab

You could also add -Verbose if you like lots of text on the screen.
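The guessing logic described above, written out as an added example; this is my own code, not the downloadable Import-MDTApps.ps1. Every subfolder is one application, only the folder root is scanned so .\Source is left alone, the first matching installer wins, and the command line comes from the extension table above; installers without a valid Authenticode signature are still imported but flagged for review. It assumes the paths from the post, the MDT module in its default install location, a hypothetical drive name DS001, and (since the post lists .bat without a command line) cmd.exe /c for batch files.

```powershell
# Added example, not the post's own Import-MDTApps.ps1. Requires MDT installed on this machine.
[CmdletBinding()]
param(
    [string]$ImportFolder = 'C:\Script\AppFolder',   # folder of application folders, as in the post
    [string]$MDTFolder    = 'C:\MDTBuildLab'         # deployment share root, as in the post
)

Import-Module 'C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1'
if (-not (Get-PSDrive -Name DS001 -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name DS001 -PSProvider MDTProvider -Root $MDTFolder | Out-Null   # DS001 is a hypothetical drive name
}

# Extension -> default command line ({0} is the installer file name), tried in this order; first hit wins.
$commandLines = [ordered]@{
    '.msi' = 'msiexec.exe /i {0} /qn'
    '.msu' = 'wusa.exe {0} /Quiet /NoRestart'
    '.exe' = '{0} /q'
    '.bat' = 'cmd.exe /c {0}'     # assumption: the post lists .bat but gives no command line for it
    '.wsf' = 'cscript.exe {0}'
    '.ps1' = 'PowerShell.exe -ExecutionPolicy ByPass -File {0}'
}

function Find-Installer {
    param([string]$AppFolder)
    foreach ($ext in $commandLines.Keys) {
        # Only the root of the application folder is scanned; the payload in .\Source is untouched.
        $hit = Get-ChildItem -LiteralPath $AppFolder -File -Filter "*$ext" |
            Where-Object { $_.Extension -eq $ext } | Select-Object -First 1
        if ($hit) {
            return [pscustomobject]@{ File = $hit; CommandLine = ($commandLines[$ext] -f $hit.Name) }
        }
    }
}

foreach ($app in Get-ChildItem -LiteralPath $ImportFolder -Directory) {
    $found = Find-Installer -AppFolder $app.FullName
    if (-not $found) {
        Write-Warning "No installer found in the root of $($app.Name); skipping"
        continue
    }

    # Wrappers run with -ExecutionPolicy ByPass inside the task sequence, so an unsigned
    # or tampered file is worth a second look before the share goes into production.
    $sig = Get-AuthenticodeSignature -FilePath $found.File.FullName
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$($app.Name): $($found.File.Name) signature is $($sig.Status); review before deploying"
    }

    Write-Verbose "Importing $($app.Name) with command line: $($found.CommandLine)"
    Import-MDTApplication -Path 'DS001:\Applications' -Enable 'True' `
        -Name $app.Name -ShortName $app.Name -Version '' -Publisher '' -Language '' `
        -CommandLine $found.CommandLine -WorkingDirectory ".\Applications\$($app.Name)" `
        -ApplicationSourcePath $app.FullName -DestinationFolder $app.Name
}
```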

(Image: output when using -Verbose during import.)

You can download the script here: http://1drv.ms/1pGTvkA

/mike

Posted in Deployment, MDT | 4 Comments