The Deployment Bunny

OS Deployment, Virtualization, Microsoft based Infrastructure…

Posts Tagged ‘Deployment’

Nice to Know – The hidden location for all HP server drivers

Posted by Mikael Nystrom on November 9, 2016

The latest version of the HP support pack, 2016.10.0, was released recently and we downloaded it to deploy it as usual, but Jorgen Brandelius at TrueSec could not resist the need to poke around on the media, and there it was, the hidden folder!!!

The magic folder.

What’s in the folder?

In the folder you will find the following structure. It is basically all drivers for Windows Server 2016 (and older supported OS as well) for all supported HP servers, and it also includes agents for Nano Server running on HP ProLiant.


What now?

Download, import and smile while you are deploying the HP server.



Posted in Deployment, Drivers, HP | 6 Comments »

Working in the Datacenter – Enable Virtual TPM in Hyper-V gives you the ability to test BitLocker in a VM

Posted by Mikael Nystrom on January 26, 2016

Last night a friend contacted me and said “-Did you ever post the vTPM thing?”. I did say yes, but I was wrong, so here it is…

Simple: without testing and verification, a deployment solution will fail. One of the tasks that takes a lot of time to test and verify is BitLocker, and that also includes TPM. Windows 10 and Windows Server 2016 give you the ability to create Virtual Machines with a Virtual TPM Chip 2.0.

A VM running Windows Server 2012 R2 with a vTPM chip. The VM is running on Windows Server 2016.

The How-To Part

You need to run Windows Server 2016 TP4 or Windows 10.

On the host, add Isolated User Mode, Hyper-V and Host Guardian Services by running the following PowerShell command (elevated):

Add-WindowsFeature -Name "Isolated-UserMode","Hyper-V","HostGuardian" -IncludeAllSubFeature -IncludeManagementTools

If needed, restart the host.

Before you can enable the vTPM you need to have a Guardian Service guardian object, and with that you can create a Key Protector.

New-HgsGuardian -Name 'Guardian' -GenerateCertificates
$Owner = Get-HgsGuardian -Name 'Guardian'
$KeyProtector = New-HgsKeyProtector -Guardian $Owner -Owner $Owner -AllowUntrustedRoot

Great, the last piece is to enable the vTPM:

Set-VMKeyProtector -VMName 'WSUS01' -KeyProtector $KeyProtector.RawData
Enable-VMTPM -VMName 'WSUS01'
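
The same steps as one re-runnable script with the checks a lab host needs, as an added example that is not part of the original post. It assumes the VM name 'WSUS01' and guardian name 'Guardian' used above, and that the Generation 2 and powered-off checks are wanted before the key protector is changed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.
# Assumptions: VM 'WSUS01' and guardian 'Guardian' as used in the post; test/lab host.
$VMName       = 'WSUS01'
$GuardianName = 'Guardian'

# A vTPM needs a Generation 2 VM, and the key protector can only be set while the VM is off.
$vm = Get-VM -Name $VMName -ErrorAction Stop
if ($vm.Generation -ne 2) {
    throw "vTPM requires a Generation 2 VM; '$VMName' is Generation $($vm.Generation)."
}
if ($vm.State -ne 'Off') {
    throw "Shut down '$VMName' before changing its key protector."
}

# Reuse the local guardian if it already exists, so a re-run does not
# generate a second set of self-signed certificates.
$owner = Get-HgsGuardian | Where-Object Name -eq $GuardianName
if (-not $owner) {
    New-HgsGuardian -Name $GuardianName -GenerateCertificates | Out-Null
    $owner = Get-HgsGuardian -Name $GuardianName
}

# Only touch the VM if the vTPM is not enabled yet.
if (-not (Get-VMSecurity -VMName $VMName).TpmEnabled) {
    # -AllowUntrustedRoot accepts the self-signed guardian certificates (lab use).
    $keyProtector = New-HgsKeyProtector -Guardian $owner -Owner $owner -AllowUntrustedRoot
    Set-VMKeyProtector -VMName $VMName -KeyProtector $keyProtector.RawData
    Enable-VMTPM -VMName $VMName
}

# Verify the result.
Get-VMSecurity -VMName $VMName |
    Select-Object TpmEnabled, Shielded, EncryptStateAndVmMigrationTraffic
```

The guardian's self-signed certificates live in the host's "Shielded VM Local Certificates" store; a VM whose vTPM is bound to them will not start on another host unless those certificates, including private keys, are moved with it.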


Posted in Deployment, Hyper-V, OSD, Windows 10, Windows Server 2016, Windows Server vNext | 6 Comments »

OS Deployment – Windows 10 and OUs, Policies and LAPS

Posted by Mikael Nystrom on November 4, 2015

So, you are about to deploy Windows 10 in your organization, that sounds like a great plan. Before you start I do have some recommendations when it comes to joining them in your domain.

Create a separate OU for your Windows 10 computers

Yes, I strongly recommend that you do this. When working with customers I see a lot of “-We have 850 GPO settings that we used for XP, should we apply the same for Windows 10?” and the answer is of course NO!!!! Instead you create a new OU and start over; this is your chance to clean up that mess. For most customers it turns out that you need just a small number of settings for Windows 10 computers, since most are already correct. Also, you might use ConfigMgr and be starting to use the policy in there instead, or be shifting to MDM. Just have a blank and blocked OU for your Windows 10 computers until you have figured out exactly what you need to have. After that, you might want to move computers back, use a WMI filter or rearrange your OU structure.

A separate OU has been created for Windows computers.

What policies should you have?

This is a discussion I have with every customer and over time I have learned to explain this. I usually divide all settings into four different categories, and the simple rule is that if you can’t tag your policy with any of these four categories, don’t use it!

Group Policy Settings Reference for Windows 10:

Download Settings Ref.

Settings that will help the user to do the correct action

This could be to save documents in the correct place, to configure the antivirus program to perform correctly, and so on.

Settings that brand the computer correctly

Branding is important from many aspects. One is that the user often sees a non-branded device as their “own”, while a branded computer belongs to the company, and this also reflects the way people treat the device.

Settings that prevent the user from shooting themselves in the foot

These are not security settings, this is more of the “Would you like to open Word Documents using Notepad instead of Word”, and that will prevent the user from working, kind of…

Real Security settings

As a first step, you need to have some kind of strategy around security; there is not really any value in locking down a computer to insanity while the user is a local admin anyway. As a first step, use Security Compliance Manager 3.0 plus the draft for Windows 10 Security Settings (and the final version when that arrives) to determine a baseline.

Windows 10 Security Compliance Manager Baselines:

Security Compliance Manager:

The new template files for SCM and Windows 10 (draft).

Implement Local Administrator Password Solution (LAPS)

With LAPS you have a solution that will change the password of the local admin account on a regular basis and store it in Active Directory. This is one of those “Just install it, don’t ask” things.


Download LAPS.

Update your ADMX and ADML files for Windows 10

OK, so the basics are done. Now you need to download the new ADMX and ADML files and store them in a Central Store.

Download the ADMX and ADML files

That is done here:

After download, run the installer to unzip the files. Open the folder and remove all language folders you don’t need. I usually only keep en-US. The only reason to have other languages is that you have administrators who don’t understand English; this has nothing to do with end users, they will hopefully never, ever create or modify GPOs.


Download the ADMX and ADML files for Windows 10.

Update your Central Store

This is very much recommended, but it will work if you use a local store as well. The reason to have a central store is that all policies modified/created will use the same base; otherwise there is a huge risk that a policy is created on one machine with different languages and different versions, and that could lead to all kinds of disaster. (In this case the server is named SRVDC01 and the domain name is network.local)

So, the easy way is to rename the folder called \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions to \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions.old

And copy the new policydefinitions from your unzipped folder to \\srvdc01\SYSVOL\network.local\Policies\PolicyDefinitions like this:

The PolicyDefinitions folder in the correct location.

If you had any custom policy files, copy them from PolicyDefinitions.old to PolicyDefinitions to get them back. The reason I do this is that some policies have been changed, and instead of picking them out it is easier to just rename the old folder and upload a new folder with the correct policies. Note: this does not change ANY existing policies at all. When you create a new policy the Policy Editor will start using the new templates, that’s all.

To verify that you have the correct policies in place, just open GPEdit, create a new policy and browse to a new setting you did not have before.

Here you can see that the template is fetched from Central Store and that I can Configure Device Guard that is a feature of Windows 10.


Posted in Deployment, Windows 10 | 2 Comments »

PowerShell is King – Running a PowerShell Demo Script in a Task Sequence

Posted by Mikael Nystrom on September 29, 2015

During the Management Master class today I did a demo of running a PowerShell script inside a Task Sequence that gathers information both from the task sequence and natively, and writes the information in the Task Sequence dialog box. Apparently I did not publish that, so here it is. To use it, put it in the MDT Toolkit Script folder and run it using the Execute PowerShell Script activity.

PowerShell script action in Task Sequence






Posted in Deployment, PowerShell | Leave a Comment »

PowerShell is King–Invoke-EXE could help you run .EXE using PowerShell

Posted by Mikael Nystrom on September 29, 2015

During today’s Management Masters I did a demo on how and why to use application wrappers. In one of the demos I showed a function called Invoke-Exe and I thought I had published that a long time ago, but I did not, so here it is. Actually, there are two versions of this. One always returns the exit code from the app, and then you can use that for conditioning; the other one checks that the return code is what you told it to be, and if not it throws an error.

Invoke-EXE – Version 1



Invoke-EXE – Version 2



How to use them?

You can import them as modules and then execute them. (Since they have the same function name, you cannot run them at the same time. If you need to, just rename one of the functions, or just use the function as a part of your script.)

For version 1:

Invoke-EXE -Executable setup.exe -Arguments "/silent" -SuccessfulReturnCode 0

For version 2:

Invoke-EXE -Executable setup.exe -Arguments "/silent"


Invoke-EXE -Executable setup.exe


Posted in Deployment, PowerShell | Leave a Comment »

Deployment Fundamentals Vol. 5: Building a Real-World Infrastructure with Windows Server 2012 R2 using MDT 2013 and a massive amount of PowerShell

Posted by Mikael Nystrom on September 29, 2015

My partner in crime, Johan Arwidmark and I wrote a book a year ago and this morning when I woke up I realized that we never did any commercials for it and that felt wrong, so here it is.

The book was written because we believe that a lot of IT Pros sometimes have the need to build a basic infrastructure, fast, using scripts. That is what the book is about. If you follow the steps in the book you will run a massive amount of PowerShell and in the end you will have a Domain Controller, File Server, WSUS server, Print Server, Work Folders Server, Certificate Authority and some more. Everything is built using PowerShell. The scripts are written in a way that you should be able to tweak, modify and steal with pride.

You can order it online from Amazon here:

If you bring it to the next conference we attend, we will sign it for you.


Posted in Book, Deployment | 1 Comment »

Nice to Know – Yes, it is possible to copy items between two Task Sequences as well as copy items between 2 different deployment shares

Posted by Mikael Nystrom on November 11, 2014

This is NOT a new feature, I can’t even remember how long this has been working, but this morning I saw a Tweet where someone was happy about the possibility to copy items between deployment shares in MDT, so for those that know all this, you do not need to read more, for the rest of you.

Yes, you can copy items between Task Sequences

(it also works to copy items within a Task Sequence)

This works in both MDT as well as in ConfigMgr.




Yes, you can copy items between Deployment Shares (Only for MDT, Lite Touch)

In this case I have 3 deployment shares in the Deployment Workbench and it is possible to copy all kinds of items between these 3 deployment shares.


Let us copy some application from one deployment share to another.

Select Application, right click and select Copy.


Browse to new location, right-click, select Paste.


The application has been copied to the new deployment share.



Posted in ConfigMgr, Lite Touch, MDT, OSD, Zero Touch | 3 Comments »

PowerShell is King – Create a webpage containing LTI/ZTI Deployment issues with information and links to logs

Posted by Mikael Nystrom on December 29, 2013

Knowing is better than guessing, that is an indisputable fact as far as I know, and since we try to automate more and more (someone wrote “automating the world, line by line” and that is so darn correct) we now need to monitor much more. OS Deployment has been possible to automate for many years, but the level of monitoring to see if everything is working correctly is in place and there are many reasons for that, some solutions just take forever to deploy and configure and some take forever to understand how they work.

The Problem:

We need to be able to see if everything works as expected. We all work in the Service Sector, we are supposed to service our organizations and help our users so they can do whatever they are supposed to do (I know, working in IT is not that cool anymore). If you have MDT you could enable the monitoring feature, but it will only tell you about ongoing deployments and if they went well or not; you cannot see the issues, only the number of issues. If you have SCCM it is far better, but, better could be better…

The Solution

In MDT there is a monitoring feature, and what not many know is that it is actually writing to the event log.

$MDTevents = Get-EventLog -LogName Application -Source MDT_Monitor -EntryType Warning,Error
$MDTevents | Select Message

Output from running the commands above.

So, if we could create a script that dumps that, splits the message into 3 objects (machine name, type of error, and message) and adds the path to the logs for each machine, we have a solution, right?

Issue Number one

The event log is fantastic, it has so many parameters to work with, but in this case it does not work, since all data is just a string in the event itself, so we need to extract that and “bend the rules a bit”. This is what we get if we don’t do anything at all:

As you can see, it is all in the EventData, just as a dumb string.

With this little function we can now dump the data, turn the string into 3 objects, flip them around so that the computer name comes first (I like to sort it on computer name) and remove junk.


Issue Number two

Converting to HTML with links to the logs, well, that can be done rather easily using this part:

Here you can see that we dump out the data by running the function Get-MDTIssues with a select statement that in the first position creates a new object called “link”, and it will add an href tag on the computer name, so now we have a nice HTML page. Well, not really. There is another problem.

Issue Number three

ConvertTo-HTML does not like HTML, it will of course convert everything to HTML, including HTML and the HTML we had is no HTML anymore…

But the output of ConvertTo-Html is an object, so we can of course convert that on the fly using -replace, and at the same time we can add the computer name correctly to the server we are running this on.
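
One way to do the parsing and the link fix-up described in Issues one to three, as an added example (not the author's Get-MDTIssues script, which is not reproduced on this page). The function names, the `@@LOG:…@@` token and the `http://<server>/Logs/<computer>/` layout are assumptions, and the message format is taken from the Write-EventLog test command further down. Rather than converting the whole page back to HTML, it turns only the token into a link, so text that came from an event message stays HTML-encoded.

```powershell
# Added example - not the author's script. Function names, the @@LOG:...@@ token
# and the http://<server>/Logs/<computer>/ layout are assumptions.

function ConvertFrom-MdtMonitorMessage {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # Expected shape: "<Type> logged for computer <NAME>: <text>"
        $pattern = '(?s)^(?<Type>\w+) logged for computer (?<Computer>[A-Za-z0-9_-]{1,15}):\s*(?<Text>.*)$'
        if ($Message -match $pattern) {
            # Computer name first, so the result sorts naturally on it
            [pscustomobject]@{
                Computer = $Matches.Computer.ToUpperInvariant()
                Type     = $Matches.Type
                Message  = $Matches.Text.Trim()
            }
        }
        else {
            Write-Warning "Unrecognized MDT_Monitor message skipped: $Message"
        }
    }
}

function ConvertTo-MdtIssueHtml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Issue,
        [string]$Server = $env:COMPUTERNAME
    )
    # The token has no HTML-special characters, so ConvertTo-Html leaves it untouched
    $rows = $Issue | Sort-Object Computer | Select-Object @{
        Name = 'Computer'; Expression = { "@@LOG:$($_.Computer)@@" } }, Type, Message
    $html = $rows | ConvertTo-Html -Title 'MDT deployment issues'
    # Only the token becomes markup; the message text stays HTML-encoded
    $link = '<a href="http://{0}/Logs/$1/">$1</a>' -f $Server
    $html -replace '@@LOG:([A-Za-z0-9_-]{1,15})@@', $link
}

# Constructed sample messages; on the MDT server use instead:
#   (Get-EventLog -LogName Application -Source MDT_Monitor -EntryType Warning,Error).Message
$sample = @(
    'Error logged for computer TEST01: Application Install - HP Support Pack returned an unexpected return code: 1'
    'Warning logged for computer PC0002: message containing <b>markup</b> that must stay text'
)
$issues = $sample | ConvertFrom-MdtMonitorMessage
ConvertTo-MdtIssueHtml -Issue $issues | Set-Content -Path .\MDTIssues.htm -Encoding UTF8
```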


Issue Number four

Now everything works, Yeah, well no, as soon as you have this “not-so-very-designed-web-page” you will be able to click the links and THAT works, you will end up in the log folders


So let us click one of them:

So far so good:


But you cannot click any of the links until you add a mime type for .log in IIS


Install and Configure

  • Download file from here:
  • Store it locally on the MDT server (the server with the Deployment Workbench; it is possible to run the script from another machine, but then you need to modify the script to read the log from another computer)
  • Make sure that MDT Monitoring is enabled


  • Make sure that CustomSettings.ini is correctly configured to store the logs and to send monitor data
    • SLShare=\\SRVMGT01\Logs$
    • EventService=http://SRVMGT01:9800
  • Add the IIS Feature
  • Add two Web Applications


  • Enable Directory Browsing for Logs and MDT (If you call the file default.htm or similar you don’t need that)
  • Schedule the script to run (you could be smart and schedule a task based on the MDT_Monitor source to run the script for warnings and errors)


  • Testing could be done in two ways, you could either deploy a machine and hope it fails or you could run this POSH command:

Write-EventLog -LogName Application -Source MDT_Monitor -EntryType Warning -EventId 2000 -Message "Error logged for computer TEST01: Application Install – HP Support Pack returned an unexpected return code: 1"


and if everything works correctly, well, you should be able to see that in the webpage


Happy “Warnings, errors and failures”


Posted in Deployment, MDT, SCCM | 13 Comments »

Nice to Know – Reduce the size of your Windows 8.1 WIM after patching and before doing a capture

Posted by Mikael Nystrom on December 23, 2013

Yes, finally it is doable, for real and it gets smaller too :-)

The Problem

Not really a problem maybe, but when the ref image gets bigger and bigger every time you create one and you KNOW that it is just old patches and new code that consume the space, you really want to get rid of all the junk. There have been some “do this, it works but it is not really supported” approaches, but now we really have a solution for this.

The solution

Using DISM with the new /ResetBase it is now possible to clean up the image and remove all the old patches. However, there is one downside here: when you clean up, there is NO way to uninstall a patch, since that patch is now “base”. So you should only do this when your image is stable and has no issues at all.

Note: the /resetbase only works on a Windows 8.1 or Windows Server 2012 R2 image, there are other solutions for older legacy systems, like Windows 8 and such, and yes, I’m working on posts for that too.



Dism /Online /Cleanup-Image /StartComponentCleanup /ResetBase


DISM /Image:C:\MyDir\Mount /Cleanup-Image /StartComponentCleanup /ResetBase

In the TaskSequence:


On TechNet:


Posted in Deployment, WIM, Windows 8.1 | 4 Comments »

Deployment Fundamentals, Vol. 2: Deploying Physical and Virtual Servers Using MDT 2010 and SCVMM 2008 R2

Posted by Mikael Nystrom on December 24, 2011


So finally, the new book is out. This book is about server deployment using MDT 2010 Update 1. In this book we show you how to create ref images for Windows Server 2008 R2 and Windows Server 2003, and trust me, 2003 is not even close to being funny in this case. We also show you how to deploy them with real drivers and real applications. We have created plenty of task sequences so most of the different server roles are included. We also have something around SCVMM; it is basically an image in SCVMM, but then we use MDT 2010 as a task sequence engine to finalize the configuration. A very nice combo. Just a short note: even if your primary target is client, this book could give you some tips and tricks.
– If we have started the next book, Vol III?
– Yes, we have….



Posted in Deployment, MDT, SCVMM | 7 Comments »