Category Archives: Windows

Quick MDT 2012 facts

I’ve been quite busy lately so I’ll try to be quick… I would like to share my discoveries on MDT 2012 and the information I gathered while I was migrating from MDT 2010.

  • Mikael Nystrom’s step by step on how to update BIOS in MDT still works perfectly.
  • Andrew Barnes’ how to integrate BGInfo into WinPE still works, and even better, MDT 2012 comes with a 64-bit version of BGInfo (located at %deploymentshare%\Tools\x64).
  • A custom pane is no longer needed to set local administrators in MDT 2012. Instead, use the “SkipAdminAccounts=NO” property in CustomSettings.ini. Please note that the administrator accounts page only appears if you selected “Join a domain”, as I mention on the TechNet Forums.
  • Thanks to Michael Niehaus, DaRT integration is now fully supported in MDT 2012. I talked about this earlier but it’s always good to reiterate the benefits of software assurance.
  • A very interesting new feature of MDT 2012 is monitoring. It can be enabled in a few simple steps: navigate to your deployment share properties, go to the last tab called “Monitoring”, and check the box called “Enable monitoring for this deployment share”. Then click OK. It should work right away… A good way to check is to look at your CustomSettings.ini for a new line called “EventService=http://myserver.corp/”. If you run into issues there is always this good troubleshooting article. Used in conjunction with DaRT, you can remotely control deployments from a central location.
  • Another feature that might not actually be that new but is still useful is the “SLSHARE=” property. It allows you to set a network share where the logs are written during the deployment. This is particularly useful when your helpdesk people forget to capture logs if a deployment fails. A good security practice is to set a sticky bit, using the user directory technique, on that particular folder, since logs may contain sensitive information.
  • You are now able to use only one (32-bit) boot image to initiate both 32-bit and 64-bit deployments. A word of caution, though, if you need to use DaRT to repair an install you will need to boot the appropriate architecture.
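
One way to apply the “user directory” permissions mentioned for the SLSHARE folder, as an added example that is not part of the original post. The folder path, share name and CONTOSO\MDT-Deployers group are assumptions. It also assumes each deployment writes its logs into its own subfolder of the share, and Windows Server 2012 or later for the SmbShare cmdlets.

```powershell
# Assumed names, not from the original post: D:\MDTLogs, the Logs$ share
# and the CONTOSO\MDT-Deployers group that holds the deployment accounts.
# CustomSettings.ini would then carry: SLShare=\\myserver.corp\Logs$
$Path      = 'D:\MDTLogs'
$ShareName = 'Logs$'
$Writers   = 'CONTOSO\MDT-Deployers'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Drop inherited ACEs so nothing granted on the parent volume applies here.
icacls $Path /inheritance:r

# Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18): full control,
# inherited by every subfolder and file.
icacls $Path /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F'

# CREATOR OWNER (S-1-3-0): full control on subfolders and files only, so the
# account that creates a log folder controls that folder and no other.
icacls $Path /grant:r '*S-1-3-0:(OI)(CI)(IO)F'

# Deployment accounts, this folder only: list it (RD), read attributes (RA)
# and create subfolders (AD). No inheritance flags, so the ACE stops here.
icacls $Path /grant:r "${Writers}:(RD,RA,AD)"

# Share permissions stay coarse; the NTFS ACL above does the real filtering.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path `
        -FullAccess 'BUILTIN\Administrators' -ChangeAccess $Writers | Out-Null
}

# Check: warn if a broad principal still holds an ACE on the log root.
$broad = (Get-Acl -Path $Path).Access | Where-Object {
    $_.IdentityReference.Value -match 'Everyone|Authenticated Users|BUILTIN\\Users'
}
if ($broad) {
    Write-Warning "Broad ACEs remain on ${Path}:"
    $broad | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    icacls $Path   # print the final ACL for the record
}
```

With this ACL a deployment account can see the names of other computers' log folders but cannot open them unless it created them.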


Target an advertisement based on the software version in SCCM

Let’s say we want to advertise an update to Adobe Reader only to clients with outdated versions (anything older than 10.0.1).

  • Create a new collection.
  • Edit the membership rules.
  • Click on Edit Query Statement.
  • At the bottom press “Show Query Language”.
  • Paste the following:

    select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.Client
    from SMS_R_System
    inner join SMS_G_System_ADD_REMOVE_PROGRAMS
      on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
    where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Adobe Reader %"
      and SMS_G_System_ADD_REMOVE_PROGRAMS.Version != "10.0.1"

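Edit the DisplayName and Version values to match the results you want. As written, the query returns every client with an Adobe Reader entry whose version is anything other than 10.0.1.
You’re good to go.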


ConfigMgr Firewall exceptions for Client deployment.

To enable ConfigMgr client deployment, create the following GPO (or update if you already have one):

Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

  • Windows Firewall: Allow inbound file and printer sharing exception: Enabled
      Allow unsolicited incoming messages from these IP addresses: SCCM IP Address
  • Windows Firewall: Allow inbound remote administration exception: Enabled
      Allow unsolicited incoming messages from these IP addresses: SCCM IP Address

[UPDATED] Adobe Reader 9/X Clean Deployment

What I wrote about Adobe Reader MSI patching has a major flaw: you cannot under any circumstances update Adobe Reader after installing it with the modified MSI. I had to find another way…
Good news, it’s a lot easier now.
  • First of all obtain the latest Adobe Reader Installer from this page:
  • Extract the contents of the downloaded archive using the following command: InstallerName.exe -nos_ne. This extracts the contents to %userprofile%\AppData\Local\AdobeReader 9.0\Setup Files\READER9 for Reader 9 and to C:\ProgramData\Adobe\Setup… for Reader X.
  • Optional for X (since Adobe seems to have caught up): download updates from this page, then add them to the default install by editing the setup.ini file with the following line in the [Product] section:
    This should allow you to install Adobe Reader in its most up to date version without too much headache.
  • Download the Adobe Customization Wizard for 9 or the Adobe Customization Wizard for X and choose the settings you like. Make sure an AcroRead.mst file is created next to the MSI. That will enable you to run setup.exe without switches in a completely unattended mode.

How to install iTunes on Windows with MDT

I came across the need to deploy iTunes using MDT (2010 or 2012). Unfortunately, there is no way to run the usual setup file with switches.
The key is to expand the installer (using 7-zip) and then create hidden applications for each component (that also allows you to prevent Bonjour or Apple Software update from installing…).
Install the MSI files in this order:
Using this command: msiexec /i XXX.msi /qb REBOOT=ReallySuppress
(where xxx is the msi filename, of course)
It also works for the 64-bit version. Every time there is an update of iTunes, simply overwrite the files on your network share.

Add a domain user as the local admin with a script.

If you need to automate the assignment of local admin rights, use the following script, which will save you quite a few clicks:

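Dim DomainName, UserAccount
Dim net, local, group, ole

Set net = WScript.CreateObject("WScript.Network")
local = net.ComputerName
DomainName = "CONTOSO"

' Bind to the local Administrators group through the WinNT provider
Set group = GetObject("WinNT://" & local & "/Administrators")

UserAccount = InputBox("Please enter the username (first.last) of the local admin or cancel (the user must exist in AD)")

' Stop here if the dialog was cancelled or left empty
If UserAccount = "" Then WScript.Quit

On Error Resume Next
group.Add "WinNT://" & DomainName & "/" & UserAccount
CheckError

' Report the outcome of group.Add: the error text on failure, a confirmation otherwise
Sub CheckError
    If Err.Number <> 0 Then
        Set ole = CreateObject("ole.err")
        MsgBox ole.oleError(Err.Number), vbCritical
    Else
        MsgBox "User added to the local Admin Group"
    End If
End Sub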


MDT 2010 & 2012: Make the local admin password optional.

If you want to be able to set the local admin password but also leave the possibility to make it blank, edit the following file scripts\DeployWiz_Validation.vbs in MDT 2010 and scripts\DeployWiz_AdminPassword.vbs in MDT 2012:

Function ValidatePassword

    ValidatePassword = ParseAllWarningLabels
    = "none"
    If Password1.Value <> "" then
        If Password1.Value <> Password2.Value then
            ValidatePassword = TRUE
            = "inline"
        End if
    End if
    ButtonNext.Disabled = not ValidatePassword
End Function


Deploy Windows on Macs using MDT.

[Edited for Mac OSX Lion, thanks to Ted.]

Deploying Windows on Macs is a bit complicated since they don’t support standard PC features like PXE. Assuming you have one and only one Mac OS partition (usually Macintosh HD), running the Boot Camp installer creates a fourth partition on Disk0 (Disk0\Partition3, or Disk0\Partition4 if you’re running Lion/Mountain Lion).

MDT lets you generate boot CDs for unsupported hardware. Make sure you include Broadcom, Marvell and Nvidia Ethernet drivers in your driver repository.

  1. Go into your deployment share (Deployment$\Scripts) and create a file named DiskPartMac.txt then insert the following contents into it:
    SELECT disk 0
    SELECT partition 3 (or SELECT partition 4 if you’re running Lion or Mountain Lion)
  2. Create a standard Task Sequence in the Deployment Workbench and choose the OS you want to install.
  3. Under Preinstall > New Computer Only, delete “Format and Partition Disk”.
  4. Still under New Computer Only, create a command line action by clicking “Add” at the top then “General”, then “Run Command Line”. Rename it to “Custom Mac Format” and input the following command:
    diskpart /s "%scriptroot%\DiskPartMac.txt"
  5. Move it between “Validate” and “Copy scripts”.
  6. Click on “Install Operating System” under “Install” and configure the target partition as Disk 0 Partition 3, or 4 if you’re running Lion.
You’re done.