Potential USMT Errors & Resolution



Failure when “trying to reboot into WinPE”
appears on the Task Sequence UI (forgot to take screenshot)


Check the SMSTS.LOG in C:\Windows\CCM\Logs.

In the screenshot below, look for a line like “Unable to find a volume that is suitable for staging the boot image” in the log file.

 

This typically happens for 2 different reasons.
1. The drive is locked by BitLocker encryption and you need to first disable BitLocker in the task sequence. Once this is done, the task sequence engine can identify the drive to stage the boot image locally.
2. This can also be because the drive is still undergoing the encryption process. You must wait until the drive is fully encrypted before you can execute this task sequence from Windows.
To verify the drive has finished encrypting, launch PowerShell as an admin and type “Get-BitlockerVolume”, and do not attempt to run the installation until the “Encryption KeyProtector Percentage” is 100%.
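The two causes above can be checked in one pass before the task sequence is started. This is an added example, not code from the original post; the function name is hypothetical and it reads the `VolumeStatus`, `EncryptionPercentage` and `ProtectionStatus` properties that `Get-BitLockerVolume` returns.

```powershell
# Added example: run from an elevated PowerShell prompt before starting the
# task sequence from Windows. The function name is hypothetical.
function Test-BitLockerReadyForStaging {
    param([string]$MountPoint = $env:SystemDrive)

    $vol        = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $status     = [string]$vol.VolumeStatus
    $protection = [string]$vol.ProtectionStatus

    # Reason 2 on this page: the volume is still converting. Only the two
    # "Fully..." states mean no encryption or decryption pass is running.
    $settled = $status -in 'FullyEncrypted', 'FullyDecrypted'

    # Reason 1 on this page: protection is on, so the task sequence has to
    # disable BitLocker before the boot image can be staged.
    $needsDisable = $protection -eq 'On'

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $status
        EncryptionPercentage = $vol.EncryptionPercentage
        ProtectionStatus     = $protection
        ConversionFinished   = $settled
        NeedsDisableStep     = $needsDisable
    }
}

$result = Test-BitLockerReadyForStaging
$result | Format-List

if (-not $result.ConversionFinished) {
    Write-Warning ("{0} is {1} at {2}%; wait before running the task sequence." -f
        $result.MountPoint, $result.VolumeStatus, $result.EncryptionPercentage)
}
elseif ($result.NeedsDisableStep) {
    Write-Warning ("{0} is protected; confirm the task sequence disables BitLocker first." -f
        $result.MountPoint)
}
```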
NOTE: It is possible to receive this error when you are trying to stage the boot image onto the disk and the disk cannot be read because different encryption software locks the disk. For example, if you are running Dell Credant you must be logged into the system; then the TS Engine will be able to read the disk.
To identify Dell Credant systems via SQL: this is a hybrid of one of my queries that I use in my production environment, but you can modify it to return only BitLocker information by commenting out the parts you do not need.

SELECT DISTINCT
    v_R_System.Name0 AS System,
    Computer_System_DATA.Model00 AS [System Model],
    ___System_INSTALLED_SOFTWARE0.ARPDisplayName00,
    v_R_System.AD_Site_Name0 AS [AD Site],
    -- Translate the OS build number into a readable name
    CASE v_R_System.Build01
        WHEN '6.1.7601' THEN 'Windows 7'
        WHEN '10.0.14393' THEN 'Win 10 v1607'
        WHEN '10.0.15063' THEN 'Win 10 v1703'
    END AS [Operating System],
    CASE v_R_System.Client0
        WHEN '0' THEN 'No Client'
        WHEN '1' THEN 'Client Installed'
    END AS [Client],
    v_GS_ENCRYPTABLE_VOLUME.DriveLetter0 AS [Drive Letter],
    --v_GS_ENCRYPTABLE_VOLUME.ProtectionStatus0 AS [Protection Status],
    CASE v_GS_ENCRYPTABLE_VOLUME.ProtectionStatus0
        WHEN '0' THEN 'not encrypted'
        WHEN '1' THEN 'encrypted'
        WHEN '2' THEN 'Encrypted Requires Pin'
    END AS [Bitlocker Status]
FROM
    v_GS_ENCRYPTABLE_VOLUME
    INNER JOIN v_R_System ON v_GS_ENCRYPTABLE_VOLUME.ResourceID = v_R_System.ResourceID
    INNER JOIN Computer_System_Data ON v_R_System.Name0 = Computer_System_Data.Name00
    INNER JOIN INSTALLED_SOFTWARE_DATA AS ___System_INSTALLED_SOFTWARE0 ON ___System_INSTALLED_SOFTWARE0.MachineID = v_R_System.ResourceID
WHERE
    v_GS_ENCRYPTABLE_VOLUME.DriveLetter0 = 'C:'
    -- Exclude virtual machines
    AND Computer_System_DATA.Model00 != 'VMware Virtual Platform'
    AND Computer_System_DATA.Model00 != 'Virtual Machine'
    --AND v_GS_ENCRYPTABLE_VOLUME.ProtectionStatus0 = '0' -- for not BitLocker encrypted systems
    --AND v_R_System.Name0 = 'P620268'
    -- Comment out the next line (and the INSTALLED_SOFTWARE_DATA join) for BitLocker-only output
    AND ___System_INSTALLED_SOFTWARE0.ARPDisplayName00 LIKE N'Credant_WindowsShield%'

 

Failure when trying to connect to SMP Share
 
This failure is more often seen when trying to rerun on a failed system (can be seen during backup or restore part of the process) 
 
To correct this issue, we opened PowerShell and ran the following.

Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates\*' -Force; Restart-Service ccmexec

I would also recommend opening the registry location to verify this has successfully been deleted.
Once this runs successfully you should then be able to re-run the task sequence successfully.
File Not Found:
Of course, there is the standard advice: make sure your commands are typed correctly. In the example below we see a file not found error. Make sure you type out your file names correctly, etc.
NOTE: I have seen cases where a variable is set for Packages, but it does not always translate, so I tend to just hard code the package ID when I set restore/capture options into a variable; see the example below.
Connection to SMP Refused: 
Make sure when you begin your deployment strategy that you plan for an adequate number of connections to the SMP. The default for this I believe is 100 connections, but that does not mean concurrent connections. The criteria that go into the count are any established connections (completed or in progress) within your deletion policy time period. If you have a problem where the connection is actively refused by the SMP, you should increase the max allowed connections you have configured.
I tried to create as many Potential USMT Errors as I could think of to help out the community. If I encounter any more or can think of new ones I will add them to this blog post.

Helpful WMI Queries (OSD)


Earlier in 2017 I was at a customer's site where they had 60+ task sequences. This customer had a specific TS for each model they supported, and for each scenario. This was eventually reduced down to 3 task sequences, primarily by the use of WMI queries.

For Tier 1 Support

 

WMIC CSPRODUCT GET NAME

 

This will return the system model information so I can take a look at what potential problems exist.

 

WMIC BIOS GET SMBIOSBIOSVERSION

 

This will return the current BIOS version running on the system. For my current customer we noticed the 840 G1 touchscreen laptops would exit the TS and have display issues unless we flashed the BIOS to at least 1.39 while being imaged connected to an ultra slim docking station.

 

For Task Sequence
We started to combine the task sequences into 1 by use of WMI queries. There would be individual driver installation steps based on each model.

select * from win32_computersystem where Model like "%HP EliteBook 840 G1%"

We can see when we query status messages that only the step to install 840 G1 drivers was run due to the WMI query.

 

For Bios Flash
I like to create an If statement to include model information combined with a specific BIOS version. This will allow me to target only systems that are not up to the approved baseline. Running with the configuration below we get a return of 5 – 8 minutes per system by being able to avoid this step.

Less than version example:

select * from win32_computersystem where Model like "%HP EliteBook 840 G2%"

select * from WIN32_BIOS where SMBIOSBIOSVersion < "N71 Ver. 01.21"

 





FOR VPN
useful for deciding to ignore


Select * from Win32_IP4RouteTable where Name like '192.0.99.%' or Name like '192.0.98.%'










ProTip
Make sure you always test your queries. I have seen in a previous customer's environment while reviewing status messages that several model machines were failing domain joins because the driver packs were not being installed due to bad WMI queries. This was a problem the customer faced against 40 percent of their supported models.
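One way to test the conditions from this page on a reference machine before they go into a task sequence; this is an added example, not code from the original post, and both function names are hypothetical. It also goes one step beyond the page: `SMBIOSBIOSVersion` is a string property, so the `<` in the BIOS query is a string comparison that only orders versions correctly while the vendor keeps the same zero-padded format, which the second function illustrates with a constructed value.

```powershell
# Added example: evaluate task sequence WQL conditions on a reference machine.
function Test-WqlCondition {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Query
    )
    try {
        $rows = @(Get-CimInstance -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
        [pscustomobject]@{ Condition = $Name; QueryValid = $true
                           Matched = ($rows.Count -gt 0); Error = $null }
    }
    catch {
        # A malformed query is reported here instead of quietly never matching.
        [pscustomobject]@{ Condition = $Name; QueryValid = $false
                           Matched = $false; Error = $_.Exception.Message }
    }
}

# Numeric comparison of the trailing "major.minor" in strings like "N71 Ver. 01.21".
function Test-BiosBelowBaseline {
    param([string]$Installed, [string]$Baseline)
    $pattern = '(\d+\.\d+)\s*$'
    if ($Installed -notmatch $pattern) { throw "No version found in '$Installed'" }
    $have = [version]$Matches[1]
    if ($Baseline -notmatch $pattern) { throw "No version found in '$Baseline'" }
    $want = [version]$Matches[1]
    $have -lt $want
}

# Queries copied from this page.
$conditions = [ordered]@{
    '840 G1 drivers' = 'select * from Win32_ComputerSystem where Model like "%HP EliteBook 840 G1%"'
    '840 G2 model'   = 'select * from Win32_ComputerSystem where Model like "%HP EliteBook 840 G2%"'
    '840 G2 BIOS'    = 'select * from Win32_BIOS where SMBIOSBIOSVersion < "N71 Ver. 01.21"'
    'VPN routes'     = "select * from Win32_IP4RouteTable where Name like '192.0.99.%' or Name like '192.0.98.%'"
}
$conditions.GetEnumerator() |
    ForEach-Object { Test-WqlCondition -Name $_.Key -Query $_.Value } |
    Format-Table -AutoSize

# Constructed sample value "N71 Ver. 01.9": as text, "01.9" sorts after "01.21",
# while as a version 1.9 is below 1.21, so the two comparisons disagree.
'N71 Ver. 01.9' -lt 'N71 Ver. 01.21'
Test-BiosBelowBaseline -Installed 'N71 Ver. 01.9' -Baseline 'N71 Ver. 01.21'
```

Run it on one machine of each supported model; a row with `QueryValid` false or an unexpected `Matched` value is the kind of bad query the ProTip describes.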

Slow WinPE Boot Speed


Default out-of-the-box booting on WinPE with SCCM 2012/2016 is very slow. In some environments I’ve seen this take 3 hours to download the Boot.Wim. This is because System Center Configuration Manager 2012/2016 uses small TFTP block sizes of 512 bytes.

This behavior is set because it’s compatible with all network configurations; but the result is that the PXE boot speed can be very slow using Operating System Deployment with SCCM.

To increase the PXE boot speed, we need to modify the TFTP block size.
In the registry editor:
Path : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP
Name : RamDiskTFTPBlockSize
Type : REG_DWORD
Value : 16384 (decimal)

16384 is the maximum supported value.
If it is bigger, you can get corrupted data.
However, I recommend testing with these values:
– 4096,
– 8192,
– 16384.
I typically run 16384 and 8182 in my environments. These will be DPs that are on Server 2008 R2 and later.

Restart the Windows Deployment Services Service. (WDS)
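The registry change and service restart above, scripted so that only the three values recommended for testing are accepted and the previous value is returned for rollback. This is an added example, not code from the original post; the function name is hypothetical, and `WDSServer` is the service name of Windows Deployment Services.

```powershell
# Added example: run elevated on the PXE-enabled distribution point.
function Set-PxeTftpBlockSize {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Only the values this page recommends testing; larger values risk corrupted data.
        [ValidateSet(4096, 8192, 16384)]
        [int]$BlockSize = 16384
    )

    $key  = 'HKLM:\SOFTWARE\Microsoft\SMS\DP'
    $name = 'RamDiskTFTPBlockSize'

    if (-not (Test-Path -Path $key)) {
        throw "$key not found; this machine does not look like a distribution point."
    }

    # Remember the current value (empty when the default block size is in use).
    $previous = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    if ($PSCmdlet.ShouldProcess($key, "Set $name to $BlockSize and restart WDS")) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $BlockSize -Force | Out-Null
        # The new block size is only picked up after WDS restarts.
        Restart-Service -Name WDSServer
    }

    [pscustomobject]@{
        Key      = $key
        Previous = $previous
        Current  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    }
}

# Preview the change first, then apply it.
Set-PxeTftpBlockSize -BlockSize 8192 -WhatIf
Set-PxeTftpBlockSize -BlockSize 8192
```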

On this particular PXE-DP the time to download the boot.wim increased by roughly 80%

To my knowledge this feature has been built into CB1606 but I have not moved there yet to test myself.
