Ask MDTGuy!

Question: When I deploy Windows 7 from the Media Install files and the task reaches the “State Restore” and begins with the Windows Update pre and post application installation. The deployment process can literally take hours to complete. If I disable the Windows Update pre and post application installation the process then is really completed in less than 10 minutes.

1. Why does it take so long?

2. Does the target machine pulls the updates from MS or does get the updates via the MDT machine?

3. Aside from building a WIM that has all the updates, is there a way to speed up this part of the process?


These are all really good questions.

This is typical, an unpatched image can take hours and hours to patch, depending on the starting point and your internet connection speed. Now, I use SP1 media and inject a hotfix rollup from last summer and there’s still over a hundred updates it still needs to run. I can only imagine if you’re missing SP1 and/or the hotfix rollup its going to take even more time, as these patches vary from anywhere to just a few Kb to over ten megs. Some take just a mere second, and some like dotnet framework updates can take several minutes, and when those updates are done, they need updates. Yes, updating your updates, fun I know.
When the State Restore phase starts the windows update, it’s calling to a script called ZTIWindowsUpdate.wsf. Unless you specify in MDT to look for a WSUS server, you’re going to be pulling from Microsoft’s Windows Update servers.
As far as speeding this up, yes, you could inject the post Win7 SP1 hotfix rollup from Microsoft or better yet, get a WSUS server setup. If you don’t have a WSUS server handy, there are a few other steps you could do. But for now, start with adding the hotfix rollup, its like 90 updates out of the way.
Info on the HotFix Rollup:
Add a step in the task sequence to install the latest version of IE BEFORE patching starts. This really helps because that way you’re not upgrading to IE 9, patching and then upgrading to 10, patching, and then upgrading to 11, and yes, then doing more patching.
Block updates you don’t need, I don’t think you really need the Bing Toolbar, so block the ones you don’t need in the customsettings.ini file.
I actually use MDT to build my images in a VM. I simply use the standard client task sequence, have it capture, use the LTISuspend.wsf script, and make my customizations then.
Info on Adding IE 11 to your image:

Question: At my day job, I would like to use MDT. Do I need WDS to deploy via PXE booting machines? We use Linux servers, and the company I work for cannot afford (read: does not want to pay for) Windows Servers in the environment.

Answer: It’s important to understand that WDS is just a server role, MDT is the scripts and GUI, and ADK is just the tools. So, no you don’t need WDS, its cool to have, but not a deal breaker.

The ONLY thing you need WDS for is for is PXE boot and Multicasting. Which most people don’t need unless they’re running hundreds of machines (like I used to do when I worked for a large multinational conglomorate) Instead, just use the ISO that MDT spits out and burn it to CD or configure a USB drive to boot with that ISO.

So, the answer is No, you don’t need WDS. In fact, you can run it off a Windows 7 box. Better yet, use a Windows 7 VM on a server.

Question: Is it possible to clone multiple devices at the same time in MDT 2012? I have about 50 surface Pro 2 tablets that I would like to clone from a master image that I will make in MDT. After creating my necessary deployment share drives, how many surfaces can I apply the clone to at once using 1 PC?

Answer: This is a good question, I wish there was a real simple answer to this, but I can tell you what I know, and try to keep it as simple as possible.

A great deal of this depends on what kind of server you’re copying the files from and the network you’re running on. A small single disk server running on megabit will start to choke when you attempt to deploy to more than about half a dozen boxes at the same time, however, if you’re running a decent raid server using WDS multicasting on gigabit network, you could easily do a few dozen at a time before you’d see any real slowdown, and even then, with multicasting, you should have little trouble. What can also cause bottle necks is the update process, so if you’re going to keep office out of the image, take into consideration that you’ll want to let it update during deploy if you don’t have a WSUS server.

With that being said, if you’re pulling the image from 1 PC, don’t expect to do more than half a dozen at a time before the whole system starts to choke. Get WDS and Multicast working from a real server if you plan on cooking 50 some tablets at once.

Question:“How do I activate Office and/or Windows with MDT 2013?”

Turns out this actually pretty simple, both can be done easily from the command line The quickest way to do this it is by simply adding it to your task sequence.

I prefer however to add it as an application. This gives you the benefit of only activating when you’re ready to deploy at prime time, and keeps you from burning up activations when you’re only testing, giving you control of when and where it is done.

I also recommend adding your office key in the Office Customization Wizard, thus keeping your key out of plain text, and safe from snooping eyes. For Windows, I can’t recommend KMS enough, but if you’re using MAK, you may have to keep that in your answer file as well.

Office 2010 (64bit)

cscript "C:\Program Files\Microsoft Office\Office14\ospp.vbs" /act

Windows 7

cscript c:\windows\system32\slmgr.vbs /ato

See Also:

Question:“Why is it better to let a task sequence install software instead of including it on the image to start with?”

Answer:Ideally you want to have one and only one image, the less apps you have in the images, the easier it is to do this. This “thin” image is exponentially more flexible since you’re able to select which apps to install on the fly. You might be able to get away with Office in the image, but its really up to you. (Follow the less is more principle here!) So imagine a basic image done the “old” way with adobe reader, java, flash, etc. In six to nine months this image is horribly out of date, the java is out of date, the adobe is now two or three quarters behind and out of date flash is bad news bears as the hipsters like to say. So ask yourself: Do you want to build a whole new image just because of this or would it be easier to just go into MDT and copy three new msi files to the apps directory in the share? I like option two, besides a leaner image that’s just windows, updates and office can go anywhere if the vast majority of applications are installed “automagically” only when YOU say, its a beautiful thing. Almost as beautiful are how you can then bundle groups of apps with App Bundles.

App bundles are pretty neat. We used to use Bundles for specific groups of PCs at one company I used to work at, we had a “laptop bundle” it included the extra security software and VPN software and the web-cam app. We had a “Manager’s bundle” it included the software only supervisors would need. We had a “call center bundle” for our call center PCs, they come in real handy. At a school I worked with we had one bundle for student PCs and a second bundle of teacher PCs, it worked really well. Another thing you can do is bundle office and office activation scripts, hide the standalone office and activation apps, and leave just the bundle, this way you can “combine apps”

Question:“Why is MDT lite touch still prompting me with the welcome screen even though I still have skipbddwelcome=yes set in my customsettings.ini file.

Answer:This is a pretty common problem, and the answer is pretty simple. For some Reason, (don’t ask me why) Skip BDDWelcome needs to be set in both or just in the boot.ini file, and then you have to update your share AND your boot media, be that CD, USB or PXE.

Question:“Does it matter what format of installer you use with MDT?”

Answer:The answer is two part: Yes and No. While I’ve yet to see an application that couldn’t be installed silently or be kicked off for an unattended install, MSI files by and large tend to be the easiest to run unattended installs. However this question really does have one “gotcha” and that’s the commandline syntax needed to install the application unattended. Which for MSIs is fairly straightforward. MSI files are very easy to install this way. Not that standalone .exe’s won’t run with some secret “app.exe /silent” or “setup.exe /quiet” command line magic, it may take some research and real luck, but it most likely will require some real trial and error. The best thing about .msi files is that they can be edited with Orca so that they will already have the answers they’d ask predefined, and there is little to no guesswork with MSI files. Now, with that being said, not all .exe’s are created equal. Firefox likes one “magic word” to install silently, Microsoft products prefer another way, and its hard to know offhand what some other vendor will prefer, but don’t fret, it turns out lots of vendors actually hide MSI files in their executables, so try checking the Googles to see if your app is really just an exe bootstrapper for an MSI file. And on another note, if you’re lucky enough to have an installsheild .exe you should be able to generate and use an .iss file. Check for more info on how that works. Also double check my page Application Cheatsheet and for notes on what command line syntax is needed.

Question:“What are the advantages of using the database with MDT? Does it benefit me even if I only have 20 computers in my office?”

Answer:Ask not whether you have the time and resources to use the MDT database, but if you can afford not to use the MDT database. The advantages of using MDT’s database feature are just as beneficial to an office of 20 as they are to an office of 2000. First of all, it allows you to EXPAND on the dynamic capabilities of your customsetting.ini file, and assign special rules to specific devices, but still assign specific settings to specific PCs. For instance, if you wanted to assign specific names to specific hardware, the database would be an ideal way to do that. The fact of the matter is that there is only so much you can do with your customsettings.ini file. Now, you don’t need to be a SQL expert to setup the MDT database, it’s quick, easy, and is effectively a very good way to supplement and complement the customizations you’ve made with your MDT customsettings.ini file. It’s not an issue of whether you’re too small for a MDT database, the issue is whether your needs require expanding on the customizations made in the CS.ini file.


Question:“Why is MDT not installing drivers in my custom image?”

Answer:Remember, log files are your friend. Use CMTrace to check your logfiles, and use separate shares for building images, and for deploying images. There’s specific log files for driver injection. Set driver path variables either in your task sequence or in you customsettings.ini files. Finally, remember to use task sequences to build your image in a VM, simply set capture to true either in the wizard or in your build share’s customsettings.ini file. I can’t recommend any other way to build images. But if you’ve done all of this, check out:

Question:“Does user state migration fix profile issues on a user’s desktop?”

Answer:Yes it should, the User State Migration Toolkit (USMT) is remarkably adept at rebuilding user profiles. The infamous “Corrupt Profile” is in all reality, very rare. Usually the real culprit is registry issues or issues with bad program installs. Remember USMT just captures pointers to data, the profile gets rebuilt at first login. When the user logs into the PC for the first time, the system rebuilds the profile, and just uses the data that was moved. The USMT’s xml files can be tweaked to preserve less or more depending on what you want to copy. If you suspect its copying over information that’s causing issues, tweak it to preserve less data.”

Question:“I’ve been using clonezilla, and I think it rocks, why should I switch?”

Answer:Clonezilla is a joke. Switch to the ONLY Microsoft supported windows deployment solution and you’ll thank me later. Need a better reason? Reduce your image count from 12 to 1. Clonezilla is just a poor man’s version of Ghost, and believe me, its a poor one at that. MDT does so much more AFTER imaging like joining the domain and restoring user data. You want to do that by hand? No, don’t be that guy joining to the domain by hand. Use MDT to join the domain, build your sysprep files, and unattended.xml files as well. Trust me, don’t use Clonezilla. With all the time you’ll save, you’ll be able to do real work.”

Got a question? I LOVE Questions!