Installing All Software Updates in an XP Build and Capture TS

I had a hell of a time getting software updates to work in an XP Build and Capture Task Sequence. Things would work okay if I used ZTIUpdates, but not the ‘Install Software Updates’ TS action. A lot of people online seem to have given up, but I think I found the keys to getting things going.

The Problem

When you run an XP Task Sequence with ‘Install Software Updates’, the updates don’t actually install.

The Cause

  1. SCCM can’t scan with the XP SP3 default WUAgent because it’s too old.
  2. SCCM can’t scan for updates with IE 6 installed, which is the XP SP3 default.
  3. SCCM can’t scan for updates without the WSUS patch KB898461 installed.
  4. SCCM can’t download updates with XP SP3 unless joined to the domain.
  5. SCCM can’t communicate with the client once joined to the domain unless the XP certificate hotfix is installed.
  6. Once a software scan action is completed with the ‘Install Software Updates’ step, subsequent updates are not detected because it doesn’t re-scan for new updates after every set of updates is installed.

We’ll resolve these issues below.

The Fix

Packages and Prep

This post assumes that you have MDT Integrated and can use the ZTIWindowsUpdates script.

  1. Download the IE 7 installer here: Windows Internet Explorer 7 for Windows XP.
  2. Make a package for the IE7 installer using the following command-line action.
    IE7-WindowsXP-x86-enu.exe /NoRestart /NoBackup /UpDate-No /Quiet
  3. Download the WUAgent 7.4 Installer here: Windows Update Agent 7.4.7600.226. I found the link here: Forum Post – Windows Update Agent.
  4. Create a package for the WUAgent 7.4.7600.226 installer using the following command-line action.
    WindowsUpdateAgent30-x86.exe /quiet /norestart /wuforce
  5. Download the Windows XP Certificate Enrollment hotfix here: Windows Server 2003 and Windows XP clients cannot obtain certificates
  6. Create a package for the hotfix using the following command-line action.
    WindowsXP-KB968730-x86-ENU.exe /quiet

Task Sequence Changes

  1. Open the XP Build and Capture Task Sequence.
  2. On the ‘apply network settings’ action, join a workgroup instead of a domain.
  3. Directly after the ‘Setup Windows and ConfigMgr Step’, add ‘Install Package’ actions for IE 7, WUAgent 7.4, then the Certificate Hotfix.
  4. Next, right after the certificate hotfix install, add join domain and reboot actions.
  5. Next, add a ‘set task sequence variable’ action with the variable ‘WSUSServer’ set to your site server’s WSUS URL (ex: https://sccm.domain.local:8531).
  6. Next, add the ‘Use Toolkit Package’ and ‘ZTIUpdates’ steps. This will install the WSUS patch and update WUAgent to the latest version.
  7. Next, create an ‘Install Software Updates’ action.
  8. After that, create a new ‘Run Command-Line Action’ with the following command. This will re-scan for new updates.
    WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE
  9. Repeat the Install Software Updates and Re-Scan command line actions. This will ensure that all updates are installed, since each Install Software Updates action is hard-coded to time out after 30 minutes.

Here’s a screenshot of my final task sequence.

[Screenshot: XPBuildAndCapUpdates]

Enjoy!

[SCCM 2012] XP Task Sequence – Removing Windows Tour, MSN, etc.

We have an XP Task Sequence for a couple of really old applications. Here’s how I pull some of the older and unused features out with my build and capture task sequence.

The Goal

Remove the following features from an XP Deploy.

  • MSN Messenger
  • MSN Explorer
  • Windows Tour
  • Outlook Express

The Process

Unattend.txt and the Build and Capture

  1. Create a file named unattend.txt with the following contents, place it in a package, and distribute the package to your distribution points.
    [Components]
    msnexplr=off
    oeaccess=off
    zonegames=off
    msmsgs=off
  2. Check this list to remove any other features you don’t want.
    XP Components
  3. Edit your XP Build and Capture Task Sequence, and choose to use the unattend.txt file \ package created in step 1.
  4. Run the Build and Capture to pull an image without Outlook Express or MSN.

The Deploy

  1. Create a batch file named remove-windowstour.cmd with the following contents, place it in a package, and distribute the package to your distribution points.
    REM Loading Default User's HKCU hive under HKLM\temp
    REG LOAD HKLM\temp "C:\Documents and Settings\Default User\NTUser.Dat"
    
    REM Importing Remove-WindowsTour.reg, which writes the Tour RunCount value into the loaded hive
    REG IMPORT Remove-WindowsTour.reg
    
    REM Unloading Default User's HKCU hive
    REG UNLOAD HKLM\temp
  2. Create a reg file named remove-windowstour.reg with the following contents, place it in the same package as remove-windowstour.cmd, and update the distribution points.
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\temp\Software\Microsoft\Windows\CurrentVersion\Applets\Tour]
    "RunCount"=dword:00000000
    
  3. Add a ‘Run Command-Line Action’ in your task sequence to run the batch file.
  4. Test the task sequence. It shouldn’t ask to run the Tour, and shouldn’t show the features we removed.

Technically, Outlook Express and Windows Tour aren’t ‘removed’, they’re just hidden. I’m okay with this though.

SCCM – Imaging a Dell Optiplex GX620 with XP

It turns out that Dell Optiplex GX620’s are a bit of a pain to image with XP.

Downloads

  • First, get all of your necessary drivers from the Dell download page. Make sure you’ve got XP selected! Here are the drivers I needed:
  • Dell CCTK 2.1
  • R132539 – Intel Chipset Driver for GX620. Keep this driver separate — we need to turn it into a software package without importing it as a driver.

Overview

  • Generate BIOS Files
  • Modify NIC Driver
  • Create a Working Task Sequence

The Process

Generate BIOS Files

The first problem we need to overcome is that the Optiplex GX620 will -not- image if the CD drive is enabled in the BIOS. It’s due to some bug in the driver. Crazy! If you don’t disable the CD drive, XP will bluescreen on boot until the Intel Chipset driver is installed. How did I figure this out, you ask? Pain.

  1. Configure the GX620 BIOS the way you want it. Use the best SATA option available. From best to worst, the order is: RAID ON, AHCI, Optimized, or Normal. You should not use legacy.
  2. Boot the GX620 into a usable operating system (if this is no longer an option, you might be SOL — sorry).
  3. Install the Dell CCTK utility and capture the settings ‘from this machine’.
  4. Save two files — one with the CD drive enabled, and one without the CD drive enabled. Call these DellOptiGX620-CD.cctk and DellOptiGX620-NoCD.cctk.
    NOTE: I always uncheck ‘enabled’ next to SATA-0 through SATA-4 so that the cctk file does not contain instructions for the BIOS to enable or disable the SATA ports. Otherwise, the BIOS may force the ports to be enabled despite having no devices attached, which will cause an error on boot.
  5. Place these files in a package per the instructions here: Dell BIOS Settings with SCCM.

Modify NIC Driver

The NIC driver from Dell’s site doesn’t work when imported because of a bad reference in the .inf. The task sequence will crash once you get out of the WinPE phase because the system won’t be able to reach the SCCM server. Here’s the procedure to correct the issue.

  1. Extract the driver (R97582) to C:\Temp\GX620Nic
  2. Copy the file .\Win2K\v8.22.1\b57w2k.sys to .\WinXP\v8.22.1
  3. Place this file in your GX620 driver source directory on your SCCM source share
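
A pre-import check for the kind of bad .inf reference described above, added here as an example and not part of the original post: it lists files that a driver folder's .inf names in [SourceDisksFiles] but that are missing from the folder. It assumes a flat layout (files sit next to the .inf); `example_nic.inf` and its contents are constructed sample data.

```python
import os
import re
import tempfile

SECTION_RE = re.compile(r"^\[([^\]]+)\]")

def read_inf(path):
    """INFs ship as ANSI or UTF-16; pick the decoder from the BOM."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1")

def source_files(inf_text):
    """File names listed in any [SourceDisksFiles*] section."""
    files, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop INF comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            in_section = m.group(1).strip().lower().startswith("sourcedisksfiles")
        elif in_section:
            files.append(line.split("=", 1)[0].strip().strip('"'))
    return files

def missing_references(driver_dir):
    """Map each .inf in driver_dir to referenced files absent from that folder."""
    names = sorted(os.listdir(driver_dir))
    present = {n.lower() for n in names}             # Windows names are case-insensitive
    return {n: [f for f in source_files(read_inf(os.path.join(driver_dir, n)))
                if f.lower() not in present]
            for n in names if n.lower().endswith(".inf")}

def demo():
    """Constructed stand-in for .\\WinXP\\v8.22.1 before and after the copy in step 2."""
    inf = '[Version]\nSignature="$Windows NT$"\n\n[SourceDisksFiles]\nb57w2k.sys = 1 ; constructed\n'
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "example_nic.inf"), "w") as fh:   # constructed INF name
            fh.write(inf)
        before = missing_references(d)
        open(os.path.join(d, "B57W2K.SYS"), "w").close()            # the file copied from .\Win2K
        after = missing_references(d)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Point `missing_references` at the extracted driver folder on the source share; an empty list for every .inf means each listed file is present.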

You’re now ready to import the drivers! Go ahead and do this.

Create a Working Task Sequence

There are a couple challenges here too. Here are the basics:

  1. Disable the CD Drive
  2. Pick the correct mass storage driver
  3. Install the OS and use the original media since it requires an old HAL
  4. Apply a driver package
  5. Install the Intel Chipset Driver as a package
  6. Enable the CD Drive

Here are the TS actions; I’ll leave it up to you to do the actual implementation.

Disable the CD Drive

Use the following instructions to push the No-CD cctk file that you created: Dell BIOS Settings with SCCM. The WMI Query to target your TS will be the following:

select * from Win32_computersystem where Model like "Optiplex GX620%"

Pick the Correct Mass Storage Driver

You actually don’t need one. I put this section in so that people wouldn’t try for a while and get confused.

Install the OS using the original media or an image with an old HAL

If you ran a Build and Capture XP Task Sequence in VMWare, the resulting image will be incompatible with the GX620 and will bluescreen. I got around this by duplicating the Apply OS task sequence action, setting one of them to use the XP OS Installer instead of the XP Image, and scoping them with WMI queries. This isn’t awesome if you have a pretty customized image (again; thin images are best).

Apply a driver package

You’ll need to make a driver package with the Dell files above in the ‘Downloads’ section, copy them to a source folder, and import them. This is the same as for any other workstation model.

Install the Intel Chipset Driver as a Package

You’ll need to create a non-driver package (a regular package, like Acrobat Reader) for the Intel Chipset driver and install it, or the system will lock up as soon as you enable the CD drive.

  1. Extract the contents of R132539 to a new folder in your SCCM server’s source folder.
  2. Create a new package, and a program. The command line to install is “setup.exe /s”. Not bad!
  3. Create an Install Package action and scope it with WMI queries to the GX620.

Enable the CD Drive

Same as ‘Disable the CD Drive’, but with the alternate cctk file.

That’s It!

Don’t forget that you can update the BIOS in the task sequence also. See these instructions: Updating Optiplex BIOS with SCCM.

SCCM 2007 – XP Multi-Platform Imaging Options

So, my friend and colleague Andrew Buford (winception) and I have been trying to tackle Windows XP Universal Imaging with SCCM. Why? Because we have a lot of old lab equipment computers which need the occasional refresh, and the software’s too old to run on Vista\7. XP Mode? That would be great if there were Win7 drivers for the capture cards. For some reason professors don’t like to buy new $15k controller cards (if available) for an operating system update. If you know of a workaround, let me know!

In any case, I’ve managed universal XP images in a few departments over the years, and the following are decisions which must be made when attempting this with SCCM.

Heavy vs Light, Pre vs Post Capture

First, you need to decide whether to inject a bunch of drivers on the system and hope for the best (heavy), or whether to attempt driver injection of the specific make\model needed (light). There are some pros and cons to both methods. Heavy images are bigger, and sometimes driver conflicts cause trouble. However, the initial configuration is easier if you’re deploying to a wide range of SATA\RAID platforms. Light images are smaller, but it can take some work to find the exact driver needed and get it mapped correctly. The second decision is whether driver injection will take place pre-capture or post-capture, and using what tools. In the end, I chose to use light images injected by SCCM (the only supported way). More on this in the next section.

The Techniques

These techniques aren’t all tried-and-true and they’re not complete solutions. They are the leads which Andrew and I pursued before choosing our imaging option.

Driverpacks.net MassStorage Driverpack

This is a heavy-image solution. Driverpacks.net offers a free “MassStorage Driverpack” with almost every Mass Storage .inf file available. It’s possible to extract this driverpack, reference it in sysprep.inf using a special EXE to make [sysprepmassstorage] section entries, then capture the image. This works really well, but doesn’t play nice with an SCCM ‘Build and Capture’ Task Sequence. If you attempt to automate the sysprep section by using SCCM’s “Prepare OS” task sequence action and a custom sysprep file, sysprep will not actually import the drivers from the [sysprepmassstorage] section into the registry’s critical device driver list, because they’re mostly unsigned.

“But wait!” you say, “you must have forgotten to include the correct driver signing policy lines in your [unattended] section of sysprep.inf!” That’s what we thought, but it’s only true on deployment. During the sysprep reseal process (pre-capture), Windows File Protection pops up warnings which must be manually clicked for each driver in the driverpack. Since SCCM’s “Prepare OS” action hides all dialog boxes, you never see the warnings and sysprep times out. However, you can manually create the universal heavy image the first time by splitting the build and capture task sequence into separate parts, and running the capture part from within the guest OS. You can then use the captured WIM as the base image for future build-and-captures.

Unfollowed leads \ possible workarounds:

  • Disabling windows file protection by hacking sfc_os.dll with a hex editor, then restoring it after the ‘Apply Operating System’ action in the deploy task sequence.
  • Running a build-and-capture in MDT instead of SCCM, which might show the WFP dialog boxes, allowing you to write an Auto-It script to accept them automatically.
  • Using an offline sysprep tool
    • Offline Sysprep – looks great but there is no command line support. Therefore an Auto-It script would be required to fully automate the task sequence.
    • MSSTMake – looks promising but the site is in Russian.

Symantec\Altiris DeployAnywhere

This is a light-image, closed-source, 3rd-party solution. If you currently own the proper versions of Symantec Ghost, you may have access to DeployAnywhere, which is a command-line utility run from Windows PE after the image is deployed. It scans the system for NIC and SATA drivers, references a driver database, copies the appropriate drivers to the windows volume, and then injects the driver paths into the registry. This method is elegant, and probably the best if you have the required software. Unfortunately, it means you have to keep a ghost console server around for driver database updates.

SCCM’s Apply Driver Package

In the end, we decided to go this route since it’s supported and the images will be smaller. We’re thinking that this will be good for XP Mode and MED-V. This method is similar to DeployAnywhere, and it’s all managed from inside SCCM Console. However, there’s a catch! You need a separate ‘Apply Driver Package’ task sequence action for each and every mass storage driver that you’d like to support. Wowza.

In a future post, we’ll share the end results of this project and a step-by-step guide.