5

I am trying to master MDT deployment, which seems to be a very versatile tool.

The way I do it is:

  • install windows 7 on a reference PC, change screen saver and background and internet time settings.
  • run sysprep on the reference PC.
  • use imagex to capture image.wim
  • use MDT to create a deployment share and task sequence.
  • create a bootable USB pen drive, PXE boot the new PC, and install.

After that, login as a local admin, join the domain (or leave it in the WORKGROUP)

After reboot, I noticed that the things like: firewall settings, Windows update settings etc are greyed out (control panel -> windows update -> change settings). There is a text message saying: Some settings are managed by your system administrator.

Well, I am logged in as local administrator. So why things are greyed out? Any thoughts?

PS: half of my users MUST be local administrator on his own PC/laptop, due to the nature of their work. So I must make sure local admin can change settings on their own PC.

-- to answer @WinOutreach4 questions --

  • I run the GUI version of sysprep, so only 3 options are used: OOBE, generalise, shutdown after sysprep.
  • I did not use audit mode to change anything.
  • We use samba domain, not windows active directory domain, so I cannot try WDS. However one reason I am trying out MDT is because it is likely we will be moved to windows AD domain, so I can NIC boot the PCs and launch the imaging process.
  • I use MDT2012 to create deployment share, and use the LiteTouch_x64.iso to PE boot the PC, the install process will pick up the image etc from the deployment workbench PC. In order to save wasting many CD/DVDs, I created a bootable USB pen drive and copied the iso content in the pen drive.

Thanks for looking into this.

-- end --

-- to answer @WinOutreach4 questions --

  • I don't think I have 'copyprofile' on. The screen saver and background is done through local group policy. I used the local administrator account to make these changes. Then the local group policy is saved as part of the image.
  • I only create 1 local account to finish the installation of the reference PC. I will look into the audit mode.
  • PS: In my reference image, I only have a few things customised: screensaver/background, a few registry settings, that's all. I don't install any applications during imaging. Application installation is done as part of Deployment Share creation - I add Applications, and they are included in the Deployment Sequence. I also inject device drivers at this stage. So if I watch my deployment process, the first part is image deployment, then there is a page with a list of applications for me to choose which ones to install. In this way, I can keep 1 master image for all types of machines, all types of users.

In future when I have a windows domain, I will probably leave the screensaver/background to group policy, hence the reference image will be very very simple to maintain. Applications installation can either be done as provided by MDT, or using group policy installation.

The unattend.xml is uploaded to: http://www.mediafire.com/?ad56zq06kxkqssv (I cannot find a place to upload it in serverfault)

again, thx for your time!

-- end --

--Last Update: success-- Thanks to @WinOutreach4 (especially to you WinOutreach4 for taking out time testing) & MDT Guy, I got it working in the end!

3 things to do:

  • Add WillWipeDisk to unattend.xml
  • Add CopyProfile (=true) to unattend.xml
  • ApplyGPOPack=NO in the ini file

Thank you so much! I didn't see these settings in any of the tutorials/blogs/youtubes I went through, and you helped me out. Cannot thank you enough...

--end--

user1866880
  • Group policy settings? – Nathan C Jun 04 '13 at 13:21
  • @NathanC Could you be more specific? Do you mean I must go through group policy to change them? – user1866880 Jun 04 '13 at 13:25
  • If you have group policy enforcing windows update and firewall settings, you'd need to go through that to change those. Even when logged in as an administrator group policy overrides the settings unless allowed via group policy itself. – Nathan C Jun 04 '13 at 13:26
  • @NathanC No, we are in Linux Samba domain, not windows Active Directory domain. So no group policy in that sense. – user1866880 Jun 04 '13 at 13:27
  • Ah, interesting. Check the "Local Security Policy" on the machine too. Someone more familiar with MDT will probably give a more definitive answer. – Nathan C Jun 04 '13 at 13:30
  • Can you give more detail? For example, did you use audit mode to make the changes to the fresh install before sysprep? Did you use the /generalize switch during sysprep? Can we see your unattend.xml file (without product keys or other sensitive data)? You installed from a USB key, right? PXE boot is booting to a network server service like WDS (Windows Deployment Services), so I am just trying to clarify. – dwolters Jun 04 '13 at 15:15
  • @WinOutreach4 There is a lot of info to explain, so I am going to put the answers in the main post. – user1866880 Jun 04 '13 at 15:41
  • @user1866880 Thanks. Are you using an unattend file with the 'copyprofile' setting to try to save your changes to the screensaver, background etc? What account did you use to make those changes? The reason that I ask, is if there are multiple user profiles on the machine and you use the 'copyprofile' setting, this can cause problems. The proper method would be to use [Audit Mode](http://technet.microsoft.com/en-us/library/dd799305(v=ws.10).aspx) to customize the Administrator profile so that no other profiles are created, then use the 'copyprofile' setting in your unattend. – dwolters Jun 04 '13 at 16:29
  • @WinOutreach4 Oh God! I was going to include the unattend.xml in the post but forgot. Now I am at home. I will include it tomorrow morning. I am going to answer your questions in the main post again. Many thx for your help. – user1866880 Jun 04 '13 at 17:09
  • @WinOutreach4 I just uploaded the unattend.xml to http://www.mediafire.com/?ad56zq06kxkqssv – user1866880 Jun 05 '13 at 07:53
  • @user1866880 Great, thanks. I am doing some testing, which takes time to setup but wanted to let you know I am still working on this. – dwolters Jun 05 '13 at 15:21
  • @WinOutreach4 Thanks a lot! I will test the copyprofile setting asap – user1866880 Jun 05 '13 at 17:52
  • @user1866880 (2 part comment) I installed Windows 7 Pro X64 (you didn’t specify which version of Windows 7 and I had this one ready to go) using your answer file after removing the ‘Offline Servicing’ section (MDT manages device drivers, so I don’t use this) and was unable to duplicate your issue. I tried in both a workgroup and a Windows domain (no Samba here, sorry). – dwolters Jun 06 '13 at 15:57
  • @user1866880 That said, I don’t believe that MDT or your answer file has anything to do with this issue. However, I notice that your answer file doesn’t have settings to wipe the hard drive before applying the image. WIM files are file-based images, so remnants from previous installs could be causing problems. Are you wiping the drive in the task sequence? Also, what happens if you log into the machine with a domain login after joining it to the domain? Do you have access to those settings then? – dwolters Jun 06 '13 at 15:58
  • @WinOutreach4 Good that it didn't happen to u, which means I can still have hope! I use win7 enterprisex64. I think the difference is Pro version does not have local group policy in our case? In terms of wiping the hard drive: how do I add it in? I only edited CustomSettings and bootstrap.ini, and the xml was created by MDT. Would you be able explain a little or point a website to me? – user1866880 Jun 06 '13 at 16:10
  • @WinOutreach4 And I cannot login using a domain account after joining to the domain. I looked through so many webpages but found no luck in my case. I think I will not see this problem when I am in a Windows AD domain. But like you said, the machine is not 'clean', causing the trust relationship to fail.(?) – user1866880 Jun 06 '13 at 16:13
  • @I am experimenting another way of mass installation, which is to capture a customised WIM image; put a standard Win7 entx64 installation DVD content into a bootable USB pen drive; replace the install.wim with my new install.wim. Use the pen drives to image a few PCs at the same time...(just to let you know what i am doing..and you've been so nice to try to help me) – user1866880 Jun 06 '13 at 16:15
  • The ‘[WillWipeDisk](http://technet.microsoft.com/en-us/library/ff716466.aspx)’ page of the Unattended Windows Setup Reference has a great XML example for setting up the hard drive. According to this [wiki page](https://wiki.samba.org/index.php/Windows7), there are two registry settings that need to be changed in order to join a Samba domain. Please bear in mind that I have zero experience with Samba, so I cannot guarantee that this information is accurate. – dwolters Jun 06 '13 at 16:33
  • @WinOutreach4 OK, I will try wipe disk settings. And yes, the 2 registry settings have been included in the image. Many thx for your effort! – user1866880 Jun 06 '13 at 17:09
  • @WinOutreach4 Do you manually put WillWipeDisk in the xml file, or do you click on TaskSequence->OS tab->Edit unattend.xml? I'd like to use the GUI tool to ensure I don't make a mistake, but it seems so complex to use the GUI tool – user1866880 Jun 06 '13 at 18:42
  • @user1866880 Whichever method is more comfortable for you. Also, you can set it up in the task sequence, under the 'Preinstall' folder, find the 'New Computer only' folder and there is a 'Format and Partition Disk' task (using the standard client task sequence). Check the MDT help files for 'configure Format and Partition disk task sequence steps' and you don't have to edit the XML at all. – dwolters Jun 06 '13 at 20:10
  • @WinOutreach4 I tested within a home workgroup on Saturday, and just finished full testing in the domain at work today. All working now. Thank you so much for your time and effort. Cannot thank you enough. I've updated the main post in case it will be helpful for others. – user1866880 Jun 10 '13 at 10:34
  • Just a random afterthought, if you're really looking to "Master MDT" as you say, I highly, highly recommend some good reads: "Deployment Fundamentals Vol. 1" and "Deployment Fundamentals Vol. 4". Both are excellent resources for those looking to get the most out of MDT. – MDT Guy Jun 10 '13 at 15:16
  • Ahh, this thread saved me. Did you notice you couldn't get on any network shares before you did your (1,2,3) ? – tladuke Sep 28 '13 at 05:17
  • @tladuke I am glad this helped you. I don't remember trouble getting on network shares, but I just could not join the PC to the domain at all. And the 3 'must change' steps suggested by others sorted it out. – user1866880 Oct 04 '13 at 14:15

1 Answer

1

So why things are greyed out? Any thoughts?

Good point on MDT's versatility, it's the single most powerful systems deployment tool I have ever had the privilege of working with, you're getting close, but a few pointers here.

  1. ALWAYS, ALWAYS, ALWAYS, build your images in a Virtual Environment, this pays for itself in dividends as it effectively guarantees the image will run on anything down the road, laptops, desktops, whatever.
  2. Double check and make sure ApplyGPOPack=NO is set in your ini file.
  3. Copy Profile=True needs to be set in your unattend.xml file if you're trying to build a default user profile in 7.
MDT Guy
  • +1 for item 2. Better yet disable the gpo step at the end of the deployment task sequence – Greg Bray Jun 08 '13 at 03:28
  • @MDT Guy Thanks for the tip on ApplyGPOPack! I got it all working now. PS: the reason I used a laptop is that our organisation don't have access to VMware workstation. VMware Player seems no longer free for commercial use. I hence tried it in Oracle Virtual Box, then I could not boot from WinPE, which means I could not run imagex to capture WIM... I might try again in future when time permitting. – user1866880 Jun 10 '13 at 10:37
  • @GregBray I have local gpo included in the reference image which need to be deployed to new machines. Not sure if the gpo will get deployed to the new machines, if I disable gpo step under the State Restore section. I will try it out when time permitting. Thanks for your input! – user1866880 Jun 10 '13 at 10:51
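
An added example, not part of the original thread and not MDT's own code: a Python check for the three settings the question's final update lists (WillWipeDisk, CopyProfile, ApplyGPOPack=NO), run over a constructed, trimmed unattend.xml and CustomSettings.ini. The element placement follows the Unattended Windows Setup Reference (WillWipeDisk under Microsoft-Windows-Setup in the windowsPE pass, CopyProfile under Microsoft-Windows-Shell-Setup in the specialize pass); the helper name `check_deployment` and both sample files are assumptions.

```python
import configparser
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}

# Constructed, trimmed answer file: only the two elements under discussion.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup">
      <DiskConfiguration><Disk>
        <DiskID>0</DiskID>
        <WillWipeDisk>true</WillWipeDisk>
      </Disk></DiskConfiguration>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
</unattend>"""

# Constructed CustomSettings.ini.
SAMPLE_INI = "[Settings]\nPriority=Default\n\n[Default]\nOSInstall=Y\nApplyGPOPack=NO\n"

def _is_true(root, pass_name, component, path):
    """True when the element exists in the given pass/component and reads 'true'."""
    xpath = (f"u:settings[@pass='{pass_name}']"
             f"/u:component[@name='{component}']/{path}")
    node = root.find(xpath, NS)
    return node is not None and (node.text or "").strip().lower() == "true"

def check_deployment(unattend_xml, custom_settings_ini):
    """Hypothetical helper: report which of the three settings are in place."""
    root = ET.fromstring(unattend_xml)
    ini = configparser.ConfigParser(strict=False, interpolation=None)
    ini.read_string(custom_settings_ini)
    # A missing ApplyGPOPack counts as enabled (YES is the MDT default).
    gpo = ini.get("Default", "ApplyGPOPack", fallback="YES")
    return {
        "WillWipeDisk": _is_true(root, "windowsPE", "Microsoft-Windows-Setup",
                                 "u:DiskConfiguration/u:Disk/u:WillWipeDisk"),
        "CopyProfile": _is_true(root, "specialize",
                                "Microsoft-Windows-Shell-Setup", "u:CopyProfile"),
        "ApplyGPOPack=NO": gpo.strip().upper() == "NO",
    }

if __name__ == "__main__":
    for name, ok in check_deployment(SAMPLE_UNATTEND, SAMPLE_INI).items():
        print(f"{name}: {'ok' if ok else 'MISSING'}")
```

The check only reads the `[Default]` section of the ini; a value set in another section named by `Priority` would need the same lookup there.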