The Deployment Bunny

OS Deployment, Virtualization, Microsoft based Infrastructure…


    Mikael Nystrom

    OS Deployment Geek, Virtualization and System Center

    Mikael Nystrom is a Microsoft MVP and Principal Architect at TrueSec

Nice to Know – Reset the WSUS update Count during OSD, allows automatic reinstallation of patches that failed

Posted by Mikael Nystrom on March 30, 2015

No, this is NOT something new, it's just that it needs to be spread more…

In MDT 2010, there were some improvements to the ZTIWindowsUpdate.wsf script. The reason was to cut down time, which they did, but at the same time ZTI became less reliable than it used to be. The issue is very simple: the task sequence remembers all patches that have been installed, so it will never ever re-install a patch. That is great, unless a patch needs to be reinstalled, and it might need to…

Alexey (with help from Keith) created a script in March 2010 that resets the counter. You can find the blog post here. The script you download from my site does the same thing; it is just slightly polished…

How to use it?

  • Download, Unzip and store the script in the Scripts folder of the MDT share
  • Modify the task Sequence:
  • Add a “Run Command Line” with the following command
    • cscript.exe "%SCRIPTROOT%\ZTIWindowsUpdateReset.wsf"

It should look something like this:



Posted in MDT

Nice to Know – Reset WSUS to “Factory Default” settings after OSD in MDT

Posted by Mikael Nystrom on March 30, 2015

Some days ago I wrote a post on how to reset WSUS after OSD in MDT, but of course a very good friend was complaining slightly. It was something like “Yeah, great, but I would like to reset WSUS back to a state where it has never ever been used, like a factory reset…”

Since I’m a nice guy, here it is, the WSUS Factory Reset application for MDT.

So, same story: download, unzip and import as an application, like this.


Then add it as an application in the MDT Task Sequence, something like this.



Posted in MDT

Nice to Know – Reset WSUS settings after OSD in MDT

Posted by Mikael Nystrom on March 26, 2015

After deploying an OS in MDT there are some “leftovers”. This script removes those settings, which is very convenient when creating a ref image that uses another WSUS server and you would like to minimize issues. Just download it, unzip it, and import it as an application, like this.


Then add it as an application in the MDT Task Sequence, something like this.

Download :



Posted in MDT

Nice to Know–Adding a second federated domain in ADFS fails if –SupportMultipleDomain was not used in the first place

Posted by Mikael Nystrom on February 7, 2015

Today I was trying to fix an issue with ADFS and Office 365.

The Issue:

A very simple error: when you try to add the second domain it fails, and in this case it was because the first federated domain was not set up using –SupportMultipleDomain.

The solution:

After some digging and searching I found this post:

The issue was not exactly the same but close enough, a bit further down in the post it seems that he had the same issue as a while back.


Delete the object in the ADFS console

Open up the ADFS mmc snap-in


and delete it

Switch from Managed to Federated

Open the elevated PowerShell prompt with the Msol CMDLets, connect and authenticate and run this command to fix it:

Convert-MsolDomainToFederated -SupportMultipleDomain -DomainName

From this point on, you can now switch from Managed to Federated on all the other domains as well

Last thing you do is to run:

Get-MsolDomain to verify:



Posted in ADFS, Office 365

Nice to Know – HP FlexFabric 10GB 2-port 534FLB Adapter can cause network issues using NVGRE

Posted by Mikael Nystrom on February 5, 2015

Today I was working at a customer site, setting up an NVGRE Gateway in a Fabric domain. Installation and configuration all went nice and smooth until we had to test and verify that the VMs could access the network. We found a misconfiguration and then, hey, it was working. Well, TCP was working but NOT UDP, wtf??? After some troubleshooting (Google and Bing and some cursing) it seemed to be various obscure things, some hotfixes, but then we found something that actually worked…

The issue: Encapsulated Task Offloading

I’m pretty sure that the idea behind it is all good, but of course as all “great” things, it does not work in this combination.

Here you can see the setting that needs to be disabled, and you can also see the driver version and date that was in place.

The Solution: Disable it!

But, if you disable it on every Hyper-V host (not only the hosts running the NVGRE gateway), it starts working. At the time we could not find any other solution than to disable it.

In this case the customer (and you know who you are) was kind enough to let me post the script that was used to disable this “amazing” technology.


or here in plain text form

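# Find every adapter that exposes the "Encapsulated Task Offload" advanced property
$Nics = Get-NetAdapterAdvancedProperty -DisplayName "Encapsulated Task Offload"

# Disable the offload on each of those adapters
foreach ($Nic in $Nics) {
    Set-NetAdapterEncapsulatedPacketTaskOffload -Name $Nic.Name -EncapsulatedPacketTaskOffloadEnabled $false
}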
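Because the setting has to be off on every Hyper-V host, it helps to apply and verify it remotely in one pass. The following is an added example, not the customer's script from this post; the host names and the function name Disable-EncapsulatedOffloadOnHosts are assumptions for illustration.

```powershell
# Added example. Host names are placeholders: replace with your own Hyper-V hosts.
$HyperVHosts = 'HV01', 'HV02'

function Disable-EncapsulatedOffloadOnHosts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    foreach ($Computer in $ComputerName) {
        try {
            $Session = New-CimSession -ComputerName $Computer -ErrorAction Stop
        }
        catch {
            # An unreachable host is reported and skipped, not silently ignored
            Write-Warning "Cannot connect to ${Computer}: $($_.Exception.Message)"
            continue
        }
        try {
            # Only adapters whose driver exposes the feature are returned
            $Adapters = Get-NetAdapterEncapsulatedPacketTaskOffload -CimSession $Session -ErrorAction SilentlyContinue
            foreach ($Adapter in $Adapters) {
                $Before = $Adapter.EncapsulatedPacketTaskOffloadEnabled
                if ($Before -and $PSCmdlet.ShouldProcess("$Computer\$($Adapter.Name)", 'Disable Encapsulated Task Offload')) {
                    # Note: changing the setting restarts the adapter
                    Disable-NetAdapterEncapsulatedPacketTaskOffload -Name $Adapter.Name -CimSession $Session
                }
                # Read the value back so the report shows the real state, not the intended one
                $After = (Get-NetAdapterEncapsulatedPacketTaskOffload -Name $Adapter.Name -CimSession $Session).EncapsulatedPacketTaskOffloadEnabled
                [pscustomobject]@{
                    Host          = $Computer
                    Adapter       = $Adapter.Name
                    EnabledBefore = $Before
                    EnabledAfter  = $After
                }
            }
        }
        finally {
            Remove-CimSession -CimSession $Session
        }
    }
}

# Dry run first: -WhatIf reports the current state without changing anything
Disable-EncapsulatedOffloadOnHosts -ComputerName $HyperVHosts -WhatIf | Format-Table -AutoSize
```

Run it again without -WhatIf during a maintenance window; any row that still shows EnabledAfter as True is a host that needs a closer look.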


Posted in Fabric, Hyper-V, SCVMM, System Center Configuration Manager 2012 R2

Nice to Know – Clean up the ISO name mess in SCVMM so that Windows Azure Pack looks nice

Posted by Mikael Nystrom on February 5, 2015

In System Center Virtual Machine Manager there is a library. The library stores resources used in the environment, and one kind of resource is ISO images. The problem is that the names of those ISO images are slightly “technical” and not so user-friendly. So who cares?

The Issue:

When you start using Windows Azure Pack to provide self-service, that is a very good reason to have nice names. Here are two samples:

In the first picture, all the names look ok; in the second picture, it looks different…

The names of these files come from System Center Virtual Machine Manager and they are easy to change: just go in to the library, open each and every one and change the name…

How to modify the name of the ISO resource in the SCVMMLibrary using the UI.

However, doing that for one or two files is ok; more than that, it kind of gets boring after a while.

The Solution:

So, you can export all the information in to a CSV file, modify the CSV file to suit your organization and then import it again.

Export CD/DVD meta data from SCVMM using PowerShell

Get-SCISO -All -VMMServer "" | where HostType -EQ LibraryServer | Select LibraryServer,SharePath,Name,Description | ConvertTo-Csv -NoTypeInformation > "$env:TEMP\ISOInSCVMMLib.csv"

and that will give something like this:

A few of the ISO’s in the SCVMMLibrary.

So, open the file, modify name and description and run this

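function Update-ISOForSCVMLib {
    Param($LibraryServer, $SharePath, $Name, $Description)
    # Find the ISO object by library server and share path, then set its display name and description
    $ISOToUpdate = Get-SCISO -All | Where LibraryServer -EQ $LibraryServer | Where SharePath -EQ $SharePath
    $ISOToUpdate | Set-SCISO -Description $Description -Name $Name
}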

This will give you a new function and that new function can be used in the following way.

Import-Csv .\ISOInSCVMMLib.csv | foreach {Update-ISOForSCVMLib $_.LibraryServer -SharePath $_.SharePath -Name $_.Name -Description $_.Description}

The function goes through the CSV file, searches for each file, finds the object and finally changes the display name of the object.


Posted in SCVMM, System Center 2012 R2, Virtual Machine Manager

Beyond Supported – Azure Site-2-Site VPN (with physical router) behind a NAT device

Posted by Mikael Nystrom on February 2, 2015

Last week at TechXAzure I did 3 sessions, and during one of them we did some demos around Azure Site-2-Site VPN, which is the fundamental connection for creating a Hybrid solution. In production that is not really a complex task, since the firewall that is used is directly connected to the Internet with a static IP, but that is usually not the case when you play around at home or in the LAB. Running behind a NAT:ed device is not supported, and neither is running the solution on a dynamically assigned IP, but it works…

So, the idea behind this guide is to give a fairly simple step-by-step guide to build a site-2-site VPN connection to the Azure IaaS service for you to play with at home or in a LAB, just remember, there is NO support for this at all!

The design

Looking at the picture you can see that we basically have two networks, one for the normal traffic and one more that is behind a second router. Behind that network we have access to Azure directly. For me this is perfect when playing around. The “normal” network acts as the workload network; that is where all normal traffic exists. The network behind the second router acts as the fabric network; here is where my Private Cloud is running. Note, this is just for LAB, Testing, Playing and such things. You should not use this for production since it is unsupported.


The Internet facing router is a Linksys EA6900

The Internal router between the normal network and internal Azure Site-2-Site router is a NETGEAR FVS318N


Create Networks in Azure

Logon to your Azure Account and create the Local network

Select Local Network.

Give it a name and type in your Internet facing IP.

Type in the IP address range you are going to use behind the second router.

Logon to your Azure Account and create the Virtual network

Select to create a Custom network

Give the network a name and assign it to an Azure location.

Type in the DNS servers you are going to have locally on your network and select Site-2-Site VPN. Note: If you also select Point-2-Site you cannot create a Virtual Router in Azure that supports IKEv1. The router I’m using only supports IKEv1, and therefore I cannot have Point-2-Site VPN.

Add the IP address range and gateway range for your virtual network in Azure.

Create the Router

When the network has been created you need to create the Virtual Router

In the Azure portal, click on the Virtual Network “FabricAzure”. You can create either a Static or a Dynamic router, and you need to select the version based on the router/firewall you have locally. In my case I use a NetGear FVS318N, and the features in that router require me to configure the virtual router as a static router.


This takes time, have lunch or something

Finally it's done.

Configure the Internet facing Router

To allow traffic from the Virtual Router in Azure to correctly receive data you need to redirect traffic, the easy way to do this is to use the DMZ function in the Internet facing router. This way, all traffic from that IP will be redirected to the second router.

Configure the second router on your network (not the Internet facing)


In this case it is a NETGEAR FVS318N and the easy thing is to run the Wizard for VPN and then modify the settings, but before you do that, we need the PreShared Key and you can get that in the Azure Portal.

Modify the IKE Policy in the Second router.

Modify the VPN Policy in the second router.


Wait, check logs, wait, check logs and…


/Happy Routing…

Posted in Azure, Fabric, IaaS, Site-2-Site, VPN

Nice To Know – Generate the -JobGroup ID in SCVMM Scripts

Posted by Mikael Nystrom on January 28, 2015

When working with SCVMM it is common to perform administrative tasks using PowerShell. One very nice thing in SCVMM is that when using the UI it will create a script in the end and the idea is that you should be able to use that script and you can, one time…why?

…because you need to generate a new ID every time you run the script, so how do you do that?

Generate a GUID using PowerShell:

$JobGroupID1 = [Guid]::NewGuid().ToString()

The result when generating a GUID.

Using the generated GUID in a SCVMM PowerShell script

Here is a list of CMDlets that use -JobGroup


Posted in PowerShell, SCVMM, System Center 2012 R2

Nice to Know – Azure Operational Insights – “Data aggregation in progress”

Posted by Mikael Nystrom on January 27, 2015

I was troubleshooting the Capacity planning Intelligence Pack being stuck in “Data aggregation in progress” and found a blog post from the team, one of the best step-by-steps for troubleshooting this problem I have seen. If you do have issues with this, just follow the guide.

If this is your issue:


Follow this guide:


In this guide check out these procedures:

  • Validate if the right Management Packs get downloaded to your OpsMgr Environment
  • Validate if the right Intelligence Packs get downloaded to your Direct Agent
  • Validate if data is being sent up to the Advisor service (or at least attempted)
  • Check for Errors on the Management Server or Direct Agent Event Logs
  • Look for your agents to send their data and have it indexed in the Portal

Posted in OpsMgr, SCVMM, System Center 2012 R2

OSD – Install IE 11 in the ref image like a pro using a PowerShell wrapper

Posted by Mikael Nystrom on January 27, 2015

One of the best ways to get ready for Windows 10 is to deploy Internet Explorer 11 in your current environment, if you can make IE 11 work there is a huge chance that you will have no or just a few issues when Windows 10 is about to be deployed.

The best way to do that is to add IE 11 to the reference image when you are replacing, refreshing or perform a bare-metal deployment and the next best thing is to deploy it using any software distribution engine, like WSUS, ConfigMgr, Intune or something like that.

Even if you distribute it as software, you should still update your reference image, and here is how.

Step No:1 – Download IEAK

The best way to deal with IE11 is to create a configuration only package for all Windows versions that already have IE11 installed (Like Windows 8.1 or Windows Server 2012 R2) and create a full install package for all the other versions of Windows you are using in your organization and that is done by Internet Explorer Administration Kit (IEAK), just download it from and install on a computer WITH IE11 already installed.

Step No:2 – Create all packages

Start IEAK and create all your packages for each version and each language of IE you would like to have

  • Windows 7 SP1 x86/x64
  • Windows 8.1 x86/x64

(Create both full install packages as well as configuration packages)

Step No:3 – Download the PowerShell script

After creating all the packages, with the customized settings you will have a folder structure with full packages as well as configuration only for one or more language and instead of creating one application for each of these packages you can create one application in the deployment workbench that will figure out which package that should be installed.

  1. Download the PowerShell script from
  2. Unzip it and browse to the folder “Install – Internet Explorer 11\Source”
  3. Copy the content of your “build” folder that was created when using IEAK into the folder named “Source”; it should contain folder names like “BrndOnly”, “FLAT” and “Ins”

This is the tree structure after copying the files.

Step No:4 – Create the Application in the Deployment Workbench

Now you need to create the application; follow these steps and you are done.

  1. Open Deployment Workbench and browse to the Application node
  2. Create a new application named “Install Internet Explorer 11” with the Command Line “PowerShell.exe -ExecutionPolicy ByPass -File Install-InternetExplorer11.ps1”

The properties of the “Install – Internet Explorer 11” application in the Deployment Workbench.

Step No:5 – Add the application to the Task Sequence

Open your task sequence and add the application to the task sequence.

Install Internet Explorer 11 is added to the Task Sequence.

Happy OSD


Posted in Internet Explorer, MDT, OS Deployment, OSD