EXCHANGE 2013 CU17 AND EXCHANGE 2016 CU6

On June 27, 2017 Microsoft has released its quarterly updates for Exchange 2013 and Exchange 2016. The current version is now at Exchange 2013 CU17 (15.0.1320.4) and Exchange 2016 CU6(15.1.1034.26) . But this time there are some interesting things I’d like to point out.

A couple of days before the release of Exchange 2016 CU6 (15.1.1034.26)
Microsoft blogged about Sent Items Behavior Control and Original Folder Item Recovery. With the Sent Items Behavior Control, a message that’s sent using the Send As or Send on behalf of permission is not only stored in the mailbox of the user that actually sent the message, but a copy is also stored in the delegator mailbox sent items. This was already possible for shared mailboxes, but now it’s also possible for regular mailboxes (like manager/assistant scenarios).

The Original Folder Item Recovery feature is I guess on of the most requested features. In the past (before Exchange 2010) when items were restored after they were deleted, they were restored to their original location. With the Dumpster 2.0 that was introduced with Exchange 2010 this was no longer possible, and items were restored to the deleted items folder. In this case the items had to be moved manually to their original location. With the introduction of the Original Folder Item Recovery the restore of deleted items again takes place in the original folder.

Unfortunately, both Sent Items Behavior Control and Original Folder Item Recovery are only available in Exchange 2016 CU6 (and NOT in Exchange 2013 CU17).

When it comes to security TLS 1.2 is a hot topic. Microsoft is aware of this and working hard towards an Exchange environment that only uses TLS 1.2 (so that TLS 1.1 and TLS 1.0 can be disabled). We are not yet at that stage. Exchange 2016 CU6 does have improved support for TLS 1.2, but Microsoft is not encouraging customers to move to a TLS 1.2 environment only.

.NET Framework and Exchange server continues to be a difficult scenario. This is understandable, Exchange is just a consumer of Windows and .NET so the Exchange Product Group does not have much influence on the .NET (and Windows) Product Group.

Exchange 2016 CU6 does NOT support.NET Framework 4.7 at this moment, and you should NOT install .NET Framework on a server running Exchange 2016. Not before and not after the installation of Exchange 2016 CU6. This is also true for Exchange Server 2013 CU17. More information regarding .NET Framework and Exchange server can be found here: https://blogs.technet.microsoft.com/exchange/2017/06/13/net-framework-4-7-and-exchange-server/.

The .NET Framework 4.6.2 is supported by Exchange 2016 CU3 and higher and Exchange 2013 CU15 and higher. For a complete overview of which scenarios are supported, navigate to the Exchange Server Supportability Matrix on https://technet.microsoft.com/en-us/library/ff728623(v=exchg.150).aspx.

KB articles that describe the fixes, features and information in each release are available as follows:

Version

Build

KB Article

Download

UMLP

Schema Changes

Exchange 2016 CU6

15.1.1034.26

KB4012108

Download

UMLP

Yes

Exchange 2013 CU17

15.0.1320.4

KB4012114

Download

UMLP

No

Source: jaapwesselius

Mobile security is more important than ever!!!

The most used device these days is a mobile phone. Malware/Spyware/Hacking is everywhere, anytime,anywhere See: Update: Lookout re-airing on 60 Minutes

Some latest news about Mobile Security Alerts:

Hundreds of millions of devices potentially affected by first major iOS malware outbreak

Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire

Soo what can you do about it:

Install Security app on your device: So i installed the free version of lookout on my phone.

unnamed

It works great so far: Testing it.

Security Bulletin: iOS “Pegasus” Malware and iOS 9.3.5 Security Update

On Aug. 25, 2016,  Apple announced updates to address security vulnerabilities in iOS version 9.3.4 and earlier. The affected components include the iOS kernel and WebKit.

The vulnerabilities can result in jailbreak, remote code execution, and memory corruption.  Security researchers at Lookout, Inc. have identified a high risk malware application, called “Pegasus”, that uses the vulnerabilities to compromise user devices.

MobileIron recommends that users update to iOS version 9.3.5 or later to obtain the necessary security patches. The security researchers have confirmed that the iOS patches prevent the vulnerabilities from being exploited.

Three vulnerabilities were patched in iOS 9.3.5.  The vulnerabilities are referred to collectively as “Trident”.  The reported CVE identifiers include:

  • CVE-2016-4655: An application may be able to disclose kernel memory.
  • CVE-2016-4656: An application may be able to execute arbitrary code with kernel privileges.
  • CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary code execution.

Detection of Pegasus Jailbreak:

According to the security researchers at Lookout, EMM vendors cannot currently detect the Pegasus jailbreak. At this time, the only known method to detect Pegasus is to use products from Lookout.

Source: http://blaud.com/blog/pegasus-malware-ios-9-3-5-security-update_lookout_mobileiron

Setup MDT 2013 (Update 2) to encrypt Windows 10 devices (Laptops) automaticlly

This  will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:

  • A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.
  • To configure your environment for BitLocker, you will need to do the following:
  1. Configure Active Directory for BitLocker.
  2. Download the various BitLocker scripts and tools.
  3. Configure the rules (CustomSettings.ini) for BitLocker.

Configure Active Directory for BitLocker

To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.

Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.

In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.

figure 2

Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.

Add the BitLocker Drive Encryption Administration Utilities

The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):

  1. On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
  2. On the Before you begin page, click Next.
  3. On the Select installation type page, select Role-based or feature-based installation, and click Next.
  4. On the Select destination server page, select DC01.contoso.com and click Next.
  5. On the Select server roles page, click Next.
  6. On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
    1. BitLocker Drive Encryption Administration Utilities
    2. BitLocker Drive Encryption Tools
    3. BitLocker Recovery Password Viewer
  7. On the Confirm installation selections page, click Install and then click Close.

figure 3

Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.

Create the BitLocker Group Policy

Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.

  1. On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
  2. Assign the name BitLocker Policy to the new Group Policy.
  3. Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:

    Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives

    1. Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
      1. Allow data recovery agent (default)
      2. Save BitLocker recovery information to Active Directory Domain Services (default)
      3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (Do Not Enable This Winking smile)
    2. Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
    3. Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.

      Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services

    4. Enable the Turn on TPM backup to Active Directory Domain Services policy.

(Don’t forget to disable Secure Boot & Enable the secure boot again after deployment is succes vol!!)

Set permissions in Active Directory for BitLocker

In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.

  1. On DC01, start an elevated PowerShell prompt (run as Administrator).
  2. Configure the permissions by running the following command:
    cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
    

figure 4

Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.

Add BIOS configuration tools from Dell, HP, and Lenovo

If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.

Add tools from Dell

The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:

cctk.exe --tpm=on --valsetuppwd=Password1234
Add tools from HP

The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:

BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234

And the sample content of the TPMEnable.REPSET file:

English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available
Add tools from Lenovo

The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:

cscript.exe SetConfig.vbs SecurityChip Active

CustomSettings.ini

[Default]
SkipBitLocker=YES

[LAPTOP]
TaskSequenceID=LAPTOP
MachineObjectOU=OU=Bitlocker,OU=LAPTOPS,OU=Clients,DC=wardvissers,DC=local
BDEKeyLocation=\\mdt01.wardvissers.local\Bitlocker$

Source

Don’t use DHCP Option 60/66/67 when you want to use UEFI & Legacy PXE Boot with MDT

If you want to use EUFI Boot with MDT 2013 Update X.
Don’t use DHCP Option 60/66/67!!!

DC01 = Windows Server 2008 R2 SP1
DC02 = Windows Server 2012
MDT01 = Windows Server 2012 R2

UEFI Client: Dell Laptop E5450
BIOS Client: HyperV Virtual machine with Legacy network adapert

DC1; MDT01 and DHCPServer all in Subnet1.
(IP Helper is set for DHCPServer for DHCP and for DC01 & MDT01 for DHCP and BootP – I checked serveral times if everything is right here)
UEFI Client and BIOS Client in Subnet2.

Situation1 — Using no DHCP Options and WDS running (IP HELPER-ADDRESS):
UEFI Client – Boots perfectly (contacting Server MDT01)
BIOS Client – Boots perfectly (contacting Server MDT01)

Situaion2 — Using no DHCP Options and WDS just running on MDT01:
UEFI Client – Does not boot (no error information is provided)
BIOS Client – Does not boot (no Bootfilename recieved)

Situation3 — Using DHCP Options(Option 66=”IP of MDT01″ Option 67=”\x86\wdsnbp.com”) and WDS just running on MDT01:
UEFI Client – Does not boot (no error information is provided)
BIOS Client – Boots perfectly (contacting Server DP1)

Situation4 — Using DHCP Options(Option 60=”PXEClient” Option 66=”IP of MDT01″ Option 67=”\x86\wdsnbp.com”) and WDS just running on MDT01:
UEFI Client – Boots perfectly (contacting Server DP1)
BIOS Client – Does not boot (taking hours to recieve dhcp options..)

Solution:

On most switches you can configure ip helper-addresses. This is most time al ready configured for the use of DHCP.

Add the IP of the MDT server als ip helper-address:

Example:

interface Vlan100
description GEBRUIKERS VLAN
ip address 192.168.101.254 255.255.254.0 show
ip helper-address 192.168.25.6   (DC01)
ip helper-address 192.168.25.7   (DC02)
ip helper-address 192.168.25.30 (MDT01)
end

MDT 2013 Update 2 (6.3.8330) Released

The Microsoft Deployment Toolkit (MDT) 2013 Update 2 (6.3.8330) is now available on the Microsoft Download Center. This update requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, available on the Microsoft Hardware Dev Center. (Note that there are known issues with the v1511 release of the Windows 10 ADK and System Center Configuration Manager; these issues do not directly affect MDT although may still impact ZTI or UDI scenarios.)

MDT 2013 Update 2 is primarily a quality release; there are no new major features. The following is a summary of the significant changes in this update:

  • Security- and cryptographic-related improvements:
    • Relaxed permissions on newly created deployment shares (still secure by default, but now also functional by default)
    • Creating deployment shares via Windows PowerShell adds same default permissions
    • Updated hash algorithm usage from SHA1 to SHA256
  • Includes the latest Configuration Manager task sequence binaries
  • Enhanced user experience for Windows 10 in-place upgrade task sequence
  • Enhanced split WIM functionality
  • Fixed OSDJoinAccount account usage in UDI scenario
  • Fixed issues with installation of Windows 10 language packs
  • Various accessibility improvements
  • Monitoring correctly displays progress for all scenarios including upgrade
  • Improvements to smsts.log verbosity

There are no other new release notes or significant known issues. See the previous post for more information as much of it is still applicable (other than the fix list above).

See the following post on How to get help with MDT.

Frequently Asked Questions

In anticipation of some questions that you may have about this release (or MDT in general):

Q: Should I expect a release of MDT with every new Windows 10 and/or Configuration Manager build release?

No. We shipped multiple MDT releases this year due to the timing of Windows 10 and Configuration Manager releases, but do not intend to keep that same cadence going forward.

Q: What branches of Windows 10 does MDT support?

MDT supports both the current branch of Windows 10 as well as the long-term servicing branch.

Q: What branches of System Center Configuration Manager does MDT support?

For ZTI and UDI scenarios MDT 2013 Update 2 supports the current branch of System Center Configuration Manager (currently version 1511) for an integrated solution for deploying Windows 10 current branch as well as prior Windows versions.

Q: When is the next planned release of MDT?

We do not currently have a timeframe. We will release any tactical changes as needed which may be required to support new builds of Windows 10 or Configuration Manager, but do not currently expect this to be needed.

Q: Is this the last release of MDT?

No, we will continue to iterate and invest in the product.

Q: Why is it still “MDT 2013” when the year is almost 2016?

Two primary reasons. First, we have only made minor changes to MDT which in our opinion does not constitute a major version revision. Second, per the MDT support lifecycle, a new major version will drop support for MDT2012 Update 1 which still supports legacy platforms.

Source

Cumulative Update 11 for Exchange Server 2013

Cumulative Update 11 for Microsoft Exchange Server 2013 was released on December 15, 2015. Several nonsecurity issues are fixed in this cumulative update or a later cumulative update for Exchange Server 2013.

This cumulative update fixes the issues that are described in the following Microsoft Knowledge Base articles:

This update also includes new daylight saving time (DST) updates for Exchange Server 2013. For more information about DST, go to Daylight Saving Time Help and Support Center.

 

Download Cumulative Update 11 for Exchange Server 2013 (KB3099522) now.

Windows 10 ADK update build 10586

The latest Windows 10 ADK update, build 10586, was silently released a few days ago (Thanks deploymentresearch for the download link). In this post you learn about what’s changed.

Download link: http://download.microsoft.com/download/3/8/B/38BBCA6A-ADC9-4245-BCD8-DAA136F63C8B/adk/adksetup.exe

Warning: Do NOT upgrade your ConfigMgr 2012 R2 SP1 or MDT 2013 Update 1 environments to this build yet. For ConfigMgr, even though it seems to fix the x64 UEFI / PXE and Powershell/.NET issue, which is great, the new ADK does break Computer Refresh scenarios (Bare metal works). The error code is 0x80220014. Research and discussions with the product teams in progress… MDT 2013 Update 1 yet to be validated, but error comments on twitter does not give me a warm and fuzzy feeling.

4fbe7042-d2fd-416e-a7b3-d3458a49aeec

MDT 2013 Update 1 re-released (build 8298)

MDT Team have released a newer build (8298) to address many of these issues. The Download Center is updated with the new build and is still considered MDT 2013 Update 1. Build 8290 is no longer available, no longer supported, and superseded by build 8298.

NOTE: it can take time for the files to fully propagate through the live downloads cluster, and to be refreshed on the Akamai caches. Please ensure the build version under Details is 8298. I have seen the updated page on a non-internal system; it’s there, just be patient. Use the time to review the release notes below!

The following issues are fixed in build 8298
  • Multiple drive partitioning issues are addressed by significant revisions to the Format and Partition Disk step (see release note below), including:
    • Upgrading to MDT 2013 Update 1 does not work for UEFI systems
    • An extra unneeded partition is created on both UEFI and BIOS systems
    • You cannot specify a custom partition layout containing a “Recovery”-type partition needed for UEFI systems
    • LTIApply error, “There is not enough space on the disk”
    • WINRE_DRIVE_SIZE from ZTIDiskpart.wsf is Too Small
  • Multiple issues related to XML processing:
    • Application bundles returning error 87
    • Selecting a keyboard locale in the Deployment Wizard
    • Deployments failing due to Unattend.xml errors
    • ZTIPatches returning error “Object required (424)”
    • Cleanup after image capture doesn’t remove LTIBootstrap entry
  • Several issues with the Windows 10 in-place upgrade task sequence including:
    • The upgrade process ends with warnings “Unable to create WebService class”
    • The upgrade task sequence is available from Windows PE
    • After upgrade a System_License_Violation blue screen appears
  • Applications that use a command file start using System32 as the working directory
  • Spanned images cannot be applied

Below are the revised release notes and list of known issues. These inclusive lists supersede the previously published lists. New entries are marked with an asterisk (*).

Release Notes

TechNet documentation is not updated

The MDT product documentation published on TechNet is current as of MDT 2013; it has not yet been updated for MDT 2013 Update 1.

Do not upgrade from Preview to RTM

MDT 2013 Update 1 Preview should be uninstalled before installing the final MDT 2013 Update 1. Do not attempt to upgrade a preview installation or deployment share. Although the product documentation is not updated for MDT 2013 Update 1, the information on upgrading an installation still holds true.

Windows System Image Manager will fail to validate MDT Unattend.xml templates

The Windows System Image Manager (WSIM, a component of the Windows ADK used to create and modify unattended installation answer files) does not allow blank values which exist in the default MDT Unattend.xml templates. When using WSIM option, Validate Answer File, it will return validation errors, such as “The ‘HorizontalResolution’ element is invalid – The value ” is invalid according to its datatype ‘HorizontalResolutionType’ – The string ” is not a valid UInt32 value.”

MDT removes blank values before injecting the file during deployment, so Windows always receives a valid XML answer file.

Integrating with System Center Configuration Manager

When integrating MDT with Configuration Manager, follow the version of the Windows ADK. MDT 2013 Update 1 only works with the Windows 10 ADK, so make sure it is used with a version of Configuration Manager that supports and also uses the Windows 10 ADK.

Image files larger than 4 GB are not split by default

Split image (.SWM) support is now off by default. It must be enabled by modifying %DeployRoot%\Control\Settings.xml with the following:

<SkipWimSplit>False</SkipWimSplit>

Using HideShell with Windows 10

The behavior of the HideShell option changed with Windows 10. Michael Niehaus explains this in great detail on his blog.

Changes to the Format and Partition Disk step *

The Format and Partition Disk step in the task sequence is now more closely aligned with the similar step in Configuration Manager; it will explicitly show all of the partitions that are created when the task sequence runs.

  • Backwards compatibility remains when using a task sequence that was created in a prior version of MDT. You should expect the same behavior as previously.
  • The DoNotCreateExtraPartition variable is deprecated. It should not be used with new task sequences (as the partitions are explicitly created by the task sequence step).
Changes to permissions of new deployment shares *

New deployment shares will now be created with more restrictive permissions. You should review these permissions and adjust accordingly for your access requirements.

Upgraded deployment shares are not modified, but the former default permissions are overly permissive. You should review the permissions on the share and directory and adjust accordingly for your environment.

MDT Known Issues

Static IP not restored when using media deployment

When doing a media deployment and using a static IP the static IP does not get restored.

Workarounds:

  • Modify Litetouch.wsf to enable MEDIA deployments (Keith Garner explains in this forum post)
    or
  • Add an extra Apply Network Settings action (alternative suggested by Johan Arwidmark on his blog)
Static IP not set in Network Adapter Configuration Wizard

When initializing a deployment in Windows PE and clicking Configure Static IP Address, if you uncheck Enable DHCP and enter static IP information, the following Network Settings Error will display:

WMI Function: Adapter.EnableStatic(IPAddress,SubnetMask) FAILURE: -2147467259

This warning may also be seen in the results screen and log files during a deployment.

Workaround: a static IP can be manually set from Windows PE using netsh, but otherwise there are no workarounds at this time.

UDI wizard does not handle the domain join account user name *

When using the OSDJoinAccount variable in CustomSettings.ini for a UDI task sequence, the wizard cannot be completed because the domain join account user name is encoded. The New Computer Details page will display an error, “User name format is invalid. Example is domain\user.”

Workarounds:

  • Specify the OSDJoinAccount variable in the task sequence before the UDI wizard starts.
  • Alternatively, require the user to manually specify credentials in the UDI wizard.
Unable to browse for user data path *

In the LTI Deployment Wizard, on the User Data page, when selecting the Browse button, the Browse for Folder window does not display anything for selecting a path.

Workarounds:

  • Manually enter the path (do not browse).
  • Set the UserDataLocation variable in CustomSettings.ini.
The ZTIWinRE.wsf script and PrepareWinRE variable do not function properly *

If you specify PrepareWinRE=YES in CustomSettings.ini, Windows RE does not get enabled because the commandline is malformed.

The ZTIWinRE.wsf script is deprecated and should not be used.

Windows 10 language packs may not install *

We are still investigating an issue where Windows 10 language packs may not install during LTI.

Issues after successful Windows 10 in-place upgrade *

Following a successful upgrade to Windows 10:

  • Monitoring will continue to show the task sequence in progress until a user logs on.
  • A low rights user may receive an error at logon. This is a non-fatal error; the MDT script requires administrator elevation in order to display the final summary screen. Avoid this by using the variable, SkipFinalSummary.

Windows 10 Known Issues

The following are issues that are known to the MDT product team when doing Windows 10 deployments.

Issues with CopyProfile *

We are aware of reports of issues regarding the CopyProfile property in Unattend.xml. We have not been able to reproduce this issue, and are working with the Windows team to investigate further. If you have a reproducible issue with CopyProfile, please open a case with Microsoft Support to troubleshoot.

USMT LoadState fails on Windows 7 *

Using MDT 2013 Update 1 to deploy Windows 7 to an existing machine (refresh scenario), and using USMT 10 to capture and restore the user data will result in an error (“DismApi.DLL is missing”) while restoring the user state on Windows 7. This is a known issue with loadstate; see https://support.microsoft.com/kb/3084782 for more information.

MDAC component fails being added to Windows PE

This is a known bug with DISM; it is external to MDT. DISM can sometimes fail to add the MDAC component to WinPE boot images. This seems to be a timing issue which most commonly occur when you are using SSD disks.

Workarounds:

  • Remove MDAC. On the deployment share properties, Windows PE tab, Features subtab, uncheck Microsoft Data Access Components (MDAC/ADO) support.
  • If you need MDAC for database connectivity, you can try updating your boot images from a system where the %TMP% directory is located on a non-SSD drive. This is not a guaranteed workaround, but has been seen to work

NOTE: we are also aware of reports of issues regarding the WMI component in Windows PE. We have not been able to reproduce this issue, and are working with the Windows team to investigate further. If you have a reproducible issue with Windows PE optional components, please open a case with Microsoft Support to troubleshoot.

Issues with Windows PowerShell in Windows PE

Windows PowerShell cmdlets in Windows PE may not function as expected. We are investigating this issue with the Windows team. If you have a reproducible issue with Windows PE optional components, please open a case with Microsoft Support to troubleshoot.

MDT 2013 Update 1 Release Notes and Known Issues

This post is to serve as the release notes and known issues list for the current release of MDT 2013 Update 1 (v6.3.8290). Source: http://blogs.technet.com/b/msdeployment/archive/2015/08/25/mdt-2013-update-1-release-notes-and-known-issues.aspx

The list of known issues below provides a number of workarounds that are currently available to help unblock affected customers. We will revise the list as needed. Given the number of issues with this build we will release a newer build of MDT 2013 Update 1 in the next several weeks to address as many of these issues as we can. Watch this blog for more information.

Release Notes

TechNet documentation is not updated

The MDT product documentation published on TechNet is current as of MDT 2013; it has not yet been updated for MDT 2013 Update 1.

Do not upgrade from Preview to RTM

MDT 2013 Update 1 Preview should be uninstalled before installing the final MDT 2013 Update 1. Do not attempt to upgrade a preview installation or deployment share. Although the product documentation is not updated for MDT 2013 Update 1, the information on upgrading an installation still holds true.

Windows System Image Manager will fail to validate MDT Unattend.xml templates

The Windows System Image Manager (WSIM, a component of the Windows ADK used to create and modify unattended installation answer files) does not allow blank values which exist in the default MDT Unattend.xml templates. MDT removes blank values before injecting the file during deployment, so Windows always receives a valid XML answer file.

Integrating with System Center Configuration Manager

When integrating MDT with Configuration Manager, follow the version of the Windows ADK. MDT 2013 Update 1 only works with the Windows 10 ADK, so make sure it is used with a version of Configuration Manager that supports and also uses the Windows 10 ADK.

Image files larger than 4 GB are not split by default

Split image (.SWM) support is now off by default. It must be enabled by modifying %DeployRoot%\Control\Settings.xml with the following:

<SkipWimSplit>False</SkipWimSplit>

Using HideShell with Windows 10

The behavior of the HideShell option changed with Windows 10. Michael Niehaus explains this in great detail on his blog.

Known Issues

Disk partitioning issues

Symptoms:

  • Recovery partition consumes the majority of the disk on BIOS systems
    • LTIApply fails with DISM error 112, There is not enough space on the disk.
  • Recovery partition is unnecessarily visible on both UEFI and BIOS systems
  • You can’t specify a custom partition layout containing a recovery partition for UEFI systems

Workarounds: Keith Garner provides some suggestions on his blog: uberbug06 and uberbug07.

Static IP not restored when using media deployment

When doing a media deployment and using a static IP the static IP does not get restored.

Workarounds:

  • Modify Litetouch.wsf to enable MEDIA deployments (Keith Garner explains in this forum post)
    or
  • Add an extra Apply Network Settings action (alternative suggested by Johan Arwidmark on his blog)
Static IP not set in Network Adapter Configuration Wizard

When initializing a deployment in Windows PE and clicking Configure Static IP Address, if you uncheck Enable DHCP and enter static IP information, the following Network Settings Error will display:

WMI Function: Adapter.EnableStatic(IPAddress,SubnetMask) FAILURE: -2147467259

This warning may also be seen in the results screen and log files during a deployment.

Workaround: a static IP can be manually set from Windows PE using netsh, but otherwise there are no workarounds at this time.

Monitoring does not work after Windows 10 upgrade

After successfully upgrading a system to Windows 10 the MDT monitoring fails to report information. You will see the following warnings:

Unable to create WebService class

Workaround: None.

MDAC component fails being added to Windows PE

This is a known bug with DISM; it is external to MDT. DISM can sometimes fail to add the MDAC component to WinPE boot images. This seems to be a timing issue which most commonly occur when you are using SSD disks.

Workarounds:

  • Remove MDAC. On the deployment share properties, Windows PE tab, Features subtab, uncheck Microsoft Data Access Components (MDAC/ADO) support.
  • If you need MDAC for database connectivity, you can try updating your boot images from a system where the %TMP% directory is located on a non-SSD drive. This is not a guaranteed workaround, but has been seen to work.

NOTE: we are also aware of reports of similar issues regarding Windows PowerShell and WMI components in Windows PE (as well as some functional issues with these components). We have not been able to reproduce these issues, and are working with the Windows team to investigate further. If you have a reproducible issue with these components in Windows PE, please open a case with Microsoft Support to troubleshoot.

Upgrade task sequences are displayed when not applicable

Windows 10 upgrade task sequences are available when starting a deployment from Windows PE or on a non-matching architecture, however the in-place upgrade scenario is only supported when started from the full OS (it cannot be started from Windows PE) and from the correct architecture.

Workaround: Modify your upgrade task sequence properties to exclude client platforms that are not applicable. On the task sequence properties, General tab, select This can run only on the specified client platforms and then choose platforms that you want to target, for example, All x86 Windows 7 Client. This example will exclude Windows PE and Windows 7 x64 systems.

Applications with a command file (.cmd) use a Windows system working directory

If you have an application that uses a command file (.cmd) as the installation command line it will be launched from C:\Windows\System32 instead of the application’s working directory.

Workaround: See the associated bug on Connect for sample edits to ZTIApplications.wsf.

Application bundles successfully install but log an error

Application bundles will successfully install but the following warning is logged in ZTIApplications.log:

SelectSingleNodeString(CommandLine) Missing Node.

as well as the following error:

Application <app bundle name> returned an unexpected return code: 87

Workaround: See the associated bug on Connect for sample edits to ZTIApplications.wsf.

Deployment Wizard error for Keyboard Locale

Changing the keyboard locale in the Deployment Wizard will result in a script error:

Type mismatch: 'SetNewKeyboardLayout'

This error is non-fatal. Click Yes and continue.

Workarounds:

  • Specify the keyboard locale in CustomSettings.ini and hide this wizard page.
  • Edit %DeployRoot%\Scripts\DeployWiz_LanguageUI.xml to remove onchange="SetNewKeyboardLayout" from line 62.
ZTI: Offline installation of language packs or software updates fails

Using the “Install Language Packs Offline” or “Install Updates Offline” step in an MDT-integrated task sequence in Configuration Manager results in the language packs or updates not injected, and the following errors in the ZTIPatches.log:

ZTI ERROR - Unhandled error returned by ZTIPatches: Object required (424)

This error is only seen in logs, the deployment appears to be successful otherwise.

Workaround: apply updates and language packs online

Split image files do not apply

If you split a large image file to create .SWM file(s), then applying this split image file will fail.

Workaround: edit %DeployRoot%\Scripts\LTIApply.wsf, both lines 915 and 918, to add a colon and remove a space, for example on line 915 change:

sCmd = sCmd & " /SWMFile """ & sRWMPath & """"
to
sCmd = sCmd & " /SWMFile:""" & sRWMPath & """"

Do the same on line 918.

Deployment fails due to unattend.xml errors during oobeSystem

If you have edited unattend.xml and then start a deployment with the wizard page for administrator password enabled, or specified AdminPassword in CustomSettings.ini, the deployment will fail during Windows OOBE:

Windows could not parse or process Unattend answer file [C:\Windows\Panther\unattend.xml\ for pass [oobeSystem]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows=Shell-Setup].

Workaround: edit %DeployoRoot%\Scripts\ZTIConfigure.wsf lines 343 and 344 to append unattend: before PlainText. For example, on line 344 change:

oCurrent.parentNode.selectSingleNode("PlainText").text = "true"
to
oCurrent.parentNode.selectSingleNode("unattend:PlainText").text = "true"

Do the same on line 343.

ZTI: LTIBootstrap.vbs script not found

Towards the end of a MDT-integrated task sequence deployment in Configuration Manager a Windows Script Host popup will appear with a message similar to the following:

Can not find script file "C:\LTIBootstrap.vbs".

(The drive letter may be different depending upon the specific scenario.)

Workaround: Script changes are possible but difficult and challenging. Johan Arwidmark provides an option on his blog (see Issue #2).

LTI: Cleanup is not complete after image capture

After capturing an image and rebooting back to the drive, autologon is still configured and an error will appear about LTIBootstrap is not found. This is a minor, non-fatal error that does not affect the captured image.

Workaround: Script changes are possible but difficult and challenging, especially given the minor severity of the issue.

DISM returns error 87 when applying image

A deployment fails with the following error from DISM:

Error: 87 (The parameter is incorrect)

With further detail in the dism.log:

Failed to get the filename extension of the image file

Workarounds: This is seen when the server name is only two characters, for example DC, such that the /ImageFile parameter is similar to the following:

"\\dc\DeploymentShare$\Operating Systems\Windows 10 Enterprise x64\sources\install.wim"

Use a deployment share on a server whose name is three or more characters.

If you must use a server with a two-character name, specify its fully qualified domain name in bootstrap.ini, for example

DeployRoot=\\DC.contoso.com\DeploymentShare$