Wednesday, 29 January 2014

How to automatically clean your disk at the start of your task sequence

As you may know, cleaning an encrypted disk is often required before starting an image via ConfigMgr. This presents problems in that the disk is not accessible for a package to be stored upon it, and often means we have to manually run diskpart to clean the disk.
I wasn't happy with this, and with the current 8.1 deployment I am working on I thought there must be a way around it....

So I came up with the following PowerShell one-liner to handle this issue:

Powershell.exe Get-Disk | % {Clear-Disk -Number $_.Number -RemoveData -RemoveOEM -Confirm:$False}

Shown below in the screenshot

The only downside is that you have to add the following optional components to your boot images, which makes them around 100 MB larger:

WinPE-StorageWMI
WinPE-NetFx
WinPE-PowerShell

Cheers
Wayne

*Please be aware, this will clean ALL disks in the machine*
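
A narrower variant of the one-liner above, as an added example that is not the author's own script: it skips disks on bus types that usually hold boot media or SAN LUNs, and only previews the wipe unless -Force is passed. The helper name Select-DiskToClean, the parameters and the skip list are assumptions for illustration; it needs the same WinPE optional components listed above.

```powershell
# Added example, not the author's script: wipe internal disks only, preview by default.
# Assumption: disks on these bus types (USB boot media, SAN LUNs) must survive.
param(
    [string[]] $SkipBusType = @('USB', '1394', 'iSCSI', 'Fibre Channel'),
    [switch]   $Force   # without -Force, Clear-Disk runs with -WhatIf and changes nothing
)

function Select-DiskToClean {
    # Hypothetical helper: returns only the disks that are in scope for cleaning.
    param([object[]] $Disk, [string[]] $SkipBusType)
    foreach ($d in $Disk) {
        if ($SkipBusType -contains [string]$d.BusType) {
            Write-Host ("Skipping disk {0} ({1}): bus type {2} is excluded" -f `
                $d.Number, $d.FriendlyName, $d.BusType)
            continue
        }
        if ($d.PartitionStyle -eq 'RAW') {
            # A RAW (uninitialised) disk has no partition table to remove.
            Write-Host ("Skipping disk {0} ({1}): already uninitialised" -f `
                $d.Number, $d.FriendlyName)
            continue
        }
        $d
    }
}

$targets = @(Select-DiskToClean -Disk @(Get-Disk) -SkipBusType $SkipBusType)
if ($targets.Count -eq 0) {
    Write-Host 'No eligible disks found; nothing to clean.'
    exit 0
}

foreach ($d in $targets) {
    Write-Host ("Cleaning disk {0} ({1}, {2}, {3:N0} GB)" -f `
        $d.Number, $d.FriendlyName, $d.BusType, ($d.Size / 1GB))
    # -ErrorAction Stop turns a failed wipe into a terminating error so the step fails visibly.
    Clear-Disk -Number $d.Number -RemoveData -RemoveOEM -Confirm:$false `
        -WhatIf:(-not $Force) -ErrorAction Stop
}
```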

Wednesday, 22 January 2014

Windows 7 Restarts at Capture step ConfigMgr 2012 R2

The title says it all, I am currently building and capturing a Windows 7 Enterprise x64 image at a customer site using ConfigMgr 2012 R2.
When the task sequence gets up to the capture step it spontaneously reboots and I end up with a 0 KB .wim file, not much use...

The logs however show the following:



See the reboot pending? Add a reboot in between your Prepare OS and Capture the reference machine steps and you may find you have a bit more luck with it ;)

(Also despite what it may look like I had full network connectivity at this point)

Possibly a bug with R2, I'm not sure, but either way it's a suitable workaround.

Cheers
Wayne

Monday, 13 January 2014

SCCM 2012 - Auto Create Software Update Group from MBSA results

I am trying to solve a few problems with this post, these being:

1) How can I incorporate the latest updates into my gold image & thereby increase the security of my gold image?
2) How do I install updates that are not serviceable offline?
3) How can I speed up a build and capture?
4) How can I save time when creating software update groups?

Now most of you at this point are probably thinking "Does he not know about the variable PreserveDriveLetter, and offline servicing?" Well, yes I do, and don't get me wrong, both of these serve a great purpose and can be invaluable at times. However, I have built far too many Windows images not to know that offline servicing, as great as it is, doesn't always work 100% of the time and requires manual effort to check through the OfflineServicingEngine log. I also know that, no matter how much you tell yourself it's OK, you really should have put .NET x into that image, because now that it's complete you have a long wait whilst your "fully patched wim" installs 20+ .NET updates. I could go on....

Anyway, I am a big believer in running MBSA scans on a "gold" image for a number of reasons:

1) To ensure it is as secure as possible the second that the image is applied to the disk
2) To capture any updates that are not serviceable offline (more on this later)
3) Peace of mind

As you may or may not know, when you run MBSA (link here) it generates a nice report that you can save as a text file. The report will tell you which updates are missing/recommended.

So what I usually do is install Windows inside a virtual machine (the exact version the customer requires), install the ConfigMgr client (as this has certain prereqs that need to be patched) and then run MBSA to tell me what is missing.

I then create a software update group containing only those updates, create a build and capture task sequence and throw updates such as KB2533552 or KB2538243 in there, along with .NET.

What this gives me is a lean build and capture process that includes all security updates for the OS, .NET etc., and also some updates that cannot be serviced offline, such as KB2533552, or that are not available via WSUS, such as KB2538243. See MS Article here for more information.

It also gives the customer a bunch of updates they can use to patch their existing estate to this baseline, and gives them a place to start with patching moving forward.

To make this a little more automatic I wrote a script that will analyse the output from MBSA and create a software update group containing all of the missing updates for that particular architecture. Call it version 0.1, as it has only had limited testing, but it has saved me a lot of time. I do intend to make it a lot slicker with logging if I get the chance.

Be aware this will add ALL missing updates to the new group. I recommend manually checking and removing things like Internet Explorer version X if not required.

The script can be found on my SkyDrive here.

EDIT: V0.2 of the script is up now, still needs some work.....

Thanks for reading
Wayne