Security, Security Updates, Windows 7, Windows Server 2008 R2

Are You Still Using Windows 7? Microsoft’s Next Update Is Critical

If you want to continue receiving Windows updates, then the next Windows 7 and Windows Server 2008 update is critical, as it adds support for SHA-2 code signing. Without it, future updates can’t be downloaded.

The date to prepare for is March 12, which is when Microsoft rolls out the Stand Alone update for Windows 7 and Windows Server 2008. Just leave your desktop or laptop turned on and let Windows Update do its thing.

After that, you’ll be in a position to receive all remaining updates until next year. It’s also a chance to grab a few extra months to decide on which upgrade path to take. Do you want a new Windows 10 PC, are you considering a switch to Mac, or is Linux a possibility?

Deployment, MDT, reference image, Task Sequence, Windows 7

Persistent Device Drivers in Reference Image

We needed to keep the Intel USB 3.0 drivers in a Windows 7 reference image.

  1. Import the drivers into MDT and create a selection profile.
  2. Edit the task sequence (TS) and update the Injected Drivers step to point to the selection profile.
  3. Open and edit Unattend.xml. Add the component called Microsoft-Windows-PnpSysprep to Step 3 Generalize.
  4. Edit the PersistAllDeviceInstalls option to be true.
  5. Save the Unattend.xml file and close.
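
The following check is an added example, not part of the original post. It confirms that an answer file carries the setting from steps 3 and 4. The sample answer file is constructed, and the function name Test-PersistAllDeviceInstalls is hypothetical.

```powershell
# Constructed sample answer file showing the component added in steps 3 and 4.
$sampleUnattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="generalize">
    <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>
    </component>
  </settings>
</unattend>
'@

function Test-PersistAllDeviceInstalls {
    param([Parameter(Mandatory = $true)][xml]$Unattend)

    # Answer files use a default namespace, so XPath needs an explicit prefix.
    $ns = New-Object System.Xml.XmlNamespaceManager($Unattend.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    $xpath = "/u:unattend/u:settings[@pass='generalize']" +
             "/u:component[@name='Microsoft-Windows-PnpSysprep']" +
             "/u:PersistAllDeviceInstalls"
    $nodes = $Unattend.SelectNodes($xpath, $ns)

    # Missing component or missing setting: drivers will not persist.
    if ($nodes.Count -eq 0) { return $false }

    # An answer file may hold both x86 and amd64 components; all must be true.
    foreach ($node in $nodes) {
        if ($node.InnerText.Trim() -ne 'true') { return $false }
    }
    return $true
}

Test-PersistAllDeviceInstalls -Unattend ([xml]$sampleUnattend)

# To check a real answer file (the path is a placeholder):
# Test-PersistAllDeviceInstalls -Unattend ([xml](Get-Content 'C:\path\to\Unattend.xml'))
```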

More information here:

BitLocker, Configuration Manager 2012, Deployment, Registry, Task Sequence, Windows 10, Windows 7, Windows Preinstallation Environment

Windows 7 Pre-Provision Bitlocker Not Working

After updating Configuration Manager 2012 R2 and adding the Windows 10 ADK, task sequences will no longer pre-provision BitLocker.


With WinPE 10 it uses the AES-CBC 128-bit encryption method.


Add the following Run Command Line steps after Format and Partition and before Pre-provision BitLocker.

  1. Set EncryptionMethodWithXtsFdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsFdv /d 3 /f
  2. Set EncryptionMethodWithXtsOs – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsOs /d 3 /f
  3. Set EncryptionMethodWithXtsRdv – reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /t REG_DWORD /v EncryptionMethodWithXtsRdv /d 3 /f

Available Encryption Methods in WinPE 10

  1. Value Data: 3 (Description: AES-CBC 128-bit)
  2. Value Data: 4 (Description: AES-CBC 256-bit)
  3. Value Data: 6 (Description: XTS-AES 128-bit)
  4. Value Data: 7 (Description: XTS-AES 256-bit)

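
An added example, not from the original post: a report on the three policy values set by the steps above, using the value meanings from the list. The names Read-FvePolicy, Get-FveMethodReport and Windows7Ready are hypothetical, and the script assumes PowerShell is available where it runs. It flags XTS-AES methods because Windows 7 BitLocker only supports AES-CBC, a point the post itself does not state.

```powershell
# Meanings of 3/4/6/7 come from the list above.
$methodNames  = @{ 3 = 'AES-CBC 128-bit'; 4 = 'AES-CBC 256-bit'
                   6 = 'XTS-AES 128-bit'; 7 = 'XTS-AES 256-bit' }
$policyValues = 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsOs',
                'EncryptionMethodWithXtsRdv'

function Read-FvePolicy {
    # Collect the three policy values from the registry into a hashtable.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $found = @{}
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in $policyValues) {
            if ($props -and $props.PSObject.Properties[$name]) { $found[$name] = $props.$name }
        }
    }
    return $found
}

function Get-FveMethodReport {
    param([hashtable]$Policy = @{})
    foreach ($name in $policyValues) {
        $raw = $Policy[$name]
        if ($null -eq $raw) {
            $method = 'not set'; $ok = $false
        } elseif (-not $methodNames.ContainsKey([int]$raw)) {
            $method = "unlisted value $raw"; $ok = $false
        } else {
            $method = $methodNames[[int]$raw]
            # Assumption: a Windows 7 image needs an AES-CBC method (3 or 4).
            $ok = (3, 4 -contains [int]$raw)
        }
        New-Object PSObject -Property @{ Value = $name; Method = $method; Windows7Ready = $ok }
    }
}

# Constructed sample: the removable-drive value was left at an XTS method.
$sample = @{ EncryptionMethodWithXtsFdv = 3; EncryptionMethodWithXtsOs = 3
             EncryptionMethodWithXtsRdv = 6 }
Get-FveMethodReport -Policy $sample | Format-Table Value, Method, Windows7Ready -AutoSize

# Against the live registry:
# Get-FveMethodReport -Policy (Read-FvePolicy)
```
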
Deployment, Internet Explorer, MDT, Security Updates, Windows 7

Adding Internet Explorer 11 to your Windows 7 SP1 reference image

Here is an article from Johan Arwidmark regarding adding IE11 to your reference image.

Don’t forget to update the unattend.xml.

Also here are the KB Articles not to deploy to the Windows 7 reference image:


If you get a DISM error, this is usually associated with the updates being added to the OS via offline servicing.

Check the DISM.log folder for the update that is affecting your build. X:\Windows\Logs\DISM.log

Configuration Manager 2012, Deployment, Logs, MDT, System Center, Task Sequence, Windows 7, Windows Preinstallation Environment

Failed to run the action: Use Toolkit Package – Error: 80070002; Source: Windows


Failed to run the action: Use Toolkit Package.
The system cannot find the file specified. (Error: 80070002; Source: Windows)



System Center 2012 R2 CU5 integrated with MDT 2013. Deploying Windows 7 SP1 with Office 2013.


This occurs if the Drive Letter task sequence variable is configured to True. It does not occur if it is configured to False.


To work around this issue, create the following two Task Sequence variables at the very top of the Task Sequence:

SMSTSDownloadRetryCount = 5
SMSTSDownloadRetryDelay = 15

Place them immediately after the Execute Task Sequence group.

Deployment, Office 2013, USMT, Windows 7

You cannot migrate Microsoft Office 2013 settings by using USMT 5.0

The title says it all. The MigApp.xml file only covers Office versions up to Office 2010, so you will need to download the Hotfix from Microsoft. This will replace the existing MigApp.xml file with the updated MigApp.xml file.

Once updated, you may need to redistribute the package(s) used in your user migration solution.

Group Policy Objects, Kiosk, Windows 7

Remove Computer icon on the Desktop

For a kiosk I need to remove the Computer icon from the Start Menu.

The group policy location is: User Configuration, Administrative Templates, Desktop then Remove computer icon on the desktop


This setting hides computer from the desktop and from the new Start menu. It also hides links to computer in the Web view of all Explorer windows, and it hides computer in the Explorer folder tree pane. If the user navigates into computer via the “Up” button while this setting is enabled, they view an empty computer folder. This setting allows administrators to restrict their users from seeing computer in the shell namespace, allowing them to present their users with a simpler desktop environment.

If you enable this setting, computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to computer, the folder will be empty.

If you disable this setting, computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting.

If you do not configure this setting, the default is to display computer as usual.


KMS, Windows 7

Client KMS Activation Failing Due to Corrupt token.dat file

This issue happened in our production environment. The KMS activation failed on a Windows 7 client due to a corrupt tokens.dat file.

The solution was to stop the service, rename the tokens.dat file and start the service again. Then activate the client against the KMS host.

  1. net stop sppsvc
  2. CD %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
  3. REN tokens.dat tokens.bar (any unused backup name works)
  4. net start sppsvc
  5. slui.exe
  6. slmgr /ipk 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH (This client key should still be on the client)
  7. slmgr /ato

Administration, Error, Script, Windows 7

Devcon.exe “Disable failed” on Windows 7 x64

I needed to disable some devices on a Windows 7 x64 computer. I did the usual download from Microsoft, then constructed the syntax. I kept getting: Disable failed.

I have this working on Windows XP x86. After some googling it turned out that the 64-bit version of Devcon.exe that is available to download from Microsoft is not compatible with Windows 7 64-bit. Go figure.

You need to extract it from Windows Server 2003 x64 DVD.

Here is a link for the x64 version of Devcon.exe (zipped):

Disabling devices using Devcon

  1. List all devices to a text file: devcon find * > d:\list.txt
  2. Verify the device is unique: devcon find *VEN_1113
  3. devcon disable *VEN_1113