In this post in our Windows 8 deployment series, we will edit the Windows 8 Task Sequence to include an application and to provide additional security. We will also cover BIOS management during the image process.
When we created our Windows 8 Task Sequence in the previous part, we used the Standard Client Task Sequence.
Standard Client Task Sequence
Microsoft has done an awesome job making this template as versatile as possible. If we want our setup to be as efficient as possible, we will most certainly need to edit it. Let’s get down to it!
Adding in Office
In Part 2, we created the Office Application. However, our Task Sequence has no idea that it even exists. We will need to edit the Task Sequence and add it. To edit your Task Sequence, right click on the Task Sequence and select Properties. Once the General tab has opened, select the Task Sequence Tab.
Task Sequence Initialization
Expand the State Restore section and then click the Install Applications task. Select Install a single application and then select Browse. Finally, select the previously created application (Microsoft Office 2010).
If you select Install multiple applications, end users can select the applications to add to their computer before the machine images.
If you wish to install multiple applications (for example Adobe Reader and Office), you can do so. First, add in the Application (using the directions in Part 2 of this series). After the application has been imported, edit your Task Sequence. Select the Install Applications Task. Then select Add – General – Install Application.
Adding an additional Install Application Task
After the Install Application task is added, select Install a Single Application and specify your new Application. If you find yourself adding multiple applications, it is a best practice to give each task a unique name. In the screenshot below, each Install Application task has the application name specified afterwards.
This Task Sequence is used for Offline machines in our corporate environment.
Securing the Task Sequence
As we discussed in part 3, a Task Sequence can be divided into two sections; the Windows PE section and the actual OS. When the computer has fully load the OS and is customizing it, the machine is in the State Restore phase of the Task Sequence. Every task in this phase runs as the local administrator. From a security stand point, this can be a big deal. If your machines are doing a lot of tasks in this phase, a user could easily walk up to the machine and perform malicious tasks (at worse). At best, your users will log out the local administrator and log in as themselves (which would kill the Task Sequence).Either way, we need to stop this and to secure the State Restore phase. There are two main ways to do this.
Locking the computer
The easiest way is to lock the computer. To do this, add a new task at the very beginning of the State Restore phase. To do this, select Add – then select General – finally select Run Command Line. Name the Task “Lock Workstation” and add rundll32 user32.dll,LockWorkStation as the command.
The Lock Workstation Task
If the computer restarts during the State Restore phase (for example, after applying Windows Updates), you will need an additional Lock Workstation task. To make your life easier, simply copy the first Lock Workstation task and paste it. Then move it to the proper location. While this is the quickest option, user may still become confused as to when the imaging process is finished.
Hiding the shell
The second option is to prevent Explorer.exe from starting. By doing this, the user only sees the Task Sequence and will not see the Start Menu, Taskbar, etc. You can achieve this by adding a new task at the beginning of the State Restore phase. This task should read taskkill.exe /im explorer.exe. Remember that if the computer restarts, you will need to add this task in again. Beginning in MDT 2012, a new CustomSetting command is available named HideShell. I find this way preferable as the end user can clearly see that the computer is still imaging.
In my personal opinion, there is no better time to update the BIOS than during the imaging process. To do this, we are going to treat our BIOS updates as an application. First, download the needed BIOS updates for all of your computer models. Create a folder under the Applications folder (in the Deployment Share) and name it BIOS. Then create sub folders for each model. Finally, rename each BIOS Update to BIOSUpdate.exe. For documentation, I also add a text file to each subfolder listing the BIOS version (example: A06)
Folder Structure for Storing BIOS Updates
Next, edit your Task Sequence and open the PreInstall group. Add a new Run Command Line Task and move it down until it is right above the Set Task Sequence Variable task.
In our environment, the task is named BIOS Updates.
Because we are using Dell Machines in our test environment, we will add BIOSUpdate.exe -nopause –noreboot as our Command Line. If you have other models, you will need to specify a silent command and a no reboot command. Finally, set your Start in location to Z:\Applications\BIOS\%MODEL%\.
Now, machine will automatically pull and install their correct BIOS update! And they will automatically look in the correct folder – with just a single task!
In this post, we added an Application to our Task Sequence, secured our deployment, and learned how to update the BIOS during Imaging. In our next post, we will dive into all of the answer files that MDT uses. These include the CustomSettings and Bootstrap.ini files. We will also build our Windows PE boot images!
As always, if you have any questions or comments – please let us know in the Comments Section.