Category Archives: Deployment

Drivers Showing as Unsigned in Configuration Manager 2012 R2

A customer has a problem with importing drivers for their Surface Pro 3 devices in System Center Configuration Manager 2012 R2.

We keep noticing some of the drivers are unsigned. I immediately realized something is up as Microsoft releasing unsigned drivers isn’t going to happen. So I started digging and immediately came to KB3025419 which seems to cover my situation. My customer uses Windows 2008 R2 as the Host operating system for the Configuration Manager server and so this KB is relevant. Basically, Microsoft changed the way they signed drivers and now use a different method. This new method is different than what Server 2008 R2 recognizes and thus the change.

It affects Configuration Manager 2007, 2012 and 2012 R2, so you might see this as well down the road once hardware vendors use the new method.

Install the patches and don’t forget to reboot. A reboot is required even if it doesn’t prompt for a reboot. How do I know this? Experience. Our server was patched by a different team but they didn’t reboot. The problem persisted until the reboot.

Another thing you have to do is remove the “unsigned drivers”. This means delete the drivers that are showing unsigned before re-importing the drivers again. Once these two steps were performed we were back in business.

If you are running Windows Server 2008 R2 for your System Center Configuration Manager install, you might just want to install this patch during your next maintenance schedule. As more vendors sign their drivers with the new method, you might start to see issues even if you don’t deploy Surface Pro. Of course, if you are running Windows Server 2012 R2 you have probably never seen this issue and the patches are not required.
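A check you can run on the site server after patching and rebooting, before you re-import: it lists every driver catalog whose signature the host OS cannot validate. This is an added example, not part of the original post; the folder path is a placeholder, and it assumes that what Get-AuthenticodeSignature reports on the server matches what the driver import sees.

```powershell
# Added example: list driver catalogs whose signature this server cannot validate.
# $DriverSource is a placeholder; point it at the folder you import drivers from.
param(
    [string]$DriverSource = 'D:\DriverSource\SurfacePro3'
)

# A driver package is signed through its catalog (.cat) file, so check those.
$catalogs = @(Get-ChildItem -Path $DriverSource -Recurse -Filter *.cat)
if ($catalogs.Count -eq 0) { throw "No .cat files found under $DriverSource" }

$results = foreach ($cat in $catalogs) {
    $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Status  = $sig.Status          # Valid, NotSigned, UnknownError, ...
        Signer  = $signer
        Detail  = $sig.StatusMessage   # the OS's own explanation of the status
        Catalog = $cat.FullName
    }
}

$results | Sort-Object Status | Format-Table Status, Signer, Catalog -AutoSize

# Anything that is not Valid here is a candidate for showing up as unsigned.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} catalogs did not validate on this server." -f $bad.Count, $catalogs.Count)
    $bad | Format-List Catalog, Status, Detail
} else {
    "All {0} catalogs validate on this server." -f $catalogs.Count
}
```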


Problems Deploying Apps with System Center 2012 R2 in an OSD Task Sequence

Onsite at one of my customer’s sites we are deploying operating systems with a Config Manager 2012 R2 task sequence (TS). The issue I was having was the applications were not installing. They were set to deploy in a task sequence without deployment so that wasn’t the issue. Looking at the log (logs are your friend, use them), I discovered this:

Unknown operating system build number 9600 found, setting OSVersion to 'Other'.

Ouch, what does this mean? It means my CM12 deployment has something not right with it. I don’t know what the issue is but I will bring it up with Garth of Enhansoft who is an Enterprise Client Management MVP. He might have an idea on how to fix this.

In the meantime, I just changed the settings so that the software doesn’t have an OS requirement to install it. Basically I can set the package so it only installs on Windows 7 or Windows 8.1. In this case we can’t use that as we don’t know the OS.

Just change the package or app and allow it to be installed on all operating systems and it will deploy fine. Not a great solution for those trying to lock down apps to specific operating systems but it works.

Once I figure out why 9600 is not being recognized, I’ll update the post and we can all fix it.


Upgrading a Windows Server 2003 Domain Controller

Customers seem to be finally getting the message about end of support for Windows Server 2003. Support ends in July (July 14, 2015 actually). So I have been assisting customers in preparing for their upgrade.

In most cases, the Server 2003 box is a 32-bit box so an in-place upgrade path is non-existent. So I have designed steps for a side by each upgrade. The idea here is to bring up a new box on Server 2012, promote it to a domain controller and then demote the old 2003 Server DC.

*Update – One note before you start, you need to be at the Windows 2003 Domain and Forest level.

After installing the domain services role, click in the upper right, then click on Promote this server to a domain controller. 


Next fill in the Deployment Configuration options. As you can see, I have selected Add a domain controller to an existing domain, selected a domain and entered my credentials.




Next I observe the settings, enter in a password for Domain Services Restore Mode (don’t lose this password) and click Next



Click Next 


Observe settings and click Next


Observe settings and click Next



Click Next 



Click Next



After the pre-req checks, click Install


Once this completes, the server will reboot and you’ll have a new Domain Controller running a more modern version of Windows Server.

Next post I’ll cover off demoting the Windows 2003 Server.
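The same promotion can be scripted on the new Server 2012 box. This is an added example, not from the original post: it first confirms the Windows 2003 domain and forest level mentioned in the update note, then runs the wizard's prerequisite checks and the promotion. The domain name is a placeholder, and everything not passed explicitly is left at the cmdlet defaults.

```powershell
# Added example: scripted equivalent of the wizard steps above.
Add-Type -AssemblyName System.DirectoryServices

$domainName = 'corp.example.com'   # placeholder domain name
$cred = Get-Credential             # account allowed to add a domain controller
$dsrm = Read-Host -AsSecureString 'Restore mode password (do not lose it)'

# Read the functional levels over LDAP, which works against Server 2003 DCs.
$ctxArgs = 'Domain', $domainName, $cred.UserName, $cred.GetNetworkCredential().Password
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctxArgs
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
$domainMode = "$($domain.DomainMode)"
$forestMode = "$($domain.Forest.ForestMode)"
"Domain mode: $domainMode   Forest mode: $forestMode"

# Modes below the Windows 2003 level block the promotion.
$tooLow = 'Windows2000MixedDomain', 'Windows2000NativeDomain', 'Windows2003InterimDomain',
          'Windows2000Forest', 'Windows2003InterimForest'
if (($tooLow -contains $domainMode) -or ($tooLow -contains $forestMode)) {
    throw 'Raise the domain and forest functional level to Windows 2003 first.'
}

# Install the domain services role, as in the first wizard step.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$params = @{
    DomainName                    = $domainName
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
}

# Same prerequisite checks the wizard runs before it enables Install.
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Context, Status, Message
if ($check | Where-Object { $_.Status -eq 'Error' }) {
    throw 'Prerequisite check failed; nothing was changed.'
}

# Promotes the server and reboots when finished, as the wizard does.
Install-ADDSDomainController @params -Force
```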



Installing and Updating Adobe Reader

I am working with a customer and assisting them with their application updates. One of the applications needing updating is Adobe Acrobat Reader MUI. This version of Adobe Reader allows it to be displayed in English or French depending on what language the user is using. Reader is also one of those pain in the ass applications that nag the user to update all the time, so getting in front of this one and updating proactively is always a good way to get ahead of the bullshit calls you’ll get to the service desk. The users shouldn’t have to be asked if they want to update. We should be managing that for them and we know if we can update based on testing those patches.

If you already have Adobe Reader installed, just follow the part in regards to the MSP file. But if you don’t have Adobe Reader installed yet, basically it’s a quick install and update. Here is the link to the Adobe ftp site if you need to download the files. When you download the Enterprise build, Adobe includes an admin customization tool, but I just ignore that crap. Seriously, unless there is a good reason to run that junk I don’t use it. In my opinion and in my case, there isn’t a good reason to use it as I don’t deviate from the standard install.



Adobe Reader Directory with install files.

Run msiexec.exe /I AcroRead.msi /q. This will install the base of Adobe Reader. In my case it’s version 11.0.00. Next grab the current MSP file. If you already had Adobe Reader installed, this is your starting step. MSP files are similar to MSI files but contain updates. The command to execute one is msiexec.exe /update AdbeRdrUpd11010_MUI.msp /q. This will install the update, bringing the MUI up to, in my case, 11.0.10.

For those of you using System Center Configuration Manager as I am, there are a couple of ways to ensure the order is maintained. Running them out of order will cause a failure, or at least leave you with the base version of Adobe Reader without the update. Create two packages, one package with source files for the Adobe Reader install (msiexec.exe /I AcroRead.msi /q) and the second package will be the Adobe Reader MSP (msiexec.exe /update AdbeRdrUpd11010_MUI.msp /q). Once you have the packages, you have two ways you can do this.

One way to do this is to roll a task sequence with the Adobe Reader msi install first followed by the Adobe MSP patch in the next step. Advertise that task sequence to your collection and Bob’s your uncle.

The other way is to edit the program properties of the patch and tell it to run another package first. In this case, Adobe Reader will be the package you will select to run first. Save that and then the patch will be the package you advertise to your collections.
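The ordering both options enforce can also be seen in a single wrapper script, shown here as an added example that is not part of the original post. It assumes the script sits in the same folder as AcroRead.msi and AdbeRdrUpd11010_MUI.msp; the log file location is an arbitrary choice.

```powershell
# Added example: install the base MSI, then the MSP, and never patch a failed base.
$source = Split-Path -Parent $MyInvocation.MyCommand.Path
$msi = Join-Path $source 'AcroRead.msi'
$msp = Join-Path $source 'AdbeRdrUpd11010_MUI.msp'
$log = Join-Path $env:TEMP 'AdobeReader'   # log prefix, arbitrary location

function Invoke-Msiexec {
    param([string]$Arguments)
    # -Wait matters: the patch must not start while the base install is running.
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru
    return $p.ExitCode
}

# msiexec exit codes: 0 = success, 3010 = success, reboot required.
$success = 0, 3010

$base = Invoke-Msiexec "/i `"$msi`" /q /l*v `"${log}-base.log`""
if ($success -notcontains $base) {
    Write-Error "Base install failed with exit code $base; patch not attempted."
    exit $base
}

$patch = Invoke-Msiexec "/update `"$msp`" /q /l*v `"${log}-patch.log`""
if ($success -notcontains $patch) {
    Write-Error "Patch failed with exit code $patch; base version is still installed."
    exit $patch
}

# Pass a pending reboot from either step back to the caller.
if (($base -eq 3010) -or ($patch -eq 3010)) { exit 3010 }
exit 0
```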


Program Properties in Configuration Manager 2012 SP1

Here is after the deployment. My machine in English language –


Adobe Reader welcome screen on an English computer.

And then changing my language to French, notice the recycle bin name. –


Adobe Reader welcome screen on a French computer.


Fix a Windows Machine not getting its info from the KMS Server

I’ve noticed over the past little bit that servers were reporting they were not genuine. We have a KMS infrastructure and machines are authenticating against it, yet we are seeing some that are not able to talk any more.

My co-worker and I began troubleshooting it. We jumped on the KMS Server and just checked stuff was on and working. It was; if it wasn’t, all hell would have broken loose.

Next we jumped on the Windows Server being affected. We looked at the product info and it stated no information. I wish we had grabbed a screenshot. If I get another server with this issue, I’ll repost.

Next we jumped to the command prompt and typed

slmgr /ipk YC6KT-GKW9T-YTKYR-T4X34-R7VHC

This key is the KMS key you use when you want Windows to use KMS instead of MAK. This changed the server from not having info to being unlicensed and needing a key. Next we force the server to communicate with the KMS server.

Next we run

slmgr /ato

Once the machine checks in with the KMS server you are good to go. Again, this is with the assumption that your KMS server is up, running properly and has hit the threshold for number of machines needed to start activation.

If you need all the keys for KMS activation, here you are

Pushing out the Windows 8.1 Update

Windows 8.1 Update 1 came out last week. There is a way as a user you can fetch this, but if you are an admin you can push this out. Let me walk you through this. If you are running Windows 8.1 you will need to upgrade if you plan to continue to receive security fixes.

Windows Update
If you are running Windows 8.1, you can use Windows update to install the upgrade from 8.1 to 8.1 U1.

If you are an admin, be aware of an issue with using SSL for WSUS and this new patch.

As an admin, you simply approve the upgrade (and a patch required for the update to happen) and then your machines should start getting updates.

System Center Configuration Manager
If you are an administrator for your corporate network, you can use Software Update Services to deploy the upgrade (once it’s added back in to WSUS again for synching) or you can add the whole Windows CD as an application to SCCM 2012 R2 or any version that supports Windows 8.1 as a client. You will want to invoke setup with /auto:upgrade and make it available to users via the software center.

Happy installing.

Managing Drivers in Task Sequences with System Center Configuration Manager 2012

One of the questions I always get when deploying Windows, whether it be with Microsoft Deployment Toolkit or System Center Configuration Manager, is how do I properly deploy drivers.

Now there is no right or wrong way, but I always steer people away from putting them in one big folder and letting the OS figure out which to use. Have you ever seen a Dell using an HP driver? Been there, so here is a flashback to a past post on how to manage drivers in MDT.

Let’s take a quick look at how to clean this up in System Center Configuration Manager. Basically add your drivers and put them into folders and then add them in as driver packages.

Then when setting up your task sequences, add a section where it evaluates the machine type and if it matches, apply the drivers.

Here is a screen shot of a task sequence in System Center Configuration Manager I did for a customer.

System Center Configuration  Manager SCCM Task Sequence Drivers

What happens here is as the task sequence continues along, it checks to see if the drivers need to be applied based on a WMI query. To get this information use WMIC to pull out the model information.

Further along we install applications that are drivers, but poor ones in that they need to be installed. Again we use a WMI query to only install the application if it matches the make and model of the device we specify.
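To see what such a condition evaluates to before putting it on a step, you can run the query on a reference machine of that model. This is an added example, not from the original post; the model strings in the queries are constructed samples, and Test-WmiCondition is a hypothetical helper name.

```powershell
# Added example: try task sequence WMI conditions on a reference machine.

# Show the exact strings the hardware reports. The quotes make trailing spaces
# visible. Same data as: wmic computersystem get manufacturer,model
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Manufacturer: '{0}'   Model: '{1}'" -f $cs.Manufacturer, $cs.Model

function Test-WmiCondition {
    param(
        [string]$Query,
        [string]$Namespace = 'root\cimv2'
    )
    # A WMI query condition on a step passes when the query returns
    # at least one row, so count the rows.
    $rows = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
    return ($rows.Count -gt 0)
}

# Constructed sample conditions: an exact match, a LIKE match, and a
# make-plus-model match. Replace the strings with what the machine printed above.
$conditions = @(
    'SELECT * FROM Win32_ComputerSystem WHERE Model = "Surface Pro 3"',
    'SELECT * FROM Win32_ComputerSystem WHERE Model LIKE "%Surface Pro 3%"',
    'SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Dell%" AND Model LIKE "%Latitude%"'
)

foreach ($q in $conditions) {
    # True means the step would apply its driver package on this machine.
    "{0,-6} {1}" -f (Test-WmiCondition -Query $q), $q
}
```

An exact match fails if the reported model string carries extra characters, which is why the LIKE form is often the safer condition.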

Planning a Windows 7 Deployment

Last July I left the County of Lennox & Addington and moved to the Upper Canada District School Board. One of the first things I helped with was the Windows 7 Deployment.

This Windows 7 deployment is an 11,000 seat deployment and when I joined, the image was just about finalized. At this point the heavy lifting of planning, and figuring out what is in the environment was completed, but let me help you walk through your planning.

The first thing you need to do is get a sense of what your hardware is. In our environment, we have a tool that was developed to track that information. But you don’t need to reinvent the wheel, Microsoft makes a great FREE tool called MAP, Microsoft Assessment and Planning (MAP) Toolkit. You run this tool against your AD computer and then you get a great report of what is in your environment and what the capability of the computers are.

After running this tool, you should also be using the Application Compatibility Toolkit, another free tool. This application creates an MSI that is run on workstations. I push it out with GPO but you can use any tool you have to push MSIs out. This tool then runs for a predetermined amount of time (you set that) and then it returns what applications are installed and how much they have been used. From that report, it will make a list of what you have running for applications and which ones are supported on Windows 7. It also contains fixes for common applications which won’t work natively with Windows 7. We used this tool to fix AutoCad 7 when it wouldn’t work correctly with Windows 7.

So, those two tools will help you get planning your Windows 7 deployment. Use these two tools, gather your information and plan your deployment. Good planning upfront will prevent a lot of pain in the deployment phase.

In another post, I will cover off the deployment side.

Slow Logins

Just before Christmas holidays, we started receiving calls about sporadic slow logins in our schools. Now slow logins can be a real pain to troubleshoot and somewhat difficult to replicate. We also noticed it was only student logins with the issue. Staff and admin logins were not affected.

We headed to one of the elementary schools and started investigating. I used Wireshark to sniff the port of the computer we were testing with and I used the Sysinternals tools. We were able to replicate a slow login and started using gpupdate /force. If it updated with one specific DC, it would take somewhere in the neighbourhood of 10 minutes to update. It would take 45 seconds against the rest of the domain controllers. I also noticed the workstation was receiving the policy file 2 bytes at a time.

This was odd, so we decided to vMotion the virtual machine which is the DC to a different host. This fixed the issue and the updates were about 45 seconds now. So wanting to know if the problem was a host problem, we moved the virtual machine back to the original host and it still worked keeping our logins at 45 seconds. Not entirely sure what was happening but happy to have fixed the problem, we headed back to the office.

We checked in with Tier 1 support and let them know we solved it, not certain it would be a long term fix and wanted to be made aware of any further calls.

The next day the calls were back. So I used the IT tech’s favourite troubleshooting tool.


I found this KB article. The machines that were affected were for sure Windows XP machines. I can’t remember now if we saw this behaviour on our Windows 7 computers. But at that point, we had just begun our 11,000 seat Windows 7 deployment.

I added the entry I typed up here as a Group Policy preference in the GPO that was applied against the computers being affected.

Registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: BufferPolicyReads
Value: 1

Once this change was made, we updated Group Policy and then headed to a school. It also had the benefit that good gpupdates went from 45 seconds to 15 seconds.

P2V Migration for Software Assurance

On Microsoft Connect in the Solutions Accelerator section, there is a new program to play with. It is the Physical to Virtual (P2V) for Microsoft Deployment Toolkit (MDT). It will automate turning a Windows XP computer into a Windows XP mode virtual machine.