When creating a Build and Capture image, the system will most of the time be in a WORKGROUP and not in a domain. On the image used for this, you can make use of Offline Servicing to integrate Windows updates into the image. On Windows 7 SP1 this will be around 100+ updates already! When installing applications during Build and Capture however, additional updates are needed. This is for applications like Internet Explorer, .NET Framework and Microsoft Office. You can add an "Install Software Updates" step for that in the task sequence, but error 0x80070005 will probably be shown in the smsts.log. This is because the system isn't allowed to download the updates (access denied). Let's have a look at that.
Before installing updates, a hotfix needs to be installed first. This is KB2522623, which is needed because: "InitializeSecurityContext function might not fall back to NTLM authentication in Windows 7 or in Windows Server 2008 R2 when Kerberos fails and has the STATUS_NO_LOGON_SERVERS status". After installing the hotfix, additional updates will be installed without a problem. For the above applications almost 50 more updates will be installed! Just great to have around 160/170 updates in your image that way ;)
Hotfix installation: wusa <file>.msu /quiet /norestart
Source: A guide to Microsoft Products
Download: KB2522623
Thursday, June 26, 2014
Wednesday, June 25, 2014
Have you heard yet what our solution can do for you?
Sponsor post
Join us this Friday, June 27th for our Quick- Xian SNMP Device Simulator demo at 9 AM EST (New York)/ 15:00 PM CET (Zurich/Amsterdam) / 18:30 AM IST (New Delhi).
Prize: Participants can join our raffle to win a small bundle license. This license allows you to simulate up to 50 devices!
What you’ll learn in this demo:
- Add several IP addresses for simulation automatically with our IP Manager.
- Capture the exact same behavior of a real device with our Device Recorder and test systems without any risks.
- Learn the basic procedure to simulate SNMP based devices.
- Simulate changes on different device components and understand how systems interacting with these components react.
- Learn how to simulate a specific dynamic behavior over and over again with the Historical simulation feature.
- Learn how to export/import devices configurations and information for backup purposes or to reuse them later on.
- Perform several operations like simulating devices and importing configurations through the command prompt or a script.
Tuesday, June 24, 2014
Windows Phone 8.1 Preview experiences
Almost 2 months ago I did an upgrade from Windows Phone 8.0 to Windows Phone 8.1 Preview. More about that can be found HERE. At the moment there are multiple updates installed after the upgrade (which is 8.10.12397.895 now), but still there are issues left. In my case on a Samsung ATIV S device. Besides the issues I'm still very satisfied with the new features. Let's have a look at issues solved already and issues left.
Issues solved:
- Battery drain, I'm doing over 30 hours per battery load now.
- Reboot when using Bing Music or Vision, seems to be working now.
- Share blogposts to Facebook, but Twitter cannot be found.
Issues left:
- When switching from camera to video, starting video capture and then switching back to camera, the screen will be black. The device must be rebooted to have the camera working again.
- Also the camera is taking photos with flash while it is disabled in photo settings. Oops!
- Multiple unexpected reboots when using my phone in the car connected with Bluetooth. Also during the day when not connected with Bluetooth.
- Share blogposts to multiple apps like Twitter isn't working anymore.
- No Cortana can be used because I'm living outside of the US. (pity)
Overall experience
I really like the new start screen with way more Live Tiles than before. Also the Action Center, Notifications (per app), Agenda (advanced), and Background on start screen are all great. When using swiping for keyboard you can create messages way faster than typing it. No way I go back to Windows Phone 8.0 ever. Microsoft did a great job on new features in the Windows Phone 8.1 Preview!
Friday, June 20, 2014
Soccer World Cup Promotion
Sponsor post
The Soccer World Cup emotion got to us! Just for its duration enjoy a 30% discount on our products:
Offer does not include software maintenance renewals!
Place your order on or before Sunday, July 13th and score with a top solution!
Thursday, June 19, 2014
WSUS Role failed on Windows server 2012 because of restart needed
Last week I did a new WSUS installation on a Windows Server 2012 R2 system. During installation however the WSUS Role failed and a restart was needed. After the restart, installing WSUS again still failed and a restart was needed again. The error message shown was: "The request to add or remove features on the specified server failed. the operation cannot be completed because the server that you specified requires a restart."
After looking in Event Viewer the following message was seen:
The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID
This service account does not have the required user right "Log on as a service."
User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.
The solution for this is to assign the "Log on as a service" user right to the "NT SERVICE\ALL SERVICES" account. This can be done in Group Policy or Local Policy as well: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment. After doing a GPUPDATE /FORCE on the server, the WSUS installation went fine on the first try. Just great it worked!
Source: ESwar KNOeti
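To check this before (or after) touching policy, the effective user rights can be exported with secedit and inspected. The script below is an added example, not part of the original post or its source; it assumes an elevated PowerShell prompt on the server and relies on the well-known SID S-1-5-80-0 for NT SERVICE\ALL SERVICES. It also lists every other holder of the right, which is worth reviewing because a GPO that defines this setting replaces the local list.

```powershell
# Added example: audit who holds "Log on as a service" on this server.
# Run elevated. Uses only secedit.exe, which ships with Windows.
$AllServicesSid = 'S-1-5-80-0'           # well-known SID of NT SERVICE\ALL SERVICES
$Right          = 'SeServiceLogonRight'  # internal name of "Log on as a service"

function Resolve-Holder {
    # secedit writes SIDs as "*S-1-..." and unresolved/local names as plain text.
    param([string]$Entry)
    $sid = $null; $account = $null
    try {
        if ($Entry.StartsWith('*')) {
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } else {
            $account = $Entry
            $nt      = New-Object System.Security.Principal.NTAccount($Entry)
            $sid     = $nt.Translate([System.Security.Principal.SecurityIdentifier])
        }
    } catch { }  # entries that cannot be translated are reported as exported
    New-Object psobject -Property @{ Sid = "$sid"; Account = $account; Raw = $Entry }
}

function Get-UserRightHolder {
    param([string]$Name)
    $inf = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
        $line = Get-Content -Path $inf |
            Where-Object { $_ -match "^\s*$Name\s*=" } |
            Select-Object -First 1
        if (-not $line) { return }   # right is assigned to nobody
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry) { Resolve-Holder -Entry $entry }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

$holders = @(Get-UserRightHolder -Name $Right)
$holders | Format-Table Account, Sid, Raw -AutoSize

if ($holders | Where-Object { $_.Sid -eq $AllServicesSid }) {
    Write-Output "OK: NT SERVICE\ALL SERVICES holds $Right; the WID service account can log on."
} else {
    Write-Warning "NT SERVICE\ALL SERVICES is missing from $Right. Check which GPO defines this right."
    exit 1
}
```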
Friday, June 13, 2014
BitLocker fails in task sequence because of false condition
Last week I did a deployment on notebooks with BitLocker support. In my earlier posts I explained how to enable and activate TPM during a task sequence and how to save a recovery key to Active Directory. That way there's no need to configure BIOS settings and/or back up recovery keys manually. During deployment however the task sequence failed on almost the last step, which is "Enable BitLocker" in my case. Looking in settings TPM was enabled and activated, pre-provisioning was done, all seemed okay. But no recovery key was set in Active Directory on the computer object.
Looking at the deployment log (in monitoring) it was mentioning the condition on "Enable BitLocker" was false. Looking at the condition on this step (which is there by default when creating a new task sequence, but not when adding this step in an existing task sequence?) it was like "SMSTSWTG - Not equals - True".
Looking at Microsoft TechNet explains what SMSTSWTG is doing: "Specifies if the computer is running as a Windows To Go device". In my case I was doing a deployment on a notebook, which is (as far as I know) not a Windows To Go device?
With Manage-BDE -status in command prompt you can see that encryption is 100% done but not active. Long story short, I removed the condition on the "Enable BitLocker" step, and voila, BitLocker was running fine again and the recovery key was set in Active Directory as well. Next time I remove it immediately after creating the task sequence I guess. Still strange the condition is not set when adding this step in an existing task sequence?
Other posts on BitLocker:
How to Enable BitLocker, Automatically save Keys to Active Directory
Enable TPM for BitLocker usage during OS deployment on endpoints
Hope it helps!
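A skipped "Enable BitLocker" step leaves a pre-provisioned volume fully encrypted but unprotected, and nothing in the deployment flags it. The script below is an added example (not from the original post) that can run as a final step to catch exactly that state; it assumes Windows 8 / Server 2012 or later, where the BitLocker PowerShell module and Get-BitLockerVolume are available, and a TPM plus recovery password setup as described in the post.

```powershell
# Added example: fail the deployment when the OS volume is encrypted but not protected.
# Run elevated in the full OS. The mount point default is an assumption.
param([string]$MountPoint = $env:SystemDrive)

$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

$problems = @()
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    $problems += "Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)."
}
if ($vol.ProtectionStatus -ne 'On') {
    # The state from the post: 100% encrypted, protection off (clear key still on disk).
    $problems += 'Protection is Off: the data is encrypted, but the key is not protected.'
}
if ($types -notcontains 'Tpm') {
    $problems += 'No TPM key protector present.'
}
if ($types -notcontains 'RecoveryPassword') {
    # Without this protector there is nothing that could have been escrowed to AD.
    $problems += 'No recovery password protector present.'
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1   # a non-zero exit code fails the task sequence step
}
Write-Output "BitLocker OK on ${MountPoint}: protectors = $($types -join ', ')"
```

This only checks the local volume; whether the recovery password actually reached the computer object in Active Directory still has to be verified on the directory side.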
Free Study Guide for the Microsoft 74-409 exam
Sponsor post
Today I received a message from Veeam that a Free Study Guide for the Microsoft 74-409 exam on Server Virtualization with Windows Server Hyper-V and System Center is available!
With this new study guide you can learn how to create and configure virtual machine settings, virtual machine storage and virtual networks. This guide covers each of the Microsoft exam objectives.
Just great if you ask me so use it to your advantage!
Tuesday, June 3, 2014
Reboot needed after automatic update of Endpoint Protection
Yesterday I did some troubleshooting on Endpoint Protection (SCEP). This because SCEP was out-of-date (more than 30 days) on multiple servers. ConfigMgr has downloaded updates by Automatic Deployment Rule (ADR), but no updates were installed. No monitoring messages were seen on the SCEP dashboard, so strange issue indeed. Nothing to see in the different logfiles either.
- C:\Windows\WindowsUpdate.log
- C:\Windows\CCM\Logs\UpdatesDeployment.log
- C:\Windows\CCM\Logs\UpdatesHandler.log
- C:\Windows\CCM\Logs\UpdatesStore.log
- C:\Windows\CCM\Logs\WUAHandler.log
Long story short, there was an "Update for System Center Endpoint Protection 2012 Client" installed last month, and because a reboot was suppressed in ADR, definition updates couldn't be installed anymore. After reboot of servers everything was working fine again. Pity that this couldn't be seen on the SCEP dashboard!
Note: Doing a repair on the ConfigMgr client (Console Extensions) did the trick also, so no need to reboot every server.
Source: Microsoft TechNet
Monday, June 2, 2014
WES8 deployment with ConfigMgr 2012 SP1 or R2 (part 2)
A few months ago I did a blogpost about WES8 deployment with ConfigMgr 2012 SP1 or R2. Nothing special you can say? But the point is Microsoft changed something in ADK8.x and WES8.x, so deployment with ConfigMgr isn't working as expected anymore. This is because of OSDSetupHook. After the "Setup Windows and ConfigMgr" task sequence step the deployment ends. No error message, no additional packages installed, nothing. This is not the case on WES7, which is still deploying fine. Let's have a look.
The reason for this can be found on Microsoft TechNet.
Windows ADK Release Notes mentions: Changes in Out-Of-Box (OOBE) Experience.
Oobe.cmd and Setupcomplete.cmd are disabled if an OEM product key is used. This is to ensure that end-users reach Start as quickly as possible. If you have any tools or services that use this infrastructure, these must be changed to tasks that occur after the OOBE.
Add a Custom Script to Windows Setup mentions: In Windows 8, oobe.cmd and Setupcomplete.cmd are disabled if an OEM product key is used. This is to ensure that end users reach Start as quickly as possible. Any tools or services that use this infrastructure need to be moved to post Out-Of-Box Experience (OOBE) tasks.
FirstLogonCommands mentions: In Windows 8 and Windows 8.1, oobe.cmd and Setupcomplete.cmd are disabled if an OEM product key is used. This is to ensure that end users reach Start as quickly as possible. Any tools or services that use this infrastructure need to be moved to post Out-Of-Box Experience (OOBE) tasks.
Run a Custom Script after Windows Setup Completes:
You can make additional customizations after Windows Setup completes by adding commands to the %WINDIR%\Setup\Scripts\SetupComplete.cmd file. This file enables you to install additional applications, run custom Windows scripts (cscript/wscript), or make other modifications to the system before a user logs on. Setupcomplete.cmd functionality differs from the RunSynchronous and RunAsynchronous commands in the following way: Setupcomplete.cmd runs after Windows Setup completes, whereas the RunSynchronous and RunAsynchronous commands run during Windows Setup. Commands in the Setupcomplete.cmd file are executed with local system permission.
To understand the order of operations when adding a custom script after Setup:
1. After Windows is installed but before the logon screen appears, Windows Setup searches for the SetupComplete.cmd file in the %WINDIR%\Setup\Scripts\ directory.
2. If a SetupComplete.cmd file is found, the file is executed. Otherwise, installation continues in the standard manner. Windows Setup logs the action in the Setupact.log file. Setup does not verify any exit codes or error levels in the script after it executes SetupComplete.cmd.
Note: You cannot reboot the system and resume running SetupComplete.cmd. When a computer joins a domain during installation, the Group Policy that is defined in the domain is not applied to the computer until Setupcomplete.cmd is finished. This is to make sure that the Group Policy configuration activity does not interfere with the script.
Looking in the setupact.log file you will see the following:
[msoobe.exe] OEM license detected, will not run SetupComplete.cmd
[msoobe.exe] TASK: End successfully running task RunSetupFinalTask
Solutions for the above changes are:
1. Use a Windows 8.x KMS GVLK Client Setup Key for Win8.x Enterprise x86/x64 and all Progs in Setupcomplete.cmd are installed. Source: KMS Client Setup Keys
2. Rename the SetupComplete.cmd file to FirstLogon.cmd and replace the Sysprep.xml file with the following one. That way FirstLogon.cmd will start OSDSetupHook again.
=========================
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="generalize">
    <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>
      <DoNotCleanUpNonPresentDevices>true</DoNotCleanUpNonPresentDevices>
    </component>
    <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>
      <DoNotCleanUpNonPresentDevices>true</DoNotCleanUpNonPresentDevices>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <FirstLogonCommands>
        <SynchronousCommand wcm:action="add">
          <Order>1</Order>
          <CommandLine>C:\Windows\Setup\Scripts\FirstLogon.cmd</CommandLine>
        </SynchronousCommand>
      </FirstLogonCommands>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <FirstLogonCommands>
        <SynchronousCommand wcm:action="add">
          <Order>1</Order>
          <CommandLine>C:\Windows\Setup\Scripts\FirstLogon.cmd</CommandLine>
        </SynchronousCommand>
      </FirstLogonCommands>
    </component>
  </settings>
</unattend>
=========================
Source: My Digital Life Forums
3. Use other tooling besides ConfigMgr to start SetupComplete.cmd after deployment, like ThinKiosk which can be downloaded for free use (Community Edition only).
Source: ThinScale Technology
To be continued till doing another project with ConfigMgr and Thin client deployment.
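With solution 2, whatever sits at the FirstLogonCommands path when the first user logs on gets executed, so the script file must not be writable by ordinary users on the image. The function below is an added example, not from the original post or the forum it cites: it reads the answer file, pulls out every FirstLogonCommands command line and reports any allow ACE that gives write access to someone other than SYSTEM, Administrators or TrustedInstaller. It assumes each command line is a bare script path, as in the XML above; the function name and the path in the usage line are hypothetical.

```powershell
# Added example: audit the scripts referenced by FirstLogonCommands in an answer file.
function Test-FirstLogonCommandAcl {
    param([Parameter(Mandatory = $true)][string]$UnattendPath)

    # Well-known SIDs allowed to modify setup scripts.
    $trusted = @(
        'S-1-5-18',       # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',   # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    # Rights that let a principal change or replace the file, plus GENERIC_WRITE/GENERIC_ALL.
    $rights    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x50000000

    $doc = New-Object System.Xml.XmlDocument
    $doc.Load((Resolve-Path -LiteralPath $UnattendPath).Path)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    $xpath = "//u:settings[@pass='oobeSystem']//u:FirstLogonCommands/u:SynchronousCommand/u:CommandLine"

    # The amd64 and x86 components usually point at the same file, so de-duplicate.
    $commands = @($doc.SelectNodes($xpath, $ns) |
        ForEach-Object { $_.InnerText.Trim() } | Sort-Object -Unique)

    foreach ($cmd in $commands) {
        $file = [Environment]::ExpandEnvironmentVariables($cmd.Trim('"'))
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            [pscustomobject]@{ Script = $file; Status = 'Missing'; Writers = @() }
            continue
        }
        $acl   = Get-Acl -LiteralPath $file
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $writers = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

        $status = 'OK'
        if ($writers.Count -gt 0) { $status = 'WritableByUntrusted' }
        [pscustomobject]@{ Script = $file; Status = $status; Writers = $writers }
    }
}

# Usage (the answer file location is an assumption, adjust to your image):
# Test-FirstLogonCommandAcl -UnattendPath 'C:\Windows\Panther\unattend.xml'
```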