
Cloud OS Deployment, Part 1 - Running MDT Task Sequences from Microsoft Intune

Jan 23 2018

In this post you learn how to run MDT task sequences, for either computer refresh or in-place upgrade scenarios, from Microsoft Intune. Using task sequences gives you much better control of Windows 10 servicing compared to regular feature updates. And, as you probably figured out from the title already, there are more posts coming…:)

Credit goes to Peter Selch Dahl ( @PeterSelchDahl ) and Oliver Kieselbach ( @okieselb ) for excellent info on PowerShell script support in Intune.

Setup MDT for Microsoft Intune

Since Intune doesn't support applications larger than 2 GB, you have to use regular Azure blob storage to store the OS deployment content, and then fetch that content from the script you assign in Microsoft Intune. Keep in mind that whatever you put in that script (storage URL, SAS token, archive password) ends up on every targeted device, so the storage side needs to be set up with that in mind. To run MDT task sequences via Microsoft Intune, you need the following:

  • A MDT media item with a Windows 10 image, drivers, task sequences etc..
  • An Intune subscription.
  • A little bit of PowerShell.

 

Step 1 – Create an MDT offline media item

Rather than trying to run deployments directly from Intune/Azure, I wanted to make sure all content needed was downloaded to the client first, and then run the deployment locally. To make this work I'm using a little-known trick in MDT: generate an offline media item, and copy its Deploy folder to the root of the C:\ drive on the computer targeted for the OS deployment. Once the Deploy folder from an MDT media item sits on the C:\ drive, you can start the LiteTouch.vbs script directly from that folder, meaning the OS deployment starts locally with no dependency on a deployment share. By using a download-and-execute method, you also have additional options for reducing network impact, such as using BITS for the download.

Here are the high-level steps to create an offline media item in MDT. For more details see the docs: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt

1. On any Windows machine, install MDT 8450 and Windows ADK 10 v1709.

2. Using Deployment Workbench, create a MDT deployment share

3. Import your Windows 10 image, and any driver you need

4. Create two task sequences, one Standard Client task sequence used for computer refresh scenarios, and one Inplace-upgrade task sequence.

5. In the Advanced Configuration node, create an MDT media item, and make very sure Not to create it inside the normal deployment share, create the folder somewhere else.

6. Configure the MDT media item to not ask any questions during OS deployment. If you need an example, I've uploaded the Bootstrap.ini and CustomSettings.ini files I used when developing this solution. These files go into the media item folder (its Control folder), not the parent deployment share.

https://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/SilentMediaBootstrap.ini

https://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/SilentMediaCustomSettings.ini

[Image: An MDT media item for Windows 10 deployments.]
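The same six steps can be scripted with the MDT PowerShell module instead of clicking through Deployment Workbench. The block below is an added example, not the author's files or MDT's own documentation: it assumes MDT 8450 in its default install path, an existing deployment share at C:\DeploymentShare that already holds the image, drivers and both task sequences, and a media folder at C:\Media that is deliberately outside the share. The New-Item parameter set is the one Deployment Workbench prints under "View Script" when you create media; the two .ini files are a minimal silent configuration using standard MDT properties, not a copy of the author's linked files.

```powershell
# Added example: create and build an MDT offline media item for Intune without the Workbench UI.
# Assumptions: MDT 8450 default install path, deployment share at C:\DeploymentShare,
# media root C:\Media (outside the share), selection profile "Everything".
Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"

# Map the existing deployment share as an MDT provider drive
New-PSDrive -Name 'DS001' -PSProvider 'MDTProvider' -Root 'C:\DeploymentShare' | Out-Null

# Create the media item. -Root must NOT be inside the deployment share.
New-Item -Path 'DS001:\Media' -Enable 'True' -Name 'MEDIA001' -Comments 'Intune offline media' `
    -Root 'C:\Media' -SelectionProfile 'Everything' -SupportX86 'False' -SupportX64 'True' `
    -GenerateISO 'False' -ISOName 'LiteTouchMedia.iso' -Verbose

# Silent rules belong to the media item (C:\Media\Control), not to the parent deployment share.
# TaskSequenceID is not set here because LiteTouch.vbs receives it on the command line later.
New-Item -ItemType Directory -Path 'C:\Media\Control' -Force | Out-Null

$bootstrap = @'
[Settings]
Priority=Default

[Default]
SkipBDDWelcome=YES
'@

$customSettings = @'
[Settings]
Priority=Default

[Default]
_SMSTSORGNAME=Intune OS Deployment
SkipTaskSequence=YES
SkipComputerName=YES
SkipDomainMembership=YES
SkipUserData=YES
SkipLocaleSelection=YES
SkipTimeZone=YES
SkipApplications=YES
SkipBitLocker=YES
SkipSummary=YES
SkipFinalSummary=YES
SkipCapture=YES
FinishAction=REBOOT
'@

Set-Content -Path 'C:\Media\Control\Bootstrap.ini'      -Value $bootstrap      -Encoding ASCII
Set-Content -Path 'C:\Media\Control\CustomSettings.ini' -Value $customSettings -Encoding ASCII

# Build the media: scripts, OS image, drivers and task sequences land in C:\Media\Content\Deploy,
# which is the folder that later gets archived and copied to the client's C:\ drive.
Update-MDTMedia -Path 'DS001:\Media\MEDIA001' -Verbose
```

Every Skip* property above suppresses one wizard page; if the task sequence you pick needs a value the wizard would normally ask for (computer name, locale, time zone), set it in CustomSettings.ini as well, or LiteTouch will fall back to prompting.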

 

Step 2 – Upload the MDT offline media item for Microsoft Intune (to Azure)

To store the MDT offline media item in Azure, archive it into a single file first (one large download is faster and more reliable than thousands of small ones). In my case I simply used 7-Zip to create an archive of the MDT offline media item.

1. Using 7-Zip, create an archive of the Deploy folder in your MDT media item. In my case I named the archive Windows10v1709.7z, and I gave the archive a password to make it at least a little bit difficult to read the content. Note that this password is stored in cleartext in the deployment script, which lands on every targeted device, so treat it as obfuscation rather than protection of the image. In addition to the password, I also set compression level to Ultra, and solid block size to solid.

[Image: Creating an archive using 7-Zip.]

 

[Image: The Deploy folder in my MDT media item, archived into the Windows10v1709.7z file.]

  

2. In the Azure Portal, or via PowerShell, create a Microsoft Azure Storage Account (Blob Storage). If you are new to Azure Storage, check the docs here:

About Azure storage accounts
https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#create-a-storage-account

3. In your Azure storage account, create a new container, and set the public access level to Private. With a private container the blobs can only be read with the storage account key or a shared access signature, which is what the next steps rely on.

4. Upload the MDT media item archive, and the 7z.exe/7z.dll files, to the container. Since 7z.exe will later run as System on every targeted device, record the SHA-256 hashes of the three files at upload time so the client script can verify what it downloaded before extracting or executing anything.

[Image: The files uploaded to Azure.]

 

5. Create a new Shared Access Signature (SAS), and don't forget to set a valid start and expiry date/time. Give it Read permission only, restrict it to HTTPS, and keep the expiry as short as the deployment window allows: the SAS is embedded in the PowerShell script, and anyone who reads that script from a device can download your image for as long as the signature is valid. Again, if you are new to Azure storage, check the docs for shared access signatures here:

Using shared access signatures (SAS)
https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1

[Image: Generating a Shared Access Signature.]

 

6. Get the "real" download link for your uploaded file by combining the URL of the blob with the SAS token. The token generated by the portal starts with "?", so it is simply appended to the blob URL.
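Steps 1 to 6 of this section, done from PowerShell instead of the 7-Zip GUI and the portal, as an added example that is not part of the original post. It assumes the Az.Storage module (the current name of the Azure storage cmdlets), 7-Zip installed in its default path, the media Deploy folder at C:\Media\Content\Deploy, and the resource group, storage account and container names shown as placeholders. It also does the two things the text recommends but the portal does not do for you: it records SHA-256 hashes of everything the client will execute, and it issues a read-only, HTTPS-only SAS scoped to the container with an explicit expiry.

```powershell
# Added example: archive the MDT media, hash it, upload it, and mint a read-only SAS.
# Assumptions: Az.Storage module, 7-Zip in the default path, names below are placeholders.
$ErrorActionPreference = 'Stop'

$MediaDeploy    = 'C:\Media\Content\Deploy'          # Deploy folder of the MDT media item
$Archive        = 'C:\MediaUpload\Windows10v1709.7z'
$SevenZipDir    = 'C:\Program Files\7-Zip'
$ResourceGroup  = '<your resource group>'
$StorageAccount = '<your storage account>'
$ContainerName  = 'osd'                              # assumption: container name
$DeployWindow   = 14                                  # days the SAS should stay valid

New-Item -ItemType Directory -Path (Split-Path $Archive) -Force | Out-Null
$Password = Read-Host -Prompt 'Archive password'

# 1. Archive the Deploy folder: -mx=9 is Ultra, -ms=on is a solid archive,
#    -mhe=on additionally encrypts file names. The top-level "Deploy" folder is kept,
#    so extracting the archive to C:\ on a client yields C:\Deploy.
& "$SevenZipDir\7z.exe" a -t7z -mx=9 -ms=on -mhe=on "-p$Password" $Archive $MediaDeploy
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# 2. Hash every file the client script will download and run/extract. Paste these
#    values into the client script so it refuses tampered or swapped content.
$Files  = @($Archive, "$SevenZipDir\7z.exe", "$SevenZipDir\7z.dll")
$Hashes = foreach ($f in $Files) { Get-FileHash -Path $f -Algorithm SHA256 }
$Hashes | Select-Object @{ n = 'Name'; e = { Split-Path $_.Path -Leaf } }, Hash | Format-Table -AutoSize

# 3. Upload to a private container (public access "Off")
Connect-AzAccount | Out-Null
$ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Context
if (-not (Get-AzStorageContainer -Name $ContainerName -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $ContainerName -Permission Off -Context $ctx | Out-Null
}
foreach ($f in $Files) {
    Set-AzStorageBlobContent -File $f -Container $ContainerName -Blob (Split-Path $f -Leaf) -Context $ctx -Force | Out-Null
}

# 4. Read-only, HTTPS-only SAS for the container, valid from 15 minutes ago (clock skew)
#    until the end of the deployment window. The token starts with "?".
$sas = New-AzStorageContainerSASToken -Name $ContainerName -Permission r -Protocol HttpsOnly `
    -StartTime (Get-Date).AddMinutes(-15) -ExpiryTime (Get-Date).AddDays($DeployWindow) -Context $ctx

# Values to paste into the client script ($Container and $SAS)
"Container : $($ctx.BlobEndPoint.TrimEnd('/'))/$ContainerName"
"SAS       : $sas"
"Archive   : $($ctx.BlobEndPoint.TrimEnd('/'))/$ContainerName/$(Split-Path $Archive -Leaf)$sas"
```

When the deployment is finished, the SAS cannot be revoked on its own; if you need to cut access early, rotate the storage account key that signed it, which invalidates every SAS issued with that key.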

7. Modify the script below with the values from your Azure environment, and then import the script into Intune's PowerShell scripts feature.

 

$Path = $env:TEMP   # when the script runs as System, this resolves to C:\Windows\Temp
$7zPassword = "P@ssw0rd"
$Container = "https://<your container>"
$SAS = "<your shared access signature>"   # include the leading "?" from the portal

# Option #1 - Download content via HTTPS
#Invoke-WebRequest "$Container/7z.exe$SAS" -OutFile $Path\7z.exe
#Invoke-WebRequest "$Container/7z.dll$SAS" -OutFile $Path\7z.dll
#Invoke-WebRequest "$Container/Windows10v1709.7z$SAS" -OutFile $Path\Windows10v1709.7z

# Option #2 - Download content via BITS (typically faster, unless throttled, and more resilient on poor networks)
Import-Module BitsTransfer
Start-BitsTransfer "$Container/7z.exe$SAS" -Destination $Path\7z.exe
Start-BitsTransfer "$Container/7z.dll$SAS" -Destination $Path\7z.dll
Start-BitsTransfer "$Container/Windows10v1709.7z$SAS" -Destination $Path\Windows10v1709.7z

# Extract the MDT media item to C:\ (creates C:\Deploy), then remove the archive
& $Path\7z.exe x -y -oC:\ "-p$7zPassword" $Path\Windows10v1709.7z | Out-Null
Remove-Item $Path\Windows10v1709.7z

# Run LiteTouch.vbs, replace the task sequence ID with yours.
# /SkipTaskSequence:YES makes LiteTouch use the supplied ID instead of showing the wizard.
# -Verb RunAs is redundant when the script already runs as System, but does no harm.
Start-Process -FilePath 'cscript.exe' -ArgumentList "C:\Deploy\Scripts\LiteTouch.vbs", "/TaskSequenceID:W10-X64-015", "/SkipTaskSequence:YES" -Verb RunAs

 

8. Assign the script to a group of computers in Microsoft Intune, and configure it to run as System. Then wait an hour or so (the Intune Management Extension checks in roughly hourly)… Done :)

Note: When assigning PowerShell scripts to run as System, the %temp% folder is C:\Windows\Temp.
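A hardened variant of the script above, as an added example and not the author's script: it keeps the same download, extract and LiteTouch flow but verifies the SHA-256 hash of each file before anything is extracted or executed, refuses to run unless it is actually running as System, checks exit codes, and writes a transcript for troubleshooting. The hash values, the task sequence ID and the storage names are placeholders you fill in from your own upload; nothing here is pulled from the page.

```powershell
# Added example: download-verify-extract-run variant of the Intune script.
# Assumptions: placeholders below filled from your own environment; hashes recorded at upload time.
$ErrorActionPreference = 'Stop'

$Path           = Join-Path $env:windir 'Temp\MDTIntune'   # System's %TEMP% is C:\Windows\Temp anyway
$Container      = 'https://<your storage account>.blob.core.windows.net/<your container>'
$SAS            = '?<your shared access signature>'
$ArchiveName    = 'Windows10v1709.7z'
$TaskSequenceID = 'W10-X64-015'
$7zPassword     = 'P@ssw0rd'     # still cleartext on the device; obfuscation only

# SHA-256 of every downloaded file, taken from the upload step (placeholders, assumption).
# A mismatch aborts the deployment: a swapped 7z.exe would otherwise run as System.
$Expected = @{
    '7z.exe'     = '<sha256 of 7z.exe>'
    '7z.dll'     = '<sha256 of 7z.dll>'
    $ArchiveName = '<sha256 of archive>'
}

New-Item -ItemType Directory -Path $Path -Force | Out-Null
Start-Transcript -Path (Join-Path $Path 'MDTIntune.log') -Append | Out-Null
try {
    # The Intune assignment must run as System (S-1-5-18); bail out otherwise.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if ($me.User.Value -ne 'S-1-5-18') { throw "Expected to run as System, running as $($me.Name)" }

    # Idempotency: if LiteTouch has already been staged, do not download again
    $liteTouch = Join-Path $env:SystemDrive 'Deploy\Scripts\LiteTouch.vbs'
    if (Test-Path $liteTouch) { throw "C:\Deploy already exists; a deployment is staged or in progress" }

    Import-Module BitsTransfer
    foreach ($name in $Expected.Keys) {
        $dest = Join-Path $Path $name
        Start-BitsTransfer -Source "$Container/$name$SAS" -Destination $dest -Priority Foreground
        $actual = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
        if ($actual -ne $Expected[$name]) {
            Remove-Item $dest -Force
            throw "Hash mismatch for $name (expected $($Expected[$name]), got $actual)"
        }
        Write-Output "Verified $name"
    }

    # Extract to the root of the system drive; 7z.exe needs 7z.dll beside it
    & (Join-Path $Path '7z.exe') x -y "-o$env:SystemDrive\" "-p$7zPassword" (Join-Path $Path $ArchiveName) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7-Zip exited with code $LASTEXITCODE" }
    Remove-Item (Join-Path $Path $ArchiveName) -Force
    if (-not (Test-Path $liteTouch)) { throw "Archive did not contain Deploy\Scripts\LiteTouch.vbs" }

    # Hand off to MDT. No -Wait: the Intune script timeout is far shorter than a deployment.
    Start-Process -FilePath 'cscript.exe' -ArgumentList "`"$liteTouch`"", "/TaskSequenceID:$TaskSequenceID", "/SkipTaskSequence:YES"
    Write-Output "LiteTouch started with task sequence $TaskSequenceID"
}
finally {
    Stop-Transcript | Out-Null
}
```

Because the script exits as soon as LiteTouch is launched, Intune's monitoring will report on the staging, not on the task sequence itself; the task sequence logs (BDD.log and SMSTS.log under the MDT log locations) remain the place to check the deployment.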

 

[Image: Checking the files coming down via the PowerShell script when assigned as System.]

 

Monitoring

From the Azure/Intune portal, you can go to the Device Configuration blade, select PowerShell scripts, select the script you want to monitor, select Monitor, and then look at the device status and user status reports.

Note: Due to the default script timeout (10 minutes) in Microsoft Intune, long-running scripts are going to show a failure in the monitoring node, even when they succeed.

[Image: The MDT task sequence started via Microsoft Intune.]

Troubleshooting Tips

If the script never runs, make sure the machine is joined to Azure AD, and that it is running Windows 10 v1607 or later. Running PowerShell scripts from Microsoft Intune requires the Microsoft Intune Management Extension, and that is only supported on Azure AD joined devices. To find out if a machine is Azure AD joined, run the dsregcmd.exe /status command and look for AzureAdJoined : YES in the Device State section.

[Image: Running dsregcmd.exe /status on a Windows 10 v1607 machine.]

In Settings, you should also see that the Microsoft Intune Management Extension is installed, but please note that can take a little while. You can check the installation status in the event viewer, in the Applications and Services Logs / Microsoft / Windows / DeviceManagement-Enterprise-Diagnostics-Provider / Admin node.

[Image: The Event Viewer showing a successful install of the Microsoft Intune Management Extension.]

 

And, you will of course also see it in Programs and Features in Windows 10.

[Image: Microsoft Intune Management Extension installed.]

You can review the logs for more information. In the C:\ProgramData\Microsoft\IntuneManagementExtension\Logs folder, check the following log files:

  • IntuneManagementExtension.log
  • AgentExecutor.log

  

[Image: The C:\ProgramData\Microsoft\IntuneManagementExtension\Logs folder.]

 

The script itself is downloaded to the C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts folder, and then run. It is stored there in cleartext, which is why the SAS token and archive password inside it should be treated as exposed to anyone with local administrator rights on the device.

[Image: The location for the PowerShell script.]
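The checks in this section, gathered into one script that can be run locally on a device that is not picking up the assignment. This is an added example, not from the original post or from Microsoft: it assumes the Intune Management Extension service is named IntuneManagementExtension, that the 1607 build number is 14393, and that the log and script folders are the ones named above. The last function also shows the point made about the Policies\Scripts folder by searching the downloaded scripts for SAS-style query parameters.

```powershell
# Added example: local health check for Intune PowerShell script delivery.
# Assumptions: service name IntuneManagementExtension; log/script paths as on the page.

function Test-AzureAdJoined {
    # dsregcmd /status prints "AzureAdJoined : YES" in its Device State section
    $lines = & "$env:windir\System32\dsregcmd.exe" /status
    [bool]($lines | Where-Object { $_ -match '^\s*AzureAdJoined\s*:\s*YES' })
}

function Test-SupportedBuild {
    # Windows 10 v1607 is build 14393; the extension needs that or later
    [Environment]::OSVersion.Version.Build -ge 14393
}

function Get-IntuneExtensionState {
    $svc = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'Not installed (yet); check the DeviceManagement-Enterprise-Diagnostics-Provider log' }
    $svc.Status.ToString()
}

function Get-RecentEnrollmentEvents {
    # Same log the text points at in Event Viewer; errors here usually explain a missing extension
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 3 } |   # 1=Critical, 2=Error, 3=Warning
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-ExtensionLogErrors {
    $logDir = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs'
    foreach ($log in 'IntuneManagementExtension.log', 'AgentExecutor.log') {
        $file = Join-Path $logDir $log
        if (Test-Path $file) {
            Get-Content -Path $file -Tail 200 | Select-String -Pattern 'error|fail|exception' |
                ForEach-Object { "[$log] $($_.Line)" }
        }
    }
}

function Find-SecretsInDeliveredScripts {
    # Every script Intune delivered sits here in cleartext. Flag anything that looks like a
    # SAS token (sv=, sig=) so you know which secrets are exposed on the device.
    $scriptDir = Join-Path ${env:ProgramFiles(x86)} 'Microsoft Intune Management Extension\Policies\Scripts'
    if (Test-Path $scriptDir) {
        Get-ChildItem -Path $scriptDir -Filter *.ps1 -Recurse |
            Select-String -Pattern '(\?|&)(sv|sig|se|sp)=' -List |
            Select-Object Path, LineNumber
    }
}

"Azure AD joined     : $(Test-AzureAdJoined)"
"Supported build     : $(Test-SupportedBuild) (build $([Environment]::OSVersion.Version.Build))"
"Extension service   : $(Get-IntuneExtensionState)"
"Enrollment warnings/errors:"; Get-RecentEnrollmentEvents | Format-Table -AutoSize
"Extension log errors:";       Get-ExtensionLogErrors
"Scripts containing SAS-style tokens:"; Find-SecretsInDeliveredScripts | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the device; Get-WinEvent against that log and reading the Policies\Scripts folder both need administrator rights.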

 

For more troubleshooting tips, check the below blog post by Oliver Kieselbach ( @okieselb ).

Deep dive Microsoft Intune Management Extension – PowerShell Scripts
https://oliverkieselbach.com/2017/11/29/deep-dive-microsoft-intune-management-extension-powershell-scripts

Written by Johan Arwidmark

Happy deployment, and thanks for reading!


What our lawyers make us say:

This information is provided "AS IS" with no warranties, confers no rights and is not supported by the authors or Deployment Artist.

Copyright © 2017 by Deployment Artist (the company behind deployment research). All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don't pass off our work as yours, it's not nice.
