I'm Steve Adams, my buddies up here forgot to put my @msdeviceguy so if you twitter me, @msdeviceguy. I am Steve Adams, Microsoft's lead device guy and I just want to take a few minutes and literally two minutes, and share sorta what's important to Microsoft. What we're thinking about when it comes to Windows 10 and deployment. So, first of all, who is in the room has an EA with Microsoft? Okay, excellent. And who knows that with an EA comes DDPS or
deployment services vouchers? Okay, so everyone that didn't raise your hand, you have vouchers that will help you deploy Windows 10 through our partners. So please, please, please go to your EA person and say what are these vouchers I've heard of? These are not the vouchers you're looking for. Yes, they are. They're DDPS vouchers. Second of all, everyone that has, all of our customers in the room,
who works with a Microsoft partner to help them with deployment? Okay, excellent, we have funds available through our partners called Accelerate, repeat after me, Accelerate.
>> Accelerate.
>> Okay, Microsoft has money to give you to help you deploy Windows 10.
>> I have patched it.
>> Excellent. So. [laugh] Thank you, Johan. I feel so loved now.
>> [applause]
>> Thank you, thank you very much. We're here all week. No, we're not, we're leaving this afternoon. So anyway, so two buckets of money that we have for you that go underutilized every year. First one is DDPS vouchers, so go to your EA administrator and say give me those vouchers. That allows you to bring in your partner of choice to help you proof of concept, pilot or go into production.
So please use those. Second one, what was the magic a word? Accelerate, ask your partner. Ask your Microsoft field person how do I get Accelerate funds to help accelerate my deployment? So what I just shared there is what's important to Microsoft this year with Windows 10. Yusef on Monday shared with us that we were at how many million Windows 10 devices?
>> [inaudible]
>> Boy, I wish I had prizes for the front row here. 400 million devices, okay, that's 40% of our target. We want how many devices? A billion Windows 10 devices. In the first 14, 15 months of the product existing. That's pretty amazing for a desktop operating system. How long did it take us to get to 400 million with Windows 8?
>> We're still not there.
>> [laugh]
>> Ssh, ssh, so anyway, please, please, please use our resources, use our teams, use our money. We are here to help you deploy and to help you deploy even better and troubleshoot those annoying little things. Johan and Mikael, take it away.
>> Thank you, sir. Awesome.
>> Thank you.
>> [applause]
>> Yes this will
be a deep-dive level 400 session on troubleshooting, mostly Config Manager. But lots of stuff we'll do here today is also very applicable to your standard Lite-Touch deployment. So we ask the curious question, how many of you are using Config Manager in this room? That's about everybody.
>> [laugh]
>> You still assume, at least, most of you are also using Lite-Touch, not for
production deployment but also for building reference images. So we'll touch a little bit on that as well.
>> And we will also do demos, both in Lite-Touch and Configuration Manager. And the reason why we do a lot of demos in Lite-Touch is because it's faster. It is the exact same way it's gonna work in Configuration Manager, it's just to shorten down the demo time. It's the same task sequence engine basically.
So there's
>> Standalone version but yes.
>> Yeah. My name is Johan, this is Mikael. We both work for [inaudible]. We have some distinguished people also here on the heckler's row. We have Troy, Mike, and Michael Niehaus. Probably going to ask us some hard questions, I think. There is a Twitter feed as well that we monitor here on stage. So, if you tag your questions with the session code,
hashtag BRK3150 we'll be able to catch them. We also have people. Amy's offline and watching the stream online remote. I'm watching the stream as well and answer question. So give us questions there as well as we would love to have questions on stage or here in this room. Yes, shall we?
>> Absolutely.
>> You are the clicker.
>> I am the clicker. So my work for the entire session is to do this?
>> Yes. And you do it so well.
>> [applause]
>> Thank you so much.
>> As I mentioned this is a troubleshooting session, this is a deep-dive session, we assume that we have used this stuff before. So, we'll use Notepad, so the in-command prompts and PowerShell prompts, so we hope you won't be afraid of that.
Next. So, starting off, debugging Config Manager things. Everyone who's been doing any type of troubleshooting in Config Manager knows that it's the log files that you turn to. Since 2012, Microsoft kindly added in CMTrace right into the boot image. So that's the premier utility, unless your name is Wally, then use another utility. But CMTrace is the one you use to read the log file.
It's real time, it's updated, it's formatting them well and simple. It's good stuff.
>> How many times do you get the question? I had the following issue yada, yada, yada. And your reply is can you send me the log files?
>> About every single time.
>> And then the other guy says well I don't have the log files. In that case the answer is I can't help you.
>> So the interesting thing about the log files is
they are in different locations depending on when it fails. I'll come back to that in a bit. Also, the default or the main log file in Config Manager is the smsts log file. And even though Microsoft already back in R2 SP1 actually increased the size of it, from one megabyte to two megabytes, it still scenarios because of the default settings in Config Manager where debug logging actually is enabled for some reason. I don't know, but it is.
It generates a lot of data. Easily five, six megs of data. And if you think of the number five and six, and you try to fit that amount of data into a two meg container, it's challenging.
>> [laugh]
>> Slightly.
>> Yeah, math.
>> [laugh]
>> But anyway, I'll talk later more about that shortly. So next slide please.
So, we do have other options available as well. Every now and then when you do things the sequence will start to do its actions and every now and then it will report back to the site server. Send up status messages, not super detailed, but sometimes good enough to help you troubleshoot. And you can view that information in reports, there are a bunch of progress reports in Config Manager. There is also, you can create queries directly to those status
messages inside the console, so you can get the information there, too. Of course you can also enable server-side logging. That's available both for and ConfigMgr, Lite-Touch and Config Manager and when you do that, if something fails, well the log files will be copied to the server. And not only the smsts log files, everything else as well. The logic of the script that does this is actually smart enough to reach into your machine. And grab every possible log file it can think of to help you debug.
So, for example, if the sequence passed the step that does driver injection, you will actually see the log file, log file that will help you debug drivers on the server. In the folder where that computer name is. That will be log file. That can help you debug your domain operations, assuming it actually came to that point in the sequence. So it grabs some 20 files from your machine and puts them in a folder on the server so you can easily debug those.
Next slide, please.
>> How do you turn that on?
>> How do I turn that on? I will absolutely show you how to turn that on in a bit. Good question. The second thing is well the log files will only be there assuming we can actually start deployment. And it happens every now and then that you have a machine, you press F12, or you press Enter if it's a UEFI machine to PXE boot and
then it doesn't PXE boot. It will just give you like abort PXE and it dies immediately. So that point the log file on the client doesn't really help because we don't have any at that point. We are still just dead as the water. The machine is basically nothing is running on that box, so slide. So.
>> Says demo.
>> Says demo.
>> And your number?
>> Seven?
>> Seven.
>> Very nice. Very nice. So I am going to start a non-PXE deployment first for a reason. I'm going to start a Lite-Touch deployment. So I will go to a clean VM. That is configured to boot from an ISO. It should start pretty quickly.
The reason I'm using Lite-Touch is that they are special. When you start the Lite Touch boot image, it actually kicks off a small wizard that drives you through the deployment. You can automate that fully of course, but what is it in the boot image that actually starts this? Why is this happening because if you go into ADK and you create yourself a custom boot image and you boot it in a VM or a physical box. I promise you it will do nothing. It will give you a command prompt and it's black and
it will do nothing. So why is that this guy did something in this case presented a list of sequences to me.
>> [inaudible]
>> Bootstrap, yes, but that's later. If I open up the command prompt and I adjust the font size a little bit, and the colors a little bit. In the root of that boot image, there is an unattend file. If I open that unattend file, you can see it's actually
setting the screen resolution, which works great in BIOS-based machine. Not so great on UEFI-based machines. You can see that actually launching a script. That's why it stops the wizard. This script, yes, reads the Bootstrap.ini file and tried to figure out what to do. But this is why the boot image does something at all. And this is useful for Config Manager. In a few customer environments already both for 1511,
both for 1602 and both for 1606 versions of Config Manager. I have seen an interesting error happening. This is my blog, this is the error you might see. It complains about not finding a network adapter, and you press that failed to do the ip conflict and there is a network adapter. And you can see just you get this immediately. It's not like even trying to find a network adapter. So this is obviously a bug, but the fix is so easy. Create an unattend file.
Put it in the boot image, in the root of the boot image, and it will actually run even before the pre-start command in ConfigMgr. Which is needed to work around this issue with networks. I have seen this twice on conference networks too, because they often are. Less maintained than the normal corporate network. So I wrote this script that I'm very proud of. Lot of work.
>> [laugh]
>> Thank you.
>> [inaudible]
>> Yes, I do. I do. But simply I gave this more time to do its business. And that's all the problem for all those networks, every single one of them. So, if you do run into that issue, remember that, yes, you can put an unattend file in the root. You can have that to call a script to do something. I've seen other customers doing this to actually clean up disk,
that may have been using say that part of this. On the box and then I want to go BitLocker. So I will try bare metal deployment. And the Config Manager action will try to start to do its business of formatting drives. And sometimes it gets upset if there is third party disk encryption on the box. But if you clean it first, problem goes away. So that's one way of doing it.
And, let me just double check these guys, so, we assume we reboot we will get the log files, so I will stop this VM. And I will toss my MDT server because I'm going to do a PXE boot and my MDT server is also a PXE server, and I don't know if you tried, but having multiple PXE servers on the same subnet at the same time is interesting because they will fight. So I will take a normal VM, generation 2 VM. And I will PXE boot this guy. Press Enter, it will start to download the boot image, and
what can you do to speed up that process? Well, this morning I stumbled across this blog post. Mr. Jurgen Nielson fellow Swede. This is new in Config Manager 1606. That will help you even in other virtualization platforms in Hyper-V to get the speed when you're flexible to download boot images that way. Because this one up here has been around for a long, long time. But this one is new.
I can actually help mitigate some of those long down times of downloading boot images. This varies with hardware. Typical, I've been very successful by setting this to eight in most environments. Set for pro books, but you can often increase it to something higher than that. So anyway, the machine PXE booted and I can start to log in. Now when I press Enter here after typing in the password,
it's gonna contact the site server and it's gonna look for policies, deployments for this machine. If you are on slow networks, really high latency networks, this may time out on you. And you would get an error message saying, sorry, no policies for you. But first of all, it could actually be that you don't actually have a deployment. So how do you troubleshoot that part? How do you know already at the PXE boot
if the machine will have a deployment or not. SMS takes a long time to sort. So, if I go to my site server, go into my installation directory Config Manager, while you have it. Please don't type it on the C drive. The inboxes are in that folder. And they can be full if something goes wrong. And then it's bad if it's on the C drive. So I open the PXE log file.
And you can actually see here in pretty much clear text that okay, I've had here. It tried to boot. That machine found an option on advertisement. It was this sequence or this advertisement for the, I'm sorry, deployment. I don't know what I call it advertisements. But, it actually found a boot eventually and it handed up boot down to the client.
This is how you can see what's actually going on on the server side. Now, what to do if it takes too long? Well, there are variables you can set to give it more time. And obviously you can set those variables in the sequence because we haven't yet started the sequence. The problem we are having is we don't see any sequences. Let me see variables here, wrong one. These guys.
That's the script. There is, here we go. I don't need to send those guys. So these are the variables. I simply have a VBScript that sets them, easy. And. I call the script through the normal prestart command in Config Manager. Again, giving it more time. This one you will not like to call from an unattend file.
The reason is you need to call it from the prestart command, otherwise you don't have the environment up and running. But again, this is easy. I haven't documented a while on my blog. But this is something you can do to give it more time at deployment. But I will select the sequence and I will continue. To start to format the disk once to state your packet and then it'll continue and do its business. In this case, it's actually going on a pause after a while.
And this is something that is really useful when debugging things. In my sequence on the site server here, let me pick that one. If I edit that, you will see, that here I added a pause. I added it directly after we tried to format the disk the first times. So in this scenario I was troubleshooting disk partitioning, something happened, I added a pause to the sequence that's actually bordered to that point, and at that time, I can now just open a command prompt.
Press F8. Run diskpart. Try to partition the disk manually. Verify that you actually have a driver for it. And not only just clean it and create a partition, but actually format the partition as well, because sometimes you can create a partition but it's the format action that will fail. And when you run that interactively, wow, sometimes you will see things that you don't do when you just have the sequence engine running.
And at that point, I mean, if you place a support call with Microsoft, it doesn't really matter what deployment solution you're using. You can just tell them flat out, I'm starting on a Windows PE boot image. I cannot run diskpart and create the partition. And there will be much easier for them to help you troubleshoot that process also through support. But anyway, to go back to my client, it should now have reached the point where it's pausing. This was actually slightly harder to code this script
because it was several lines of code. So I put that script in my MDT package, and that's something I recommend to do. Every custom script that you guys use in your sequences, put them in the MDT package. Why? Because it's always there. They always state that packet on disk, you always have those files available to you.
That's why you see in the sequence many, many, many times there is a Use Toolkit Package option. This is where they make sure that those files are available to you. So if I go into the scripts folder here, cdi pause win p. This is it. This is just a script that is looking for a text file. And as long as that text file doesn't exist, it will just wait, loop and wait.
>> So here's a good question for you.
That assuming that you integrate MDT with Configuration Manager.
>> Yes?
>> Yes, there is always someone that says I don't wanna do that. And because we don't need that extra functionality, but we don't really have that approach. It's not the functionality, we want to have a deployment framework, and a good starting point is to have that toolkit. So even if you are using a native Configuration Manager sequences, you can still include this package, just to have all the scripts available.
>> I mean, you can view MDT as a bag of candy or stuff that you really, really like. You pick the stuff that you like the most, and you use that. Yes, because that packet contains some 200 plus features for OS deployment, you don't have to use all of them. And I know very few customers who uses all of them. But you pick the stuff you like. And the framework for development is just one of them.
>> So anyway, I will press F8, I will get a command prompt.
I will do the same operation here again, to make it slightly more visible. At this point, I can open CMTrace. Obviously, I can go to the default log location in the beginning, where it is the Windows 10 folder on the X drive. And I can open sql's log engine. And I can follow my deployment from here. If I want to, I can also go into my C drive in this case. It doesn't have to be the C drive.
It could be E, F, something. Because drive letters in Windows PE are temporary. It's not the same as windows 5, it will actually be installed to eventually, but in here, I will have a wd package folder. I will also have the normal packages folder to which the sequence downloads all its packages eventually, but this one is special. This one is the MDT package. So here, I can go to the scripts folder, and I can run, for example, a script that will enumerate
all the settings that I have currently in my sequence. And just dump them up to the screen, or preferably, how about pipe this to a text file, and open that text file in Notepad. Because now I can start to drill down and see all of my variables. You can see that I have in this sequence done something I highly recommend. I have added a variable to increase the timeout. So if I go to my sequence and check at the beginning of it,
I have added this one to change the default timeout from 15 minutes into 24 hours. So if something breaks, I will actually know about it. So I don't miss it accidentally just because I left the room when I started the deployment. I will also add in another one that you can see on that list, and that's this one, reboot when done. This, I would say, is critical for most Config Manager environments. And I can see that on the client.
I do have an SMSTSPostAction. This is something that happens when the sequence is done. And I use this to force a group policy refresh. Because the normal Config Manager sequence was suppress all group policy processing when it's running. But sometimes, you do want to apply policies when you're done with it, and forcing a reboot, this, well, will refresh the policy. Other things you can work on is, of course, following this information or doing this from the server side.
Check this stuff or most of this stuff. So you do have the server-side logging I mentioned. And this is really tricky to enable that was requested before, how do I enable this? Well, you go into settings package, that you have a new sequence. And you simply add a one-liner. This is one of the 200 plus features that the MDT gives you, server-side logging for Config Manager. So when you enable this, if something goes wrong,
it will create a subfolder for each computer that you deploy and copy all the log files to that folder, so you can easily debug it, very, very handy. Now another thing you can do with this is also, of course, check it through the reports. So I will cancel this sequence. I will go back to my monitoring node, no thank you. I will go to, my deployments. Progress of a running sequence deployment, I will run that report.
It can also use the browser to run the report. I will select my deployment, it was my debug sequence. Thank you. And I can now see that so far, it's actually been doing some stuff here. You can start to track to see what the sequence did and when it did it. So you have some information about what's going on somewhat real time. It's still not every step, but all the actions in the sequence at least is being reported back this way. Back in CM07,
I really like the way it was by default because in CM07, that was ready made status message note to find deployment info. And they kind of removed that from Config Manager, which made me sad. But it's not that hard to create your own ones. So here, I've created a query, where if you look at the code here, it's a bit messy, but, it's coming. I'm basically looking for status messages that belongs for my deployment. And if you search for this out there,
you'll find plenty of examples of this. But now I can run that query. I can specify for how long back, a day or two. And you wait patiently, that's you do. But here you see, I have a status message from that computer, and we start to look into the details. You will actually see additional information about everything that was happening here, and sometimes that can give you some clues as well to debug things.
The nice thing, this is server side, you don't have to be on that client, we could be in another state, in a different country. So, this is useful as well. What you also can do in Config Manager is, there are filter rules that you can enable. So if you go to your site, you have your status filter rules. And you can create your own ones, OSD happiness. What's the code for happiness? Could be 42, yes, but
in this case, it is 11171. And if it's happiness, you can launch a program that sends an email with a green logo on it and say, yay. You can also do the opposite which is probably more interesting. You can search for non happiness, utterly failure, which is this error code or status matches that you can do something else. And now the site server is keeping track of your deployments and sends you an email when stuff is good and when stuff is bad. Or creates a ticket in help desk, do something.
But this is also quite powerful to do in Config Manager. So one final thing, though, that log file I mentioned, the size of it I spent an afternoon, a Friday afternoon, deploying Windows as you do on Friday evenings. I probably had a beer in my hand, and I ran through deployments. With every single combination of log setting that was in ConfigMgr just to see what difference it would be on the log file and then I compare the log files. And it turned out that in Config Manager by defaults
since debug logging is actually enabled. You'll get more content, I mentioned this before than you have in your log files size. So again, 2 MB on one archive makes 4 MB, it's still less than five or six. So you have two options, either you simply increase the size, in this case to 16 MB. And I only do this right now in the Windows PE part, because in deployment that's actually where most errors happen.
I can do it for Windows also, by changing the properties of the Config Manager agent in the sequence, but this is often all I need. And since I have it to 16 MB, I don't really need to have much of a history of it. I'd rather have everything in one file than two files. Because if I do 10 deployments and it creates two archive, two log files from those 10 deployments, I would open the wrong one 10 times in a row.
You never pick the right one, it's simple as Murphy's law. And what you also can do is simply disable debugging, and I'm not sure why it's on by default. My theory is that a developer enabled it eight years ago.
>> [laugh]
>> And it's been stuck since. But that's just a theory, not confirmed with the product team. But the thing is, here are two log files. One that has debugging enabled. The other one has it disabled.
And what I've found so far, this often gives me enough to debug things. And when you do that, the log files are indeed only 1 to 2 megs. And it actually works with the default setting. So shorthand story, to get this going, you create an INI file. To make sure it's a boot image. I mean in later releases of Config Manager, you can simply place this small file on the site server, that will be added to the boot image. Previous versions you have to add it to boot image yourself.
It was very easy. You connected always to injector file, you can simply copy it from the Windows folder, the boot image. If you do that once, then you're happy. So this is how you can make sure this stuff is easy to debug and easy to work with. Now, back to slides
>> What? Slides.
>> [laugh]
>> I can do slides.
So you talked about drivers then, right?
>> So drivers is still the part of operating system deployment that I find very.
>> Fun. Because it's always this battle between me and machine, I usually win. Otherwise, you can always throw away the machine and say, hey, it doesn't work. But we have different drivers.
And the first driver we really need to make sure it works, is the Windows PE driver, right? I can see customers say, hey there's new drivers for Windows PE should I download them and install them? No. You shouldn't. But they are new. Yeah. But you shouldn't.
Unless you need to. So the question is, when do you really need to have a driver? Well, we're gonna cover that. Then we have the setup phase, and sometimes we are into a small slightly challenging issue is that you injected the right, right or just Windows picks another one and you go hey I didn't tell you to do that, and then you try it again and it's like hey it's still picking the wrong one. I'm gonna cover that, and
then we have drivers that can't be installed as drivers. I mean, they're always going to be there, you can get it to be kind of installed. So there's a driver but, when you try to use the function, or the application it doesn't work. Eventually, you've got to figure out the following. Needs to be installed as an application. There's no way around this, and that's fine. I do understand that sometimes you need to do that.
>> Do you want to click?
>> No.
>> You're not certified. [inaudible] [laugh] It says demo. I'm so impressed.
>> [laugh] You're number seven, so I guess I'm number eight.
>> Or six.
>> No, this is from yesterday.
>> [laugh] Okay.
>> I can remove that. So. No, it doesn't need to be updated.
>> It'll need your help though.
>> Yeah, usually does. So number one, how do you verify that you have a driver that actually works with Windows PE? Well you boot it up in Windows PE. And then you type, this is very advanced, ipconfig.
>> Yeah, level 500.
So and if you get an IP address, you don't need a network driver, it's very simple. You have one that works.
>> [laugh]
>> But then, we need to verify that you have access to the disk subsystems, so diskpart it is. And, this needs
>> You have to spell it also.
>> Yeah, I know. It doesn't have the automatic spelling thing for me. In diskpart did you.
List disk, disk. Yeah and hey I have a drive. So then I'm fine. No you're not fine. Because this is very good as a starting point. But you really need to do this. Select disk zero, clean, create partition primary, assign, active,
>> And format.
>> Format, fs.
>> We really don't need to the assign and active, Mikael was just doing that to show off right now.
>> [laugh]
>> But there is one they are doing it.
>> You need to format the drive because we've been through that, it can really see the drive but when it comes to the action of creating the partition of formatting, it fails. So this is not very fine.
I don't need drivers. Okay? These are hardest usually to find the disk subsystem driver because in most cases it's a client workstation, it's gonna be either built in or it's going to be the generic set of drives. But when it comes to network, it's slightly more challenging. What we're gonna see people do sometimes, I don't recommend it, is to find every piece of network driver you have and cram it into your boot image.
Wait for a long time and then hope it's gonna work.
>> Right, that's so far is about a gig. I've seen it at one side of a boot image.
>> The hoping thing doesn't really fly for me, so
>> I prefer to do it this way. Let's assume I don't have an IP address, but I expect these following drivers to be the right one. Put them on a USB stick. Right, or?...
>> Or floppy?
>> [laugh]
>> Anybody seen a floppy? And then you use an application called drvload. And then you specify.
>> The driver. And I cheated. I put it on my boot image. And you point an INF file and you load the drivers. And then you need to reboot.
>> Nope.
>> No, you don't need to reboot. You run the wpeinit to kick it off again. And now, you can do the same thing. ipconfig. Did I get an IP address? And you do this until you find a driver that works. Then you use that driver, it's very important that you're minimalistic when it comes to driver Windows PE,
because when you add a driver you might lose support for another piece of hardware that you use in your organization. Because it has been updated and been replaced and it doesn't work with all the hardware. So even if it's possible to download an entire CAB file with Windows PE drivers don't do that, pick the exact driver you wanna have. I know it takes some time, but usually takes me half an hour to figure out what driver I need for Windows PE. Now that was Windows PE.
Then we have drivers for Windows.
>> Then we have drivers for Windows. We can go to the Device Manager and we can see that hey, I have a display driver here. It's an NVIDIA card, and that's pretty nice. And in this case it did pick the right driver. Now, the problem with picking the right driver is that, I wouldn't say problem. The challenging is that Microsoft is using Plug and Play.
Sometimes call them plug and pray, but that's another story. It's based on ranking. So it's gonna, it's gonna grab all the drivers that you downloaded to your machine and say hey, here is all the drivers, stage them. Absolutely and then Windows will file up they gonna say hey, I'm gonna pick one of these. How many of you have kids? Multiple kids. There's one thing as a parent you do once when you have multiple kids.
It's that, going to the kids and ask them what they would like to have for dinner. [laugh] Because if you have multiple kids, you'll gonna get multiple answer. Eventually, as a parent, you learn the fact that it's much easier that you pick the food. And then you say dinner is served. It will be meatballs.
>> Yeah.
>> And then one of the kids say,
I don't want to have that. Well, that's the only thing you're going to get. And they will eventually accept the fact and have the meatballs. And you need to treat Windows the same way. You need to feed Windows with the one and only driver, and Windows is going to be happy and say, hey, I found one. [laugh] I will use that.
>> It's the best.
>> It's the best of every one I used.
Now, ahhm the ranking system. It has been around forever. Ahhm, but you can search for why did Windows 7 pick that driver?
>> [laugh]
>> And then you're gonna find a blog post that explains that. If you zoom in here this is a part of the setupapi.dev.log. You can see here it actually did find two drivers. Here's one and here's the other one. And, of course, pick that one.
>> of course, it's the best. >> because it's the best. it says- >> from a ranking point of view. >> selecting best. >> yeah, exactly. and the reason why i fix that is because it's best, because it has the best ranking. now ranking is divided in multiple numbers. the first two characters stand for signature code.
that means that the unsigned driver will never ever be picked. there is no way is unsigned, is gonna lose. >> on windows 10 in general, that does not like outside drivers, so. >> and sometimes you really need to have an unsigned driver because that's the only option you have. that is the correct driver. you can turn to the vendors, you're gonna say hey i need a signed driver and they're gonna go like hmmppf [laugh] so then you need to cosign driver, and that used to be very simple,
because you can create basically a self-signed certificate. that doesn't fly anymore. so you need to have a real certificate, but you can do cosigning of drivers. but you should go to the vendor and say, hey i really need this driver to be signed. if you can't go to the vendor and get help, go to microsoft and tell them to go to the vendor. they are slightly bigger than you, most of you anyway, ahhmm and
they have really good lawyers, so they can help you in that way. >> i think the engineer is the right word developers. >> yeah but you really want something done lawyers actually works better. >> [laugh] >> taking notes. >> the next run says for feature score. and this is how for instance intel drivers are picked instead of the inbox driver, it's the same driver, it has the same ranking, it has the same feature, well that's the trick.
they're gonna say that our box driver, that you download, has a slightly better feature score. it doesn't mean it has better features, it's gonna be the, more or less the same driver, but it's, that's the way you're gonna take that. and that is how you can make a third party driver be picked instead of the inbox driver, by having it signed, and you bump up the feature score. now it's gonna pick that driver instead,
because it seems to be better, right? and the last four characters are identifier score, and that's how close they match. when you go in here to my device manager, and do properties, and do details, and hardware ids. here is the identifier score. so if i have the top one, it's gonna be very close to my hardware. it's gonna pick that one. it even includes the revision of the physical hardware in my ahhm,
graphic adaptor. if you can't find the a1 revision, well it's gonna take the slightly more generic which means i don't care about revision of the hardware, but it's gonna be that device. otherwise it's gonna pick something else. and the last one is just very generic driver from nvidia. so it's gonna work, it's gonna have bad performance and you're not gonna have all the features. and that is how you make sure all these drivers will work.
now so once, once in a while you need to have this drivers as application thing, right. so, i'm gonna use some, this is just an example, right, you can do this for dell, you can do this for lenovo, for htc, for ever vendor it is, it doesn't matter. >> they have their own tools. >> they have their own tools ahm, and it's pretty easy to find that. let's assume that for any reason i need to install the hp hot keys, support thing.
because my users really want that feature. anybody had a request for things like that? no? and they go like, what do you? why? >> i really need it, okay. >> fine. >> so i'll use the view softpaq cva which is a text file. i'm gonna open it up. and it's somewhere here, it says how to install this, hopefully.
>> there it is. >> the obvious command, which is very simple. >> look at the stuff in the middle there, the log file. >> often with driver application, that's the key to have configman be happy about that setup. for example, some of the older installshield setups that installs driver apps if you don't have log file it will fail, but what you find for the hp is that they often provide you with the config manager switches in the information file about the driver.
>> and if i don't have the don't wanna have any percent the attended folder, i don't wanna have it there, where should i put it? well i can use the parameters. for where ahhm, idle laptops are configuration management stores the log files. and put the log file in the same location. which means if i now run as itshare, those files will be covered as well. which is a bit nice. so i have the command line switch.
i need to explore this application. copies of that directory and put it on the. desktop, create folder, demo. this, ok. hey, there it is. and we need to extract it. maybe i can extract it this way. i don't want to install it. yeah, i can extract it to that folder [inaudible] there we go.
but i do need to grab the package. we're just four. and so here's the setup, here's the entire application, i'm sorry. 190, and i go copy. and then i need to create a package of that. i'm gonna create the package either in the configuration manager or creating an application you like. it doesn't matter in which way. it depends on the deployment through which we have.
how do you get that package installed based on the fact that it happens to be that particular kinda hardware. because i don't want to create a task sequence thing and say, hey, if that, happens to be that make a model, then you should install this application. we prefer to do it another way. and what we do is this, usually. i wouldn't say usually. we do it every time.
well, with one exception. what mike was about to show you is, the ability to have a separate engine feeding apps into the config manager to sql. which is fantastic for any type of network deployments. this is dynamic assignment or applications. this works awesome unless you are using a standalone boot media where you actually need to have everything staged on the boot image. >> correct. in that case, you really really need-
>> need to have it in a sequence. >> yes, otherwise we try to avoid that. so i can either use the modelalias vb script or i can use just model within. the only thing i do is that i specify that if it happens to be that particular model, then you should absolutely install the following application. and that is for lite touch. most of you are running configuration manager.
so you're not going to do mandatory application 001. you're going to do. packages. >> or applications. i could just sort of say, one. and equals to ps1: >> no, no, the package ids are. that's more than s ps1, i promise you. >> ps1: >> nope. >> something like that?
>> how many zeroes did you add? >> it doesn't matter. >> yes, it does matter. [laugh] >> [laugh] >> it does matter, if you wanna count them? >> now that's gonna work. >> [laugh] >> install the hp. >> so. >> stuff.
>> package id and program name if you don't like to say packages. >> or applications001=the hp stuff for osd. usually, you don't need to but a lot of customers are figuring out that sometimes it's easier to have a separate application in configuration manager, just for the use of operating system deployment. >> the thing is we can only specify the application name here.
we cannot specify the deployment type. sometimes when using the app model you have more than one deployment type, if you don't, you don't need multiple apps but if you do, well, you need to have multiple apps. >> in fact but in this case, the likeliness of you having a multiple application type or installing types for this application is very slim. >> but maybe you don't wanna publish it, so there is a way around this. if you don't wanna do it this way, well then you open your task sequence and you specify the condition for that model,
model name you has make or whatever it is. and say, hey install this application based on this fact that it happens to be this machine. there are a lot of things that need to be installed like this. so when you do verify that every driver is working. it's not enough to just check the device manager. you really need to verify that whatever functionality that is behind that driver really works. just because there's a device driver and says, hey try me,
that's not gonna be good enough. >> all right. it's life. >> it's fine. >> that's fine. >> so, software updates. in config manager, this has been one of the well, pain points for many, many years to have the sequence install as many updates as possible in the single run. now, we understand we don't really have that problem anymore.
because how many updates do we need to actually install? typically as one, i've seen some scenarios for there is a servicing stack update also but in the end you need only one because they are cumulative. and we actually have callers in the room here sitting on that row over there. he owns the windows updates or software updates. so if you have a software update question i'm sure he'll be happy to answer them.
anyway when we build our reference images, in the current release of windows 10, for the software updates action to work reasonably well in lite touch deployments. what you need to do is to make sure that the latest cu, cumulative update is actually added early on into the image. because they did changes to the windows update agent that you really, really, really want. so how do you do that in lite touch? really, no you're not allowed to, no.
anyone? you put them into packages. so i have a folder here for each version of windows 10. well, sorry about that, number seven. >> bend your knees. >> happy? >> i'm happy. >> good, so i have a folder for each windows release i'm using to be able to reference images of.
>> so i've actually added in this is the september 23? it's a week old update. so i simply add that, right-click and import it. i download it from the microsoft update site, the catalog site and i just import it here. and then, i'm creating a filter. so i have a selection profile that is also named, well, somewhat the same where i have selected that folder. so i have a folder in packages where i import the update.
i have a filter that selects that folder. and then, in my sequence, that actually builds and captures my windows 10 machine. including a bunch of updates or components. there is an apply patches step. this one i have configured to use that selection profile. >> now here's a good question because someone in the audience are here right now thinking, why do i need to create selection pro? can i ask, just add all the drivers to the same file?
i think i do that and it works. it does. it does work. if you add all the packages for every operating system into one big file of packages, it is going to work. >> the thing is it's going to try to install them all. windows 7, server, this version and this version, it would take a pretty long time and even though it will realize that so it up wasn't for me. and it will continue. just don't do that.
just create that folder, create that filter and your deployment will be happy. so the latest from this update agent is in the image. most of the problems that were with it was solved last week's release of the update agent, so, just make sure it's there. and that means you have a fairly up to date image. and if all the videos from ignite are being published right now on youtube, for the only ignite channel. and also will be eventualize soon available on channel 9,
at least i have been the previous years but they are available right now on youtube. and we did a session on tuesday about mastering windows 10 deployment expert level. and in there we show you how to set up an image factory and that's something we recommend that you do. but the short hand story is, when me and michael create reference images, this is typically what we do. change the font size, we go through a folder where
we have a script and we run the powershell script. that's it. that script will take your deployment share and build a wim file for each sequence that you have. and store them on the site server. fully automated, using mdt in the back end. but there are no excuses for not updating your reference images every now and then. don't have to do that every week.
of course, there is no updates every week. but once a month. every second month, something like that. because that really helps config manager later on especially for windows 7. there still are so many updates in windows 7 that the default action here. let me take my windows 7 one. this guy, may time out.
but it doesn't do that if your reference image is fairly up to date. so, the quick fix i say is to make sure the reference image is up to date. now, they did add a variable in help me out. 1606, that will allow you to specify the timeout to more than 30 minutes. do you really want to have the sequence wait for more than 30 minutes? get your image up to date and you get away from the problem altogether.
so yeah, that was in tips and tricks around software updates there. so slides. >> now again? >> it's too many slides. i don't like that. >> no, we don't have too many slides. we have one and then we have demo. it's perfect balance. >> it says demo.
>> another. skip that. >> so we then have the inplace upgrade limitations. i wouldn't say limitation probably do have challenges around the inplace upgrade. number one when we talk about inplace upgrades. yes, they worked. yes, we don't really have too many problems around it. one really common discussion at customers sites is this.
we are planning to do an inplace upgrade, but we wanna do a shifting from bios to uefi or we wanna do this and we're gonna do this. if your machines are old and they're gonna be up for hardware replacement, doing an inplace upgrade, keeping the bios and everything, that's gonna be fine. because then you can have the users trying out windows 10. before they need to replace the hardware. we don't need those big bang projects, i don't, big bang is a really nice tv series, right.
but you don't need to spend too much. so challenges are and you can go to- >> your screen? >> my screen, it says demo, almost. now it says demo. >> yes, i see it. >> i'm eight. so a friend of mine, did write this. we do have limitations, language is one. i did have the customers that deployed the uk version of windows
8.1 and now they're gonna upgrade to windows 10 and they wanna also change to us english. it's not fun to be in those with these [inaudible], but yes- >> what if i know he can't? >> that's wrong. >> [crosstalk] >> sorry? >> can you refresh it? >> you can refresh it. that's another story, but true.
third party anti-virus depending on vendor, even if you do have a supported antivirus, most likely you first need to upgrade it. yeah, okay, so that's another story. you can't do 32 64, you can't do lower skus, but you can go from enterprise to education. pro to education. >> pro to education? >> pro to education. >> pro to education and then you can change that later on. you can't do virtual.
you can't do windows to go, usb sticks and that's fine, nobody's gonna do that anyway. that is basically the limitations we have. other than that, it flies really nice. there is a note in the middle there that i, was new in 1607 for windows which may give us some additional options in terms of that part of dis-encryption. why you actually can have windows install additional drivers for those scenarios.
so if you have a vendor that has been working with this. so chances are higher than ever before. >> now there's actually two kinds of in place upgrades. one is going from windows 10 or a previous operating system version from windows 10 to windows 10. the other in place upgrade scenario is windows 10 to windows 10. right? and that is going to be a more common scenario the more time we spend time on this so i think it is the way to do a correct upgrade.
>> yes. >> now if we do that and one of the things that you should be aware of is this. let's check this sequence. it pretty much looks the same way in config manager also, so we don't have a huge difference. i'd like to do it task sequence ways. there are the- >> servicing. >> servicing. but servicing is, we can't really control it in the way we want to.
so i prefer to have a task sequence. that way you can determine when, how and since it's a task sequence, what do you need to do before? well we can run the upgrade validation and say if it fails, then don't even try to do this. we can also update drivers, we can uninstall applications, we can install other applications after we're done, so using a task sequence for the in place upgrade seems to be a better choice currently and i strongly recommend you to do that.
>> yes. so another thing is, let's see, yeah, even though did add in the reflectdrivers switch to the online action. how did you get config manager to use it? well, there's a really long variable you can use as well to force additional common switches into the step in the sequence that actually runs the upgrade and that's all, well, if the driver actually works. so far in my experience, when you have part of these encryption inboxes and you want to do an in place upgrade and
even sometimes you want to refresh them. it can be a really painful process to work with the vendor and get the drivers to work and all of that. and more sort of a bullet proof scenario is to actually treat it as a replace. so if i can have the- >> absolutely. >> lucky number seven. so here i have a backup only sequence. this is the default replace equals in config manager.
it does a backup only. in here you can also add additional bios configuration things if you want to convert from bios to uefi and mike terrell had a session yesterday, was it wednesday? so for mike terrell on the youtube channel and you'll find the session entirely focused on how to do bios things. and michael also has some info there later. but this is a backup on the sequence. so i will run that on the existing box while it's online.
because then i don't have any problem with reaching the info on it, because it's online. and i installed the backup on the service somewhere. then i simply take a normal deployment sequence and that process i restore that backup. on the same box. normally, we replaces when we are replacing computers, but we can also do it on the box to work around issues with that part of description.
and that always works. so. slides. >> slides. i'm shifting. >> so, let's talk about running powershell for a while. >> in the sequence. and there are different ways. one is to use the built in actions. they work.
and then we can use, of course, custom actions. and which means that they basically run it as a powershell script. we have variables and handlings, and we're gonna cover that if i shift to eight. now, one thing to remember is to make sure that you do have your windows pe features set to include powershell. >> and sure, this will add 100 meg or so to your boot image.
i couldn't care less. you're about to apply a 10 gig image. if the boot image is another 0.1, okay. >> okay. >> okay, fine. so even if i'm not gonna use powershell in my boot image, i want powershell to be there. so if i do need to troubleshoot, i don't need to create a vb script. i can just on the fly, power up the powershell prompt and
get the wmi whatever i need to do right. so it's just faster. now if you have a task sequence, it is the ability to run, if i go to this i have the ability to actually run the powershell script, because there's not make you function to do this. this is a very useless powershell script that just promise stuff on the screen, but if we open that powershell script which i have here, and around, somewhere around here. go to search, maybe demo powershell script and open that.
and make it slightly bigger, you can see that it has a function and it has another function to import all the variables and have the stack looping. and it's gonna write stuff to the screen. if we use write-progress -activity, that's gonna pop up in the task sequence engine, so you can see the commands are actually running, if you want to do that. and of course you can do things like this. just no, waiting.
there it goes again. another way to run a powershell script is to run it like this. you run it as command line. so in this case i have just a sequence that does nothing else than do not take that course. >> that's a vb script. so it's gonna do nothing at all in the end. [laugh] and then from that command prompt we can now execute the script.
so i'm gonna go to that machine and i want to pick this a sequence as called user's [inaudible] dev, dev here it is. and i'm gonna click that one and i'll do next. and begin. it's gonna run this. it's gonna end up with just emp okay. and that means that the sequence is running. if the sequence is running, i can start powershell anyway and i can load the sms type ts environment, and from within that, i can now
play with my variables, with my flag, like you're on the vbscript. that means it's pretty easy to create your own things like powershell wrappers or things like that. the only thing we need to do is this. we need to import that object, put it in something, and now we have the ability to dump that information out. so i'm gonna run this. that's elevated. gonna paste this in.
gonna make it slightly bigger. now you can see this super advanced okay button coming up and that's from all the stuff but we don't do that. yes, i know. so now we have been below that, and now i can run this to get the variables out of the system. and if i wanna run this one, it can give me everything. so, this is the way we start developing a script. can i, do i have the right, so what's the variation for that?
converting every piece in our environment variables into a powershell variable. and if you go to my blog and you search for something like bios upgrade, you're gonna find one of those powershell scripts that uses this functionality, so it's basically a powershell wrapper around it. >> slides coming up. so this is very easy and lite touch to do. is more tricky in config manager.
next slide. what you can do in config manager is we can borrow. i was about to say steal. look, if you don't do that we borrow a component from mdt and we use it together with config manager. it says demo. very happy that do. so let me start up a client here, it's a windows 10 machine, and on my site server,
i have a sequence created exclusively for debugging scripts. so i just have a very short sequence. use to package, run the gather, and then it's using the service ui component to actually launch a command prompt. because that command prompt will now run as system as to sequence itself allow me to access stuff which we normally do not have access to when you're running the sequence. because it will prevent you from interacting with it. unless you are on windows pe.
so, if i go to that client log in, i have already deployed this sequence, so i will just open software center and i'll rerun that sequence. downloading and installing software, just download the mdt package. it runs gather eventually. but in the meantime, i will open up an elevated command prompt. because we can clearly see that the sql engine is running, if i go to this folder on local administrator. we can see it in the title bar but just to make sure i'm an admin
and if i ran a script that tries to access the sequence variables right now, it's not gonna be happy. [blank audio] but if i wait until the sequence opens the other command prompt which is yellow, and i run the exact same script. then i do have the variables. and this allows me to run my scripts over and over, change them, run them, change them, run them until i nail them.
and then i will update them a package and deploy this normal. but this is saving you so much time when debugging scripts in the sequence engine. because updating packages, having it redistributed, it's just interesting. >> it says gpo refresh and web services. shorthand story here. a common error or issue, especially with lite touch deployments is that you
have a policy in your environment that will break the process. but what you very easily can do is we can use web services to move the machines around. so, if i get the, thank you. you can download these web services from codeplex, have been around for quite some time. i have some on my blogs as well. but in your sequences, you can simply add instructions, in this case to say, hey.
in this case i'm getting the target ou from a database where the machine is supposed to end up eventually, that was stored out of way in a variable. then i will set the staging ou, to which i have no group policies, no group policies at all. that's what i'm going to use for my entire deployment, but in the very end of the sequence, i simply call the web service that loads that machine by calling a web service that contacts the domain controller and moves the object to the right location.
and then i do a final reboot. so now i can run through the entire sequence without any policies applied. but in the end, i'll make sure that the policies i do want to have in the box is actually on the box. it could be policies that prevents displays notification. it could be policies that renames local admin. they would really really break the [inaudible] sequence. but, if you do it this way the problem goes away. slides.
uefi deployments. so, deploying uefi is not a problem itself. or it's pretty decent. but you need to shift from bios to uefi. and that, is of course, always challenging. now on your screen right now, there's a blog post from ccmexec. >> [inaudible]. >> yes. a nice pay and it's very generic which is the good thing. it goes through all the steps you need to do but
the basic idea is very simple. you need to grab the data, you need to store the data, you need to shift and you need to reboot. and it's gonna be like flying on the other side of the moon, so there's gonna be a shoulder. >> check this blog. >> and check mine. >> session from earlier this week. >> yeah, because you did the demo and
session on during the same thing, right. yeah. >> similar. >> well, using the tool from 1e. but hey the idea is to change from bios to uefi. >> yeah. >> and that is absolutely doable. >> slides please. >> slides please, okay slides please. this says demo, this is resources. on the site we have gathered links to videos, books,
training around os deployment. books that we have written, other authors have written as well. kent is here on the ignite as well. >> he is. >> and there is only one thing left for us to do, and that is to. thank you guys for spending the morning with us, and have a great, great goodnight. thank you. >> thank you >> [applause]