Clean Up Storage Pre Upgrade

Just another group of tasks to add to your arsenal.  We run a Check Readiness step before our upgrades, with a minimum of 20GB Free. We have many clients that do not meet this minimum requirement and fail, and then have to remediate. While we have long term plans to automate much of this, and prevent the Task sequence from ever running on machines that don’t reach these pre-reqs, for now, a Band-Aid.

image

Step Breakdown “Storage Cleanup” Group
Run only if FreeSpace < 20GB
image

This same query is placed on several steps.  If the step that is cleaning up is successful at getting FreeSpace above 20GB, then lets continue on.  Otherwise, the last step that will run if still under 20GB is the restart, to help flush things from the previous steps.

  1. Cleanup User Temp Folders
    image
  2. Cleanup c:\Windows\Temp
    image
  3. Delete user Profiles over X Days inactive
    image

    This requires that the delprof2.exe file from Helge Klein's site. (It is in the download, as I have permission to redistribute it)
    You can change the day to any number you want and run this steps as many times as you want.  My idea was that I would start at a high number, then slowly lower it, 360, 180, 90, 60, 45, 30, 20,15,10,5, and have the wmi query on it, so as soon as it dumped enough old profiles, to get 20GB Free, it could continue on leaving newer profiles.  The script also looks up the top console user, and excludes that from the deletions, so even if the primary user hasn't logged in for awhile (on leave), it won't delete that profile (as long as it's still the top console user, and not some tech's account).  This is a powerful step, be careful with it, as you could accidentally remove a profile you didn't want to. If you have some profiles you don't ever want to delete, you can exclude them by adding an /ed:user in the script (look to Helge's documentation for more info).
  4. Cleanup WinSXS folder
    image
  5. CleanMgr – All Options
    image
    This was borrowed directly from stealthpuppy.  I had written something, but then found this and it was just easier to use this.
  6. Restart Computer
    The restart only happens if there still isn't 20GB Free Space.This will be added to the Task Sequence Module Download HERE.

ConfigMgr Task Sequence Collection

This is my "Clip Show" blog post, but hopefully you still find it useful.

I've been building out a Task Sequence that is just a collection of Task Sequence sections, or handy steps.  I'll use this TS to pull sections from when I create new Task Sequences, and add / modify as I test in "Real" deployment Task Sequences. DOWNLOAD HERE *Note, this is not an actual Deployment TS, it's meant to be imported and then have parts copied into your own TS.  All content, including some not used directly in this TS is included.

I have several sections, also a few handy steps for pause, wait, copying CMTrace local, and so on.  Many of these are borrowed from great community leaders such as Mike Terrill, Jason Sandys, Jörgen Nilsson, Mark Godfrey, and others (Sorry if I missed anyone)

  • Power Settings, CCMEXEC Change & Revert - This section will grab your current power settings, place in variable, set system to high performance, then restore them at the end of your TS.  It also has steps for changing the CCMEXEC service to auto start, instead of delayed, and back.
  • Upgrade Lockscreen - This section will change your lockscreen, designed for the Win10 In place upgrades.
  • User Lockouts - This section will use local group policy to block any users, either via AD Group, or users from local machine
  • AutoLogon - This adds account and keys for auto logon (for testing in lab)
  • Enable Mouse Support - This will enable the mouse cursor in the Windows 10 TS after WinPE steps are complete.
  • Windows 10 Tweaks - Several sub-sections of Customization gathered over the past years, many demo'd @ MMS2017

Power Settings info: https://garytown.com/change-and-restore-power-plan-during-ts

image

CCMExec Sevice to Auto & Back:

 

Upgrade LockScreen & User Lockout : https://garytown.com/change-lock-screen-image-during-upgrade-ts
I’ve made a few modifications since the post about this, moving the cleanup to a scheduled tasks, that will run during the upgrade deleting the Lock Screen images / Keys & cleaning up the Locked Out users, so users can log back in after.  It will also clean up the scheduled tasks.  I’ve left in the steps for you to add after the upgrade to do clean up as well, leaving you many options on how to implement this idea.  Each step has detailed notes in the descriptions.

image

 

AutoLogon: https://garytown.com/configmgr-osd-lab-add-autologon-account
Nothing changed from the blog post, just a reminder, don’t do this in production.
image

 

Enable Mouse Support: https://garytown.com/enable-mouse-support-in-win10-osd-during-state-restore
or Microsoft's Official Post 13 days later: https://blogs.technet.microsoft.com
image

Enable

Reset (Disable)

 

Windows 10 Customizations / Tweaks

SetOSDInfo: https://home.configmgrftw.com/configmgr-osd-information-script/

Most of this section is straight from MMS: https://garytown.com/windows-10-customizations-mms2017-demos
Windows 10 Features, enable or disable some “features” in win10
OEM Info, allows you to set the information that is displayed in “System”
Explorer Tweaks – Covers things that modify things displayed on Desktop or Explorer

image

Group Branding includes changing the Lock Screen, Wall Papers, User Icons, Start Menu
Default Profile are tweaks that apply only at the user level, so these are added to the default profile.

image

Remove Default Apps, either a script to remove everything (That is specified in the script, not actually everything) at once, or a line by line option to be granular.
image

Change Lock Screen & lockout users during Upgrade TS

Update 2017.10.26 - After a twitter convo with @brookspeppin, I added two additional steps for the legal notice.  I had ones to delete them, but Brooks said he had used them as the upgrade message, skipping everything else.  This was something I had considered, but after talking it over with the team, decided against it "No one reads that", but after seeing Brooks' screen capture, I tend to agree that it's worth having in your pocket, so I've added it to the Task Sequence Export that's available to download.  Here is a screen capture and keys needed.

Update: 2017.09.26 - Was able to take advantage of local group policy bypassing the need to talk with your Group Policy Team.  You can do it all in the TS..  Go to bottom to see how..
- Updated info again on 2017.10.13 here (includes updated download): https://garytown.com/configmgr-task-sequence-collection

Original Post: 2017.09.15:
What: Changing the Lock Screen Image to warn end user that the system is performing upgrade, also preventing users from logging on during TS.

Why: So users don’t call upset when they logon to a computer then get rebooted when the TS reaches that point. (For those groups whose users don’t read all of the communications about their machines updating)

How: Downloading Pre-created Images, setting registry keys, and to lock out users, that requires a little help from group policy (1 time setup)

clip_image001[15]

clip_image001[17]
Back story: ProgressUI does not display on computers unless a user is logged on.  If the process starts at it’s deadline, and no one is logged on, it will start running the task sequence with no visible signs until it reboots into setup, and the user sees the Windows 10 Setup screen.  Lets say the TS has started, and it’s in the middle of downloading the content, which can take awhile on a slow link.  User starts to do work (watch cat videos), and then they see a message pop up finally saying "computer will reboot in 60 seconds, you’re welcome", they won’t be so happy, worse yet, they look away for a couple minutes, or are grabbing their coffee to come back and find their computer rebooting to setup.   How can we draw more attention to the fact the computer is doing something.. how about make a bold lock screen image warning the user of the upgrade, or even prevent them from logging on.
Here is a picture, the PC was logged into during the TS, the User has no idea it’s in the setup.exe phase of the TS, going to reboot them in a few minutes.  This is what we’re trying to avoid.
image

Lock Screen is pretty easy, I have a couple steps in the beginning of the TS that downloads the files I need to a local folder, then deletes them at the end.

I have this same process repeated several times, before different large steps.  In my Example, I update the Security Software, which takes 20 minutes, so I have a custom lock screen image saying it’s updating Security Software.

I then repeat the process after the Security software is installed, and change the Image to say “Upgrading Windows OS”, which will be there until it reboots into setup.  At the end, I delete the registry keys allowing the original settings to take over and original lock screen image to return. (If you’re using the registry keys to apply a custom image, just set it back to what it was before, you could easily capture that key into a variable, then set it back at the end, or manually add it if everyone is the same, or have group policy fix it later)

Please modify steps to fit your environment, file names / location are only for example.

  1. Make Temp Folder for OSD Stuff
    1. cmd.exe /c if Not Exist "%programdata%\OSDReqs\" (md %programdata%\OSDReqs)
    2. image
  2. Copy Background Images (From your package with custom backgrounds)
    1. Package Contents: - Download Mine HERE
      image
    2. xcopy OSDImages\*.jpg %programdata%\OSDReqs /Y
    3. image
  3. Update Lock Screen Image Group (Only set to run if no one is logged on)
    1. WMI Query: select * from win32_computersystem where username is NULL
    2. Set Image 1 (Security Apps) – Modify the ImageName to match your needs.
      1. REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization" /V LockScreenImage /T REG_SZ /D C:\ProgramData\OSDReqs\ImageBackGroundRed-DoNotLogonSecurity.jpg /F
        image
    3. Tweak - Delete Legal Notice on Logon (1 of 2) –Optional – Removes the Legal Notice
      1. REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticecaption /f
    4. Tweak - Delete Legal Notice on Logon (2 of 2) –Optional – Removes the Legal Notice
      1. REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticetext /f
    5. Stop Process -Name WinLogon (Forces LockScreen to refresh.)
      1. powershell.exe "if((Get-WmiObject win32_computersystem).username -eq $null) {Stop-Process -Name winlogon -Force -Verbose}"
    6. Wait 5 seconds – Allows time for the Lockscreen to refresh before continuing. – Optional
      1. powershell.exe "Start-Sleep -seconds 5"

As for the locking out of users so they can’t log on, here is how I did that in my lab.

I created a group policy called “Deny Logon Locally” - TechNet

  1. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  2. Set Deny logon Locally to "DenyLogonLocally" (Which is the group we’re going to create in the TS)
    image

During the TS, I create a local group called "DenyLogonLocally" and populate it with all of the users who have logged onto the local computer (Thanks @keithga1) for the powershell code.

  1. Create Local Group DenyLogonLocally
    1. net localgroup DenyLogonLocally /add
    2. Set continue on error (it will error if you already have the group on your machine) – Recommend NOT deleting when done, but leaving for all future upgrades.  I had issues when I deleted it and recreated it, the policy didn’t take on the recreated group even with the same name.
      clip_image001[7]
    3. I had considered having an AD Group of all Domain Users (that were not admin accounts), but then you have one more group to keep manage in AD, so I decided against that. – that’s my greyed out step. - Note, added section at the end to show I had did set this up.
  2. Add Accounts to DenyLogonLocally – This will grab all of the accounts that have logged onto the machine, and populate them into the local group (You can specify accounts you don’t want included)
    1. Code: (Copy and paste it all, it is just one long line of code, thanks Keith) - Change the -notmatch area with your tech accounts

      clip_image001[21]
      Here shows the group after the script has run, both accounts garytown & cmadmin have logged on to this machine, but only garytown has been added.
      clip_image001[9]
  3. Remove Deny Logon Locally Group Membership – placed near the end in your clean up section, and in the roll back section, so if the upgrade fails, it will remove the users from that group, allowing them to log on again
    1. Code:

      clip_image001[23]

Note, do NOT kill the winlogon.exe after the setup.exe phase, bad things happen.. like it stops your TS (No errors thrown).
In the image above, you can see the "Stop Process -Name Winlogon" Step, disable / delete that.
You honestly don't need it after the setup.exe anyway, rest of the TS will be visible to your users.  After you delete the keys and clean up the images, everything will go back to how it was before once the system reboots at the end of the TS.

Hopefully this is helpful for you, not saying it’s the best or only, I’ve seen a lot of people blogging about similar things during an OSD TS, but I haven’t found much for in-place upgrade TS, so I’ve posted this.

NOTE: Sometimes the Lock Screen is buggy not showing the Lock Screen image, I’ve seen this on countless tests, I believe it is a known bug, so hopefully this gets resolved in the future.  In my last test, I changed the Background after the setup stage, but it just stayed a solid color blue, didn’t actually load the background.  This is why it’s great if you can prevent logon until the TS is complete.

I’ve also been considering removing the default “Upgrade Operating System” step with a run command line step and remove the /quiet switch.  If we don’t want users logged on, then having the UI display will assist with getting them to no be logged on, right?  Well, I still have to test this idea, if it pans out, I’ll share.

Updated 9/18 to show adding a domain group to control lock out.

In Active Directory, I created a group "DenyLogonLocallyTemp" and added all of the user accounts that I want to deny access.  This is where nested groups would be best.  Just make sure you don't have any of the tech / admin accounts in any of those groups.

Above shows the Machine after the steps "Add Domain Deny Group to Local" & "Add Accounts to DenyLogonLocally" have both run.  The Domain group was added by the first step, and the individual user by the second.  This is for demo purposes, you can pick one or the other, or both, depending on your scenarios.

Step: net localgroup DenyLogonLocally / add DOMAIN\DenyLogonLocallyTemp

Update 2017.09.26 - Update to use Local Group Policy:
using secedit.exe, we can import an inf file for this policy.  The issue I had run into, secedit uses the SID of the user group, not the display name, and if you make a local account, the SID will be different on each machine, so I need a way to dynamically update the inf file with the correct SID.  So I came up with the idea of having a script that would create the local group, grab the SID, build the inf file from scratch, and use the SID of the newly created group.  Then the script runs secedit with the contents of the inf file. (Thanks to Keith again for the assist on creating the Code).
Replace Create Local Group DenyLogonLocally with a new PowerShell Script Step:

 

Condensed Video of Progress:

Change and Restore Power Plan during TS

Ok, so this is old news. You change your Power Plan to High Performance during your TS to speed up the process.  So maybe you did that for a software upgrade (office, or Win10 Build upgrade), and then your user complained that the power settings were different than how they had configured it.

How about you grab the current power plan, put that in a TS Variable for later, change your power plan to High Performance, then after all your work is done, set the Power Plan back to the original plan using that TS Variable… that sounds good right?

So what does this look like in the TS?  2 Groups, 5 steps (No content required)

image

  1. Group 1 - Power Settings Change (no conditions on Group)
    1. Set TS Var "PowerPlan" to WMI's Active PowerPlan
      Code: powershell.exe -executionpolicy bypass -command "& {$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment; $tsenv.Value('PowerPlan') = (Get-WmiObject -Class win32_powerplan -Namespace root\cimv2\power -Filter {isActive='true'} -EA silentlyContinue).elementname}"
      image
    2. Record Current Plan in SMSTS log (This writes the Current plan into the log file.) – This step is Optional. I just like to have that info in the SMSTS log for troubleshooting.
      Code: powershell.exe -executionpolicy bypass -command "& {$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment; $tsenv.Value('PowerPlan')}" –verbose
      image
    3. Set Power Options - High Performance
      Condition: Task Sequence Variable PowerPlan not equals High performance
      imageCode: PowerCfg.exe /s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
      image
  2. Group 2: Power Settings Restore (only runs if computer originally had something different than High Performance set)
    Conditions: Task Sequence Variable PowerPlan not equals High Performance

    1. Set Power Options - Balanced
      Conditions: Task Sequence Variable PowerPlan equals Balanced
      image
      Code: PowerCfg.exe /s a1841308-3541-4fab-bc81-f71556f20b4a
      image
    2. Set Power Options - Power saver
      Conditions: Task Sequence Variable PowerPlan equals Power saver
      image
      Code: PowerCfg.exe /s a1841308-3541-4fab-bc81-f71556f20b4a
      image

And that’s it.  Now, just like your parents always told you, put things back when you’re done.

To watch this in progress, check out this video.  Here I test starting on each of the 3 power plans, for Power saver & Balanced, you'll see it change to High performance, and back. When starting with High performance, it stays consistent for the entire TS.

Thanks to @PotentEngineer for the info to get me over the hump:
http://www.potentengineer.com/using-powershell-to-set-osd-task-sequence-variables/

ConfigMgr OSD Lab–Add AutoLogon Account

I added a local admin account (Non-Domain) that autologon’s on to the computer after OSD purely to speed up my testing.  This way I don’t have to wait for First Logon, after OSD, it will reboot, then autologon as the account I’ve Created.

Make sure you add the SMSTSPostAction to reboot, so you don’t get that Group Policy Error the first time you try to logon. (As explained by Niall)

I’ve created a Task Sequence Variable at the start of the TS, that allows you to trigger the AutoLogon Group.  Simple Enable or Disable this step to have the Group run.
image

I then have a group which runs all of the commands individually.  You could easily put this into one batch file, I just like to do it this way, self documenting, and requires no content.  The group is set to run if the Task Sequence Variable “AutoLogon” = True

image

I then have 7 “Run Command line” Steps, creating the User and registry keys.

  1. Tweak – AutoLogon - Create Tony Stark Account
    1. net user /add TonyStark CapAmericaSt1nks! /Y
      image
  2. Tweak – AutoLogon - Tony's Password Never Expire
    1. wmic useraccount where "Name='TonyStark'" set PasswordExpires=false
      image
  3. Tweak – AutoLogon - Make Tony Admin
    1. net localgroup Administrators %computername%\TonyStark /add
      image
  4. Tweak - AutoLogon - Key DefaultUserName
    1. REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V DefaultUserName /T REG_SZ /D TonyStark /F
      image
  5. Tweak - AutoLogon - Key DefaultPassword
    1. REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V DefaultPassword /T REG_SZ /D CapAmericaSt1nks! /F
      image
  6. Tweak - AutoLogon - Key AutoAdminLogon
    1. REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V AutoAdminLogon /T REG_SZ /D 1 /F
      image
  7. Tweak - AutoLogon - Key DefaultDomainName
    1. cmd.exe /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V DefaultDomainName  /T REG_SZ /D %COMPUTERNAME% /F
      image
  8. Optional: Add two Steps to remove the Legal Notice Prompt (If you have it in your lab, GPO will probably put it back)
    1. REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticecaption /f
    2. REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v legalnoticetext /f

After TS finishes, it will reboot and start the logon process automatically.  Now you can start your testing.

imageimageimage

You can change this to fit your needs, use a domain account in your Lab, just change the steps, as you won’t need 1-3 to create the account, and change step 7 to the Domain Name (Contoso, ViaMonstra, etc) instead of %computername%

 

Please Note, this is sending the information in Clear Text, and will be available in logs, etc.  Probably fine for your lab, not a good idea for production. Smile  Please don’t say “Hey Boss, don’t worry about it, it’s totally cool, Gary does it!”