So now we’ve MDT 2010 to a level where we could actually make a seamless install.

No we haven’t.  I lied again.

What we’ve done is bring a lot of automation but there are things that can and should happen even further.

What about Windows Updates?   What about things that can happen WITHIN that installation as it’s installing?  Perhaps you’d like to NOT join to the Domain and leave the password in clear text?

That’s the power contained within your Task Sequence.  Remember when I said it was a “Predefined Template” but you COULD go into it deeper?  We’re about to open the hood.  Let’s pull up the properties of the Task Sequence created before.


We’re going to click on “Task Sequence” which is (Are you ready folks?) the “SEQUENCE” your task is going to run in.

Taking a quick look at our Task Sequence it’s really almost a workflow more than code.   Stating what we’re planning on doing.  If you look near the bottom you’ll see two sections marked “Windows Update (Pre-Application Installation)” and “Windows Update (Post-Application Installation)”


Presently they are greyed out.  You can see this if you click on one of them and choose the “options” tab on the right hand side.   If you were to enable this feature you will now have enabled Windows Updates to occur BEFORE applications install.   Have done more than a few I recommend looking into getting as many patches into the system upon install.  But if you have WSUS server local to your install this is not a bad option to enable.  This is off be default to leave HOW you want Windows Updates to apply up to you.

With Windows 7 you may want to enable this to avoid disturbing the application Install.  Once it’s live on the Network, Windows 7 will IMMEDIATELY want to download updates.    However now we’re going to look into editing UNATTEND.XML in order to control this and other features on a finer level.

Click the “OS Info” tab next.  This will give you a very simplistic screen.  We’re concerned with one option “Edit Unattend.XML”


Fortunately for the ITPro this will NOT bring up a souped up version of NOTEPAD and force you to learn XML.  Microsoft has provided us with a proper editor to navigate and work with the content it contains in a very sensible fashion including encryption of passwords.   We get THIS to work with Smile


Looking here under “Unattend” on the right hand side are the various stages of your Deployment.  From WindowsPE all the way down to oobesystem (Out Of Box Experience, what happens JUST BEFORE  YOU GIVE IT TO THE USER TO BREAK!)

I’ll be honest and I haven’t mastered even half of this but I’ll show you some things I learned and maybe that will help you along. 

The part I’ve with the most is under “Specialize” and “oobeSystem”.   Specialize (from what I can tell you) is various changes you’re making to the O/S from it’s stock configuration.  Like the local Administrator password you’re assigning and the scripts that are running automatically upon each successive reboot of the O/S until of course that part is complete.

The neat part I found out, is that the commands are just DOS commands.  so if you need to disable a service JUST for the install (IE, say Windows Update is stepping on your toes) you simply find out the command in Console to alter the state of a service and add it to the list of “FirstLogonCommands” When you see “Synchronous” that means nothing else can happen until it’s predecessor is complete and the command order is exactly that.   This process works the same way under “Specialize” and “oobeSystem” – Just remember everthing done under “oobeSystem” is your “Out Of Box Experience”, what get’s left behind for the user


To add a new Command to the list simply right Click on “FirstLogonCommands” and choose “Insert New Synchronous Command”.  In the provided line you will need to specify the Script or Console command you are running, Give a vague description and specify the order it happens in.  (1,2,3,4,5) – Keep in mind if you want to make this happen before OTHERS you will have to go and edit the “Order number” on the FOLLOWING synchronous commands first.


You can, if you so choose edit the default password being assigned to the Local Administrator account in your Deployment.



Here’s the coolest part.  If you don’t want to show your ID and password for Joining a machine to the Domain under Rules you can edit the UNATTEND.XML and put it right here under “Specialize” under the “x86-Microsoft-Windows-UnattendedJoin-neutral” category.  Under the “Identification” you can specify “JoinDomain” as true then under “Credentials” key in the required credentials


You could sit down on an entire weekend and not learn the massive power available to you in UNATTEND.XML but I’m hoping here you can see what it can do and hopefully you become comfortable to really pop open the hood.

Our next and final bit?  We’re going to drop our Images into a WDS (Windows Deployment Services) and get our environment so that we can even use a PXE network boot to install the software.