When building a master image for a XenDesktop VDI environment, you can choose to prepare the ConfigMgr client first. With ConfigMgr 2007 this was always needed; with ConfigMgr 2012 it is less certain. A recent Microsoft TechNet post, however, suggests it is still needed. Let's have a look at part of that blog post:
Once install completes you will need to make the following changes to the master image prior to snapshot.
1. Stop the SMS Host Service – to do this run the command net stop ccmexec as an administrator
2. Delete the SMSCFG.ini file from the Windows folder – to do this run the command del %WINDIR%\smscfg.ini
3. Delete the SMS certificates – to do this run the following line in PowerShell – Remove-Item -Path HKLM:\Software\Microsoft\SystemCertificates\SMS\Certificates\* -Force or from DOS using powershell -command "Remove-Item -Path HKLM:\Software\Microsoft\SystemCertificates\SMS\Certificates\* -Force"
4. Remove the Inventory Action ID 1 in WMI – to do this run the command wmic /namespace:\\root\ccm\invagt path inventoryActionStatus where InventoryActionID="{00000000-0000-0000-0000-000000000001}" DELETE /NOINTERACTIVE
Do not follow the advice from the Citrix Team Blog which is to install the client and forget about it. This approach will generate bad mifs in your environment. See my post on the subject here.
Just have a look at my other blogpost about "Prepare ConfigMgr client for Sysprep or Master Image" for more information on this.
I'm still convinced to prepare the ConfigMgr client for sure!
Friday, September 19, 2014
Implementing ConfigMgr in a XenDesktop VDI environment
Friday, July 19, 2013
Prepare ConfigMgr client for Sysprep or Master Image
When building and deploying a master image with ConfigMgr for VDI usage, a ConfigMgr client must be installed. I did this multiple times in Citrix and VMware environments. Before the image goes into production, the ConfigMgr client has to be prepared first. Here are the steps to follow.
1) Install the ConfigMgr client on the reference system during task sequence deployment or using local installation;
- CCMsetup.exe SMSSITECODE=<Site code>
2) Stop the SCCM client service;
- Start > Run - CMD.exe
- Type > Net stop "SMS Agent Host"
3) Remove the 2 SMS certificates in the local certificate store;
- Start > Run - MMC.exe
- Select Add/Remove Snap-In
- Select Certificates > Add
- Select Computer account > Next
- Select Local computer > Finish > OK
- Expand Certificates > SMS
- Delete both certificates
4) Delete the %SystemRoot%\SMSCFG.ini file;
Additional steps that can be taken for the Endpoint Protection client:
- For VDI, verify a Full Scan has been run on the Master Host Image, and that persistent cache has been populated;
- You can check the value in HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Scan\SFCState (if it’s 7 then it’s complete, on initial install it will be 0);
- To force the persistent cache to generate, RUN (from an elevated CMD):
- CD C:\Program Files\Microsoft Security Client
- Start > MpCmdRun.exe -buildSFC
Just for information:
- You can export the SCEP policy used and change DisableCatchupFullScan and DisableCatchupQuickScan from 0 to 1. After that the policy can be imported again. Not sure if this is needed all times, but it will surely help;
- The policy name in SCEP will be named "Antimalware policy" by default. All SCEP policies applied can be found in registry: "HKLM\Software\Microsoft\CCM\EPAgent\LastAppliedPolicy";
- During buildSFC a logfile (MpCmdRun.log) can be monitored in: "C:\Users\<username>\AppData\Local\Temp". It's possible that buildSFC must be started multiple times because of a timeout 2400 error. Just start it again till it shows "Service stopped. Exiting Idle TaskEnd";
- The cache file created can be found in: "C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\CacheManager". In my case the file was 1,820 KB in size;
- After buildSFC is finished, the SFCState can be found in registry again: "HKLM\Software\Microsoft\Microsoft Antimalware\Scan". The SFCState value should have changed from 0 to 7 by then!
After that, shut down the reference image, create a snapshot (optional) and use it for your environment. This prevents multiple objects (with the same name) in ConfigMgr and duplicate hardware IDs (as we had in the 2007 version). Hope it helps!
Source: Premier Field Engineering
Update 22-7-2013: Running the buildSFC command is something different than running a full scan on the master image. With a full scan the SCEP client can still start another full scan after using it in VDI. With the buildSFC command it will stop doing that.
Update 13-5-2014: During or after OS deployment the MpCmdRun.log can be found in: C:\Windows\Temp (because no one is logged in during deployment).
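The preparation steps from both posts above, combined with a check of the result before the snapshot is taken, as an added PowerShell example (not code from the original posts or from Microsoft). The -VerifyOnly switch, the Get-InventoryAction helper and the report property names are hypothetical; the service name, paths, WMI class and SFCState values are the ones given on this page.

```powershell
# Added example: prepare the ConfigMgr client on a master image, then verify.
# Run from an elevated Windows PowerShell prompt on the reference machine.
param([switch]$VerifyOnly)   # hypothetical switch: report state, change nothing

$svcName = 'CcmExec'         # service shown as "SMS Agent Host"
$cfgFile = Join-Path $env:WINDIR 'SMSCFG.ini'
$certKey = 'HKLM:\Software\Microsoft\SystemCertificates\SMS\Certificates'
$scanKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan'
$invId   = '{00000000-0000-0000-0000-000000000001}'

function Get-InventoryAction {
    # Hypothetical helper: returns the Inventory Action ID 1 status instance, if any.
    Get-WmiObject -Namespace 'root\ccm\invagt' -Class InventoryActionStatus `
        -Filter "InventoryActionID='$invId'" -ErrorAction SilentlyContinue
}

if (-not $VerifyOnly) {
    # Stop the client first so it is not running while its identity is removed.
    if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svcName -Force
    }
    if (Test-Path $certKey) { Remove-Item -Path "$certKey\*" -Recurse -Force }
    if (Test-Path $cfgFile) { Remove-Item -Path $cfgFile -Force }
    Get-InventoryAction | Remove-WmiObject
}

# Re-read the state from the system instead of trusting the commands above.
$svc   = Get-Service -Name $svcName -ErrorAction SilentlyContinue
$certs = @(Get-ChildItem -Path $certKey -ErrorAction SilentlyContinue)
$sfc   = (Get-ItemProperty -Path $scanKey -Name SFCState -ErrorAction SilentlyContinue).SFCState

$report = New-Object PSObject -Property @{
    ServiceStopped    = (-not $svc) -or ($svc.Status -eq 'Stopped')
    SmsCertsRemaining = $certs.Count
    SmsCfgIniPresent  = Test-Path $cfgFile
    InventoryAction1  = [bool](Get-InventoryAction)
    SFCState          = $sfc   # 7 = persistent cache complete, 0 = initial install
}
$report | Format-List

$clean = $report.ServiceStopped -and ($report.SmsCertsRemaining -eq 0) -and
         (-not $report.SmsCfgIniPresent) -and (-not $report.InventoryAction1)
if (($sfc -ne $null) -and ($sfc -ne 7)) {
    Write-Warning 'SFCState is not 7: run MpCmdRun.exe -buildSFC before the snapshot.'
}
if (-not $clean) {
    Write-Warning 'ConfigMgr client identity is still present: do not snapshot yet.'
    exit 1
}
```

Run it as the last step before shutting down the reference image; a non-zero exit code can fail a task sequence step so that an unprepared image is never captured.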
Thursday, February 14, 2013
How to create a Windows 7 VDI template
With ConfigMgr it's possible to build a Windows 7 VDI template. You can build it manually or even better, in a task sequence. That way the VDI template can be updated at a later time. For VMware View the following (default) script can be used:
================================
rem Setting Default HKCU values by loading and modifying the default user registry hive
reg load "hku\temp" "%USERPROFILE%\..\Default User\NTUSER.DAT"
reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v SCRNSAVE.EXE /d "%windir%\system32\scrnsave.scr" /f
reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaveTimeOut /d "600" /f
reg ADD "hku\temp\Software\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaverIsSecure /d "1" /f
reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /d " " /f
reg ADD "hku\temp\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" /v Persistent /t REG_DWORD /d 0x0 /f
reg ADD "hku\temp\Software\Microsoft\Feeds" /v SyncStatus /t REG_DWORD /d 0x0 /f
reg ADD "hku\temp\Software\Microsoft\WIndows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 0x1 /f
reg unload "hku\temp"
rem Making modifications to the HKLM hive
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v DisableFirstRunCustomize /t REG_DWORD /d 0x1 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnableSuperfetch /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0x1 /f
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 0x1 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Disk" /v TimeOutValue /t REG_DWORD /d 200 /f
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /v Revision /t REG_SZ /d 1.0 /f
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Image" /v Virtual /t REG_SZ /d Yes /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v MaxSize /t REG_DWORD /d 0x100000 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v Retention /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Network\NewNetworkWindowOff" /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v MaxSize /t REG_DWORD /d 0x100000 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v Retention /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v MaxSize /t REG_DWORD /d 0x100000 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v Retention /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl" /v CrashDumpEnabled /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoRecycleFiles /t REG_DWORD /d 0x1 /f
rem Security-relevant: the next three lines allow Remote Desktop connections, turn off the Network Level Authentication requirement for RDP and disable UAC
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x0 /f
reg ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0x0 /f
reg Add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Sideshow" /v Disabled /t REG_DWORD /d 0x1 /f
rem Using Powershell to perform Windows Services modifications
Powershell Set-Service 'BDESVC' -startuptype "disabled"
Powershell Set-Service 'wbengine' -startuptype "disabled"
Powershell Set-Service 'DPS' -startuptype "disabled"
Powershell Set-Service 'UxSms' -startuptype "disabled"
Powershell Set-Service 'Defragsvc' -startuptype "disabled"
Powershell Set-Service 'HomeGroupListener' -startuptype "disabled"
Powershell Set-Service 'HomeGroupProvider' -startuptype "disabled"
Powershell Set-Service 'iphlpsvc' -startuptype "disabled"
Powershell Set-Service 'MSiSCSI' -startuptype "disabled"
Powershell Set-Service 'swprv' -startuptype "disabled"
Powershell Set-Service 'CscService' -startuptype "disabled"
Powershell Set-Service 'SstpSvc' -startuptype "disabled"
Powershell Set-Service 'wscsvc' -startuptype "disabled"
Powershell Set-Service 'SSDPSRV' -startuptype "disabled"
Powershell Set-Service 'SysMain' -startuptype "disabled"
Powershell Set-Service 'TabletInputService' -startuptype "disabled"
Powershell Set-Service 'Themes' -startuptype "disabled"
Powershell Set-Service 'upnphost' -startuptype "disabled"
Powershell Set-Service 'VSS' -startuptype "disabled"
Powershell Set-Service 'SDRSVC' -startuptype "disabled"
Powershell Set-Service 'WinDefend' -startuptype "disabled"
Powershell Set-Service 'WerSvc' -startuptype "disabled"
Powershell Set-Service 'MpsSvc' -startuptype "disabled"
Powershell Set-Service 'ehRecvr' -startuptype "disabled"
Powershell Set-Service 'ehSched' -startuptype "disabled"
Powershell Set-Service 'WSearch' -startuptype "disabled"
Powershell Set-Service 'wuauserv' -startuptype "disabled"
Powershell Set-Service 'Wlansvc' -startuptype "disabled"
Powershell Set-Service 'WwanSvc' -startuptype "disabled"
rem Making miscellaneous modifications
bcdedit /set BOOTUX disabled
vssadmin delete shadows /All /Quiet
Powershell disable-computerrestore -drive c:\
rem Security-relevant: turns off Windows Firewall for all profiles
netsh advfirewall set allprofiles state off
powercfg -H OFF
net stop "sysmain"
fsutil behavior set DisableLastAccess 1
rem Making modifications to Scheduled Tasks
schtasks /change /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
schtasks /change /TN "\Microsoft\Windows\SystemRestore\SR" /Disable
schtasks /change /TN "\Microsoft\Windows\Registry\RegIdleBackup" /Disable
schtasks /change /TN "\Microsoft\Windows Defender\MPIdleTask" /Disable
schtasks /change /TN "\Microsoft\Windows Defender\MP Scheduled Scan" /Disable
schtasks /change /TN "\Microsoft\Windows\Maintenance\WinSAT" /Disable
================================
Just save the above settings into a CMD file and put it in the task sequence. Add a Run Command Line step and start it with CMD /C ***.cmd and you are fine. Just nice to have scripts like these!
Source: VMware.com