Network Installation with the Microsoft Deployment Toolkit – Part 3: Creating Task Sequences

- Diesen Artikel auf Deutsch lesen. -
Advertisements

This is the penultimate part of the article series. Part 1 is “Network Installation with the Microsoft Deployment Toolkit – Part 1: Notes, Preparation and Setup” and Part 2 is “Network Installation with the Microsoft Deployment Toolkit – Part 2: Service Account, Drivers, Software, Base Image Considerations

669b67c8abed414887f4bd1096fda3e5 Network Installation with the Microsoft Deployment Toolkit - Part 3: Creating Task Sequences 1

Creating Task Sequences

There are several templates of task sequences at the MDT. These can be used for their respective purposes and usually require only minor adjustments. These templates are:

  • Sysprep and Capture
  • Standard Client Task Sequence (Standard Client Task Sequence)
  • Standard Client Replace Task Sequence (Standard Client Replace Task Sequence)
  • Standard Client Upgrade Task Sequence (Standard Client Upgrade Task Sequence)
  • Custom Task Sequence (Custom Task Sequence)
  • OEM Task Sequence with Minimal Input (Litetouche OEM Task Sequence)
  • Standard Server Task Sequence (Standard Server Task Sequence)
  • Standard Server Upgrade Task Sequence (Standard Server Upgrade Task Sequence)
  • Post OS Installation Task Sequence (Post OS Installation Task Sequence)
  • VHD Creation for Clients Task Sequence (Deploy to VHD Client Task Sequence)
  • VHD Creation for Server Task Sequence (Deploy to VHD Server Task Sequence)

Most companies use the “Standard Client Task Sequence” for operating system installations. For an in-place upgrade as part of a Windows-as-a-Service (WaaS) strategy, the “Standard Client Upgrade Task Sequence” template can be used. You can find out more about Windows-as-a-Service (WaaS) in the article “Strategies for Windows as a Service – A Process-Oriented View

Creating a Generic Task Sequence

First, we create a task sequence for the installation. In the first step, I use the previously imported image of Microsoft Windows 10 for this

The names are important, especially for error analysis. Labels or names like “Tasksequence1” are rather bad. If you plan to create different task sequences, for example for servers, it can be useful to create a folder structure beforehand. Then create a new task sequence.

Screenshot: MDT Deployment Workbench - Erstellung einer Tasksequenz - General Settings

For the installation, I use the “Standard client Task Sequence”.

Screenshot: MDT Deployment Workbench - Erstellung einer Tasksequenz - Select Template

When selecting the operating system, we use the added operating system.

Screenshot: MDT Deployment Workbench - Erstellung einer Tasksequenz - Select OS

The next step is to store the licence key for Windows 10. If you are using a Key Management Server (KMS) or Active Directory Based Activation (ADBA) to activate your Windows licenses, Find the appropriate KMS client keys in the post “Key Management Service (KMS) Client Serial Numbers [Updated 2019]“. If you are using “Multiple Activation Keys” (MAK), you can also enter it here. Otherwise, Windows 10 will be inactivated and run as a trial version for 90 days. I use this setting here to save my MAK key during my multiple tests. A note about MAK keys, the number of activations of a MAK key is finite and depends on your licence. If it is possible for you, you should think about implementing a KMS server to activate Windows. You can find more on this topic in the article “Key Management Service (KMS) – An Overview“. An alternative to this is Active Directory-based activation. Whichever of the methods you choose, the serial numbers for the respective clients are the same and you can find them in the article post “Key Management Service (KMS) Client Serial Numbers [Updated 2019]

Screenshot: MDT Deployment Workbench - Erstellung einer Tasksequenz - Specify Product Key

Now you can set the Full Name, Organisation and IE Home Page.

Screenshot: MDT Deployment Workbench - Erstellung einer Tasksequenz - OS Settings

Now the Local Administrator Password must be set. If it is not set here, it will be requested during installation. Generally, the local administrator password should be different everywhere. I recommend the Microsoft solution “Local Administrative Password Solution” (LAPS). We will include the required client later as a software installation in the task sequence. If you use LAPS, you can first assign a generic password here. If you implement LAPS, I recommend you also take a look at the article “Using and auditing PowerShell scripts with Local Administrator Password Solution (LAPS)”

Advertisements
Screenshot: MDT Deployment Workbench - Erstellung einer Tasksequenz - Admin Password

The next step is again the summary, followed by the actual creation of the task sequence.

Screenshot: MDT Deployment Workbench - Erstellung einer Tasksequenz - Summary

After confirmation, the task sequence is created.

Screenshot: MDT Deployment Workbench - Erstellung einer Tasksequenz - Confirmation

Now the example must be adapted a little.

Screenshot: MDT Deployment Workbench - Erstellung einer Tasksequenz - Umbenennung der Tasksequenz

Including the drivers in the generic task sequence

When including drivers, I take a different approach than the usual one in the template. The task sequence template uses Plug-n-Play to select the correct driver. This is not actually wrong, but it uses the latest version of the driver. This does not always have to be the right one for the hardware

It is possible that different OEMs have different versions of a driver. OEM B has used a higher version number so that its network card driver, which is optimised for its hardware, is used instead of the generic chipset driver of the network component manufacturer. Unfortunately, OEM A keeps the versioning of the original and passes the driver through without modification. Due to the optimisation of OEM B’s driver, it unfortunately runs unstably with OEM A’s hardware

Advertisements

It is also possible that certain hardware is no longer supported with current versions of a driver.

Therefore, I only install the driver package that is intended for the device. This also saves me the problem of having to install the manufacturer’s drivers first and reproducing the problem in the event of an error.

To do this, modify the “Preinstall” phase of the task sequence. Since you will probably have more than a few driver packages in the course of time, I recommend creating a folder in the place where the “Inject Drivers” step is now.

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Treiber einfügen

You can deactivate or delete the “Inject Driver” step.

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Treiber einfügen

Click on the folder you have created and then select the items “General” > “Inject Drivers” under the drop-down “Add”.

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Treiber einfügen

Now assign a suitable name, for example the model drawing of the unit. Select the “Selection Profile” that you have created for the appropriate drivers. Select the option “Install all drivers from the selection profile”. Then switch to the “Options” tab.

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Treiber einfügen - Profil Auswahl

Now select the entry “If statement” in the drop-down “Add” and then select “Any conditions”. This way you can also use a driver package like a family pack for several models.

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Treiber einfügen - Abfrage einrichten

Then add the item “Query WMI” via the “Add” menu. Enter a WMI query suitable for your hardware model. Here in the example a Dell XPS 13 9365, the query for this is

SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "XPS 13 9365"
Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Treiber einfügen - WMI Abfrage einrichten

Now you have added the drivers for the first model

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Treiber einfügen

Repeat the step for all models. If you like to have some generic drivers in hand, you can also make a selection with corresponding WMI queries that contain a “NOTLIKE” instead of “LIKE”. But then you have to maintain 2 entries for each new model.

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Treiber einfügen

Including Software in the Task Sequence

The next step is to include basic software that should always be installed.

To do this, we must switch to the “State Restore” branch in the task sequence. There you will find an entry “Install Application”. Here, the applications are installed that you can select in the LTI after booting, if you do not suppress this. We are interested in as few steps as possible, so we make a preselection here. I always use the option “Install a single application” for this. Importantly, you can do this with any application except LAPS. I explain that in the following.

Deactivate or delete the original entry again. Unless you want to use the query function.

To add the application, select the menu “Add” and then the entries “General” > “Install Application”

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Install Application

Enter a suitable name and select “Install a single application” and then click on “Browse”

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Install Application - Single application

Select the appropriate application and click “OK”.

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Install Application

And your first application is ready for installation in the task sequence.

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Install Application

Tip: If you want to install certain software only on certain hardware models, you can again work with WMI filters, just as with the driver installation in the task sequence.

You can also work with variables and other parameters. This gives you many possibilities to make the installation of software dependent on other options.

After you have added the desired software packages, you should activate the two Windows Update loops. This way, the operating system and the Microsoft applications are directly updated during the installation. If you want to define the configuration for Windows updates beforehand, it is best to do this via suitable group policies or registry entries that you set in the task sequence.

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Install Application

Including Local Administrator Password Solution (LAPS) in the Task Sequence

Why is Local Administrator Password Solution (LAPS) different from other applications, you may ask? Installing LAPS is no different, but LAPS changes the local administrator password. And this is required by the MDT until after the last reboot. Especially due to Windows updates or other steps, a few restarts are necessary in the task sequence.

Insert LAPS before the item “Apply Local GPO Package” in the task sequence, as you did with the other programmes.

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Install LAPS

Then, as this time, select LAPS as the application.

Screenshot: MDT Deployment Workbench - Bearbeitung der Tasksequenz - Install LAPS

The task sequence is finished

Configuring the Deployment Share Rules

Before you can start, we should make a few settings to the rules for the deployment share. If you do not change anything here, the “Lite-Touch” will ask so many questions that you will be busy for a while. We answer these questions in advance in the rules. Freshly installed, they look like this:

[Settings]
Priority=Default
Properties=MyCustomProperty
[Default]
OSInstall=Y
SkipCapture=NO
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerBackup=NO
SkipBitLocker=NO

We change these a little for our needs

[Settings]
Priority=MacAddress,SerialNumber,Default
[Default]
_SMSTSORGNAME=InfrastructureHero
OSDComputerName=Win10-#Left("%SerialNumber%",9)#
OSInstall=YES
UserDataLocation=AUTO
TimeZoneName=W. Europe Standard Time
AdminPassword=*****
UserDomain=ADIFH
UserID=SRV-MDT-BA
UserPassword=******
MachineObjectOU=OU=Clients,DC=ad,DC=infrastrukturhelden,DC=de
DomainAdminPassword=*******
DomainAdmin=SRV-MDT-BA
DomainAdminDomain=ad.infrastrukturhelden.de
JoinDomain=ad.infrastrukturhelden.de
FinishAction=REBOOT
SkipCapture=YES
HideShell=YES
ApplyGPOPack=NO
;WSUSServer=https://update.ad.infrastrukturhelden.en:8531 
SkipAppsOnUpgrade=NO
SkipRoles=YES
SkipAdminPassword=YES
SkipProductKey=YES
SkipComputerName=NO
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTaskSequence=NO
SkipTimeZone=YES
SkipApplications=NO
SkipBitLocker=no
SkipSummary=YES
SkipCapture=YES
SkipFinalSummary=YES
UserLocale=en-DE
KeyboardLocale=en-DE

If you want to use a Windows Server Update Service (WSUS), remove the “;” in front of the entry “WSUSServer” and change the URL accordingly. For more examples of the Microsoft Deployment Toolkit (MDT) Deployment Share rules, see Microsoft Docs

I have the computer name generated automatically, in this example it consists of “Win10-” and the first 9 digits of the device serial number. This is achieved by the entry “OSDComputerName=Win10-#Left(“%SerialNumber%”,9)#”.

I have also not provided for a migration of the user data in my test lab. This is done by the entry “SkipUserData=YES”. If you want to transfer user data, take a look at the “User State Migration Toolkit” (USMT) from Microsoft. This is also free of charge and can be integrated into the MDT as well as addressed via scripts.

Adapt your rule accordingly. To do this, right-click on the deployment share and select “Properties”

Screenshot: MDT Deployment Workbench - Konfiguration der MDT Regeln

Select the “Rules” tab and modify the entries accordingly.

Screenshot: MDT Deployment Workbench - Konfiguration der MDT Regeln

In addition, the Bootstrap.ini must also be modified. This is part of the boot image and provides access to the network drive in order to establish the network connection. If you do not adjust the Bootstrap.ini, you must log on to the network before the task sequence can be selected. You can also set the keyboard layout directly in the bootstrap instead of always being asked. I would also suppress the MDT welcome message directly, which saves another unnecessary click.

Screenshot: MDT Deployment Workbench - Konfiguration der MDT Regeln - Bootstrap.ini

Preparations for the first test

In order to test this now, the deployment share must first be updated. To do this, right-click on the deployment share and select “Update Deployment Share”

Screenshot: MDT Deployment Workbench - Update Deployment Share

In the options, the setting “Optimise the boot image updating process” is usually sufficient, as this is the fastest way. Nevertheless, you should occasionally regenerate the image completely. Especially after extensive changes, it is best to start this process at the end of the day.

Screenshot: MDT Deployment Workbench - Update Deployment Share

This is followed by the obligatory summary.

After you have confirmed the options, the share is updated. Now is a good time to get a coffee and have a chat with your colleagues in the coffee corner. Especially the first time takes a long time. After all, all previous steps are now inserted into the image.

Screenshot: MDT Deployment Workbench - Update Deployment Share

At the end of this step, there is a summary. In the course of the update, the boot medium was also created to start the Microsoft Deployment Toolkit (MDT). If you have not changed anything, the ISO and the WIM file required for the Windows Deployment Server (WDS) were created in the Deployment Share in the Boot folder. These are not offline media, I will tell you how to create them in the article “Creating Offline Media with the Microsoft Deployment Toolkit (MDT)

Screenshot: MDT Deployment Workbench - Update Deployment Share

Now is a good time to test the task sequence with the ISO, for example with a virtual machine. Afterwards you will know if there are any gross errors in the task sequence. You will find the ISO files in the “Boot” subfolder of your deployment share.

Test installation with the task sequence

To test the task sequence, I take a Hyper-V VM and mount the boot iso. The VM is a Generation 2 VM with UEFI support, which is important because there is no new PC to buy without UEFI. After I have booted from CD, the query for the task sequence appears if the bootstrap.ini and the set of rules are correct.

Screenshot: MDT - Testinstallation - Task Sequence

Since I have switched off many of the LTI dialogues in the rules, only the query for the task sequence and the BitLocker appears in this example in this task sequence. I leave the BitLocker in the lab because some of the old test devices or VMs do not have a TPM, depending on the settings. I leave the query for the task sequence active so that I can select several without always having to make a computer-specific entry in the rules.

Screenshot: MDT - Testinstallation - BitLocker selection

And then the installation begins with the individual steps.

Screenshot: MDT - Testinstallation - Process

The task sequence carries out the necessary restarts without any further interaction.

Screenshot: MDT - Testinstallation - Reboot

After the first steps and changes, the finished Windows also comes up and runs through the further steps of the task sequence. The logon takes place automatically, no further actions are necessary except waiting.

Screenshot: MDT - Testinstallation - Auto Logon

Then the last steps take place, updates

Screenshot: MDT - Testinstallation - Installation Process

and software installation. Here, too, restarts take place automatically if required. If you need a dedicated restart after installing software, do not integrate this into the wrapper (e.g. with a shutdown command), but use a corresponding reboot step in the task sequence.

Screenshot: MDT - Testinstallation - Installation Process - BGInfo

The last step is to reboot the system as defined in the rule “FinishAction=REBOOT” and it is then ready for use. If you want to pack the units directly after the reinstallation without still taking manual steps, use the value “SHUTDOWN” instead of “REBOOT”.

Screenshot: MDT - Testinstallation - Done

Continue in the last part: “Network Installation with the Microsoft Deployment Toolkit – Part 4: Integration of the Base Image and the Windows Deployment Service”


Note to this article

This article was automatically translated from German from our German partner blog InfrastrukturHelden.de.

Leave a comment