We have seen lots of requests over the past couple of years for a wizard pane that allows you to select from a list of roles that should be applied to a machine, where those roles are defined in the MDT database.  There are a few examples of this available on the web, implemented in different ways.  I’ll throw another one into the mix, this one using an ADO.NET Data Services web service to get the needed data.  (If you didn’t read my previous posting about this setup, click here.)

<?xml version="1.0" encoding="utf-8"?>
<Wizard>
  <Global>
    <CustomStatement><![CDATA[
' ***************************************************************************
' File:	Roles.xml
' Author:	Michael Niehaus
' Version:	1.0
' Purpose:	Display a list of roles from the MDT database, retrieved
'	using an ADO.NET Data Services.web service.  One
'	or more roles can be selected.  After they have been
'	chosen, CustomSettings.ini needs to be re-processed
'	to pick up the new settings.  Ideally this would be done
'	after the wizard is complete (just in case someone 
'	navigated back to the screen after initially making
'	changes), but that requires changing LiteTouch.wsf.
'
' NOTE:	Be sure to modify the web service URL below
'
' ***************************************************************************
Function InitializeRoleList
	Dim sScript
	Dim oDataService
	Dim oRole
	Dim sRoles
	' Make sure that ZTIDataAccess.vbs is available since it isn't loaded by Wizard.hta
	sScript = oFSO.OpenTextFile(oUtility.ScriptDir & "\ZTIDataAccess.vbs", 1, false).ReadAll
	On Error Resume Next
	ExecuteGlobal sScript
	On Error Goto 0
	' Call the web service
	Set oDataService = New WebService
	oDataService.WebService = "http://localhost:62932/MDTDatabase.svc/RoleIdentity"
	oDataService.Method = "REST"
	Set oResult = oDataService.Query
	' Process the roles to populate the list of checkboxes
	sRoles = ""
	For each oRole in oResult.SelectNodes("//d:Role")
		sRoles = sRoles & "<input type=checkbox name=Roles id=Roles enabled value='" & oRole.Text & "'>" & oRole.Text & "</input><br>"
	Next
	' If no roles were found, set the div to indicate that
	If sRoles = "" then
		sRoles = "<label class=errmsg style='display: inline;' >No roles could be found."
	End if
	' Update the pane
	RoleList.InnerHTML = sRoles
End Function
Function ValidateRoleList
	' Flush the value to variables.dat, before we continue.
	SaveAllDataElements
	SaveProperties
	' Process full rules (needed to pick up the role settings, apps, etc.)
	sCmd = "wscript.exe """ & oUtility.ScriptDir & "\ZTIGather.wsf"""
	oItem = oShell.Run(sCmd, , true)
	ValidateRoleList = True
End Function
]]></CustomStatement>
  </Global>
  <Pane id="Roles">
    <Body><![CDATA[<H1>Select the roles to be assigned to this computer.</H1>
<br>
<div class=TreeList id=RoleList style="height: expression( GetDynamicListBoxSize(this) );">
<label class=errmsg style="display: inline;" >Loading roles...
<!-- List goes here -->
</div>
]]></Body>
    <Validation><![CDATA[ValidateRoleList]]></Validation>
    <Initialization><![CDATA[setTimeout GetRef("InitializeRoleList"), 0]]></Initialization>
  </Pane>
</Wizard>

While this is set up as a stand-alone wizard, you can insert this into an existing deployment wizard using the MDT Wizard Editor by following these steps:

1. Launch the MDT Wizard Editor.
2. Open the DeployWiz_Definition_ENU.xml file.
3. Click on the “Global” pane.  Click “Add” on the “Settings” pane and choose to add a new “CustomStatement”.
4. Select the new “CustomStatement” at the end of the “Settings” list.
5. Select the VBScript code above (from the first comment line to the last End Function line) and copy it to the clipboard.
6. Paste the copied VBScript code into the text box in the MDT Wizard Editor.  Edit the web service URL to specify your ADO.NET Data Services web service URL.
7. Select a wizard pane (the new pane will be inserted after this one, so select appropriately).
8. Select all the text above from “<Pane” through “</Pane>” and copy it to the clipboard.
9. Right-click on the selected pane name in the MDT Wizard Editor and choose “Paste”.

What, your MDT Wizard Editor doesn’t have a “Paste” option?  Well, you need to download a new version from http://mdtwizardeditor.codeplex.com/, as I just added the paste capability tonight (along with other general usability improvements – I forced myself to actually use the program to create the rules wizard pane above and fixed all the behaviors I didn’t like while I was at it).

A few notes to mention:

• Because the wizard runs after CustomSettings.ini has been processed, the role settings, applications, etc. wouldn’t be processed as the “Gather” process isn’t run again.  To work around this, I added logic above to run ZTIGather.wsf again.  This could add a delay when clicking “Next”, so you might choose to do this later (possibly by modifying LiteTouch.wsf).  The other problem with running ZTIGather.wsf from this wizard pane:  If you navigate back to this wizard pane and uncheck an item, it’s too late – the settings for that role have already been added into the task sequence environment.
• The MDT 2010 wizard hypertext application (Wizard.hta) doesn’t load the ZTIDataAccess.vbs script needed to make web service calls from a wizard pane.  To work around this, I added logic above to dynamically load the file.  The other alternative would be to edit Wizard.hta to tell it to include the file.
• The role list is populated asynchronously so that the wizard doesn’t appear to be hung.  This is done by the “setTimeout” initialization statement above.  Note that the “Next” (or “Finish”) button will be enabled even while this is happening, so if you don’t want to wait you can probably go ahead and click the button to move on to the next pane.
• If you don’t have the ADO.NET Data Services web service set up and working, don’t expect this wizard pane to somehow magically fix it :-)

One of the new features in the .NET Framework 3.5 SP1 is ADO.NET Data Services.  This enables you to expose the contents of a data source, e.g. a SQL Server database, through something that looks roughly like an RSS feed, accessed in a similar manner to a web service.  That’s nice but why do you care as an IT pro?  Well, it’s a convenient way of making the contents of the MDT database available to programs or scripts without forcing them to use ADO to access SQL Server directly.

The best part of ADO.NET Data Services:  You really don’t need to write any code.  Just walk through a few Visual Studio 2008 wizards and you’re done – almost.  There are two lines of code that I added, one to day that all the selected tables and rows can be accessed read-only, and a second that generates detailed errors if something doesn’t work.  The basic process is described at http://msdn.microsoft.com/en-us/data/cc745957.aspx.  (So I lied – you have to write two lines of code.)

The harder part of this is deploying the resulting ADO.NET Data Services project to an IIS server.  You need to have .NET 3.5 SP1 installed, then IIS and ASP.NET need to be installed.  You might need to run “ServiceModelReg.exe –i” to get the ADO.NET Data Services and WCF logic registered in IIS, see http://msdn.microsoft.com/en-us/library/ms732012.aspx for details.  You will definitely need to edit the database connection string in the Web.Config file to point to your server (and optionally the instance) as well as the database (Initial Catalog) that needs to be used.  And you might need to grant access to SQL Server, the database, and the database tables and views.  (See http://msdn.microsoft.com/en-us/library/ms998320.aspx if SQL Server is on the same machine.)  Really, it’s not that bad :-)

The actual ADO.NET Data Services files need to all be dropped in a directory.  After doing this, set up an application in IIS that points to this directory.  At that point, if everything is set up right, you should be able to access the the web service via a browser.  To test it out, try a URL like this:

http://yourserver/YourApplicationName/MDTDatabase.svc

If that gives you a list of objects available in the database (you might need to tell IE not to display the result in RSS Reader view to see the real contents – in IE8, that’s configured on the “Content” tab from the “Feeds and Slices” settings dialog), you know at least IIS, .NET, and ADO.NET are fine.  Then try a more specific URL to request all the computer records:

http://yourserver/YourApplicationName/MDTDatabase.svc/ComputerIdentity

That should result in something that looks like this:

Yes, kind of weird looking, but pretty easy to consume in a script.  So that’s the next step – making use of this data.  More on that in the next posting.

The full solution (Visual Studio project, source, binaries, etc.) is attached.

For those of you who customize the MDT wizards, you may want to check out the new version of the MDT Wizard Editor at http://mdtwizardeditor.codeplex.com.  The latest version 2.0, uploaded today, includes a few fixes (e.g. properly encoding XML file entries in CDATA sections), adds support for MDT 2010, and includes a few new features.

The first change you will notice is that there is now a menu bar:

Use the “File” menu to open menu definition files (XML files), save your changes, and to exit the program.  Use the “Wizard” menu to test a wizard definition file after you have made changes.

The testing process is the most significant change in this new version.  It will gather information from the machine (running ZTIGather, as long as it can find it) and then display all of the variable values before starting the wizard:

You can modify variables, remove variables, add variables – whatever you would like to do.  When you are ready to run the wizard, click the “Run” button.  Once you have completed the wizard, the dialog will be updated to show you the variables that were set after the wizard completed:

In this case, you can see the additional variables that were defined for keyboards, applications, BitLocker, etc.

If you find any issues with this release, or if you have any suggestions on how to improve the release (subject to my available time), please use the CodePlex “Issue Tracker” to submit new items.

When MDT 2010 replicates content to a linked deployment share, you can choose whether to copy “standard folders” as part of that replication process.  These folders (Scripts, Tools, $OEM$, USMT) might be required by one or more of the task sequences being replicated, so we give you that option.  In the case of media, we always copy these four standard folders; you don’t get a choice as we assume everything in those folders is required by the current deployment share and therefore is also required by the media.

We have periodically received requests to allow for the replication of additional folders to linked deployment shares, as well as the inclusion of additional folders when creating media.  As a result of those requests, we added a mechanism for specifying a list of extra folders.  But there’s one challenge for that:  We didn’t provide a user interface for configuring those, so you have to use PowerShell to do it.  Unfortunately the documentation doesn’t even mention that this is possible, so consider this blog entry a documentation addendum :-)

From a PowerShell session, you would first need to load the MDT PowerShell snap-in (“Add-PSSnapIn Microsoft.BDD.PSSnapIn”) and then connect to the deployment share (simplest way is “Restore-MDTPersistentDrive” to get all the drives connected that you use in the Deployment Workbench).  In the case of linked deployment shares, you can get all the current properties like so:

Then setting the ExtraFolders property (which is empty by default) is achieved using “Set-ItemProperty”:

Because the ExtraFolders property is a list (array), you always need to specify the values as I did, using the PowerShell syntax of @(“Value1”, “Value2”).  If you only have a single value, it would look like @(“Value1”).

Media works the same way:

The folders you specify need to exist at the top level of the deployment share.  In my examples above, my deployment share is “C:\DeploymentShare” so the folders that must exist are “C:\DeploymentShare\MyFolder1” and “C:\DeploymentShare\MyFolder2”.  Make sure you specify folders that actually exist – otherwise you’ll get errors when MDT tries to copy those folders.

After doing this, you’ll notice an additional line in the output, highlighted below, telling you how many extra folders were copied:

In MDT 2008, we provided unknown computer support for ConfigMgr 2007, since it didn’t provide that capability – you first had to import new computers into the ConfigMgr database before you could install an OS, so MDT helped automate that process.  When ConfigMgr 2007 R2 was released, it included unknown computer functionality, so we have now removed most of that from MDT 2010.

One of the useful parts of this unknown computer process was a pre-execution hook that would run a wizard, leveraging the same wizard framework that we used for MDT 2010 Lite Touch deployments.  This was useful because we provided all the pieces to make it work:  the TSCONFIG.INI file that tells ConfigMgr what to run, the script that gets executed by ConfigMgr (referenced in TSCONFIG.INI), the rules processing logic to gather information from WMI and other data sources, and the wizard files themselves.

With MDT 2010, we’ve left these pieces in place, but set them up to do something more basic: prompt for a new computer name.  This is provided as a sort of general purpose “sample”, showing how to hook this into ConfigMgr.  While you might not find the sample particularly useful, you can edit the wizard definition (using Notepad or something like the MDT Wizard Editor, http://mdtwizardeditor.codeplex.com/) to add additional panes.

All the files related to this general purpose sample are located in the “C:\Program Files\Microsoft Deployment Toolkit\SCCM” directory:

• ZTIMediaHook.wsf.  This is the pre-execution hook script that drives the whole process (gathering information from WMI and other sources, then displaying the wizard).
• Deploy_SCCM_Definition_ENU.xml.  This file defines the wizard itself, which by default has one pane that asks for the computer name.
• Deploy_SCCM_Scripts.vbs.  This file contains the initialization and validation scripts called by the wizard pane (which don’t do much in this case).
• TSConfig.ini.  This file gets added to the boot image and tells ConfigMgr to run the ZTIMediaHook.wsf script.

So if you wanted too do some customization, the files you would want to change are the “Deploy_SCCM_Definition_ENU.xml” (to add or change wizard panes) and “Deploy_SCCM_Scripts.vbs” (to specify additional initialization or validation logic).

To actually get these pieces added into a boot image, you can check the “Add media hook files to enable the Deployment Wizard for this boot media” checkbox when running either the “Create Boot Image using Microsoft Deployment” wizard (which creates only new boot image which you would then need to configure the task sequence and ISOs to use) or the “Create Microsoft Deployment Task Sequence” wizard (which can create a new boot image as part of the task sequence creation process).

Booting from this boot image, you should see a wizard that looks like this:

You can then specify the computer name you want, which will set the OSDComputerName task sequence variable.  Like I said, pretty simple, but provided as a starting point for your own customizations – just edit the XML and VBS files, create a new boot image, and then deploy.  (Remember that all of these files are actually embedded in the boot image WIM file, so when you make changes you either need to create a new boot image or mount the existing one to change those files.  Update the distribution points after making changes.)

I’ve also attached a short video that shows the startup process (including the initial ConfigMgr wizard screen that can be used for specifying static IP information and for typing in the media password).

People have made fun of ConfigMgr, and every version of SMS before that, for being “slow moving software”.  For those of you who try to deploy software to a machine and then wait for it to actually happen, you know what I mean: it was guaranteed to take two minutes from the time you advertised it to the time the first clients acted on it.

With ConfigMgr SP2, a significant portion of that delay (which was actually happening on the client side, not on the server) was removed.  Now, I can add a new machine into a collection, then go to the machine and initiate a machine policy retrieval cycle and see a popup for new advertisements within a few seconds.  The first time that happened I was a bit startled by the result – surely something must be wrong.  But it wasn’t, the advertisement really was available that quickly.

ConfigMgr SP2 is still available as an RC through http://connect.microsoft.com, so you can try it out in your lab if you want.  It is expected to be released by the end of October.

Yes, I’ve been promising this blog posting for quite some time.  And I’ve been working on this for quite some time, but kept getting distracted either by new releases (Windows 7, Windows Server 2008 R2, MDT 2010, SCVMM 2008 R2, etc.) or by the addition of new features to the PowerShell scripts that I’ve been using.  But I’m determined to get this first part finished today.  Shame sometime can be a motivator :-)

First you need some additional background information.  I did a presentation at the Microsoft Management Summit, TechEd US, and TechEd Australia where I talked about how to use MDT 2010, ConfigMgr 2007, and SCVMM together for two main purposes:

• Creating an image factory. 
  • Perform unattended installation and configuration of operating systems (including patches, applications, etc.)
  • Sysprep and capture images for distribution/cloning
  • Create WIM files for deployment to physical hardware, VHD files for use with Virtual Machine Manager and Hyper-V
• Virtual Machine Customization
  • Rather than having lots of special-purpose VHDs, have a smaller number with the ability to apply specific roles or configuration at the time of deployment

So this posting is covering the first part, using MDT 2010 Lite Touch together with SCVMM to create an image factory.  Here’s more of a logical picture of what I am talking about:

So imagine that you have created a deployment share in MDT 2010 Deployment Workbench, imported your operating systems and all the other required files, and created multiple task sequences to build your reference images.  Now you want a quick and easy way to run all of those task sequences, without having a pile of hardware (so virtual machines are good) and without needing to manually initiate the process on each machine (automating the wizard).  That’s where the “image factory” comes in.

To implement this, I created a set of PowerShell scripts to initiate the step-by-step process above.  The scripts and their purpose:

• MDTImageFactory.ps1.  This is the main PowerShell script that drives the whole process (although the bulk of the logic is in the other scripts).
• MDTDB.psm1.  This is a PowerShell module that is used to manipulate the MDT database (more on that later).
• ImageFactory.psm1.  This is a PowerShell module that handles the interaction with SCVMM 2008 R2.

These scripts need to know some details from your environment.  Rather than hard-coding that information in the scripts themselves, this information is stored in a separate XML file named “MDTImageFactorySettings.xml.”  This file contains the following settings:

• DeploymentShare.  This specifies the path to the MDT 2010 deployment share containing the task sequences that should be executed.
• VMMServer.  This specifies the name of the SCVMM server.
• VMMLibrary.  This specifies the name of the SCVMM library on the specified SCVMM server.
• HyperVHost.  All virtual machines will be created on this server, which is being managed by the SCVMM server.  (It could be the SCVMM server, if that server is also running Hyper-V, or it could be a different machine.)
• HyperVHostNetwork.  The Hyper-V host may have multiple networks defined; this specifies the name of the network that should be used when creating each virtual machine.  This network must have access to the specified deployment share.
• HardwareProfile.  A hardware profile specifies the settings that should be used when creating a new virtual machine.  This specifies things like the amount of RAM to allocate to the machine (1GB is suggested), the network adapter type (a legacy adapter is recommended since the drivers are available in most OSes), and other hardware settings.
• VHD.  This specifies the template VHD that should be used when creating the virtual machine.  (SCVMM provides two templates initially, a small one and a large one, but since these dynamically grow it makes sense to always use the “Blank Disk - Large” template.)
• MaximumRunning.  Your Hyper-V host might not have the capacity to run all the task sequences (one per VM) at one time, so this specifies a throttling value: the script will ensure that only this number of VMs is activate at one time.  (For example, if your Hyper-V server has 8GB of RAM with no VMs running, you might choose to run 6-7 VMs at one time, so specify 6 or 7 as the value to use.)
• TaskSequenceFolder.  This specifies the folder in Deployment Workbench containing the task sequences that should be executed.  Normally, all task sequences are selected by specifying “MDT:\Task Sequences” but if you wanted to process only the task sequences in a subfolder you could change this to something like “MDT:\Task Sequences\My Subfolder”.  (Only enabled task sequences that deployment an operating system will be selected, so if you want to skip one while you are working on it just uncheck the “Enabled” checkbox in the properties for that task sequence.)
• UseDelegation.  Setting this to “True” enables an optimization in the process: the virtual machines can be configured to use a ISO on the SCVMM library share, instead of copying that ISO to the Hyper-V host using BITS.  This is optional, but if you want to enable it be sure to review the requirements for doing this at http://technet.microsoft.com/en-us/library/ee340124.aspx.

So what is required to set this up in your environment?  First, make sure that your environment is functional, as these scripts won’t magically fix things:

• Make sure SCVMM 2008 R2 can create and operate VMs on the Hyper-V host.
• Create your MDT 2010 deployment share and task sequences and make sure they run fine on a Hyper-V VM when manually started through the Deployment Wizard.
• Make sure PowerShell v2 is installed on the server where you expect to run these scripts.  (SCVMM 2008 R2 works with PowerShell v2; SCVMM 2008 technically only supports PowerShell v1.)
• If you want to run the scripts on a machine that isn’t the SCVMM server, make sure that the SCVMM console is installed so that the SCVMM PowerShell cmdlets are available.
• If you want to run the scripts on a machine that isn’t the MDT 2010 server, install MDT 2010 so that the MDT PowerShell cmdlets are available.

Once that’s done, you can perform the following setup steps:

1. Set up the MDT database, as this is required for the image factory to work.  There are two steps involved: running the wizard to create the database, and then running another wizard to configure the query rules in CustomSettings.ini.
2. Make sure that x86 and x64 are enabled for the MDT deployment share.  (The script assumes both ISOs will be available.  The name of the ISO doesn’t matter as the PowerShell script will get the name configured in the deployment share properties.)
3. Create a SCVMM hardware profile.  This should specify a reasonable amount of RAM (I typically use 1GB) and to use a legacy NIC (as the driver is available in most OSes); all VMs will be created using this hardware profile.
4. Configure Bootstrap.ini on the deployment point properties so that no user interaction is required to start the deployment process:
   
   SkipBDDWelcome=YES
   UserID=Administrator
   UserDomain=MTN-DEMO
   UserPassword=password
   
5. Make sure the SCVMM library server is in the Internet Explorer “Local intranet” zone (add \\server-name), or make sure the machine you are running the PowerShell scripts on has the UNCAsInternet registry setting configured.  If you see messages like “While scripts from the internet can be useful, this script can potentially harm your computer. Do you want to run <script>?” when trying to run the PowerShell scripts, you’ll understand why you need to worry about this.  (See http://www.leeholmes.com/blog/PowerShellExecutionPoliciesInStandardImages.aspx for some background.)
6. Create a folder called “PowerShell scripts” in the SCVMM library share.
7. Copy the attached scripts (after extracting them from the CAB file) into the “PowerShell scripts” folder on the deployment share.
8. Edit the MDTImageFactorySettings.xml file to specify your server names and settings as described above.
9. In the SCVMM console, refresh the library share to see the PowerShell scripts that were added.
10. Right click on the MDTImageFactory.ps1 script to run the process.

You should then see that connections are made to the MDT deployment share, the MDT database (the settings for the database are retrieved from the deployment share), and the SCVMM server.  A virtual machine will be created for each enabled OS deployment task sequence in the specified folder (and subfolders, recursively), and then the specified number of VMs will be started.  As the first VMs complete they will shut down (as long as the task sequence finishes successfully) and new ones will be started, until all task sequences are finished. 

As part of the VM creation process, new MDT database entries are created specifying the computer settings, associated to the MAC address of the network adapter for that VM.  These settings include:

SkipWizard=YES
SkipFinalSummary=YES
TaskSequenceID=<the ID of the task sequence to run>
AdminPassword=P@ssword
DoCapture=YES
ComputerBackupLocation=<deployment share UNC>\Captures
BackupFile=<task sequence ID>.wim
FinishAction=SHUTDOWN

So that specifies to skip all the wizards, run a specific task sequence, use a constant local admin password, capture an image to the deployment share using the task sequence ID to name the WIM file, and to shut down the VM when the whole process is complete.

Here’s what you might expect to see while the VMs are being created:

and while they are running:

That display will keep repeating until all task sequences are complete and the virtual machines shut down.

As the virtual machines complete, there will be two “outputs”:  the WIM file that is written to the “Captures” directory of the deployment share, and the VHD file that is still attached to the VM.  You can turn that VHD into an SCVMM template and use that when creating new VMs.  If you do that, be sure to disconnect the ISO file from the virtual DVD drive and to configure the NIC to specify a dynamic MAC address.  (More on that topic in a future blog post when we talk about virtual machine customization.)

That’s pretty much the whole process, but it is worth mentioning a few things in closing:

• The script could be enhanced to add the logic to detach the ISO file and reconfigure the NIC once the VM shuts down, but if I kept delaying while adding more script features this blog posting would never get completed :-)
• You can monitor the VMs inside the SCVMM console – just click on each one and see the thumbnail of the server display.  This lets you quickly scan through each of the VMs looking for ones that had errors or were just taking too long.
• These scripts were only tested with a Hyper-V host.  They should work with VMware ESX and Virtual Server, but might require some simple customization to make everything work.  Proceed at your own risk, let me know if you get it to work.

The “Part 2” blog posting will describe how to perform the same scenario using System Center Configuration Manager 2007 (with or without MDT), but it will take me some time to recover from this posting before I get to that one.

If I messed up the instructions or left something out, please let me know via e-mail, mniehaus@microsoft.com.  The scripts attached to this blog entry are provided as-is, and are not supported by Microsoft.  See the scripts for the full disclaimer.

Both MDT 2010 Lite Touch and ConfigMgr 2007 run the same task sequencer.  This task sequencer can run any command that you want, just specify the command line to use.  That’s the simple part – the harder part is figuring out what this command line should do.  Often the command, a VBScript or PowerShell script, needs to get information from the task sequence itself, accessing variables in the task sequence environment.  Remember, these task sequence variables aren’t environment variables – they are distinctly separate, so you can’t use the PowerShell “Env:” drive.

If you are using MDT, building a VBScript that includes the ZTIUtility.vbs script makes accessing task sequence variables pretty simple, as you can then reference something like this in your script:

sValue = oEnvironment.Item("MYVAR")

But PowerShell is now the rage – what if you wanted to do the same thing using PowerShell?  Fortunately that’s not too difficult either.  Here’s a simple example that gets the value of a particular variable:

$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
Write-Host $tsenv.Value("_SMSTSLogPath")

You would then need to set up a task sequence step that ran that PowerShell script.  In the Lite Touch case, I would suggest saving the file in the “Scripts” directory on the deployment share, for example as “Test.ps1”.  You could then create a “Run command line” step in the task sequence that executes this command:

PowerShell.exe -File "%SCRIPTROOT%\Test.ps1"

If you were using MDT 2010 integrated with ConfigMgr, the same thing would work, but you would need to add the file to the “Scripts” directory of the MDT toolkit package.  Alternatively, you could create a new software distribution package containing the PowerShell script, specify to use that package on the “Run command line” step of the ConfigMgr task sequence, and then specify a command line that assumes the script is in the working directory:

PowerShell.exe -File "%SCRIPTROOT%\Test.ps1"

If you want to change a task sequence variable (or set a new one), you use the same “Value” method:

$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$tsenv.Value("MyVar") = "My Value"

Maybe you want to do something a little more involved, like create an transcript (log) of the execution of your script.  You can use the _SMSTSLogPath variable to determine where to place the file:

# Determine where to do the logging
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$logPath = $tsenv.Value("_SMSTSLogPath")
$logFile = "$logPath\$($myInvocation.MyCommand).log"

# Start the logging
Start-Transcript $logFile

# Insert your real logic here
Write-Host "We are logging to $logFile"

# Stop logging
Stop-Transcript

Another useful example is a script that logs the values of all task sequence variables:

# Determine where to do the logging
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$logPath = $tsenv.Value("_SMSTSLogPath")
$logFile = "$logPath\$($myInvocation.MyCommand).log"

# Start the logging
Start-Transcript $logFile

# Write all the variables and their values
$tsenv.GetVariables() | % { Write-Host "$_ = $($tsenv.Value($_))" }

# Stop logging
Stop-Transcript

Or you could use the same technique to turn all the task sequence variables into PowerShell variables:

# Determine where to do the logging
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$logPath = $tsenv.Value("_SMSTSLogPath")
$logFile = "$logPath\$($myInvocation.MyCommand).log"

# Start the logging
Start-Transcript $logFile

# Convert the task sequence variables into PowerShell variables
$tsenv.GetVariables() | % { Set-Variable -Name "$_" -Value "$($tsenv.Value($_))" }

# Write out a specific variable value
Write-Host $_SMSTSMDataPath

# Get all the variables
Dir Variable:

# Stop logging
Stop-Transcript

(Take out all the extra stuff and this could be reduced to two lines, the one that creates the COM object and the one that calls GetVariables.)

A few other notes worth mentioning:

• You need to make sure scripts are enabled before trying to run these via a task sequence.  In the case of MDT Lite Touch, the scripts will typically be run from a network UNC path.  For ConfigMgr, a local path (for download-on-demand or download-and-execute) or a network path (for “run from DP”) will be used.  You can include a step in the task sequence to set the needed execution policy, e.g. “powershell.exe -Command { Set-ExecutionPolicy Unrestricted }”, or configure the same via Group Policy.
• You may want to add the “-noprofile” parameter to the PowerShell.exe command line as the profile commands may cause issues with your script.
• The Microsoft.SMS.TSEnvironment COM object is only available while the task sequence is running, so you need to test your script inside of a task sequence.  (This can be a case where the “convert task sequence environment to PowerShell variables could come in handy: do you testing with hard-coded variables, remove the values before deploying the script.)
• The task sequencer only registers the matching platform of Microsoft.SMS.TSEnvironment.  For example, when the x86 task sequencer is running the x86 Microsoft.SMS.TSEnvironment will be available but the x64 version will not.  For an x64 task sequence, only the x64 Microsoft.SMS.TSEnvironment will be available.
• ConfigMgr will run the x86 version of the task sequencer even on x64 operating systems, so the x86 version of PowerShell will normally be run in this case.  (For MDT Lite Touch, the x86 version of the task sequencer is used on x86 OSes and the x64 version is used on x64 OSes.)  Make sure you are aware of which platform is running, as that might affect your PowerShell script execution.  (Note that x64 processes run via a ConfigMgr task sequence, done by disabling file system redirection for the task sequence step or by specifying “sysnative” in the path, won’t be able to create the Microsoft.SMS.TSEnvironment object because of the previous note.)
• If you want to return an error, you should insert an “exit” statement in your PowerShell script, e.g. “exit 1234”.  This will cause PowerShell.exe to return that return code to the task sequencer.

You’ve probably gone through this cycle if you are using WDS to PXE boot computers to start bare metal Lite Touch deployments:

• Import new drivers or change bootstrap.ini.
• “Update deployment share” to generate new WIMs.
• Import new WIMs into WDS.

Fortunately, with the new “update” process in MDT 2010, described in more detail at http://blogs.technet.com/mniehaus/archive/2009/07/10/mdt-2010-new-feature-17-customizable-boot-image-process.aspx, it’s pretty simple to add a script to automate this process.  First, the script:

Option Explicit

Dim oShell, oEnv

Set oShell = CreateObject("WScript.Shell")
Set oEnv = oShell.Environment("PROCESS")

If oEnv("STAGE") = "ISO" then

    Dim sCmd, rc

    sCmd = "WDSUTIL /Replace-Image /Image:""Lite Touch Windows PE (" & oEnv("PLATFORM") & ")"" /ImageType:Boot /Architecture:" & oEnv("PLATFORM") & " /ReplacementImage /ImageFile:""" & oEnv("CONTENT") & "\Sources\Boot.wim"""
    WScript.Echo "About to run command: " & sCmd

    rc = oShell.Run(sCmd, 0, true)
    WScript.Echo "WDSUTIL rc = " & CStr(rc)

    WScript.Quit 1

End if

You’ll need to update the image name in the string above if you’ve changed it from the default of “Lite Touch Windows PE (x86)” and “Lite Touch Windows PE (x64)” since the script doesn’t know what you’ve changed the values to.  Save the edited script as something like “C:\Scripts\UpdateExit.vbs”.  Then, edit the “C:\Program Files\Microsoft Deployment Toolkit\Templates\LiteTouchPE.xml” file so that these lines:

<!-- Exits -->
<Exits>
  <Exit>cscript.exe "%INSTALLDIR%\Samples\UpdateExit.vbs"</Exit>
</Exits>

Instead look like this:

<!-- Exits -->
<Exits>
  <Exit>cscript.exe "%INSTALLDIR%\Samples\UpdateExit.vbs"</Exit>
  <Exit>cscript.exe "C:\Scripts\UpdateExit.vbs"</Exit>
</Exits>

Then make a change that requires re-generating the WIM and ISOs, e.g. change something in bootstrap.ini.  You’ll see in the “Update Deployment Share” output the generated WDSUTIL command that updates the boot image in WDS.  If WDS is located on a different server, you’ll need to update the command in the script above to add “/Server:WDSServerName” to the command.  (WDSUTIL must also be available on the machine, so you may need to install the RSAT WDS tools.)

Extra credit for someone who can convert this into a PowerShell script and look up the right boot image name :-)

I’ve been distracted while we worked on fixing the remaining bugs in MDT 2010, which was finally released today.  Now it’s time to get back to the discussion on new features in MDT 2010.  Next up on the list: improved driver management.

This is really a combination of two features we had already discussed:

• MDT 2010 New Feature #4: Folders everywhere, http://blogs.technet.com/mniehaus/archive/2009/06/27/mdt-2010-new-feature-4-folders-everywhere.aspx
• MDT 2010 New Feature #18: Selection profiles, http://blogs.technet.com/mniehaus/archive/2009/07/12/mdt-2010-new-feature-18-selection-profiles.aspx

with some capabilities added in that we haven’t already discussed.  First, there are new options available in a Lite Touch task sequence’s “Inject drivers” step:

Now there are two options when injecting drivers:

• Inject only matching drivers from the selection profile.  This is the same behavior as MDT 2008, injecting all drivers that matched one of the PnP IDs on the computer.
• Inject all drivers from the selection profile.  This is new (and roughly corresponds to the similar behavior that is available with a ConfigMgr “Apply Driver Package” step).  Instead of only injecting matching drivers, this injects all the drivers in the selection profile.

You might choose the first option, you might choose the second – it just depends on how you want to do it.  You might also choose to do both: you could create multiple “Inject driver” steps and specify different options and different selection profiles on both.  For example, you might have one “always apply” selection profile with all the printer drivers that you support (whether currently attached or not) and an “only matching” selection profile for everything else.  You could also set up multiple steps and place conditions on them, using different selection profiles and injection options based on the conditions (e.g. make and model).

Of course, if you want the process to be more dynamic, you can override the settings on the fly.  I would foresee this being a very common scenario, where you either specify a different selection profile on the fly, or maybe instead specify a list of folders that should be used.  To do this, you need to understand the available task sequence variables that can be configured through CustomSettings.ini:

• DriverSelectionProfile.  This can be used to override the selection profile configured in the “Inject drivers” step, e.g. changing the default selection profile to “Lenovo T61p Drivers”.
• DriverGroup.  This is a carry-over from MDT 2008, although now you can specify a folder path in order to select subfolders.  For example, if you created a “Toshiba” folder with a “Tecra M400” folder under it, you could specify “DriverGroup001=Toshiba\Tecra M400” or even “DriverGroup001=%Make%\%Model%”.
• DriverPaths.  This is a carry-over from BDD 2007 (and before) provided for compatibility only.  It allows you to specify UNC paths containing the drivers to be injected, e.g. “DriverPaths001=\\Server\Share$\Toshiba\Tecra M400” or “DriverPaths001=\\Server\Share$\%Make%\%Model%”.  Because this requires carefully controlling the physical storage of the drivers instead of the logical grouping through folders in the Deployment Workbench, this is frowned upon.  Support for this may be removed in a future release.

It’s important to understand that these parameters have an “additive” effect.  For example, if you specify a selection profile of “Everything” (all folders) and then specify “DriverGroup001=Toshiba\Tecra M400” the net result will be everything.  But if you specified a selection profile of “Nothing” (no folders) and “DriverGroup001=Toshiba\Tecra M400” then the result would be just the one folder you specified.  (DriverPaths values would be additive as well, but those aren’t recommended.)

So you have options.  You can create multiple selection profiles and choose which one to use dynamically, something that gets messy if you just want one folder per selection profile (e.g. per model) since every new folder would require a new selection profile.  Or you can choose the “Nothing” selection profile and then specify one or more folders via “DriverGroup”.  I believe that will be the most common approach, as you can then do things like:

DriverSelectionProfile=Nothing
DriverGroup001=%Make%
DriverGroup002=%Make%\%Model%
DriverGroup003=Peripherals

If you’ve already experimented with this and have some best practices to share, comments about challenges while implementing this, or just general questions, feel free to e-mail me at mniehaus@microsoft.com.