ConfigMgr Firewall exceptions for Client deployment.

To enable ConfigMgr client deployment, create the following GPO (or update the one you already have):

Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
  • Windows Firewall: Allow inbound file and printer sharing exception: Enabled
    Allow unsolicited incoming messages from these IP addresses: SCCM IP Address
  • Windows Firewall: Allow inbound remote administration exception: Enabled
    Allow unsolicited incoming messages from these IP addresses: SCCM IP Address
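
To confirm on a client that both exceptions arrived enabled and limited to the site server, the following added example (not part of the original post) reads the registry values these two legacy Windows Firewall policy settings write. The address in $SccmIp is a constructed placeholder and Test-FirewallException is a hypothetical helper name.

```powershell
# Added example: check the Domain Profile exceptions set by the GPO above.
# Assumption: $SccmIp is a constructed placeholder; use your site server address.
$SccmIp = '192.0.2.10'
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Test-FirewallException {   # hypothetical helper name
    param([string]$Name, [string]$KeyPath, [string]$ExpectedIp)

    $enabled = $false; $scope = $null; $status = 'NotConfigured'
    if (Test-Path $KeyPath) {
        $values  = Get-ItemProperty -Path $KeyPath
        $enabled = ($values.Enabled -eq 1)
        $scope   = $values.RemoteAddresses

        # The scope is a comma-separated list of addresses, subnets or keywords.
        $entries = @("$scope" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

        if (-not $enabled)               { $status = 'Disabled' }
        elseif ($entries.Count -eq 0)    { $status = 'NoScope' }
        elseif ($entries -contains '*')  { $status = 'AnySource' }
        elseif (@($entries | Where-Object { $_ -ne $ExpectedIp }).Count -gt 0) {
            # Anything other than the single expected address needs a human look.
            $status = 'ReviewScope'
        }
        else                             { $status = 'OK' }
    }

    [pscustomobject]@{
        Exception = $Name
        Enabled   = $enabled
        Scope     = $scope
        Status    = $status
    }
}

Test-FirewallException 'File and printer sharing' "$base\Services\FileAndPrint" $SccmIp
Test-FirewallException 'Remote administration'    "$base\RemoteAdminSettings"   $SccmIp
```

Run it from an elevated PowerShell prompt after a gpupdate; a status other than OK means the exception is missing, disabled, or open to more than the site server.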

[UPDATED] Adobe Reader 9/X Clean Deployment

What I wrote about Adobe Reader MSI patching has a major flaw: you cannot under any circumstances update Adobe Reader after installing it with the modified MSI. I had to find another way…
Good news, it’s a lot easier now.
  • First of all obtain the latest Adobe Reader Installer from this page:
  • Extract the contents of the downloaded archive using the following command: InstallerName.exe -nos_ne which will extract the contents to: %userprofile%\AppData\Local\AdobeReader 9.0\Setup Files\READER9 for Reader 9 and C:\ProgramData\Adobe\Setup… for Reader X.
  • Optional for X (since Adobe seems to have caught up): download updates from this page, then add them to the default install by editing the setup.ini file with the following line in the [Product] section:
    This should allow you to install Adobe Reader in its most up to date version without too much headache.
  • Download the Adobe Customization Wizard for 9 or Adobe Customization Wizard for X and configure the settings you want. Make sure an AcroRead.mst file is created next to the MSI; that will enable you to run setup.exe without switches in a completely unattended mode.

How to install iTunes on Windows with MDT

I came across the need to deploy iTunes using MDT (2010 or 2012). Unfortunately, there is no way to run the usual setup file with switches.
The key is to expand the installer (using 7-zip) and then create hidden applications for each component (that also allows you to prevent Bonjour or Apple Software update from installing…).
Install the MSI files in this order:
Use this command for each one: msiexec /i XXX.msi /qb REBOOT=ReallySuppress
(where XXX is the MSI filename, of course)
It also works for the 64-bit version. Every time there is an update of iTunes, simply overwrite the files on your network share.

How to set the network adapter order from the command line.

You will notice that no matter how you install your operating system, the network adapter order is very likely to be wrong, usually with the wireless adapter at the top.

How to find out:
  • Open the Control Panel.
  • Open “Network and Sharing Center”.
  • On the left pane, click on “Change Adapter Settings”.
  • Press the Alt key on your keyboard then on the menu bar that appears, click Advanced > Advanced settings.
  • On the first tab, “Adapters and Bindings” check what connection is at the top.
Now, there’s a way to automate this for enterprise deployment: Hyper-V Network VSP Bind Application.
This utility is not intended to be used on client Operating Systems but indeed works great. All the info is here:
Simply copy the executable to a known location and execute the following command:
nvspbind /++ "Local Area Connection" *
Here /++ moves the adapter named "Local Area Connection" to the top of the order, and * applies this to all protocols.

Add a domain user as the local admin with a script.

If you need to automate the assignment of local admin rights, use the following script, which will save you quite a few clicks:

Dim DomainName
Dim UserAccount
Set net = WScript.CreateObject("WScript.Network")
local = net.ComputerName
DomainName = "CONTOSO"

' Bind to the local Administrators group through the WinNT provider
Set group = GetObject("WinNT://" & local & "/Administrators")

UserAccount = InputBox("Please enter the username (first.last) of the local admin or cancel (the user must exist in AD)")

' InputBox returns an empty string when the dialog is cancelled
If UserAccount = "" Then WScript.Quit

On Error Resume Next
group.Add "WinNT://" & DomainName & "/" & UserAccount
CheckError

Sub CheckError
    If Err.Number <> 0 Then
        ' Report the failure using the built-in Err object
        MsgBox "Error " & Err.Number & ": " & Err.Description, vbCritical
    Else
        MsgBox "User added to the local Admin Group"
    End If
End Sub
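
To review the result of the script above, this added example (not part of the original post) lists the local Administrators group through the same WinNT provider and flags members that are not on an approved list. The $Approved list is constructed for illustration and Get-LocalAdminAudit is a hypothetical function name.

```powershell
# Added example: audit local Administrators membership after running the script.
# Assumption: $Approved is a constructed allow-list; adjust it to your environment.
$Approved = @('Administrator', 'CONTOSO/Domain Admins')

function Get-LocalAdminAudit {   # hypothetical function name
    param(
        [string]$Computer = $env:COMPUTERNAME,
        [string[]]$Approved = @()
    )

    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        # Members come back as raw COM objects, so read ADsPath by late binding.
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)

        # Domain account: WinNT://CONTOSO/first.last          (2 segments)
        # Local account:  WinNT://CONTOSO/PC01/Administrator  (3 segments)
        # Orphaned SID:   WinNT://S-1-5-21-...                (1 segment)
        $parts = @(($adsPath -replace '^WinNT://', '') -split '/')
        if ($parts.Count -eq 2) { $name = $parts -join '/' }
        else                    { $name = $parts[-1] }

        [pscustomobject]@{
            Member   = $name
            Local    = ($parts.Count -eq 3)
            Approved = ($Approved -contains $name)
        }
    }
}

# Show only the members that are not on the approved list.
Get-LocalAdminAudit -Approved $Approved | Where-Object { -not $_.Approved }
```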


MDT 2010 & 2012: Make the local admin password optional.

If you want to be able to set the local admin password but also allow it to be left blank, edit the ValidatePassword function in scripts\DeployWiz_Validation.vbs (MDT 2010) or scripts\DeployWiz_AdminPassword.vbs (MDT 2012):

Function ValidatePassword

ValidatePassword = ParseAllWarningLabels = "none"
If Password1.Value <> "" then
If Password1.Value <> Password2.Value then
ValidatePassword = TRUE = "inline" 
End if
End if
ButtonNext.Disabled = not ValidatePassword 
End Function


Adding PXELinux option to WDS.

Deployment guru Johan Arwidmark has a pretty interesting article about adding a boot menu to WDS, but it covers Windows Server 2008 R2. If, like me, you need info about Windows Server 2008, follow his step-by-step guide up to step 7.

  • At step 7, open the Windows Deployment Services console, right click on your server, then click on Properties.
  • Go to the Boot tab.
  • Change the boot images to the following:
  • Go back to Johan’s step 8.