A virtual machine running Windows Server 2022 with KB5022842 (Feb 2023) installed and configured with Secure Boot enabled will not boot on vSphere 7 unless the host is updated to 7.0u3k (vSphere 8 is not affected).
In the VM's vmware.log, there is an 'Image DENIED' entry like the following:
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.
To identify the location of vmware.log files:
Establish an SSH session to your host. For ESXi hosts
Log in to the ESXi Host CLI using root account.
To list the locations of the configuration files for the virtual machines registered on the host, run the below command:
# vim-cmd vmsvc/getallvms | grep -i "VM_Name"
The vmware.log file is located in the virtual machine folder along with the .vmx file.
Record the location of the .vmx configuration file for the virtual machine you are troubleshooting. For example:
If you already face the issue, after patching the host to ESXi 7.0 Update 3k, just power on the affected Windows Server 2022 VMs. After you patch a host to ESXi 7.0 Update 3k, you can migrate a running Windows Server 2022 VM from a host of version earlier than ESXi 7.0 Update 3k, install KB5022842, and the VM boots properly without any additional steps required.
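The triage steps above, as an added example that is not part of the original post or any VMware tooling: a POSIX shell helper that maps the File column printed by vim-cmd vmsvc/getallvms to the VM's vmware.log and classifies each Secure Boot denial from the db/dbx counters. The reason labels, the /vmfs/volumes/<datastore>/ path mapping and the function names are assumptions of this example, and the sample log is constructed from the lines quoted above.

```sh
#!/bin/sh
# Added example: triage Secure Boot denials in a VM's vmware.log.

# vmx_to_logpath "[datastore] dir/vm.vmx"
# Maps a getallvms File entry to the vmware.log next to the .vmx file.
# Assumes the datastore is mounted under /vmfs/volumes/<datastore name>/.
vmx_to_logpath() {
    printf '%s\n' "$1" |
        sed -n 's|^\[\([^]]*\)] \(.*\)/[^/]*\.vmx$|/vmfs/volumes/\1/\2/vmware.log|p'
}

# secureboot_denials LOGFILE
# Prints one line per "Image DENIED" entry with the counters that preceded it.
# Reason labels (this example's reading of the counters):
#   revoked                a signature or hash matched dbx (forbidden database)
#   unrecognized-signature nothing matched db and a signature was unrecognized
#   unsupported-alg        only unsupported algorithms were seen
secureboot_denials() {
    awk '
    function num(s) { return s + 0 }      # "1 unrecognized" -> 1
    /SECUREBOOT: Signature:/ {
        s = $0; sub(/^.*Signature: /, "", s)
        split(s, f, /, */)
        sdb = num(f[1]); sdbx = num(f[2]); unrec = num(f[3]); unsup = num(f[4])
        hdb = 0; hdbx = 0
        next
    }
    / Hash: [0-9]+ in db/ {
        s = $0; sub(/^.*Hash: /, "", s)
        split(s, f, /, */)
        hdb = num(f[1]); hdbx = num(f[2])
        next
    }
    /SECUREBOOT: Image DENIED/ {
        if (sdbx > 0 || hdbx > 0)
            reason = "revoked"
        else if (unrec > 0 && sdb == 0 && hdb == 0)
            reason = "unrecognized-signature"
        else if (unsup > 0)
            reason = "unsupported-alg"
        else
            reason = "other"
        printf "%s sig_db=%d sig_dbx=%d unrecognized=%d unsupported=%d hash_db=%d hash_dbx=%d reason=%s\n", \
            $1, sdb, sdbx, unrec, unsup, hdb, hdbx, reason
        sdb = sdbx = unrec = unsup = hdb = hdbx = 0
    }
    ' "$1"
}

# has_unrecognized_denial LOGFILE
# Exit status 0 when the log holds a denial with the counters shown in the post
# (0 in db, 0 in dbx, at least 1 unrecognized).
has_unrecognized_denial() {
    secureboot_denials "$1" | grep -q 'reason=unrecognized-signature$'
}

# Constructed sample: the three lines quoted in the post, one unrelated line,
# and a made-up dbx hit to exercise the second label.
sample_log() {
    cat <<'EOF'
2023-02-15T05:34:30.100Z In(05) vcpu-0 - constructed unrelated line
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx.
2023-02-15T05:34:31.379Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.
2023-02-15T05:40:02.000Z In(05) vcpu-0 - SECUREBOOT: Signature: 0 in db, 1 in dbx, 0 unrecognized, 0 unsupported alg.
2023-02-15T05:40:02.000Z In(05) vcpu-0 - Hash: 0 in db, 0 in dbx.
2023-02-15T05:40:02.000Z In(05) vcpu-0 - SECUREBOOT: Image DENIED.
EOF
}

# Demo on the constructed sample; on a host, pass the path from vmx_to_logpath.
demo_log=$(mktemp) && sample_log > "$demo_log"
secureboot_denials "$demo_log"
has_unrecognized_denial "$demo_log" && echo "unrecognized-signature denial present"
rm -f "$demo_log"
```

A match on the unrecognized-signature label only shows that the log has the same counters as the excerpt above; the host build still has to be checked against 7.0u3k.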
VMware vSphere PowerCLI 11.0 adds features to support the latest updates and releases of VMware products. The new features are listed below:
New Security module
vSphere 6.7 Update 1
NSX-T 2.3
Horizon View 7.6
vCloud Director 9.5
Host Profiles – new cmdlets for interacting with
New Storage Module updates
NSX-T in VMware Cloud on AWS
Cloud module multiplatform support
Get-ErrorReport cmdlet has been updated
PCloud module has been removed
HA module has been removed
We will now go through the new features listed above to see what functionality they bring to PowerCLI 11.0.
What is PowerCLI 11.0 New Security Module
The new security module brings more powerful automation features to PowerCLI 11.0. The new cmdlets include the following:
Get-SecurityInfo
Get-VTpm
Get-VTpmCertificate
Get-VTpmCSR
New-VTpm
Remove-VTpm
Set-VTpm
Unlock-VM
The New-VM cmdlet also gains functionality from the security module, including parameters such as KmsCluster, StoragePolicy, and SkipHardDisks, which can be used when creating new virtual machines with PowerCLI. In addition, Set-VM, Set-VMHost, Set-HardDisk, and New-HardDisk cmdlets are added.
Host Profile Additions
There are a few additions to the VMware.VimAutomation.Core module for managing host profiles from PowerCLI:
Get-VMHostProfileUserConfiguration
Set-VMHostProfileUserConfiguration
Get-VMHostProfileStorageDeviceConfiguration
Set-VMHostProfileStorageDeviceConfiguration
Get-VMHostProfileImageCacheConfiguration
Set-VMHostProfileImageCacheConfiguration
Get-VMHostProfileVmPortGroupConfiguration
Set-VMHostProfileVmPortGroupConfiguration
Storage Module Updates
These Storage Module updates are specific to VMware vSAN. Get-VsanStat now has predefined time ranges. In addition, Get-VsanDisk returns new properties, including capacity, used percentage, and reserved percentage. The following cmdlets have been added to automate vSAN:
Get-VsanObject
Get-VsanComponent
Get-VsanEvacuationPlan – provides information regarding bringing a host into maintenance mode and the impact of the operation on the data, movement, etc
The Microsoft Deployment Toolkit (MDT), build 8450, is now available on the Microsoft Download Center. This update supports the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1709, available on the Microsoft Hardware Dev Center (adksetup.exe file version 10.1.16299.15).
Here is a summary of the significant changes in this build of MDT:
Supported configuration updates
Windows ADK for Windows 10, version 1709
Windows 10, version 1709
Configuration Manager, version 1710
Quality updates (titles of bug fixes)
Win10 Sideloaded App dependencies and license not installed
CaptureOnly task sequence doesn’t allow capturing an image
Error received when starting an MDT task sequence: Invalid DeploymentType value “” specified. The deployment will not proceed
ZTIMoveStateStore looks for the state store folder in the wrong location causing it to fail to move it
xml contains a simple typo that caused undesirable behavior
Install Roles & Features doesn’t work for Windows Server 2016 IIS Management Console feature
Browsing for OS images in the upgrade task sequence does not work when using folders
MDT tool improperly provisions the TPM into a Reduced Functionality State (see KB 4018657 for more information)
Updates to ZTIGather chassis type detection logic
Upgrade OS step leaves behind SetupComplete.cmd, breaking future deployments
Includes updated Configuration Manager task sequence binaries
Many new items have been introduced, such as HTML5 video redirection support for the Chrome browser and the ability to configure Windows Start menu shortcuts for desktop and application pools using the Horizon Administrator console. As always, you can count on increased operating system support for virtual desktops and clients.
Here is an overview of the new features:
VMware Horizon 7.3 Server Enhancements
Horizon Help Desk Tool
Displays application process resources with reset control
Role-based access control for help desk staff
Activity logging for help desk staff
Displays Horizon Client information
Granular logon time metrics
Blast Extreme display protocol metrics
Instant Clone Technology
Instant-clone desktops can now use dedicated assignment to preserve the hostname, IP address and MAC address of a user’s desktop
Windows Server OS is now supported for desktop use
Instant clones are now compatible with Storage DRS (sDRS)
If there are no internal VMs in all four internal folders created in vSphere Web Client, these folders are unprotected, and you can delete them
IcUnprotect.cmd utility can now unprotect or delete template, replica or parent VMs or folders from vSphere hosts
Windows Start Menu Shortcuts Created Using the Admin Console
Create shortcuts to Horizon 7 resources:
Published applications
Desktops
Global entitlements
Cloud Pod Architecture Scale
Total session limit is increased to 140,000
The site limit is now seven
VMware Horizon Apps
This update makes Horizon Apps easier to use and allows the administrator to restrict entitlements
Restrict access to desktop and application pools from specific client machines
Resiliency for Monitoring
If the event database shuts down, Horizon administrator maintains an audit trail of the events that occur before and after the event database shutdown
Database Support
Always-On Availability Groups feature for Microsoft SQL Server 2014
ADMX Templates
Additional GPO settings for ThinPrint printer filtering, HTML5 redirection and enforcement of desktop wallpaper settings
Remote Experience
Horizon Virtualization Pack for Skype for Business
Multiparty audio and video conferencing
Horizon 7 RDSH support
Windows Server 2008 R2
Windows Server 2012 R2
Forward Error Correction (FEC)
Quality of Experience (QOE) metrics
Customized ringtones
Call park and pickup
E911 (Enhanced 911) support, to allow the location of the mobile caller to be known to the call receiver
USB desktop-tethering support
Horizon Client for Linux support for the following Linux distributions:
Ubuntu 12.04 (32-bit)
Ubuntu 14.04 (32 & 64-bit)
Ubuntu 16.04 (64-bit)
RHEL 6.9/CentOS 6.x (64-bit)
RHEL 7.3 (64-bit)
SLED12 SP2 (64-bit)
Additional NVIDIA GRID vGPU Support
Support for the Tesla P40 graphics card from NVIDIA
HTML5 Video Redirection
View HTML 5 video from a Chrome browser and have video redirected to the client endpoint for smoother and more efficient video playback
Performance Counter Improvements
Windows agent PerfMon counters improvements for Blast Extreme sessions: imaging, audio, client-drive redirection (CDR), USB and virtual printing
Linux Virtual Desktops
KDE support: Besides RHEL/CentOS 6.x, the KDE GUI is now supported on RHEL/CentOS 7.x, Ubuntu 14.04/16.04 and SUSE Linux Enterprise Desktop 11 SP4
MATE interface is now supported on Ubuntu 14.04 and Ubuntu 16.04
Blast Extreme Adaptive Transport is now supported for Linux desktops
vGPU hardware H.264 encoder support has been added
USB Redirection
USB redirection is supported in nested mode
ThinPrint Filtering
Administrators can filter out printers that should not be redirected
Horizon Client 4.6 Updates
Security Update
All clients have been updated to use SHA-2 to prevent SHA-1 collision attacks
Session Pre-launch
Session pre-launch is now extended to both Horizon Client for macOS and Horizon Client for Windows
Apteligent
Integration of Apteligent crash log
Blast Extreme
Improvements in Blast Extreme Adaptive Transport mode for iOS and macOS
User can change Blast Extreme settings without having to disconnect
Horizon Client 4.6 for Windows
Support for UNC path with CDR
Horizon Client 4.6 for macOS
Support for macOS Sierra and macOS High Sierra
Selective monitor support
Norwegian keyboard support
Horizon Client 4.6 for iOS
CDR support with drag and drop of files in split view
iOS split keyboard enhancement
iOS UI updates
Horizon Client 4.6 for Android
Android Oreo support
Manage the Horizon server list with VMware AirWatch
Simple shortcuts
External mouse enhancements
Real-Time Audio-Video (RTAV) support for Android and Chrome OS
Horizon Client 4.6 for Linux
Blast Extreme Adaptive Transport support
Horizon Client 4.6 for Windows 10 UWP
Network recovery improvements
Horizon HTML Access 4.6
HTML Access for Android with a revised UI
Customization of HTML Access page
Horizon Help Desk Tool
The Horizon Help Desk Tool provides a troubleshooting interface for the help desk that is installed by default on Connection Servers. To access the Horizon Help Desk Tool, navigate to https://<CS_FQDN>/helpdesk, where <CS_FQDN> is the fully qualified domain name of the Connection Server, or click the Help Desk button in the Horizon Administrator console.
The Help Desk Tool was introduced in Horizon 7.2 and has been greatly expanded upon in the Horizon 7.3 release.
Help Desk Tool features with Horizon 7.2:
Virtual machine metrics
Remote assistance
Session control (restart, logoff, reset, and disconnect)
Sending messages
Additional features with Horizon 7.3:
Display application process resources with reset control
Role-based access control for help desk staff
Activity logging for help desk staff
Granular login time metrics
Display Horizon Client information
User Session Details
The user session details appear on the Details tab when you click a user name in the Computer Name option on the Sessions tab. You can view details for Horizon Client, the VDI desktop or RDSH-published desktop, CPU and memory stats, and many other details.
Client version
Unified Access Gateway name and IP address
Logon breakdown (client to broker):
Brokering
GPO load
Profile load
Interactive
Authentication
Blast Extreme Metrics
Blast extreme metrics that have been added include estimated bandwidth (uplink), packet loss, and transmitted and received traffic counters for imaging, audio, and CDR.
Note the following behavior:
The text-based counters do not auto-update in the dashboard. Close and reopen the session details to refresh the information.
The transmitted and received traffic counters are cumulative from the point the session is queried/polled.
Blast Extreme Metrics for a Windows 10 Virtual Desktop Session
Display and Reset Application Processes and Resources
This new feature provides help desk staff with a granular option to resolve problematic processes without affecting the entire user session, similar to Windows Task Manager. The session processes appear on the Processes tab when you click a user name in the Computer Name option on the Sessions tab. For each user session, you can view additional details about CPU- and memory-related processes to diagnose issues.
Role-based Access Control and Custom Roles
You can assign the following predefined administrator roles to Horizon Help Desk Tool administrators to delegate the troubleshooting tasks between administrator users:
Help Desk Administrator
Help Desk Administrator (Read Only)
You can also create custom roles by assigning the Manage Help Desk (Read Only) privilege along with any other privileges based on the Help Desk Administrator role or Help Desk Administrator (Read Only) role.
Members of the Help Desk Administrators (Read Only) role do not have access to the following controls; in fact, functions such as Log Off and Reset are not presented in the user interface.
Watch this brief demonstration video of the Horizon Help Desk Tool to see it in action:
Horizon Virtualization Pack for Skype for Business
You can now make optimized audio and video calls with Skype for Business inside a virtual desktop without negatively affecting the virtual infrastructure and overloading the network.
All media processing takes place on the client machine instead of in the virtual desktop during a Skype audio and video call.
Horizon Virtualization Pack for Skype for Business offers the following supported features:
System Requirements
The following table outlines the system requirements for the new release:
Supported Clients
The following table provides the list of supported Horizon clients:
Start Menu Shortcuts Configured Through the Admin Console
This feature improves the user experience by adding desktop and application shortcuts to the Start menu of Windows client devices.
You can use Horizon Administrator to create shortcuts for the following types of Horizon 7 resources:
Published applications
Desktops
Global entitlements
Shortcuts appear in the Windows Start menu and are configured by IT. Shortcuts can be categorized into folders.
Users can choose at login whether to have shortcuts added to the Start menu on their Windows endpoint device.
Watch this brief demonstration video of the new Desktop and Apps Shortcuts feature to see it in action:
Dedicated Desktop Support for Instant Clones
Upon the initial release of instant clones in Horizon 7, we supported floating desktop pools and assignments only. Further investments have been made in Instant Clone Technology that add support for dedicated desktop pools. Fixed assignments and entitlements of users to instant-clone machines are now provided as part of Horizon 7.3.
Dedicated instant-clone desktop assignment means that there is a 1:1 relationship between users and desktops. Once an end user is assigned to a desktop, they will consistently receive access to the same desktop and corresponding virtual machine. This feature is important for apps that require a consistent hostname, IP address, or MAC address to function properly.
Note: Persistent disks are not supported. Fixed assignment to a desktop does not mean persistence for changes. Any changes that the user makes to the desktop while in-session will not be preserved after logoff, which is similar to how a floating desktop pool works. With dedicated assignment, when the user logs out, a resync operation on the master image retains the VM name, IP address, and MAC address.
Support for the Tesla P40 Graphics Card from NVIDIA
VMware has expanded NVIDIA GRID support with Tesla P40 GPU cards in Horizon 7.3.
HTML5 Video Redirection
This feature provides the ability to take the HTML5 video from a Chrome (version 58 or higher) browser inside a Windows VDI or RDSH system and redirect it to Windows clients. This feature uses Blast Extreme or PCoIP side channels along with a Chrome extension.
The redirected video is overlaid on the client and is enabled as well as managed using GPO settings.
Benefits include:
Supports generic sites such as YouTube, without requiring a server-side plugin.
Provides smooth video playback comparable to the native experience of playing video inside a browser on the local client system.
Reduces data center network traffic and CPU utilization on the vSphere infrastructure hosts.
Improved USB Redirection with User Environment Manager
The default User Environment Manager timeout value has been increased. This change ensures that the USB redirection Smart Policy takes effect even when the login process takes longer than expected.
With Horizon Client 4.6, the User Environment Manager timeout value is configured only on the agent and is sent from the agent to the client.
You can now bypass User Environment Manager control of USB redirection by setting a registry key on the agent machine (VDI desktop or RDSH server). This change ensures that smart card SSO works on Teradici zero clients. Note: Requires a restart.
The Windows Agent PerfMon counters for the Blast Extreme protocol have been improved to update at a constant rate and to be even more accurate.
Counters include:
Imaging
Audio
CDR
USB
Virtual printing
Linux Virtual Desktops
Features and functions for Horizon 7 for Linux virtual desktops have been expanded:
KDE support – Besides RHEL/CentOS 6.x, the KDE GUI is now supported on RHEL/CentOS 7.x, Ubuntu 14.04/16.04, SUSE Linux Enterprise Desktop 11 SP4.
Support for the MATE interface on Ubuntu 14.04, Ubuntu 16.04.
Blast Extreme Adaptive Transport support.
vGPU hardware H.264 encoder support.
USB Redirection Support in Nested Mode
The USB redirection feature is now supported when you use Horizon Client in nested mode. When using nesting–for example, when opening RDSH applications from a VDI desktop–you can now redirect USB devices from the client device to the first virtualization layer and then redirect the same USB device to the second virtualization layer (that is, nested session).
Filtering Redirected Printers
You can now create a filter to specify the printers that should not be redirected with ThinPrint. A new GPO ADMX template (vmd_printing_agent.admx) has been added to enable this functionality.
By default, the rule permits all client printers to be redirected.
Supported attributes:
PrinterName
DriverName
VendorName
Supported operators:
AND
OR
NOT
Supported searching pattern is a regular expression.
Blast Extreme Improvements in CPU Usage
Now even lower CPU usage is achieved with adaptive Forward Error Correction algorithms. This clever mechanism decides how to handle error correction, lowering CPU usage within virtual desktop machines as well as on client endpoint devices.
Blast Extreme Adaptive Transport Side Channel
New support has been added for Blast Extreme Adaptive Transport side channels for USB and CDR communications. Once enabled, TCP port 32111 for USB traffic does not need to be opened, and USB traffic uses a side channel. This feature is supported for both virtual desktops and RDS hosts.
Feature is turned off by default.
Enable the feature through a registry key: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config\UdpAuxiliaryFlowsEnabled 1
Entitlement Restrictions Based on Machine Name
This feature allows IT administrators to restrict access to published applications and desktops based on both client computer and user. With client restrictions for RDSH, it is now possible to check AD security groups for specific computer names. Users only have access to desktops and apps when both the user and the client machine are entitled. For this release, the feature is supported only for Windows clients and works with global entitlements.
Pre-Launch Improvements
Pre-launch provides the ability to launch an empty (application-less) session when connecting to the Connection Server. The feature is now also available to Windows clients, in addition to macOS.
Also, it is no longer necessary to manually make changes to the client settings. You can configure automatic reconnection.
Blast Extreme Adaptive Transport Mode for iOS and macOS
With prior client releases, users were required to configure their Blast Extreme settings before they connected to the Connection Server. After a connection was established, the options to change the Blast Extreme setting—which included H.264, Poor, Typical, and Excellent—were unavailable.
With this release, users can change the network condition setting from Excellent to Typical, or the reverse, while a session is in progress. Doing so also changes the protocol connection type between TCP (for Excellent) and UDP (for Typical).
Note: End users will not be able to change the network condition setting if Poor is selected before establishing a session connection.
Horizon Client for Windows
Horizon Client 4.6 updates include:
Additional command-line options for the new client installer – When silently installing the Windows client, using the /s flag, you can now also set:
REMOVE=SerialPort,Scanner – Removes the serial port, scanner, or both.
DESKTOP_SHORTCUT=0 – Installs without a desktop shortcut.
STARTMENU_SHORTCUT=0 – Installs without a Start menu shortcut.
Support for UNC paths with client drive redirection (CDR):
Allows remote applications to access files from a network location on the client machine. Each location gets its own drive letter inside the remote application or VDI desktop.
Folders residing on UNC paths can now be redirected with CDR, and get their own drive letter inside the session, just as any other shared folder.
Horizon Client for macOS
Horizon Client 4.6 updates include:
Apple macOS High Sierra day 0 support.
Users can select which monitors to use for VDI sessions and which to use for the local system.
Norwegian keyboard support and mappings are now available
Horizon Client for iOS
Horizon Client 4.6 updates include:
iOS 11 support
iOS split keyboard update – Removes the middle area in the split keyboard for a better view of the desktop
New dialog box for easy connection to a Swiftpoint Mouse
Horizon Client for Android
Horizon Client 4.6 updates include:
Android 8.0 Oreo support.
Server URL configuration – Allows administrators to configure a list of Connection Servers and a default Connection Server on Android devices managed by VMware AirWatch.
Android and Chrome OS Client Updates
Horizon Client 4.6 for Android and Horizon Client 4.6 for Chrome OS updates include:
Simple shortcuts – Users can right-click any application or desktop to add a shortcut to the home screen.
Webcam redirection – Integrated webcams on an Android device or a Chromebook are now available for redirection using the Real-Time Audio-Video (RTAV) feature.
HTML Access
HTML Access 4.6 updates include:
HTML Access on Android devices – Though HTML Access has fewer features than the native Horizon Client, it allows you to use remote desktops and published applications without installing software.
HTML Access page customization – Administrators can customize graphics and text and have those customizations persist through future upgrades.
Horizon Client for Linux
Horizon Client 4.6 updates include:
Support for Raspberry Pi 3 Model B devices:
ThinLinx operating system (TLXOS) or Stratodesk NoTouch operating system
Supported Horizon Client features include:
Blast Extreme
USB redirection
H.264 decoding
8000Hz and 16000Hz audio-in sample rate
RHEL/CentOS 7.4 support
Horizon Client for Windows 10 UWP
Horizon Client 4.6 updates include:
Network recovery improvements – Clients can recover from temporary network loss (up to 2 minutes). This feature was already available for Windows, macOS, Linux, iOS, and Android, and is now available for Windows 10 UWP.
Automatically reconnects Blast Extreme sessions
Reduces re-authentication prompts
We are excited about these new features in Horizon 7.3.1 and the Horizon Client 4.6. We hope that you will give them a try.
The Microsoft Deployment Toolkit (MDT), build 8443, is now available on the Microsoft Download Center. This update requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607, available on the Microsoft Hardware Dev Center (adksetup.exe file version 10.1.14393.0).
You may notice that we are not tagging this release with a year or update version. To better align with the current branches of Windows 10 and Configuration Manager, and to simplify the branding and release process, we are now just referring to it as the “Microsoft Deployment Toolkit”, using the build number to distinguish each release. This is not necessarily a “current branch” of MDT; we are committed to updating MDT as needed with revisions to Windows, the Windows ADK, and Configuration Manager.
Here is a summary of the significant changes in this build of MDT:
Supported configuration updates
Windows ADK for Windows 10, version 1607
Windows 10, version 1607
Windows Server 2016
Configuration Manager, version 1606
Quality updates
Deployment Wizard scaling on high DPI devices
Johan’s “uber bug” for computer replace scenario
Multiple fixes for the Windows 10 in-place upgrade scenario
Several fixes to Configure ADDS step
Removed imagex/ocsetup dependencies, rely solely on DISM
Includes the latest Configuration Manager task sequence binaries (version 1606)
A recent update for Windows may cause Outlook to crash.
The update that causes this is KB3097877, and it appears to be limited to only some Windows 7 installations when downloading online images for an HTML message. The version of Outlook that you are using doesn’t seem to matter, and other applications may also be affected.
MDT Team have released a newer build (8298) to address many of these issues. The Download Center is updated with the new build and is still considered MDT 2013 Update 1. Build 8290 is no longer available, no longer supported, and superseded by build 8298.
NOTE: it can take time for the files to fully propagate through the live downloads cluster, and to be refreshed on the Akamai caches. Please ensure the build version under Details is 8298. I have seen the updated page on a non-internal system; it’s there, just be patient. Use the time to review the release notes below!
The following issues are fixed in build 8298
Multiple drive partitioning issues are addressed by significant revisions to the Format and Partition Disk step (see release note below), including:
Upgrading to MDT 2013 Update 1 does not work for UEFI systems
An extra unneeded partition is created on both UEFI and BIOS systems
You cannot specify a custom partition layout containing a “Recovery”-type partition needed for UEFI systems
LTIApply error, “There is not enough space on the disk”
WINRE_DRIVE_SIZE from ZTIDiskpart.wsf is Too Small
Multiple issues related to XML processing:
Application bundles returning error 87
Selecting a keyboard locale in the Deployment Wizard
Cleanup after image capture doesn’t remove LTIBootstrap entry
Several issues with the Windows 10 in-place upgrade task sequence including:
The upgrade process ends with warnings “Unable to create WebService class”
The upgrade task sequence is available from Windows PE
After upgrade a System_License_Violation blue screen appears
Applications that use a command file start using System32 as the working directory
Spanned images cannot be applied
Below are the revised release notes and list of known issues. These inclusive lists supersede the previously published lists. New entries are marked with an asterisk (*).
Release Notes
TechNet documentation is not updated
The MDT product documentation published on TechNet is current as of MDT 2013; it has not yet been updated for MDT 2013 Update 1.
Do not upgrade from Preview to RTM
MDT 2013 Update 1 Preview should be uninstalled before installing the final MDT 2013 Update 1. Do not attempt to upgrade a preview installation or deployment share. Although the product documentation is not updated for MDT 2013 Update 1, the information on upgrading an installation still holds true.
Windows System Image Manager will fail to validate MDT Unattend.xml templates
The Windows System Image Manager (WSIM, a component of the Windows ADK used to create and modify unattended installation answer files) does not allow blank values, which exist in the default MDT Unattend.xml templates. When using the WSIM option Validate Answer File, it will return validation errors, such as “The ‘HorizontalResolution’ element is invalid – The value '' is invalid according to its datatype ‘HorizontalResolutionType’ – The string '' is not a valid UInt32 value.”
MDT removes blank values before injecting the file during deployment, so Windows always receives a valid XML answer file.
Integrating with System Center Configuration Manager
When integrating MDT with Configuration Manager, follow the version of the Windows ADK. MDT 2013 Update 1 only works with the Windows 10 ADK, so make sure it is used with a version of Configuration Manager that supports and also uses the Windows 10 ADK.
Image files larger than 4 GB are not split by default
Split image (.SWM) support is now off by default. It must be enabled by modifying %DeployRoot%\Control\Settings.xml with the following:
<SkipWimSplit>False</SkipWimSplit>
Using HideShell with Windows 10
The behavior of the HideShell option changed with Windows 10. Michael Niehaus explains this in great detail on his blog.
Changes to the Format and Partition Disk step *
The Format and Partition Disk step in the task sequence is now more closely aligned with the similar step in Configuration Manager; it will explicitly show all of the partitions that are created when the task sequence runs.
Backwards compatibility remains when using a task sequence that was created in a prior version of MDT. You should expect the same behavior as previously.
The DoNotCreateExtraPartition variable is deprecated. It should not be used with new task sequences (as the partitions are explicitly created by the task sequence step).
Changes to permissions of new deployment shares *
New deployment shares will now be created with more restrictive permissions. You should review these permissions and adjust accordingly for your access requirements.
Upgraded deployment shares are not modified, but the former default permissions are overly permissive. You should review the permissions on the share and directory and adjust accordingly for your environment.
MDT Known Issues
Static IP not restored when using media deployment
When doing a media deployment and using a static IP the static IP does not get restored.
Workarounds:
Modify Litetouch.wsf to enable MEDIA deployments (Keith Garner explains in this forum post) or
Add an extra Apply Network Settings action (alternative suggested by Johan Arwidmark on his blog)
Static IP not set in Network Adapter Configuration Wizard
When initializing a deployment in Windows PE and clicking Configure Static IP Address, if you uncheck Enable DHCP and enter static IP information, the following Network Settings Error will display:
This warning may also be seen in the results screen and log files during a deployment.
Workaround: a static IP can be manually set from Windows PE using netsh, but otherwise there are no workarounds at this time.
UDI wizard does not handle the domain join account user name *
When using the OSDJoinAccount variable in CustomSettings.ini for a UDI task sequence, the wizard cannot be completed because the domain join account user name is encoded. The New Computer Details page will display an error, “User name format is invalid. Example is domain\user.”
Workarounds:
Specify the OSDJoinAccount variable in the task sequence before the UDI wizard starts.
Alternatively, require the user to manually specify credentials in the UDI wizard.
Unable to browse for user data path *
In the LTI Deployment Wizard, on the User Data page, when selecting the Browse button, the Browse for Folder window does not display anything for selecting a path.
Workarounds:
Manually enter the path (do not browse).
Set the UserDataLocation variable in CustomSettings.ini.
The ZTIWinRE.wsf script and PrepareWinRE variable do not function properly *
If you specify PrepareWinRE=YES in CustomSettings.ini, Windows RE does not get enabled because the commandline is malformed.
The ZTIWinRE.wsf script is deprecated and should not be used.
Windows 10 language packs may not install *
We are still investigating an issue where Windows 10 language packs may not install during LTI.
Issues after successful Windows 10 in-place upgrade *
Following a successful upgrade to Windows 10:
Monitoring will continue to show the task sequence in progress until a user logs on.
A low rights user may receive an error at logon. This is a non-fatal error; the MDT script requires administrator elevation in order to display the final summary screen. Avoid this by using the variable, SkipFinalSummary.
Windows 10 Known Issues
The following are issues that are known to the MDT product team when doing Windows 10 deployments.
Issues with CopyProfile *
We are aware of reports of issues regarding the CopyProfile property in Unattend.xml. We have not been able to reproduce this issue, and are working with the Windows team to investigate further. If you have a reproducible issue with CopyProfile, please open a case with Microsoft Support to troubleshoot.
USMT LoadState fails on Windows 7 *
Using MDT 2013 Update 1 to deploy Windows 7 to an existing machine (refresh scenario), and using USMT 10 to capture and restore the user data will result in an error (“DismApi.DLL is missing”) while restoring the user state on Windows 7. This is a known issue with loadstate; see https://support.microsoft.com/kb/3084782 for more information.
MDAC component fails being added to Windows PE
This is a known bug with DISM; it is external to MDT. DISM can sometimes fail to add the MDAC component to WinPE boot images. This seems to be a timing issue which most commonly occurs when you are using SSD disks.
Workarounds:
Remove MDAC. On the deployment share properties, Windows PE tab, Features subtab, uncheck Microsoft Data Access Components (MDAC/ADO) support.
If you need MDAC for database connectivity, you can try updating your boot images from a system where the %TMP% directory is located on a non-SSD drive. This is not a guaranteed workaround, but has been seen to work.
NOTE: we are also aware of reports of issues regarding the WMI component in Windows PE. We have not been able to reproduce this issue, and are working with the Windows team to investigate further. If you have a reproducible issue with Windows PE optional components, please open a case with Microsoft Support to troubleshoot.
Issues with Windows PowerShell in Windows PE
Windows PowerShell cmdlets in Windows PE may not function as expected. We are investigating this issue with the Windows team. If you have a reproducible issue with Windows PE optional components, please open a case with Microsoft Support to troubleshoot.
The list of known issues below provides a number of workarounds that are currently available to help unblock affected customers. We will revise the list as needed. Given the number of issues with this build we will release a newer build of MDT 2013 Update 1 in the next several weeks to address as many of these issues as we can. Watch this blog for more information.
Release Notes
TechNet documentation is not updated
The MDT product documentation published on TechNet is current as of MDT 2013; it has not yet been updated for MDT 2013 Update 1.
Do not upgrade from Preview to RTM
MDT 2013 Update 1 Preview should be uninstalled before installing the final MDT 2013 Update 1. Do not attempt to upgrade a preview installation or deployment share. Although the product documentation is not updated for MDT 2013 Update 1, the information on upgrading an installation still holds true.
Windows System Image Manager will fail to validate MDT Unattend.xml templates
The Windows System Image Manager (WSIM, a component of the Windows ADK used to create and modify unattended installation answer files) does not allow blank values which exist in the default MDT Unattend.xml templates. MDT removes blank values before injecting the file during deployment, so Windows always receives a valid XML answer file.
Integrating with System Center Configuration Manager
When integrating MDT with Configuration Manager, follow the version of the Windows ADK. MDT 2013 Update 1 only works with the Windows 10 ADK, so make sure it is used with a version of Configuration Manager that supports and also uses the Windows 10 ADK.
Image files larger than 4 GB are not split by default
Split image (.SWM) support is now off by default. It must be enabled by modifying %DeployRoot%\Control\Settings.xml with the following:
<SkipWimSplit>False</SkipWimSplit>
Using HideShell with Windows 10
The behavior of the HideShell option changed with Windows 10. Michael Niehaus explains this in great detail on his blog.
Known Issues
Disk partitioning issues
Symptoms:
Recovery partition consumes the majority of the disk on BIOS systems
LTIApply fails with DISM error 112, There is not enough space on the disk.
Recovery partition is unnecessarily visible on both UEFI and BIOS systems
You can’t specify a custom partition layout containing a recovery partition for UEFI systems
Workarounds: Keith Garner provides some suggestions on his blog: uberbug06 and uberbug07.
Static IP not restored when using media deployment
When doing a media deployment with a static IP, the static IP is not restored.
Workarounds:
Modify Litetouch.wsf to enable MEDIA deployments (Keith Garner explains in this forum post) or
Add an extra Apply Network Settings action (alternative suggested by Johan Arwidmark on his blog)
Static IP not set in Network Adapter Configuration Wizard
When initializing a deployment in Windows PE and clicking Configure Static IP Address, if you uncheck Enable DHCP and enter static IP information, the following Network Settings Error will display:
This warning may also be seen in the results screen and log files during a deployment.
Workaround: a static IP can be manually set from Windows PE using netsh, but otherwise there are no workarounds at this time.
Monitoring does not work after Windows 10 upgrade
After successfully upgrading a system to Windows 10 the MDT monitoring fails to report information. You will see the following warnings:
Unable to create WebService class
Workaround: None.
MDAC component fails being added to Windows PE
This is a known bug with DISM; it is external to MDT. DISM can sometimes fail to add the MDAC component to WinPE boot images. This seems to be a timing issue which most commonly occurs when you are using SSD disks.
Workarounds:
Remove MDAC. On the deployment share properties, Windows PE tab, Features subtab, uncheck Microsoft Data Access Components (MDAC/ADO) support.
If you need MDAC for database connectivity, you can try updating your boot images from a system where the %TMP% directory is located on a non-SSD drive. This is not a guaranteed workaround, but has been seen to work.
NOTE: we are also aware of reports of similar issues regarding Windows PowerShell and WMI components in Windows PE (as well as some functional issues with these components). We have not been able to reproduce these issues, and are working with the Windows team to investigate further. If you have a reproducible issue with these components in Windows PE, please open a case with Microsoft Support to troubleshoot.
Upgrade task sequences are displayed when not applicable
Windows 10 upgrade task sequences are available when starting a deployment from Windows PE or on a non-matching architecture. However, the in-place upgrade scenario is only supported when started from the full OS (it cannot be started from Windows PE) and from the correct architecture.
Workaround: Modify your upgrade task sequence properties to exclude client platforms that are not applicable. On the task sequence properties, General tab, select This can run only on the specified client platforms and then choose platforms that you want to target, for example, All x86 Windows 7 Client. This example will exclude Windows PE and Windows 7 x64 systems.
Applications with a command file (.cmd) use a Windows system working directory
If you have an application that uses a command file (.cmd) as the installation command line, it will be launched from C:\Windows\System32 instead of the application’s working directory.
Workaround: See the associated bug on Connect for sample edits to ZTIApplications.wsf.
Application bundles successfully install but log an error
Application bundles will successfully install but the following warning is logged in ZTIApplications.log:
SelectSingleNodeString(CommandLine) Missing Node.
as well as the following error:
Application <app bundle name> returned an unexpected return code: 87
Workaround: See the associated bug on Connect for sample edits to ZTIApplications.wsf.
Deployment Wizard error for Keyboard Locale
Changing the keyboard locale in the Deployment Wizard will result in a script error:
Type mismatch: 'SetNewKeyboardLayout'
This error is non-fatal. Click Yes and continue.
Workarounds:
Specify the keyboard locale in CustomSettings.ini and hide this wizard page.
Edit %DeployRoot%\Scripts\DeployWiz_LanguageUI.xml to remove onchange="SetNewKeyboardLayout" from line 62.
ZTI: Offline installation of language packs or software updates fails
Using the “Install Language Packs Offline” or “Install Updates Offline” step in an MDT-integrated task sequence in Configuration Manager results in the language packs or updates not being injected, and the following errors in the ZTIPatches.log:
ZTI ERROR - Unhandled error returned by ZTIPatches: Object required (424)
This error is only seen in logs; the deployment otherwise appears to be successful.
Workaround: apply updates and language packs online.
Split image files do not apply
If you split a large image file to create .SWM file(s), then applying this split image file will fail.
Workaround: edit %DeployRoot%\Scripts\LTIApply.wsf, both lines 915 and 918, to add a colon and remove a space, for example on line 915 change:
Deployment fails due to unattend.xml errors during oobeSystem
If you have edited unattend.xml and then start a deployment with the wizard page for administrator password enabled, or specified AdminPassword in CustomSettings.ini, the deployment will fail during Windows OOBE:
Windows could not parse or process Unattend answer file [C:\Windows\Panther\unattend.xml] for pass [oobeSystem]. The settings specified in the answer file cannot be applied. The error was detected while processing settings for component [Microsoft-Windows-Shell-Setup].
Workaround: edit %DeployRoot%\Scripts\ZTIConfigure.wsf lines 343 and 344 to add the unattend: prefix before PlainText. For example, on line 344 change:
oCurrent.parentNode.selectSingleNode("PlainText").text = "true"
to
oCurrent.parentNode.selectSingleNode("unattend:PlainText").text = "true"
Do the same on line 343.
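Why the prefix matters, as an added example (not MDT's script code): unattend.xml declares a default namespace, and an unprefixed XPath name only matches elements in no namespace, so the lookup returns nothing and the write fails. The example uses .NET's XmlDocument from PowerShell rather than the script's own XML object, and the XML fragment and password value are constructed.

```powershell
# Added example, not MDT code. The XML below is a constructed fragment that
# uses the unattend answer-file namespace and a placeholder password value.
$xml = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>constructed-placeholder</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

$doc = New-Object System.Xml.XmlDocument
$doc.LoadXml($xml)

# Bind the prefix used in the XPath to the document's default namespace.
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('unattend', 'urn:schemas-microsoft-com:unattend')

$value = $doc.SelectSingleNode('//unattend:AdministratorPassword/unattend:Value', $ns)

# Unprefixed: XPath 1.0 looks for PlainText in no namespace and finds nothing.
$unprefixed = $value.ParentNode.SelectSingleNode('PlainText')
# Prefixed: resolves to the sibling element in the unattend namespace.
$prefixed = $value.ParentNode.SelectSingleNode('unattend:PlainText', $ns)

"unprefixed lookup found a node: $($null -ne $unprefixed)"
"prefixed lookup found a node:   $($null -ne $prefixed)"

# Fail loudly instead of dereferencing a missing node, then set the flag.
if ($null -eq $prefixed) { throw 'PlainText not found; check the namespace prefix.' }
$prefixed.InnerText = 'true'
$prefixed.OuterXml
```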
ZTI: LTIBootstrap.vbs script not found
Towards the end of an MDT-integrated task sequence deployment in Configuration Manager, a Windows Script Host popup will appear with a message similar to the following:
Can not find script file "C:\LTIBootstrap.vbs".
(The drive letter may be different depending upon the specific scenario.)
Workaround: Script changes are possible but difficult and challenging. Johan Arwidmark provides an option on his blog (see Issue #2).
LTI: Cleanup is not complete after image capture
After capturing an image and rebooting back to the drive, autologon is still configured and an error will appear stating that LTIBootstrap is not found. This is a minor, non-fatal error that does not affect the captured image.
Workaround: Script changes are possible but difficult and challenging, especially given the minor severity of the issue.
DISM returns error 87 when applying image
A deployment fails with the following error from DISM:
Error: 87 (The parameter is incorrect)
With further detail in the dism.log:
Failed to get the filename extension of the image file
Workarounds: This is seen when the server name is only two characters, for example DC, such that the /ImageFile parameter is similar to the following:
The Microsoft Deployment Toolkit (MDT) 2013 Update 1 is now available on the Microsoft Download Center. This update requires the Windows Assessment and Deployment Kit (ADK) for Windows 10, available on the Microsoft Hardware Dev Center. (Scroll to the bottom of the page to the section, “Customize, assess, and deploy Windows on your hardware.” The page also includes other Windows kits; remember for deployment you only need the Windows ADK for Windows 10.)
Significant changes in MDT 2013 Update 1:
Support for the Windows Assessment and Deployment Kit (ADK) for Windows 10
Support for deployment and upgrade of Windows 10
Support for integration with System Center 2012 R2 Configuration Manager SP1 with the Windows 10 ADK (see this post on the Configuration Manager Team blog for more information on using the Windows 10 ADK with Configuration Manager)
Here is a more detailed list of some specific changes in this release:
Support for new Enterprise LTSB and Education editions of Windows 10
Support for modern app (.appx) dependencies and bundles
Improved support for split image files (.swm)
Switched to using DISM for imaging processes (instead of deprecated ImageX)
Deployment Workbench revisions for deprecated content
Enhanced accessibility within the Deployment Workbench
Revised lists of time zones, regions and languages in the Deployment Wizard
Removed Start menu shortcut for “Remove PXE Filter”
Several MVP recommended fixes for Windows Updates, password handling, and PowerShell cmdlets
Added missing OOBE settings to Unattend.xml
Unattend.xml default screen resolution changed to allow for automatic scaling
Updated task sequence binaries from System Center 2012 R2 Configuration Manager SP1
New GetMajorMinorVersion function for integer comparison of Windows version numbers