PSD icon indicating copy to clipboard operation
PSD copied to clipboard
verified publisher icon FriendsOfMDT

error on first login after os install

Open laramy2020 opened this issue 8 months ago • 10 comments

I get a non-descript error when the system has reached the desktop for the first time

Image

attached are hopefully cleared out logs

Archive.zip

It contains _SMSTaskSequence Folder and from minint folder SMSOSD SMSTSLog Variables.dat TS.xml

This is a fully updated environment, even re-created the task sequence in case the default template was updated

laramy2020 avatar May 08 '25 00:05 laramy2020

Some more details, this is a captured windows image. Nothing to crazy, just the latest updates and dot net 3.x feature enabled

It is automated capture with a psd task sequence i made.

these are all the files and directories that are ignored after the task sequence syspreps and reboots

[ExclusionList]
$ntfs.log
hiberfil.sys
pagefile.sys
winpepge.sys
"System Volume Information"
RECYCLER
UserMan.ini
LLU_Admin.Local.db
LLU_Admin.Network.db
\bootmgr
\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
\Build
\idwlog
\InstalledRepository
\LTIBootstrap.vbs
\Packages
\partitions.txt
\sources
\Windows\CSC
\Windows.old
\Windows\Panther
\VLpackages
\MININT
\Boot
\_SMSTaskSequence
\Drivers
\marker.PSD
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PSDStartup.lnk
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Desktop.ini

Is there anything i should add/remove from this list?

laramy2020 avatar May 08 '25 02:05 laramy2020

I'm confused. Are u trying to do a build and capture task sequence? Currently PSD does have that ability that's I am aware of.

PowerShellCrack avatar May 08 '25 10:05 PowerShellCrack

i guess it was not descriptive enough or i worded it weirdly, was late at night and i was tired.

Yes, PSD does not support deploy and capture, I modified a task sequence to do this, this part is working for me.

Image (i can talk more about how i got that working somewhere else, but it does leverage unc mounts when it boots back into winpe) the remove appx-bloat

Image

and presysprep options is not apart of the captures that have issues, i am giving those a run today

my issue is using the captured image with the default psd deployment task sequence. it then fails to load the psd script after first login.

laramy2020 avatar May 08 '25 18:05 laramy2020

Thanks for clarifying. Are u saying that you are using a custom unattend that's is running a powershell script? Or are u saying the PSDstart.ps1 is not starting on the device when for post process?

If it is the latter, my first thought was if the custom image has been hardend with restrictive policies that's could be blocked unsigned code to run or startup.

PowerShellCrack avatar May 08 '25 18:05 PowerShellCrack

there is no custom unattend at any point. just custom task sequence to automate making a custom updated windows image

Then a default task sequence to deploy the captured image

laramy2020 avatar May 08 '25 18:05 laramy2020

ok so i think it is something with the varaibles.dat, it is not being updated on first login

In winpe there are variables like <var name="DestinationOSDriveLetter"><![CDATA[]]></var> that with the custom captured image But if i use the source .wim that value is only in winpe and goes away on first login

Unless i am misunderstanding how this storage file for vars works

laramy2020 avatar May 09 '25 00:05 laramy2020

is there anything in registry that is grabed? i can remove [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Task Sequence] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PSDInfo]

laramy2020 avatar May 09 '25 01:05 laramy2020

Between us, historically this is not a very good idea, you can just use the provided WIM from the OS's ISO you want to deploy and add a TS step to apply updates, it may take a bit more if the WIM is a bit old, but Microsoft provides monthly builds of their supported Operating Systems. Regarding the cleanup of bloatware and additions of features, runtimes, you can do that also during the building of the machine. Generally, most of us have moved away from the build and capture method quite some years ago, we do everything in the deployment Task Sequence. Also, the removal of "System Volume Information", to my understanding, is not a good idea, you're actually interfering with the volume's information that may break things later.

GeoSimos avatar May 09 '25 16:05 GeoSimos

I got a version working, there is some cleanup I am missing at some point, not sure what it is.

But I have the TS run and fully complete, and I added steps to the TS so I would not modify the source files of PSD/MDT

Before final reboot

  • remove administrator password
  • copy Winpe boot files to C:\boot
  • copy custom script that sysprep's and applies the Winpe as a boot option
  • copy startup shortcut to the custom script in C:\boot

the TS finishes and fully cleans up, system reboots, signs back into the admin account and runs the start up command, that startup command also deletes the shortcut

Reboots into the custom Winpe and captures the image, then wipes the disk

I am just curious what I am missing. I target (drivers is no longer targeted, the VM requires no custom drivers so I remove those steps from the TS)

C:\_SMSTaskSequence (i think this is the main issue, is this more than just a folder?)
C:\MININT
C:\drivers

Registery valies in PSDFinal.ps1

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\AsyncRunOnce
HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows\Win10Upgrade

other reg values (psd info I think is handled by tatoo, I removed that step in capture)

HKLM:\SOFTWARE\Microsoft\PSDInfo
HKLM\SOFTWARE\Microsoft\SMS

laramy2020 avatar May 16 '25 21:05 laramy2020

Between us, historically this is not a very good idea, you can just use the provided WIM from the OS's ISO you want to deploy and add a TS step to apply updates, it may take a bit more if the WIM is a bit old, but Microsoft provides monthly builds of their supported Operating Systems. Regarding the cleanup of bloatware and additions of features, runtimes, you can do that also during the building of the machine. Generally, most of us have moved away from the build and capture method quite some years ago, we do everything in the deployment Task Sequence. Also, the removal of "System Volume Information", to my understanding, is not a good idea, you're actually interfering with the volume's information that may break things later.

Yeah this is kinda a habit from win7 days and it's 600k updates, but still comes in handy for us from time to time. We have people who start and are on barely fast enough internet (5mbps down lucky to get 1 up), having a image that is up to date and 90% provisioned helps with on-boarding when we ship out a computer from the office

The less they have to download to get setup for on-boarding the better

laramy2020 avatar May 16 '25 21:05 laramy2020